We’re all gonna be FOOd man!

We made it back from PhreakNIC, mostly in one piece.  I’ll try to go over the highlights over the next couple of days.  So I know you’re all wondering: how did the RootWar go?  Well… as it turned out, no one registered for the RootWar.  We had no teams, so there was no competition.  So we went to plan B and just left the servers up for everyone to hack away at, and they did.

Here’s the basic setup, at least my part.  I had one box running Ubuntu and VMware, with two Windows server VMs on it.  One was just Server 2003 with no patches; IIS was set up along with MSSQL 2005 Express, and I set up an ASPNUKE site on it.  The second VM was SBS Server 2003 R2.  Again, no patches, but I did set up AD and Exchange and created a couple of users.  (BTW, the first server was also part of the AD domain.)  I also brought a second box which was just running Windows XP SP1 with no additional patches.  I stuck MS Office on it, added it to the domain, set up both users on it, configured Outlook for both users to use Exchange, and passed some mail back and forth between the users.  One of the emails actually had one of the users’ passwords in it.

My goal was to make these systems easy to hack, so everyone could have fun finding different ways to hack them.  The XP machine was hacked pretty quickly, and someone loaded an FTP server onto it and started filling up the hard drive.  The ASPNUKE site was pwned pretty quickly as well.  There was a message left on the front page of the site by the one who pwned it first, but it looks like it’s been hacked since then, and the site isn’t functioning properly.  Here’s a screen shot:

[Screenshot: Pwned]

I don’t have a screen shot from when the site was still working, so if you were the one who pwned it first, let me know.  No one claimed to have pwned the SBS server, and I looked over it briefly and couldn’t find any definite signs of it, so if any of you did, please let me know, and let me know how you did it.  I should note that when I started the VM up a little while ago, the DNS server crashed on boot, which makes me think someone may have taken advantage of vulnerabilities in Windows’ DNS server and done something.

Jeffx did some packet capturing, and will be making that available.  I’ll let you know where it’s at when it’s available.

Things to come…

Wifi Race Wreck…
I was running through Star Wars planets in my head…
Joplin Linux Users Group
Turn-Key Pen-Test Labs
HoneyNets
Anything else I think might be not too boring…

2 Comments on “Pn0x0b – The Aliens are coming!!! – ROOTWAR Overview”


By 4nk0ku. October 22nd, 2007 at 9:27 pm

Hah, I wish I was able to get inside one of those. I sat there a GOOD part of Saturday evening just trying to get into one of the boxes and I got nowhere near it :( Eh… so much practice, so little time. You have any pointers on where to begin? lol

By Ed. October 25th, 2007 at 2:43 pm

Team AllThatsEvil had a lot to do with getting the FTP server onto that box.. Amazing what Metasploit can do. We had semi-functional command line access into the box several times.. and were able to tftp from the box to put the ftp server onto the box, and made several attempts at a registry change / reboot to pwn the box, but the reboot wouldn’t take.
Did some over-the-wire analysis, and determined that we were talking to a couple of VMware sessions, the domain controller and mail server, on top of some flavor of Linux. Also found the user box, but between lack of planning (power outage Thursday night ended at 7:05 am Friday morning, so no chance to download a full set of tools) and lack of usable network connectivity to the outside world at the hotel, actually being able to take advantage of the Swiss-cheesy goodness of the Windows boxes (virtual and real) was limited.
We did have a blast though, as it was my son’s first con, and he felt quite at home.
