Well, unlike many users I run across, I had a backup.  it was about a week old, but I only lost one blog post, so not really a huge deal.

So, as any IT guy will tell you, BACKUP! BACKUP! BACKUP!

FYI, Cpanel makes this pretty easy and HostGator has an easy to follow tutorial at http://support.hostgator.com/articles/cpanel/how-to-generatedownload-a-full-backup.  Restoring is actually pretty simple too.  If you have root on the server it’s real easy (I don’t from home), but if you are a HostGator customer and you have a full backup all you need to do is upload it to your account and fill out the form at https://secure.hostgator.com/restore.php and be sure to specify the location of the backup that you generated and a friendly HostGator admin (maybe even me) will restore the backup for you at no charge.

If you don’t have root, and you only need to restore a few files, or a database or two, you can also do it manually.  The CPanel generated backup is just a zipped up tarball that includes all of your account information in a few directories, a tarball of your home directory, and some SQL dumps of your MySQL databases.  So, I untarred my backup from SSH on the suer as my user:

~: tar -xvzf ????backup-4.5.2011_18-38-58_bamed.tar.gz

?This puts the content of the backup in ~/backup-4.5.2011_18-38-58_bamed.  Then all of my home directory is in a tarball named homdir.tar, so I untar it with:

~: tar -xvf backup-4.5.2011_18-38-58_bamed/homedir.tar

I ran this from my home directory, so the contents of homedir.tar extract directly into my home directory all the files going into the right places.  Once that was done, then I re-created my WordPress database in MySQL by following the instructions at http://www.hostgator.com/tutorials/cpanel/hgx3/creating-a-mysql-database.htm.  Not that I needed to actually follow the tutorial, I just low HG video tutorials.  Save me a lot of time trying to explain step-by-step instructions.  Anyway, I created the same DB name, unsername, and password that I had used before accidentally deleting everything.  If you don’t have this information saved, after you restore your homedir you can pull it from your wp-config.php file.

Anyway, after recreating the DB, I was able to restore it from the backup in ~/backup-4.5.2011_18-38-58_bamed/mysql.  The actual name of the backup file is the same as the name of the database you are restoring.  Just go to PHPMyAdmin from Cpanel and restore the database using the instructions at http://support.hostgator.com/articles/cpanel/how-to-import-your-mysql-database.  (Again, love those HG tutorials)

Then my site was back exactly as it had been on 4-5-2011 at 18:38:58(CDT).  Pretty exciting ehh?

So, that’s a quick rundown of doing a manual restore.  If I actually needed to restore some domain names, or email addresses, or anything else it would be a little more complicated, but I was only worried about a few files and one database so it was pretty easy and only took a few minutes.  I could have let my peers at HG do it, but why waste their time when I can do it myself.  Let them spend their time helping our customers.

Anyway, hopefully I’ll get back and blog some more stuff later.

The only thing constant in life is change.  And as such bamed and family are on the cusp of a most significant change.  Seven years ago this month I began a new adventure as the ‘IT guy’ for College Heights Christian Church in Joplin, MO.  “I may not have gone where I intended to go, but I think I have ended up where I needed to be.” (Douglas Adams) Later this month we will be leaving Missouri and heading South to the great state of Texas.

“Let the past hold on to itself and let the present move forward into the future.” (Douglas Adams)

At the end of this month I will be beginning a new adventure as a Linux sysadmin for HostGator.com in Houston.  Anyone who knows me at all will know that I have always been a rather large fan of Linux and have made it the focus of not a few blog posts through the years.  As such, I am looking forward to spending my days at a command line exercising my CLI-fu.  I’m also rather excited about moving to the great town of Houston where things such as Linux Users Groups, 2600 meetings, and hacker spaces are more than something you read about on the internets.

“The fact that we live at the bottom of a deep gravity well, on the surface of a gas covered planet going around a nuclear fireball 90 million miles away and think this to be normal is obviously some indication of how skewed our perspective tends to be.” (Douglas Adams)

We should be all moved and begin settling in by Christmas.  To all those we’re leaving behind, know that you will be missed, that you are welcome to stop by whenever you’re in the area, and that if you have any Linux experience HostGator is still hiring!  So… until we meet again, “So long, and thanks for all the fish!” (Douglas Adams)

I’m continuing on to achieve my Bachelor’s by next summer and I hope to obtain another certification or two this year.

So, if anyone is looking for either an entry-level infosec position, or an experienced sysadmin position, check out my resume and drop me an email.

Personally, this sounds like a blast but I have no team. So who wants to hack with me?

I’m looking for up to four people willing to join me in this endeavor. I’m looking for people who have some experience in similar types of events. I will admit that I still have a lot to learn, though I do have some experience. Specifically, I have obtained my OSCP (Offensive Security Certified Professional) from Offensive Security. I also went to the Louisville Metro Infosec in 2009 and got 3rd place in their CTF.  I’ve been working in IT for over a decade now and currently work as a sysadmin for a small/medium size organization (~50 users).  I’m also going to school and taking other steps to focus my IT career more on InfoSec.

If this sounds like fun and you want to get to know some new people comment to this post and let me know you’re interested and what kind of experience you may have.  I’m looking for people with some experience and are just looking to have some fun.  Details of the event can be found here. Teams will be announced a week before the event, so we would need to form our team by the end of this week and get our application in.
So, wanna hack with me?

Another resource I’ve found but haven’t spent much time on is Webster’s Art of Assembly Language, which basically amounts to a list of other useful resources, including useful resources for Win32 Assembly.

Since my focus is on exploit development, the Assembly Language Primer for Hackers on SecurityTube is also an excellent resource.  This is a video resource that walks you through the basics of assembly, the stack, and eventually moves on to another series that gives the anatomy of a Buffer Overflow in the Buffer Overflow Primer.

And of course, if you ever need more resources, there’s Google.

The general concept behind the scenario was you were brought in to do a pentest on a network.  On this network there is a file with personally identifiable information (PII: names + ssn) that was encrypted.  The file in question was zipped and password protected with 7zip, then saved in a hidden TrueCrypt volume.  Theoretically, this should keep the PII safe, assuming the network admins use their heads and keep their passwords safe, but of course, they didn’t.

So, the first part of the challenge was to find the wireless network which was not broadcasting its SSID.  IronGeek suggests using Kismet to find it, and that was my original plan, but while I was still hooking up my gear I pulled out my CrackBerry and did a quick scan for wireless network, and sure enough it found IrongeekCTF.  So I didn’t bother with Kismet and just associated myself with IrongeekCTF, got an IP, and started scanning the network.  We were told we needed to find a Windows box, a Linux box, and a non-x86 system.  I used nmap to scan the network and quickly identified all the targets.  Specifically I scanned with:

# nmap -sT -sV -O 10.0.0.1-100

The -sT specified a Connect scan, which is quick and easy, and in a real pentest also easily recognizable by IDS, but in this situation who cares.  The -sV enables version scanning to let me know what version of what service is running on the ports located on the remote system.  And finally the -O is OS detection.  We were given the IP range to attack, so that pretty much found me everything I needed to know for this section of the challenge.

Now that we’ve identified some targets, it’s time to start hacking.  The nature of the challenge, and what specific “flags” we needed were made known some time before the challenge, so I already knew I’d need a password for a hidden TrueCrypt volume as well as for a 7zip file.  I also know there is not a real practical way to recover these types of passwords without an admin screwing up somewhere, so I was looking for a couple of specific things.  I did find some ways to bruteforce both TrueCrypt and 7zip, but these methods take FOREVER!  Since the entire competition was only a few hours long, I knew this wouldn’t work unless the passwords were less than 3 characters long.  So I started with the assumption that the fictitious admins of the network in question wrote the password down somewhere and all I had to do was find it.  All that being said, the next step in the challenge was to find the Windows administrator password, but I noticed a web server running on the Linux box, so I pulled up the website from that box first.  What I found was an intranet site that included a login, a “My notes” section, and a chat log between the admins.  The chat log revealed the admins didn’t think it was necessary to patch a Windows XP box if it was behind a firewall ( so there’s one easy target), it also revealed that the user named greg saved the password to the TrueCrypt volume in “my notes”, and the user john wrote the password to the 7zip file on a post-it and stuck it to his monitor.  At this point I also noticed the 3rd non-x86 system was named “CAM”.  So at this point I knew I needed greg’s password for the intranet site to get the TrueCrypt password, and I thought there was a good chance CAM led me to a camera that was pointed at a monitor somewhere with the 7zip password attached.

So, now I really started hacking.  First off the Windows box was unpatched, so you could pretty much pick any windows exploit you wanted to get in.  I think most everyone used the infamous MS03-026, as did I.  I also think pretty much everybody used metasploit and meterpreter to get into the windows box and extract the password hashes.  In preparation for this even I downloaded a couple hundred Gigs worth of Rainbow Tables and brought them on an external hard drive.  So once I had the hashes I just had to wait for the Rainbow Tables to do their magic.

After about half an hour I had the Administrator password as well as the password for greg and john.  Turns out, these passwords worked on the Linux box as well, so I didn’t even have to crack it.  So now I’ve got Administrator on the windows box and root on the Linux box, and now I’m looking for the logins to the intranet site, which if you remember was on the Linux box (which I now have root on).  I should also mention that the encrypted PII file was in /home/greg on the Linux box.  So after sftping the file to my laptop I have it now.

Now I needed greg’s password for the intranet in order to get the TrueCrypt password in his “My Notes” section.  The intranet site is susceptible to an SQL injection attack and if you watch IronGeek’s video you can see how he was able to login.  I went a different route.  Once I had root on the Linux box I went to /root/.bash_history to see what might be revealed.  What I learned was that there was a php file edited by root in the /var/www directory recently.  A quick read of this file actually revealed it to be a script used to setup the DB, and in it were the usernames and passwords of all the intranet users.  I know someone else dumped the password directly from MySQL.

So, I logged in as greg to the intranet site and got the password for the hidden TrueCrypt volume, all that was left was the 7zip file.  Port 80 was open on the last non-x86 based box which was named “CAM” and after opening it up in a web browser  it turned out to be an IP cam after all.  So I’m doing really well at this point and am pretty sure I’m ahead of everyone, or at least in the top 3, and this is where I get stuck.  I spend the next several hours finding out everything I can about this cam and the webserver it’s running on.  I keep looking for some kind of vulnerability, I try some brute-forcing, all the while I DO have a 7zip bruteforce running, though VERY slowly, and I’m out of luck.

Finally, Rel1k (Dave Kennedy, one of the first place winners, also a BackTrack4 developer) mentions ARP poisoning.  So I fire up ettercap, notice some traffic between the IP cam and the windows box and poison ARP to have all traffic between these two boxes pass through my laptop first.  In a couple of seconds ettercap gives me the cam’s password, then I login, see the post-it attached to a monitor, use it on the 7zip file and I’m done!  I got 3rd place when it was all said and done.  It seems several others were at the exact same point that I was and when Rel1k gave us that hint we all finished pretty quickly, within minutes of each other.  I was about 10 minutes from being either 2nd or 4th.  I should also mention that the webcam in question was pointed away from the password and had to be rotated via the web interface.  This little fact hung up the winning team for quite some time.

That’s my story!  So how was it?  It was loads of fun.  Adrian did a great job.  He came up with an interesting challenge that wasn’t too difficult, so several beginners, such as myself, could get involved, and yet the creativity with the camera even kept the experts guessing for some time.  I’m looking forward to next year and hope I can make it again.

What are some things I might like to see added, or suggestions for next year?  Maybe there could be more investigating work on the targets.  For example, we need to find a document in an email in Outlook, or even extract it from Exchange.  I know it would take more work and some volunteers, but it would also be cool if there were actual users to social-engineer.  Honestly, if it wasn’t for the camera, the challenge would have been too short.  I think it should start out at the level of complexity it was, but more difficult challenges later on would have been even better.  Of course, Adrian probably has other things to do with his time, but I’m sure he could find some help.  I’d volunteer!

Today is a good day...

New comic!  Ya, I know, it’s been awhile.

I introduce a couple of new characters today, so here’s the background.  Some friends and I get together on a weekly basis, or so, and game.  We played ShadowRun for awhile, we’ve done PC gaming, and now we’re doing D20.  Specifically, we’re going through the Savage Tide campaign at the moment.  The players include bamed(top-left, and author of this blog), poorchoices (top-right, featured in the last comic), vollmond (bottom-left, moved to MD and plays with us over the interwebs), and nitz (bottom-right, and no he doens’t really look like Vollmond, I just got tired of drawing).  Maybe I’ll come up with more soon…

http://www.securityfocus.com/bid/32703/discuss