Gained root - now what?


2 replies to this topic

#1 c0mrade

c0mrade

    the 0ne

  • Members
  • 1 posts
  • Gender:Male

Posted 18 April 2011 - 02:32 AM

A couple of days ago I found a box running Arch Linux, which I thought I'd try to exploit for learning purposes. A quick nmap showed it was running an exploitable server, so I managed to get a shell - and from there I really didn't have much of a problem finally gaining root. The fact that even I could get into the box tells me that this guy did absolutely nothing to secure it.

Inside, I found out that this is a workstation, full of the user's personal files. Not of much use to me, although I saved some accounts/passwords for usable websites (thanks to saved passwords in ~/.mozilla/). I don't want to ruin this guy's life in any way, so Facebook accounts etc. don't interest me.

Now, as root, I want to make sure this box will be available to me in the future, for various purposes. Unfortunately it was obvious to me that this guy shuts down the computer at night, and he has a public dynamic IP.

  • First off, I anonymously registered an account at no-ip.org, and installed a daemon which updates the DNS-records whenever the IP changes. This enables me to at least reach his box, as long as he's not suddenly behind a firewall.
  • I set up a new account with a generic name (such as "ptd") and sudo privileges, and placed the home directory under /var/spool/<username> to ensure it's at least a bit more hidden.
  • I deleted all logs which witnessed my activities, and replaced them with symlinks to /dev/null, to make sure that nothing was saved in the logs when/if he discovers I'm connected.
  • I renamed and moved the "/usr/bin/who" application to "/usr/sbin/wat", so I can see him when he's logged in, while not letting him see me. My hostname shows up with that script. Is there any other way to disable that without replacing the program with a fake one compiled from scratch? Is my hostname visible anywhere else? /var/log/lastlog points to /dev/null, as well as /var/log/auth.log.
  • I installed an FTPd which can enable me to access files, or store files on his box.
  • A polipo proxy was added, to get me another way of accessing the internet "anonymously". I'm thinking about installing OpenVPN instead...
  • I also installed a keylogger which logs all physical keystrokes into a stealth file, available for me by SSH or FTP.

So, what have I missed? Any tips would be great, since I'm not very experienced in being stealthy online. Of course I did all this from a WiFi network which isn't mine, and I spoofed my MAC address beforehand.
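Seen from the owner's side, the modifications listed in the post above are exactly the host-level indicators an incident responder looks for: log files turned into symlinks to /dev/null, a sudo-capable account with a home directory parked outside /home, and a session-reporting binary that has gone missing from its packaged location. The following is an added example (not the poster's code and not from BinRev) of an offline audit that checks a root tree for those three indicators. It assumes sudo is granted through the wheel or sudo group, as on a stock Arch install, and builds a constructed throwaway directory that reproduces the post's changes so it can run without touching a real system.

```python
"""Offline audit of a Linux root tree for the tampering indicators described in
the post above: log files replaced by symlinks to /dev/null, a sudo-capable
account whose home directory is parked outside /home, and a missing
/usr/bin/who. Added example; not the poster's code. The fixture below is a
constructed throwaway directory, not a real system."""
import os
import shutil
import tempfile
from pathlib import Path

# Logs an intruder commonly blanks; checked relative to the audited root.
LOG_FILES = ["var/log/auth.log", "var/log/lastlog", "var/log/wtmp", "var/log/btmp"]
# Session-reporting tools that exist as regular files on a stock install.
EXPECTED_BINARIES = ["usr/bin/who", "usr/bin/w", "usr/bin/last"]
# Assumption: sudo is granted via group membership in one of these groups.
PRIVILEGED_GROUPS = {"wheel", "sudo"}


def find_null_symlinked_logs(root):
    """Return log paths that are symlinks pointing at /dev/null."""
    root = Path(root)
    return [rel for rel in LOG_FILES
            if (root / rel).is_symlink() and os.readlink(root / rel) == "/dev/null"]


def find_hidden_home_accounts(root):
    """Return (user, home) for non-system users in a privileged group whose
    home directory lies outside /home."""
    root = Path(root)
    privileged = set()
    for line in (root / "etc/group").read_text().splitlines():
        fields = line.split(":")          # name:passwd:gid:member,member
        if len(fields) == 4 and fields[0] in PRIVILEGED_GROUPS and fields[3]:
            privileged.update(fields[3].split(","))
    hits = []
    for line in (root / "etc/passwd").read_text().splitlines():
        fields = line.split(":")          # name:x:uid:gid:gecos:home:shell
        if len(fields) != 7:
            continue
        name, uid, home = fields[0], int(fields[2]), fields[5]
        if uid >= 1000 and name in privileged and not home.startswith("/home/"):
            hits.append((name, home))
    return hits


def find_missing_binaries(root):
    """Return expected binaries that are absent or no longer regular files."""
    root = Path(root)
    return [rel for rel in EXPECTED_BINARIES if not (root / rel).is_file()]


def audit(root):
    """Run all checks and return a dict of findings keyed by check name."""
    return {
        "null_logs": find_null_symlinked_logs(root),
        "hidden_homes": find_hidden_home_accounts(root),
        "missing_binaries": find_missing_binaries(root),
    }


def build_fixture():
    """Construct a throwaway root tree reproducing the modifications in the post."""
    root = Path(tempfile.mkdtemp(prefix="audit-"))
    for d in ("var/log", "usr/bin", "usr/sbin", "etc"):
        (root / d).mkdir(parents=True)
    (root / "var/log/auth.log").symlink_to("/dev/null")
    (root / "var/log/lastlog").symlink_to("/dev/null")
    (root / "var/log/wtmp").write_text("")        # untouched regular file
    (root / "usr/bin/w").write_text("")
    (root / "usr/bin/last").write_text("")
    (root / "usr/sbin/wat").write_text("")        # relocated copy of who
    (root / "etc/passwd").write_text(
        "root:x:0:0:root:/root:/bin/bash\n"
        "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
        "ptd:x:1001:1001::/var/spool/ptd:/bin/bash\n"   # generic-name account
    )
    (root / "etc/group").write_text("wheel:x:10:alice,ptd\n")
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    try:
        for check, findings in audit(fixture).items():
            print(f"{check}: {findings}")
    finally:
        shutil.rmtree(fixture)
```

Run `audit("/mnt/suspect")` against a disk image mounted read-only from a clean system rather than on the live host, since a host that has already been modified at this level cannot be trusted to report on itself. Package-manager verification is a good complement: on Arch, `pacman -Qkk` compares installed files against the package database and would flag both the missing `/usr/bin/who` and the log files whose type changed from regular file to symlink.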

#2 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,102 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 18 April 2011 - 12:47 PM

Tell the owner his box is insecure.

Edited by tekio, 18 April 2011 - 12:50 PM.


#3 ticom

ticom

    SUPR3M3 31337 Mack Daddy P1MP

  • Moderating Team
  • 420 posts
  • Gender:Male
  • Location:860

Posted 18 April 2011 - 07:25 PM

I suggest you tell the owner his box is insecure, and maybe offer him some form of assistance in securing it. I would then suggest you find another aspect of the hobby for "learning purposes", or at the very least refrain from making what my lawyer would refer to as "admissions against interest" on a public online forum.

If you are looking for a learning experience, you should consider setting up your own *nix box, installing all the known security patches, and then attempting to find holes or bugs in the system. I would think that to be more challenging than simply finding a box on the net that some ignorant admin failed to properly secure.
