HackFest: FLAG Escalated Access Taken = ROOT

Lisa Kachold lisakachold at obnosis.com
Sun Dec 14 19:55:04 MST 2008
The second and most important root escalated privilege flag was taken by ATB, known as Arkaic on Freenode PlugLabs IRC. The escalated permissions were obtained after running the default password shadow file on an FC system through John the Ripper to obtain "nobody" [whose default /etc/passwd shell had been changed from /bin/nologin to /bin/bash by a clueless and highly paid Drupal "developer" who was trying to get ftp to work ("Um....file transfer from Drupal is ftp right...?")]. ATB then found that there was a backup of the shadow file root hash with readable permissions (silly admins never set their UMASK right!) and that the pam.d directory also had things writable (su).

After these easy actions, including running the /etc/shadow-bak file through John the Ripper [type yum install john] to get the root 4-digit numerical password, I believe ATB was resourceful enough to try "sudo" from nobody, which the admin had, in his haste, set in /etc/sudoers to ALL (ALL) ALL rather than designate each and every one of the developers, since they were in a $REALBIGHURRY to get the site up. I believe ATB, in his wisdom, then endeavored to add a few backdoors, and possibly a rootkit, but we have to do our full forensics for a full determination of all FLAGS obtained by his actions.

Dec 14 17:01:48 spider useradd[21049]: new group: name=waldo, GID=508
Dec 14 17:01:48 spider useradd[21049]: new user: name=waldo, UID=508, GID=508, home=/home/waldo, shell=/bin/bash
Dec 14 17:01:54 spider passwd: PAM unable to dlopen(/lib/security/pam_gnome_keyring.so):/lib/security/pam_gnome_keyring.so: cannot open shared object file: No such file or directory
Dec 14 17:01:54 spider passwd: PAM adding faulty module: /lib/security/pam_gnome_keyring.so
Dec 14 17:02:01 spider passwd: pam_unix(passwd:chauthtok): password changed for waldo
Dec 14 17:03:49 spider su: pam_unix(su-l:session): session closed for user root
Dec 14 17:03:52 spider sudo:   nobody : TTY=pts/5 ; PWD=/ ; USER=root ; COMMAND=/bin/su -
Dec 14 17:03:52 spider su: pam_unix(su-l:session): session opened for user root by nobody(uid=0)
nobody   pts/5    ip70-176-228-90. 16:55    1:09   0.20s  0.04s sshd: nobody [priv]

www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |  (503)754-4452
Catch the January PLUG HackFest! Kristy Westphal, CSO for the AZ Department of Economic Security,
will provide a one hour presentation on forensics 1/10/09 Noon at UAT.edu.
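As an added illustration (not part of Lisa's post or the HackFest box), the script below does two things a responder would want after reading the account above: it triages the quoted log lines for the tell-tale events (a service account using sudo to become root, root session opened by nobody with uid=0, a brand-new account appearing mid-incident), and it audits for the underlying misconfigurations the post describes: nobody with a real shell, a readable shadow backup, writable files under pam.d, and a sudoers entry handing ALL (ALL) ALL to everyone. The /etc/passwd and /etc/sudoers fragments and the temp-directory fixture are constructed for the example; the hash in the fixture is a placeholder, and the exact log lines are the ones quoted in the post.

```python
import os
import re
import stat
import tempfile

# Service accounts that should have neither a login shell nor sudo rights.
SYSTEM_ACCOUNTS = {"nobody", "daemon", "bin", "sys", "ftp", "apache", "www-data"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin", "/bin/false"}

# Log lines quoted in the post (the trailing "w" output line is left out).
SAMPLE_LOG = """\
Dec 14 17:01:48 spider useradd[21049]: new user: name=waldo, UID=508, GID=508, home=/home/waldo, shell=/bin/bash
Dec 14 17:02:01 spider passwd: pam_unix(passwd:chauthtok): password changed for waldo
Dec 14 17:03:52 spider sudo:   nobody : TTY=pts/5 ; PWD=/ ; USER=root ; COMMAND=/bin/su -
Dec 14 17:03:52 spider su: pam_unix(su-l:session): session opened for user root by nobody(uid=0)
""".splitlines()

# Constructed /etc/passwd and /etc/sudoers fragments mirroring the post's misconfigurations.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
"""
SAMPLE_SUDOERS = """\
root    ALL=(ALL) ALL
# hasty "fix" so every developer can deploy
ALL     ALL=(ALL) ALL
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>\w+), UID=(?P<uid>\d+)")
SU_OPEN_RE = re.compile(r"su: pam_unix\(su-l:session\): session opened for user (?P<target>\S+) by (?P<by>\w+)\(uid=(?P<uid>\d+)\)")
SUDOERS_RE = re.compile(r"(\S+)\s+\S+=\((\S+)\)\s*(?:NOPASSWD:\s*)?(\S+)")


def triage_log(lines):
    """Return (kind, who, detail) tuples for the events an analyst would escalate."""
    findings = []
    for line in lines:
        m = SUDO_RE.search(line)
        if m and m["user"] in SYSTEM_ACCOUNTS and m["target"] == "root":
            findings.append(("sudo_from_service_account", m["user"], m["cmd"].strip()))
            continue
        m = USERADD_RE.search(line)
        if m:  # any account created inside the incident window deserves a look
            findings.append(("new_user", m["name"], int(m["uid"])))
            continue
        m = SU_OPEN_RE.search(line)
        if m and m["target"] == "root" and m["by"] in SYSTEM_ACCOUNTS:
            findings.append(("su_to_root_from_service_account", m["by"], int(m["uid"])))
    return findings


def audit_passwd(passwd_text):
    """Flag service accounts whose shell is a real shell (the nobody -> /bin/bash change)."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] in SYSTEM_ACCOUNTS and fields[6] not in NOLOGIN_SHELLS:
            hits.append((fields[0], fields[6]))
    return hits


def audit_sudoers(sudoers_text):
    """Flag entries granting ALL commands to everyone (ALL) or to a service account."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SUDOERS_RE.match(line) if line else None
        if m:
            who, runas, cmd = m.groups()
            if cmd == "ALL" and (who == "ALL" or who in SYSTEM_ACCOUNTS):
                hits.append((who, runas))
    return hits


def find_weak_perms(etc_dir):
    """Readable shadow copies and writable pam.d entries under etc_dir (real /etc or a fixture)."""
    hits = []
    for name in sorted(os.listdir(etc_dir)):
        mode = stat.S_IMODE(os.lstat(os.path.join(etc_dir, name)).st_mode)
        if name.startswith("shadow") and mode & 0o044:
            hits.append(("world_or_group_readable", name, oct(mode)))
    pam_dir = os.path.join(etc_dir, "pam.d")
    if os.path.isdir(pam_dir):
        for name in [""] + sorted(os.listdir(pam_dir)):  # "" checks the directory itself
            mode = stat.S_IMODE(os.lstat(os.path.join(pam_dir, name)).st_mode)
            if mode & 0o022:
                hits.append(("group_or_world_writable", "pam.d/" + name, oct(mode)))
    return hits


def build_demo_etc():
    """Constructed fixture in a temp dir: not the post's system, just the same mistakes."""
    root = tempfile.mkdtemp(prefix="etc-audit-")
    os.mkdir(os.path.join(root, "pam.d"), 0o755)
    for rel, mode in (("shadow", 0o000), ("shadow-bak", 0o644), ("pam.d/su", 0o666)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:  # placeholder hash, not a real credential
            fh.write("root:$6$placeholderhash:14000:0:99999:7:::\n" if "shadow" in rel else "auth sufficient pam_rootok.so\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG) + audit_passwd(SAMPLE_PASSWD) + audit_sudoers(SAMPLE_SUDOERS) + find_weak_perms(build_demo_etc()):
        print(finding)
```

Run against a live box, `find_weak_perms("/etc")` plus the passwd and sudoers readers (fed from the real files as root) give the same three classes of finding; the sudoers check deliberately matches only the simple one-line form and ignores `Defaults`, aliases and `#include` directives, so treat a clean result as a first pass rather than proof.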
