Sunday, August 18, 2013

Short analysis of the sebd rootkit, ("xd's version")

What xd doesn't understand is that, he will always be 1000 steps behind us :)

A while ago ocean gave out a list of roots in haqnet. Knowing that xd would deploy the 'super leet rootkit' he brags about, we decided to log ssh on some of the boxes. After leaving/being banned from HaqNET, we waited a month or so. As expected, several of the boxes were dead due to xd's lack of stealth. After joining the ircd for what, the 2nd time (after being banned for asking for the challenge), ocean decided it was time to trick this idiot ^_^, more on this in the upcoming post, but essentially ocean irc'd with a root that we knew was still up and probably kitted by xd. He felt so powerful when he logged in and ran yum update, LOL, well, thanks to his stupidity, we have this information, oh, and he even admits that ocean ended up rming that box right after, so uh, who actually got owned here..?

Information on xd's methods of staying stealthy/keeping access to compromised boxes:

He rm'd tons of shit, such as /var/log/*. Super stealthy, man.

Three new users were added:

adms
daemons
strace

An example entry from shadow (we didn't bother cracking it):

strace:h3bCsDM35lQY6:15874:0:99999:7:::

And well, we guess the shit-kit failed, so he had to ssh into the box:

adms:thesecret404 <--- LOL NICE

The home dirs of the users were set to /var/lib, and each one of them had a setuid binary named 'su' in their dir. Once again, talk about stealth!

An example:

/var/lib/strace/su <--- 4755 (u+s/setuid)

His super leet rkit was deployed on the box:

We were excited to recover his rootkit; it was supposed to be fun to pwn it, but we were sadly mistaken. The rootkit was just a modified version of a kit Romanian script kiddies use (originating around 2003).

Notes:
  • Creates several files with hardcoded names (rkhunter/chkrootkit, anyone?)
  • Uses some form of encryption, sniffs packets on the compromised system
  • Always sends reverse shells to the same hardcoded port, 43333
  • Uses DES crypt "hashes" for its password. This is kiiiinda hardcoded, but we can sed it out LOL. If you were curious, the hash was "crnGtapg9Zb6I", and the plaintext result was "103-craz". xd doesn't realize that DES crypt limits you to 8 chars.
  • We're guessing, and hoping, the source code for this has a little config.h or something that lets us change these things

To mock Drew we decided to relay/mirror this kit with a new install script to the common script kiddie hangout site known as hackforums; what's sad is that some of them have more skill than xd.
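A quick audit script for the indicators described above, added here as an example (it is not part of the original post or of the kit): it flags login accounts whose home dir was planted under /var/lib, shadow entries that use a 13-char traditional DES crypt hash, and setuid 'su' binaries outside the distro's own paths. The passwd/shadow lines and the setuid file list are constructed sample data, not real captures.

```python
import re

# Constructed sample data modelled on the indicators in the post; not real captures.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
strace:x:1001:1001::/var/lib/strace:/bin/bash
adms:x:1002:1002::/var/lib/adms:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:15874:0:99999:7:::
alice:$6$constructedsalt$constructedhash:15874:0:99999:7:::
strace:h3bCsDM35lQY6:15874:0:99999:7:::
adms:abcdEFGHijk12:15874:0:99999:7:::
"""
# What `find / -perm -4000 -type f` might return on such a box (constructed list).
SAMPLE_SETUID = ["/usr/bin/su", "/usr/bin/passwd", "/var/lib/strace/su", "/var/lib/adms/su"]

# Traditional DES crypt: 2-char salt + 11-char hash over [./0-9A-Za-z], no '$id$' prefix.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
LEGIT_SU = {"/bin/su", "/usr/bin/su"}

def var_lib_home_accounts(passwd_text, prefix="/var/lib/"):
    """Accounts with a real login shell whose home dir sits under /var/lib."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, home, shell = fields[0], fields[5], fields[6]
        if home.startswith(prefix) and shell not in NOLOGIN_SHELLS:
            hits.append(name)
    return hits

def des_crypt_accounts(shadow_text):
    """Accounts whose password field is a legacy DES crypt hash (only 8 chars count)."""
    hits = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and DES_CRYPT_RE.match(fields[1]):
            hits.append(fields[0])
    return hits

def rogue_su_binaries(setuid_paths):
    """Setuid files named 'su' that are not the distro's own su binary."""
    return [p for p in setuid_paths if p.rsplit("/", 1)[-1] == "su" and p not in LEGIT_SU]
```

On a live box, feed it the contents of /etc/passwd and /etc/shadow plus the output of a setuid file search; any hit on all three checks together is a strong match for this kit's footprint.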

xd, why do you even try to act like you have knowledge? You name your GitHub "x90", yet you probably don't understand the role of a NOP in exploits, or in code in general. That being said, it is amazing the guy has the audacity to talk shit on a decent backdoor PoC.

https://github.com/x90/ssh_rape

"A c00l kit ???
but, were is, logging into, maybe OPEN tcp ports...etc etc.... you should look @ sebd (id b happy to give u copy...) , and sshtrix 9via noptrix...0 , maybe adding some extra functionality, would b cool... but, i dont know.... it is sofar, a very good method, BUT, not as good as, the one i use :> xd"

This is blasty @ fail0verflow's PoC that he showed off @ hackinthebox, and it is 100x better than sebd. Why would it log? It's a PoC; logging is a feature the coder would implement to weaponize this. The 'method' is kinda old, however it is MUCH better than the piece of shit you use. Stop acting like you are the latest and greatest, you have no cool w4r3z.

https://github.com/blasty
www.hackintherandom2600nldatabox.nl/archive/slides/2012/blasty.pdf

^ You should attempt reading that, xd.

Link to sebd (original w/ installer) + sebd (xd's version + our own installer, in case you actually want to try this piece of shit out):

Original sebd: http://easkytb.3host.ro/phrame.php?action=saveDownload&fileId=21576

xd's sebd + our installer: http://www.multiupload.nl/0ZIB0QCBL3

Thanks for reading!
