From ivo@amaze.nl Fri Jun 22 08:44:05 2001
Date: Fri, 8 Jun 2001 13:01:59 +0200
From: Ivo van der Wijk
To: project@honeynet.org
Cc: Bas van der Linden
Subject: My scna16 solution

Hi there,

My first submission to you guys - didn't know it was there (and haven't
been really active with security lately).

1. Identify the encryption algorithm used to encrypt the file.

All characters are bitwise inversions of the original.

2. How did you determine the encryption method?

Examining the file with a normal viewer/editor revealed that all
characters were "high ASCII", i.e. > 127. As the original is probably
plain text, the first goal is to remove the high bit (and more?). Also,
the high ASCII had a clear structure: lots of repetition of the same
combination of characters. So probably a very simple encryption scheme.

My first attempt was to "c & 127" all characters, i.e. strip the high
bit. This didn't work. The next attempt was to "~c" all characters, i.e.
bitwise invert them. This gave the following result:

3. Decrypt the file, be sure to explain how you decrypted the file.

I wrote the following small piece of C code:

----
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    int c;
    FILE *f;

    f = fopen("somefile", "r");
    if (f == NULL) {
        perror("fopen");
        exit(1);
    }
    /* fgetc() returns the byte as an int; ~c inverts every bit and
       "%c" prints only the low byte, which is the inverted character. */
    while ((c = fgetc(f)) != EOF) {
        printf("%c", ~c);
    }
    fclose(f);
    exit(0);
}
----

This gave the following output:

----
[file]
find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/ls
file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER
[ps]
ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc
[netstat]
netstat=/dev/pts/01/bin/netstat
net_filters=47018,6668
[login]
su_loc=/dev/pts/01/bin/su
ping=/dev/pts/01/bin/ping
passwd=/dev/pts/01/bin/passwd
shell=/bin/sh
su_pass=l33th4x0r
----

4. Once decrypted, explain the purpose/function of the file and why it
was encrypted.

It's the configuration file of a rootkit. It defines a su backdoor
password, stuff not to show in ps, file, ls, etc.

5. What lesson did you learn from this challenge?

Not much. I already knew that enigma/rot-like encryption methods don't
work. Bit inversion is not much better.

6. How long did this challenge take you?

10 minutes at most. Perhaps I was lucky.

Bonus Question: This encryption method and file are part of a security
toolkit. Can you identify this toolkit?

SunOS Rootkit v2.5 (C) 1997-2001 Tragedy/Dor
  If you find this file, most likely your host has been hacked by a user
  of this rootkit. If you want information about this tool, removal instructions
  or such, please email bert.smith@mbox.bol.bg
  The author takes NO RESPONSIBILITY for anyone who misuses this tool.

(No, no one hacked us using this rootkit :)

ObHack: Reverse engineering the disassembly of inetd to find a LRK (linux
rootkit) backdoor password by examining the assembly. Took me a bit
longer than this :)

-- 
Drs. I.R. van der Wijk            -=-    Brouwersgracht 132
Amaze Internet Services V.O.F.           1013 HA Amsterdam
                                  -=-    Tel: +31-20-4688336
Linux/Web/Zope/SQL                       Fax: +31-20-4688337
Network Solutions                        Web: http://www.amaze.nl/
Consultancy                              Email: ivo@amaze.nl
                                  -=-
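The analysis in the submission above (notice every byte is high ASCII, try stripping the high bit, then try bitwise inversion) can be turned into a small generic check. The C program below is an added example, not part of Ivo's submission or of the rootkit; it works on a constructed sample in the same [section]/key=value format as the decrypted config rather than on the real challenge file, and the text-likeness score it uses (count lowercase letters, digits, spaces and newlines, reject any control or 8-bit byte) is an assumption chosen for config-style plaintext. It goes one step further than the write-up: instead of guessing ~c directly, it brute-forces all 256 single-byte XOR keys, of which inversion is the special case 0xFF, so the same code also catches the other one-byte "ciphers" such kits use.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample (NOT the challenge file): a few lines shaped like the
   decrypted rootkit config.  It is encrypted by bitwise inversion at run
   time so the analysis below has something to recover. */
static const char sample_pt[] =
    "[file]\n"
    "find=/dev/pts/01/bin/find\n"
    "[login]\n"
    "shell=/bin/sh\n";
#define SAMPLE_LEN (sizeof(sample_pt) - 1)
static unsigned char sample_ct[SAMPLE_LEN];

/* Bitwise inversion is its own inverse: ~c == c ^ 0xFF. */
static void invert_bytes(const unsigned char *in, unsigned char *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)~in[i];
}

/* Observation from the write-up: every byte is "high ASCII" (bit 7 set). */
int all_high_bit(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!(buf[i] & 0x80))
            return 0;
    return 1;
}

/* A byte we would accept inside a plain-text config file. */
static int acceptable(unsigned char c)
{
    return (c >= 0x20 && c <= 0x7E) || c == '\n' || c == '\t' || c == '\r';
}

/* Heuristic (assumption): -1 if any byte is a control/8-bit byte, otherwise
   the count of lowercase letters, digits, spaces and newlines.  Counting
   newlines matters: a key that turns '\n' into tab keeps the text printable
   but scores lower than the key that keeps the line structure. */
int text_score(const unsigned char *buf, size_t n)
{
    int score = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = buf[i];
        if (!acceptable(c))
            return -1;
        if ((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == ' ' || c == '\n')
            score++;
    }
    return score;
}

/* First attempt from the write-up: strip the high bit (c & 127). */
int score_strip_high_bit(const unsigned char *ct, size_t n)
{
    unsigned char *tmp = malloc(n);
    if (tmp == NULL)
        return -1;
    for (size_t i = 0; i < n; i++)
        tmp[i] = ct[i] & 0x7F;
    int s = text_score(tmp, n);
    free(tmp);
    return s;
}

/* Second attempt, generalised: try every single-byte XOR key.  Key 0xFF is
   bitwise inversion.  Returns the best-scoring key, or -1 if none is text. */
int best_xor_key(const unsigned char *ct, size_t n)
{
    unsigned char *tmp = malloc(n);
    int best_key = -1, best_score = -1;
    if (tmp == NULL)
        return -1;
    for (int k = 0; k < 256; k++) {
        for (size_t i = 0; i < n; i++)
            tmp[i] = ct[i] ^ (unsigned char)k;
        int s = text_score(tmp, n);
        if (s > best_score) {
            best_score = s;
            best_key = k;
        }
    }
    free(tmp);
    return best_key;
}

/* Encrypt the sample, run the three checks, verify the recovered text.
   Returns 1 on success; *key_out and *strip_out receive the results. */
int analyze_sample(int *key_out, int *strip_out)
{
    unsigned char rec[SAMPLE_LEN];
    invert_bytes((const unsigned char *)sample_pt, sample_ct, SAMPLE_LEN);
    *strip_out = score_strip_high_bit(sample_ct, SAMPLE_LEN);
    *key_out = best_xor_key(sample_ct, SAMPLE_LEN);
    if (!all_high_bit(sample_ct, SAMPLE_LEN) || *key_out < 0)
        return 0;
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        rec[i] = sample_ct[i] ^ (unsigned char)*key_out;
    return memcmp(rec, sample_pt, SAMPLE_LEN) == 0;
}

int sample_best_key(void)   { int k, s; return analyze_sample(&k, &s) ? k : -1; }
int sample_strip_score(void) { int k, s; analyze_sample(&k, &s); return s; }

int main(void)
{
    int key, strip;
    if (!analyze_sample(&key, &strip))
        return 1;
    printf("strip-high-bit score: %d (negative = not text)\n", strip);
    printf("best single-byte XOR key: 0x%02X (0xFF = bitwise inversion)\n", key);
    return 0;
}
```

On the sample, stripping the high bit yields control characters (for example 'f' encrypts to 0x99, and 0x99 & 0x7F is 0x19), so that candidate is rejected, while key 0xFF scores highest and reproduces the plaintext byte for byte. Against a real file, read the bytes into a buffer and call `all_high_bit`, `score_strip_high_bit` and `best_xor_key` on it; a negative strip score together with a clear XOR winner is exactly the situation the submission describes.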