All teams were able to find vulnerabilities in both web servers, one
running Joomla and the other Drupal / ViArt Shop Enterprise, and they
were able to load up webshells.
So after the webshells were loaded, they recognised the users in /etc/passwd
and decided to log in using these usernames.
The first mistake each team made was to look for a shortcut to hack into
these servers via kernel exploitation; I knew that would happen. No
one took the time to read /etc/passwd and think about why not even try
the second user. Both of these users had simple passwords, e.g. cpanel was
'cpanel123' and shiro had 'goodafternoon', which was a password used in
mysql, found in the config file for the web app.
If these teams had looked closely, they would have checked the Desktop
directory or even the home directory of each server.
With this info picked up, if anyone had looked into these home directories, they would have found the shadow file as below,
tcpdump **Never logged in**
webmaster pts/0 220.127.116.11 Fri Oct 5 10:32:52 +0100 2012
cpanel pts/3 server109-xxx.xxx. Mon Oct 8 08:32:46 +0100 2012
memcached **Never logged in**
[cpanel@server109-xxx.-xxx-xxx ~]$ ls
and on the other box, the home directory had a mail folder, and they
could have gone ahead and found a mail as below:
[root@server109-xxx-xxx-xxx ~]# cd /home/shiro/
[root@server109-xxx-xxx-xxx shiro]# ls
[root@server109-xxx-xxx-xxx shiro]# cd Maildir/
[root@server109- Maildir]# ls
[root@server109-xxx-xxx-xxx Maildir]# cd cur/
[root@server109-xxx-xxx-xxx cur]# ls
[root@server109-xxx-xxx-xxx cur]# cat mail1
15th September 2012 mail1 password is mrfreakshow2012
3rd October 2012 The black hat team gained this access, thank you for
your cooperation, #Blackdiamond #hackbattle2012
So right now I am resetting the servers; the BH team has forwarded all
credentials and I am hoping we should be back to the whole game again by
Good luck to all.