Oh my I was Hacked (lol)

Started by linux, January 14, 2005, 12:25:53 AM

linux

Uhm...all I can say is..WTF?

This is his current name, but we hacked him a long time ago when he
went by the handle, "Linux[e1]." Well, he obviously may know a bit about
Linux, right? WRONG. This newb thinks he's a hacker or some shit.
Well apparently not, considering how insecure his box was. Let's
take a little look, shall we?

tw0p4ck@stygian:~$ gcc (name snipped).c -o exploit
tw0p4ck@stygian:~$ ./exploit (ip snipped)

(name snipped) 0day remote heap overflow root exploit
by tw0p4ck and BigBoySam!

[~] checking to see if daemon is vulnerable...
  • the daemon is vulnerable!
    [~] sending evil packets...
    [~] receiving kernel and OS response...
  • response received:
  • Red Hat 9
  • Kernel 2.4.x
    [~] exploiting (ip snipped)...
  • exploit was successful!
    [.] dropping to bindshell on port 31337...

    # whoami
    root
    # id
    uid=0(root) gid=0(root) groups=0(root)
    # echo owned ;)
    owned ;)
    # export PS1="\u@\h:\W\\$ "
    root@misery:~# ls -la
    total 28
    drwxr-x---   4 root www-data 4096 2005-01-09 11:23 .
    drwxr-xr-x  13 root root     4096 2005-01-10 11:09 ..
    -rw-------   1 root root      491 2005-01-09 12:20 .bash_history
    -rw-------   1 root root      704 2005-01-09 11:02 .bash_profile
    -rw-------   1 root root     1290 2005-01-09 11:02 .bashrc
    drwx------   2 root root     4096 2005-01-09 11:23 public_html
    drwx------   2 root root     4096 2005-01-09 11:14 .ssh
    root@misery:~# cat .bash_history
    ls
    cd ..
    ls
    touhc 123
    tuoch 123
    touch 123
    pico 123
    cat 123
    cd /etc
    cd ..
    cd /etc
    ./zds
    ./zds
    ./zds
    ./zds
    ./zds
    ./zds
    hexedit zds
    ./zds
    cd $HOME
    wget
    wget www.qwlkjdakljalk.com
    echo hi
    cd /var/log
    cat syslog
    cat syslog.1
    pwd
    whoami
    su misery
    screen ./zds
    screen
    man man
    man woman
    mount your_mom
    ls
    cd /home
    ls -l
    cd ~
    cat .bashrc
    root@misery:~# uname -a
    Linux misery 2.4.18 #1 Wed Nov 1 20:09:22 JST 2004 i686 GNU/Linux
    [...cut...]

    As you can see, he is not very good at Linux. I find it
    ironic that such a dumbass would name himself after Linux, when
    in fact he can't even use it! Not only that, but he doesn't
    even patch his kernel... haha! I, Tw0p4ck, have obviously owned
    this newb, and for what you ask? Only $45, but hey... it was fun!
    And I did happen to buy a game with it. Anyways, I took a screenshot
    and left a message:

    root@misery:~# echo Hacked by tw0p4ck and BigBoySam. A message from the person who
    paid us to own your insecure box: d0n7 fuck w1th p30pl3 wh0 4r3 b3773r 7h4n j00
    > /etc/motd
    root@misery:~# cat /etc/motd
    Hacked by tw0p4ck and BigBoySam. A message from the person who
    paid us to own your insecure box: d0n7 fuck w1th p30pl3 wh0 4r3 b3773r 7h4n j00

Quik

It's made to look like Metasploit, says iago. It's pathetic, half of that wouldn't work. AND, who runs Red Hat 9?!

Quote
pico 123
cat 123
cd /etc
cd ..
cd /etc
./zds
./zds
./zds
./zds
./zds
./zds
hexedit zds
./zds
cd $HOME
wget
wget www.qwlkjdakljalk.com
echo hi
cd /var/log
cat syslog
cat syslog.1
pwd
whoami
su misery
screen ./zds
screen
man man
man woman
mount your_mom

Looks like they are just learning Linux commands.

http://www.cc.gatech.edu/~kaluskar/unix.html
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

iago

Incidentally, they did "cat .bash_history" -- that was whoever owned that machine "learning commands". 

Here is an excerpt from my own!
Quote
iago@Slayer:~$ cat .bash_history  | less
ping www.google.ca
vi LuckySevens.java
ls
rm LuckySevens.java
ssh hitmen
cat /etc/hosts
ssh hitmen
telnet hitmen 22
telnet hitmen 22
ssh iago@hitmen
ssh darkside
exit
javac LuckySevens.java
javac LuckySevens.java
javac LuckySevens.java
javac LuckySevens.java
javac LuckySevens.java
cat /etc/resolv.conf
ssh hitmen
exit
sudo vi /etc/sudoers
java -version
cd javaop
cd projects/
cd c
ls
cd xmms-nowplaying/
ls
vi xmms-playing.c
exit
cd .gaim
cd logs
cd aim
cd iagoishere
cd ckykrazed/
grep http *
cd workspace/Control
ls
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
ls
java -jar SelectPlugins.jar
rm ../Help.jar
java -jar SelectPlugins.jar
java -jar JavaOp2.jar
java -jar SetupBots.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar
java -jar JavaOp2.jar

I'm elite :)

Anyway, post the Windows one, I want to point out the obvious mistakes.

Quik

Quote
-----------------------------------------------------------------
Inner@USWest                      |
-----------------------------------------------------------------

yo this is BigBoySam here to show you the hacking of a faggot every1
hates: Inner. yeahz this kid is like fucking gay n shit and ive been
monitoring him. eventually through some persuasion and manipulation
I w4s able to get Inner's IP address. newayz yeah so i logged on
tw0p4ck's NetBSD box and used our leetest and newest Winbl0wz exploit we have
on Inner.

bigboysam@stygian:~$ gcc (censored).c -o innerisowned
bigboysam@stygian:~$ ./innerisowned (ip cut out)

(censored) - Windows XP Universal Remote Admin Exploit
by tw0p4ck and BigBoySam!

Exploiting remote target...
Sending evil buffer...
Shellcode successfully executed!
Dropping to remote bound cmd.exe on port 18241...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C\Documents and Settings\Inner>dir

Directory of C:\Documents and Settings\Inner


12/26/2004  01:05 AM    <DIR>          .
12/26/2004  01:05 AM    <DIR>          ..
01/11/2005  01:04 PM    <DIR>          Desktop
11/29/2004  03:40 PM    <DIR>          Favorites
12/29/2004  01:21 PM    <DIR>          My Documents
10/18/2004  01:19 AM    <DIR>          Start Menu
11/07/2004  10:15 AM    <DIR>          WINDOWS
               3 File(s)            985 bytes
               7 Dir(s)  45,233,357,824 bytes free

C:\Documents and Settings\Inner>cd Desktop
C:\Documents and Settings\Inner>echo HACKED BY BIGBOYSAM AND TW0P4CK!! > HACKED.txt

as you can see I owned his box haha. all I did was own it and place a msg
on his desktop. Newayz, i think it sumz that shiz up haha! Btw, we got
offered $125 by one person, $45 by one other, and $70 by another. We
accepted all of them ;). Hooray for us... we got paid a lot 4 somethin
fun!

by3 4 n0w ph4gz!

-----------------

Why wouldn't it go to Desktop when they CD'd to desktop? And why would WINDOWS be in the "Inner" directory? And why in HELL would he have "Inner" as the logon to his Windows machine?
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny
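The `cd Desktop` objection above can be checked mechanically. This is an added example, not code from any poster in the thread; it also goes one step further and compares the `dir` summary line against the entries actually listed. `check_transcript` and its regexes are hypothetical names, and it assumes a failed `cd` would have printed an error line.

```python
import re

# Transcript as quoted in the thread, trimmed to the prompt and `dir` lines.
SAMPLE = r"""C:\Documents and Settings\Inner>dir
12/26/2004  01:05 AM    <DIR>          .
12/26/2004  01:05 AM    <DIR>          ..
01/11/2005  01:04 PM    <DIR>          Desktop
11/29/2004  03:40 PM    <DIR>          Favorites
12/29/2004  01:21 PM    <DIR>          My Documents
10/18/2004  01:19 AM    <DIR>          Start Menu
11/07/2004  10:15 AM    <DIR>          WINDOWS
               3 File(s)            985 bytes
               7 Dir(s)  45,233,357,824 bytes free
C:\Documents and Settings\Inner>cd Desktop
C:\Documents and Settings\Inner>echo HACKED BY BIGBOYSAM AND TW0P4CK!! > HACKED.txt
"""

PROMPT = re.compile(r"^([A-Za-z]:\\[^>]*)>\s*(.*)$")
ENTRY = re.compile(r"^\d\d/\d\d/\d{4}\s+\d\d:\d\d [AP]M\s+(<DIR>|[\d,]+)\s+\S")
SUMMARY = re.compile(r"^\s*(\d+) (File|Dir)\(s\)")
RELATIVE = re.compile(r"^cd\s+(?![A-Za-z]:|[\\/.])(.+)$", re.I)  # plain `cd NAME` only

def check_transcript(text):
    """Return internal inconsistencies found in a cmd.exe transcript."""
    findings, expected, seen = [], None, {"File": 0, "Dir": 0}
    for line in text.splitlines():
        if m := PROMPT.match(line):
            cwd, cmd = m.group(1), m.group(2).strip()
            if expected and cwd.lower() != expected.lower():
                findings.append(f"prompt is {cwd!r}, expected {expected!r}")
            expected = cwd
            if rel := RELATIVE.match(cmd):        # a relative cd must move the prompt
                expected = cwd.rstrip("\\") + "\\" + rel.group(1)
            elif cmd.lower().startswith("dir"):   # new listing: restart the tally
                seen = {"File": 0, "Dir": 0}
        elif m := ENTRY.match(line):
            seen["Dir" if m.group(1) == "<DIR>" else "File"] += 1
        elif m := SUMMARY.match(line):
            kind, claimed = m.group(2), int(m.group(1))
            if claimed != seen[kind]:
                findings.append(f"summary claims {claimed} {kind}(s), listing shows {seen[kind]}")
    return findings

if __name__ == "__main__":
    for finding in check_transcript(SAMPLE):
        print(finding)
```

On the quoted transcript it reports two findings: the summary claims 3 files while none are listed, and the prompt does not move after `cd Desktop`.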

linux

I don't know if I'm odd, I use my Actual Full name?


iago

Quote from: Quik on January 14, 2005, 01:03:23 AM
Why wouldn't it go to Desktop when they CD'd to desktop? And why would WINDOWS be in the "Inner" directory? And why in HELL would he have "Inner" as the logon to his Windows machine?

Exactly!

Newby

I'm confused. Someone summarize what happened. :/
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote from: Rule on June 30, 2008, 01:13:20 PM
Quote from: CrAz3D on June 30, 2008, 10:38:22 AM
I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

iago

All those quotes are from some website that claims they hacked people and blahblahblah.  I dunno, maybe somebody should post the quote here.

Quik

Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

wires

Lol. :P

Quote
11. List of Lame Faggots
------------------------

y0 th3ze r 4ll th3 ppl 7h3 bn3t 4x3 ph34lz iz r33ly g4y, 4nd
n33dz 2 b3 4x3d ;). 1ph j00 r 0n th1z l1st, th3n pr3p4r3 j00r53lph,
b3cauz3 4 b0un7y h4z b33n 5eT 0n j00, 0r w3 juzT ph33l j00 5h00d
g1t 4x3d.

*snip*
Op Forge@USEast

linux

..Do they realize NO ONE types like that...except them? [FLAME] Bigboysam and tw0p4ck have been crowned the residential battle.net idiots. [/FLAME]

Mythix

wow.

/dev/hda3 / ext2 defaults 1 1
none /dev/pts devpts mode=0620 0 0
/dev/hda4 /home ext2 defaults 1 2
/mnt/cdrom /mnt/cdrom supermount fs=iso9660,dev=/dev/cdrom 0 0
/mnt/floppy /mnt/floppy supermount fs=vfat,dev=/dev/fd0 0 0
/mnt/zip /mnt/zip supermount fs=vfat,dev=/dev/zip 0 0
none /proc proc defaults 0 0
/dev/hdb2 /usr ext2 defaults 1 2
/dev/hdb5 swap swap defaults 0 0


HOLY CRAP IT HAXED HIS HD
Philosophy, n. A route of many roads leading from nowhere to nothing.

- Ambrose Bierce


Newby

Wrong about the WINDOWS dir comment, everyone.

Quote
C:\Documents and Settings\[snip]>dir
Volume in drive C has no label.
Volume Serial Number is C860-LALA

Directory of C:\Documents and Settings\[snip]

11/27/2004  01:51 PM    <DIR>          .
11/27/2004  01:51 PM    <DIR>          ..
04/22/2003  04:40 PM    <DIR>          .javaws
08/27/2003  06:12 AM                 0 Botmail.txt
08/27/2003  06:12 AM               137 Config.ini
08/27/2003  06:12 AM                 0 Database.txt
11/25/2004  09:27 AM    <DIR>          Desktop
11/11/2004  10:47 AM    <DIR>          Favorites
08/27/2003  06:12 AM                 0 LastSeen.txt
12/23/2004  07:33 PM    <DIR>          My Documents
08/27/2003  06:12 AM               177 Options.ini
08/27/2003  06:12 AM                64 Settings.ini
03/23/2003  09:32 AM    <DIR>          Start Menu
11/27/2004  01:51 PM    <DIR>          VSWebCache
04/21/2003  10:10 AM    <DIR>          WINDOWS
               6 File(s)            378 bytes
               9 Dir(s)  14,040,182,784 bytes free

C:\Documents and Settings\[snip]>
- Newby
http://www.x86labs.org

Quik

Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Krazed

WINDOWS is in the home directory, at least on XP it is. I just verified this with my brother's laptop, I'll upload the screenshot when I get unlazy.
It is good to be good, but it is better to be lucky.