• Re: SSH BBS Hack Challenge

    From 2twisty@21:3/166 to ALL on Thu Mar 31 17:10:08 2022
    I'm going to give you the excuse of 'youthful exuberance' here. Port 22 and SSH access are not the same. Do *not* open ANY SSH port to the world!

    Opening any telnet port to the world is actually FAR FAR FAR more dangerous than SSH. As for "youthful exuberance," the only youth here is my experience with this particular software. I have been running Linux servers since 1995.



    And that's kind of my point! Why would you give any Trouble, Dick, and Hasbeen, free access to your underlying OS? Close that port, sir!

    Fine. PROVE ME WRONG. HACK ME.

    To anyone out there: Hack my board and put some obvious file in the root of the system (please don't cause damage). Show me that you CAN do it via SSH and NOT do it over Telnet.

    First one to succeed gets $100 sent via Facebook Messenger.

    Note, you must show your work (so that I can FIX said problem) and you must show that you CANNOT break in over telnet.

    If you can prove the opposite ( that you CAN get in over telnet and NOT over SSH) I will send $50.

    If you can break in over BOTH, I will send $150.

    Furthermore, if you exploit a bug in Mystic to gain access, you have to show all that work, as well. We would want to make sure that g00r00 gets what he needs to plug that hole.

    Please note: $150 is a lot of money for me; I don't make this challenge lightly, and if we have a winner, it may take me a while to have that much cash in reserve to send.

    If you succeed, please contact me at 2twisty@gmail.com and give me all the proof I need (name of the file you created and your proof of exploit(s)) so that I can validate a winner. Your process has to be repeatable in order to verify how you did it.

    --- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
    * Origin: The Ratrace Losers (21:3/166)
  • From 2twisty@21:3/166 to Andre on Thu Mar 31 17:49:38 2022
    On unix it's like a five minute job if you've never done it before, including the web search for how to do it. Super easy.

    Been thinking about this:

    1) Having the well-known ports open (22/23) is more of a risk for portscan/DDOS than obfuscated ports. Not that 2222 and 2323 aren't OBVIOUS alternatives...

    2) instead of moving sshd on the internal network, just port forward 22 and 23 to 2222 and 2323 respectively in the firewall. That way when you are internal you can still just ssh user@bbs.contoso.com for admin purposes, and set your terminal software inside the network to 2222/2323. Leave 2222 and 2323 forwarded as well so if you take your laptop outside your network, you don't have to mod your terminal settings. This would keep your linux server more "standard" on the inside of your network. If I *needed* to access the terminal from outside, I have other means (VPN, TeamViewer to internal host, etc) to get to that terminal from outside the network.

    I'm gonna change that country file and then do #2.

    --- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
    * Origin: The Ratrace Losers (21:3/166)
  • From McDoob@21:4/135 to 2twisty on Thu Mar 31 20:04:32 2022
    And that's kind of my point! Why would you give any Trouble, Dick, and Hasbeen, free access to your underlying OS? Close that port, sir!

    Fine. PROVE ME WRONG. HACK ME.

    Out of respect, sir, I will refuse to accept this challenge.

    To anyone out there: Hack my board and put some obvious file in the root of the system (please don't cause damage). Show me that you CAN do it via SSH and NOT do it over Telnet.

    Again, I refuse to accept this challenge. At least hackthissite.com offered a reward. Do *not* tempt the dogs of war, for we are already foaming at the mouth!

    O twisty one: please, just close your SSH port, and be safe! (Q_Q)
    Or don't, and expect to format your machine in the near future...

    McDoob
    SysOp, PiBBS
    pibbs.sytes.net

    ... I am NOT a tagline THIEF. I am a tagline CONSERVATIONIST.

    --- Mystic BBS v1.12 A47 2021/12/24 (Raspberry Pi/32)
    * Origin: PiBBS (21:4/135)
  • From McDoob@21:4/135 to 2twisty on Thu Mar 31 20:10:10 2022
    To anyone out there: Hack my board and put some obvious file in the root of the system (please don't cause damage). Show me that you CAN do it via SSH and NOT do it over Telnet.

    Not gonna lie, I stopped reading after that sentence...

    First one to succeed gets $100 sent via Facebook Messenger.

    Note, you must show your work (so that I can FIX said problem) and you must show that you CANNOT break in over telnet.

    If you can prove the opposite ( that you CAN get in over telnet and NOT over SSH) I will send $50.

    If you can break in over BOTH, I will send $150.

    Furthermore, if you exploit a bug in Mystic to gain access, you have to show all that work, as well. We would want to make sure that g00r00 gets what he needs to plug that hole.

    Were you born stupid? Or are you just a gifted actor? (o_O)

    Remember the dogs of war I recently mentioned? Well, you just took away their leash!

    I promise you one thing: it won't be me that attempts to claim that prize. My hat is white; I don't use my superpower for personal gain.

    *HUGE* mistake, newbie! \(@_@)/

    McDoob
    SysOp, PiBBS
    pibbs.sytes.net

    ... Back up my hard drive? I can't find the reverse switch!

    --- Mystic BBS v1.12 A47 2021/12/24 (Raspberry Pi/32)
    * Origin: PiBBS (21:4/135)
  • From Andre@21:3/117 to 2twisty on Thu Mar 31 19:09:42 2022
    1) Having the well-known ports open (22/23) is more of a risk for portscan/DDOS than obfuscated ports. Not that 2222 and 2323 aren't OBVIOUS alternatives...

    It probably limits it a bit, but it's not worth the bother. Tools like Shodan can find SSH across any port, or any of the other mass scanners can do the same thing. If someone finds a zero day for OpenSSH, it's not going to make any difference what port you're listening on because it's already been scanned and found and put into a database.

    2) instead of moving sshd on the internal network, just port forward 22 and 23 to 2222 and 2323 respectively in the firewall. That way when you

    Sure, whatever works. My SSH clients all have my high port in the server profile. If you're typing into a client, that'd save you the time of adding :5555 or whatever to the end.

    I do it my way because I want my BBS client to connect on 22/23 regardless of whether I'm on or off network. I guess I could PAT from LAN to DMZ, but for me that's more effort than just changing the sshd port.

    All personal preference.


    - Andre
    --- SBBSecho 3.15-Linux
    * Origin: Radio Mentor BBS - bbs.radiomentor.org (21:3/117)
  • From 2twisty@21:3/166 to McDoob on Thu Mar 31 18:13:04 2022
    Again, I refuse to accept this challenge. At least hackthissite.com offered a reward. Do *not* tempt the dogs of war, for we are already foaming at the mouth!

    Um. I *did* offer a reward! Up to $150.

    Or don't, and expect to format your machine in the near future...

    Ah, the beauty of ZFS snapshots and automated backups.

    I'm not running this thing on a pi; I am running on (near) enterprise-grade hardware and software.

    --- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
    * Origin: The Ratrace Losers (21:3/166)
  • From 2twisty@21:3/166 to Andre on Thu Mar 31 18:16:42 2022
    ..................... If someone finds a zero day for OpenSSH, it's not going to make any difference what port you're listening on because it's already been scanned and found and put into a database.

    Furthermore, if a 0-day is found in OpenSSH, there are WAAAAAAAAAAAAY juicier targets than us that will occupy the Ransomware crowd long enough for us to close some ports and wait for the patch, which with something as critical as OpenSSH, would likely be patched quickly as soon as the exploit gets its CVE.

    --- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
    * Origin: The Ratrace Losers (21:3/166)
  • From 2twisty@21:3/166 to McDoob on Thu Mar 31 18:21:12 2022
    Remember the dogs of war I recently mentioned? Well, you just took away their leash!

    I have backups and can easily rebuild. I am offering a bug bounty, but in order to claim it, they have to reveal how they did it so that the bug can be fixed.


    I promise you one thing: it won't be me that attempts to claim that prize. My hat is white; I don't use my superpower for personal gain.

    Actually, what I asked for *was* white-hat hacking. Ethical hacking (white-hat) is done with the goal of increasing security. White hats won't hack without permission; this permission has been granted.

    If they hack me and cause damage, they won't get the bounty. If they fail to reveal their methods, no bounty.

    Granted, as bug/hack bounties go, it's a pittance. However, if it is as easy as you say, someone will snap it up soon, I will be out $150, the software will get improved, and you'll have gloating rights for at least the next 3 millennia.

    Sounds like a win/win/win to me? $150 for improved security is WELL worth it.

    --- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
    * Origin: The Ratrace Losers (21:3/166)
  • From 2twisty@21:3/166 to McDoob on Thu Mar 31 18:22:42 2022
    *HUGE* mistake, newbie! \(@_@)/

    When it comes to security, I'm no n00b. I'm no haxx0r g0d by any stretch, but I am at least average or better.

    --- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
    * Origin: The Ratrace Losers (21:3/166)
  • From McDoob@21:4/135 to 2twisty on Thu Mar 31 20:44:04 2022
    I'm gonna change that country file and then do #2.

    As long as you're thinking about this, I'm happy. If you want to have an external server, these are the things you need to think about!

    McDoob
    SysOp, PiBBS
    pibbs.sytes.net

    ... A penny saved is not very much

    --- Mystic BBS v1.12 A47 2021/12/24 (Raspberry Pi/32)
    * Origin: PiBBS (21:4/135)
  • From McDoob@21:4/135 to 2twisty on Thu Mar 31 21:00:16 2022
    Um. I *did* offer a reward! Up to $150.

    Or don't, and expect to format your machine in the near future...

    Ah, the beauty of ZFS snapshots and automated backups.

    I'm not running this thing on a pi; I am running on (near) enterprise-grade hardware and software.

    Aw, fukkin' HELL! \(@_@)/ PLEEZE MCDOOB?

    No!

    I continue continuing to refuse. You are free to assume that you're better than me, if you wish. You won't be the first to make that mistake.

    My white hat wasn't built with felt, brother. It was built with decision.

    McDoob
    SysOp, PiBBS
    pibbs.sytes.net

    ... Isn’t it a bit unnerving that doctors call what they do "practice"?

    --- Mystic BBS v1.12 A47 2021/12/24 (Raspberry Pi/32)
    * Origin: PiBBS (21:4/135)
  • From McDoob@21:4/135 to 2twisty on Thu Mar 31 21:10:46 2022
    Remember the dogs of war I recently mentioned? Well, you just took away their leash!

    I have backups and can easily rebuild. I am offering a bug bounty, but in order to claim it, they have to reveal how they did it so that the bug can be fixed.

    I promise you one thing: it won't be me that attempts to claim that prize. My hat is white; I don't use my superpower for personal gain.

    Actually, what I asked for *was* white-hat hacking. Ethical hacking (white-hat) is done with the goal of increasing security. White hats won't hack without permission; this permission has been granted.

    If they hack me and cause damage, they won't get the bounty. If they fail to reveal their methods, no bounty.

    Granted, as bug/hack bounties go, it's a pittance. However, if it is as easy as you say, someone will snap it up soon, I will be out $150, the software will get improved, and you'll have gloating rights for at least the next 3 millennia.

    Sounds like a win/win/win to me? $150 for improved security is WELL worth it.

    Let's everyone be clear!

    Are you giving me permission to break your sh--uh...stuff?

    I don't like this. I am literally paid to be on the other side of this fence. But, if you're gonna offer me, twice, $150 USD to make you cry, well, who am I to refuse?

    Be sure that your coding dick is bigger than mine before you say 'yes' to this, sir. You may not be aware of the poop-storm of which you are enticing...

    I won't be nice. I won't leave a friendly note. I will destroy everything. You have been warned, more than once.

    McDoob
    SysOp, PiBBS
    pibbs.sytes.net

    ... There are two types of people; those who finish what they start and

    --- Mystic BBS v1.12 A47 2021/12/24 (Raspberry Pi/32)
    * Origin: PiBBS (21:4/135)
  • From Andre@21:3/117 to McDoob on Thu Mar 31 20:15:48 2022
    I won't be nice. I won't leave a friendly note. I will destroy everything. You have been warned, more than once.

    That's not whitehat and it's not ethical. But regardless, I think he should still allow it. Remote exploit and priv escalation only. No denial of service.


    - Andre
    --- SBBSecho 3.15-Linux
    * Origin: Radio Mentor BBS - bbs.radiomentor.org (21:3/117)
  • From 2twisty@21:3/166 to McDoob on Thu Mar 31 19:51:20 2022
    Are you giving me permission to break your sh--uh...stuff?

    Yes, provided that you abide by the rules I set out.

    I won't be nice. I won't leave a friendly note. I will destroy everything. You have been warned, more than once.

    This would violate the rules. Let me restate succinctly:

    1) No damage is allowed
    2) You must prove that you can get in with SSH and not Telnet (since this was your argument)
    3) You must reveal all methods and exploits used in such a way that the information can be used to patch/plug the security holes
    4) You must leave proof on the system somewhere to prove that you have root access
    5) Your documentation of the exploits/methods must be sufficiently complete to replicate your hack.
    6) Aside from the firewall and the BBS itself, you must not access any other systems.

    The above rules are the very definition of White-Hat hacking.

    Please note #2. This is the key. You can't exploit anything other than SSH (or Telnet or a bug in Mystic itself) to get in. Once in, you will likely need to perform a priv escalation attack, and so long as no damage is done to the system, use whatever.

    If you agree to the rules above, you have permission to make the attempt. The goal here is to either prove that SSH is secure or prove that it isn't, and to gather the needed info in order to MAKE it secure.

    --- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
    * Origin: The Ratrace Losers (21:3/166)
  • From DustCouncil@21:1/227 to Andre on Fri Apr 1 02:36:32 2022
    1) Having the well-known ports open (22/23) is more of a risk for portscan/DDOS than obfuscated ports. Not that 2222 and 2323 aren't OBVIOUS alternatives...

    It probably limits it a bit, but it's not worth the bother. Tools like Shodan can find SSH across any port, or any of the other mass scanners can do the same thing. If someone finds a zero day for OpenSSH, it's not going to make any difference what port you're listening on because it's already been scanned and found and put into a database.

    I have my homebrew firewall logging all ports in /etc/services - I have received no hits at all on the non-standard ssh ports, but seeing as how the majority of port thwacks are from bots, that makes sense as those bots are looking for something specific.

    I do have my SSH server displaying a banner on its non-standard port. It's been about a week; shodan hasn't picked it up yet. While the potentiality exists to simply scan all 65k+ ports on any given host, it is unclear to me whether shodan actually does this. (The banner is there so I can quickly search on a keyword to find it in shodan).

    We'll see in a few weeks. I know there are no known services that run on the port I'm running SSH on, so if shodan hits that, it'll be pretty clear they're scanning the whole port range.

    But it still is significant to me that thus far hits on that port (other than me), are zero, after a week, compared to 190 on port 22 just today so far as of 7 hours ago (the report runs every 12 hours).

    --- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
    * Origin: Shipwrecks & Shibboleths [San Francisco, CA - USA] (21:1/227)
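DustCouncil's per-port hit counts come from a firewall that logs every port listed in /etc/services and reports every 12 hours. The following is an added example, not code from the thread and not any poster's firewall: a small report builder over kernel LOG lines. It labels destination ports from an /etc/services excerpt, counts hits and distinct source addresses per port inside a 12-hour window, and can exclude the sysop's own address so a self-test on the non-standard port is not counted as a scanner hit. The log lines, the addresses, the service excerpt, the window start and port 2222 are all constructed for illustration.

```python
"""Per-port inbound hit report built from kernel LOG lines.

Added example, not code from the thread. It assumes a netfilter rule that
logs new inbound SYNs with the standard kernel LOG fields (SRC=, PROTO=,
DPT=); the log lines, the /etc/services excerpt, the addresses and the
non-standard port 2222 below are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Only the fields the report needs; the kernel emits many more between them.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)
SERVICES_RE = re.compile(r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)")

SAMPLE_SERVICES = """\
# constructed excerpt in /etc/services format
ssh             22/tcp
telnet          23/tcp
http            80/tcp
"""

# Constructed log lines: one scanner hitting 22 twice, two more hits on 22
# and 23, one hit on 2222 from the sysop's own address, one hit outside the
# reporting window, and one syslog line that is not a firewall entry at all.
SAMPLE_LOG = """\
Apr  1 00:03:11 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44512 DPT=22 SYN
Apr  1 00:03:12 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44513 DPT=22 SYN
Apr  1 01:15:40 fw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN
Apr  1 02:40:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.78 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51001 DPT=23 SYN
Apr  1 03:59:59 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=60001 DPT=2222 SYN
Apr  1 13:00:00 fw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.79 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51002 DPT=22 SYN
Apr  1 13:00:01 fw sshd[4242]: Accepted publickey for sysop from 203.0.113.9 port 60002 ssh2
"""

OWN_ADDRESSES = {"203.0.113.9"}                # the sysop's own address (assumed)
WINDOW_START = datetime(2022, 4, 1, 0, 0, 0)   # the report runs every 12 hours


def parse_services(text):
    """Map (port, proto) -> service name from /etc/services-style text."""
    names = {}
    for line in text.splitlines():
        m = SERVICES_RE.match(line.split("#", 1)[0].strip())
        if m:
            names.setdefault((int(m["port"]), m["proto"]), m["name"])
    return names


def parse_log(lines, year=2022):
    """Yield (timestamp, src, proto, dport) for each parsable LOG line."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue            # unrelated syslog traffic is skipped, not an error
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["proto"].lower(), int(m["dpt"])


def port_report(lines, services, since, hours=12, exclude=frozenset()):
    """Hits and distinct sources per (port, proto) in [since, since + hours)."""
    end = since + timedelta(hours=hours)
    hits, sources = defaultdict(int), defaultdict(set)
    for ts, src, proto, dport in parse_log(lines):
        if src in exclude or not (since <= ts < end):
            continue
        hits[(dport, proto)] += 1
        sources[(dport, proto)].add(src)
    return {
        key: {"service": services.get(key, "unassigned"),
              "hits": hits[key], "sources": len(sources[key])}
        for key in sorted(hits)
    }


def sample_report(exclude_own=False):
    """The report over the constructed sample, with or without own-address filtering."""
    return port_report(SAMPLE_LOG.splitlines(), parse_services(SAMPLE_SERVICES),
                       WINDOW_START, exclude=OWN_ADDRESSES if exclude_own else frozenset())


if __name__ == "__main__":
    for (port, proto), row in sample_report(exclude_own=True).items():
        print(f"{port}/{proto:<4} {row['service']:<11} "
              f"hits={row['hits']} sources={row['sources']}")
```

The report measures scanner noise per port, which is what the thread is arguing about; it says nothing about how exposed a service is. A port with no assigned service and zero hits only proves that nobody walking the common ports has reached it yet, and a full-range scan would put it in the same table as 22 and 23.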
  • From McDoob@21:4/135 to Andre on Thu Mar 31 23:08:10 2022
    I won't be nice. I won't leave a friendly note. I will destroy everything. You have been warned, more than once.

    That's not whitehat and it's not ethical. But regardless, I think he should still allow it. Remote exploit and priv escalation only. No denial of service.

    Just because I'm being paid to wear a white hat doesn't mean I wasn't first Gandalf the Grey...(o_-)

    McDoob
    SysOp, PiBBS
    pibbs.sytes.net

    ... If at first you don't succeed, blame your parents!

    --- Mystic BBS v1.12 A47 2021/12/24 (Raspberry Pi/32)
    * Origin: PiBBS (21:4/135)
  • From McDoob@21:4/135 to 2twisty on Thu Mar 31 23:19:38 2022
    Are you giving me permission to break your sh--uh...stuff?

    Yes, provided that you abide by the rules I set out.

    I won't be nice. I won't leave a friendly note. I will destroy everything. You have been warned, more than once.

    This would violate the rules. Let me restate succinctly:

    Therefore, I will have to, again, refuse.

    There are *no* rules, other than 'Let the best man win'. It is wise for you to tell me to desist. As I said: if I did find a way into your network, I wouldn't be nice at all. I would ensure that you would have to work hard for the chance to make that particular mistake again.

    Again, I am refusing this challenge! I whole-heartedly encourage everyone else to take part, instead!

    t(^_^t)

    McDoob
    SysOp, PiBBS
    pibbs.sytes.net

    ... Classic: A book which people praise but don't read. - Mark Twain

    --- Mystic BBS v1.12 A47 2021/12/24 (Raspberry Pi/32)
    * Origin: PiBBS (21:4/135)
  • From Spectre@21:3/101 to McDoob on Fri Apr 1 14:22:00 2022
    Remember the dogs of war I recently mentioned? Well, you just took away

    Wherever you go, you know they've been there before...


    *** THE READER V4.50 [freeware]
    --- SuperBBS v1.17-3 (Eval)
    * Origin: The future's uncertain, the end is always near. (21:3/101)
  • From boraxman@21:1/101 to Andre on Fri Apr 1 21:18:36 2022
    It probably limits it a bit, but it's not worth the bother. Tools like Shodan can find SSH across any port, or any of the other mass scanners can do the same thing. If someone finds a zero day for OpenSSH, it's not going to make any difference what port you're listening on because it's already been scanned and found and put into a database.


    They can, and I've experimented with a BBS with only SSH access, on a non-standard port, and I get repeated failed attempts at the port multiple times a day.

    The thing is, they'll be scanning telnet ports, and because that will communicate with plain text, it gives attackers a bit more of a clue of what is responding.

    Remember, with SSH, you can't assume the other end is a shell, it could be a BBS, a VPN, it could be anything.

    I guess this is another argument against telnet.

    --- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
    * Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)
  • From Nightfox@21:1/137 to Spectre on Fri Apr 1 09:26:28 2022
    Re: Re: Nightmares / Dreams
    By: Spectre to 2twisty on Fri Apr 01 2022 01:37 pm

    In most cases I expect there's not a lot critical information on a BBS worth sniffing.. what are you going to get if you hack an account, someone's mail?

    That's what I find funny about the apparent attempts I see from bots trying to brute-force into my BBS. There isn't much of value someone could get from it, but they can go ahead and spend all that time trying if they really want to. :P

    Nightfox
    --- SBBSecho 3.15-Win32
    * Origin: Digital Distortion: digdist.synchro.net (21:1/137)
  • From Spectre@21:3/101 to Nightfox on Sat Apr 2 07:51:00 2022
    That's what I find funny about the apparent attempts I see from bots trying to brute-force into my BBS. There isn't much of value someone could get from it, but they can go ahead and spend all that time trying if they really want to. :P

    I figure if they want to waste their time and mine, the least I can do is assist in wasting more of theirs :) I've got the relatively large bad user list although most try and log in with admin or root. At one stage I used to feed the SuperBBS manual back out as the failure text... before I went on the your ip has been noted and logged we'll ban you soon.

    Spec


    *** THE READER V4.50 [freeware]
    --- SuperBBS v1.17-3 (Eval)
    * Origin: The future's uncertain, the end is always near. (21:3/101)
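Spectre's bad-user list and "your IP has been noted and logged, we'll ban you soon" policy amount to a small triage rule over the login log. The following is an added example, not code from the thread and not how Spectre's or anyone else's board does it: it reads sshd's default failed-login wording, counts failures per source address, notes which usernames were tried, and bans on either of two independent triggers, a burst of failures inside a time window or any attempt against a name from the bad-user list. The log lines, the addresses, the thresholds and the bad-user list are all constructed for illustration.

```python
"""Brute-force triage over sshd log lines: who is hammering, which names
they try, and which sources to ban.

Added example, not code from the thread and not how any poster's board
works. It assumes sshd's default syslog wording ("Failed password for
[invalid user] NAME from IP port N ssh2"); the log lines, addresses,
thresholds and the bad-user list below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Names no legitimate caller on this box would ever use (constructed list).
BAD_USERS = {"root", "admin", "administrator", "oracle", "pi", "test", "guest"}
ONE_HOUR = timedelta(hours=1)

# Constructed lines: a fast scanner trying admin/root/oracle, a real user who
# fat-fingers a password then logs in with a key, and a slow attacker that
# spaces its guesses 20 minutes apart to stay under a short burst window.
SAMPLE_LOG = """\
Apr  2 06:01:10 bbs sshd[2210]: Failed password for invalid user admin from 198.51.100.40 port 40100 ssh2
Apr  2 06:01:12 bbs sshd[2210]: Failed password for root from 198.51.100.40 port 40102 ssh2
Apr  2 06:01:15 bbs sshd[2214]: Invalid user oracle from 198.51.100.40 port 40104
Apr  2 06:01:17 bbs sshd[2214]: Failed password for invalid user oracle from 198.51.100.40 port 40104 ssh2
Apr  2 06:02:00 bbs sshd[2220]: Failed password for bbsuser from 192.0.2.10 port 50200 ssh2
Apr  2 06:02:30 bbs sshd[2221]: Accepted publickey for bbsuser from 192.0.2.10 port 50201 ssh2: ED25519 SHA256:c0nstructedF1ngerpr1nt
Apr  2 06:10:00 bbs sshd[2230]: Failed password for invalid user sysop from 192.0.2.55 port 41000 ssh2
Apr  2 06:30:00 bbs sshd[2231]: Failed password for invalid user sysop from 192.0.2.55 port 41001 ssh2
Apr  2 06:50:00 bbs sshd[2232]: Failed password for invalid user sysop from 192.0.2.55 port 41002 ssh2
"""


def parse_failures(lines, year=2022):
    """Yield (timestamp, ip, user) for each failed-login line; ignore the rest."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside some `window` span."""
    times = sorted(times)
    start = 0
    for i, t in enumerate(times):
        while t - times[start] > window:      # slide the window's left edge
            start += 1
        if i - start + 1 >= threshold:
            return True
    return False


def triage(lines, bad_users=BAD_USERS, threshold=3, window=timedelta(minutes=10)):
    """Per-source summary with a ban verdict and the reasons behind it."""
    times, users = defaultdict(list), defaultdict(set)
    for ts, ip, user in parse_failures(lines):
        times[ip].append(ts)
        users[ip].add(user)
    result = {}
    for ip in times:
        reasons = []
        tried_bad = sorted(users[ip] & bad_users)
        if tried_bad:
            reasons.append("bad-user list: " + ", ".join(tried_bad))
        if burst(times[ip], threshold, window):
            reasons.append(f"{threshold}+ failures within {window}")
        result[ip] = {"failures": len(times[ip]), "users": sorted(users[ip]),
                      "ban": bool(reasons), "reasons": reasons}
    return result


if __name__ == "__main__":
    for ip, row in triage(SAMPLE_LOG.splitlines()).items():
        verdict = "BAN" if row["ban"] else "ok "
        print(f"{verdict} {ip:<15} failures={row['failures']} "
              f"users={row['users']} {row['reasons']}")
```

The sample is built so that the two triggers disagree: the fast scanner trips both, the legitimate user trips neither, and the slow attacker at 192.0.2.55 never trips the 10-minute burst rule and uses a name that is not on the list, so it is only caught once the window is widened to an hour. A username list catches the scripted "admin"/"root" traffic the posters describe; a time window is what catches a patient guesser against a real account name.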
  • From Warpslide@21:3/110 to Nightfox on Sat Apr 2 08:03:18 2022
    On 01 Apr 2022, Nightfox said the following...

    I suspect they may be UTF-8 and SyncTerm handles UTF-8, whereas other terminals and readers don't.

    Your message with SyncTerm:
    https://i.imgur.com/OMszRdU.png

    Your message with PuTTY:
    https://i.imgur.com/BCZp9dm.png

    Interesting! I just tried both Syncterm 1.0 & 1.1 on my board and it comes up the same on each. It looks like the BBS itself also needs to support UTF-8, so those of us using Mystic are currently out of luck.

    https://ibb.co/ZgQgw4P


    P.S: If anyone is looking for a version of Syncterm where copy/paste works without having to scroll back, this version appears to do the trick:

    https://sourceforge.net/projects/syncterm/files/syncterm/syncterm-1.0/


    Jay

    ... I say we nuke the site from orbit, it's the only way to be sure

    --- Mystic BBS v1.12 A48 2022/03/26 (Raspberry Pi/32)
    * Origin: Northern Realms (21:3/110)
  • From Warpslide@21:3/110 to 2twisty on Sat Apr 2 16:46:06 2022
    On 02 Apr 2022, 2twisty said the following...

    Is there a setting somewhere I need to adjust, or is it just another symptom of my bizarrely-bastard copy of Syncterm (I can't paste with mouse or ctrl-ins).

    Try this version for copy/paste:

    https://sourceforge.net/projects/syncterm/files/syncterm/syncterm-1.0/


    Jay

    ... Kettle, plug, fridge, milk, coffee. Yawn.

    --- Mystic BBS v1.12 A48 2022/03/26 (Raspberry Pi/32)
    * Origin: Northern Realms (21:3/110)
  • From Spectre@21:3/101 to Warpslide on Sun Apr 3 10:12:00 2022
    Interesting! I just tried both Syncterm 1.0 & 1.1 on my board and it comes up the same on each. It looks like the BBS itself also needs to support UTF-8, so those of us using Mystic are currently out of luck.

    Any legacy DOS system will have the same problem; it's being stored as two characters, not one.

    P.S: If anyone is looking for a version of Syncterm where copy/paste works without having to scroll back, this version appears to do the trick: https://sourceforge.net/projects/syncterm/files/syncterm/syncterm-1.0/

    Tres Strange, I'm using 1.1 with no copy/paste issues, but also under Win7 for what that's worth.

    Spec


    *** THE READER V4.50 [freeware]
    --- SuperBBS v1.17-3 (Eval)
    * Origin: The future's uncertain, the end is always near. (21:3/101)
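Warpslide's screenshots and Spectre's "stored as two characters, not one" describe the same thing: a UTF-8 client sends an accented letter as two bytes (a symbol like a smiley as three), and a board or terminal that treats every byte as one CP437 glyph draws two or three box-drawing characters instead. The following is an added example, not code from the thread and not from Mystic, SyncTerm or PuTTY: it classifies a stored message body as ASCII, UTF-8 or CP437, shows what a legacy terminal would draw, and re-encodes the body for whichever encoding the caller's terminal expects. It assumes the board keeps message text as raw bytes and knows the caller's terminal encoding; the sample bodies are constructed.

```python
"""Tell UTF-8 message bodies from CP437 ones and re-encode for the terminal.

Added example, not code from the thread or from Mystic, SyncTerm or PuTTY.
It assumes the board stores message text as raw bytes and knows (or asks)
whether the caller's terminal expects UTF-8 or CP437; the sample bodies
below are constructed.
"""

# Constructed bodies: one posted from a UTF-8 client, one from a CP437 one.
UTF8_BODY = "Résumé ☺".encode("utf-8")
CP437_BODY = "Résumé".encode("cp437")


def classify(body: bytes) -> str:
    """'ascii', 'utf-8' (strictly decodable, has high bytes) or 'cp437'."""
    if body.isascii():
        return "ascii"
    try:
        body.decode("utf-8")
    except UnicodeDecodeError:
        return "cp437"          # high bytes that are not valid UTF-8: legacy text
    return "utf-8"


def as_seen_by_cp437_terminal(body: bytes) -> str:
    """What a legacy terminal draws: every byte is one CP437 glyph, so each
    two- or three-byte UTF-8 sequence becomes two or three box/symbol
    characters. This is the 'stored as two characters, not one' effect."""
    return body.decode("cp437")


def render_for_terminal(body: bytes, terminal: str) -> bytes:
    """Bytes to send so the text displays correctly on the given terminal."""
    source = classify(body)
    if source == "ascii" or source == terminal:
        return body             # nothing to transcode
    text = body.decode(source)
    # Python's cp437 codec keeps 0x00-0x1F as control characters, so dingbats
    # such as the smiley have no CP437 code point here and become '?'.
    return text.encode(terminal, errors="replace")


if __name__ == "__main__":
    for body in (UTF8_BODY, CP437_BODY):
        print(classify(body), repr(as_seen_by_cp437_terminal(body)),
              render_for_terminal(body, "cp437"), render_for_terminal(body, "utf-8"))
```

Run stand-alone it prints, for the UTF-8 body, the legacy rendering "R├⌐sum├⌐ Γÿ║" (12 glyphs for 8 characters) next to the correctly transcoded CP437 bytes. The classification is a heuristic: a CP437 body whose high bytes happen to form valid UTF-8 sequences would be misread, which is why a board that supports UTF-8 has to record the encoding per message rather than guess it later.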