Anyone have some free time to help with a school game?


Post by brinks56 on Thu Apr 25, 2013 12:05 am

I am a second-year CS student and my Security class is playing a penetration game this semester. Each team has their own Linux machine on a common network and the objective is to escalate our privileges on the other teams' machines. I have a basic user account for all the teams and most teams have restricted shells set up. Our teacher will not provide us with any guidance or resources, but we are allowed to use any resources available outside of school. This includes asking for help from people with experience. I have little Linux experience going into this and I have taught myself some script writing. My main problem is I have no idea how to write the script on my machine and then run it on a remote machine. I also have a team leader who is root and has restricted the privileges for the rest of our team so we cannot install any tools to use. I only have nmap and a C compiler. I have searched the internet for the last few weeks and I can't find a good tutorial. Is there anyone who would want to mentor me, or at least be willing to answer some questions via email or PM? I don't have any cash (college student), but I will gladly give credit due in my presentation at the end of the semester.


I have searched a few forums and Google for help and I cannot seem to find what I am looking for.

Thanks in advance.


Re: Anyone have some free time to help with a school game?

Post by hellow533 on Thu Apr 25, 2013 12:12 am

Throw out them questions and let's see what we have.
“Teach me how to hack!”
"What, like, with an axe?"


Re: Anyone have some free time to help with a school game?

Post by brinks56 on Thu Apr 25, 2013 12:57 am

First off, thanks for replying.

Allow me to provide a better picture of what is going on. Our class is divided into 7 teams. Each team has a terminal at school and we can ssh into them from home. I have some privileges on my machine, but for some reason our team leader will not allow us to install any tools. On the other teams' machines I have a basic user account with varying degrees of freedom. There are two things I am trying to learn to begin with.

First, how do I run a script that I have written on my machine on another team's machine? I have been teaching myself script writing, but I cannot make that leap.

Second, what are some good new techniques for getting out of restricted shells? I have been able to find tutorials that are a few years old, and most of the stuff I have tried does not work. I have done a fair amount of recon on the machines that allow commands to be entered, but a few machines are very limited in the commands that can be run.

Thanks


Re: Anyone have some free time to help with a school game?

Post by hellow533 on Thu Apr 25, 2013 1:33 am

First of all, are you allowed to do anything on a physical standpoint? Do you have to prove what you did and the steps you took to do it?


Re: Anyone have some free time to help with a school game?

Post by brinks56 on Thu Apr 25, 2013 2:10 am

hellow533 wrote: First of all, are you allowed to do anything on a physical standpoint?


No, we are not allowed to access another team's physical machine. That would have been great as everyone in the class has unrestricted access to the lab, but there are cameras.

There were only 2 other rules my professor gave us. She could not help us, and we could not use DoS attacks.

hellow533 wrote: Do you have to prove what you did and the steps you took to do it?

Yes, my professor gave us these recommendations that she will use to score each attack.

Screen Dumps
Technical Description of Approach
Vulnerability Exploited
Tools/Scripts Used
Specific Process
Suggested Defense Approach

I use VLC to record my screen each time I ssh to the school server. That way if I figure something out I have a record of it, and I can see what I did for future reference on other machines.

I am not so concerned with successfully exploiting a machine as I am with learning the process of exploitation and privilege escalation because a large part of our grade is demonstrating what we have learned in a presentation at the end. I would however like to be able to exploit a machine if I could.

Also,


Re: Anyone have some free time to help with a school game?

Post by hellow533 on Thu Apr 25, 2013 10:47 pm

I really need to learn the background to your shells a bit more first, but I believe you could set up a RAT if they're stupid enough to fall into it. From there see what you could do. It depends on the firewall and protection of the machines, if the computers have access to the internet and how far that access goes, how much authorization OTHER users have on their machines, and if you're allowed to set up a RAT to pen test their computer, as well as if they're able to fall into the RAT trap.

Generally man in the middle attacks won't work with SSH, but there may be something out there I'm not aware of. If you could have physical access I would suggest a hardware based man in the middle, which goes around shells.


Re: Anyone have some free time to help with a school game?

Post by brinks56 on Fri Apr 26, 2013 2:55 am

I have looked into the RAT a little bit, I will research it more Friday before I waste your time with any stupid questions.

Here is a diagram of the sandbox setup
Image

Just so you know, we must be inside this sandbox when we attack. I can attack from worf (but I cannot attack worf), and I can attack from any of the other machines.

Here is some of the recon I have done on one of the machines I am attacking. If there is anything you would like me to try to find so that I can be more helpful in you helping me, please let me know and I will do my best. I have about 6 pages of stuff about the machine, but I don't know what else would be useful.

-All access to /usr/bin is denied.
-The only thing I can find that has rwx permission for all other users is: lrwxrwxrwx. 1 root root 10 Jan 9 12:29 /var/mail -> spool/mail

I am able to invoke a shell with perl but I don't seem to have any greater access.
Image

Operating System:
Fedora release 18 (Spherical Cow)
Kernel \r on an \m (\1)
Fedora release 18 (Spherical Cow)
NAME=Fedora
VERSION="18 (Spherical Cow)"
ID=fedora
VERSION_ID=18
PRETTY_NAME="Fedora 18 (Spherical Cow)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:18"
Fedora release 18 (Spherical Cow)
Fedora release 18 (Spherical Cow)

Kernel Version Details:
Linux version 3.8.6-203.fc18.i686 (mockbuild@bkernel02) (gcc version 4.7.2 20121109 (Red Hat 4.7.2-8) (GCC) ) #1 SMP Tue Apr 9 19:54:22 UTC 2013unam
**NO ACCESS TO uname command
INFO from dmesg:
[ 6.425890] SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
vmlinuz-3.8.4-202.fc18.i686
vmlinuz-3.8.5-201.fc18.i686
vmlinuz-3.8.6-203.fc18.i686

Environmental Variables:
/etc/profile
/etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
env
set


Peripherals:
No printer
USB Devices:
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub


Re: Anyone have some free time to help with a school game?

Post by -Ninjex- on Sat Apr 27, 2013 10:23 am

If you can use outside resources, why do you not just get the Backtrack (or Kali Linux) .iso file on a USB/CD and pop that baby in? Full access to tools. You could then use xhydra (gtk-hydra) and try to run some dictionary attacks on the other machines on the network. Go get a decent dictionary, and just specify your target as their internal IP, then you can set the Username to attack as 'root'.

Also, if you find open ports on the machines from the nmap scan, you can try to exploit those with Armitage/Metasploit.

Something else you might be interested in is some old scripts I made in the past using bash. They can help protect your machine a bit more. What they do basically is restrict access to keywords such as 'ls', 'cd', 'sudo', etc., and when they try to use them, they get an additional password prompt. If they enter the wrong password once, it will first kick them out of your machine (if they are using ssh or similar), and then it will restrict all their access to one keyword and direct them to a directory called 'fail' where they cannot do anything except enter that one keyword (which they will not know). Once you type in the keyword, it will ask for the password again. If the password is successful, it will fix all keywords on the machine to default.

Here is a link to what my bash scripts do in general: https://www.youtube.com/watch?v=ldI20w2MgHI
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.
^(-.^)>


Re: Anyone have some free time to help with a school game?

Post by hellow533 on Sat Apr 27, 2013 3:33 pm

^He has limited powers and permissions, he isn't allowed to install anything on the machine. Maybe he might want to look into getting those permissions though, what the team leader doesn't know won't hurt him.


Re: Anyone have some free time to help with a school game?

Post by -Ninjex- on Sat Apr 27, 2013 3:49 pm

You don't have to install it, that's why I said use a USB/CD.