HTS Rooting Challenge 1

This is the place for ALL of the user submitted challenges. If you create a little challenge/mission/riddle/whatever, post it here.
Forum rules
Do not post missions that you did NOT create without proper citing.

HTS Rooting Challenge 1

Post by 0phidian on Mon Feb 04, 2013 1:17 am
([msg=73385]see HTS Rooting Challenge 1[/msg])

Over the weekend I have made a new unofficial challenge for hts. It's a new challenge type(-Ninjex-'s idea) that I would like to call "root that box". The program simulates a terminal and your objective is to compromise a remote server.
It can be downloaded here.
The Linux version comes in 64 and 32 bit versions. The Windows version is 64bit only(Sorry I dont have 32bit windows).

If people like it I will probably make more. Any feedback or critisism is appreciated.
I have put the source code on github if you would like to help improve the challenge or use the code to make your own challenges. ;)

Now on with the challenge.

Objectives:
1.) Identify the hosts located on the network.
2.) Identify which machine is the server and your vector of attack.
3.) Gain root access to the server.

You are connected to the network via ethernet.

The following tools and commands are available to you on your machine:
arp-scan, exit(exits the program), hydra, ifconfig, ls, nmap, ssh.

Note: Since this is just a simulation I did not program in all of the options for the tools or every bash command, only what you may need. Running a program with no arguments will tell you the options are availible and give an example.

This challenge should be easy for everyone but, if not below is a walkthrough for the challenge.
Walkthrough:

Root that Box 1:
by 0phidian

Difficulty: easy

Alright so first things first you need to identify which hosts are on the network. Just based on the names of the tools you have at your disposal you can probably guess what you are going to need. arp-scan has the word scan in it, seems appropriate. What does arp mean? Address Resolution Protocol. Heard of the old OSI Model, if not google it. So IP addresses and MAC addresses are on different layers of the OSI model. Well ARP messages are basically used to communicate between two layers. How does it work? An ARP request is sent out to every device on a network and says “hey, who ever has the IP address 192.168.56.102 send me your MAC address”. All of the devices on a network ignore this except for 192.168.56.102. When 192.168.56.102 receives this it sends an ARP response saying “Yo I'm 192.168.56.102 my MAC address is 00:00:00:00”. If you open Wireshark and start capturing some packets, you should notice plenty or ARP requests and responses. How does this help us? What we can use arp-scan to do is send ARP requests to every IP address on the network we're on. Every device on the network should respond giving you there IP and MAC addresses. Go ahead and enter arp-scan into the terminal and it will tell you the arguments that it takes. Now use arp-scan to find what hosts are on the network.

Now you have a couple IP addresses, so lets find out which one could is the server. I'm going ahead and assuming you know what to use here, if not goolge each of the tools and figure out which one would be best suited for this task. After scanning each machine you should notice that one is running certain services indicating it is the server. It is also running a particular service of interest, that will be our vector of attack. Go ahead and try to connect to the box.

It's password protected. Well we will just have to test the strength of that password then. There is a tool that we have not used yet, if you are not familiar with it go ahead an google it, I'll be here when you get back. For this challenge we'll use a dictionary attack. Luckily you have a word list in your current directory. Don't believe me go ahead and enter “ls”. Like the other tools you can enter it with no arguments and it will tell you how it is used. Remember that the point of this mission is to root the box, so when your preforming the dictionary attack remember your after the root password.

You should have the root password, now time to connect. Remember to login as root. You are now logged in as the super user on the remote server. Congratulations you compromised a Linux server and completed the challenge!
Last edited by 0phidian on Mon Feb 04, 2013 5:41 pm, edited 5 times in total.
User avatar
0phidian
Poster
Poster
 
Posts: 245
Joined: Sat Jun 16, 2012 7:04 pm
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by -Ninjex- on Mon Feb 04, 2013 1:21 am
([msg=73386]see Re: HTS Rooting Challenge 1[/msg])

Challenge Accepted!

This is going to be great :twisted:
----------------------------------------------
Says invalid coding
Doesn't work for me unfortunately 32 bit here.

-- Mon Feb 04, 2013 1:29 am --

Meh, I got it up with wine so
let's get it on!
Spreading knowledge just once a day, can help keep the script kiddies away ⠠⠵
no_hope if world.map{|person, ic = 0| ic +=1 if ignorance.include?(person)}.compact.length > (world.length / 2)
The absence of evidence is not evidence of absence.
User avatar
-Ninjex-
Addict
Addict
 
Posts: 1064
Joined: Sun Sep 02, 2012 8:02 pm
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by 1njustice on Mon Feb 04, 2013 5:01 am
([msg=73390]see Re: HTS Rooting Challenge 1[/msg])

Good little exercise :p. I'll give it a go after work!
Last updated: 01/02/2013: 14:49

Code: Select all
Challenges
Basic missions: 1 - 11 complete
User avatar
1njustice
New User
New User
 
Posts: 23
Joined: Fri Feb 01, 2013 7:26 am
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by -Ninjex- on Mon Feb 04, 2013 11:27 am
([msg=73392]see Re: HTS Rooting Challenge 1[/msg])

Eh, I can't seem to get the commands to work properly...
I'm not sure why, I keep getting invalid arguments when the commands are correct. Maybe it's just the wine version, and I can't run the 64b linux file.

-- Mon Feb 04, 2013 11:34 am --

Also, keep in mind another reason for flash is to help against reverse engineering.

I just got the password, this way because I couldn't get the commands working :D

I am one of those things that start with a N
Spreading knowledge just once a day, can help keep the script kiddies away ⠠⠵
no_hope if world.map{|person, ic = 0| ic +=1 if ignorance.include?(person)}.compact.length > (world.length / 2)
The absence of evidence is not evidence of absence.
User avatar
-Ninjex-
Addict
Addict
 
Posts: 1064
Joined: Sun Sep 02, 2012 8:02 pm
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by 1njustice on Mon Feb 04, 2013 12:09 pm
([msg=73393]see Re: HTS Rooting Challenge 1[/msg])

-Ninjex- wrote:Eh, I can't seem to get the commands to work properly...
I'm not sure why, I keep getting invalid arguments when the commands are correct. Maybe it's just the wine version, and I can't run the 64b linux file.

-- Mon Feb 04, 2013 11:34 am --

Also, keep in mind another reason for flash is to help against reverse engineering.

I just got the password, this way because I couldn't get the commands working :D

I am one of those things that start with a N


Way to boost my confidence! Lmao.
Last updated: 01/02/2013: 14:49

Code: Select all
Challenges
Basic missions: 1 - 11 complete
User avatar
1njustice
New User
New User
 
Posts: 23
Joined: Fri Feb 01, 2013 7:26 am
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by 0phidian on Mon Feb 04, 2013 12:35 pm
([msg=73394]see Re: HTS Rooting Challenge 1[/msg])

-Ninjex- wrote:Eh, I can't seem to get the commands to work properly...
I'm not sure why, I keep getting invalid arguments when the commands are correct. Maybe it's just the wine version, and I can't run the 64b linux file.

-- Mon Feb 04, 2013 11:34 am --

Also, keep in mind another reason for flash is to help against reverse engineering.

I just got the password, this way because I couldn't get the commands working :D

I am one of those things that start with a N


Sorry about that, I a bit too lazy to put in every possible way to use all of the tools.
For nmap it should be : nmap (IP address) or nmap -Pn (IP address) or nmap -sS (IP address)
Also for arp-scan, you are connected via ethernet(eth0). So: arp-scan --interface=eth0 (IP address or Option)
User avatar
0phidian
Poster
Poster
 
Posts: 245
Joined: Sat Jun 16, 2012 7:04 pm
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by -Ninjex- on Mon Feb 04, 2013 1:00 pm
([msg=73395]see Re: HTS Rooting Challenge 1[/msg])

Okay, the connection helps.
You should have just added in the ifconfig command and I would have been set.
I also was trying nmap -Pn 192.168.1.0/24 which should scan the entire network and show all open ports.

The work is still great so far, and I love it!
However I feel flash would be harder, but much more secure.

Also, the example for how to use arp-scan is wrong you added two "=" signs, so that kind of confused me xD
Spreading knowledge just once a day, can help keep the script kiddies away ⠠⠵
no_hope if world.map{|person, ic = 0| ic +=1 if ignorance.include?(person)}.compact.length > (world.length / 2)
The absence of evidence is not evidence of absence.
User avatar
-Ninjex-
Addict
Addict
 
Posts: 1064
Joined: Sun Sep 02, 2012 8:02 pm
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by 0phidian on Mon Feb 04, 2013 1:20 pm
([msg=73396]see Re: HTS Rooting Challenge 1[/msg])

-Ninjex- wrote:Okay, the connection helps.
You should have just added in the ifconfig command and I would have been set.
I also was trying nmap -Pn 192.168.1.0/24 which should scan the entire network and show all open ports.

The work is still great so far, and I love it!
However I feel flash would be harder, but much more secure.

Also, the example for how to use arp-scan is wrong you added two "=" signs, so that kind of confused me xD


Thanks for the feedback. Should of send it to you to test, before publishing it lol.
I'll fix the issues and re-upload it after I get done with classes today. If I make any more of these I'll be sure to include more functionallity like for nmap and more commands like ifconfig.
User avatar
0phidian
Poster
Poster
 
Posts: 245
Joined: Sat Jun 16, 2012 7:04 pm
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by fashizzlepop on Mon Feb 04, 2013 4:20 pm
([msg=73400]see Re: HTS Rooting Challenge 1[/msg])

Post it on Github and let people contribute to the code.
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.
User avatar
fashizzlepop
Developer
Developer
 
Posts: 2304
Joined: Sat May 24, 2008 1:20 pm
Blog: View Blog (0)


Re: HTS Rooting Challenge 1

Post by 0phidian on Mon Feb 04, 2013 4:32 pm
([msg=73401]see Re: HTS Rooting Challenge 1[/msg])

I fixed the issues and re-uploaded it. I also added in ifconfig. 32 bit versions should be coming soon.

Post it on Github and let people contribute to the code


I was palnning on it. When I do I'll post a link and put one in the OP.

-- Mon Feb 04, 2013 4:49 pm --

Uploaded the source to GIthub. Feel free to contribute to the code and improve the challenge or use the code to make your own challenges. ;)

-- Mon Feb 04, 2013 5:39 pm --

A 32bit version for linux has been uploaded, I dont have windows installed on my 32 bit system. So, sorry 32bit windows users you'll have to use linux in a vm or compile it from source(Try not to peek at the spoilers).
User avatar
0phidian
Poster
Poster
 
Posts: 245
Joined: Sat Jun 16, 2012 7:04 pm
Blog: View Blog (0)


Next

Return to User Submitted

Who is online

Users browsing this forum: No registered users and 0 guests