Over the weekend I made a new unofficial challenge for hts. It's a new challenge type (-Ninjex-'s idea) that I would like to call "root that box". The program simulates a terminal and your objective is to compromise a remote server.
It can be downloaded here
The Linux version comes in 64-bit and 32-bit versions. The Windows version is 64-bit only (sorry, I don't have 32-bit Windows).
If people like it I will probably make more. Any feedback or criticism is appreciated.
I have put the source code on GitHub if you would like to help improve the challenge or use the code to make your own challenges.
Now on with the challenge.
1.) Identify the hosts located on the network.
2.) Identify which machine is the server and your vector of attack.
3.) Gain root access to the server.
You are connected to the network via ethernet.
The following tools and commands are available to you on your machine:
arp-scan, exit (exits the program), hydra, ifconfig, ls, nmap, ssh.
Note: Since this is just a simulation I did not program in all of the options for the tools or every bash command, only what you may need. Running a program with no arguments will tell you which options are available and give an example.
This challenge should be easy for everyone, but if not, below is a walkthrough for the challenge.
Root that Box 1:
Alright, so first things first: you need to identify which hosts are on the network. Just based on the names of the tools you have at your disposal you can probably guess what you are going to need. arp-scan has the word scan in it, which seems appropriate. What does ARP mean? Address Resolution Protocol. Heard of the old OSI model? If not, google it. IP addresses and MAC addresses are on different layers of the OSI model, and ARP messages are basically used to communicate between those two layers.
How does it work? An ARP request is sent out to every device on a network and says “hey, whoever has the IP address 192.168.56.102, send me your MAC address”. All of the devices on the network ignore this except for 192.168.56.102. When 192.168.56.102 receives this it sends an ARP response saying “Yo, I'm 192.168.56.102, my MAC address is 00:00:00:00”. If you open Wireshark and start capturing some packets, you should notice plenty of ARP requests and responses.
How does this help us? What we can use arp-scan to do is send ARP requests to every IP address on the network we're on. Every device on the network should respond, giving you their IP and MAC addresses. Go ahead and enter arp-scan into the terminal and it will tell you the arguments that it takes. Now use arp-scan to find what hosts are on the network.
Now you have a couple of IP addresses, so let's find out which one is the server. I'm going ahead and assuming you know what to use here; if not, google each of the tools and figure out which one would be best suited for this task. After scanning each machine you should notice that one is running certain services indicating it is the server. It is also running a particular service of interest, and that will be our vector of attack. Go ahead and try to connect to the box.
It's password protected. Well, we will just have to test the strength of that password then. There is a tool that we have not used yet; if you are not familiar with it go ahead and google it, I'll be here when you get back. For this challenge we'll use a dictionary attack. Luckily you have a word list in your current directory. Don't believe me? Go ahead and enter “ls”. Like the other tools, you can enter it with no arguments and it will tell you how it is used. Remember that the point of this mission is to root the box, so when you're performing the dictionary attack remember you're after the root password.
You should have the root password, so now it's time to connect. Remember to log in as root. You are now logged in as the super user on the remote server. Congratulations, you compromised a Linux server and completed the challenge!
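The ARP request/response exchange from the walkthrough, seen from the network owner's side: this added example (not part of the original post or the challenge's source code) decodes raw ARP payloads and flags any sender that asks for many different IP addresses in a short time, which is what a sweep of the whole subnet looks like on the wire. The MAC addresses, the 192.168.56.101 sender, the threshold and the window are assumptions chosen for the constructed sample traffic.

```python
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ip_str = lambda raw: ".".join(map(str, raw))

def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP payload; None for anything else."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": {1: "request", 2: "reply"}.get(oper, "other"),
            "sender_mac": sha.hex(":"), "sender_ip": ip_str(spa), "target_ip": ip_str(tpa)}

def find_sweepers(events, threshold=20, window=5.0):
    """events: (timestamp, arp_payload) pairs. Returns {sender_mac: peak count of
    distinct target IPs requested within `window` seconds} for senders >= threshold."""
    per_sender = defaultdict(list)
    for ts, payload in events:
        arp = parse_arp(payload)
        if arp and arp["op"] == "request":
            per_sender[arp["sender_mac"]].append((ts, arp["target_ip"]))
    flagged = {}
    for mac, reqs in per_sender.items():
        reqs.sort()
        start = peak = 0
        for end in range(len(reqs)):
            # Slide the window start forward until it spans at most `window` seconds.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            peak = max(peak, len({ip for _, ip in reqs[start:end + 1]}))
        if peak >= threshold:
            flagged[mac] = peak
    return flagged

def build_request(sender_mac, sender_ip, target_ip):
    """Helper for the constructed sample below: pack one ARP request payload."""
    to_ip = lambda s: bytes(int(p) for p in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, bytes.fromhex(sender_mac.replace(":", "")),
                       to_ip(sender_ip), b"\x00" * 6, to_ip(target_ip))

def sample_events():
    """Constructed traffic: one host sweeping a /24, one host doing ordinary lookups."""
    sweep = [(i * 0.01, build_request("08:00:27:aa:bb:01", "192.168.56.101", f"192.168.56.{i}"))
             for i in range(1, 255)]
    normal = [(t, build_request("08:00:27:aa:bb:02", "192.168.56.102", "192.168.56.1"))
              for t in (0.5, 30.0, 61.0)]
    return sweep + normal
```

Calling `find_sweepers(sample_events())` reports only the sweeping sender; the host that resolves its gateway a few times stays below the threshold.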