Hack Troubleshooting Scenarios

Hacking Scenarios
# Name Level Time Type
1 "Taipei": Come a-knocking Easy 15 m Hack

Scenario: "Taipei": Come a-knocking

Level: Easy

Type: Hack

Access: Email

Description: There is a web server on port :80 protected with Port Knocking. Find the one "knock" needed (sending a SYN to a single port, not a sequence) so you can curl localhost.

Test: Executing curl localhost returns a message with md5sum fe474f8e1c29e9f412ed3b726369ab65. (Note: the resulting md5sum includes the new line terminator: echo $(curl localhost))

Time to Solve: 15 minutes.

2 "Paris": Where is my webserver? Medium 15 m Hack

Scenario: "Paris": Where is my webserver?

Level: Medium

Type: Hack

Access: Email

Description: A developer put an important password on his webserver at localhost:5000. However, he can't find a way to recover it. This scenario is easy to do once you realize the one "trick".

Find the password and save it in /home/admin/mysolution, for example: echo "somepassword" > ~/mysolution

Scenario credit: PuppiestDoggo

Test: md5sum ~/mysolution returns d8bee9d7f830d5fb59b89e1e120cce8e

Time to Solve: 15 minutes.

3 "Constanta": Jumping Frog Medium 20 m Hack

Scenario: "Constanta": Jumping Frog

Level: Medium

Type: Hack

Access: Email

Description: This is a "hacking" or Capture The Flag challenge. You need to copy the message at /home/user3/secret.txt into the /home/admin/solution.txt file.

Test: Running md5sum /home/admin/solution.txt returns the hash 7fe16554d0b326309d980314cebc2994

The "Check My Solution" button runs the script /home/admin/agent/check.sh, which you can see and execute.

Time to Solve: 20 minutes.

4 "La Rinconada": Elevating privileges Medium 15 m Hack

Scenario: "La Rinconada": Elevating privileges

Level: Medium

Type: Hack

Access: Email

Description: You are logged in as the user "admin" without general "sudo" privileges.
The system administrator has granted you limited "sudo" access; this was intended to allow you to read log files.

Your mission is to find a way to exploit this limited sudo permission to gain a full root shell and read the secret file at /root/secret.txt
Copy the content of /root/secret.txt into the /home/admin/solution.txt file, for example: cat /root/secret.txt > /home/admin/solution.txt (the "admin" user must be able to read the file).

Test: As the user "admin", md5sum /home/admin/solution.txt returns 52a55258e4d530489ffe0cc4cf02030c (we also accept the hash of the same secret string without an ending newline).

The "Check My Solution" button runs the script /home/admin/agent/check.sh, which you can see and execute.

Time to Solve: 15 minutes.

5 "Annapurna": High privileges Medium 20 m Hack

Scenario: "Annapurna": High privileges

Level: Medium

Type: Hack

Access: Email

Description: You are logged in as the user admin.

You have been tasked with auditing the admin user privileges in this server; "admin" should not have sudo (root) access.

Exploit this server so that you, as the admin user, can read the file /root/mysecret.txt
Save the content of /root/mysecret.txt to the file /home/admin/mysolution.txt, for example: echo "secret" > ~/mysolution.txt

Test: Running md5sum /home/admin/mysolution.txt returns 47ee165a2262476f6866902a93f2a41d. (We also accept the md5sum of the same file without a newline at the end).

The "Check My Solution" button runs the script /home/admin/agent/check.sh, which you can see and execute.

Time to Solve: 20 minutes.

6 "Amsterdam": Cron Hijack Medium 15 m Hack New

Scenario: "Amsterdam": Cron Hijack

Level: Medium

Type: Hack

Access: Email

Description: You are logged in as the user admin. A cron job (not a systemd timer) appears to be running as root every minute, related to a health check.
On this server, root's PATH is /home/admin:/usr/local/bin:/usr/bin:/bin

Your mission is to find the running cron job, and use it to exploit the server so you can read the secret file at /root/secret.txt

Save the secret string from the secret file to the file /home/admin/solution.txt.

Test: cat /home/admin/solution.txt displays the same string that is in /root/secret.txt, with md5sum /home/admin/solution.txt returning c6ef5d3ea5e937ae56f8635f91cc727a (the solution string without an ending newline is also accepted)

The "Check My Solution" button runs the script /home/admin/agent/check.sh, which you can see and execute.

Time to Solve: 15 minutes.

7 "Roseau": Hack a Web Server Hard 30 m Hack

Scenario: "Roseau": Hack a Web Server

Level: Hard

Type: Hack

Access: Email

Description: There is a secret stored in a file that the local Apache web server can provide. Find this secret and save it as the file /home/admin/secret.txt.

Note that on this server the admin user is not a sudoer.

Also note that the password crackers Hashcat and Hydra are installed from packages, and John the Ripper binaries have been built from source in /home/admin/john/run

Test: sha1sum /home/admin/secret.txt |awk '{print $1}' returns cc2c322fbcac56923048d083b465901aac0fe8f8

Time to Solve: 30 minutes.

8 "Monaco": Disappearing Trick Hard 30 m Hack

Scenario: "Monaco": Disappearing Trick

Level: Hard

Type: Hack

Access: Email

Description: There is a web server on :5000 with a form. POSTing the correct form password into this web service will return a secret.

Save this secret provided by the web page (not the password you sent to it) to /home/admin/mysolution, for example: echo "SecretFromWebSite" > ~/mysolution

TIP: a developer worked on the web server code in this VM, using the same 'admin' account.

Scenario credit: PuppiestDoggo

Test: md5sum /home/admin/mysolution returns a250aa19f16dda6f9fcef286f035ec4b

Time to Solve: 30 minutes.

9 "Madrid": exploiting capabilities Hard 20 m Hack New

Scenario: "Madrid": exploiting capabilities

Level: Hard

Type: Hack

Access: Email

Description: You are logged in as the admin user without sudo privileges.

A secret string is in the file /root/flag.txt and you don't have permission to read it directly.

However, a standard system binary has been misconfigured with a "hidden" capability that allows it to bypass file permissions.

Your mission is to find the misconfigured binary and use it to copy the content of /root/flag.txt into the file /home/admin/flag.txt.

Test: cat /home/admin/flag.txt displays the same string that is in /root/flag.txt, with md5sum /home/admin/flag.txt returning a43d338b0fc1dfb0c6425aa55e24c8c6 (the solution string without an ending newline is also accepted)

The "Check My Solution" button runs the script /home/admin/agent/check.sh, which you can see and execute.

Time to Solve: 20 minutes.

10 "Anatolia": compromised server Hard 20 m Fix New

Scenario: "Anatolia": compromised server

Level: Hard

Type: Fix

Access: Email

Description: This web server has been compromised and is not serving the home page anymore. Your DevOps troubleshooting skills are urgently needed to solve the mystery of the missing home page and restore the integrity of the server.

Note: The default configuration files under /etc/apache2 are not the problem.

This scenario is based on a real server that was "hacked". Ideally, you'd recover from infrastructure-as-code playbooks and clean data backups on a new server with the vulnerabilities fixed. Instead, in this exercise you are asked to manually clean the compromised server, restore it to a working condition and, ideally, find out how the server was broken into. The solution test only checks that the web service is working.

Test: curl localhost must return SadServer - Anatolia

The "Check My Solution" button runs the script /home/admin/agent/check.sh, which you can see and execute.

Time to Solve: 20 minutes.

Updated: 2026-04-14 14:55 UTC – 1010d4d