@bridgpal
Forked from f3r/HackerMission-Solution.md
Last active June 19, 2019 15:57

Here is the Student Assessment

Mission Brief

Morning 007s.

Your mission, should you choose to accept it, is to identify and eliminate the hacker who breached our secure data centers.

The identities of all your fellow WDI agents will be exposed, and they will all be in great danger if we don't react fast.

Our security records show the following log entries for access to the servers:

Server Access Log

********************************************************************************************
* Server: //H4rry-Web3.wdiLovesBond.ga
* File:   /var/log/nginx/access/20150407-2.log
********************************************************************************************
*
*         ________   ________    _________  ____________;_
*         - ______ \ - ______ \ / _____   //.  .  ._______/
*        / /     / // /     / //_/     / // ___   /
*       / /     / // /     / /       .-'//_/|_/,-'
*      / /     / // /     / /     .-'.-'
*     / /     / // /     / /     / /
*    / /     / // /     / /     / /
*   / /_____/ // /_____/ /     / /
*   \________- \________-     /_/
*
* 2015-04-07 04:32 |                          SYSTEM BREACH ALERT.  IP Detected 72.21.92.59
*
********************************************************************************************

Server Error Log

********************************************************************************************
* Server: //f3r-is-the-hacker.wdiLovesBond.ga
* File:   /var/log/nginx/error/20150407.log
********************************************************************************************
*                                                              http://towel.blinkenlights.nl
*
*
*
*                                        ,-/o"O`--.._      _/(_
*                                  _,-o'.|o 0 'O o  O`o--'.  e\
*                  (`o-..___..--''o:,-'  )o /._" O "o 0 o : ._>
*                   ``--o___o..o.''     :'.O\_ ```--.\o .' `--
*                                          `-`.,)      \`.o`._
*                                                       `-`-.,)****>> Follow the Repo --->>>
*
********************************************************************************************

MISSION OBJECTIVES

Your objective is to identify the hacker who intruded on our systems, and save all our fellow classmates from a terrible death. We are counting on you!

1. Seek the Hacker's Location

First, we must figure out in which city in the world that IP is located. Fast!

Solution

Go to IPLocation and input the IP address we identified in the logs: 72.21.92.59

| IP Address | Country | Region | City | ISP |
|--|--|--|--|--|
| 72.21.92.59 | United States | California | Santa Monica | Edgecast Networks Inc. |

2. Access the Website

There is a website in the logs (http://towel.blinkenlights.nl). What does it contain?

Solution

Forbidden

You don't have permission to access / on this server.

Apache Server at towel.blinkenlights.nl Port 80

3. Find a Back-Door

Dead end. We can't access his server. We will have to find a way around it. We know that a server can have many ports, and each port is the entry gate for a different service.

Since the webserver doesn't give us any information about the hacker, we will need to dig deeper.

  1. Please install Nmap ("Network Mapper") with Homebrew
  2. Find the IP address of towel.blinkenlights.nl
  3. Run Nmap, a free and open-source utility for network discovery and security auditing. To run it, simply call `nmap IP_ADDRESS`

Solution

Installing nmap

  $ brew install nmap

Finding the IP

 $ ping towel.blinkenlights.nl

 PING towel.blinkenlights.nl (94.142.241.111): 56 data bytes
 64 bytes from 94.142.241.111: icmp_seq=0 ttl=51 time=280.347 ms

 --- towel.blinkenlights.nl ping statistics ---
 1 packets transmitted, 1 packets received, 0.0% packet loss
 round-trip min/avg/max/stddev = 280.347/280.347/280.347/0.000 ms

Running nmap

 $ nmap 94.142.241.111

 Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-07 03:04 HKT
 Nmap scan report for 94.142.241.111 (94.142.241.111)
 Host is up (0.36s latency).
 rDNS record for 94.142.241.111: no-reverse-yet-please-set-it-in-service-menu.coloclue.net
 Not shown: 991 closed ports
 PORT     STATE    SERVICE
 21/tcp   open     ftp
 22/tcp   filtered ssh
 23/tcp   open     telnet
 25/tcp   filtered smtp
 80/tcp   open     http
 666/tcp  open     doom
 1068/tcp filtered instl_bootc
 6129/tcp filtered unknown
 6667/tcp open     irc

 Nmap done: 1 IP address (1 host up) scanned in 43.04 seconds

4. Services Analysis

We should see a list of open services in the output from nmap. Please describe what each of the open services does exactly.

Solution

| PORT | STATE | SERVICE | Service Information |
|--|--|--|--|
| 21/tcp | open | ftp | http://en.wikipedia.org/wiki/File_Transfer_Protocol |
| 23/tcp | open | telnet | http://en.wikipedia.org/wiki/Telnet |
| 80/tcp | open | http | http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol |
| 666/tcp | open | doom | http://en.wikipedia.org/wiki/Doom_(series) |
| 6667/tcp | open | irc | http://en.wikipedia.org/wiki/Internet_Relay_Chat |
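Producing the table above by hand is fine for nine ports, but a real scan report can run to hundreds of rows. The following Python script is an added example (not part of the original gist or the course material): it parses Nmap's normal output, keeps only the `open` rows, and renders the step 4 table, annotating each service with whether it is a cleartext protocol. The sample input is the scan output already shown in step 3; the short service descriptions in `SERVICE_INFO` are my own labels, not Nmap's, and the "cleartext" flag is a hypothetical annotation chosen for the exercise.

```python
import re

# Nmap "normal" output copied from the scan shown in step 3 of this gist.
NMAP_OUTPUT = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-07 03:04 HKT
Nmap scan report for 94.142.241.111 (94.142.241.111)
Host is up (0.36s latency).
rDNS record for 94.142.241.111: no-reverse-yet-please-set-it-in-service-menu.coloclue.net
Not shown: 991 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   filtered ssh
23/tcp   open     telnet
25/tcp   filtered smtp
80/tcp   open     http
666/tcp  open     doom
1068/tcp filtered instl_bootc
6129/tcp filtered unknown
6667/tcp open     irc

Nmap done: 1 IP address (1 host up) scanned in 43.04 seconds
"""

# One "PORT STATE SERVICE" row, e.g. "21/tcp   open     ftp".
# A trailing VERSION column (printed by `nmap -sV`) is captured when present.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Short descriptions for the services seen in the scan (my own labels, not
# Nmap's), plus whether the protocol carries credentials/data in cleartext.
SERVICE_INFO = {
    "ftp":    ("File Transfer Protocol", True),
    "telnet": ("Telnet remote terminal", True),
    "http":   ("Hypertext Transfer Protocol", True),
    "doom":   ("Port registered for the Doom multiplayer game", False),
    "irc":    ("Internet Relay Chat", True),
}


def parse_nmap(text):
    """Return one dict per port row found in Nmap's normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": (m.group(5) or "").strip(),
            })
    return ports


def open_services(text):
    """Keep only open ports and annotate each with the description table."""
    rows = []
    for p in parse_nmap(text):
        if p["state"] != "open":
            continue
        desc, cleartext = SERVICE_INFO.get(p["service"], ("unknown service", False))
        rows.append({**p, "description": desc, "cleartext": cleartext})
    return rows


def service_table(text):
    """Render the step 4 answer as a Markdown table."""
    lines = ["| PORT | STATE | SERVICE | Service Information |", "|--|--|--|--|"]
    for r in open_services(text):
        note = " (cleartext protocol)" if r["cleartext"] else ""
        lines.append(
            f"| {r['port']}/{r['proto']} | {r['state']} | {r['service']} "
            f"| {r['description']}{note} |"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(service_table(NMAP_OUTPUT))
```

Run it as `python nmap_table.py`; to use it on your own scan, pipe `nmap` output into a file and pass its contents to `service_table`. Filtered and closed rows are deliberately dropped, since only open services answer the step 4 question.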

5. TELNET

Please access the hacker's server using the Telnet protocol.

Good Luck. This message will self-destruct in 10 SECONDS.