Lab #1: Linux basics

Due: Friday, Sep 2 11:59PM

How this lab is structured

In this lab, you will be trying to get the passwords for ten users, user1 through user10, on a Linux server. You’ll start with access to user1, and solve various problems with basic Linux commands in order to progressively get the password for the next user.

Login details

Log into the Virginia Cyber Range and start up the Lab 1 environment. Once it’s started, you can enter the desktop environment by clicking the “play” button and then desktop.example.com. The username and password for the desktop user are both student.

From the desktop, you can log in to the first user for the server with

student@desktop$ ssh [email protected]

The password for user1 is flag{batch semantic beholden checkered}

After each problem, you will get the password to the next user, which will give you access to the next problem. For instance, after solving Problem 1 you should exit the SSH session (either by using the exit command or by pressing Ctrl+D) and then log in as user2 with

student@desktop$ ssh [email protected]

Alternatively, you can log into user2 from within the server by running

user1@terminal$ ssh user2@localhost

Resources

At the end of each problem, I’ve added some of the Linux commands that I suggest you use to solve it. Note that there are many ways to solve each of these problems; you are not strictly required to use the commands I’ve suggested.

If you have never used Linux before, I would recommend taking a look at this intro, which you can also see by running

student@desktop$ man intro

in the terminal.

This lab is heavily inspired by OverTheWire’s Bandit wargame. If you’re struggling to figure out how to do this lab (or want additional Linux practice), I would recommend trying out Bandit; you can find many writeups for it online.

I highly encourage you to look up different ways of solving these problems. If you find a solution to one of these problems through an online resource like StackOverflow you are welcome to use it. However, please be sure to provide a reference for any copied-and-pasted code.

What to submit

At the end of this assignment, you should submit a document to Collab containing the password for each of the users user2 through user10. You should also write a short (1-3 sentences) description of how you solved each of the problems.

Grading

This lab is graded out of 9 points, one point per problem. For each of user2 through user10, you will get one point for getting the correct password and providing a valid solution to the user’s corresponding problem.

Problems

Problem 1

The password for user user2 is in the problem.txt file in user1’s home directory.

Suggested commands: ls, cat, less

Problem 2

user2’s home directory contains a directory problem/, which contains a bunch of randomly-named subdirectories like problem/6Ep9ZnXXDW/. The password for user3 is in a file named password.txt in one of these subdirectories.

Suggested commands: find, cat

Problem 3

user3’s home directory contains a directory problem/ once again. This time, problem/ contains many randomly-named text files like problem/PNr06wGq9o.txt. Each of these text files contains a zero-padded number followed by a password, e.g.

00017120 flag{airs cleared pressed butter}

The true password for user4 is contained in the file that starts with the highest number.

Suggested commands: cat, find, xargs, sort, tail

Hint: For this question you will probably need to understand how pipes work in Linux shells. Broadly speaking, you can use a pipe (represented by |) to feed the output of one command into the input of another. This StackOverflow question has some good answers about how pipes work and might be a good place to start.
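
The following pipeline is an added illustration, not part of the original lab handout. It runs on constructed files in the same "number, then password" format, and it uses NUL-separated names so a file name containing a space survives the trip through the pipe. The function names and sample contents are made up for the example.

```shell
#!/bin/sh
# Build constructed sample data: three files in "NUMBER flag{...}" format.
make_sample() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/problem"
    printf '00017120 flag{sample one}\n'   > "$dir/problem/aaa.txt"
    printf '00950003 flag{sample two}\n'   > "$dir/problem/b b.txt"   # name with a space
    printf '00000042 flag{sample three}\n' > "$dir/problem/ccc.txt"
    printf '%s\n' "$dir"
}

# Print the line with the highest leading number among the .txt files under $1.
highest_line() {
    find "$1" -type f -name '*.txt' -print0 |   # stage 1: NUL-separated file names
        xargs -0 cat |                          # stage 2: names become file contents
        LC_ALL=C sort |                         # stage 3: fixed-width zero padding makes
                                                #          text order equal numeric order
        tail -n 1                               # stage 4: keep only the last (largest) line
}

sample=$(make_sample)
highest_line "$sample/problem"
rm -rf "$sample"
```

Each stage reads only what the previous stage wrote, so you can build the pipeline one command at a time and inspect the intermediate output before adding the next stage.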

Problem 4

The text file problem.txt in user4’s home directory contains millions of lines of random words. The password for user5 is contained in the only line that starts with the word "hello" and ends with the word "world".

Note: you won’t be able to SSH in as user5 after getting the password, since user5 is only allowed to connect over SFTP (see next problem).

Suggested commands: grep

Problem 5

The problem setup is identical to Problem 2; however, this time you’re only able to access the server over SFTP!

Suggested commands: sftp

Hints:

  • After you log in to the server, you can run help at the sftp> prompt to see what commands you can run over SFTP. You can also run help <subcommand> to learn more about a specific SFTP subcommand.

Problem 6

user6’s home directory contains the private SSH key .ssh/id_ecdsa. Use this key to log in as user7 and get their password from /home/user7/user.txt.

Suggested commands: ssh

Problem 7

There is a process belonging to user7 on the server that is running a Python script. The password for user8 is defined in one of the environment variables of that process.

Suggested commands: ps, cat

Problem 8

There is a web server running on a port between 21000 and 22000. Figure out what port it’s running on, and then find a way to use it to read user9’s password from /home/user9/user.txt.

Suggested commands: ss, curl

Hints: curl is a common Linux utility for crafting HTTP requests. In theory, you could surf the internet with just curl (although I wouldn’t recommend it!).

When you run

$ curl http://www.example.com/hello/world

you’re making an HTTP GET request to /hello/world on the web server www.example.com (check out the slides on web basics for a refresher on HTTP methods). Indeed, if you add the flag -v to your curl command, you should see a line like GET /hello/world HTTP/1.1 somewhere in the output.

Once you figure out the port number of the web server, the first request you should make to the server is

$ curl http://localhost:port_number/

This command makes a GET request to / on the server; you can think of this as fetching the “home page” of the server. The response to your request should be some nicely-formatted text output that includes the name of the program running the server, as well as some interesting URLs that you can query on it.

To solve this problem, you should start by using curl to make HTTP requests to those URLs; what do you get back? You should also think about the name of the web server (which you should have seen when you queried its “home page”). Given that name, what do you expect this server to do? Once you’ve figured out what the server is doing, start thinking about how you might trick it in a way that will allow you to learn the contents of /home/user9/user.txt.

This is the toughest problem of this assignment! This problem asks you to reason about what a program is doing without being able to see its source code. Try making a lot of different requests to the web server and see what you get, and look at the linked page on LFI vulnerabilities below for more ideas.

  • Once you’ve found the port of the web server, use curl to figure out what it’s doing.
  • Once you’ve figured out the port, the only command that you should need to solve the problem is curl.
  • Look up how local file inclusion (LFI) vulnerabilities work, as well as some examples of LFI exploitation. This page from OWASP may also be useful to you.
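
To see the LFI idea from the server’s side, here is an added example (not the lab server’s code, which this handout does not show). It puts a naive file handler next to a hardened one and runs both on a constructed directory tree. The function names, file names and contents are all made up for the example.

```shell
#!/bin/sh
# Constructed tree: a document root "www" with one public file, a file that
# lives outside the root, and a symlink inside the root that points outside.
make_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/www"
    echo 'public page'      > "$t/www/index.txt"
    echo 'outside the root' > "$t/secret.txt"
    ln -s ../secret.txt "$t/www/link.txt"
    printf '%s\n' "$t"
}

# Naive handler: joins the requested path onto the root with no check,
# so the kernel resolves any "../" segments when the file is opened.
serve_naive() {       # $1 = document root, $2 = path taken from the request
    cat "$1/$2"
}

# Hardened handler: canonicalise first (resolving ".." and symlinks),
# then serve only if the result is still underneath the root.
serve_checked() {
    root=$(readlink -f "$1") || return 2
    target=$(readlink -f "$root/$2" 2>/dev/null) || return 1
    case "$target" in
        "$root"/*) cat "$target" ;;   # trailing "/" stops a sibling like www-old matching
        *)         return 1 ;;        # resolved outside the root: refuse
    esac
}

tree=$(make_tree)
serve_naive   "$tree/www" ../secret.txt                      # content from outside the root
serve_checked "$tree/www" ../secret.txt || echo 'refused'    # traversal rejected
serve_checked "$tree/www" link.txt      || echo 'refused'    # symlink escape rejected
serve_checked "$tree/www" index.txt                          # legitimate request served
rm -rf "$tree"
```

The check compares canonical paths rather than searching the request string for "..", which is why the symlink case is caught as well.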

Problem 9

user9 has permissions to run sudo as user10. Figure out what commands you can run as user10, and find a way to use those commands to read /home/user10/user.txt.

Suggested commands: sudo