forked from root/public
xpetit
3 years ago
committed by
GitHub
13 changed files with 312 additions and 8 deletions
@ -0,0 +1,48 @@
|
||||
## add-vm |
||||
|
||||
### Add a virtual machine |
||||
|
||||
We provide virtual machines you need to download & add to VirtualBox. |
||||
|
||||
Each VM will contain a system in a certain state that you will need to use in order to crack the sysadmin exercises. Their names start with "01\_" in order to avoid conflict with your VM names. |
||||
|
||||
You can download these VM here : |
||||
|
||||
https://assets.01-edu.org/sys |
||||
|
||||
For this exercise you need to download the archive : [01_add-vm.tar.gz](https://assets.01-edu.org/sys/01_add-vm.tar.gz). |
||||
|
||||
Extract it in the folder `VirtualBox VMs` which is located in your [home directory](https://en.wikipedia.org/wiki/Home_directory). |
||||
|
||||
In VirtualBox : |
||||
|
||||
- Select on the menu bar : <u>M</u>achine → <u>A</u>dd |
||||
- Open the file `01_add-vm.vbox` |
||||
|
||||
The VM should appear on the list under the name "01_add-vm". |
||||
|
||||
### Snapshots |
||||
|
||||
A snapshot is a state of a system at a given time, just like a version or a copy. |
||||
|
||||
Let's imagine that you want to modify a text or a drawing, that you make a copy before, keeping the original... This is a snapshot. |
||||
|
||||
Software that makes extensive use of this feature : |
||||
|
||||
- Git (a commit is a snapshot) |
||||
- Windows System Restore (a restore point is a snapshot) |
||||
- macOS Time Machine (each backup is a snapshot) |
||||
- Linux LVM (Logical Volume Manager) |
||||
- Filesystems : Btrfs, ZFS |
||||
- Hypervisors like the one you are currently using : VirtualBox |
||||
|
||||
**We recommend that this be the first thing you do after importing a VM.** |
||||
This way you can break it, go in the wrong direction or want to try another way and at any time you can go back to the original state. |
||||
|
||||
If you forgot to do so and want to make a fresh start, you can always delete the VM (all files) and add it again in VirtualBox. |
||||
|
||||
### Check |
||||
|
||||
Since all VMs are based on this one, check that it is working properly by starting and stopping it gracefully (`poweroff` or ACPI shutdown). |
||||
|
||||
The password is a single space. |
||||
@ -0,0 +1,17 @@
|
||||
#### Functional |
||||
|
||||
##### Ask the auditee to start VirtualBox. |
||||
|
||||
###### Is VirtualBox correctly installed on the auditee's machine? |
||||
|
||||
##### Ask the auditee to show you the VM `01_add-vm`. |
||||
|
||||
###### Does the VM appears correctly on the list under the name `01_add-vm`? |
||||
|
||||
##### Ask the auditee to make a "snapshot". |
||||
|
||||
###### Was the auditee able to make a "snapshot" of the VM? |
||||
|
||||
##### Ask the auditee to start and stop the VM. (reminder the password is a single space) |
||||
|
||||
###### Was the auditee able to start and stop the VM? |
||||
@ -0,0 +1,70 @@
|
||||
## connect |
||||
|
||||
To communicate over a network, a computer must have an IP address. |
||||
|
||||
The computer can choose its own IP address (static) or can ask a DHCP server to assign one (dynamic). |
||||
|
||||
Generally, clients (smartphones, laptops, etc...) rely on DHCP servers to have a dynamic IP address and servers have a static IP address. |
||||
|
||||
For this project you will need to add these 3 VM : |
||||
|
||||
- [01_connect_box](https://assets.01-edu.org/sys/01_connect_box.tar.gz) |
||||
- [01_connect_machine1](https://assets.01-edu.org/sys/01_connect_machine1.tar.gz) |
||||
- [01_connect_machine2](https://assets.01-edu.org/sys/01_connect_machine2.tar.gz) |
||||
|
||||
The VM are configured like this : |
||||
|
||||
``` |
||||
N E T W O R K S C O M P U T E R S |
||||
_______________________________ ________________________ |
||||
|
||||
.-----------------------------. |
||||
| Internet | |
||||
'-----------------------------' |
||||
^ |
||||
| |
||||
v |
||||
.-----------------------------. |
||||
| VirtualBox NAT | |
||||
| | |
||||
| DHCP server | .----------------------. |
||||
| DNS server | | box | |
||||
| | | | |
||||
| (10.0.2.2) NIC |<--->| enp0s8 (10.0.2.15) | |
||||
| | | ^ | |
||||
'-----------------------------' | | | |
||||
.-----------------------------. | | | |
||||
| VirtualBox Internal Network | | | DHCP server | |
||||
| | | v | |
||||
| |<----->| enp0s3 (192.168.0.1) | |
||||
| | | | | |
||||
| | | '----------------------' |
||||
| | | .----------------------. |
||||
| | | | machine1 | |
||||
| | | | | |
||||
| |<----->| enp0s3 (192.168.0.2) | |
||||
| | | | | |
||||
| | | '----------------------' |
||||
| | | .----------------------. |
||||
| | | | machine2 | |
||||
| | | | | |
||||
| |<----->| enp0s3 (192.168.0.2) | |
||||
| | | | |
||||
'-----------------------------' '----------------------' |
||||
``` |
||||
|
||||
You will only have control over "machine2". This computer have Internet access through the "box". |
||||
|
||||
Start the 3 VM and test on machine2 the connectivity quality with this command : |
||||
|
||||
``` |
||||
timeout --signal SIGINT 1m ping google.com |
||||
``` |
||||
|
||||
After one minute the result shows the percentage of lost packets. It should be quite high (above 10%). |
||||
machine1 and machine2 have the same IP address, which leads to connectivity problems. |
||||
|
||||
Find how to : |
||||
|
||||
- change the IP address to avoid the conflict |
||||
- make the IP address dynamic (attributed by the box DHCP server) |
||||
@ -0,0 +1,15 @@
|
||||
#### Functional |
||||
|
||||
###### Is VirtualBox installed? |
||||
|
||||
###### Are the 3 VMs, 01_connect_box, 01_connect_machine1, and 01_connect_machine2 properly added to VirtualBox? |
||||
|
||||
#### General |
||||
|
||||
##### Ask the auditee to start the 3 VMs in Virtual Box. Ask him to change the IP address of machine2. |
||||
|
||||
###### Ask the auditee this command `timeout --signal SIGINT 1m ping google.com`. Is the number of lost packets close to 0%? |
||||
|
||||
##### Ask the auditee make the IP address dynamic and explain the process. |
||||
|
||||
###### Ask the auditee this command `timeout --signal SIGINT 1m ping google.com`. Is the number of lost packets still close to 0%? |
||||
@ -1,7 +1,13 @@
|
||||
#### Functional |
||||
|
||||
###### Is VirtualBox correctly installed ? |
||||
##### Ask the auditee to start VirtualBox. |
||||
|
||||
###### Does the virtual machine boot Debian properly (in less than 2 minutes) ? |
||||
###### Is VirtualBox correctly installed on the auditee's machine? |
||||
|
||||
###### After the boot is complete, does the system react to the ACPI Shutdown and does the virtual machine stop ? |
||||
##### Ask the auditee to show you his VM with a version of debian already installed. |
||||
|
||||
###### Does the virtual machine boot Debian properly (in less than 2 minutes)? |
||||
|
||||
##### After the boot is completed, ask the auditee to shutdown his VM with the ACPI Shutdown. |
||||
|
||||
###### Does the system react to the ACPI Shutdown and does the virtual machine stop? |
||||
|
||||
@ -0,0 +1,27 @@
|
||||
#### Functional |
||||
|
||||
##### Ask the auditee to start VirtualBox. |
||||
|
||||
###### Is VirtualBox correctly installed on the auditee's machine? |
||||
|
||||
#### General |
||||
|
||||
##### Ask the auditee to login as a user in one terminal. |
||||
|
||||
###### Has the password been correctly changed to "michelle"? |
||||
|
||||
##### Ask the auditee to login as a superuser (root) in another terminal. |
||||
|
||||
###### Has the password been correctly changed to "michelle"? |
||||
|
||||
##### Ask the auditee to execute a command to show you the inode of a file. (The inode is a number) |
||||
|
||||
###### Has the auditee correctly shown you (and if necessary explained) the inode of a file? |
||||
|
||||
##### Ask the auditee to execute a command to show you the current user ID (it is also a number). |
||||
|
||||
###### Has the auditee correctly shown you (and if necessary explained) the id a the user? |
||||
|
||||
##### Ask the auditee to execute a command to show you the PID (another number) of a program (like bash for example). |
||||
|
||||
###### Has the auditee correctly shown you (and if necessary explained) the PID a program? |
||||
@ -0,0 +1,29 @@
|
||||
## remote |
||||
|
||||
### Connect |
||||
|
||||
To type commands in a distant shell, you can use your peripherals (keyboard, monitor) or [SSH](<https://en.wikipedia.org/wiki/SSH_(Secure_Shell)>). |
||||
|
||||
It is more comfortable to use SSH because you can use your usual terminal, with the right keymap, theme, etc. |
||||
|
||||
Do to this exercise you will need to add this VM : |
||||
|
||||
- [01_remote](https://assets.01-edu.org/sys/01_remote.tar.gz) |
||||
|
||||
Because the VM is behind the VirtualBox NAT router you can't access it directly. Unless you add a port forwarding rule in the VM settings that maps a host port to a guest port. Host refers to your machine and guest to the VM. |
||||
|
||||
Host & guest IP addresses don't need to be specified, guest port needs to be 22 because that's SSH default listening port. |
||||
|
||||
Then connect to it via SSH (this is the only way since consoles are disabled) : |
||||
|
||||
``` |
||||
ssh -p HOST_PORT root@localhost |
||||
``` |
||||
|
||||
### Configure |
||||
|
||||
It is recommended to change the default SSH port (22) to prevent bots from trying to connect to it. |
||||
|
||||
Since we are pretending that the guest VM is a server, change the SSH service port and make sure the port forwarding of the Virtual NAT network still works ! |
||||
|
||||
In addition, you will need to allow the new port in the firewall `ufw`. |
||||
@ -0,0 +1,21 @@
|
||||
#### Functional |
||||
|
||||
###### Is VirtualBox installed? |
||||
|
||||
###### Is the VM, 01_remote, added to VirtualBox? |
||||
|
||||
#### General |
||||
|
||||
##### The auditeee is supposed to set a port forwarding rule in the VM settings that maps the host port to a guest port. |
||||
|
||||
##### Ask the auditee to show you that rule in the settings or to set it up if it is not done yet. |
||||
|
||||
##### Ask the auditee to connect to the VM via SSH thru the host port. |
||||
|
||||
###### Did the auditee manage to connect via SSH with either this command: `ssh -p22 root@localhost` or `ssh -pANOTHER_PORT root@localhost`? |
||||
|
||||
##### If the auditee connected thru port 22, ask the auditee to change the port of the Guest VM. |
||||
|
||||
##### Ask the auditee to connect to the VM via SSH thru the new chosen host port. |
||||
|
||||
###### Did the auditee manage to connect via SSH with this command `ssh -pANOTHER_PORT root@localhost`? |
||||
@ -0,0 +1,58 @@
|
||||
## scan |
||||
|
||||
 |
||||
|
||||
> You're going to do like Trinity in the movie _The Matrix Reloaded_. Except that you're not going to turn off the electricity in a city, and you probably don't wear as much leather, but that's okay. |
||||
|
||||
--- |
||||
|
||||
By design and by default, most network entities have a high discoverability. |
||||
|
||||
Whatever your motivations for exploring a network (hacking, curiosity...), you generally proceed in this order : |
||||
|
||||
1. Scan a network to find hosts |
||||
2. Scan a host to get information (hardware, OS & exposed services) |
||||
|
||||
`1.` can be done by analyzing the link layer of Internet protocols, in particular `ARP` in order to gather MAC addresses (the identifier of a network interface, such as Wi-Fi or Ethernet cards). |
||||
|
||||
`2.` is usually performed by analyzing the network and transport layers, in particular the `IP` & `TCP` protocols with the `nmap` tool. |
||||
|
||||
For the context, when you open a website, here are the protocols involved, from the highest to lowest level (the protocols at the top depend on those at the bottom): |
||||
|
||||
- `HTTP`: application layer (website data) - messages |
||||
- `TLS`: application layer ("lock" sign) - secure connection |
||||
- `TCP`: transport layer (port number) - reliable connection |
||||
- `IP`: network layer (IP address) - global communication |
||||
- `ARP`: link layer (MAC address) - local communication |
||||
|
||||
For this challenge, you will focus on `IP`, `ARP` & `TCP`, and therefore on IP/MAC addresses and ports. |
||||
|
||||
You will need to add these 2 VM : |
||||
|
||||
- [01_scan_RRF-CONTROL](https://assets.01-edu.org/sys/01_scan_RRF-CONTROL.tar.gz) |
||||
- [01_scan_laptop](https://assets.01-edu.org/sys/01_scan_laptop.tar.gz) |
||||
|
||||
You will only have control over "laptop". A port forwarding is set on 10122 so you can connect through SSH. |
||||
|
||||
Your mission, should you choose to accept it, is to scan the network interface `enp0s8` and find a way in the server, you will know you have succeeded when you see : |
||||
|
||||
``` |
||||
RRF-CONTROL> █ |
||||
``` |
||||
|
||||
Because the VirtualBox Internal Network is very slow (10 Mbps, Ethernet is usually 1000 Mbps), expect long scan times : |
||||
|
||||
- ARP scanning takes up to 5 minutes |
||||
- port scanning takes up to half an one hour with the option `-T4` (even more without). |
||||
|
||||
May the Fourth be with you. |
||||
|
||||
--- |
||||
|
||||
--- |
||||
|
||||
 |
||||
|
||||
> Another depiction of the `nmap` tool: in _Ocean's 8_, Rihanna uses [Kali Linux](https://www.kali.org) to steal a valuable diamond. |
||||
> |
||||
> Same strategy, different styles |
||||
@ -0,0 +1,13 @@
|
||||
#### Functional |
||||
|
||||
###### Is VirtualBox installed? |
||||
|
||||
###### Are the 2 VMs, 01_scan_RRF-CONTROL and 01_scan_laptop, properly added to VirtualBox? |
||||
|
||||
#### General |
||||
|
||||
##### Ask the auditee, from the VM laptop, to get into the other VM. As a reminder the port forwarding is set to 10122. |
||||
|
||||
##### (Allow some time for the hacking to take place) |
||||
|
||||
###### Did the auditee manage to get `RRF-control` appearing on the laptop VM (did the auditee manage to get thru)? |
||||
|
After Width: | Height: | Size: 74 KiB |
|
After Width: | Height: | Size: 95 KiB |
Loading…
Reference in new issue