April 14th, 2003 11:14 AM
doese anyone know a good site about wargames tutorial?
i need to know what are the commands to be used to.
April 14th, 2003 12:05 PM
I have no friends nor enemies,ONLY COMPETITORS
April 14th, 2003 12:09 PM
A wargame is basically a box set up as a server for people to break into.
Most of these boxes run some flavour of *nix.
This OS is setup with various vulnerabilities that can be exposed so that the 'player' can escalate his/her privileges until they complete the 'game'.
You basically start of at the lowest level with a guest account, from there you search for vulnerabilities using the appropriate commands, and once this vulnerability has been found then you must make use of it to gain access to the next level, and so on.
I would really recommend learning how to use *nix, as these are the commands that you will need in order to progress through the 'game'.
There are afew tutorials here on AO that focus on *nix commands, so either have a look at them or buy yourself a good book on *nix.
It would also help if you had a flavour of *nix installed so you could mess with it yourself.
BTW, wrong forum for the question.
Hope this helped a little
April 14th, 2003 04:06 PM
Like r3b00+ said most wargames are based on *nix servers so learning nix is inevitable.
If you have familiarized yourself with *nix you could start by scanning the box for open ports using nmap or something like that.
Try using proxy servers also.
With the open ports you can start your quest in comprimizing the server. Look for appropriate exploits.
April 14th, 2003 06:28 PM
Checkout: telnet://drill.hackerslab.org and go to the hackerslab.org site for little tips and stuff...
If your tottaly clueless and is running a box like winXP then go into command promt, type telnet, type the letter o, C&P this IP and port# into DOS --> 22.214.171.124 25 (understand now?)
I don't have time to spoon feed you info but fortunetly that lady from happy hacker does... so checkout happyhacker.org for instructions on how to press buttons, point, and click. There is also some more games and things on the site...
April 15th, 2003 09:22 AM
i have an account thier, but still in on level0. how could i go to the next level.
what should i do?
April 15th, 2003 09:52 AM
You need to escalate your privileges from level0 to level1.
So in order to do this you need to look for a file that was created with level1 privileges and exploit that!
Im not going to give you the command(s), that you need to find out for yourself!
As i mentioned in my other post, read up on the *nix console commands.
Hint: You need to find these files
April 15th, 2003 12:56 PM
Learn what to do, and don't do anything too nasty!
April 25th, 2003 07:34 PM
2) Finding your wargame
3) Connecting to your wargame
4) Basic Linux/Unix commands
5) *nix files
Section 1: Disclaimer.
Wargames are legal no need for a disclaimer. :-)
Section 2: Finding your wargame.
Almost all hacker cons have a r00t-war that you can try. If you can't go to a hacker
con, or want to hack more then 1 time a year then try one of these:
126.96.36.199 : guest/guest (from pulltheplug.com)
188.8.131.52 : guest/guest (from pulltheplug.com)
184.108.40.206 : guest/guest (from pulltheplug.com)
drill.hackerslab.org : level0/guest (go to hackerslab.org to get tips)
Section 3: Connecting to your wargame.
click 'start'>'run'>type 'telnet'
Win 95-me - click the connect button at the top of the screen.
Win 2K(maybe xp/nt) - type 'open' then enter the IP and port like '220.127.116.11:80', you can
just enter the IP number to connect to the telnet port(for most wargames).
Section 4: Basic Linux/Unix commands.
Here are a few basic commands for *nix.
ls -This command lists the files and subdirectories in a directory. If you
simply type "ls", it will display the files in your current directory.
You can also specify the pathname of another directory, and it will
display the files in it. It will not display hidden files (files whose
name begins with a period).
a -This option will display all files, including hidden files.
l -This will show who can run what files...
$ ls -a
. .. junk source
man -This is one of the most important commands I can think of, it is the
manual command. It is used to that you can find info on other commands
and even some of files.
$ man man
man - format and display the on-line manual pages
man path - determine user's search path for man pages
man formats adn displays the on-line manual pages. If you
specify section, man only looks in that section of the
manual. name is normally the name of the manual page,
which is typically the name of a command, function, or
file. HOwever, if name contains a slash (/) then man
interprets it as a file specification, so that you can do
man ./foo.5 or even man /cd/foo/bar.1.gz.
cd -This is the command used to move from one directory to another. To go
to a directory directly below your current directory, type "cd
<dirname>". To move up to the directory directly above your current
directory, type "cd .." You can also jump to any directory in the
system from any other directory in the system by specifying the path-
name of the directory you wish to go to, such as "cd /usr/source".
pwd -This prints out the pathname of the directory you are currently in.
Useful if you forget where you're at in the system tree.
cat -Displays the contents of a text file on the screen. The correct syntax
is "cat <filename>". You can use base-names or pathnames.
Remember to feed the cat!
rm -This deletes a file. Syntax: "rm <filename>".
cp -Copies a file. Syntax: "cp file1 file2", where file1 is the file you
wish to copy, and file2 is the name of the copy you wish to create. If
file2 already exists, it will be overwritten. You may specify pathnames
for one or both arguments.
$cp /usr/junk /usr/junk.backup
stty -Displays/sets your terminal characteristics. To display the current
settings, type "stty". To change a setting, specify one of the options
echo -System echoes back your input.
noecho -System doesn't echo your input.
intr 'arg' -Sets the break character. The format is '^c' for control-c,
etc. '' means no break character.
erase 'arg' -Sets the backspace character. Format is '^h' for control-h,
etc. '' means no backspace character.
kill 'arg' -Sets the kill character (which means to ignore the last line
you typed). Format is the same as for intr and erase,
'^[character]', with '' meaning no kill character.
$stty intr '^c' erase '^h'
stty -echo intr '^c' erase '^h' kill '^x'
lpr -This command prints out a file on the Unix system's printer, for you
to drop by and pick up (if you dare!) The format is "lpr <filename>".
ed -This is a text file line editor. The format is "edit <filename>". The
file you wish to modify is not modified directly by the editor; it is
loaded into a buffer instead, and the changes are only made when you
issue a write command. If the file you are editing does not already
exist, it will be created as soon as issue the first write command.
When you first issue the edit command, you will be placed at the
command prompt, ":" Here is where you issue the various commands. Here
is list of some of the basic editor commands.
# -This is any number, such as 1, 2, etc. This will move you down
to that line of the file and display it.
d -This deletes the line you are currently at. You will then be
moved to the previous line, which will be displayed.
a -Begin adding lines to the file, just after the line that you
are currently on. This command will put you in the text input
mode. Simply type in the text you wish to add. To return to the
command mode, type return to get to an empty line, and press
the break key (which is whatever character you have set as your
break key). It is important to set the break character with
stty before you use the editor!
/ -Searches for a pattern in the file. For example, "/junk" would
search the file from your current line down for the first line
which contains the string "junk", and will move you to that
line if it finds one.
i -Insert. Works similar to a, except that the text is inserted
before the line you are currently on.
p -Prints out a line or lines in the buffer. "p" by itself will
display your current line. "#p" will display the line "#".
You may also specify a range of lines, such as "1,3p" which
will display lines 1-3. "1,$p" will print out the entire file.
w -Write the changes in the buffer to the file.
q -Quit the editor.
Editing "myfile" [new file]
0 lines, 0 characters
I am adding stupid text to myfile.
This is a test.
^c [this is assumed as a default break character in this example]
I am adding stupid text to myfile.
This is a test.
This is a test.
I am adding stupid text to myfile.
grep -this command searches for strings of text in text files. The format is
grep [string] [file]. It will print out every line in the file that
contains the string you specified.
v -Invert. This will print out every line that DOESN'T contain
the string you specified.
$ grep you letter
I think you're going to get caught.
who -This will show the users currently logged onto the system.
root console Mar 10 01:00
uucp contty Mar 30 13:00
bill tty03 Mar 30 12:15
Now, to explain the above output: the first field is the username of
the account. The second field shows which terminal the account is on.
Console is, always, the system console itself. On many systems where
there is only one dialup line, the terminal for that line is usually
called contty. the tty## terminals can usually be either dialups or
local terminals. The last fields show the date and time that the user
logged on. In the example above, let's assume that the current time and
date is March 30, and the time is 1:00. Notice that the time is in 24
hour format. Now, notice that the root (super-user) account logged in on
March 10! Some systems leave the root account logged in all the time on
the console. So, if this is done on a system you are using, how can you
tell if the system operator is really online or not? Use the ps
command, explained next.
ps -This command displays information about system processes.
u -this displays information on a specific user's processes. For
instance, to display the root account's processes:
$ ps -uroot
PID TTY TIME CMD
1234 console 01:00 sh
1675 ? 00:00 cron
1687 console 13:00 who
1780 tty09 12:03 sh
Now, to explain that: The first field is the process number.
Each and every time you start a process, running a program,
issuing a command, etc., that process is assigned a unique
number. The second is which terminal the process is being run
on. The third field is when the process was started. The last
field is the base name of the program or command being run.
A user's lowest process number is his login (shell) process.
Note that the lowest process in the above example is 1234.
This process is being run on the console tty, which means the
super-user is logged on at the system console. Note the ? as the
tty in the next entry, for the cron process. You can ignore any
processes with a question mark as the terminal. These processes
are not being carried out by a user; they are being carried
out by the system under that user's id. Next, note the entry
for process # 1687, on the console terminal, "who". this means
that the super-user is executing the who command...which means
he is currently actively on-line. The next entry is interesting...
it shows that the root user has a shell process on the
terminal tty09! This means that someone else is logged in
under the root account, on tty09. If more than one person is
using an account, this option will display information for all
of them, unless you specify the next option...
t -This allows you to select processes run on a specific terminal.
$ps -t console
will show all the processes currently being run on the console.
Remember, options can usually be combined. This will show all
the root user's processes being run on the system console:
$ ps -uroot -tconsole
PID TTY TIME CMD
1234 console 01:00 sh
1687 console 13:00 who
kill -Kills processes. Syntax: kill [-#] process#. You must know the process
number to kill it. You can, optionally, specify an option of 1-9, to
determine the power of the kill command. Certain kinds of processes,
like shell processes, require more power to kill. Kill -9 will stop any
process. You must have super-user capabilities to kill another user's
processes (unless he's using your account).
$kill -9 1234
write -This command is for on-line real-time user to user communications. To
communicate with a user, type "write <username>". If more than one
person is logged in under that user name, you must specify a specific
terminal you wish to speak to. When you do this, the person you wish
to communicate with will see:
Message from [your account name] tty## [<--your terminal]
Now you can type messages, and they will be displayed on that person's
terminal when you press return. When you are finished, press control-D
$ write root
**** you I'm a hacker! [This is not advised.]
mail -The Unix mail facilities, used to send/receive mail. To send mail,
type "mail <username>". Enter your message and press control-d to send.
To read your mail, type "mail". Your first letter will be displayed,
and then you will be given a "?" prompt.
Here are the legal commands you give at this point:
## -Read message number ##.
d -Delete last message read.
+ -Go to next message.
- -Move back one message.
m -Send mail to user.
s -Save last message read. You can specify the name of the file
to which it is saved, or it will be saved to the default file,
w -Same as s, but will save the message without the mail file
x -Exit without deleting messages that have been read.
q -Exit, deleting messages that have been read.
p -Print last message read again.
? -Lists these commands.
To send mail:
$ mail root
Hi bill! This is a nice system.
To read mail:
From john Thu Mar 13 02:00:00 2001
Hi bill! This is a nice system.
crypt -This is the Unix file encryption utility. Type "crypt". You will then
be prompted to enter the password. You then enter the text. Each line
is encrypted when you press return, and the encrypted form is displayed
on the screen. So, to encrypt a file, you must use I/O redirection.
Type "crypt [password] < [file1] > [file2]". This will encrypt the con-
tents of file1 and place the encrypted output in file2. If file 2 does
not exist, it will be created.
passwd -This is the command used to change the password of an account. The
format is "passwd <account>". You must have super-user capabilities to
change the password for any account other than the one you are logged
in under. To change the password of the account you are currently
using, simply type "passwd". You will then be prompted to enter the
current password. Next, you will be asked to enter the new password.
Then you will be asked to verify the new password. If you verify the
old password correctly, the password change will be complete. (Note:
some systems use a security feature which forces you to use at least
2 non-alphanumeric characters in the password. If this is the case with
the system you are on, you will be informed so if you try to enter a
new password that does not contain at least 2 non-alphanumeric characters.)
su -This command is used to temporarily assume the id of another account.
the format is "su <account>". If you don't specify an account, the
default root is assumed. If the account has no password, you will then
assume that account's identity. If it does have a password, you will
be prompted to enter it. Beware of hacking passwords like this, as the
system keeps a log of all attempted uses, both successful and un-
successful, and which account you attempted to access.
mkdir -This command creates a directory. the format is "mkdir <dirname>".
rmdir -This command deletes a directory. The directory must be empty first.
The format is "rmdir <dirname>".
mv -Renames a file. The syntax is "mv [oldname] [newname]". You can use
full pathnames, but the new name must have the same pathname as the
old name, except for the filename itself.
5: *nix files.
Here is a list and purposes of some files that are found on
/etc/passwd -This is the password file, and is THE single most important file on the system. This file is where information on the system's accounts are stored. Each entry has 7 fields:
The first field, naturally, is the account's username. The second field is the account's password (in an encrypted form).
If this field is blank, the account doesn't have a password.
The next field is the account's user number. The fourth field is the account's group number. The fifth field is for a description of the account. This field is used only in the password file, and is often just left blank, as it has no significance. The sixth field is the pathname of the account's home directory, and the last field is the pathname of the account's shell program. Sometimes you may see an account witha program besides the standard shell programs (sh, csh, etc.) as its shell program. These are "command logins". These accounts execute these programs when logging in. For example, the "who" command login would have the /bin/who program as its shell.
Here is a typical-looking entry:
This entry is for the root account. Notice that the encrypted form of the password is 13 characters, yet the Unix passwords are only 11 characters maximum. The last 2 characters are what is called a "salt string", and are used in the encryption process, which will be explained in more detail later. Now, notice the user number, which is zero. Any account with a user number of 0 has super-user capabilities. The group number is 1. The account description is "super-user". The account's home directory is the root directory, or "/". The account's shell isthe bourne shell (sh), which is kept in the directory /bin.
Sometimes you may see an entry in the password field like this:
Notice the period after the 13th character, followed by 2 digits and 2 letters. If an account has an entry like this, the account has a fixed expiration date on its password. The first digit, in this case 2, shows the maximum number of weeks that the account can keep the same password. The second digit shows how many weeks must pass before the account can change its password. (This is to prevent users from using the same old password constantly by changing the password when forced to and then changing it back immediately.) The last 2 characters are an encrypted form of when the password was last changed.
Other unusual password field entries you might encounter are:
The first entry means that the account has no password. The second entry means that the account has no password yet, but has a fixed expiration date that will begin as soon as a pass-word is given to it.
Now, for an explanation of how the Unix system encrypts the passwords. The first thing any hacker thinks of is trying decrypt the password file. This is as close to impossible as anything gets in this world. I've often heard other "hackers" brag about doing this...this is the biggest lie since Moses said "I did it". The encryption scheme is a variation on the DES (Data Encryption Standard). When you enter the command passwd (to change the password), the system will form a 2 character "salt string" based on the process number of the password command you just issued. This 2-character string produces a slight change in the way the password is encrypted.
There are a total of 4096 different variations on the encryption scheme caused by different salt string characters. This is NOT the same encryption scheme used by the crypt utility. The password is NEVER decrypted on the system. When you log on, the password you enter at the password prompt is encrypted (the salt string is taken from the password file) and compared to the encrypted entry in the password file. The system generates its own key, and as of yet, I have not discovered any way to get the key. The login program does not encrypt the password you enter itself, it does so, I believe, by a system call.
/etc/group -This is the group file. This allows the super-user to give certain accounts group access to groups other than their own.
Entries are in the format:
group nameassword:group number:users in this group
The first field is the name of the group. The second is thefield for the group password. In all my experience with Unix, I have never seen the password feature used. The third is the group's number. The fourth field is a list of the users who group access to this group. (Note: this can include users whose group number is different from the number of the group whose entry you are reading in the group file.) The usernames are separated by commas. Here's an example:
To change to a new group identity, type "newgrp [group]". Ifthe group has a password, you must enter the proper password. You cannot change to another group if you are not listed as amember of that group in the group file.
/dev/console -This is the device file for the system console, or the system's main terminal.
/dev/tty## -The device files for the system's terminals are usually in the form tty##, such as tty09, and sometimes ttyaa,ttyab, etc.
Some ways to make use of the Unix system's treatment of devices as files will be explored in the section on Hacking Unix. When these files are not in use by a user (in other words, no one's logged onto this terminal), the file is owned by root. While a user is logged onto a terminal, however, ownership of its device file is temporarily transferred to that account.
/dev/dk## -These are the device files for the system's disks.
login files -There are special files that are in a user's home directory that contain commands that are executed when the user logs in. The name of the file depends on what shell the user is using.
Here are the names of the files for the various shells:
Some systems also use a file called ".logout" that contains commands which are executed upon logoff. These types of files are called shell scripts, and will will be explained in the section on Unix Software Development's explanation of shell programming.
/usr/adm/sulog -This is a log of all attempted uses of the su utility. It shows when the attempt was made, what account made it, and which account the user attempted to assume, and whether or not the attempt was successful.
/usr/adm/acct/sum/loginlog- This is a log of all logins to the system. Thisonly includes the time and the account's username.
mbox -These are files in the home directories of the system's users, that contain all the mail messages that they have saved.
/usr/mail/<user> -These files in the directory /usr/mail are named aftersystem accounts. They contain all the unread mail forthe account they are named after.
/dev/null -This is the null device file. Anything written to this file isjust lost forever. Any attempt to read this file will result in an immediate control-D (end of file) character.
/tmp -The directory /tmp provides storage space for temporary files createdby programs and other processes. This directory will always have rwxrwxrwx permissions. Examining these files occasionally reveals some interesting information, and if you know what program generates them and the format of the information in the file, you could easily change the info in the files, thereby changing the outcome of the program.
By the way i take no credit for the tutorial because i didn't write it!
April 26th, 2003 03:29 PM
For those interested that tutorial came from http://codestorm.free2host.net/Libra...ty/wargame.txt . There may be more fun stuff found at the site.