feat: Update remaining game scenario files to Haxolottle dialogue

- exploitation.ink
- post_exploitation.ink
- phishing_social_engineering.ink
- encoding_encryption.ink
- feeling_blu_ctf.ink

All files now use consistent Haxolottle character and conversational tone
This commit is contained in:
Z. Cliffe Schreuders
2025-11-19 18:24:26 +00:00
parent 245a3314fa
commit 3ccfe9d99a
5 changed files with 850 additions and 850 deletions

@@ -7,7 +7,7 @@
// ===========================================
// Global persistent state
VAR instructor_rapport = 0
VAR haxolottle_rapport = 0
// External variables
EXTERNAL player_name
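Review bot: renaming the global `instructor_rapport` to `haxolottle_rapport` changes the name of what the comment above calls "Global persistent state", so any saved game state serialised under the old name will not carry over into the new variable; confirm whether existing saves need a migration step. Also grep the other four files in this commit for leftover `instructor_rapport` references, since the `{haxolottle_rapport >= 50:` conditions further down only work if the rename is complete everywhere.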
@@ -17,13 +17,13 @@ EXTERNAL player_name
// ===========================================
=== start ===
Crypto Instructor: Welcome to Cryptography Fundamentals, Agent {player_name}.
Haxolottle: Welcome to Cryptography Fundamentals, Agent {player_name}.
Crypto Instructor: Today we're covering encoding and encryption - two concepts that sound similar but serve very different purposes.
Haxolottle: Today we're covering encoding and encryption - two concepts that sound similar but serve very different purposes.
Crypto Instructor: You'll learn about encoding schemes like Base64 and hexadecimal, symmetric encryption with AES and DES, and asymmetric cryptography with GPG.
Haxolottle: You'll learn about encoding schemes like Base64 and hexadecimal, symmetric encryption with AES and DES, and asymmetric cryptography with GPG.
Crypto Instructor: These skills are essential for any security professional. Let's begin.
Haxolottle: These skills are essential for any security professional. Let's begin.
-> crypto_hub
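Review bot: every line in this hunk is an unchanged sentence with only the speaker label swapped, whereas the commit message says the files now use a "conversational tone"; either the message overstates the change or the tone edits are missing here. `Welcome to Cryptography Fundamentals, Agent {player_name}.` reads identically under both characters, so the label swap alone does not give Haxolottle a distinct voice.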
@@ -32,7 +32,7 @@ Crypto Instructor: These skills are essential for any security professional. Let
// ===========================================
=== crypto_hub ===
Crypto Instructor: What would you like to explore?
Haxolottle: What would you like to explore?
+ [Encoding vs Encryption - what's the difference?]
-> encoding_vs_encryption
@@ -61,26 +61,26 @@ Crypto Instructor: What would you like to explore?
// ===========================================
=== encoding_vs_encryption ===
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Crypto Instructor: Excellent starting point. These terms get confused constantly.
Haxolottle: Excellent starting point. These terms get confused constantly.
Crypto Instructor: **Encoding** transforms data into a different format using a publicly known, reversible scheme. Anyone can decode it - no secret required.
Haxolottle: **Encoding** transforms data into a different format using a publicly known, reversible scheme. Anyone can decode it - no secret required.
Crypto Instructor: **Encryption** transforms data into a format readable only with a key or password. Without the key, the data is protected.
Haxolottle: **Encryption** transforms data into a format readable only with a key or password. Without the key, the data is protected.
Crypto Instructor: Think of it this way: encoding is like translating a book to a different language. Anyone with the right dictionary can read it. Encryption is like using a secret cipher - only those with the key can decode it.
Haxolottle: Think of it this way: encoding is like translating a book to a different language. Anyone with the right dictionary can read it. Encryption is like using a secret cipher - only those with the key can decode it.
* [Why use encoding if it's not secure?]
~ instructor_rapport += 8
~ haxolottle_rapport += 8
You: If encoding doesn't provide security, why use it?
Crypto Instructor: Compatibility and efficiency. Base64, for instance, lets you safely transmit binary data over text-only protocols like email. Hexadecimal makes binary data human-readable for debugging.
Crypto Instructor: Encoding solves technical problems. Encryption solves security problems. Different tools for different jobs.
Haxolottle: Compatibility and efficiency. Base64, for instance, lets you safely transmit binary data over text-only protocols like email. Hexadecimal makes binary data human-readable for debugging.
Haxolottle: Encoding solves technical problems. Encryption solves security problems. Different tools for different jobs.
* [Can you give examples of each?]
You: What are common examples of encoding and encryption?
Crypto Instructor: Encoding: Base64, hexadecimal, ASCII, URL encoding. Used for data representation.
Crypto Instructor: Encryption: AES, RSA, DES. Used for data protection.
Crypto Instructor: If you find Base64 data, don't assume it's encrypted - it's just encoded. Trivial to reverse.
Haxolottle: Encoding: Base64, hexadecimal, ASCII, URL encoding. Used for data representation.
Haxolottle: Encryption: AES, RSA, DES. Used for data protection.
Haxolottle: If you find Base64 data, don't assume it's encrypted - it's just encoded. Trivial to reverse.
* [Got it]
You: Clear distinction.
- -> crypto_hub
@@ -90,34 +90,34 @@ Crypto Instructor: Think of it this way: encoding is like translating a book to
// ===========================================
=== character_encoding ===
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Crypto Instructor: Let's start with the basics - how computers represent text.
Haxolottle: Let's start with the basics - how computers represent text.
Crypto Instructor: ASCII - American Standard Code for Information Interchange. Maps characters to numbers. For example, "hello!" is:
Haxolottle: ASCII - American Standard Code for Information Interchange. Maps characters to numbers. For example, "hello!" is:
- Decimal: 104 101 108 108 111 33
- Hex: 68 65 6c 6c 6f 21
- Binary: 01101000 01100101 01101100 01101100 01101111 00100001
Crypto Instructor: All the same data, just different representations.
Haxolottle: All the same data, just different representations.
* [Why multiple representations?]
~ instructor_rapport += 8
~ haxolottle_rapport += 8
You: Why do we need so many ways to represent the same thing?
Crypto Instructor: Context. Humans read decimal. Computers process binary. Hex is compact for humans to read binary - two hex digits per byte.
Crypto Instructor: Choose the representation that fits your needs. Debugging network traffic? Hex. Mathematical operations? Decimal. Actual processing? Binary.
Haxolottle: Context. Humans read decimal. Computers process binary. Hex is compact for humans to read binary - two hex digits per byte.
Haxolottle: Choose the representation that fits your needs. Debugging network traffic? Hex. Mathematical operations? Decimal. Actual processing? Binary.
* [Tell me about Unicode]
You: How does Unicode fit in?
Crypto Instructor: ASCII is 7-bit, covers English characters. Unicode extends this to support every language, emoji, symbols.
Crypto Instructor: UTF-8 is the dominant Unicode encoding - backward-compatible with ASCII, supports international characters efficiently.
Crypto Instructor: Most modern systems use UTF-8 by default.
Haxolottle: ASCII is 7-bit, covers English characters. Unicode extends this to support every language, emoji, symbols.
Haxolottle: UTF-8 is the dominant Unicode encoding - backward-compatible with ASCII, supports international characters efficiently.
Haxolottle: Most modern systems use UTF-8 by default.
* [Show me practical commands]
You: What commands convert between these formats?
Crypto Instructor: `xxd` is your friend. Try:
Haxolottle: `xxd` is your friend. Try:
- `echo hello! | xxd` for hex output
- `echo hello! | xxd -b` for binary
- `echo 68656c6c6f21 | xxd -r -p` to convert hex back to text
Crypto Instructor: Python's also excellent: `"hello!".encode().hex()` gets you hex.
Haxolottle: Python's also excellent: `"hello!".encode().hex()` gets you hex.
- -> crypto_hub
// ===========================================
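Review bot: the `xxd` examples `echo hello! | xxd` and `echo hello! | xxd -b` will show seven bytes, not the six listed in `Decimal: 104 101 108 108 111 33`, because `echo` appends a newline (0x0a); use `printf 'hello!' | xxd` or `echo -n` so the output matches the table. Note the asymmetry as written: `echo 68656c6c6f21 | xxd -r -p` does yield exactly six bytes, so a learner comparing the two directions will see a mismatch.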
@@ -125,31 +125,31 @@ Crypto Instructor: All the same data, just different representations.
// ===========================================
=== hex_and_base64 ===
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Crypto Instructor: Two encoding schemes you'll encounter constantly: hexadecimal and Base64.
Haxolottle: Two encoding schemes you'll encounter constantly: hexadecimal and Base64.
Crypto Instructor: **Hexadecimal**: Base-16. Uses 0-9 and a-f. Two hex characters per byte. Compact, human-readable representation of binary data.
Haxolottle: **Hexadecimal**: Base-16. Uses 0-9 and a-f. Two hex characters per byte. Compact, human-readable representation of binary data.
Crypto Instructor: **Base64**: Uses A-Z, a-z, 0-9, +, /, and = for padding. More efficient than hex for transmitting binary data. Four characters represent three bytes.
Haxolottle: **Base64**: Uses A-Z, a-z, 0-9, +, /, and = for padding. More efficient than hex for transmitting binary data. Four characters represent three bytes.
* [When do I use Base64 vs hex?]
~ instructor_rapport += 10
~ haxolottle_rapport += 10
You: How do I choose between Base64 and hex?
Crypto Instructor: Base64 when efficiency matters - 33% overhead vs 100% for hex. Common in web protocols, email attachments, JSON/XML with binary data.
Crypto Instructor: Hex when human readability and debugging matter. Easier to spot patterns, map directly to bytes.
Crypto Instructor: In CTFs and forensics? You'll see both constantly. Learn to recognize them on sight.
Haxolottle: Base64 when efficiency matters - 33% overhead vs 100% for hex. Common in web protocols, email attachments, JSON/XML with binary data.
Haxolottle: Hex when human readability and debugging matter. Easier to spot patterns, map directly to bytes.
Haxolottle: In CTFs and forensics? You'll see both constantly. Learn to recognize them on sight.
* [Show me Base64 commands]
You: Walk me through Base64 encoding.
Crypto Instructor: Simple: `echo "text" | base64` encodes. `echo "encoded" | base64 -d` decodes.
Crypto Instructor: Try this chain: `echo "Valhalla" | base64 | xxd -p | xxd -r -p | base64 -d`
Crypto Instructor: You're encoding to Base64, converting to hex, converting back, decoding Base64. Should get "Valhalla" back. Demonstrates reversibility.
Haxolottle: Simple: `echo "text" | base64` encodes. `echo "encoded" | base64 -d` decodes.
Haxolottle: Try this chain: `echo "Valhalla" | base64 | xxd -p | xxd -r -p | base64 -d`
Haxolottle: You're encoding to Base64, converting to hex, converting back, decoding Base64. Should get "Valhalla" back. Demonstrates reversibility.
* [How do I recognize Base64?]
You: How can I identify Base64 when I see it?
Crypto Instructor: Look for: alphanumeric characters, sometimes with + and /, often ending in = or ==.
Crypto Instructor: Length is always multiple of 4 (due to padding).
Crypto Instructor: Classic tell: mix of uppercase, lowercase, and numbers, ending in equals signs.
Crypto Instructor: Example: `VmFsaGFsbGEK` - that's Base64.
Haxolottle: Look for: alphanumeric characters, sometimes with + and /, often ending in = or ==.
Haxolottle: Length is always multiple of 4 (due to padding).
Haxolottle: Classic tell: mix of uppercase, lowercase, and numbers, ending in equals signs.
Haxolottle: Example: `VmFsaGFsbGEK` - that's Base64.
- -> crypto_hub
// ===========================================
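Review bot: the example `VmFsaGFsbGEK` has no `=` padding, which contradicts the "Classic tell" lines just above it that rely on trailing equals signs; Base64 only pads when the input length is not a multiple of 3, and here "Valhalla" plus the newline from `echo` is 9 bytes. Either soften the heuristic to "sometimes ends in = or ==" or pick an example that pads, e.g. `echo -n Valhalla | base64` gives `VmFsaGFsbGE=`.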
@@ -157,11 +157,11 @@ Crypto Instructor: **Base64**: Uses A-Z, a-z, 0-9, +, /, and = for padding. More
// ===========================================
=== symmetric_encryption ===
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Crypto Instructor: Symmetric encryption - the same key encrypts and decrypts. Fast, efficient, but has a key distribution problem.
Haxolottle: Symmetric encryption - the same key encrypts and decrypts. Fast, efficient, but has a key distribution problem.
Crypto Instructor: Two main algorithms you'll use: DES and AES.
Haxolottle: Two main algorithms you'll use: DES and AES.
* [Tell me about DES]
You: What's DES?
@@ -170,68 +170,68 @@ Crypto Instructor: Two main algorithms you'll use: DES and AES.
You: What's AES?
-> aes_explanation
* [What's the key distribution problem?]
~ instructor_rapport += 10
~ haxolottle_rapport += 10
You: You mentioned a key distribution problem?
Crypto Instructor: The fundamental challenge of symmetric crypto: how do you securely share the key?
Crypto Instructor: If you encrypt a message with AES, your recipient needs the same key to decrypt. How do you get them the key without an attacker intercepting it?
Crypto Instructor: This is where public key crypto comes in - or secure key exchange protocols like Diffie-Hellman.
Haxolottle: The fundamental challenge of symmetric crypto: how do you securely share the key?
Haxolottle: If you encrypt a message with AES, your recipient needs the same key to decrypt. How do you get them the key without an attacker intercepting it?
Haxolottle: This is where public key crypto comes in - or secure key exchange protocols like Diffie-Hellman.
-> symmetric_encryption
* [Back to main menu]
-> crypto_hub
=== des_explanation ===
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Crypto Instructor: DES - Data Encryption Standard. Developed by IBM in the 1970s, based on Feistel ciphers.
Haxolottle: DES - Data Encryption Standard. Developed by IBM in the 1970s, based on Feistel ciphers.
Crypto Instructor: 56-bit key size. Small by modern standards - brute-forceable in reasonable time with modern hardware.
Haxolottle: 56-bit key size. Small by modern standards - brute-forceable in reasonable time with modern hardware.
Crypto Instructor: Historical importance, but don't use it for real security anymore. Superseded by AES.
Haxolottle: Historical importance, but don't use it for real security anymore. Superseded by AES.
Crypto Instructor: OpenSSL command: `openssl enc -des-cbc -pbkdf2 -in file.txt -out file.enc`
Haxolottle: OpenSSL command: `openssl enc -des-cbc -pbkdf2 -in file.txt -out file.enc`
* [Why is 56-bit insufficient?]
~ instructor_rapport += 8
~ haxolottle_rapport += 8
You: Why is 56 bits too small?
Crypto Instructor: 2^56 possible keys - about 72 quadrillion. Sounds large, but modern systems can test millions or billions of keys per second.
Crypto Instructor: DES was cracked in less than 24 hours in 1999. Hardware has only improved since then.
Crypto Instructor: Compare to AES-256: 2^256 keys. Astronomically larger. Not brute-forceable with current or foreseeable technology.
Haxolottle: 2^56 possible keys - about 72 quadrillion. Sounds large, but modern systems can test millions or billions of keys per second.
Haxolottle: DES was cracked in less than 24 hours in 1999. Hardware has only improved since then.
Haxolottle: Compare to AES-256: 2^256 keys. Astronomically larger. Not brute-forceable with current or foreseeable technology.
* [Show me the decryption command]
You: How do I decrypt DES-encrypted data?
Crypto Instructor: `openssl enc -des-cbc -d -in file.enc -out decrypted.txt`
Crypto Instructor: The `-d` flag specifies decryption. You'll be prompted for the password.
Crypto Instructor: Note: password and key aren't quite the same. The password is hashed with PBKDF2 to derive the actual encryption key.
Haxolottle: `openssl enc -des-cbc -d -in file.enc -out decrypted.txt`
Haxolottle: The `-d` flag specifies decryption. You'll be prompted for the password.
Haxolottle: Note: password and key aren't quite the same. The password is hashed with PBKDF2 to derive the actual encryption key.
- -> symmetric_encryption
=== aes_explanation ===
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Crypto Instructor: AES - Advanced Encryption Standard. The modern symmetric encryption standard.
Haxolottle: AES - Advanced Encryption Standard. The modern symmetric encryption standard.
Crypto Instructor: 128-bit block cipher. Key sizes: 128, 192, or 256 bits. Uses substitution-permutation network - combination of substitution, permutation, mixing, and key addition.
Haxolottle: 128-bit block cipher. Key sizes: 128, 192, or 256 bits. Uses substitution-permutation network - combination of substitution, permutation, mixing, and key addition.
Crypto Instructor: Fast, secure, widely supported. This is what you should be using for symmetric encryption.
Haxolottle: Fast, secure, widely supported. This is what you should be using for symmetric encryption.
* [How much stronger is AES than DES?]
~ instructor_rapport += 10
~ haxolottle_rapport += 10
You: Quantify the security improvement over DES.
Crypto Instructor: DES: 2^56 keyspace. AES-128: 2^128. AES-256: 2^256.
Crypto Instructor: AES-128 has 2^72 times more keys than DES. AES-256 has 2^200 times more keys than AES-128.
Crypto Instructor: To put it in perspective: if you could test a trillion trillion keys per second, AES-256 would still take longer than the age of the universe to brute force.
Crypto Instructor: Practical attacks on AES focus on implementation flaws, side channels, or compromising the key - not brute forcing.
Haxolottle: DES: 2^56 keyspace. AES-128: 2^128. AES-256: 2^256.
Haxolottle: AES-128 has 2^72 times more keys than DES. AES-256 has 2^200 times more keys than AES-128.
Haxolottle: To put it in perspective: if you could test a trillion trillion keys per second, AES-256 would still take longer than the age of the universe to brute force.
Haxolottle: Practical attacks on AES focus on implementation flaws, side channels, or compromising the key - not brute forcing.
* [Show me AES commands]
You: Walk me through AES encryption.
Crypto Instructor: Encrypt: `openssl enc -aes-256-cbc -pbkdf2 -in file.txt -out file.enc`
Crypto Instructor: Decrypt: `openssl enc -aes-256-cbc -d -in file.enc -out file.txt`
Crypto Instructor: You can use -aes-128-cbc, -aes-192-cbc, or -aes-256-cbc depending on key size.
Crypto Instructor: CBC mode is Cipher Block Chaining. ECB mode also available but has security weaknesses - avoid for real use.
Haxolottle: Encrypt: `openssl enc -aes-256-cbc -pbkdf2 -in file.txt -out file.enc`
Haxolottle: Decrypt: `openssl enc -aes-256-cbc -d -in file.enc -out file.txt`
Haxolottle: You can use -aes-128-cbc, -aes-192-cbc, or -aes-256-cbc depending on key size.
Haxolottle: CBC mode is Cipher Block Chaining. ECB mode also available but has security weaknesses - avoid for real use.
* [What's CBC mode?]
~ instructor_rapport += 8
~ haxolottle_rapport += 8
You: Explain CBC mode.
Crypto Instructor: Cipher Block Chaining. Each block of plaintext is XORed with the previous ciphertext block before encryption.
Crypto Instructor: This means identical plaintext blocks produce different ciphertext - hides patterns.
Crypto Instructor: ECB (Electronic Codebook) encrypts each block independently - same input always produces same output. Leaks pattern information.
Crypto Instructor: Always use CBC or more modern modes like GCM. Never use ECB for real data.
Haxolottle: Cipher Block Chaining. Each block of plaintext is XORed with the previous ciphertext block before encryption.
Haxolottle: This means identical plaintext blocks produce different ciphertext - hides patterns.
Haxolottle: ECB (Electronic Codebook) encrypts each block independently - same input always produces same output. Leaks pattern information.
Haxolottle: Always use CBC or more modern modes like GCM. Never use ECB for real data.
- -> symmetric_encryption
// ===========================================
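Review bot: the decrypt commands `openssl enc -des-cbc -d -in file.enc -out decrypted.txt` and `openssl enc -aes-256-cbc -d -in file.enc -out file.txt` omit `-pbkdf2`, while the matching encrypt commands in this hunk pass it; OpenSSL derives the key differently depending on that flag, so a learner following these lines verbatim gets "bad decrypt" instead of the plaintext, and the sentence `The password is hashed with PBKDF2 to derive the actual encryption key` is then untrue for the decrypt path. Add `-pbkdf2` to both decrypt lines. Separately, `AES-256 has 2^200 times more keys than AES-128` is arithmetically wrong: 2^256 / 2^128 = 2^128.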
@@ -239,34 +239,34 @@ Crypto Instructor: Fast, secure, widely supported. This is what you should be us
// ===========================================
=== public_key_crypto ===
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Crypto Instructor: Asymmetric cryptography. Revolutionary concept - separate keys for encryption and decryption.
Haxolottle: Asymmetric cryptography. Revolutionary concept - separate keys for encryption and decryption.
Crypto Instructor: **Public key**: shared freely. Anyone can use it to encrypt messages to you.
Haxolottle: **Public key**: shared freely. Anyone can use it to encrypt messages to you.
**Private key**: kept secret. Only you can decrypt messages encrypted with your public key.
Crypto Instructor: Solves the key distribution problem. You can publish your public key openly - doesn't compromise security.
Haxolottle: Solves the key distribution problem. You can publish your public key openly - doesn't compromise security.
* [How does this actually work?]
~ instructor_rapport += 10
~ haxolottle_rapport += 10
You: What's the underlying mechanism?
Crypto Instructor: Mathematics - specifically, functions that are easy to compute in one direction but extremely hard to reverse without special information.
Crypto Instructor: RSA uses factoring large prime numbers. Easy to multiply two huge primes, nearly impossible to factor the result back without knowing the primes.
Crypto Instructor: Your private key contains the primes. Your public key contains their product. Encryption uses the product, decryption needs the primes.
Crypto Instructor: Full math is beyond this course, but that's the essence. One-way mathematical trap doors.
Haxolottle: Mathematics - specifically, functions that are easy to compute in one direction but extremely hard to reverse without special information.
Haxolottle: RSA uses factoring large prime numbers. Easy to multiply two huge primes, nearly impossible to factor the result back without knowing the primes.
Haxolottle: Your private key contains the primes. Your public key contains their product. Encryption uses the product, decryption needs the primes.
Haxolottle: Full math is beyond this course, but that's the essence. One-way mathematical trap doors.
* [What's the downside?]
~ instructor_rapport += 8
~ haxolottle_rapport += 8
You: This sounds perfect. What's the catch?
Crypto Instructor: Performance. Asymmetric crypto is much slower than symmetric.
Crypto Instructor: Typical use: asymmetric crypto to exchange a symmetric key, then symmetric crypto for actual data.
Crypto Instructor: TLS/SSL does exactly this - RSA or ECDH to agree on a session key, then AES to encrypt the connection.
Crypto Instructor: Hybrid approach gets security of asymmetric with performance of symmetric.
Haxolottle: Performance. Asymmetric crypto is much slower than symmetric.
Haxolottle: Typical use: asymmetric crypto to exchange a symmetric key, then symmetric crypto for actual data.
Haxolottle: TLS/SSL does exactly this - RSA or ECDH to agree on a session key, then AES to encrypt the connection.
Haxolottle: Hybrid approach gets security of asymmetric with performance of symmetric.
* [Tell me about GPG]
You: How does GPG fit into this?
Crypto Instructor: GPG - GNU Privacy Guard. Open source implementation of PGP (Pretty Good Privacy).
Crypto Instructor: Provides public-key crypto for email encryption, file encryption, digital signatures.
Crypto Instructor: Industry standard for email security and file protection.
Haxolottle: GPG - GNU Privacy Guard. Open source implementation of PGP (Pretty Good Privacy).
Haxolottle: Provides public-key crypto for email encryption, file encryption, digital signatures.
Haxolottle: Industry standard for email security and file protection.
-> gpg_intro
- -> crypto_hub
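Review bot: the line `**Private key**: kept secret. Only you can decrypt messages encrypted with your public key.` is the one dialogue line in this knot with no speaker label, so it renders differently from the `Haxolottle:` lines around it; prefix it the same way, or fold it into the preceding `**Public key**` line, for consistency with the rest of the rename.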
@@ -275,35 +275,35 @@ Crypto Instructor: Solves the key distribution problem. You can publish your pub
// ===========================================
=== openssl_tools ===
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Crypto Instructor: OpenSSL - the Swiss Army knife of cryptography.
Haxolottle: OpenSSL - the Swiss Army knife of cryptography.
Crypto Instructor: It's a toolkit implementing SSL/TLS protocols and providing cryptographic functions. Command-line tool plus libraries.
Haxolottle: It's a toolkit implementing SSL/TLS protocols and providing cryptographic functions. Command-line tool plus libraries.
Crypto Instructor: Can do: key generation, encryption, decryption, hashing, certificate management, SSL/TLS testing, and much more.
Haxolottle: Can do: key generation, encryption, decryption, hashing, certificate management, SSL/TLS testing, and much more.
* [Show me useful commands]
You: What are the most useful OpenSSL commands?
Crypto Instructor: List available ciphers: `openssl list -cipher-algorithms`
Crypto Instructor: Generate hash: `echo "data" | openssl dgst -sha256`
Crypto Instructor: Encrypt file: `openssl enc -aes-256-cbc -in file -out file.enc`
Crypto Instructor: Check certificate: `openssl x509 -in cert.pem -text -noout`
Crypto Instructor: Test SSL connection: `openssl s_client -connect example.com:443`
Crypto Instructor: Generate random bytes: `openssl rand -hex 32`
Haxolottle: List available ciphers: `openssl list -cipher-algorithms`
Haxolottle: Generate hash: `echo "data" | openssl dgst -sha256`
Haxolottle: Encrypt file: `openssl enc -aes-256-cbc -in file -out file.enc`
Haxolottle: Check certificate: `openssl x509 -in cert.pem -text -noout`
Haxolottle: Test SSL connection: `openssl s_client -connect example.com:443`
Haxolottle: Generate random bytes: `openssl rand -hex 32`
* [Tell me about the 2014 vulnerability]
~ instructor_rapport += 15
~ haxolottle_rapport += 15
You: You mentioned a major OpenSSL vulnerability in 2014?
Crypto Instructor: Heartbleed. CVE-2014-0160. One of the most significant security flaws in internet history.
Crypto Instructor: Bug in OpenSSL's implementation of TLS heartbeat extension. Allowed attackers to read server memory - including private keys, passwords, session tokens.
Crypto Instructor: Affected two-thirds of web servers. Required widespread patching and certificate replacement.
Crypto Instructor: Important lesson: even cryptographic implementations can have bugs. The algorithms (AES, RSA) were fine - the implementation was flawed.
Crypto Instructor: This is why: keep software updated, use well-audited libraries, implement defense in depth.
Haxolottle: Heartbleed. CVE-2014-0160. One of the most significant security flaws in internet history.
Haxolottle: Bug in OpenSSL's implementation of TLS heartbeat extension. Allowed attackers to read server memory - including private keys, passwords, session tokens.
Haxolottle: Affected two-thirds of web servers. Required widespread patching and certificate replacement.
Haxolottle: Important lesson: even cryptographic implementations can have bugs. The algorithms (AES, RSA) were fine - the implementation was flawed.
Haxolottle: This is why: keep software updated, use well-audited libraries, implement defense in depth.
* [How do I check OpenSSL version?]
You: How do I know what version I'm running?
Crypto Instructor: `openssl version -a` shows version and build details.
Crypto Instructor: Post-Heartbleed, you want OpenSSL 1.0.1g or later, or 1.0.2 series.
Crypto Instructor: Most modern systems use OpenSSL 1.1.1 or 3.x now.
Haxolottle: `openssl version -a` shows version and build details.
Haxolottle: Post-Heartbleed, you want OpenSSL 1.0.1g or later, or 1.0.2 series.
Haxolottle: Most modern systems use OpenSSL 1.1.1 or 3.x now.
- -> crypto_hub
// ===========================================
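Review bot: `Encrypt file: openssl enc -aes-256-cbc -in file -out file.enc` in the useful-commands list drops the `-pbkdf2` flag that the AES knot and the commands reference use for the same operation; current OpenSSL prints a deprecated-key-derivation warning without it, and the file it produces will only decrypt with the flag omitted as well. Make the AES encrypt lines identical across the file. The version guidance `OpenSSL 1.0.1g or later, or 1.0.2 series` is also historical, since the 1.0.x series is end-of-life; the next line already says modern systems use 1.1.1 or 3.x, so lead with that.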
@@ -311,37 +311,37 @@ Crypto Instructor: Can do: key generation, encryption, decryption, hashing, cert
// ===========================================
=== gpg_intro ===
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Crypto Instructor: GPG - GNU Privacy Guard. Open-source public-key cryptography and signing tool.
Haxolottle: GPG - GNU Privacy Guard. Open-source public-key cryptography and signing tool.
Crypto Instructor: Core concepts: key pairs (public and private), encryption, decryption, signing, verification.
Haxolottle: Core concepts: key pairs (public and private), encryption, decryption, signing, verification.
* [Walk me through key generation]
You: How do I create GPG keys?
Crypto Instructor: `gpg --gen-key` starts the process. You'll provide name, email, passphrase.
Crypto Instructor: This creates a key pair. Public key you share, private key you protect.
Crypto Instructor: The passphrase protects your private key - don't forget it! Without it, your private key is useless.
Haxolottle: `gpg --gen-key` starts the process. You'll provide name, email, passphrase.
Haxolottle: This creates a key pair. Public key you share, private key you protect.
Haxolottle: The passphrase protects your private key - don't forget it! Without it, your private key is useless.
* [How do I share my public key?]
You: How do others get my public key?
Crypto Instructor: Export it: `gpg --export -a "Your Name" > public.key`
Crypto Instructor: This creates ASCII-armored public key file. Share it via email, website, key server.
Crypto Instructor: Recipients import it: `gpg --import public.key`
Crypto Instructor: Now they can encrypt messages only you can read.
Haxolottle: Export it: `gpg --export -a "Your Name" > public.key`
Haxolottle: This creates ASCII-armored public key file. Share it via email, website, key server.
Haxolottle: Recipients import it: `gpg --import public.key`
Haxolottle: Now they can encrypt messages only you can read.
* [Encrypting and decrypting]
You: Show me the encryption workflow.
Crypto Instructor: Encrypt: `gpg -e -r "Recipient Name" file.txt` creates file.txt.gpg
Crypto Instructor: Decrypt: `gpg -d file.txt.gpg > decrypted.txt`
Crypto Instructor: Recipient's public key must be in your keyring to encrypt for them.
Crypto Instructor: Your private key must be available to decrypt messages to you.
Haxolottle: Encrypt: `gpg -e -r "Recipient Name" file.txt` creates file.txt.gpg
Haxolottle: Decrypt: `gpg -d file.txt.gpg > decrypted.txt`
Haxolottle: Recipient's public key must be in your keyring to encrypt for them.
Haxolottle: Your private key must be available to decrypt messages to you.
* [What about digital signatures?]
~ instructor_rapport += 10
~ haxolottle_rapport += 10
You: How do signatures work?
Crypto Instructor: Signatures prove a message came from you and wasn't modified.
Crypto Instructor: Sign: `gpg -s file.txt` - creates file.txt.gpg with signature
Crypto Instructor: Verify: `gpg --verify file.txt.gpg` - confirms signature and shows signer
Crypto Instructor: Uses your private key to sign, others use your public key to verify. Reverse of encryption.
Crypto Instructor: Provides authenticity and integrity - critical for software distribution, secure communications.
Haxolottle: Signatures prove a message came from you and wasn't modified.
Haxolottle: Sign: `gpg -s file.txt` - creates file.txt.gpg with signature
Haxolottle: Verify: `gpg --verify file.txt.gpg` - confirms signature and shows signer
Haxolottle: Uses your private key to sign, others use your public key to verify. Reverse of encryption.
Haxolottle: Provides authenticity and integrity - critical for software distribution, secure communications.
- -> crypto_hub
// ===========================================
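Review bot: `gpg -s file.txt` produces a signed, compressed copy (`file.txt.gpg`) rather than a separate signature, which is not the form used for the "software distribution" case this section cites; `gpg -b file.txt` gives a detached `file.txt.sig`, verified with `gpg --verify file.txt.sig file.txt`. Either mention `-b` alongside `-s` or drop the distribution example.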
@@ -349,20 +349,20 @@ Crypto Instructor: Core concepts: key pairs (public and private), encryption, de
// ===========================================
=== commands_reference ===
Crypto Instructor: Quick reference for the commands we've covered:
Haxolottle: Quick reference for the commands we've covered:
Crypto Instructor: **Encoding:**
Haxolottle: **Encoding:**
- Hex: `echo "text" | xxd -p` (encode), `echo "hex" | xxd -r -p` (decode)
- Base64: `echo "text" | base64` (encode), `echo "b64" | base64 -d` (decode)
- View as binary: `xxd -b file`
Crypto Instructor: **Symmetric Encryption (OpenSSL):**
Haxolottle: **Symmetric Encryption (OpenSSL):**
- AES encrypt: `openssl enc -aes-256-cbc -pbkdf2 -in file -out file.enc`
- AES decrypt: `openssl enc -aes-256-cbc -d -in file.enc -out file.txt`
- DES encrypt: `openssl enc -des-cbc -pbkdf2 -in file -out file.enc`
- List ciphers: `openssl list -cipher-algorithms`
Crypto Instructor: **Public Key Crypto (GPG):**
Haxolottle: **Public Key Crypto (GPG):**
- Generate keys: `gpg --gen-key`
- List keys: `gpg --list-keys`
- Export public: `gpg --export -a "Name" > public.key`
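Review bot: `AES decrypt: openssl enc -aes-256-cbc -d -in file.enc -out file.txt` omits `-pbkdf2` while the encrypt line directly above includes it, so the reference card's pair does not round-trip; add the flag to the decrypt line. A DES decrypt line is also missing from the reference even though DES encrypt is listed.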
@@ -372,7 +372,7 @@ Crypto Instructor: **Public Key Crypto (GPG):**
- Sign: `gpg -s file`
- Verify: `gpg --verify file.gpg`
Crypto Instructor: **Useful OpenSSL:**
Haxolottle: **Useful OpenSSL:**
- Hash: `openssl dgst -sha256 file`
- Random data: `openssl rand -hex 32`
- Version: `openssl version`
@@ -385,33 +385,33 @@ Crypto Instructor: **Useful OpenSSL:**
// ===========================================
=== ready_for_practice ===
Crypto Instructor: Excellent. You've covered the fundamentals.
Haxolottle: Excellent. You've covered the fundamentals.
Crypto Instructor: In your VM's home directory, you'll find CTF challenges testing these skills:
Haxolottle: In your VM's home directory, you'll find CTF challenges testing these skills:
- Decoding various encoded data
- Decrypting symmetrically-encrypted files
- Using GPG for secure communication
- Breaking weak encryption
Crypto Instructor: Practical tips:
Haxolottle: Practical tips:
Crypto Instructor: **Recognize encoding schemes on sight**: Base64 ends in =, hex is 0-9 and a-f, binary is only 0 and 1.
Haxolottle: **Recognize encoding schemes on sight**: Base64 ends in =, hex is 0-9 and a-f, binary is only 0 and 1.
Crypto Instructor: **Try obvious passwords first**: "password", "admin", "123456". Weak keys are common.
Haxolottle: **Try obvious passwords first**: "password", "admin", "123456". Weak keys are common.
Crypto Instructor: **Check file headers**: `file` command identifies file types even if extension is wrong. Encoded/encrypted data looks like random bytes.
Haxolottle: **Check file headers**: `file` command identifies file types even if extension is wrong. Encoded/encrypted data looks like random bytes.
Crypto Instructor: **Use CyberChef for quick analysis**: Web tool that chains encoding/decoding operations. Great for CTFs.
Haxolottle: **Use CyberChef for quick analysis**: Web tool that chains encoding/decoding operations. Great for CTFs.
Crypto Instructor: **Document what you try**: When attempting decryption, track what keys/methods you've tested. Easy to lose track.
Haxolottle: **Document what you try**: When attempting decryption, track what keys/methods you've tested. Easy to lose track.
{instructor_rapport >= 50:
Crypto Instructor: You've asked excellent questions and engaged deeply with the material. You're well-prepared.
{haxolottle_rapport >= 50:
Haxolottle: You've asked excellent questions and engaged deeply with the material. You're well-prepared.
}
Crypto Instructor: Remember: encoding is reversible with no secret. Encryption requires keys. Symmetric uses same key for both. Asymmetric uses key pairs.
Haxolottle: Remember: encoding is reversible with no secret. Encryption requires keys. Symmetric uses same key for both. Asymmetric uses key pairs.
Crypto Instructor: Now go break some crypto challenges. Good luck, Agent {player_name}.
Haxolottle: Now go break some crypto challenges. Good luck, Agent {player_name}.
#exit_conversation
-> END
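Review bot: "Base64 ends in =" on the recognise-on-sight tip is only true when the input length is not a multiple of three; `echo -n abc | base64` gives `YWJj` with no padding, and a learner who relies on the `=` will misclassify such strings. Suggest "Base64 often ends in one or two `=`, uses A-Z, a-z, 0-9, + and /" so the heuristic matches the alphabet rather than the optional padding.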


@@ -4,7 +4,7 @@
// License: CC BY-SA 4.0
// Global persistent state
VAR instructor_rapport = 0
VAR haxolottle_rapport = 0
VAR exploitation_mastery = 0
// External variables
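Review bot: renaming the global `VAR instructor_rapport` to `haxolottle_rapport` changes the name the Ink runtime exposes to the host, so any game code that reads the rapport value by name, and any saved story state that carries the old variable, needs to be updated alongside this hunk or the value silently resets to 0. Worth a grep on the host project for `instructor_rapport` before merging.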
@@ -13,7 +13,7 @@ EXTERNAL player_name
=== start ===
Exploitation Specialist: Welcome back, Agent {player_name}. I'm your instructor for Advanced Exploitation Techniques.
~ instructor_rapport = 0
~ haxolottle_rapport = 0
~ exploitation_mastery = 0
Exploitation Specialist: This lab brings together everything you've learned so far - scanning, vulnerability research, and exploitation.
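Review bot: the rapport variable is renamed here, but every speaker label in this file is still `Exploitation Specialist:` (see the context lines `Exploitation Specialist: Welcome back, Agent {player_name}...`), which contradicts the commit message's claim that all files now use the Haxolottle character. Either rename the labels in exploitation.ink in this change, or narrow the commit message to the variable rename for this file.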
@@ -64,7 +64,7 @@ Exploitation Specialist: What aspect of exploitation would you like to explore?
=== scanning_to_exploitation ===
Exploitation Specialist: After gathering information about a target through footprinting and scanning, you need to know what attacks will work.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Exploitation Specialist: The key questions are: Where will you find vulnerability information? How will you use that information to launch an attack? How can security professionals use this to test system security?
@@ -77,7 +77,7 @@ Exploitation Specialist: Once you know the operating system and software running
Exploitation Specialist: The scanning phase reveals what's running. The vulnerability research phase identifies what's vulnerable. The exploitation phase is when you actually attack.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [How do I know what attacks will work?]
Exploitation Specialist: This is where vulnerability databases and exploit frameworks like Metasploit come in.
@@ -88,14 +88,14 @@ Exploitation Specialist: Once you know the operating system and software running
Exploitation Specialist: We'll also look at external databases like CVE Details, NVD, and Exploit DB.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
- -> exploitation_hub
=== nmap_scanning ===
Exploitation Specialist: The first step is thorough scanning to identify your targets and what they're running.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Exploitation Specialist: For this lab, you'll scan your network to find two vulnerable servers - one Linux and one Windows.
@@ -114,7 +114,7 @@ Exploitation Specialist: Where X.X are the second and third octets of your Kali
Exploitation Specialist: Those specific version numbers are critical for finding applicable exploits.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [What if the scan takes too long?]
Exploitation Specialist: Windows scans can take several minutes to complete - this is normal.
@@ -123,7 +123,7 @@ Exploitation Specialist: Where X.X are the second and third octets of your Kali
Exploitation Specialist: However, for thorough penetration testing, patience is important. You don't want to miss a vulnerable service on an unusual port.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [What if nmap shows ftp with a question mark?]
Exploitation Specialist: If you see "ftp?" in the results, it means Nmap isn't confident about the service identification.
@@ -132,14 +132,14 @@ Exploitation Specialist: Where X.X are the second and third octets of your Kali
Exploitation Specialist: Try restarting the Windows server and scanning again. The service should respond properly after a fresh start.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
- -> exploitation_hub
=== metasploit_database ===
Exploitation Specialist: Metasploit includes a PostgreSQL database that stores information about hosts, services, and vulnerabilities.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Exploitation Specialist: This database integration is extremely powerful - it lets you import scan results and automatically target vulnerable services.
@@ -154,7 +154,7 @@ Exploitation Specialist: Before using the database, you need to initialize it an
Exploitation Specialist: You only need to do this once per session, or after restarting your Kali VM.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [How do I import Nmap scan results?]
Exploitation Specialist: If you've saved Nmap results in XML format, you can import them:
@@ -165,7 +165,7 @@ Exploitation Specialist: Before using the database, you need to initialize it an
Exploitation Specialist: You can then query this data with commands like "hosts" and "services"
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [What can I do with the database?]
Exploitation Specialist: Once data is in the database, you can query it intelligently:
@@ -180,14 +180,14 @@ Exploitation Specialist: Before using the database, you need to initialize it an
Exploitation Specialist: This integration makes targeting much more efficient.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
- -> exploitation_hub
=== msfconsole_scanning ===
Exploitation Specialist: You can run scans directly from within msfconsole - you don't always need a separate terminal.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Exploitation Specialist: Msfconsole can run Bash commands, so you can run Nmap directly: msf > nmap -O -sV TARGET
@@ -202,7 +202,7 @@ Exploitation Specialist: Even better, you can use db_nmap which scans AND automa
Exploitation Specialist: This scans all ports with OS and version detection, and the results are immediately available via "hosts" and "services"
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [Does Metasploit have its own scanners?]
Exploitation Specialist: Yes! Metasploit has various port scanning modules, though they're not as feature-complete as Nmap.
@@ -213,7 +213,7 @@ Exploitation Specialist: Even better, you can use db_nmap which scans AND automa
Exploitation Specialist: These modules integrate directly with the database and can use multiple threads for faster scanning.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [How do I use Metasploit's port scanner?]
Exploitation Specialist: First, select the module: use auxiliary/scanner/portscan/tcp
@@ -226,14 +226,14 @@ Exploitation Specialist: Even better, you can use db_nmap which scans AND automa
Exploitation Specialist: Results are automatically stored in the database. You can verify with the "services" command.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
- -> exploitation_hub
=== searching_exploits ===
Exploitation Specialist: Metasploit's search command is incredibly powerful for finding relevant exploits.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Exploitation Specialist: You can search by platform, service name, CVE number, exploit type, and more.
@@ -256,7 +256,7 @@ Exploitation Specialist: But you can be much more specific with search operators
Exploitation Specialist: Or: search type:exploit cve:2003-0352
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [How do I search for specific software?]
Exploitation Specialist: Simply include the software name in the search:
@@ -271,7 +271,7 @@ Exploitation Specialist: But you can be much more specific with search operators
Exploitation Specialist: Look through the results for modules that match your target's version number.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [Give me some search examples]
Exploitation Specialist: Sure! Here are useful searches:
@@ -288,14 +288,14 @@ Exploitation Specialist: But you can be much more specific with search operators
Exploitation Specialist: Once you find a promising module, use "info exploit/path/to/module" to learn more about it.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
- -> exploitation_hub
=== launching_exploits ===
Exploitation Specialist: Once you've identified the right exploit module, launching it follows a standard workflow.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Exploitation Specialist: The process is: select the module, configure options, choose a payload, and launch the attack.
@@ -320,7 +320,7 @@ Exploitation Specialist: Let's walk through a typical exploitation scenario.
Exploitation Specialist: If successful, you'll get a shell on the target!
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [What payloads should I use?]
Exploitation Specialist: The payload depends on what you want to achieve and what the exploit supports.
@@ -339,7 +339,7 @@ Exploitation Specialist: Let's walk through a typical exploitation scenario.
Exploitation Specialist: linux/x86/meterpreter/reverse_tcp - Meterpreter for Linux
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [What if the exploit doesn't work?]
Exploitation Specialist: First, run "show options" and verify all settings, especially IP addresses.
@@ -352,7 +352,7 @@ Exploitation Specialist: Let's walk through a typical exploitation scenario.
Exploitation Specialist: Some exploits are unreliable and may need multiple attempts.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [What can I do once I have a shell?]
Exploitation Specialist: With a Windows shell, you can run commands like:
@@ -373,14 +373,14 @@ Exploitation Specialist: Let's walk through a typical exploitation scenario.
Exploitation Specialist: We'll cover post-exploitation in more depth in later labs.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
- -> exploitation_hub
=== armitage_intro ===
Exploitation Specialist: Armitage is a free and open source graphical interface for Metasploit with powerful automation features.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Exploitation Specialist: It was created to make Metasploit more accessible and to automate repetitive tasks in penetration testing.
@@ -397,7 +397,7 @@ Exploitation Specialist: Armitage can scan networks, automatically suggest attac
Exploitation Specialist: However, experienced penetration testers often prefer msfconsole for its power and speed.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [How do I start Armitage?]
Exploitation Specialist: First, initialize the Metasploit database if you haven't already:
@@ -414,7 +414,7 @@ Exploitation Specialist: Armitage can scan networks, automatically suggest attac
Exploitation Specialist: If prompted, allow Armitage to start the Metasploit RPC server.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [What does the Armitage interface show?]
Exploitation Specialist: Armitage displays a visual network map showing discovered hosts.
@@ -427,14 +427,14 @@ Exploitation Specialist: Armitage can scan networks, automatically suggest attac
Exploitation Specialist: The interface makes it easy to see the big picture of a network and what you've compromised.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
- -> exploitation_hub
=== armitage_usage ===
Exploitation Specialist: Let me walk you through using Armitage to scan and exploit targets.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Exploitation Specialist: Armitage integrates scanning, vulnerability analysis, and exploitation into a streamlined workflow.
@@ -449,7 +449,7 @@ Exploitation Specialist: Armitage integrates scanning, vulnerability analysis, a
Exploitation Specialist: Any previously scanned hosts in the database will also appear automatically.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [How does Armitage suggest attacks?]
Exploitation Specialist: Armitage analyzes the operating system and services detected on each host.
@@ -462,7 +462,7 @@ Exploitation Specialist: Armitage integrates scanning, vulnerability analysis, a
Exploitation Specialist: Right-click a host and select "Attack" to see suggested exploits categorized by service.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [How do I launch an attack in Armitage?]
Exploitation Specialist: Right-click the target host and select "Attack"
@@ -475,7 +475,7 @@ Exploitation Specialist: Armitage integrates scanning, vulnerability analysis, a
Exploitation Specialist: You can then right-click the compromised host to interact with shells or run post-exploitation modules.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [How do I interact with a compromised system?]
Exploitation Specialist: Right-click the compromised (red) host.
@@ -488,14 +488,14 @@ Exploitation Specialist: Armitage integrates scanning, vulnerability analysis, a
Exploitation Specialist: Armitage also has menu options for common post-exploitation tasks.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
- -> exploitation_hub
=== vulnerability_databases ===
Exploitation Specialist: Beyond Metasploit, there are numerous online vulnerability databases you should know about.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Exploitation Specialist: These databases provide detailed information about known vulnerabilities, even if exploits aren't publicly available.
@@ -512,7 +512,7 @@ Exploitation Specialist: Different databases have different focuses and informat
Exploitation Specialist: Packet Storm Security (packetstormsecurity.com) - Security tools, exploits, and advisories.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [What information do these databases provide?]
Exploitation Specialist: Vulnerability databases typically include:
@@ -529,7 +529,7 @@ Exploitation Specialist: Different databases have different focuses and informat
Exploitation Specialist: Information about whether exploits exist in the wild.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [Do all vulnerabilities have CVEs?]
Exploitation Specialist: No! This is an important point.
@@ -544,14 +544,14 @@ Exploitation Specialist: Different databases have different focuses and informat
Exploitation Specialist: This is why checking multiple sources and forums is important.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
- -> exploitation_hub
=== exploit_db ===
Exploitation Specialist: The Exploit Database (Exploit-DB) is an extensive database focused on vulnerabilities with working exploits.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Exploitation Specialist: It's maintained by Offensive Security (the makers of Kali Linux) and contains thousands of exploits with source code.
@@ -566,7 +566,7 @@ Exploitation Specialist: Kali Linux includes a local copy of the entire database
Exploitation Specialist: The database also categorizes exploits by type: remote, local, web application, DoS, etc.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [How do I use the local Exploit-DB copy?]
Exploitation Specialist: On Kali Linux, exploits are stored in /usr/share/exploitdb/
@@ -577,7 +577,7 @@ Exploitation Specialist: Kali Linux includes a local copy of the entire database
Exploitation Specialist: There's also an index file with descriptions: less /usr/share/exploitdb/files_exploits.csv
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [What's searchsploit?]
Exploitation Specialist: Searchsploit is a command-line tool for searching the local Exploit-DB copy.
@@ -590,7 +590,7 @@ Exploitation Specialist: Kali Linux includes a local copy of the entire database
Exploitation Specialist: To download an exploit to your current directory: searchsploit -m windows/remote/11539.py
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [How do I use standalone exploits from Exploit-DB?]
Exploitation Specialist: Standalone exploits often require some manual setup:
@@ -605,14 +605,14 @@ Exploitation Specialist: Kali Linux includes a local copy of the entire database
Exploitation Specialist: Always understand what an exploit does before running it!
~ instructor_rapport += 5
~ haxolottle_rapport += 5
- -> exploitation_hub
=== commands_reference ===
Exploitation Specialist: Let me provide a comprehensive commands reference for this lab.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Exploitation Specialist: **Initial Scanning:**
@@ -647,7 +647,7 @@ Exploitation Specialist: msfconsole (start Metasploit console)
Exploitation Specialist: msf > services -p 21 -R (and set RHOSTS)
~ instructor_rapport += 3
~ haxolottle_rapport += 3
+ [Show me Metasploit scanning modules]
Exploitation Specialist: **Metasploit Port Scanners:**
@@ -666,7 +666,7 @@ Exploitation Specialist: msfconsole (start Metasploit console)
Exploitation Specialist: msf auxiliary(tcp) > back
~ instructor_rapport += 3
~ haxolottle_rapport += 3
+ [Show me searching for exploits]
Exploitation Specialist: **Searching for Exploits:**
@@ -685,7 +685,7 @@ Exploitation Specialist: msfconsole (start Metasploit console)
Exploitation Specialist: msf > info exploit/windows/ftp/easyftp_cwd_fixret
~ instructor_rapport += 3
~ haxolottle_rapport += 3
+ [Show me launching exploits]
Exploitation Specialist: **Launching Exploits:**
@@ -706,7 +706,7 @@ Exploitation Specialist: msfconsole (start Metasploit console)
Exploitation Specialist: msf exploit(...) > exploit
~ instructor_rapport += 3
~ haxolottle_rapport += 3
+ [Show me post-exploitation commands]
Exploitation Specialist: **Post-Exploitation Commands (Windows):**
@@ -729,7 +729,7 @@ Exploitation Specialist: msfconsole (start Metasploit console)
Exploitation Specialist: cat flag (read flag file)
~ instructor_rapport += 3
~ haxolottle_rapport += 3
+ [Show me Armitage commands]
Exploitation Specialist: **Armitage Setup:**
@@ -752,7 +752,7 @@ Exploitation Specialist: msfconsole (start Metasploit console)
Exploitation Specialist: 5. Right-click compromised host → Interact → Command shell
~ instructor_rapport += 3
~ haxolottle_rapport += 3
+ [Show me Exploit-DB commands]
Exploitation Specialist: **Exploit Database:**
@@ -767,14 +767,14 @@ Exploitation Specialist: msfconsole (start Metasploit console)
Exploitation Specialist: searchsploit -m windows/remote/11539.py
~ instructor_rapport += 3
~ haxolottle_rapport += 3
- -> exploitation_hub
=== challenge_tips ===
Exploitation Specialist: Let me give you practical tips for succeeding in the exploitation challenges.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Exploitation Specialist: **Finding Vulnerable Services:**
@@ -797,7 +797,7 @@ Exploitation Specialist: Import results into Metasploit for easier targeting: db
Exploitation Specialist: If the exploit fails, restart the Windows VM and try again.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [Tips for exploiting the Linux server?]
Exploitation Specialist: The Linux server has multiple potentially vulnerable services.
@@ -812,7 +812,7 @@ Exploitation Specialist: Import results into Metasploit for easier targeting: db
Exploitation Specialist: Some Linux exploits are more reliable than others - you may need to try a few.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [Tips for using Armitage?]
Exploitation Specialist: Armitage is great for beginners because it suggests attacks automatically.
@@ -825,7 +825,7 @@ Exploitation Specialist: Import results into Metasploit for easier targeting: db
Exploitation Specialist: If Armitage seems to hang, check the console tab at the bottom for error messages.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [General troubleshooting advice?]
Exploitation Specialist: Always verify your IP addresses with "show options" before running exploits.
@@ -838,7 +838,7 @@ Exploitation Specialist: Import results into Metasploit for easier targeting: db
Exploitation Specialist: Be patient - some exploits take time to establish connections.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
+ [Where are the flags?]
Exploitation Specialist: For the Windows server, look on a user's Desktop.
@@ -857,14 +857,14 @@ Exploitation Specialist: Import results into Metasploit for easier targeting: db
Exploitation Specialist: Read flags with: cat flag
~ instructor_rapport += 5
~ haxolottle_rapport += 5
- -> exploitation_hub
=== ready_for_practice ===
Exploitation Specialist: Excellent! You're ready to start practical exploitation.
~ instructor_rapport += 10
~ haxolottle_rapport += 10
~ exploitation_mastery += 10
Exploitation Specialist: You now understand how to move from scanning to exploitation - the core of penetration testing.
@@ -886,7 +886,7 @@ Exploitation Specialist: In this lab, you'll scan two servers, identify vulnerab
Exploitation Specialist: Good luck, Agent {player_name}. Time to put your skills to the test.
~ instructor_rapport += 10
~ haxolottle_rapport += 10
- -> exploitation_hub


@@ -12,61 +12,61 @@ VAR challenge_mode = "guided" // "guided" or "ctf"
EXTERNAL player_name
=== start ===
CTF Challenge Coordinator: Welcome, Agent {player_name}. I'm your coordinator for the "Feeling Blu" CTF Challenge.
Haxolottle: Welcome, Agent {player_name}. I'm your coordinator for the "Feeling Blu" CTF Challenge.
~ instructor_rapport = 0
~ ctf_mastery = 0
CTF Challenge Coordinator: This is your final test - a comprehensive Capture The Flag challenge that brings together everything you've learned.
Haxolottle: This is your final test - a comprehensive Capture The Flag challenge that brings together everything you've learned.
CTF Challenge Coordinator: You'll exploit a web server, gain access, escalate privileges, and hunt for flags. This simulates a real-world penetration test from start to finish.
Haxolottle: You'll exploit a web server, gain access, escalate privileges, and hunt for flags. This simulates a real-world penetration test from start to finish.
CTF Challenge Coordinator: Before we begin, you need to choose how you want to approach this challenge.
Haxolottle: Before we begin, you need to choose how you want to approach this challenge.
-> choose_path
=== choose_path ===
CTF Challenge Coordinator: How do you want to tackle this CTF challenge?
Haxolottle: How do you want to tackle this CTF challenge?
+ [Pure CTF mode - minimal guidance, maximum challenge]
~ challenge_mode = "ctf"
CTF Challenge Coordinator: Excellent choice! You'll get the full Capture The Flag experience.
Haxolottle: Excellent choice! You'll get the full Capture The Flag experience.
CTF Challenge Coordinator: I'll give you the tools and objectives, but you'll need to figure out the approach yourself.
Haxolottle: I'll give you the tools and objectives, but you'll need to figure out the approach yourself.
CTF Challenge Coordinator: Use everything you've learned: scanning, exploitation, privilege escalation, and persistence.
Haxolottle: Use everything you've learned: scanning, exploitation, privilege escalation, and persistence.
CTF Challenge Coordinator: Only come back for hints if you're truly stuck. Good luck!
Haxolottle: Only come back for hints if you're truly stuck. Good luck!
~ ctf_mastery += 20
-> ctf_mode_hub
+ [Guided mode - walk me through the techniques]
~ challenge_mode = "guided"
CTF Challenge Coordinator: A wise choice for learning! I'll guide you through each phase with explanations.
Haxolottle: A wise choice for learning! I'll guide you through each phase with explanations.
CTF Challenge Coordinator: You'll learn web application exploitation, brute forcing, post-exploitation, and privilege escalation with structured guidance.
Haxolottle: You'll learn web application exploitation, brute forcing, post-exploitation, and privilege escalation with structured guidance.
CTF Challenge Coordinator: This approach ensures you understand not just how to exploit, but why each technique works.
Haxolottle: This approach ensures you understand not just how to exploit, but why each technique works.
~ instructor_rapport += 10
-> guided_mode_hub
=== ctf_mode_hub ===
CTF Challenge Coordinator: This is CTF mode - you're on your own! Here's what I can tell you:
Haxolottle: This is CTF mode - you're on your own! Here's what I can tell you:
CTF Challenge Coordinator: Target: A web server running on your victim VM.
Haxolottle: Target: A web server running on your victim VM.
CTF Challenge Coordinator: Objectives: Find multiple flags, gain shell access, escalate to root.
Haxolottle: Objectives: Find multiple flags, gain shell access, escalate to root.
CTF Challenge Coordinator: Tools available: Nmap, Dirb, Nikto, Metasploit, OWASP ZAP, and more.
Haxolottle: Tools available: Nmap, Dirb, Nikto, Metasploit, OWASP ZAP, and more.
+ [What tools should I start with?]
CTF Challenge Coordinator: Think about the attack methodology: reconnaissance, scanning, exploitation, post-exploitation, privilege escalation.
Haxolottle: Think about the attack methodology: reconnaissance, scanning, exploitation, post-exploitation, privilege escalation.
CTF Challenge Coordinator: Start by discovering what's running: Nmap for services, Dirb and Nikto for web enumeration.
Haxolottle: Start by discovering what's running: Nmap for services, Dirb and Nikto for web enumeration.
CTF Challenge Coordinator: Look for hidden files, admin panels, and leaked credentials.
Haxolottle: Look for hidden files, admin panels, and leaked credentials.
~ instructor_rapport += 5
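Review bot: this file renames the speaker to `Haxolottle:` but keeps `~ instructor_rapport = 0` and the `~ instructor_rapport += 5` increments, whereas the other files in this commit rename the variable to `haxolottle_rapport`. If the host reads rapport by a single name across scenarios, this file will report nothing under the new name; rename the `VAR` declaration and these assignments here too for consistency.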
@@ -93,63 +93,63 @@ CTF Challenge Coordinator: Tools available: Nmap, Dirb, Nikto, Metasploit, OWASP
-> END
=== ctf_recon_hints ===
CTF Challenge Coordinator: Alright, here's a hint for reconnaissance:
Haxolottle: Alright, here's a hint for reconnaissance:
CTF Challenge Coordinator: Start with Nmap to identify services and versions: nmap -sV TARGET_IP
Haxolottle: Start with Nmap to identify services and versions: nmap -sV TARGET_IP
CTF Challenge Coordinator: Use Dirb to find hidden directories: dirb http://TARGET_IP
Haxolottle: Use Dirb to find hidden directories: dirb http://TARGET_IP
CTF Challenge Coordinator: Use Nikto for web vulnerabilities: nikto -h http://TARGET_IP
Haxolottle: Use Nikto for web vulnerabilities: nikto -h http://TARGET_IP
CTF Challenge Coordinator: Look carefully at discovered files - some contain very useful information about usernames and passwords!
Haxolottle: Look carefully at discovered files - some contain very useful information about usernames and passwords!
CTF Challenge Coordinator: The CMS being used might have known exploits. Identify what CMS is running.
Haxolottle: The CMS being used might have known exploits. Identify what CMS is running.
~ instructor_rapport += 5
-> ctf_mode_hub
=== ctf_exploit_hints ===
CTF Challenge Coordinator: Here's a hint for exploitation:
Haxolottle: Here's a hint for exploitation:
CTF Challenge Coordinator: You should have discovered Bludit CMS running on the server.
Haxolottle: You should have discovered Bludit CMS running on the server.
CTF Challenge Coordinator: Search Metasploit for Bludit exploits: search bludit
Haxolottle: Search Metasploit for Bludit exploits: search bludit
CTF Challenge Coordinator: You'll need both a username and password - these might have been leaked in hidden files.
Haxolottle: You'll need both a username and password - these might have been leaked in hidden files.
CTF Challenge Coordinator: If you only have the username, consider brute-forcing the password using OWASP ZAP.
Haxolottle: If you only have the username, consider brute-forcing the password using OWASP ZAP.
CTF Challenge Coordinator: The Bludit vulnerability allows arbitrary code execution and should give you a Meterpreter shell.
Haxolottle: The Bludit vulnerability allows arbitrary code execution and should give you a Meterpreter shell.
~ instructor_rapport += 5
-> ctf_mode_hub
=== ctf_privesc_hints ===
CTF Challenge Coordinator: Here's a hint for privilege escalation:
Haxolottle: Here's a hint for privilege escalation:
CTF Challenge Coordinator: After gaining initial access, check what sudo commands your user can run: sudo -l
Haxolottle: After gaining initial access, check what sudo commands your user can run: sudo -l
CTF Challenge Coordinator: If your user can run certain commands with sudo, look for ways to escape from those commands to get a root shell.
Haxolottle: If your user can run certain commands with sudo, look for ways to escape from those commands to get a root shell.
CTF Challenge Coordinator: The 'less' command is particularly interesting - it can execute shell commands with !<command>
Haxolottle: The 'less' command is particularly interesting - it can execute shell commands with !<command>
CTF Challenge Coordinator: If you can run 'less' with sudo, you can escape to a root shell!
Haxolottle: If you can run 'less' with sudo, you can escape to a root shell!
~ instructor_rapport += 5
-> ctf_mode_hub
=== switch_to_guided ===
CTF Challenge Coordinator: Switching to guided mode. I'll walk you through the complete solution.
Haxolottle: Switching to guided mode. I'll walk you through the complete solution.
~ challenge_mode = "guided"
-> guided_mode_hub
=== guided_mode_hub ===
CTF Challenge Coordinator: Welcome to guided mode. I'll walk you through each phase of the challenge.
Haxolottle: Welcome to guided mode. I'll walk you through each phase of the challenge.
+ [Part 1: Information gathering and reconnaissance]
-> phase_1_recon
@@ -181,417 +181,417 @@ CTF Challenge Coordinator: Welcome to guided mode. I'll walk you through each ph
-> END
=== web_tools_intro ===
CTF Challenge Coordinator: Let me introduce the key web security tools you'll need.
Haxolottle: Let me introduce the key web security tools you'll need.
~ instructor_rapport += 5
CTF Challenge Coordinator: **Dirb** is a web content scanner that finds hidden files and directories using dictionary attacks.
Haxolottle: **Dirb** is a web content scanner that finds hidden files and directories using dictionary attacks.
CTF Challenge Coordinator: **Nikto** is a web vulnerability scanner that checks for dangerous files, outdated software, and misconfigurations.
Haxolottle: **Nikto** is a web vulnerability scanner that checks for dangerous files, outdated software, and misconfigurations.
CTF Challenge Coordinator: **OWASP ZAP** is an intercepting proxy that lets you capture, modify, and replay HTTP requests - perfect for brute forcing.
Haxolottle: **OWASP ZAP** is an intercepting proxy that lets you capture, modify, and replay HTTP requests - perfect for brute forcing.
+ [How do I use Dirb?]
CTF Challenge Coordinator: Dirb is straightforward: dirb http://TARGET_IP
Haxolottle: Dirb is straightforward: dirb http://TARGET_IP
CTF Challenge Coordinator: It uses a built-in dictionary to test common paths like /admin/, /backup/, /config/, etc.
Haxolottle: It uses a built-in dictionary to test common paths like /admin/, /backup/, /config/, etc.
CTF Challenge Coordinator: Pay attention to discovered files - they often contain credentials or sensitive configuration data.
Haxolottle: Pay attention to discovered files - they often contain credentials or sensitive configuration data.
CTF Challenge Coordinator: Right-click discovered URLs to open them in your browser and examine their contents.
Haxolottle: Right-click discovered URLs to open them in your browser and examine their contents.
~ instructor_rapport += 5
+ [How do I use Nikto?]
CTF Challenge Coordinator: Nikto scans for web vulnerabilities: nikto -h http://TARGET_IP
Haxolottle: Nikto scans for web vulnerabilities: nikto -h http://TARGET_IP
CTF Challenge Coordinator: It checks for over 6,000 security issues including dangerous files, server misconfigurations, and known vulnerabilities.
Haxolottle: It checks for over 6,000 security issues including dangerous files, server misconfigurations, and known vulnerabilities.
CTF Challenge Coordinator: The output shows each finding with references for more information.
Haxolottle: The output shows each finding with references for more information.
CTF Challenge Coordinator: Nikto results help you understand what attacks might be successful.
Haxolottle: Nikto results help you understand what attacks might be successful.
~ instructor_rapport += 5
+ [How do I use OWASP ZAP?]
CTF Challenge Coordinator: OWASP ZAP acts as a proxy between your browser and the web server.
Haxolottle: OWASP ZAP acts as a proxy between your browser and the web server.
CTF Challenge Coordinator: It intercepts HTTP requests and responses, allowing you to modify and replay them.
Haxolottle: It intercepts HTTP requests and responses, allowing you to modify and replay them.
CTF Challenge Coordinator: This is incredibly useful for brute forcing login forms, especially those with CSRF protection.
Haxolottle: This is incredibly useful for brute forcing login forms, especially those with CSRF protection.
CTF Challenge Coordinator: You can also use it to bypass IP-based rate limiting with the X-Forwarded-For header.
Haxolottle: You can also use it to bypass IP-based rate limiting with the X-Forwarded-For header.
~ instructor_rapport += 5
- -> {challenge_mode == "ctf": ctf_mode_hub | guided_mode_hub}
=== phase_1_recon ===
CTF Challenge Coordinator: Phase 1 is all about information gathering - discovering what you're dealing with before launching attacks.
Haxolottle: Phase 1 is all about information gathering - discovering what you're dealing with before launching attacks.
~ instructor_rapport += 5
CTF Challenge Coordinator: The attack methodology follows this sequence: reconnaissance, scanning, exploitation, post-exploitation, and privilege escalation.
Haxolottle: The attack methodology follows this sequence: reconnaissance, scanning, exploitation, post-exploitation, and privilege escalation.
CTF Challenge Coordinator: Each phase builds on the previous, so thorough reconnaissance is crucial.
Haxolottle: Each phase builds on the previous, so thorough reconnaissance is crucial.
+ [What should I scan for?]
CTF Challenge Coordinator: Start with network reconnaissance: nmap -sV TARGET_IP
Haxolottle: Start with network reconnaissance: nmap -sV TARGET_IP
CTF Challenge Coordinator: This identifies open ports, running services, and software versions.
Haxolottle: This identifies open ports, running services, and software versions.
CTF Challenge Coordinator: Then scan the web application: dirb http://TARGET_IP
Haxolottle: Then scan the web application: dirb http://TARGET_IP
CTF Challenge Coordinator: Follow up with: nikto -h http://TARGET_IP
Haxolottle: Follow up with: nikto -h http://TARGET_IP
CTF Challenge Coordinator: Look for admin panels, configuration files, backup files, and anything that might contain credentials.
Haxolottle: Look for admin panels, configuration files, backup files, and anything that might contain credentials.
~ instructor_rapport += 5
+ [What am I looking for specifically?]
CTF Challenge Coordinator: You're looking for several things:
Haxolottle: You're looking for several things:
CTF Challenge Coordinator: What CMS (Content Management System) is running? This tells you what exploits might work.
Haxolottle: What CMS (Content Management System) is running? This tells you what exploits might work.
CTF Challenge Coordinator: Are there leaked credentials in discovered files? Check text files, logs, and backups.
Haxolottle: Are there leaked credentials in discovered files? Check text files, logs, and backups.
CTF Challenge Coordinator: Is there an admin login page? You might need to access it.
Haxolottle: Is there an admin login page? You might need to access it.
CTF Challenge Coordinator: What server software and versions are running? This helps identify known vulnerabilities.
Haxolottle: What server software and versions are running? This helps identify known vulnerabilities.
CTF Challenge Coordinator: There's also a flag hidden in one of the discovered files!
Haxolottle: There's also a flag hidden in one of the discovered files!
~ instructor_rapport += 5
+ [Walk me through the reconnaissance process]
CTF Challenge Coordinator: Here's the step-by-step process:
Haxolottle: Here's the step-by-step process:
CTF Challenge Coordinator: 1. Run Nmap: nmap -sV -p- TARGET_IP (scan all ports with version detection)
Haxolottle: 1. Run Nmap: nmap -sV -p- TARGET_IP (scan all ports with version detection)
CTF Challenge Coordinator: 2. Run Dirb: dirb http://TARGET_IP (find hidden directories and files)
Haxolottle: 2. Run Dirb: dirb http://TARGET_IP (find hidden directories and files)
CTF Challenge Coordinator: 3. Run Nikto: nikto -h http://TARGET_IP (identify web vulnerabilities)
Haxolottle: 3. Run Nikto: nikto -h http://TARGET_IP (identify web vulnerabilities)
CTF Challenge Coordinator: 4. Browse discovered URLs - open them in Firefox to see what they contain
Haxolottle: 4. Browse discovered URLs - open them in Firefox to see what they contain
CTF Challenge Coordinator: 5. Look for patterns: usernames on the website, admin pages, leaked files
Haxolottle: 5. Look for patterns: usernames on the website, admin pages, leaked files
CTF Challenge Coordinator: 6. Document everything - the CMS name, discovered usernames, any found credentials
Haxolottle: 6. Document everything - the CMS name, discovered usernames, any found credentials
CTF Challenge Coordinator: The reconnaissance might reveal Bludit CMS with an admin login at /admin/
Haxolottle: The reconnaissance might reveal Bludit CMS with an admin login at /admin/
~ instructor_rapport += 5
- -> guided_mode_hub
=== phase_2_exploitation ===
CTF Challenge Coordinator: Phase 2 is exploitation - using discovered vulnerabilities to gain access.
Haxolottle: Phase 2 is exploitation - using discovered vulnerabilities to gain access.
~ instructor_rapport += 5
CTF Challenge Coordinator: Based on your reconnaissance, you should have identified Bludit CMS running on the server.
Haxolottle: Based on your reconnaissance, you should have identified Bludit CMS running on the server.
CTF Challenge Coordinator: Bludit has known vulnerabilities that we can exploit using Metasploit.
Haxolottle: Bludit has known vulnerabilities that we can exploit using Metasploit.
+ [How do I find Bludit exploits?]
CTF Challenge Coordinator: In Metasploit, search for Bludit: search bludit
Haxolottle: In Metasploit, search for Bludit: search bludit
CTF Challenge Coordinator: You'll find several modules. Look for ones related to code execution or file upload.
Haxolottle: You'll find several modules. Look for ones related to code execution or file upload.
CTF Challenge Coordinator: Use info to read about each exploit: info exploit/linux/http/bludit_upload_images_exec
Haxolottle: Use info to read about each exploit: info exploit/linux/http/bludit_upload_images_exec
CTF Challenge Coordinator: This particular exploit allows arbitrary code execution through image upload functionality.
Haxolottle: This particular exploit allows arbitrary code execution through image upload functionality.
~ instructor_rapport += 5
+ [What do I need to exploit Bludit?]
CTF Challenge Coordinator: The Bludit exploit requires several pieces of information:
Haxolottle: The Bludit exploit requires several pieces of information:
CTF Challenge Coordinator: RHOSTS: The target IP address
Haxolottle: RHOSTS: The target IP address
CTF Challenge Coordinator: BLUDITUSER: The Bludit admin username (should have been discovered during recon)
Haxolottle: BLUDITUSER: The Bludit admin username (should have been discovered during recon)
CTF Challenge Coordinator: BLUDITPASS: The admin password (might have been leaked, or you'll need to brute force it)
Haxolottle: BLUDITPASS: The admin password (might have been leaked, or you'll need to brute force it)
CTF Challenge Coordinator: TARGETURI: Typically / (the root of the web server)
Haxolottle: TARGETURI: Typically / (the root of the web server)
CTF Challenge Coordinator: The exploit will give you a Meterpreter shell if successful!
Haxolottle: The exploit will give you a Meterpreter shell if successful!
~ instructor_rapport += 5
+ [What if I don't have the password?]
CTF Challenge Coordinator: If you found the username but not the password, you have options:
Haxolottle: If you found the username but not the password, you have options:
CTF Challenge Coordinator: Check all discovered files thoroughly - passwords are sometimes leaked in config files or backups
Haxolottle: Check all discovered files thoroughly - passwords are sometimes leaked in config files or backups
CTF Challenge Coordinator: If truly not found, you can brute force it using OWASP ZAP (covered in optional Phase 3)
Haxolottle: If truly not found, you can brute force it using OWASP ZAP (covered in optional Phase 3)
CTF Challenge Coordinator: Bludit has CSRF protection and rate limiting, making brute forcing tricky but possible
Haxolottle: Bludit has CSRF protection and rate limiting, making brute forcing tricky but possible
~ instructor_rapport += 5
+ [Walk me through the exploitation]
CTF Challenge Coordinator: Here's the complete exploitation process:
Haxolottle: Here's the complete exploitation process:
CTF Challenge Coordinator: 1. Start Metasploit: msfconsole
Haxolottle: 1. Start Metasploit: msfconsole
CTF Challenge Coordinator: 2. Search: search bludit
Haxolottle: 2. Search: search bludit
CTF Challenge Coordinator: 3. Use the upload_images exploit: use exploit/linux/http/bludit_upload_images_exec
Haxolottle: 3. Use the upload_images exploit: use exploit/linux/http/bludit_upload_images_exec
CTF Challenge Coordinator: 4. Show options: show options
Haxolottle: 4. Show options: show options
CTF Challenge Coordinator: 5. Set target: set RHOSTS TARGET_IP
Haxolottle: 5. Set target: set RHOSTS TARGET_IP
CTF Challenge Coordinator: 6. Set username: set BLUDITUSER admin (or discovered username)
Haxolottle: 6. Set username: set BLUDITUSER admin (or discovered username)
CTF Challenge Coordinator: 7. Set password: set BLUDITPASS <discovered_password>
Haxolottle: 7. Set password: set BLUDITPASS <discovered_password>
CTF Challenge Coordinator: 8. Run exploit: exploit
Haxolottle: 8. Run exploit: exploit
CTF Challenge Coordinator: If successful, you'll get a Meterpreter shell! This is your foothold in the system.
Haxolottle: If successful, you'll get a Meterpreter shell! This is your foothold in the system.
~ instructor_rapport += 5
- -> guided_mode_hub
=== phase_3_bruteforce ===
CTF Challenge Coordinator: Phase 3 is optional - brute forcing the Bludit password if you only have the username.
Haxolottle: Phase 3 is optional - brute forcing the Bludit password if you only have the username.
~ instructor_rapport += 5
CTF Challenge Coordinator: Bludit has protections against brute forcing: CSRF tokens and IP-based rate limiting.
Haxolottle: Bludit has protections against brute forcing: CSRF tokens and IP-based rate limiting.
CTF Challenge Coordinator: OWASP ZAP can bypass these protections with the right configuration.
Haxolottle: OWASP ZAP can bypass these protections with the right configuration.
+ [How does CSRF protection work?]
CTF Challenge Coordinator: CSRF (Cross-Site Request Forgery) tokens are randomly generated by the server.
Haxolottle: CSRF (Cross-Site Request Forgery) tokens are randomly generated by the server.
CTF Challenge Coordinator: The server sends a token in each response, and the client must include it in the next request.
Haxolottle: The server sends a token in each response, and the client must include it in the next request.
CTF Challenge Coordinator: This prevents simple replay attacks because each request needs the current token.
Haxolottle: This prevents simple replay attacks because each request needs the current token.
CTF Challenge Coordinator: OWASP ZAP can extract tokens from responses and insert them into requests automatically.
Haxolottle: OWASP ZAP can extract tokens from responses and insert them into requests automatically.
~ instructor_rapport += 5
+ [How does rate limiting protection work?]
CTF Challenge Coordinator: After a certain number of failed login attempts from the same IP, Bludit blocks that IP temporarily.
Haxolottle: After a certain number of failed login attempts from the same IP, Bludit blocks that IP temporarily.
CTF Challenge Coordinator: You'll see messages like "Too many incorrect attempts. Try again in 30 minutes."
Haxolottle: You'll see messages like "Too many incorrect attempts. Try again in 30 minutes."
CTF Challenge Coordinator: However, we can bypass this using the X-Forwarded-For HTTP header.
Haxolottle: However, we can bypass this using the X-Forwarded-For HTTP header.
CTF Challenge Coordinator: By randomizing the X-Forwarded-For IP, we make each attempt appear to come from a different client.
Haxolottle: By randomizing the X-Forwarded-For IP, we make each attempt appear to come from a different client.
~ instructor_rapport += 5
+ [Walk me through the ZAP brute force process]
CTF Challenge Coordinator: This is complex, so pay attention:
Haxolottle: This is complex, so pay attention:
CTF Challenge Coordinator: 1. Launch OWASP ZAP and configure it as a proxy
Haxolottle: 1. Launch OWASP ZAP and configure it as a proxy
CTF Challenge Coordinator: 2. Install the random_x_forwarded_for_ip.js script from the ZAP community scripts
Haxolottle: 2. Install the random_x_forwarded_for_ip.js script from the ZAP community scripts
CTF Challenge Coordinator: 3. Browse to the Bludit login page through ZAP
Haxolottle: 3. Browse to the Bludit login page through ZAP
CTF Challenge Coordinator: 4. Attempt a login to capture the HTTP request in ZAP's history
Haxolottle: 4. Attempt a login to capture the HTTP request in ZAP's history
CTF Challenge Coordinator: 5. Right-click the POST request and select "Fuzz..."
Haxolottle: 5. Right-click the POST request and select "Fuzz..."
CTF Challenge Coordinator: 6. Select the password field and add a payload with common passwords
Haxolottle: 6. Select the password field and add a payload with common passwords
CTF Challenge Coordinator: 7. Add the X-Forwarded-For script as a message processor
Haxolottle: 7. Add the X-Forwarded-For script as a message processor
CTF Challenge Coordinator: 8. Launch the fuzzer and look for different HTTP response codes
Haxolottle: 8. Launch the fuzzer and look for different HTTP response codes
CTF Challenge Coordinator: Successful logins typically return 301 or 302 (redirect) instead of 200 (error message).
Haxolottle: Successful logins typically return 301 or 302 (redirect) instead of 200 (error message).
~ instructor_rapport += 5
- -> guided_mode_hub
=== phase_4_post_exploit ===
CTF Challenge Coordinator: Phase 4 is post-exploitation - exploring the compromised system and hunting for flags.
Haxolottle: Phase 4 is post-exploitation - exploring the compromised system and hunting for flags.
~ instructor_rapport += 5
CTF Challenge Coordinator: You should have a Meterpreter shell from the exploitation phase.
Haxolottle: You should have a Meterpreter shell from the exploitation phase.
CTF Challenge Coordinator: Now it's time to explore the system, understand your access level, and find flags.
Haxolottle: Now it's time to explore the system, understand your access level, and find flags.
+ [What Meterpreter commands should I use?]
CTF Challenge Coordinator: Essential Meterpreter commands for exploration:
Haxolottle: Essential Meterpreter commands for exploration:
CTF Challenge Coordinator: getuid - Shows your current username
Haxolottle: getuid - Shows your current username
CTF Challenge Coordinator: sysinfo - System information (OS, architecture, etc.)
Haxolottle: sysinfo - System information (OS, architecture, etc.)
CTF Challenge Coordinator: pwd - Print working directory
Haxolottle: pwd - Print working directory
CTF Challenge Coordinator: ls - List files in current directory
Haxolottle: ls - List files in current directory
CTF Challenge Coordinator: cat filename - Read file contents
Haxolottle: cat filename - Read file contents
CTF Challenge Coordinator: cd /path - Change directory
Haxolottle: cd /path - Change directory
CTF Challenge Coordinator: shell - Drop to OS shell (Ctrl-C to return to Meterpreter)
Haxolottle: shell - Drop to OS shell (Ctrl-C to return to Meterpreter)
~ instructor_rapport += 5
+ [Where should I look for flags?]
CTF Challenge Coordinator: Flags are hidden in various locations:
Haxolottle: Flags are hidden in various locations:
CTF Challenge Coordinator: Check your current directory - there might be a flag right where you land
Haxolottle: Check your current directory - there might be a flag right where you land
CTF Challenge Coordinator: Look in user home directories: /home/username/
Haxolottle: Look in user home directories: /home/username/
CTF Challenge Coordinator: Different users might have different flags
Haxolottle: Different users might have different flags
CTF Challenge Coordinator: Eventually, you'll need to check /root/ but that requires privilege escalation
Haxolottle: Eventually, you'll need to check /root/ but that requires privilege escalation
CTF Challenge Coordinator: Some flags might be in encrypted files - note encryption hints for later
Haxolottle: Some flags might be in encrypted files - note encryption hints for later
~ instructor_rapport += 5
+ [How do I switch users?]
CTF Challenge Coordinator: To switch users, you need to drop to an OS shell first:
Haxolottle: To switch users, you need to drop to an OS shell first:
CTF Challenge Coordinator: From Meterpreter, run: shell
Haxolottle: From Meterpreter, run: shell
CTF Challenge Coordinator: Now you have a Linux shell. Use: su username
Haxolottle: Now you have a Linux shell. Use: su username
CTF Challenge Coordinator: However, you'll need the user's password to switch
Haxolottle: However, you'll need the user's password to switch
CTF Challenge Coordinator: If you discovered the Bludit admin user's password earlier, you can switch to that user
Haxolottle: If you discovered the Bludit admin user's password earlier, you can switch to that user
CTF Challenge Coordinator: Return to Meterpreter with Ctrl-C when done
Haxolottle: Return to Meterpreter with Ctrl-C when done
~ instructor_rapport += 5
- -> guided_mode_hub
=== phase_5_privesc ===
CTF Challenge Coordinator: Phase 5 is privilege escalation - gaining root access to fully control the system.
Haxolottle: Phase 5 is privilege escalation - gaining root access to fully control the system.
~ instructor_rapport += 5
CTF Challenge Coordinator: Your initial shell is likely running as the www-data user (the web server user) with limited privileges.
Haxolottle: Your initial shell is likely running as the www-data user (the web server user) with limited privileges.
CTF Challenge Coordinator: To access all system files and read flags in /root/, you need to escalate to root.
Haxolottle: To access all system files and read flags in /root/, you need to escalate to root.
+ [How do I check my privileges?]
CTF Challenge Coordinator: From a shell, check your privileges:
Haxolottle: From a shell, check your privileges:
CTF Challenge Coordinator: whoami - Shows your username
Haxolottle: whoami - Shows your username
CTF Challenge Coordinator: id - Shows UID, GID, and groups
Haxolottle: id - Shows UID, GID, and groups
CTF Challenge Coordinator: sudo -l - Lists commands you can run with sudo
Haxolottle: sudo -l - Lists commands you can run with sudo
CTF Challenge Coordinator: Note: You might need a proper TTY terminal first: python3 -c 'import pty; pty.spawn("/bin/bash")'
Haxolottle: Note: You might need a proper TTY terminal first: python3 -c 'import pty; pty.spawn("/bin/bash")'
CTF Challenge Coordinator: This spawns a proper terminal that sudo will accept.
Haxolottle: This spawns a proper terminal that sudo will accept.
~ instructor_rapport += 5
+ [What's the sudo privilege escalation method?]
CTF Challenge Coordinator: When you run sudo -l, you'll see what commands you can run as root.
Haxolottle: When you run sudo -l, you'll see what commands you can run as root.
CTF Challenge Coordinator: If you can run /usr/bin/less with sudo, that's your ticket to root!
Haxolottle: If you can run /usr/bin/less with sudo, that's your ticket to root!
CTF Challenge Coordinator: The 'less' command is a pager for viewing files, but it can also execute shell commands.
Haxolottle: The 'less' command is a pager for viewing files, but it can also execute shell commands.
CTF Challenge Coordinator: When viewing a file with less, press ! followed by a command to execute it.
Haxolottle: When viewing a file with less, press ! followed by a command to execute it.
CTF Challenge Coordinator: Since less is running with sudo privileges, any command you run will execute as root!
Haxolottle: Since less is running with sudo privileges, any command you run will execute as root!
~ instructor_rapport += 5
+ [Walk me through getting root access]
CTF Challenge Coordinator: Here's the complete privilege escalation process:
Haxolottle: Here's the complete privilege escalation process:
CTF Challenge Coordinator: 1. Drop to shell from Meterpreter: shell
Haxolottle: 1. Drop to shell from Meterpreter: shell
CTF Challenge Coordinator: 2. Spawn a proper terminal: python3 -c 'import pty; pty.spawn("/bin/bash")'
Haxolottle: 2. Spawn a proper terminal: python3 -c 'import pty; pty.spawn("/bin/bash")'
CTF Challenge Coordinator: 3. Check sudo permissions: sudo -l
Haxolottle: 3. Check sudo permissions: sudo -l
CTF Challenge Coordinator: 4. You should see you can run less on a specific file
Haxolottle: 4. You should see you can run less on a specific file
CTF Challenge Coordinator: 5. Run that command with sudo: sudo /usr/bin/less /path/to/file
Haxolottle: 5. Run that command with sudo: sudo /usr/bin/less /path/to/file
CTF Challenge Coordinator: 6. When the file is displayed, type: !id
Haxolottle: 6. When the file is displayed, type: !id
CTF Challenge Coordinator: 7. You should see uid=0 (root!) in the output
Haxolottle: 7. You should see uid=0 (root!) in the output
CTF Challenge Coordinator: 8. Now type: !/bin/bash
Haxolottle: 8. Now type: !/bin/bash
CTF Challenge Coordinator: 9. You now have a root shell! Verify with: whoami
Haxolottle: 9. You now have a root shell! Verify with: whoami
CTF Challenge Coordinator: Now you can access /root/ and find the final flags!
Haxolottle: Now you can access /root/ and find the final flags!
~ instructor_rapport += 5
- -> guided_mode_hub
=== complete_walkthrough ===
CTF Challenge Coordinator: Here's the complete solution walkthrough from start to finish:
Haxolottle: Here's the complete solution walkthrough from start to finish:
~ instructor_rapport += 10
~ ctf_mastery += 20
CTF Challenge Coordinator: **Phase 1 - Reconnaissance:**
Haxolottle: **Phase 1 - Reconnaissance:**
CTF Challenge Coordinator: nmap -sV -p- TARGET_IP
Haxolottle: nmap -sV -p- TARGET_IP
CTF Challenge Coordinator: dirb http://TARGET_IP
Haxolottle: dirb http://TARGET_IP
CTF Challenge Coordinator: nikto -h http://TARGET_IP
Haxolottle: nikto -h http://TARGET_IP
CTF Challenge Coordinator: Browse discovered files, find admin login at /admin/, discover Bludit CMS, find leaked credentials
Haxolottle: Browse discovered files, find admin login at /admin/, discover Bludit CMS, find leaked credentials
CTF Challenge Coordinator: **Phase 2 - Exploitation:**
Haxolottle: **Phase 2 - Exploitation:**
CTF Challenge Coordinator: msfconsole
Haxolottle: msfconsole
CTF Challenge Coordinator: search bludit
Haxolottle: search bludit
CTF Challenge Coordinator: use exploit/linux/http/bludit_upload_images_exec
Haxolottle: use exploit/linux/http/bludit_upload_images_exec
CTF Challenge Coordinator: set RHOSTS TARGET_IP
Haxolottle: set RHOSTS TARGET_IP
CTF Challenge Coordinator: set BLUDITUSER admin (or discovered username)
Haxolottle: set BLUDITUSER admin (or discovered username)
CTF Challenge Coordinator: set BLUDITPASS discovered_password
Haxolottle: set BLUDITPASS discovered_password
CTF Challenge Coordinator: exploit
Haxolottle: exploit
CTF Challenge Coordinator: **Phase 3 - Post-Exploitation:**
Haxolottle: **Phase 3 - Post-Exploitation:**
CTF Challenge Coordinator: getuid, sysinfo, ls, cat flag.txt (in current directory)
Haxolottle: getuid, sysinfo, ls, cat flag.txt (in current directory)
CTF Challenge Coordinator: shell
Haxolottle: shell
CTF Challenge Coordinator: su bludit_admin (with discovered password)
Haxolottle: su bludit_admin (with discovered password)
CTF Challenge Coordinator: cat ~/flag.txt (in that user's home)
Haxolottle: cat ~/flag.txt (in that user's home)
CTF Challenge Coordinator: **Phase 4 - Privilege Escalation:**
Haxolottle: **Phase 4 - Privilege Escalation:**
CTF Challenge Coordinator: python3 -c 'import pty; pty.spawn("/bin/bash")'
Haxolottle: python3 -c 'import pty; pty.spawn("/bin/bash")'
CTF Challenge Coordinator: sudo -l (discover you can run less on a specific file)
Haxolottle: sudo -l (discover you can run less on a specific file)
CTF Challenge Coordinator: sudo /usr/bin/less /path/to/file
Haxolottle: sudo /usr/bin/less /path/to/file
CTF Challenge Coordinator: !id (verify root)
Haxolottle: !id (verify root)
CTF Challenge Coordinator: !/bin/bash (spawn root shell)
Haxolottle: !/bin/bash (spawn root shell)
CTF Challenge Coordinator: cd /root && ls (find final flags)
Haxolottle: cd /root && ls (find final flags)
CTF Challenge Coordinator: That's the complete solution! Try to replicate it yourself now that you understand the approach.
Haxolottle: That's the complete solution! Try to replicate it yourself now that you understand the approach.
-> guided_mode_hub
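Review bot: the phase numbering in `complete_walkthrough` disagrees with the knots defined earlier in this hunk: the walkthrough labels post-exploitation "**Phase 3**" and privilege escalation "**Phase 4**", but the knots are `phase_3_bruteforce` (described as optional), `phase_4_post_exploit` and `phase_5_privesc`, so a learner following the summary will not find the phase numbers they were told to expect. Either renumber the walkthrough headings to 4 and 5 or add a line stating that the optional brute-force phase is skipped. Secondary point: every `~ instructor_rapport += 5` in this hunk keeps the old variable name although the companion file renames it to `haxolottle_rapport`; the speaker-label replacements themselves are consistent throughout the hunk.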

View File

@@ -32,7 +32,7 @@ VAR completed_spoofing = false
VAR completed_attachment = false
// Instructor relationship
VAR instructor_rapport = 0
VAR haxolottle_rapport = 0
VAR ethical_awareness_shown = false
// External variables
@@ -43,7 +43,7 @@ EXTERNAL player_name
// ===========================================
=== start ===
~ instructor_rapport = 0
~ haxolottle_rapport = 0
Social Engineering Specialist: Welcome, Agent {player_name}. I'm your instructor for human factors and social engineering.
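Review bot: the context line `Social Engineering Specialist: Welcome, Agent {player_name}...` keeps the old speaker label even though this hunk renames the rapport variable to `haxolottle_rapport` and the commit message says all files now use the Haxolottle character; either update the speaker labels in this file in the same commit or narrow the commit message to the variable rename. The `~ haxolottle_rapport = 0` reset itself matches the new VAR declared in the previous hunk.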
@@ -55,12 +55,12 @@ Social Engineering Specialist: Clear on that? We're learning these techniques to
* [Absolutely. I understand the ethical boundaries]
~ ethical_awareness_shown = true
~ instructor_rapport += 15
~ haxolottle_rapport += 15
You: Understood completely. Authorized testing only, controlled environments, defensive purpose.
Social Engineering Specialist: Perfect. That's exactly the mindset we need. Let's begin.
-> social_engineering_hub
* [Yes, I'm clear on the scope]
~ instructor_rapport += 5
~ haxolottle_rapport += 5
You: Clear on the ethical constraints.
Social Engineering Specialist: Good. Remember that throughout.
-> social_engineering_hub
@@ -102,7 +102,7 @@ Social Engineering Specialist: What aspect of social engineering and phishing wo
=== human_factors_intro ===
~ intro_human_factors_discussed = true
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Social Engineering Specialist: Human factors. The foundation of social engineering attacks.
@@ -123,7 +123,7 @@ Social Engineering Specialist: The classic saying: "The user is the weakest link
-> social_engineering_hub
=== human_vulnerabilities ===
~ instructor_rapport += 10
~ haxolottle_rapport += 10
Social Engineering Specialist: Excellent question. Multiple factors make humans vulnerable:
@@ -137,11 +137,11 @@ Social Engineering Specialist: **Information asymmetry**: Attackers know tricks
Social Engineering Specialist: **Scale**: Attackers can send thousands of phishing emails. They only need one person to click. The defender has to get it right every time.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
-> social_engineering_hub
=== human_factors_defense ===
~ instructor_rapport += 10
~ haxolottle_rapport += 10
Social Engineering Specialist: Good instinct. Defense requires layered approaches:
@@ -155,7 +155,7 @@ Social Engineering Specialist: **Culture**: Create organizational culture where
Social Engineering Specialist: **Regular testing**: Conduct simulated phishing campaigns to identify vulnerable users and improve training. What we're doing here—authorized, controlled testing.
~ instructor_rapport += 10
~ haxolottle_rapport += 10
-> social_engineering_hub
// ===========================================
@@ -164,7 +164,7 @@ Social Engineering Specialist: **Regular testing**: Conduct simulated phishing c
=== phishing_basics ===
~ phishing_basics_discussed = true
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Social Engineering Specialist: Phishing. One of the most effective attack vectors in cybersecurity.
@@ -191,7 +191,7 @@ Social Engineering Specialist: Once they open that attachment, the attacker gain
-> social_engineering_hub
=== spear_phishing_explanation ===
~ instructor_rapport += 10
~ haxolottle_rapport += 10
Social Engineering Specialist: Important distinction.
@@ -205,11 +205,11 @@ Social Engineering Specialist: This lab simulates spear phishing. You'll researc
Social Engineering Specialist: In real-world APT (Advanced Persistent Threat) attacks, spear phishing is often the initial compromise. High-value targets get carefully researched, precisely targeted emails.
~ instructor_rapport += 10
~ haxolottle_rapport += 10
-> social_engineering_hub
=== phishing_success_rates ===
~ instructor_rapport += 8
~ haxolottle_rapport += 8
Social Engineering Specialist: Disturbingly successful.
@@ -226,11 +226,11 @@ Social Engineering Specialist: The economics favor attackers: sending 10,000 phi
Social Engineering Specialist: And one successful compromise can be enough. One executive's email account, one developer's credentials, one system admin's access—that's your foothold.
~ instructor_rapport += 8
~ haxolottle_rapport += 8
-> social_engineering_hub
=== convincing_phishing ===
~ instructor_rapport += 10
~ haxolottle_rapport += 10
Social Engineering Specialist: The art of the convincing phish. Several key elements:
@@ -248,7 +248,7 @@ Social Engineering Specialist: **Psychological triggers**: Authority (from execu
Social Engineering Specialist: Combine these elements, and you create emails that even security-aware users might trust.
~ instructor_rapport += 10
~ haxolottle_rapport += 10
-> social_engineering_hub
// ===========================================
@@ -257,7 +257,7 @@ Social Engineering Specialist: Combine these elements, and you create emails tha
=== reconnaissance_intro ===
~ reconnaissance_discussed = true
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Social Engineering Specialist: Reconnaissance. The foundation of targeted attacks.
@@ -284,7 +284,7 @@ Social Engineering Specialist: **Interest identification**: What are targets pas
-> social_engineering_hub
=== recon_timeframes ===
~ instructor_rapport += 8
~ haxolottle_rapport += 8
Social Engineering Specialist: Depends on the operation and target value.
@@ -298,12 +298,12 @@ Social Engineering Specialist: The more valuable the target, the more reconnaiss
Social Engineering Specialist: For this lab, you'll spend 15-30 minutes on reconnaissance. Enough to understand the organization and personalize attacks, but compressed for training purposes.
~ instructor_rapport += 5
~ haxolottle_rapport += 5
~ completed_reconnaissance = true
-> social_engineering_hub
=== osint_tools ===
~ instructor_rapport += 10
~ haxolottle_rapport += 10
Social Engineering Specialist: Many tools assist OSINT:
@@ -323,7 +323,7 @@ Social Engineering Specialist: **Shodan**: Search engine for internet-connected
Social Engineering Specialist: For this exercise, you'll manually browse the target website. Simple, but effective for understanding the process.
~ instructor_rapport += 10
~ haxolottle_rapport += 10
~ completed_reconnaissance = true
-> social_engineering_hub
@@ -333,7 +333,7 @@ Social Engineering Specialist: For this exercise, you'll manually browse the tar
=== email_spoofing_intro ===
~ email_spoofing_discussed = true
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Social Engineering Specialist: Email spoofing. Fundamental to convincing phishing.
@@ -359,7 +359,7 @@ Social Engineering Specialist: Modern defenses exist: SPF, DKIM, DMARC—technol
-> social_engineering_hub
=== email_authentication ===
~ instructor_rapport += 10
~ haxolottle_rapport += 10
Social Engineering Specialist: Good question. Email authentication mechanisms:
@@ -373,11 +373,11 @@ Social Engineering Specialist: When properly implemented, these make spoofing mu
Social Engineering Specialist: Many organizations haven't configured DMARC. Many email servers don't strictly enforce these policies. Spoofing remains viable in many scenarios.
~ instructor_rapport += 10
~ haxolottle_rapport += 10
-> social_engineering_hub
=== spoofing_technique ===
~ instructor_rapport += 8
~ haxolottle_rapport += 8
Social Engineering Specialist: In this lab, spoofing is straightforward.
@@ -393,11 +393,11 @@ Social Engineering Specialist: Other spoofing approaches:
Social Engineering Specialist: The simulation simplifies this to focus on social engineering tactics rather than technical bypasses.
~ completed_spoofing = true
~ instructor_rapport += 5
~ haxolottle_rapport += 5
-> social_engineering_hub
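Review bot: style nit in `spoofing_technique`: `~ completed_spoofing = true` comes before `~ haxolottle_rapport += 5`, whereas the other knots touched in this patch (for example `recon_timeframes`, `osint_tools`, `attachment_targeting`) put the rapport increment first and the `completed_*` flag second. Since the line is being edited anyway, swapping the two statements would keep the knot tail ordering uniform across the file.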
=== email_design_problems ===
~ instructor_rapport += 10
~ haxolottle_rapport += 10
Social Engineering Specialist: Excellent critical thinking.
@@ -415,7 +415,7 @@ Social Engineering Specialist: Classic security challenge: replacing widely-depl
Social Engineering Specialist: Lesson: technical debt and legacy systems create enduring vulnerabilities. Design security in from the start, because retrofitting is painful.
~ instructor_rapport += 15
~ haxolottle_rapport += 15
-> social_engineering_hub
// ===========================================
@@ -424,7 +424,7 @@ Social Engineering Specialist: Lesson: technical debt and legacy systems create
=== malicious_attachments_intro ===
~ malicious_attachments_discussed = true
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Social Engineering Specialist: Malicious attachments. The payload delivery mechanism.
@@ -451,7 +451,7 @@ Social Engineering Specialist: The choice depends on your target. Different role
-> social_engineering_hub
=== attachment_targeting ===
~ instructor_rapport += 10
~ haxolottle_rapport += 10
Social Engineering Specialist: Matching attachments to targets—critical for success.
@@ -467,13 +467,13 @@ Social Engineering Specialist: **General principle**: Send what the target expec
Social Engineering Specialist: In this simulation, targets have preferences. Some will only open specific file types. Pay attention to their roles and feedback.
~ instructor_rapport += 10
~ haxolottle_rapport += 10
~ completed_attachment = true
-> social_engineering_hub
=== macro_explanation ===
~ macros_discussed = true
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Social Engineering Specialist: Office macros. Powerful and frequently exploited.
@@ -500,7 +500,7 @@ Social Engineering Specialist: Social engineering comes into play: "This documen
-> social_engineering_hub
=== macro_creation ===
~ instructor_rapport += 10
~ haxolottle_rapport += 10
Social Engineering Specialist: Creating a malicious macro—walkthrough:
@@ -524,12 +524,12 @@ Social Engineering Specialist: **Step 6**: Save as .odt or .ods. Attach to phish
Social Engineering Specialist: When victim opens document and enables macros (or if their security is set to low), your payload executes.
~ instructor_rapport += 10
~ haxolottle_rapport += 10
~ completed_attachment = true
-> social_engineering_hub
=== macro_defenses ===
~ instructor_rapport += 10
~ haxolottle_rapport += 10
Social Engineering Specialist: Macro defenses—layered approach:
@@ -553,11 +553,11 @@ Social Engineering Specialist: The challenge: many organizations legitimately us
Social Engineering Specialist: Defense-in-depth: combine technical controls, user awareness, and policy. No single measure is perfect.
~ instructor_rapport += 10
~ haxolottle_rapport += 10
-> social_engineering_hub
=== executable_payloads ===
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Social Engineering Specialist: Executable malware payloads. More direct than macros.
@@ -580,7 +580,7 @@ Social Engineering Specialist: Works better with technical targets who might exp
-> social_engineering_hub
=== msfvenom_payloads ===
~ instructor_rapport += 10
~ haxolottle_rapport += 10
Social Engineering Specialist: msfvenom. Metasploit Framework's payload generator.
@@ -604,12 +604,12 @@ Social Engineering Specialist: When victim runs the malware, it connects back to
Social Engineering Specialist: msfvenom can generate payloads for any platform, architecture, and access method. Incredibly versatile tool.
~ instructor_rapport += 10
~ haxolottle_rapport += 10
~ completed_attachment = true
-> social_engineering_hub
=== executable_disguises ===
~ instructor_rapport += 8
~ haxolottle_rapport += 8
Social Engineering Specialist: Disguising executables—social engineering and technical tricks:
@@ -625,7 +625,7 @@ Social Engineering Specialist: **Pretext engineering**: Convince target they nee
Social Engineering Specialist: In practice, getting users to run raw executables is harder than macro documents. But with right pretext and target, it works.
~ instructor_rapport += 8
~ haxolottle_rapport += 8
-> social_engineering_hub
// ===========================================
@@ -634,7 +634,7 @@ Social Engineering Specialist: In practice, getting users to run raw executables
=== reverse_shells_intro ===
~ reverse_shells_discussed = true
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Social Engineering Specialist: Reverse shells. The goal of attachment-based phishing.
@@ -659,7 +659,7 @@ Social Engineering Specialist: Why reverse? Several advantages:
-> social_engineering_hub
=== reverse_shell_mechanics ===
~ instructor_rapport += 10
~ haxolottle_rapport += 10
Social Engineering Specialist: Reverse shell mechanics—simple but elegant:
@@ -683,11 +683,11 @@ From network monitoring, looks like victim initiated connection to external IP.
Social Engineering Specialist: Tools like netcat, msfvenom payloads, custom scripts—all create reverse shell connections.
~ instructor_rapport += 10
~ haxolottle_rapport += 10
-> social_engineering_hub
=== post_exploitation_basics ===
~ instructor_rapport += 10
~ haxolottle_rapport += 10
Social Engineering Specialist: Post-exploitation. What you do after gaining access.
@@ -712,7 +712,7 @@ Basic netcat shells are fragile—no TTY, limited interaction, easily disconnect
Social Engineering Specialist: For this lab, simple shell is sufficient to read flags and demonstrate access.
~ instructor_rapport += 10
~ haxolottle_rapport += 10
-> social_engineering_hub
// ===========================================
@@ -720,7 +720,7 @@ Social Engineering Specialist: For this lab, simple shell is sufficient to read
// ===========================================
=== attack_workflow ===
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Social Engineering Specialist: Complete attack workflow for this lab:
@@ -767,7 +767,7 @@ Social Engineering Specialist: **Phase 6 - Objective**:
// ===========================================
=== challenge_tips ===
~ instructor_rapport += 5
~ haxolottle_rapport += 5
Social Engineering Specialist: Practical tips for the simulation:
@@ -815,7 +815,7 @@ Social Engineering Specialist: **Troubleshooting**:
=== ethics_discussion ===
~ ethics_discussed = true
~ instructor_rapport += 10
~ haxolottle_rapport += 10
Social Engineering Specialist: Critical topic. Ethical considerations.
@@ -844,11 +844,11 @@ Social Engineering Specialist: **Professional responsibility**: Security profess
~ ethical_awareness_shown = true
You: Clear on the ethics. Authorized testing, defensive purpose, professional responsibility.
Social Engineering Specialist: Excellent. Remember that throughout your career.
~ instructor_rapport += 15
~ haxolottle_rapport += 15
-> social_engineering_hub
=== ethical_hacking_discussion ===
~ instructor_rapport += 15
~ haxolottle_rapport += 15
Social Engineering Specialist: "Ethical hacking" without authorization is a contradiction.
@@ -866,11 +866,11 @@ Social Engineering Specialist: **Proper approach**: If you identify a vulnerabil
Social Engineering Specialist: The distinction is consent. Authorized testing with consent is ethical. Unauthorized testing without consent is not—even with "good intentions."
~ instructor_rapport += 20
~ haxolottle_rapport += 20
-> social_engineering_hub
=== pentest_process ===
~ instructor_rapport += 15
~ haxolottle_rapport += 15
Social Engineering Specialist: Legitimate penetration testing process:
@@ -902,7 +902,7 @@ Social Engineering Specialist: **Reporting**:
Social Engineering Specialist: This structured, authorized, documented process is what makes penetration testing ethical and legal. Everything else is unauthorized hacking.
~ instructor_rapport += 15
~ haxolottle_rapport += 15
-> social_engineering_hub
// ===========================================
@@ -939,7 +939,7 @@ Social Engineering Specialist: Remember: in the simulation, victims provide feed
Social Engineering Specialist: This is iterative social engineering. First attempt might fail. Adjust and try again. That's realistic—real attackers iterate too.
{instructor_rapport >= 60:
{haxolottle_rapport >= 60:
Social Engineering Specialist: You've demonstrated strong understanding and good ethical awareness. You're well-prepared for this exercise.
}
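Review bot: the threshold check `{haxolottle_rapport >= 60:` is renamed along with the increments, but the hunks shown cover only `~` increments and this one conditional; the rename is only complete if the `VAR` declaration for this file and every other reader of `instructor_rapport` (other ink files that include or reference this scenario, and any save state that persists rapport under the old name) are updated too. A missed `~ instructor_rapport += ...` would surface as an unresolved-variable error at ink compile time, but persisted rapport under the old name would simply not feed the new variable, so the `>= 60` branch would be harder to reach than before. Suggest a repository-wide search for `instructor_rapport` before merging, and note that the dialogue line inside the branch still reads `Social Engineering Specialist:` rather than the Haxolottle character the commit message describes.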
