Skip to content
Snippets Groups Projects
Commit f55e69e8 authored by Zdenek Vydra's avatar Zdenek Vydra
Browse files

Update training definition

parent 854c18c8
No related branches found
No related tags found
No related merge requests found
......@@ -19,6 +19,6 @@
src: passlist.txt
dest: /home/kypo/passlist.txt
owner: kypo
mode: 0755
mode: 0644
...
\ No newline at end of file
......@@ -6,40 +6,68 @@
"state" : "UNRELEASED",
"show_stepper_bar" : true,
"levels" : [ {
"title" : "How to connect to the sandbox",
"title" : "Info",
"max_score" : 0,
"level_type" : "INFO_LEVEL",
"order" : 0,
"estimated_duration" : 0,
"content" : "Info about accessing the game level was moved to the game level."
"content" : "The purpose of this demo is to showcase and test capabilities of the kypo project. It consists of this info level, two game levels, test and assesment."
}, {
"title" : "Connecting Via Telnet",
"max_score" : 100,
"level_type" : "GAME_LEVEL",
"order" : 1,
"estimated_duration" : 5,
"estimated_duration" : 15,
"flag" : "Top_Secret_Flag",
"content" : "Your task in this simple level is to connect to the server via **`telnet`** on port **`2323`** using **`test:password`** and get the flag.\n\n## GUI access\n1. In the topology overview, click the button in the top-right corner of the graph, then **`Expand All`**, **`client`** and **`Generate console URL`**. After a few moments, **`Open link`** next to the **`Generate console URL`** should appear.\n\n2. Login using username **`kypo`** and password **`kypo`** for root access.\n\n## SSH from local machine\n1. Use the **`Get SSH Access`** button to download **`ssh-access.zip`**.\n\n2. Extract the **`ssh-access.zip`** file to the **`~/.ssh/`** directory.\n\n ```shell\n $ unzip ssh-access.zip -d ~/.ssh/\n ```\n\n You will get following files:\n \n ```shell\n ~/.ssh/pool-id-<pool_ID>-sandbox-id-<sbx_ID>-user-config - The SSH configuration file.\n ~/.ssh/pool-id-<pool_ID>-sandbox-id-<sbx_ID>-user-source.sh - The configuration script.\n ~/.ssh/pool-id-<pool_ID>-sandbox-id-<sbx_ID>-user-key - The sandbox user SSH private key.\n ~/.ssh/pool-id-<pool_ID>-sandbox-id-<sbx_ID>-user-key.pub - The sandbox user SSH public key.\n ```\n\n3. Execute the extracted source script in the current shell using the **`source`** command with the path to the KYPO proxy SSH private key. The source script that will set the **`ssh`** command and the **KYPO proxy SSH private key**, which is available to instance operator.\n\n ```shell\n $ source ~/.ssh/pool-id-<pool_ID>-sandbox-id-<sbx_ID>-user-source.sh PATH_TO_KYPO_PROXY_PRIVATE_KEY\n ```\n\n4. Connect to the client to **`kypo`** user. \n\n ```shell\n $ ssh kypo@client\n ```",
"solution" : "1. To connect to the server use command **` telnet server 2323`**, then enter username **`test`** and password **`password`**.\n\n2. Get the flag using **`cat flag.txt`** and submit it. \n",
"content" : "Your task is to connect to the server and get the flag. You know that there is a **`telnet`** service running on the server and that **`alice`** has a weak password. The flag is in alices home directory. There is a list of common passwords placed in your home directory for your convenience.\n\nBelow are two options how to connect to the client from which you can connect to the server.\n\n## GUI access\n1. In the topology overview, click the button in the top-right corner of the graph, then **`Expand All`**, **`client`** and **`Generate console URL`**. After a few moments, **`Open link`** next to the **`Generate console URL`** should appear.\n\n2. Login using username **`kypo`** and password **`kypo`**.\n\n3. You may want to run **`/bin/bash`** to get a friendlier shell.\n\n## SSH from local machine\n1. Use the **`Get SSH Access`** button to download **`ssh-access.zip`**.\n\n2. Extract the **`ssh-access.zip`** file to your **`~/.ssh/`** directory.\n\n ```shell\n $ unzip ssh-access.zip -d ~/.ssh/\n ```\n\n You will get following files:\n \n ```shell\n ~/.ssh/pool-id-<pool_ID>-sandbox-id-<sbx_ID>-user-config - The SSH configuration file.\n ~/.ssh/pool-id-<pool_ID>-sandbox-id-<sbx_ID>-user-source.sh - The configuration script.\n ~/.ssh/pool-id-<pool_ID>-sandbox-id-<sbx_ID>-user-key - The sandbox user SSH private key.\n ~/.ssh/pool-id-<pool_ID>-sandbox-id-<sbx_ID>-user-key.pub - The sandbox user SSH public key.\n ```\n\n3. Execute the extracted source script in the current shell using the **`source`** command with the path to the KYPO proxy SSH private key. The source script that will set the **`ssh`** command and the **KYPO proxy SSH private key**, which is available to instance operator.\n\n ```shell\n $ source ~/.ssh/pool-id-<pool_ID>-sandbox-id-<sbx_ID>-user-source.sh PATH_TO_KYPO_PROXY_PRIVATE_KEY\n ```\n\n4. Connect to the client to **`kypo`** user. \n\n ```shell\n $ ssh kypo@client\n ```",
"solution" : "1. Look for open ports using the command **`nmap server`**. You can see **ssh** running on port **22** and some other service running on port **2323**. This has to be the **telnet** service.\n\n2. You know that **alice** has a weak password so you can try a dictionary attack. A list of common passwords is ready in your home directory. One of possible tools to make a password attack is **hydra**. A command to find the password is **`hydra -l alice -P passlist.txt telnet://server:2323`**. This will reveal alices password **bacon**.\n\n3. Now you can connect to the server by using **`telnet server 2323`**, entering username **`alice`** and her password **`bacon`**.\n\n4. To read the flag you can use **`cat flag.txt`**. Use the flag to get to the next level.\n",
"solution_penalized" : true,
"hints" : [ {
"title" : "Correct Command",
"content" : "Use `telnet server 2323` and enter username and password to connect.",
"hint_penalty" : 50,
"title" : "Connecting using telnet",
"content" : "The command to connect using telnet is **`telnet server <port>`**, where **`<port>`** is the number of port on which the telnet server is running. You will be prompted to enter username and password.",
"hint_penalty" : 10,
"order" : 2
}, {
"title" : "Tool for password attacks",
"content" : "Common tools for password attacks are **hydra** and **medusa**. Consult their help commands or man pages to find appropriate options to perform the attack. You can use the list of common passwords in your home directory.",
"hint_penalty" : 40,
"order" : 1
}, {
"title" : "Port Number",
"content" : "The server is listening at port `2323`.",
"hint_penalty" : 0,
"title" : "Tool to find open ports.",
"content" : "A common tool to find open ports is **nmap**. It has many options, but you will suffice with **`nmap server`** to find the open ports.",
"hint_penalty" : 20,
"order" : 0
} ],
"incorrect_flag_limit" : 10,
"attachments" : [ ]
}, {
"title" : "Privilege Escalation",
"max_score" : 100,
"level_type" : "GAME_LEVEL",
"order" : 2,
"estimated_duration" : 15,
"flag" : "Cant_Guess_This",
"content" : "Great, you managed to login to the server as **alice** but there is not much you can do as **alice**. Can you find a way to become **root**? The flag is in roots home directory.",
"solution" : "1. One of common privilege escalation attack vectors is badly configured **sudo**. To see what you can use sudo for, use the **`sudo --list`** command.\n\n2. You can see that the only command you can use sudo on is **`less /home/alice/flag.txt`**. There is not much to see in the flag, but you can run this as **root**. Is there a way to get a shell?\n\n3. There is, all you have to do is enter **`!sh`** while running the **`sudo less /home/alice/flag.txt`** to get a root shell.\n\n4. To get the flag, use **`cd`** to enter roots home directory and **`cat flag.txt`** to read the flag.",
"solution_penalized" : true,
"hints" : [ {
"title" : "Attack vector",
"content" : "One of common privilege escalation attack vectors is badly configured **sudo**. To see what you can use sudo for, use the **`sudo --list`** command.\n",
"hint_penalty" : 30,
"order" : 0
}, {
"title" : "Using the privilege escalation",
"content" : "You have probably figured out that you can run **sudo** on a certain **less** command. To get a shell enter **`!sh`** while running the **less** command.",
"hint_penalty" : 60,
"order" : 1
} ],
"incorrect_flag_limit" : 10,
"attachments" : [ ]
}, {
"title" : "Test Example",
"max_score" : 0,
"level_type" : "ASSESSMENT_LEVEL",
"order" : 2,
"order" : 3,
"estimated_duration" : 5,
"questions" : "[{\"question_type\":\"FFQ\",\"correct_choices\":[\"flag.txt\"],\"answer_required\":true,\"order\":0,\"penalty\":10,\"points\":100,\"text\":\"What was the flag filename?\"},{\"question_type\":\"MCQ\",\"choices\":[{\"text\":\"Yes\",\"order\":0,\"is_correct\":false},{\"text\":\"No\",\"order\":1,\"is_correct\":true}],\"answer_required\":true,\"order\":1,\"penalty\":10,\"points\":100,\"text\":\"The telnet service was running on default port.\"},{\"question_type\":\"EMI\",\"rows\":[\"HTTP\",\"SSH\",\"HTTPS\",\"Telnet\"],\"cols\":[\"22\",\"23\",\"80\",\"443\"],\"correct_answers\":[{\"x\":0,\"y\":2},{\"x\":1,\"y\":0},{\"x\":2,\"y\":3},{\"x\":3,\"y\":1}],\"answer_required\":true,\"order\":2,\"penalty\":10,\"points\":100,\"text\":\"Assosiate services with their default port numbers.\"}]",
"instructions" : "A simple test.",
......@@ -48,11 +76,11 @@
"title" : "Assesment Example",
"max_score" : 0,
"level_type" : "ASSESSMENT_LEVEL",
"order" : 3,
"order" : 4,
"estimated_duration" : 5,
"questions" : "[{\"question_type\":\"MCQ\",\"choices\":[{\"text\":\"Graphical user interface of KYPO\",\"order\":0,\"is_correct\":false},{\"text\":\"SSH\",\"order\":1,\"is_correct\":false}],\"answer_required\":true,\"order\":0,\"penalty\":0,\"points\":0,\"text\":\"How did you connect to the client?\"},{\"question_type\":\"EMI\",\"rows\":[\"Everything went smoothly\",\"The User Interface is nice\",\"The test was easy\"],\"cols\":[\"Very much\",\"A little bit\",\"Not really\",\"Not at all\"],\"correct_answers\":[],\"answer_required\":true,\"order\":1,\"penalty\":0,\"points\":0,\"text\":\"Do you agree that... ?\"},{\"question_type\":\"FFQ\",\"correct_choices\":[],\"answer_required\":false,\"order\":2,\"penalty\":0,\"points\":0,\"text\":\"How would you improve this demo?\"}]",
"instructions" : "Please answer the questions. The last question is voluntary.",
"assessment_type" : "QUESTIONNAIRE"
} ],
"estimated_duration" : 15
}
"estimated_duration" : 40
}
\ No newline at end of file
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment