training.json 10.9 KB
Newer Older
1
2
3
{
  "title" : "KYPO Cyber Range Training Platform - Demo Content",
  "description" : "The demo contains all types of levels to demonstrate the training capabilities of the KYPO Cyber Range Platform.",
Dominik Pilár's avatar
Dominik Pilár committed
4
  "prerequisites" : [ ],
5
6
7
8
9
10
11
12
  "outcomes" : [ ],
  "state" : "UNRELEASED",
  "show_stepper_bar" : true,
  "levels" : [ {
    "title" : "Info",
    "level_type" : "INFO_LEVEL",
    "order" : 0,
    "estimated_duration" : 0,
Juraj Paluba's avatar
Juraj Paluba committed
13
    "content" : "# Demo Summary\n\nThe demo contains all types of levels to demonstrate the training capabilities of the KYPO Cyber Range Platform.\n\n**Note**: It is recommended to use the Chrome browser. In case you run into difficulties with submitting the answer, try to Log out and Log in again. \n\n| Level | Level Name | Level Type |\n|:------:|------| ------ |\n| 1. | Info | Info |\n| 2. | Finding Open Ports | Training |\n| 3. | Connecting via Telnet | Training |\n| 4. | Privilege Escalation | Training |\n| 5. | Test Example | Assessment |\n| 6. | Assessment Example | Assessment |\n\n## Info\n\nThe level contains this information page.\n\n## Finding open ports\n\nThe level provides information on how to connect to a sandbox. In general, there are two possible options. The first option is to use the platform'a GUI to connect to the machine via Spice console. The second option is to connect through SSH with a generated config file and keys.\n\nThis level's small challenge is to scan open ports.\n\n## Connecting Via Telnet\n\nThis level's challenge is to connect to the server machine without a password and discover the secret answer.\n\n## Privilege Escalation\n\nThis demo's bigger challenge is to gain root privileges and read an answer available only to a root user. Enjoy! \n\n## Test Example\n\nThe level contains a simple example of a test. Tests can be used, for example, for additional testing of students for grading purposes.\n\n## Assessment Example\n\nThe level contains a simple example of a test. For example, the tests can be used to verify the learning outcomes or for collecting feedback.\n"
14
15
16
  }, {
    "title" : "Finding open ports",
    "max_score" : 50,
Juraj Paluba's avatar
Juraj Paluba committed
17
    "level_type" : "TRAINING_LEVEL",
18
19
    "order" : 1,
    "estimated_duration" : 10,
Juraj Paluba's avatar
Juraj Paluba committed
20
21
22
23
    "answer" : "2323",
    "answer_variable_name": null,
    "content" : "Your goal is to get access to a **server**. You know that there is a **telnet** service running on the server but it is not running on the default port. Your first task is to find the **port** on which the telnet service is running. The answer is the port number.\n\nBelow are two options how to connect to the client from which you can connect to the server.\n\n## GUI access\n1. In the topology overview, click the button in the top-right corner of the graph, then **`Expand All`**, **`client`** and **`Generate console URL`**. After a few moments, **`Open link`** next to the **`Generate console URL`** should appear.\n\n2. Login using username **`kypo`** and password **`kypo`**.\n\n## SSH from local machine\n1. Use the **`Get SSH Access`** button to download **`ssh-access.zip`**.\n\n2. Extract the **`ssh-access.zip`** file to your **`~/.ssh/`** directory.\n\n    `$ unzip ssh-access.zip -d ~/.ssh/`\n\n3. Execute the extracted source script in the current shell using the **`source`** command with the path to the KYPO proxy SSH private key. The source script that will set the **`ssh`** command and the **KYPO proxy SSH private key**, which is available from instance operator.\n\n    `$ source ~/.ssh/pool-id-<pool_ID>-sandbox-id-<sbx_ID>-user-source.sh PATH_TO_KYPO_PROXY_PRIVATE_KEY`\n\n4. Connect to the client to **`kypo`** user. \n\n    `$ ssh kypo@client`",
    "solution" : "1. Connect to the client using either of the options.\n\n2. Look for open ports using the command **`nmap server`**. You can see **ssh** running on port **22** and some other service running on port **2323**. This has to be the **telnet** service.\n\n3. Enter **`2323`** as the answer.",
24
25
26
27
28
29
30
    "solution_penalized" : true,
    "hints" : [ {
      "title" : "Tool to find open ports",
      "content" : "A common tool to find open ports is **nmap**. You can learn how to use nmap using **`nmap --help`** or by searching online.",
      "hint_penalty" : 20,
      "order" : 0
    } ],
Juraj Paluba's avatar
Juraj Paluba committed
31
    "incorrect_answer_limit" : 10,
32
33
34
35
    "attachments" : [ ]
  }, {
    "title" : "Connecting via Telnet",
    "max_score" : 100,
Juraj Paluba's avatar
Juraj Paluba committed
36
    "level_type" : "TRAINING_LEVEL",
37
38
    "order" : 2,
    "estimated_duration" : 10,
Juraj Paluba's avatar
Juraj Paluba committed
39
40
41
42
    "answer" : "Top_Secret_Flag",
    "answer_variable_name": null,
    "content" : "Now you have the port number and you would like to connect, but you don't have any credentials. Luckily you know that user **`alice`** has a weak password. You might be able to guess it. The answer is in alices home directory. There is a list of common passwords placed in your home directory for your convenience.\n\n",
    "solution" : "1. You know that **alice** has a weak password so you can try a dictionary attack. A list of common passwords is ready in your home directory. One of possible tools to make a password attack is **hydra**. A command to find the password is **`hydra -l alice -P passlist.txt telnet://server:2323`**. This will reveal alices password **`bacon`**.\n\n2. Now you can connect to the server by using **`telnet server 2323`**, entering username **`alice`** and her password **`bacon`**.\n\n3. To read the answer you can use **`cat flag.txt`**. The answer is **`Top_Secret_Flag`**.\n",
43
44
45
46
47
48
49
50
51
52
53
54
    "solution_penalized" : true,
    "hints" : [ {
      "title" : "Connecting using telnet",
      "content" : "The command to connect using telnet is **`telnet <host> <port>`**, so in our case **`telnet server 2323`**. You will be prompted to enter an username and password.",
      "hint_penalty" : 10,
      "order" : 1
    }, {
      "title" : "Tool for password attacks",
      "content" : "Common tools for password attacks are **hydra** and **medusa**. Consult their help commands or man pages to find appropriate options to perform the attack. You can use the list of common passwords stored in your home directory. Use **`ls`** to list files.",
      "hint_penalty" : 20,
      "order" : 0
    } ],
Juraj Paluba's avatar
Juraj Paluba committed
55
    "incorrect_answer_limit" : 10,
56
57
58
59
    "attachments" : [ ]
  }, {
    "title" : "Privilege Escalation",
    "max_score" : 100,
Juraj Paluba's avatar
Juraj Paluba committed
60
    "level_type" : "TRAINING_LEVEL",
61
62
    "order" : 3,
    "estimated_duration" : 15,
Juraj Paluba's avatar
Juraj Paluba committed
63
64
65
66
    "answer" : "Cant_Guess_This",
    "answer_variable_name": null,
    "content" : "Great, you managed to login to the server as **alice** but there is not much you can do as **alice**. Can you find a way to become **root**? The answer is in the root directory.\n\nOne of common privilege escalation attack vectors is badly configured **sudo**. To see what you can use sudo for, use the **`sudo --list`** command.\n",
    "solution" : "1. You can see that the only command you can use sudo on is **`less /home/alice/flag.txt`**. There is not much to see in the flag, but you can run this as **root**. Is there a way to get a shell?\n\n2. There is, all you have to do is enter **`!sh`** while running the **`sudo less /home/alice/flag.txt`** to get a root shell.\n\n3. To get the answer, use **`cd`** to enter the root directory and **`cat flag.txt`** to read the answer. The answer is **`Cant_Guess_This`**.",
67
68
69
70
71
72
73
    "solution_penalized" : true,
    "hints" : [ {
      "title" : "Using the privilege escalation",
      "content" : "You have probably figured out that you can run **sudo** on a certain **less** command. To get a shell run **`sudo less /home/alice/flag.txt`**, enter the password. Type **`!sh`** to get a root shell.",
      "hint_penalty" : 60,
      "order" : 0
    } ],
Juraj Paluba's avatar
Juraj Paluba committed
74
    "incorrect_answer_limit" : 10,
75
76
77
78
79
80
    "attachments" : [ ]
  }, {
    "title" : "Test Example",
    "level_type" : "ASSESSMENT_LEVEL",
    "order" : 4,
    "estimated_duration" : 5,
Dominik Pilár's avatar
Dominik Pilár committed
81
82
    "questions" : [ {
      "question_type" : "FFQ",
Juraj Paluba's avatar
Juraj Paluba committed
83
      "text" : "What was the name of a file storing the answer?",
Dominik Pilár's avatar
Dominik Pilár committed
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
      "points" : 100,
      "penalty" : 0,
      "order" : 0,
      "answer_required" : true,
      "choices" : [ {
        "text" : "flag.txt",
        "correct" : true,
        "order" : 0
      } ]
    }, {
      "question_type" : "MCQ",
      "text" : "The Telnet service was running on the default port.",
      "points" : 100,
      "penalty" : 0,
      "order" : 1,
      "answer_required" : true,
      "choices" : [ {
        "text" : "Yes",
        "correct" : false,
        "order" : 0
      }, {
        "text" : "No",
        "correct" : true,
        "order" : 1
      } ]
    }, {
      "question_type" : "EMI",
      "text" : "Match services with their default port numbers.",
      "points" : 100,
      "penalty" : 0,
      "order" : 2,
      "answer_required" : true,
      "extended_matching_options" : [ {
        "text" : "22",
        "order" : 0
      }, {
        "text" : "23",
        "order" : 1
      }, {
        "text" : "80",
        "order" : 2
      }, {
        "text" : "443",
        "order" : 3
      } ],
      "extended_matching_statements" : [ {
        "text" : "HTTP",
        "order" : 0,
        "correct_option_order" : 2
      }, {
        "text" : "SSH",
        "order" : 1,
        "correct_option_order" : 0
      }, {
        "text" : "HTTPS",
        "order" : 2,
        "correct_option_order" : 3
      }, {
        "text" : "Telnet",
        "order" : 3,
        "correct_option_order" : 1
      } ]
    } ],
147
148
149
150
151
152
153
    "instructions" : "A simple test.",
    "assessment_type" : "TEST"
  }, {
    "title" : "Assessment Example",
    "level_type" : "ASSESSMENT_LEVEL",
    "order" : 5,
    "estimated_duration" : 5,
Dominik Pilár's avatar
Dominik Pilár committed
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
    "questions" : [ {
      "question_type" : "MCQ",
      "text" : "How did you connect to the client?",
      "points" : 0,
      "penalty" : 0,
      "order" : 0,
      "answer_required" : true,
      "choices" : [ {
        "text" : "Graphical user interface of KYPO",
        "correct" : false,
        "order" : 0
      }, {
        "text" : "SSH",
        "correct" : false,
        "order" : 1
      } ]
    }, {
      "question_type" : "EMI",
      "text" : "Do you agree that... ?",
      "points" : 0,
      "penalty" : 0,
      "order" : 1,
      "answer_required" : true,
      "extended_matching_options" : [ {
        "text" : "Very much",
        "order" : 0
      }, {
        "text" : "A little bit",
        "order" : 1
      }, {
        "text" : "Not really",
        "order" : 2
      }, {
        "text" : "Not at all",
        "order" : 3
      } ],
      "extended_matching_statements" : [ {
        "text" : "Everything went smoothly",
        "order" : 0
      }, {
        "text" : "The User Interface is nice",
        "order" : 1
      }, {
        "text" : "The test was easy",
        "order" : 2
      } ]
    }, {
      "question_type" : "FFQ",
      "text" : "How would you improve this demo?",
      "points" : 0,
      "penalty" : 0,
      "order" : 2,
      "answer_required" : false
    } ],
208
209
210
211
    "instructions" : "Please answer the questions. The last question is voluntary.",
    "assessment_type" : "QUESTIONNAIRE"
  } ],
  "estimated_duration" : 45
Dominik Pilár's avatar
Dominik Pilár committed
212
}