CentraleSupélecDépartement informatique
Plateau de Moulon
3 rue Joliot-Curie
F-91192 Gif-sur-Yvette cedex
1CC1000 - Information Systems and Programming - Homework: Escape the Shell!

Goal

The goal of this activity is to use the right shell commands to discover hidden passwords. You learned some of the commands in the quiz that introduced the second tutorial. In this activity you'll learn other commands.

You need to connect to a remote server, where you'll find a set of directories and files that lead you through a kind of treasure hunt.

Connection to the remote server.

Go through the following steps to connect to the remote server:

  1. Follow this link to connect to MyDocker, a virtual environment manager provided by CentraleSupélec.
  2. Click on Connexion avec le CAS and log in with your CentraleSupélec credentials (using your email and usual password).
  3. Click on the button Demander un environnement (click first on SIP Escape the shell if you cannot see this button).

If an error arises, log out from the website (with the Déconnexion button) and restart the procedure.

Login to your Shell

Open a terminal on your computer. You can use the terminal provided by VS Code, or a stand-alone terminal (Terminal on macOS or Linux, Git Bash on Windows).

Go the MyDocker page and:

  1. Copy the ssh command given in section Accès SSH à "Escape the Shell". Paste this command into the terminal and execute it. A message will appear asking you whether you want to connect to this machine. Type yes and the return key.
  2. Copy the password from the MyDocker page, paste it into the terminal and press the return button. Note that when you paste the password into the terminal, nothing is displayed. That is normal.

If no error arises, you should be connected to a remote virtual environment.

Notes on the ssh command

SSH stands for Secure Shell. It is a network protocol used to open a connection to a remote machine using a shell. The SSH server installed on the remote machine usually listens to port 22 for incoming connections. The SSH protocol belongs to the layer 5 of the OSI model.

The SSH command that you copied from MyDocker has the following format:

ssh <username>@<machineAdress(IP or domain name)> -p <portNumber>

Note that the port number specified in the command that you copied is not 22. This is due to the fact that the remote server created by MyDocker is a "chunk" of a physical computer, also called a Docker container. We use different ports to distinguish the chunks. The fact that port 22 is the default for the SSH protocol does not mean that we cannot choose to use a different one.

Becoming root (easier said than done...)

In any computer we can create multiple accounts associated to different users. Some users may have administrator privileges, which gives them the right to do actions (e.g., installing applications) that other regular users are not allowed to do. There is also a special user, usually referred to as root, with special, almost unlimited powers on the machine.

The aim of anyone who wants to take over a computer system is to have access to the root account.

The machine you are connected to right now has several user accounts. You logged in with an account assigned to you. But there is a flaw. Hidden in your directories there is a password to gain access to another user account. Once you gain access to the other user account, another password is hidden that allows you to access yet another user account. The game ends when you finally discover the password of the root account.

 

While you type a password in the terminal, nothing is displayed, as if you weren't typing nothing at all. This is normal, passwords are not displayed for obvious security reasons.

 

You might find this Bash cheat sheet useful.

 

When you're done, remember to shut down the virtual environment by clicking on the button "Eteindre l'environnement" in MyDocker.

SOLUTION

  • level0 
 cd ..
 cat README.txt
  • level1 
 cat .password_to_level2
  • level2 
 cat password_to_level3.zip.part.* foo/bar/missing_part/password_to_level3.zip.part.e >password_to_level3.zip
 unzip password_to_level3.zip
 cat password_to_level3.txt
  • level3 
 exit
 chmod +r ../level3/password_to_level4.txt
 cat ../level3/password_to_level4.txt
  • level4 
 bzip2 -d password_to_level5.txt.b64.bz2
 base64 -d password_to_level5.txt.b64
  • level5 
 export PATH=/bin:/usr/bin
 cat password_to_level6.txt
 /bin/su level6

ou 

 /bin/cat password_to_level6.txt
 /bin/su level6
  • level6 
 cd
 /usr/bin/wget http://localhost
 /bin/cat index.html
 /usr/bin/wget http://localhost/root.password
 /bin/cat root.password