Here is the Student Assessment
Morning, 007s.
Your mission, should you choose to accept it, is to identify and eliminate the hacker who breached our secure data centers.
The identities of all your fellow WDI agents will be exposed, and they will be in great danger if we don't react fast.
Our security records show the following access logged on the servers:
********************************************************************************************
* Server: //H4rry-Web3.wdiLovesBond.ga
* File: /var/log/nginx/access/20150407-2.log
********************************************************************************************
*
* ________ ________ _________ ____________;_
* - ______ \ - ______ \ / _____ //. . ._______/
* / / / // / / //_/ / // ___ /
* / / / // / / / .-'//_/|_/,-'
* / / / // / / / .-'.-'
* / / / // / / / / /
* / / / // / / / / /
* / /_____/ // /_____/ / / /
* \________- \________- /_/
*
* 2015-04-07 04:32 | SYSTEM BREACH ALERT. IP Detected 72.21.92.59
*
********************************************************************************************
********************************************************************************************
* Server: //f3r-is-the-hacker.wdiLovesBond.ga
* File: /var/log/nginx/error/20150407.log
********************************************************************************************
* http://towel.blinkenlights.nl
*
*
*
* ,-/o"O`--.._ _/(_
* _,-o'.|o 0 'O o O`o--'. e\
* (`o-..___..--''o:,-' )o /._" O "o 0 o : ._>
* ``--o___o..o.'' :'.O\_ ```--.\o .' `--
* `-`.,) \`.o`._
* `-`-.,)****>> Follow the Repo --->>>
*
********************************************************************************************
Your objective is to identify the hacker who intruded on our systems and save your fellow classmates from a terrible fate. We count on you!
First, we must find out in which city in the world that IP is located. Fast!
Go to IPLocation and enter the IP address we identified in the logs, 72.21.92.59:
IP Address | Country | Region | City | ISP |
---|---|---|---|---|
72.21.92.59 | United States | California | Santa Monica | Edgecast Networks Inc. |
One caveat before trusting that answer: Edgecast Networks is a CDN operator, so GeoIP has placed a content-delivery edge node, not the person using it. Treat the city as a lead, not an identification.
There is also a website in the logs (http://towel.blinkenlights.nl). What does it contain?
Forbidden
You don't have permission to access / on this server.
Apache Server at towel.blinkenlights.nl Port 80
Dead end: the web server refuses us, so we will have to work around it. A server can expose many ports, and each port is the entry point for a different service.
Since the web server gives us no information about the hacker, we will need to dig deeper.
- Install Nmap ("Network Mapper") with Homebrew.
- Find the IP address of towel.blinkenlights.nl.
- Run Nmap, a free and open source utility for network discovery and security auditing. To run it, simply call `nmap IP_ADDRESS`.
```
$ brew install nmap
$ ping towel.blinkenlights.nl
PING towel.blinkenlights.nl (94.142.241.111): 56 data bytes
64 bytes from 94.142.241.111: icmp_seq=0 ttl=51 time=280.347 ms
--- towel.blinkenlights.nl ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 280.347/280.347/280.347/0.000 ms
$ nmap 94.142.241.111
Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-07 03:04 HKT
Nmap scan report for 94.142.241.111 (94.142.241.111)
Host is up (0.36s latency).
rDNS record for 94.142.241.111: no-reverse-yet-please-set-it-in-service-menu.coloclue.net
Not shown: 991 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   filtered ssh
23/tcp   open     telnet
25/tcp   filtered smtp
80/tcp   open     http
666/tcp  open     doom
1068/tcp filtered instl_bootc
6129/tcp filtered unknown
6667/tcp open     irc
Nmap done: 1 IP address (1 host up) scanned in 43.04 seconds
```
We should see a list of open services in the nmap output. Describe what each of the open services does. Keep in mind that without `-sV` the SERVICE column is only a lookup of the port number in nmap's `nmap-services` file (which is why 666 is labelled "doom"), not a fingerprint of what is actually listening. The `filtered` ports (22, 25, 1068, 6129) are ones where a firewall or filter dropped the probe, so they are left out of the table.

| PORT | STATE | SERVICE | Service Information |
|--|--|--|--|
| 21/tcp | open | ftp | http://en.wikipedia.org/wiki/File_Transfer_Protocol |
| 23/tcp | open | telnet | http://en.wikipedia.org/wiki/Telnet |
| 80/tcp | open | http | http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol |
| 666/tcp | open | doom | http://en.wikipedia.org/wiki/Doom_(series) |
| 6667/tcp | open | irc | http://en.wikipedia.org/wiki/Internet_Relay_Chat |
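The table above is what you would fill in by hand. As an added example (not part of the assessment, and not code from the course), here is a small Python script that does the same triage automatically: it parses nmap's normal text output, pulls out the rDNS name and every port line, keeps the `open` ones, and flags the services (FTP, Telnet) whose logins cross the wire in cleartext. The sample input is the scan output from this page embedded inline so the script runs offline; the per-port notes are the editor's own descriptions, not something nmap reports.

```python
import re

# Sample input: the port table from the nmap run on this page (94.142.241.111),
# embedded so the example runs without touching the network.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-07 03:04 HKT
Nmap scan report for 94.142.241.111 (94.142.241.111)
Host is up (0.36s latency).
rDNS record for 94.142.241.111: no-reverse-yet-please-set-it-in-service-menu.coloclue.net
Not shown: 991 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   filtered ssh
23/tcp   open     telnet
25/tcp   filtered smtp
80/tcp   open     http
666/tcp  open     doom
1068/tcp filtered instl_bootc
6129/tcp filtered unknown
6667/tcp open     irc
Nmap done: 1 IP address (1 host up) scanned in 43.04 seconds
"""

# Editor's notes on the conventional service per port. nmap's SERVICE column is a
# port-number lookup in its nmap-services file (hence "doom" on 666), not the
# result of talking to the daemon, so a note describes the expected service only.
SERVICE_NOTES = {
    21: "FTP, file transfer; username and password sent in cleartext",
    22: "SSH, encrypted remote shell",
    23: "Telnet, remote terminal; everything, password included, in cleartext",
    25: "SMTP, mail transfer",
    80: "HTTP, web server (the one that answered 403 Forbidden)",
    666: "'doom' in nmap-services, the id Software Doom network port; real daemon unknown",
    6667: "IRC, chat server",
}

# Services whose login credentials are transmitted unencrypted.
CLEARTEXT_LOGIN = {"ftp", "telnet"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
RDNS_LINE = re.compile(r"^rDNS record for (\S+): (\S+)")


def parse_nmap(text):
    """Return (rdns, ports). rdns is the reverse-DNS name or None; ports is a
    list of dicts with port, proto, state and service, in scan order."""
    rdns = None
    ports = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RDNS_LINE.match(line)
        if m:
            rdns = m.group(2)
            continue
        m = PORT_LINE.match(line)   # header/summary lines do not start with a digit
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4)})
    return rdns, ports


def open_ports(ports):
    """Only ports nmap reports as open; filtered ones were dropped by a firewall."""
    return [p for p in ports if p["state"] == "open"]


def cleartext_logins(ports):
    """Open ports whose service sends credentials in the clear."""
    return [p for p in open_ports(ports) if p["service"] in CLEARTEXT_LOGIN]


def report(text):
    """One rDNS line plus one line per open port, with the note and a cleartext flag."""
    rdns, ports = parse_nmap(text)
    lines = [f"rDNS: {rdns or 'none'}"]
    for p in open_ports(ports):
        note = SERVICE_NOTES.get(p["port"], "no note; run nmap -sV to fingerprint it")
        flag = "  <-- cleartext login" if p["service"] in CLEARTEXT_LOGIN else ""
        lines.append(f"{p['port']}/{p['proto']:<4} {p['service']:<8} {note}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NMAP_OUTPUT)))
```

The same parser works on any `nmap` normal-output run you paste in; on a real engagement you would follow it with `nmap -sV` on the open ports, because the "doom" label is exactly the kind of guess a port-number lookup produces.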
Now connect to the hacker's server over the Telnet protocol (port 23, which the scan shows open).
Good Luck. This message will self-destruct in 10 SECONDS.