Hack Lu
Winners
Paulo won the first prize, luck was on his side :)
Lisa got a 6-pack of good Belgian beer because she was the fastest.
Hack.lu contest
First things first! The hack contest was not about technology or geek exploits and leet code; it was focussed on social engineering.
The files used in the scenario are here
Why?
Simply because today the biggest issue we encounter is the human factor. Our goal was to show that no matter what security you use, it can be easily circumvented by a user with bad habits.
What?
Users were challenged to find an encrypted file (gpg), decrypt it and show us the content.
The challenge
Clearly, if you managed to decrypt the file, no matter which scenario you took, you counted as a winner.
Our scenario:
- Company name: Oilrig
- Computer username: JohnyBgood
- Computer operator: oilrigoper
- Computer admin: root
- CEO user: manager

The basic idea is that JohnyBgood can become oilrigoper, and from oilrigoper one can become root. Once root, one should find the "manager account".
Now, JohnyBgood is a car fanatic, and Chevys are his favorites. (A picture of a Chevy Impala was found on the desk.)
The password for JohnyBgood is chevyimpala; however, an open shell was available by switching consoles with Ctrl+Alt+F*.
To become oilrigoper, you either use su or log out and log in with the other account. But desktop access would be the easiest way if you are not a Linux guru. In the directory of JohnyBgood there is a PDF file containing the operator contact details. The telephone number of the operator is the password of oilrigoper.
To become root, oilrigoper needs to perform an su. The passwords for the root accounts are described in a document which could be found in the oilrigoper directory. The logic for the password was fairly simple: <machinename>+variable. Watch carefully: the + sign is part of the password and does not mean 'add'. In our case the password = oilserver1+Zxiza
Once you have root, you can read the mail from the manager account. Somewhere in the mails there is a password for the gpg key. With this password you can decrypt confidential data stored somewhere on the machine which should not be used by external people.
That's it! Simple, right? We appreciate your feedback, so do send it to info at conostix dot com.
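Each password in the scenario can be derived from something visible around the account: a hobby, a contact sheet, the machine name. The following is an added example, not part of the original write-up, of a check run when a password is set that rejects such choices; the function names, substitution table, length thresholds and the phone number are assumptions made for illustration.

```python
import re

# Assumed, minimal table of character substitutions undone before matching.
LEET = str.maketrans("013457@$", "oieastas")
MIN_TOKEN = 4  # assumed threshold: shorter tokens cause too many false hits

# Constructed sample context; names come from the scenario, the phone is made up.
CONTEXT = {
    "username": "JohnyBgood", "hostname": "oilserver1", "company": "Oilrig",
    "interests": ["Chevy", "Impala"],   # e.g. the picture on the desk
    "phones": ["+352 555 0100"],        # constructed placeholder number
}

def normalize(text):
    """Lowercase, undo simple substitutions, keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))

def digits(text):
    """Keep only the decimal digits of a string."""
    return re.sub(r"\D", "", text)

def audit_password(password, ctx):
    """Return the sorted list of context sources a proposed password leaks from."""
    reasons = set()
    norm = normalize(password)
    tokens = [(k, ctx.get(k, "")) for k in ("username", "hostname", "company")]
    tokens += [("interest", w) for w in ctx.get("interests", [])]
    for label, raw in tokens:
        token = normalize(raw)
        if len(token) >= MIN_TOKEN and token in norm:
            reasons.add(label)
    # A phone number may be typed with or without its prefix, so accept
    # containment in either direction once at least six digits are involved.
    pw_digits = digits(password)
    for phone in ctx.get("phones", []):
        ph = digits(phone)
        if ph and len(pw_digits) >= 6 and (pw_digits in ph or ph in pw_digits):
            reasons.add("phone")
    return sorted(reasons)

if __name__ == "__main__":
    for candidate in ("chevyimpala", "Ch3vy-1mp4la!", "5550100",
                      "oilserver1+Zxiza", "tarnish-velvet-quorum-83"):
        print(f"{candidate!r}: {audit_password(candidate, CONTEXT) or 'ok'}")
```

A check like this only covers the first three steps of the scenario; the GPG passphrase sitting in the manager's mail is a storage habit that no password rule will catch.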