Lab Project

 

Project Lab

Step 1 Holiday Hack Challenge 2017

1.       Go to this link: https://holidayhackchallenge.com/2017/

2.       As you go over the material I would like you to focus on at least the first two steps in the Challenge.  From these steps below the green items are what I would like you to answer for me.

3.       SCOPE: For this entire challenge, you are authorized to attack ONLY the Letters to Santa system at l2s.northpolechristmastown.com AND other systems on the internal 10.142.0.0/24 network that you access through the Letters to Santa system. You are also authorized to download data from nppd.northpolechristmastown.com, but you are not authorized to exploit that machine or any of the North Pole and Beyond puzzler, chat, and video game components of the Holiday Hack Challenge.

4.       This technical challenge gives you an opportunity to apply an attack against a vulnerability in Apache Struts servers that was discovered in 2017.  There were two vulnerabilities, one in March and one in September.  The first vulnerability was used in a famous attack, most likely after a company failed to patch it quickly.  Hopefully after all the publicity surrounding the Struts vulnerabilities, companies have applied the proper patches to their web servers and this challenge is just an enlightening exercise.

5.       What are the names and CVE numbers of the two Apache Struts vulnerabilities from 2017?  (The links in the first paragraph of this lesson will be helpful.)

6.       Which vulnerability was part of the famous attack?

7.       Any other information you can find about the site.

Step 2 Reconnaissance of a web site

Inspect the website https://l2s.northpolechristmastown.com.  View Page Source, or Chrome or Firefox Developer Tools should be helpful. 

1.       What type of software was the web site written with?

2.       What is the IP address associated with https://l2s.northpolechristmastown.com?

3.       What is the IP address associated with https://dev.northpolechristmastown.com?

4.       Any other information you can find about the site.

Step 3 Linux Challenge

1.       Register a new account, and log in.  https://2017.holidayhackchallenge.com/login

2.       The problem here is that the Linux “find” command is not easily accessible.

210pro1

      

3.    Bushy’s tweet is a clue.

4.       The key part is, “How am I supposed to know where “find” normally is?!”  The linux terminal is based on Ubuntu.  Kali is also based on Ubuntu.  Hmmm.  If you can answer Bushy’s question you can solve the challenge. Using which or whereis

5.       The command you used to find elftalkd, and the command you used to start efltalkd.