The Terminal - Hacking Manual

Guessing Passwords

We have recovered a shredded list of passwords from a nearby dumpster. Despite our best efforts to piece it back together, it is still hard to make out the passwords. Below are our best guesses for the passwords of each user - perhaps with a bit of extra work you can work which are correct?

You will have a number of attempts to log in before the password is reset. Using our cracked login program, you will be able to see how many characters were correct - the right letter in the right position - for each attempt. You should be able to work out the password using this information.

Inputting the incorrect password too many times will lead to a password reset, and you'll have to start again.

Guessing Visual Passwords

Some organisations use a visual password system. Users select images to identify themselves, and this selection is then used for authentication. Fortunately for us, people usually pick images based on the things that they like...

The visual login process will present you with four images - three from the user's selected images, and one which was not selected by the user. Use the table below to identify the user based on the images you are presented with, and select the three correct images

Selecting an incorrect image will result in a temporary lockout.

Cracking Programs

You'll sometimes need to modify the code of programs on the computer you're attempting to gain access to in order to bypass security checks. Brush off your programming skills and open your hex editor...

A program is made up of a number of lines of code, where each line consists of 6 numbers. A hex editor will allow you to modify the lines of code one-by-one, replacing one value in the line with another value. Note that in some cases, you will need to remember the value that you are replacing for following lines.

Follow the rules below in order to determine the correct actions for each line. If you don't follow the instructions below carefully, the system will detect your attempts to modify the program, and revert it to its original state.

1. If this is the first line in the program go to (d), else go to (b)
2. If this is the last line go to (j), else go to (c)
3. If you made a change to the previous line, go to (g), else go to (d)
4. If the line has one or more 9s, replace the last number in the line by 7, else go to (e)
5. If the line contains one or more zeros, replace the first occurence with 9, else go to (f)
6. If the line contains more than 3 odd numbers, reduce the first odd number by 1, else go to (k)
7. If the line has more than one zeros, replace the first number in the line with the number that was replaced in the previous line, else go to (h)
8. If the line contains more than one 9s, replace the first occurence with the number of the column in the last line which was edited, else go to (i)
9. If the line contains one or more values which match the value inserted in the previous line, replace the first occurence with zero, else go to (k)
10. Replace the final value with the number of lines (excluding this line) which have been modified.
11. Do not edit the line.

Decrypting Filesystems

Some systems you encounter will have encrypted filesystems, which will need to be unencrypted before you can progress further with a hack. A disgruntled employee at one of the big security firms leaked some of the encryption keys, which should allow you to progress

Our decryption program will present you with a section of encrypted data. Use the table below to enter the correct plain-text data - decryption can then take place based on this information.

Entering the incorrect key will cause data corruption, and recovering from this will waste valuable time.

Disabling Hardware Security

Some of our target devices have hardware security support in the form of on-board expansion chips. These will prevent us from gaining access unless we can somehow disable them. Luckily we were able to 'obtain' a copy of the hardware specifications, which should help you bypass this protection.

Each system may have one or more security chip on its motherboard, with an associated pull-down resistor. In order to bypass the security system, you must remove the chip, its pull-down resistor, or both, based on the information in the below tables. Removing a chip or resistor is achieved by simply left-clicking on it.

Once you have the correct hardware configuration, click the power button to the bottom left of the screen to restart the computer. Booting the system with an incorrect hardware configuration may affect the system clock, which may reduce the amount of time you have before you are logged out.

Table 1: This table shows the values of the different resistors, based on the coloured markings on the resistor.

Table 2: Use the last character of the security chip's identifier and the value of the chip's pull-down resistor to determine the correct action.

Table 3: Use the row given by table 2, and the first character of the terminal name to determine the correct action.

Key:

• N: remove nothing.
• C: remove the chip.
• R: remove the resistor.
• B: remove both.
• T3, row#: Consult table 3, looking at the specified row.

Network Management

Some systems obtain login information from a remote authentication server. The easiest way around this is to reconfigure the network so that they are connected to one of our servers instead!

The network manager allows you to make network connections between devices in a network. Each device is represented as a symbol in a grid. Your goal is to use the arrow keys to draw a path from the computer you are attempting to hack (the source, S) to our rogue authentication server (the destination, D). You cannot visit a node in the network grid more than once.

Some networks contain gateway switches (G). When connecting the source to the destination, you must make sure to go through all such switches on the way. Most networks also contain firewalls (x) - our server cannot communicate through these devices and so they must be avoided.

Attempts to configure the network such that it doesn't meet the above requirements will fail, and the network configuration will roll back to its previous state.

Below are some possible network configurations you will encounter. The source and destination devices are identified by IP addresses, which are included with the diagram.

S . . . x x
x . . . x x
x x G x x x
. . . . G .
G . . . . .
x x x x x D

S . . G x x
. . . . x x
. x . . x x
. . x . G .
G . . x . .
x x . . . D

S . . G x x
. . . . . x
. x . . G x
. . x . x .
G . . . . .
x x . . . D

. x D x x .
. x . . x .
x x x . x x
. . . . . .
. x x x x .
. . . S . G

. x x D x .
. x . . x .
x x . x x x
. . . . . .
. x x x x .
G . S . . .

D . . . x x
. x x . x x
. x x G x x
. . . . . x
x . x x . x
x G . . . S

Minehunt

The minehunt game is a poorly written Minesweeper clone, installed on many of our target systems. The aim is to clear all the squares not containing mines, without uncovering a mine. Flags can be placed to mark known mine locations. Winning the game is not your aim here, however: analysis Minehunt's assembly code has revealed that it is possible to gain elavated permissions if certain actions are performed in the right order

To trigger the exploit in the Minehunt game, follow the below steps:

1. Use the mine count and size of board to determine which layout you have been presented with.
2. Place flags (right click) on all but one of the mines, as indicated below.
3. Detonate (left click) the final mine. With some board layouts, the time at which the final mine is detonated (whether the number of seconds in the counter is odd or even) is critical in triggering the exploit.

Below are all possible board layouts you may encounter. Use the following key to determine which mines should be flagged, and which should be detonated: