7

I feel like this isn't the best place to ask this (since there's no single right answer), but I can't think of a better place. If you have a better recommendation, could you please recommend it and I can move the question rather than just having it closed outright?

I'm teaching a class of high-school students about general Linux security. At a high level I want them to be able to take a given Linux server and know how to harden it against common security issues - e.g. closing old accounts, using a strong password hashing algorithm, making sure no strange processes are running or run at boot. Their skill level is a broad range, and I'm looking for ways to motivate them to use what we've been discussing (e.g. look at crontab; look at users and group configurations; look at open ports).

I have been given $200 to hold a competition to encourage them, and I thought maybe I could purchase a bunch of Amazon gift cards in $10 increments. The idea would be to "hide" the redemption codes in various places on our sandbox server for the kids to find. For example, I could store the passwords in plaintext, and have one of the example user accounts assigned a password of one of the codes. Or maybe I could set up a cron job to log one of the codes to a system log every 30 seconds.

What I'm looking for is places/methods to hide these codes such that someone looking to secure the server would stumble across them.

Thanks!

loneboat
  • 1,434
  • 1
  • 12
  • 16

2 Answers

5

I can think of a few ideas:

  • put the codes inside a file that runs at boot, discoverable when the user runs `strings` on it

  • put the codes in suid scripts (you should never ever have suid scripts)

  • put codes in world-writable binaries in /sbin

  • put codes in world-readable config files somewhere

  • put codes in tmp files

  • put codes as a chain name in iptables

Things like that.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142
  • 6
    Another evil trick: unmount `/tmp`, write a file to the underlying file system (i.e. the `/tmp` directory in the root filesystem) and then re-mount `/tmp`. Can only be found by enumerating inodes or guessing the trick and unmounting it. – Polynomial Sep 04 '14 at 21:46
  • 1
    @Polynomial: Wow. Yes that's evil. I think that's beyond our current skillset at this point. Awesome though - thanks again! – loneboat Sep 04 '14 at 21:56
  • @Polynomial if you have mount, just mount an image that contains a setuid root backdoor. – rook Sep 05 '14 at 17:40
  • @Rook The idea wasn't to exploit it, but rather to hide a file somewhere for a challenge. – Polynomial Sep 05 '14 at 17:51
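As an added example (not code from either answer): a small audit script that surfaces each hiding spot listed in this answer, run against a constructed sandbox so it can be tried without a real server. The planted file names, the 2014 timestamp and the `CODE_RE` pattern (four dash-separated groups of four upper-case letters or digits) are assumptions for the demo, not the real gift-card format; on the class server you would call `run_audit /` instead. The `/tmp`-under-the-mountpoint trick from the comments is not covered.

```bash
#!/usr/bin/env bash
# Added example: hardening checks that turn up the hiding spots listed in the
# answer above. Each check takes a directory (or reads stdin) so the same
# functions run against the constructed sandbox built below and against "/" on
# the real class server. Assumptions: the planted-code pattern, file names and
# dates are made up for this demo.
set -u

# Four groups of four upper-case letters/digits: an assumed shape for the
# planted codes, not the real gift-card format.
CODE_RE='[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}'

# setuid/setgid regular files under $1 (the answer's point: suid scripts never belong).
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# World-writable regular files under $1 (a planted or trojaned binary in sbin/).
find_world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# Regular files under $1 not modified for more than $2 days (default 7):
# stale droppings in tmp/.
find_old_files() {
    find "$1" -xdev -type f -mtime +"${2:-7}" 2>/dev/null | sort
}

# Printable strings in one file that match CODE_RE. tr(1) splits on every
# non-printable byte, which is what strings(1) does, and works on a minimal
# server where binutils is not installed.
grep_codes() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -oE "$CODE_RE" | sort -u
}

# grep_codes over every small regular file in a tree (boot scripts, config
# files, logs written by a planted cron job), prefixed with the path.
scan_tree_for_codes() {
    find "$1" -xdev -type f -size -1024k 2>/dev/null | while IFS= read -r f; do
        grep_codes "$f" | awk -v path="$f" '{ print path ": " $0 }'
    done
}

# User-defined iptables chains: `iptables -S` emits one "-N NAME" line per
# custom chain. Reads from stdin so it also works on saved output.
list_custom_chains() {
    awk '$1 == "-N" { print $2 }'
}

# Build a throwaway sandbox with one planted item per check (all constructed).
# Prints the sandbox path.
build_sandbox() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/sbin" "$root/etc/init.d" "$root/tmp"
    # setuid shell script
    printf '#!/bin/sh\necho hi\n' > "$root/sbin/helper"
    chmod 4755 "$root/sbin/helper"
    # world-writable "binary" in sbin/
    printf 'not really a binary\n' > "$root/sbin/netstat"
    chmod 0666 "$root/sbin/netstat"
    # code buried among NUL bytes in a boot script, so cat(1) hides it
    printf 'ELF\0\0\0junk\0ZZZZ-1111-QQQQ-2222\0\n' > "$root/etc/init.d/rc.local"
    chmod 0644 "$root/etc/init.d/rc.local"
    # stale dotfile in tmp/ with a constructed 2014 timestamp
    printf 'YYYY-9999-WWWW-0000\n' > "$root/tmp/.codes"
    chmod 0644 "$root/tmp/.codes"
    touch -t 201409040000 "$root/tmp/.codes"
    printf '%s\n' "$root"
}

# Run every check against a root directory.
run_audit() {
    local root=$1
    echo "== setuid/setgid files";              find_suid "$root"
    echo "== world-writable files";             find_world_writable "$root"
    echo "== files in tmp/ older than 7 days";  find_old_files "$root/tmp"
    echo "== code-like strings";                scan_tree_for_codes "$root"
    echo "== custom iptables chains";           iptables -S 2>/dev/null | list_custom_chains
}

# Demo against the sandbox:  ./audit.sh --demo    (on the server: run_audit /)
if [ "${1:-}" = "--demo" ]; then
    sandbox=$(build_sandbox)
    run_audit "$sandbox"
    rm -rf "$sandbox"
fi
```

Each function is deliberately a single `find`, `tr` or `awk` pipeline, so the students can type it by hand first and only later wrap it in a script; the sandbox exists only so the checks can be exercised before the codes are actually planted.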
3

Setting up system to be hacked and judging the results is commonly known as a Capture The Flag (CTF). There are a lot of open source CTFs out there, root-the-box is a great CTF that focuses more on post-exploitation and has puzzles for neophytes. There is also Damn Vulnerable Linux, which is an educational tool.

A more simplistic CTF would be to have Easter eggs in the form of user accounts which could be obtained using the following attacks. I chose the following three because I have seen them in the real world:

In a real-world situation the above attacks would take place in post-exploitation. Penetration testers and blackhats will use tools like Metasploit's post-exploitation modules, Weevely, and Veil-Pillage to help automate this process.

rook
  • 46,916
  • 10
  • 92
  • 181