Lab 2 - Design Your Team's "Flag"
In this lab, you should spend time designing the "flag" for your team and
getting more familiar with VMware Workstation. Make sure to have someone from
each team check in with me so I can record that you are present for the lab.
There are many ways to go about designing the flag for this contest. The
basic idea is you are going to create a trail of clues that leads to a final
goal. The nature of the clues and the final goal are up to you. I'll list
a few ideas here though for inspiration.
Possible final goals:
- Be able to log in to a specific user account (such as root or support) on
a specific machine
- Modify a website or specific file
- Add a user to a specific machine
Possible clues to give the users:
- Steganography - embed a username, password, machine name, etc. in an image
on a website. The user can then use xvi32 or another hex editor to view the
image and find the hidden information.
- Password cracking - turn off shadow passwords and let any user on the
machine read the encrypted password file (/etc/passwd). The user would then
use John the Ripper or another password cracker to retrieve easy passwords in
the file. Variation: put the encrypted password file on a website.
- Network traffic - have a plaintext login occur over the network. The user
can see this by using tcpdump on either the source or destination machines.
You can use several utilities to regularly send login information over the
network. The easiest utility would be ncftpget, which is a command-line FTP
utility that allows you to specify the username, password, remote machine and
remote file all on the command line.
- Tell them - you can give the users a starting username, password and
machine from which they can look for other clues.
- Trust relationships - several login utilities can be configured to allow
logins from trusted sources without a password. For example, SSH can use
public key authentication mode, which combined with a password-less public
key would let anyone with access to the public key file log in to the
machine as the user. rlogin and its family of protocols can be similarly
configured to allow another machine to log in without a password.
- Password-less sudo - this is similar to setting up a trust relationship,
except it allows a user to elevate their privileges on the current machine
instead of logging in to another machine.
These are not exhaustive lists, but just a few ideas to get you started on your
design. Your flag should have at least 2 steps to be interesting, but you can
have a more complex flag if your team decides to do so.
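The password-cracking and password-less sudo clues both depend on misconfigurations that a short audit can spot, which is also how a defending team would find them. The following Python script is an added example, not part of the lab handout; it checks /etc/passwd text for readable hashes or empty password fields and sudoers text for NOPASSWD rules, using constructed sample files so it runs offline.

```python
import re

# Constructed sample files (hash strings are placeholders, not real hashes).
PASSWD_SAMPLE = """root:$6$saltsalt$hashplaceholder:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
support:$1$abc$hashplaceholder:1001:1001:Support:/home/support:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
"""
SUDOERS_SAMPLE = """# constructed sudoers sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
support ALL=(ALL) NOPASSWD: ALL   # elevates without a password
%admin ALL=(ALL) ALL
"""

# Values the password field holds when the hash lives in /etc/shadow or the
# account is locked; anything else is readable by every local user.
SHADOWED = {"x", "*", "!", "!!"}


def unshadowed_accounts(passwd_text):
    """Return (user, reason) for accounts whose /etc/passwd entry exposes
    a hash or has no password at all."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:  # skip blank or malformed entries
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty password"))
        elif pw not in SHADOWED:
            findings.append((user, "hash readable"))
    return findings


def nopasswd_sudo_rules(sudoers_text):
    """Return sudoers rules (comments stripped) that carry the NOPASSWD tag."""
    rules = []
    for line in sudoers_text.splitlines():
        rule = line.split("#", 1)[0].strip()  # '#' starts a sudoers comment
        if re.search(r"\bNOPASSWD\b", rule):
            rules.append(rule)
    return rules


if __name__ == "__main__":
    # On a real host, pass open("/etc/passwd").read() and the sudoers text.
    for user, why in unshadowed_accounts(PASSWD_SAMPLE):
        print(f"/etc/passwd: {user}: {why}")
    for rule in nopasswd_sudo_rules(SUDOERS_SAMPLE):
        print(f"sudoers: {rule}")
```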