The Human Connection Blog
The Human Connection Challenge Lab 1: Basic OS Skills – Walkthrough Guide (Community Version)

udhav
20 days ago

Congratulations to everyone who completed Lab 1: Basic OS Skills from the Human Connection Challenge: Season 1.

This is a walkthrough guide written by one of our community members, udhav, who offered to give their perspective on the challenge. Interestingly, udhav approached this challenge by completing some of the tasks in the graphical user interface (GUI) instead of the command line.

This isn’t the official walkthrough but one user’s interpretation. Remember, there are often multiple ways to approach a challenge, so if you used a different method and succeeded, that's perfectly fine. The goal is to learn!

Check out the official walkthrough guide here.

We’ve redacted some of the answers to avoid any spoilers! We’ve also used placeholders in some of the commands that would give away an answer directly, so if you see anything enclosed in angle brackets, such as <filename>, make sure you replace it with the actual value, such as example.txt.

Over to you udhav...

Questions

Question 1: What is the token inside ssh-token.txt?

Use the given credentials to log into Target 1. There you will find ssh-token.txt.

Question 2: What is the UID of the user?

Type the command id to get the UID of the current user.

Question 3: What command can the user run as root?

Type the sudo -l command. This will list the user's privileges and check what specific commands the user can run as root.

Question 4: What is the status of the screen-cleanup service?

Use the systemctl utility to check the status of any service. Type the command:

systemctl status <Service-Name>

Question 5: What is the decoded filename?
In the same directory, we are given another file start-here.txt, which contains a Base64-encoded string. Use the base64 utility (which comes pre-installed in the Linux distribution) with the flag -d in order to decode the string.

echo "<encoded-string>" | base64 -d

Question 6: Find the decoded file on the system.
The decoded string we got in the previous question will give us the name of a file. To find that file on the system use find and grep.

find / | grep "<decoded-string>"

Question 7: What is the string within the file?
Once you locate the binary, you can use strings to display all the strings that a binary contains.

strings <path-to-the-binary>

Question 8: Find a filename that contains the string.
To find the file containing the string from the previous question on the system, use find and grep.

find / | grep "<string>"

Question 9: What is the token inside the file?
Run cat on that file to get the token.

cat <path-to-the-file/filename>

Question 10: Identify a binary with SUID permissions enabled that is vulnerable.
To list the binaries with SUID permissions, type the command:

find / -type f -perm -u=s 2>/dev/null | xargs ls -lah
  • find /: This searches from the root directory, traversing every directory beneath it.
  • -type f: This limits the results to regular files and excludes directories.
  • -perm -u=s: This matches files that have the SUID bit set (shown as ‘s’ in the owner's execute position).
  • 2>/dev/null: This redirects any errors to /dev/null for clean output.
  • | xargs: This pipes the results of the command before | to xargs, which passes them as arguments to the next command.
  • ls -lah: This lists the files with their permissions and last-modified dates.

 

This command will return five binaries. Explore each one to find out which one is vulnerable.

Question 11: What date was the binary file last modified?

You can find the answer to this question using the command in the previous question.

SUID is a special permission that makes a file execute with its owner’s privileges rather than those of the user who runs it. So, we can execute the vulnerable binary with root privileges.
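The same search can be run defensively as an audit. The function below is an added example, not part of the original walkthrough: it compares every SUID file under a directory against an allowlist and reports the owner and last-modified date of each. The name suid_audit and the allowlist format (one absolute path per line) are assumptions, and it relies on GNU find and stat.

```shell
#!/bin/sh
# suid_audit ROOT ALLOWLIST   (hypothetical helper, added for illustration)
# Prints "<status> <mtime-date> <owner> <path>" for each SUID file under ROOT.
# status is OK when the path is listed in ALLOWLIST, UNEXPECTED otherwise.
# Returns 1 if at least one SUID file is not allowlisted, 0 otherwise.
suid_audit() {
    root=$1
    allowlist=$2
    unexpected=0
    # -perm -4000 is the octal form of -perm -u=s; -xdev stays on one filesystem.
    list=$(find "$root" -xdev -type f -perm -4000 2>/dev/null | sort)
    # The here-document keeps the loop in the current shell so that
    # $unexpected is still set when the function returns.
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        owner=$(stat -c '%U' "$path")
        mtime=$(stat -c '%y' "$path" | cut -d' ' -f1)
        # -F fixed string, -x whole-line match: no partial path matches.
        if grep -Fxq -- "$path" "$allowlist"; then
            status=OK
        else
            status=UNEXPECTED
            unexpected=1
        fi
        printf '%s %s %s %s\n' "$status" "$mtime" "$owner" "$path"
    done <<EOF
$list
EOF
    return "$unexpected"
}

# Example call (the allowlist path is a placeholder):
#   suid_audit / /path/to/suid-allowlist.txt
```

An UNEXPECTED line for a root-owned file, or a recent modification date on an allowlisted one, is the kind of result worth investigating.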

Privilege escalation

For privilege escalation, we have found a binary that runs with root privileges.

Methodology:

We can edit the /etc/sudoers file:

<binary> /etc/sudoers

Give root permissions to our current user.

lucy ALL=(ALL:ALL) ALL

Then, we can switch to the root user.

To switch users, type the command sudo su.

Question 12: What is the token inside /root/escalated.txt?

Navigate to the /root folder. There you can see the file escalated.txt.

In this file you are given the last token for the Linux system and the credentials for the Windows machine, to which you have to connect through RDP.

Windows Machine

Use the credentials extracted from the Linux system to connect to the Windows machine. The Target 2 IP is given.

To connect to the Windows machine we will use the xfreerdp tool.

xfreerdp /u:USERNAME /p:PASSWORD /cert:ignore /v:<WINDOWS-IP>

Question 13: What is the computer name?

After connecting successfully, open Control Panel and click System and Security > System. You can find the details of the Windows machine here.

 

Question 14: What is the OS version?
Use the steps mentioned in the previous question to find the OS version.

Question 15: What is the user's RID?
Run the command whoami /all. The RID is the last four digits of the SID.

Question 16: What is the name of the service with the display name (also known as the caption) “Security Center”?
To see the list of services, open Computer Management > Services and Applications. Here you can find all the services.

 

Question 17: What user is a member of the “Sales” group?
Click Computer Management > System Tools > Local Users & Groups. Here you can check all the Users & Groups details.

 

Question 18: Other than Users, what group is the user Fred a member of?
Inside the Users folder, in Computer Management > System Tools > Local Users & Groups, by double-clicking on the user, we can analyze the participation of each user in different groups.

 

Question 19: Identify a set of administrator credentials in the Windows registry.
  1. Press the Windows key + R, then type regedit to open the Windows registry.
  2. Press CTRL + F and search for the string "administrator".
  3. Press F3 until you get the password.

 

Or, a quicker way is to use the command prompt to search for the password. You can use a registry query for that.

  1. Open cmd and run the following command:
reg query HKLM /f "administrator" /s /t REG_SZ
  • HKLM is the registry hive to search.
  • /f specifies the pattern to search for.
  • "administrator" is the pattern to identify.
  • /s searches all subkeys recursively.
  • /t restricts the search to a registry value type, here REG_SZ (string values).

 

Question 20: What is the user's password?
You can find the admin password in the registry from the previous question.


Question 21: What is the token inside the user's home directory?
If you try to open C:\Users\<administrator user>, a dialogue box will open asking for the administrator’s password, which we found in the registry. Entering that password gives us access to the user’s folder, where the tokens for this task and future tasks reside.

 

Question 22: Add a new user, Chase, to the system. The file user-token.txt will be created in your current user’s home directory once you've done this.
To add a new user to the system:
Open Control Panel > User Accounts > User Accounts > Manage another account. You will have to enter the admin’s username and password again here.
Then click Add a user account.
Enter a username, password, and password hint for the new user.
After adding a user, repeat the steps mentioned in the previous question to see the user-token.txt file.

 

Question 23: Add the user Chase to the group Marketing. The file group-token.txt will be created in your current user’s home directory once you've done this.
For this, open Computer Management with administrator privileges (Run as administrator) and go to System Tools > Local Users & Groups > Groups. Select the Marketing group, and add Chase to it.

 

Question 24: What is the token inside group-token.txt?
Repeat the steps mentioned in Question 21. You will find group-token.txt.

My key takeaways:

  • Exploring the Windows registry: This challenge provided valuable hands-on experience with the Windows Registry. I gained a deeper understanding of the registry’s structure, its role in system and application settings, and how specific keys can influence system behavior. This knowledge enhanced my troubleshooting skills, especially for scenarios where configuration issues impact system performance or application functionality.
  • Linux privilege escalation using SUID-permitted commands: SUID-enabled editors can be exploited to gain root by modifying the sudoers file. This highlights the need to audit SUID permissions on such binaries to prevent unauthorized privilege escalation.
  • Windows user management
  • Connecting to Windows using RDP


Thank you, udhav!

Remember, this is just one interpretation of how to solve this challenge. To understand how the author intended this challenge to be completed, check out the official walkthrough guide here.

Please join me in thanking udhav for this comprehensive walkthrough in the comments below.

Updated 20 days ago
Version 1.0