Blog Post

The Human Connection Blog
11 MIN READ

The Human Connection Challenge Lab 1: Basic OS Skills - Walkthrough Guide (Official Version)

BethHolden's avatar
BethHolden
Icon for Immerser rankImmerser
16 days ago

Time’s Up! Congratulations to everyone who completed Lab 1: Basic OS Skills from the Human Connection Challenge: Season 1.

In this walkthrough, I'll share some strategies for efficiently completing the lab, based on my perspective as the author. Remember, there are often multiple ways to approach a challenge, so if you used a different method and succeeded, that's perfectly fine! The goal is to learn, and I hope these notes help clarify any steps and reinforce key concepts for the next challenge. 

This challenge has ended, but the lab remains available for practice. While prizes are no longer up for grabs, you can still complete the lab and use this walkthrough for support if needed. 

I’ve also used placeholders in some of the commands that would give away an answer directly, so if you see anything enclosed in angle brackets, such as <filename>, please make sure you replace it with the actual value, such as example.txt.

With all that considered, let's get started.

Overview

Task: Use SSH to log into Target 1 with the provided credentials.

Question 1: What is the token inside ssh-token.txt?

You’ll first need to open a Terminal on the Kali Desktop. Next, find the credentials in the Credentials tab, which are lucy:0ct0b3r90, and use the following command to SSH into Target 1:

ssh lucy@<Target 1 IP Address>

After pressing Enter on this command, you’ll be prompted to confirm that you want to continue connecting by typing yes. Then, you’ll be prompted to enter the password.

Once logged in as Lucy, you can use ls to find any files within the current directory – which includes ssh-token.txt. From here, you can use cat to read the file’s contents:

cat ssh-token.txt

This command will then print the token onto the screen. 

Question 2: What is the user’s UID?

You can find the user’s unique ID (UID), by running:

id

This will return the UID, group ID (GID), and the groups Lucy is a part of.  

Question 3: What command can the user run as root?

You can find what commands the user can run as root with the command:

sudo -l

The output will show the full binary path of the command, so you can enter either the path or the command itself as the answer. 

Question 4: What is the status of the screen-cleanup service?

To check the status of any service on a Linux machine, you can use the systemctl command followed by status and the service name:

systemctl status screen-cleanup

This will show you the status of the screen-cleanup service.

Task: Decode start-here.txt.

Question 5:  What is the decoded filename?

You can find the start-here.txt file in the current directory (/home/Lucy) by running ls. You can then view the file content by running:

cat start-here.txt

The string within the file appears to be Base64-encoded. To decode this string, you can use the command base64 along with the -d flag and the filename:

base64 -d start-here.txt

The decoded string will reveal the filename.

Task: Find the decoded file on the system.

Question 6: What is the string within the file?

There are two steps to finding the answer to this question. First, you need to find the file; then, you need to find the string within it.

Now that you know the filename, you can search the system for it using find. You can use this command to search for any filenames in the entire file system by adding a forward slash (/), which represents the root of your file system:

find / -name "<filename>"

Remember to replace <filename> with the actual filename!

This command returns a list of directories, but any lines with Permission denied at the end indicate that find didn’t have access to search in that directory. This will leave you with a line that shows the directory the file is in. 

If you want to avoid seeing any of these Permission denied messages, you can also add this string to the end of your command:

find / -name "<filename>" 2>/dev/null

The string 2>/dev/null will discard any error messages the command produces, which is incredibly useful for suppressing Permission denied messages for any directories your current user doesn’t have read permissions for. Using this command will reveal the single directory – handy!

Now that you’ve found the file, you’re halfway to solving this question.

If you were to just cat this file, you’d be greeted with an interesting output – lots and lots of funny formatted characters! The string is hidden somewhere amidst this output and would be challenging to find just by reading the entire output, so let’s take a shortcut.

To find any strings within this file, you need to use the strings command:

strings /etc/apt/<filename>

This will return a single string – much faster!

Task: Find a filename that contains the string.

Question 7: What is the token inside the file?

You’ve found the string, so let’s look for filenames that contain it. 

As in the previous question, you can use find to search for files in the system. But, this time, you can add two asterisks (*) to the beginning and end of the string and enclose the entire string in quotation marks (“).

find / -name "*<string>*" 2>/dev/null

The asterisk character is a wildcard that represents any characters, so this will match any file or directory name that contains the string anywhere in the name.

This command will show a filename with the string in it, and you can then cat the file to find the token inside of it:

cat /mnt/.profile/.conf/<filename>

Task: Identify a binary with SUID permissions enabled that is vulnerable.

Question 8: What date was the binary file last modified?

To identify what binaries have SUID enabled, you can continue to use find with some slightly different parameters. To do this, you can use the following command:

cat /mnt/.profile/.conf/<filename>

The -perm -u=s flag looks for files with the user (u) set to (=) setuid (s) permissions, which allows the user to run the file with the same permissions as the file’s owner. The -type f specifies that the command should find files – rather than directories or links.

With this command, you’ll identify five potential binaries. To find out which one is vulnerable, you can begin to test them – such as by trying to use su to log in as root. You also already know from a previous question that the user can only run one command as sudo.

You'll find that you’re able to use a binary with the permissions of the owner – root! However, first, you need to identify what date the binary file was last modified with:

ls -la /usr/bin/<binary>

This command displays file details like permissions, owner, group, size, and last modification time. Use the displayed date as the answer.

Task: Escalate your privileges using the vulnerable binary.

Question 9:  What is the token inside /root/escalated.txt?

Now that you know you can run the binary as root, you can escalate your privileges by editing the /etc/sudoers file and giving root permissions to the current user.

<binary> /etc/sudoers

In this file, you’ll need to enter the following line in the # User privilege specification section underneath the root user:

lucy ALL=(ALL:ALL) ALL

Then, save the file with CTRL + O and exit with CTRL + Z. You can now switch to the root user with the command:

sudo su

Enter the password for Lucy when prompted – and you’re in! You can now read the file in the root directory with:

cat /root/escalated.txt

Within this file, you’ll find a token and a set of credentials for Target 2.

Task: Use RDP to log in to Target 2 with the provided credentials in /root/escalated.txt.

Question 10: What is the computer’s name?

With the newly found credentials in /root/escalated.txt, you’ll need to exit the SSH session you currently have with the Lucy user and use RDP into Target 2.

To do this, you can use this command:

xfreerdp /v:<Target 2 IP Address> /u:<username> /p:<password> /dynamic-resolution

When prompted, you’ll need to enter Y to trust the certificate.

When the RDP session loads, you’ll be greeted with a Windows desktop. You should now click Start and type Command Prompt to search for the application, then click on Command Prompt to open it.

To find the computer name, you can run hostname (the same as you would with a Linux machine):

hostname

The computer's name will then be printed. 

Question 11: What is the OS version?

To find the operating system version, you can use the systeminfo command:

systeminfo

This will return a full list of system configuration details, including the OS version.

Question 12: What is the user's RID?

The user's Relative Identifier (RID) is part of the Security Identifier (SID) that uniquely identifies the user. You can find this information in a couple of ways, such as with the whoami command, like this:

whoami /all

This command returns a wealth of information about the user, such as the SID, group, and privileges information. 

Alternatively, you can also find this answer by running a longer command with wmic (Windows Management Instrumentation Command-line) that solely returns the SID:

wmic useraccount where name='<username>' get sid

The RID is the last four numbers in the SID.

Question 13: What is the name of the service with the display name (also known as the caption) “Security Center”?

To find the service name, you can use the sc (Service Control) command that’s used for communicating with services in Windows. You can then specify the command option GetKeyName that retrieves the name for a service:

sc GetKeyName "Security Center"

The answer will be displayed after Name =. 

Alternatively, you can use wmic to return all running services and their captions:

wmic service where (state="running") get name, caption

Question 14: What user is a member of the 'Sales' group?

To interact with system resources, you can use the net command with a range of subcommands. 

For this question, use the net and localgroup commands with the group name (Sales) to list all users who are members of that group.

net localgroup Sales

All group members will then be printed out.

Question 15: Other than 'Users,' what group is user Fred a member of?

Similar to the previous question, you can use net, but this time with the user subcommand, which manages local users to display various information about the user account Fred:

net user Fred

The returned information includes the full name, last password change, groups the user is a member of, and more.

Task: Identify a set of administrator credentials in the Windows registry.

Question 16: What is the user's password?

For this question, you’ll need to search the Windows registry using the reg query command. You can then specify that you want to search in the HKLM (HKEY_LOCAL_MACHINE) registry hive, which contains system-related information, and /f administrator as a search option to find keys, values, or data that match administrator.

To further specify, you can add /t REG_SZ to only search for string values that match administrator and /s to search in all subdirectories of the specified path. Altogether, this creates a single command:

reg query HKLM /f administrator /t REG_SZ /s

Running this command alone will still produce a number of results, as administrator is a common string in the HKLM registry. Some results will contain URLs or directory paths, but one will reveal a username containing the string administrator and a password.

Task: Connect to the administrator account.

Question 17: What is the token inside the user's home directory?

You now have the administrator account username and password – perfect! But if you try to use RDP to log into the account, you’ll find the user hasn’t been added to the Remote Desktop Users Group, so you need to find another way in…

One way to do this is by using runas, which lets you run specific tools and programs with permissions different from those of your current user’s account. Here you can specify who you want to run as with /user: and what command you want to execute as them.

Altogether, the full command could look something like this:

runas /user:<username> "powershell -Command \"Start-Process cmd -Verb RunAs\""

This command will start a new PowerShell command session (powershell -Command) and run the Command Prompt (cmd) as a process (Start-Process) with elevated permissions (-Verb RunAs). The backslashes (\) are used to escape the inner double quotation marks, meaning that the whole command can be treated as a single string. 

When you run this, you’ll be prompted for the administrator’s password – which you know!

Once entered, a new Command Prompt will be opened as the administrator account. From here, you can view the contents of the user’s home directory to see what files it contains with dir:

dir C:\Users\<username>\token.txt

This will show that a token.txt file is present in the directory, which you can use type to read its contents:

type C:\Users\<username>\token.txt

The token will then be revealed. 

Task: Add a new user, Chase, to the system. Once you've done this, the file user-token.txt will be created in your current user’s home directory.

Question 18: What is the token inside user-token.txt?

Because you have administrator privileges, you can interact with the system on an elevated level and perform tasks such as managing and adding user accounts.

To add a user to the system, you follow a similar syntax to one of the previous questions by using net and user together. Next, you specify the name of the user you want to add (Chase) and specify /add to confirm you want to create a new user:

net user Chase /add

Once the system has successfully added the user, a success message will appear on the command line. From here, a token file named user-token.txt will then be generated in the current user’s home directory, which you can use type to read its contents:

type C:\Users\<username>\user-token.txt

The contents of this file will confirm you have added the user Chase and give you a token. 

Task: Add the user Chase to the group Marketing. Once you've done this, the file group-token.txt will be created in your current user’s home directory.

Question 19: What is the token inside group-token.txt?

To add a user to a group, you can use net localgroup as you did previously to interact with system groups. Next, you’ll need to specify what group you want to manage (Marketing), the user you want to add (Chase), and /add to confirm you want to add the user:

net localgroup Marketing Chase /add

When the user has been added to the group, a success message will appear like it did for the previous question. This time, a file named group-token.txt will be generated in the current user’s home directory, which you can use type to read its contents:

type C:\Users\<username>\group-token.txt

The token will be inside this file, and you’ll have completed the challenge – congratulations!

Tools

The only tools you need for the lab are standard command-line tools in Unix-like and Windows operating systems. 

Tips

Remember, you can suppress error messages produced by a command by adding 2>/dev/null to the end of the command. This will save you key time by avoiding any results that produce a Permission denied message.

If you want to learn more about Linux or Windows command lines, please visit our collections: Linux CLI and Windows Basics.

Conclusion

The steps I’ve laid out here aren’t the only way to find the answers to the questions, as long as you find the answer, you did it – well done! You can also find out how Community user completed this challenge – including using the Windows GUI as an alternative route – by visiting walkthrough guide.

If you found another way to find some of these answers and think there’s a better way to do it, please post them in the comments below!

I hope you enjoyed the challenge and I’ll see you for the next one.

Updated 16 days ago
Version 2.0
No CommentsBe the first to comment