docs/cubespace-instructor/2-ins-red-raider.md
+14 -4
@@ -68,17 +68,27 @@ The way to prevent this attack would be to block the attacker system at the sour
68
68
69
69

70
70
71
-
The process described above will run endlessly on a loop for the duration of the scenario. If teams remove the pirate account, it will attempt to add it back. If teams leave the deepspace network and return, it will try all attack efforts again on a loop. If the attacker system ever loses access, it will loop in place until access is restored. The real solution is to block the attacker IP at the gateway firewall.
71
+
The pirate attack process described above runs endlessly for the duration of the scenario.
72
+
73
+
- If teams remove the pirate account, the attack process attempts to add it back.
74
+
- If teams leave the deepspace network and return, the attack process tries again on a loop.
75
+
- If the attacker system loses access, it loops in place until access is restored.
76
+
77
+
Unless teams block the pirate attacker, they are continuously attacked. The real solution here is to block the attacker IP at the gateway firewall.
78
+
79
+
!!! info
80
+
81
+
Blocking the attack is not required to solve this challenge. However, not blocking the attack while the ship is within range of the pirate's deepspace network can lead to issues with the `ship-critical-system` Docker containers as described above.
72
82
73
83
## Gaining access to the Pirate Codex
74
84
75
85
Attacking the raider-codex-decoder can be done with the same policy kit exploit, though it would be tricky to figure out this is what led to the account creation. Teams would need to research this exploit to know how to conduct it and read their own codex-decoder logs to understand it.
76
86
77
-
The easier way - and the way described in this guide - is to discover that the same`pirate|phantom`credentials will work on the raider-decoder's SMB share.
87
+
The easier way - and the way described in this guide - is to discover that the same`pirate|phantom`credentials added to your codex-decoder system will work on the raider-decoder's SMB share.
78
88
79
-
John the Ripper can assist in this. Simply extract the /etc/shadowcontents for the pirate account and the/etc/passwdcontents for the pirate account from the codex-decoder.
89
+
John the Ripper can assist. Extract the codex-decoder system's `/etc/shadow` file contents for the pirate account and the`/etc/passwd` file contents for the pirate account from the codex-decoder. I.e., *both* the `/etc/shadow` and `/etc/passwd` file contents are on the codex-decoder system.
80
90
81
-
From an operator-terminal you can ssh to the decoder and collect those files:
91
+
From an operator-terminal, you can ssh to the decoder and collect those files:
82
92
83
93
-`ssh user\@10.5.5.19`
84
94
-`sudo less /etc/shadow` > copy this text out for at least the pirate account line
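Review bot: The rewritten John the Ripper paragraph (new line 89) says the same thing twice: it already reads "from the codex-decoder" and then adds "I.e., *both* the `/etc/shadow` and `/etc/passwd` file contents are on the codex-decoder system." Suggest collapsing it to one sentence, for example: "Extract the pirate account's entries from both `/etc/shadow` and `/etc/passwd` on the codex-decoder system." As rendered here, the inline code in new lines 87 and 89 also runs into the neighbouring words ("same`pirate|phantom`credentials", "the`/etc/passwd`"), so check the spacing around the backticks in the source. In new lines 77 to 81, "The real solution here is to block the attacker IP at the gateway firewall" sits directly above an info box stating that blocking is not required to solve the challenge; calling the firewall block the recommended mitigation rather than the solution would keep the two statements consistent for instructors.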