7

I feel like this isn't the best place to ask this (since there's no single right answer), but I can't think of a better place. If you have a better recommendation, could you please recommend it and I can move the question rather than just having it closed outright?

I'm teaching a class of high-school students about general Linux security. At a high level I want them to be able to take a given Linux server and know how to harden it against common security issues - e.g. closing old accounts, using a strong pw hashing algorithm, make sure no strange processes are running or run at boot. Their skill-level is a broad range, and I'm looking for ways to motivate them to use what we've been discussing (e.g. look at crontab; look at users and group configurations; look at open ports).

I have been given $200 to hold a competition to encourage them, and I thought maybe I could purchase a bunch of Amazon gift cards in $10 increments. The idea would be to "hide" the redemption codes in various places on our sandbox server for the kids to find. For example, I could store the passwords in plaintext, and have one of the example user accounts assigned a password of one of the codes. Or maybe I could set up a cron job to log one of the codes to a system log every 30 seconds.

What I'm looking for is places/methods to hide these codes such that someone looking to secure the server would stumble across them.

Thanks!

loneboat
  • You may want to place higher valued eggs at places that are more difficult to find. For example, you may have an egg that can only be found with multiple steps of cryptic clues, say run a web server running on port 80 giving clues in the HTTP headers to connect to another server running on a non-standard port. The website then gives clues that it is vulnerable to SQL injection. The database might contain clues that the final code can be found by running strings on the binary of a forged standard tool (e.g. strings ls). – Lie Ryan Sep 05 '14 at 04:25

4 Answers

6
  • Run an nc listener that echoes out one of the voucher codes when you telnet or nc to it. If they look at the file, they get it too.

    #!/bin/sh
    nc -i 2 -l -p 3128 -c "echo amazoncode"
    

    Name it something useful, like squid

  • Create some local firewall rules with names or parameters of amazon codes.

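    # -P only applies to built-in chains; a user-defined chain has no policy
    # and an empty one simply returns to the chain that jumped to it
    iptables -N amazoncode
    iptables -I INPUT -j amazoncode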
    
  • Fail some ssh logins with the code as a username.

  • Run an unsecured or badly secured mysql instance with some databases containing codes.

You might get some wise guys that just grep -r amazoncode though without some obfuscation methods. Which shows some ingenuity if they can figure out a regex, but doesn't help much with security.

Matt
  • Good call on the grep. Can't fault them for being crafty, but don't want them to steal the whole contest. :-) We're considering just posting our own hashes of the Amazon codes which they can redeem to us for the actual codes. This will also allow us to monitor which ones have been dispensed at any given time as well. Thanks! – loneboat Sep 04 '14 at 21:50
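Seen from the students' side, two of the hiding places in the answer above (failed ssh logins and firewall chain names) turn up with checks like these. This is an added example, not part of the original answer; the function names, log lines, chain names and EGG-... values are all constructed for illustration.

```sh
#!/bin/sh
# Added example; every log line, chain name and EGG-... value is constructed.

# Distinct user names from failed sshd logins, read from stdin.
failed_ssh_users() {
    awk '/sshd/ {
        for (i = 1; i < NF; i++) {
            if ($i == "Invalid" && $(i+1) == "user") { print $(i+2); next }
            if ($i == "Failed" && $(i+2) == "for") {
                print (($(i+3) == "invalid") ? $(i+5) : $(i+3)); next
            }
        }
    }' | sort -u
}

# User-defined chains that hold no rules, read from `iptables -S` output.
# Such a chain filters nothing, so its name is the only thing it carries.
empty_chains() {
    awk '$1 == "-N" { def[$2] = 1 }
         $1 == "-A" { used[$2] = 1 }
         END { for (c in def) if (!(c in used)) print c }' | sort
}

sample_auth_log() {
    cat <<'EOF'
Sep  4 21:40:01 sandbox sshd[2211]: Invalid user EGG-CONSTRUCTED-0001 from 192.0.2.10
Sep  4 21:40:03 sandbox sshd[2211]: Failed password for invalid user EGG-CONSTRUCTED-0001 from 192.0.2.10 port 50122 ssh2
Sep  4 21:41:17 sandbox sshd[2230]: Failed password for root from 192.0.2.10 port 50130 ssh2
Sep  4 21:42:55 sandbox sshd[2241]: Accepted password for teacher from 192.0.2.20 port 50144 ssh2
EOF
}

sample_iptables() {
    cat <<'EOF'
-P INPUT ACCEPT
-N EGG-CONSTRUCTED-0002
-N ssh-limit
-A INPUT -j EGG-CONSTRUCTED-0002
-A INPUT -p tcp --dport 22 -j ssh-limit
-A ssh-limit -p tcp -j ACCEPT
EOF
}

sample_auth_log | failed_ssh_users   # live: failed_ssh_users < your sshd log
sample_iptables | empty_chains       # live: iptables -S | empty_chains
```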
5

I don't know if this method is something that might interest the students.

  1. I create a file as amazoncode with the original code.

    cat amazoncode
    125622234
    
  2. Now, encrypt the file using the below command.

    openssl aes-128-cbc -salt -in amazoncode -out amazoncode.aes -k somepassword
    
    • somepassword is the password that you set for the file.
  3. Now, remove the original file.

    rm amazoncode
    
  4. Now, instruct the students that the amazon gift code is encrypted and if they need the code they have to decrypt it. You can also share the original command used for encryption and password to the students.

  5. The students can figure out from the original command that they should do the reverse to decrypt the file, which is as below. You can as well tell them that the -d option is for decryption and that the encrypted file should be the input to produce the code as the output. Here, you could as well tell the students to figure out the decryption technique from the man page of openssl.

    openssl aes-128-cbc -d -salt -in amazoncode.aes -out amazoncode
    
  6. Now, I get the code after learning some encryption/decryption techniques as well.

    cat amazoncode
    125622234
    

Actually the openssl password could be put as a hidden file inside the user's home directory. Then, the students will as well come to know how to access the hidden files and get the openssl password from there and then try the decryption.

Ramesh
3

Some ideas:

  • Plain-text file in a user's home directory ("Amazon Code.txt" or something else obvious), world-readable
  • Plain-text file in a user's home directory, not world-readable but the user has an easily-guessed password
  • Process with the key obfuscated in the source-code, but it calls something else (say system("sleep 864000 $key")) that exposes the key in ps output
  • Same, but run from crontab and only has its child sleep for a few seconds
  • Process with the key obfuscated in the source-code, but it opens a TCP socket and prints the key to anyone who connects
david
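The crontab variant in the list above keeps its child alive for only a few seconds, so a single `ps` will usually miss it. The sketch below compares repeated process snapshots against a baseline to catch it; it is an added example, not part of the original answer, and the function names, paths and EGG-... value are constructed.

```sh
#!/bin/sh
# Added example; the snapshot contents and EGG-... value are constructed.

# Command lines found in snapshot file $2 but not in baseline file $1,
# each printed once. Files hold one command line per row (`ps -eo args=`).
new_cmdlines() {
    awk 'FILENAME == ARGV[1] { base[$0] = 1; next }
         !($0 in base) && !seen[$0]++' "$1" "$2"
}

# Sample the process table $1 times, $2 seconds apart, then report what
# appeared after the first look. A child that lives three seconds once a
# minute is missed by a single `ps` but not by 90 one-second samples.
watch_procs() {
    tmp=$(mktemp -d) || return 1
    ps -eo args= > "$tmp/base"
    : > "$tmp/seen"
    n=0
    while [ "$n" -lt "$1" ]; do
        sleep "$2"
        ps -eo args= >> "$tmp/seen"
        n=$((n + 1))
    done
    new_cmdlines "$tmp/base" "$tmp/seen"
    rm -rf "$tmp"
}

sample_base() {
    printf '%s\n' '/sbin/init' '/usr/sbin/cron -f' '/usr/sbin/sshd -D'
}

sample_seen() {
    printf '%s\n' '/sbin/init' '/usr/sbin/cron -f' \
        '/bin/sh /usr/local/bin/rotate.sh' \
        '/usr/local/bin/helper EGG-CONSTRUCTED-0003' \
        '/usr/sbin/sshd -D' '/bin/sh /usr/local/bin/rotate.sh'
}

# Offline demo on the constructed snapshots; live use: watch_procs 90 1
d=$(mktemp -d)
sample_base > "$d/base"
sample_seen > "$d/seen"
new_cmdlines "$d/base" "$d/seen"
rm -rf "$d"
```

Run the live version as root if /proc is mounted with hidepid, otherwise other users' processes will not appear in the samples.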
3

Perhaps a 'funny' script in ~/bin/ or /etc/bin/. Do something like replace the functionality of ls, cat or cd to behave a little differently and give them a bit of a tip-off that something is amiss (the first one that comes to mind is to have ls/cd have a chance to list/move to the wrong folder), and have the code listed in a comment of the sh file.

Perhaps run a process that consumes excessive amounts of RAM/opens strange ports; have the process name be an amazon code.

Sidney