A new Crack the Hacker Challenge from author Ed Skoudis
Attempt this challenge, formulate your
answers by July 2, 2004, and compete to win a prize!
Details below…
The year was 1936. Indiana Jones had saved the world again, snatching the
Ark of the Covenant from evil Nazis in a swash-buckling, face-melting
adventure. The Ark, of course, was an object of incredible power, rendering
invincible any army that carried it into battle. But the world did not
have to worry any more about bad guys abusing the awesome force of the
Ark. After the eminent archeologist retrieved it from the Nazis, Uncle
Sam stored the Ark in a non-descript crate stenciled, “Top Secret.
Army Intel. #9906753. Do Not Open!” and loaded it into a giant warehouse
with millions of other crates. Safely guarded by the bureaucratic complexity
of the United States Government, the Ark was gathering dust, never to
be found again. Or so everyone thought…
For, you see, the Government did create a
single record of the location of the Ark, and stored this information
on a very early computer system. It is not widely known that, in the late
1930’s, the U.S. Government built a vast computer the size of an
entire city, buried under Washington DC itself. This gigantic machine,
called WINIAC, ran a primordial version of Windows 2003 Server. Amazingly
(or perhaps not!), the 1936 incarnation of Windows 2003 running on WINIAC
was identical in every aspect to the version Microsoft would release over
sixty-five years later. WINIAC stored a hodgepodge of historically interesting
files, including an original draft of the U.S. Constitution (with its
Preamble proclaiming “Information wants to be free, d00dz!”),
a war dialer that William Tecumseh Sherman wrote in his spare time, and
even the source code for a primitive Linux kernel cobbled together by
Nikola Tesla (blatantly plagiarized by Linus Torvalds decades later).
But the most interesting document of all stored on WINIAC was a small
text file named “LostArk.txt”, containing the location of
the warehouse and the exact spot of the Ark, along with the identification
number “9906753” and the words “Ark of the Covenant”
inside the file.
Now, flash forward to the summer of 2004.
In an effort to get schoolchildren interested in history, the U.S. Government
connected the aging WINIAC machine to the Internet. Within mere minutes,
a group of Neo-Nazis continuously scanning the Internet for vulnerable
government computers hacked into WINIAC by exploiting an unpatched buffer
overflow vulnerability. The bad guys quickly installed WinVNC, giving them
remote access to the system’s GUI. As the Neo-Nazis started rifling
through WINIAC, they began to discover many of the historically interesting
files it housed. Within a few hours, the Neo-Nazi attackers realized that
this very machine might hold the file with the location of the long-lost
treasure that their ideological forefathers craved, LostArk.txt!
Meanwhile, in the data center where WINIAC
was controlled, a system administrator walked past the main WINIAC console.
Out of the corner of his eye, he spotted the mouse cursor moving on its
own, opening a command prompt on the machine. Although no one was sitting
at the keyboard, a phantom appeared to be typing commands. The sysadmin
quickly realized that the machine might have been compromised. To handle
this incident, the sysadmin knew he’d have to turn to an expert.
Indiana Jones had long since retired and
bequeathed his archeology consulting practice to his great-grandson named
New Jersey Jones, or “Jersey” for short. However, unlike his
great-grandpa, Jersey didn’t dig around in the dirt for artifacts.
Computer archeology, better known as digital forensics, was his specialty,
and he had sifted for some of the most important treasures of all time.
Upon arriving at the data center and sitting down at WINIAC’s console,
Jersey hit the F7 key on the command window where the attacker had typed.
The system responded by displaying the command history of that session,
as shown below.

Jersey’s eyes opened wide when he realized
that the attackers were obviously searching for the Lost Ark of the Covenant!
To thwart their plans, he quickly disconnected WINIAC from the Internet,
and set about deciphering the commands that the attackers were using.
And that’s where you come in…
please help New Jersey Jones keep the Lost Ark out of the hands of Neo-Nazis
by answering the following questions:
Questions:
1) What was the purpose of the attacker’s “dir” and “find” commands?
2) What was the purpose of the attacker’s “strings” command?
3) What was the purpose of the attacker’s “lads” command?
4) What was the purpose of the attacker’s “dd” command?
5) Where else might the file be hidden on the system, and how would the attacker (as well as New Jersey Jones) find it? Be creative!
Submit your answers by July 2, 2004
to jersey@counterhack.net.
The three best answers, as judged by Ed Skoudis, will win a copy of his
book, Malware: Fighting Malicious Code. By the way, if you are
interested in some swash-buckling, face-melting fun without the wait,
you can speed up the whole process and just buy
a copy of the Malware book here!