A new Crack
the Hacker Challenge from author Ed Skoudis
Attempt this challenge, formulate your
answers by July 2, 2004, and compete to win a prize!
year was 1936. Indiana Jones had saved the world again, snatching the
Ark of the Covenant from evil Nazis in a swash-buckling, face-melting
adventure. The Ark, of course, was an object of incredible power, rendering
invincible any army that carried it into battle. But the world did not
have to worry any more about bad guys abusing the awesome force of the
Ark. After the eminent archeologist retrieved it from the Nazis, Uncle
Sam stored the Ark in a non-descript crate stenciled, “Top Secret.
Army Intel. #9906753. Do Not Open!” and loaded it into a giant warehouse
with millions of other crates. Safely guarded by the bureaucratic complexity
of the United States Government, the Ark was gathering dust, never to
be found again. Or so everyone thought…
For, you see, the Government did create a
single record of the location of the Ark, and stored this information
on a very early computer system. It is not widely known that, in the late
1930’s, the U.S. Government built a vast computer the size of an
entire city, buried under Washington DC itself. This gigantic machine,
called WINIAC, ran a primordial version of Windows 2003 Server. Amazingly
(or perhaps not!), the 1936 incarnation of Windows 2003 running on WINIAC
was identical in every aspect to the version Microsoft would release over
sixty-five years later. WINIAC stored a hodgepodge of historically interesting
files, including an original draft of the U.S. Constitution (with its
Preamble proclaiming “Information wants to be free, d00dz!”),
a war dialer that William Tecumseh Sherman wrote in his spare time, and
even the source code for a primitive Linux kernel cobbled together by
Nikola Tesla (blatantly plagiarized by Linus Torvalds decades later).
But the most interesting document of all stored on WINIAC was a small
text file named “LostArk.txt”, containing the location of
the warehouse and the exact spot of the Ark, along with the identification
number “9906753” and the words “Ark of the Covenant”
inside the file.
Now, flash forward to the summer of 2004.
In an effort to get schoolchildren interested in history, the U.S. Government
connected the aging WINIAC machine to the Internet. Within mere minutes,
a group of Neo-Nazis continuously scanning the Internet for vulnerable
government computers hacked into WINIAC by exploiting an unpatched buffer
overflow vulnerably. The bad guys quickly installed WinVNC, giving them
remote access of the system’s GUI. As the Neo-Nazis started rifling
through WINIAC, they began to discover many of the historically interesting
files it housed. Within a few hours, the Neo-Nazi attackers realized that
this very machine might hold the file with the location of the long-lost
treasure that their ideological forefathers craved, LostArk.txt!
Meanwhile, in the data center where WINIAC
was controlled, a system administrator walked past the main WINIAC console.
Out of the corner of his eye, he spotted the mouse cursor moving on its
own, opening a command prompt on the machine. Although no one was sitting
at the keyboard, a phantom appeared to be typing commands. The sysadmin
quickly realized that the machine might have been compromised. To handle
this incident, the sysadmin knew he’d have to turn to an expert.
Indiana Jones had long since retired and
bequeathed his archeology consulting practice to his great-grandson named
New Jersey Jones, or “Jersey” for short. However, unlike his
great-grandpa, Jersey didn’t dig around in the dirt for artifacts.
Computer archeology, better known as digital forensics, was his specialty,
and he had sifted for some of the most important treasures of all time.
Upon arriving at the data center and sitting down at WINIAC’s console,
Jersey hit the F7 key on the command window where the attacker had typed.
The system responded by displaying the command history of that session,
as shown below.
Jersey’s eyes opened wide when he realized
that the attackers were obviously searching for the Lost Ark of the Covenant!
To thwart their plans, he quickly disconnected WINIAC from the Internet,
and set about deciphering the commands that the attackers were using.
And that’s where you come in…
please help New Jersey Jones keep the Lost Ark out of the hands of Neo-Nazis
by answering the following questions:
1) What was the purpose of the attacker’s
“dir” and “find” commands?
2) What was the purpose of the attacker’s “strings”
3) What was the purpose of the attacker’s “lads” command?
4) What was the purpose of the attacker’s “dd” command?
5) Where else might the file be hidden on the system, and how would
the attacker (as well as New Jersey Jones) find it? Be creative!
Submit your answers by July 2, 2004
The three best answers, as judged by Ed Skoudis, will win a copy of his
book, Malware: Fighting Malicious Code. By the way, if you are
interested in some swash-buckling, face-melting fun without the wait,
you can speed up the whole process and just buy
a copy of the Malware book here!