Over The Wire Bandit Walk-through 1

For the last few weeks I have been playing a war game at OverTheWire.org called Bandit. The game essentially teaches Linux basics. I thought it would be a great opportunity to share how I came to the results on my blog. This specific blog post goes through levels zero through three.

Level 0:

This level is simple. The object is to log in to the server using SSH, then look for the readme file that has the password stored in it and read it.

First I log into the server, then use the listing command ls to show the files. There is a file named readme, so I use the cat command to print its contents.

The password for level 1 is boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 1:

In level 1 I need to read a file that does not have a traditional filename; instead its name is a single special character. When reading such a file in Linux the name has to be written so that it is not taken as an option to the command. This is done by prefixing it with the string combination ./

For this level I again used ls to list the files in the directory. I see that the directory has a file named -. To read a file named with a special character I have to combine the ./ prefix with the cat command, so the command reads cat ./-

The password for level 2 is CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2:

This level requires that I read a file that has spaces in its name. Again an escape character is needed. If no escape character were used, cat would try to read each word in the filename as a separate file and would likely give an error saying “spaces does not exist in this directory” or something to that effect. The solution is to use the escape character \ after each word, followed by the space. The command looks like this: cat spaces\ in\ this\ filename

Because the spaces are escaped, the shell passes the whole name to cat as one string and cat reads the file.

The password for level 3 is UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3:

This level requires that I find a hidden file in the inhere directory. For this level it is necessary to use a few other commands. First I use the change directory command, cd, to change to the inhere directory. Since the file is hidden, a plain ls would not show it. So I have to use the option that shows all files in a directory: ls with the a flag, crafted as ls -a. As can be seen in the screenshot below, we see a .hidden file. The author of this walkthrough escaped the leading dot because the file begins with a special character, so I used the backslash again and the command reads cat \.hidden

The password for level 4 is pIwrPrtPN36QITSp3EQaw936yaFoFgAB
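The three tricks from levels 1 to 3 (the ./ prefix, backslash-escaped spaces, and ls -a for dotfiles) collected into one runnable script. This is an added example and not part of the original walkthrough: it builds a scratch directory with the same awkward filenames and constructed sample contents in place of the real passwords, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Recreates the awkward filenames
# from Bandit levels 1-3 in a scratch directory (constructed sample contents,
# not the real passwords) so each read technique can be checked offline.

make_scratch() {
    scratch=$(mktemp -d)
    mkdir "$scratch/inhere"
    printf 'level1-sample\n' > "$scratch/-"
    printf 'level2-sample\n' > "$scratch/spaces in this filename"
    printf 'level3-sample\n' > "$scratch/inhere/.hidden"
    printf '%s\n' "$scratch"
}

# Level 1: the file is literally named "-". A bare "cat -" means "read stdin",
# so prefix the name with ./ so it no longer starts with a dash.
read_dash_file() {
    (cd "$1" && cat ./-)
}

# Level 2: spaces in the name. Backslash-escaping each space (as in the
# walkthrough) or quoting the whole name both hand cat a single argument;
# unescaped, cat would look for four separate files.
read_spaced_file() {
    (cd "$1" && cat spaces\ in\ this\ filename)
}

# Level 3: a plain ls skips names starting with ".", ls -a shows them.
# Each function returns how many times .hidden appears in that listing.
hidden_in_plain_ls() {
    (cd "$1/inhere" && ls | grep -c '^\.hidden$' || true)
}
hidden_in_ls_a() {
    (cd "$1/inhere" && ls -a | grep -c '^\.hidden$')
}

# The leading dot is only special to ls and globbing; cat reads the file with
# or without the backslash used in the walkthrough (cat \.hidden is the same).
read_hidden_file() {
    (cd "$1/inhere" && cat .hidden)
}

# Stand-alone run (./script.sh --demo): print each result, then clean up.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_scratch)
    read_dash_file "$d"; read_spaced_file "$d"; read_hidden_file "$d"
    echo "plain ls sees .hidden: $(hidden_in_plain_ls "$d") time(s)"
    echo "ls -a sees .hidden:    $(hidden_in_ls_a "$d") time(s)"
    rm -rf "$d"
fi
```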

Malware Minute: LockerGoga

Over the last two years, malware known as ransomware has grown significantly. One of the most famous examples was WannaCrypt, also notoriously known as WannaCry, which used the EternalBlue exploit developed by the NSA and kept secret until the NSA data leaks. While WannaCry was crippled by Marcus Hutchins’ (aka MalwareTech) discovery of a kill switch, this has not prevented other ransomware developers from continuing down the path that the original developers (possibly the Lazarus Group of Pyongyang) opened. Petya and then NotPetya became household names in the security world, and ransomware became a known threat to many businesses as well as government agencies, incentivizing operating system and anti-virus vendors to offer backup packages to subscribers.

Since the beginning of the year, security researchers have been watching a newer strain of ransomware called LockerGoga. LockerGoga was first submitted to the malware database VirusTotal on January 24, 2019 (Rashid, 2019). This specific malware targets the industrial and manufacturing sector, which is very different from other ransomware variants such as NotPetya and WannaCry, and recently forced Norwegian aluminum manufacturer Norsk Hydro to switch to manual operations (Greenberg, 2019). Ransomware affects users by encrypting all the files on their computer’s hard drives and delivering a ransom note demanding that the user pay the developers, usually in bitcoin, to receive the key that will decrypt their files. If the ransom is not paid within a specific amount of time, the data stays encrypted forever or is wiped from the device. Many organizations that have fallen prey to these attacks would be forced to pay the ransom to continue operating unless they had proper off-site backups of their data (see SamSam ransomware and Atlanta, GA).

For the industrial and manufacturing sector, ransomware can be very disruptive. According to threat researchers, this strain of malware is particularly disruptive because it shuts down computers completely, locks out users, and even makes it difficult to pay the ransom (Greenberg, 2019). Researchers are still determining how LockerGoga infects its targets and spreads through networks; unlike the similar ransomware NotPetya and WannaCry, it does not have wormlike abilities (Rashid, 2019). MalwareHunterTeam has noted that the target’s credentials seem to be known prior to initial infection, possibly obtained through phishing campaigns (Greenberg, 2019).

As in any development operation, the tools used in a malware attack undergo continual development, with their processes refined and their capabilities improved. Palo Alto Networks’ security research team Unit 42 believes that the group behind LockerGoga is still refining the ransomware and is figuring out how to add command-and-control features by calling undocumented Windows APIs and manipulating the dynamically linked Windows libraries that handle network connections (Rashid, 2019).

LockerGoga once again proves the need for proper backups, security policies, and employee training. Norsk Hydro has declined to pay the ransom but is looking at a rebuilding cost upwards of $80 million, having already spent $40 million in the last week (Rashid, 2019). The cost of recovering from this type of attack is often higher than the cost of the attack itself and could easily cause a smaller organization to go bankrupt.

Works Cited

Greenberg, A. (2019). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. WIRED. Retrieved March 28, 2019, from https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/

Rashid, F. (2019). Researchers Still Unraveling LockerGoga Ransomware. Decipher. Retrieved March 28, 2019, from https://duo.com/decipher/researchers-still-unraveling-lockergoga-ransomware