Assignment 4

The document outlines a series of tasks for completing the OverTheWire Bandit challenge, detailing the steps to log into various levels and retrieve passwords using Linux command-line techniques. Each level requires specific commands to navigate directories, read files, and find passwords, culminating in a total of ten levels. Additionally, there is a second question related to participating in the TryHackMe Advent of Cyber 2023 room, focusing on a specific task and requiring a step-by-step walkthrough.


Aamna Abbas BEIS-05 (A)

ASSIGNMENT – MASTER THE BASICS


QUESTION – 1:
Embark on a virtual heist with the OverTheWire Bandit challenge! Your mission, should you choose to accept it,
is to breach the security layers of the Bandit system. Complete the first 10 tasks. Compile a concise report detailing
your progress, strategies, and any lessons learned. This hands-on exercise will make you proficient in Linux
command-line. Good luck, agents! (10 mks) (First 10 tasks) https://overthewire.org/wargames/bandit/
LEVEL 0:
The goal of this level is to log into the game using SSH. The host to which you need to connect
is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0.
Step 1: Logging into the remote server
1. First, we connect to the remote server using SSH (Secure Shell).
General form: ssh -p <port> <username>@<host>

Command used: ssh -p 2220 bandit0@bandit.labs.overthewire.org


2. Next, we enter the password when prompted to access the game server.
3. The password for this level is bandit0.
Aamna Abbas BEIS-05 (A)

Step 2: Finding the password for Level 1

1. Now, the next goal is to find the password to log into level 1.
2. We use the ls command to list all the files in the current directory.
3. The file storing the password for level 1 is readme.
4. We use the cat command to read the content of the file.
5. The password retrieved for level 1 is ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
6. Finally, we use the exit command to log out of the bandit0 level.
Commands used: ls, cat, exit

_________________________________________________________________________________________

LEVEL 1:
The password for the next level is stored in a file called - located in the home directory.

Step 1: Logging into level 1


1. First, we log into the level using the password found in level 0.
Command used: ssh -p 2220 bandit1@bandit.labs.overthewire.org

Step 2: Finding the password for level 2

2. Now, the next goal is to find the password to log into level 2.
3. We use the ls command to list all the files in the current directory.
4. The file storing the password for level 2 is "-".
5. We need the cat command, but the file name is a single dash, which cat treats as "read from standard input", so the plain command won't work. Instead we give it a path: cat ./- or cat < -
6. The password retrieved for level 2 is ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
7. Finally, we use the exit command to log out of the bandit1 level.
Commands used: ls, cat, exit
Aamna Abbas BEIS-05 (A)

_________________________________________________________________________________________

LEVEL 2:
The password for the next level is stored in a file called spaces in this filename located in the home
directory.

Step 1: Logging into level 2


1. First, we log into the level using the password found in level 1.
Command used: ssh -p 2220 bandit2@bandit.labs.overthewire.org

Step 2: Finding the password for level 3

2. Now, the next goal is to find the password to log into level 3.
3. We use the ls command to list all the files in the current directory.
4. The file storing the password for level 3 is "spaces in this filename".
5. We need the cat command, but the file name contains spaces, so an unquoted name would be split into several arguments and the plain command won't work. We quote it instead: cat "spaces in this filename" or cat 'spaces in this filename'
6. The password retrieved for level 3 is MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx
7. Finally, we use the exit command to log out of the bandit2 level.
Commands used: ls, cat, exit

_________________________________________________________________________________________

LEVEL 3:
The password for the next level is stored in a hidden file in the inhere directory.

Step 1: Logging into level 3


1. First, we log into the level using the password found in level 2.
Command used: ssh -p 2220 bandit3@bandit.labs.overthewire.org

Step 2: Finding the password for level 4

2. Now, the next goal is to find the password to log into level 4.
3. We use the cd command to change into the inhere directory.
4. We use the ls command to list all the files in the inhere directory.
5. No file is shown, so the file holding the password must be hidden (its name starts with a dot).
6. We use ls -a to show hidden files as well.
7. The hidden file named ...Hiding-From-You is shown.
8. We use the cat command to read the password.
9. The password retrieved for level 4 is 2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ
10. Finally, we use the exit command to log out of the bandit3 level.
Commands used: ls, cd, ls -a, cat, exit

_________________________________________________________________________________________

LEVEL 4:
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your
terminal is messed up, try the “reset” command.

Step 1: Logging into level 4


1. First, we log into the level using the password found in level 3.
Command used: ssh -p 2220 bandit4@bandit.labs.overthewire.org

Step 2: Finding the password for level 5

1. Now, the next goal is to find the password to log into level 5.
2. We use the cd command to change into the inhere directory.
3. We use the ls command to list all the files in the inhere directory.
4. We use the file command to find the type of each file.
5. Running file on every file by hand is tedious, so we use a for loop to check them all at once. The ./ prefix is needed because the names start with a dash and would otherwise be parsed as options.
Command used: for i in $(ls); do file ./$i ; done
6. The only human-readable file is the one named -file07.
7. We use the cat command to read the password.
8. The password retrieved for level 5 is 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw
9. Finally, we use the exit command to log out of the bandit4 level.
Commands used: ls, file, cd, cat, exit

_________________________________________________________________________________________

LEVEL 5:
The password for the next level is stored in a file somewhere under the inhere directory and has all
of the following properties:
• human-readable
• 1033 bytes in size
• not executable

Step 1: Logging into level 5


1. First, we log into the level using the password found in level 4.
Command used: ssh -p 2220 bandit5@bandit.labs.overthewire.org

Step 2: Finding the password for level 6

2. Now, the next goal is to find the password to log into level 6.
3. We use the cd command to change into the inhere directory.
4. We use the ls command to list all the files in the inhere directory.
5. Running ls showed 19 further directories, each containing 9 more files.
6. Checking each file's size with du and its type with file by hand would be very time consuming, so we use find with predicates matching the properties listed above (the size is given in bytes with the c suffix):
Command used: find . -type f -size 1033c -readable -not -executable
7. We found the file at the following path inside the inhere directory.
Path followed: ./maybehere07/.file2
8. We use the cat command to read the password.
9. The password retrieved for level 6 is HWasnPhtq9AVKe0dmk45nxy20cvUa6EG.
10. Finally, we use the exit command to log out of the bandit5 level.
Commands used: ls, cd, find, file, du, cat, exit

_________________________________________________________________________________________

LEVEL 6:
The password for the next level is stored somewhere on the server and has all of the following
properties:
• owned by user bandit7
• owned by group bandit6
• 33 bytes in size

Step 1: Logging into level 6


1. First, we log into the level using the password found in level 5.
Command used: ssh -p 2220 bandit6@bandit.labs.overthewire.org

Step 2: Finding the password for level 7

1. Now, the next goal is to find the password to log into level 7.
2. The file is somewhere on the server and we don't know its name, so ls alone cannot find it.
3. We use find from the root directory with predicates matching the properties listed above:
4. find / -type f -size 33c -user bandit7 -group bandit6
5. Many "Permission denied" errors are printed for directories we cannot read. They go to standard error (file descriptor 2), so we discard them by appending 2>/dev/null to the command.
6. The path to the file containing the password is found to be
/var/lib/dpkg/info/bandit7.password
7. We use the cat command to read the password.
8. The password retrieved for level 7 is morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj.
9. Finally, we use the exit command to log out of the bandit6 level.
Commands used: find, cat, exit
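The two find commands are the heart of levels 5 and 6. As an added example that is not part of the original report, the script below rebuilds both searches on a small constructed directory tree so the predicates can be checked locally before they are typed on the target: the -size / -readable / -executable filters of level 5, a portable stand-in for the file(1) "human-readable" check, and the size-plus-ownership search with 2>/dev/null of level 6. All paths, file contents and the bandit7.password name under the temporary tree are constructed here; because the demo runs as whoever executes it, the ownership search uses the caller's own uid and gid in place of bandit7 and bandit6.

```shell
# Added example, not from the original report: rebuild the level 5 / level 6
# style searches on a constructed directory tree. Every path and file body
# below is constructed for the demo; the real Bandit tree is different.

set -u

# Build a small tree resembling inhere/: several decoys and one target file.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/maybehere00" "$root/maybehere01" "$root/maybehere02" \
             "$root/var/lib/dpkg/info"
    # decoy: right size but executable, and binary (all NUL bytes)
    head -c 1033 /dev/zero > "$root/maybehere00/.file1"
    chmod 755 "$root/maybehere00/.file1"
    # decoy: right permissions but wrong size (1032 bytes)
    head -c 1032 /dev/zero | tr '\000' 'x' > "$root/maybehere00/-file2"
    # decoy: right size and permissions but not human-readable (all NUL bytes)
    head -c 1033 /dev/zero > "$root/maybehere02/spaces file1"
    # target: 1033 bytes (1032 'x' plus newline), readable, not executable, text
    { head -c 1032 /dev/zero | tr '\000' 'x'; printf '\n'; } > "$root/maybehere01/.file2"
    chmod 644 "$root/maybehere00/-file2" "$root/maybehere02/spaces file1" \
              "$root/maybehere01/.file2"
    # level 6 style target: 33 bytes (32 characters plus newline), owned by us
    printf '%s\n' 'constructed-demo-password-012345' > "$root/var/lib/dpkg/info/bandit7.password"
    printf '%s\n' "$root"
}

# Level 5 style: filter on filesystem attributes only. -readable and
# -executable are GNU find extensions (the ones the report used).
find_candidates() {
    find "$1" -type f -size 1033c -readable ! -executable 2>/dev/null | sort
}

# "human-readable" is not a find predicate; the report used file(1). This
# portable stand-in deletes every printable or whitespace byte and calls the
# file text only if nothing is left.
is_human_readable() {
    [ "$(tr -d '[:print:][:space:]' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Combine both: the candidates that are also text. In the real level 5 the
# size filter alone was enough; this shows the general two-stage method.
find_password_file() {
    find_candidates "$1" | while IFS= read -r f; do
        if is_human_readable "$f"; then printf '%s\n' "$f"; fi
    done
}

# Level 6 style: search a whole subtree by size and ownership. Run from / on
# a real host this prints "Permission denied" for every directory we cannot
# enter; those messages go to stderr (fd 2), which 2>/dev/null discards.
find_by_owner_and_size() {
    # $1 = directory to search, $2 = size in bytes, $3 = user, $4 = group
    find "$1" -type f -size "${2}c" -user "$3" -group "$4" 2>/dev/null | sort
}

# Run the demo end to end when executed directly.
demo_root=$(make_demo_tree)
echo "candidates by size/permission:"; find_candidates "$demo_root"
echo "of those, human-readable:";      find_password_file "$demo_root"
echo "owner/group/size search:";       find_by_owner_and_size "$demo_root" 33 "$(id -u)" "$(id -g)"
rm -rf "$demo_root"
```

Run it with sh. The size and permission predicates narrow the tree quickly, but a find command alone cannot tell text from binary, which is why the report reached for file(1) and why the two decoys with the right size are still weeded out here by the readability check.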
_________________________________________________________________________________________

LEVEL 7:
The password for the next level is stored in the file data.txt next to the word millionth.

Step 1: Logging into level 7


1. First, we log into the level using the password found in level 6.
Command used: ssh -p 2220 bandit7@bandit.labs.overthewire.org

Step 2: Finding the password for level 8

2. Now, the next goal is to find the password to log into level 8.
3. We use the grep command to find the word 'millionth' in the file; grep prints the whole matching line, so the password stored next to the word is shown as well.
4. grep "millionth" data.txt
5. The password retrieved for level 8 is dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc
6. Finally, we use the exit command to log out of the bandit7 level.
Commands used: ls, grep, exit

______________________________________________________________________________________

LEVEL 8:
The password for the next level is stored in the file data.txt and is the only line of text that occurs only
once.

Step 1: Logging into level 8


1. First, we log into the level using the password found in level 7.
Command used: ssh -p 2220 bandit8@bandit.labs.overthewire.org

Step 2: Finding the password for level 9

1. Now, the next goal is to find the password to log into the level 9.
2. Firstly, we use the ls command to list all the files.
3. The file found is named data.txt.
4. The uniq command only detects repeated lines when they are adjacent, so we first use sort to bring identical lines next to each other.
5. We use the pipe operator to feed the output of sort into uniq.
6. uniq -u prints only the lines that occur exactly once.
Command used: sort data.txt | uniq -u
7. The password retrieved for level 9 is 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM
8. Finally, we use the exit command to log out of the bandit8 level.
Commands used: ls, sort, uniq, exit

_________________________________________________________________________________________
LEVEL 9:
The password for the next level is stored in the file data.txt in one of the few human-readable strings,
preceded by several ‘=’ characters.

Step 1: Logging into level 9


1. First, we log into the level using the password found in level 8.
Command used: ssh -p 2220 bandit9@bandit.labs.overthewire.org

Step 2: Finding the password for level 10

1. Now, the next goal is to find the password to log into level 10.
2. The file contains only a few human-readable lines among binary data, so we use the strings command to extract the printable sequences from the raw data.
3. grep is then used to keep only the lines containing "=".
4. Command used: strings data.txt | grep "="
5. The password retrieved for level 10 is FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey.
6. Finally, we use the exit command to log out of the bandit9 level.
Commands used: strings, grep, exit

_________________________________________________________________________________________

LEVEL 10:
The password for the next level is stored in the file data.txt, which contains base64 encoded data

Step 1: Logging into level 10


1. First, we log into the level using the password found in level 9.
Command used: ssh -p 2220 bandit10@bandit.labs.overthewire.org

Step 2: Finding the password for level 11

1. Now, the next goal is to find the password to log into level 11.
2. First, we use the cat command to output the data stored in the file.
3. The data is base64 encoded. Base64 is an encoding, not encryption: no key is involved and anyone can reverse it, so decoding the file gives the password directly.
Command used: base64 -d data.txt
4. The password retrieved for level 11 is dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr
5. Finally, we use the exit command to log out of the bandit10 level.
Commands used: cat, base64, exit
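Levels 7 to 10 are all text-processing pipelines over data.txt. As an added example that is not part of the original report, the script below runs each pipeline on constructed stand-ins for data.txt so the behaviour can be seen offline: grep for the key word of level 7, uniq -u with and without the preceding sort for level 8 (showing why the sort is required), a tr/grep stand-in for strings for level 9 (for machines without binutils installed), and base64 -d for level 10. Every password-like value below is a constructed placeholder.

```shell
# Added example, not from the original report: the level 7-10 text-processing
# pipelines on constructed stand-ins for data.txt. All "passwords" below are
# constructed placeholders.

set -u

# Level 7: the password sits on the same line as a key word, separated by a tab.
make_level7_data() {
    printf '%s\t%s\n' thousandth constructed-pw-aaaa \
                      millionth  constructed-pw-bbbb \
                      billionth  constructed-pw-cccc
}
# grep prints the whole matching line; -w stops "millionth" matching "millionths".
password_next_to() {
    make_level7_data | grep -w "$1" | awk '{ print $2 }'
}

# Level 8: every line appears twice except one, and the duplicates are NOT
# adjacent, which is exactly the situation uniq cannot handle on its own.
make_level8_data() {
    printf '%s\n' alpha beta gamma alpha UNIQUE-LINE-constructed gamma beta
}
# Without sort, uniq only compares neighbouring lines, so nothing is seen as a
# duplicate and every line is reported as "unique" (7 lines here).
count_unique_without_sort() {
    make_level8_data | uniq -u | wc -l | tr -d ' '
}
# With sort first, identical lines become adjacent and uniq -u keeps the one
# line that really occurs once.
find_unique_line() {
    make_level8_data | sort | uniq -u
}

# Level 9: printable text embedded in binary data, marked by a run of '='.
make_level9_data() {
    printf '\001\002\003noise\004\005========== constructed-pw-dddd\006\007\010x=y\011'
}
# strings(1) prints runs of 4 or more printable characters. The same effect
# with tr and grep: turn every non-printable byte into a newline, keep runs
# of 4 or more characters, then keep only the lines carrying the '=' marker.
marker_strings() {
    make_level9_data | LC_ALL=C tr -c '[:print:]\n' '\n' | LC_ALL=C grep -E '.{4,}' | grep '=='
}

# Level 10: base64 is an encoding, not encryption. No key is needed; anyone
# holding the text can reverse it. The constant below is the base64 of the
# constructed string "constructed-pw-eeee" followed by a newline.
make_level10_data() {
    printf '%s\n' 'Y29uc3RydWN0ZWQtcHctZWVlZQo='
}
decode_level10() {
    make_level10_data | base64 -d
}

# Run the demo end to end when executed directly.
echo "level 7:  $(password_next_to millionth)"
echo "level 8:  uniq -u without sort reports $(count_unique_without_sort) 'unique' lines; with sort: $(find_unique_line)"
echo "level 9:  $(marker_strings)"
echo "level 10: $(decode_level10)"
```

The level 8 pair is the point to remember: uniq -u on the unsorted data reports all seven lines as unique because it only ever compares a line with the one before it, while sort | uniq -u returns the single genuine one.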

Question – 2. Join the adventure on TryHackMe's Advent of Cyber 2023 room. Here there are a number of
tasks and you have to practice only one task as mentioned against your names in the attached list. Submit
step by step walkthrough. You will have to present in the class about the challenge and what you learnt. (30
mks)

https://tryhackme.com/r/room/adventofcyber2024

ADVENT OF CYBER DAY 3: LOG ANALYSIS


Introduction:
In this task, we have two main operations: Operation Blue and Operation Red.
• Operation Blue: A Remote Code Execution (RCE) vulnerability has been identified. Using Security Operations Center (SOC) style log analysis, we identify where the web shell was uploaded and which IP address used it on the Frosty Pines server.
• Operation Red: We learn how the shell was uploaded to the server and how it gives access to the server's system.
Previous Knowledge:
To solve this, you should have a basic understanding of:
1. ELK (Elasticsearch, Logstash, Kibana), especially Kibana Query Language (KQL) for log analysis.
2. RCE (Remote Code Execution)
3. Web Shell
Key Terms:
• ELK: A stack of open-source products – Elasticsearch, Logstash, and Kibana – used for searching, analyzing, and visualizing log data in real time.
• KQL: Kibana Query Language, used to query data in Kibana.
• RCE: Remote Code Execution, a type of vulnerability that allows an attacker to run arbitrary code on a target machine.
• Web Shell: A script that enables remote administration of a machine, allowing the execution of commands on the server.
Steps of Operation Blue:
This part focuses on investigating the attack using log analysis tools. Key things to capture include:
BLUE: Where was the web shell uploaded to?
Answer format: /directory/directory/directory/filename.php
BLUE: What IP address accessed the web shell?
Data Provided:
1. Access Kibana: navigate to MACHINE_IP:5601 to investigate the attack, and answer the blue questions by analyzing the logs in Kibana.
2. Select ELK Collection: review the logs of the attack on Frosty Pines Resorts by selecting the "frostypines-resorts" collection within ELK. Use the date and time range between 11:30 and 12:00 on October 3rd, 2024 when reviewing the logs.

Detailed Steps:
1. Start the AttackBox and the target machine.
2. Open Firefox and enter the IP address of the Kibana server (MACHINE_IP:5601). The Kibana start screen appears.
3. Select the log collection.
4. Change the log collection to Frosty Pines Resort ("frostypines-resorts").
5. Set the date and time range.
6. Change the date to October 3rd, 2024, from 11:30 to 12:00.
7. Update the query to get the relevant data.
8. Narrow down the search by typing message: "shell.php" into the KQL search bar.
9. Filter by client IP.
10. Identify the IP that tried to run commands using the shell.php file.
11. Capture the two answers to the blue questions.
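Steps 7 to 10 are done by clicking in Kibana. As an added example that is not part of the walkthrough or of the room, the script below performs the same triage with shell tools over a handful of constructed access-log lines: apply the 11:30 to 12:00 window, look for a .php file served out of the images directory (the KQL message: "shell.php" filter in text form), count which client IPs requested it, and pivot to everything that client did in the window. The client IPs, timestamps, response sizes and the /admin/add_room.php endpoint are constructed; only the /media/images/room/shell.php path mirrors the one reported below in Operation Red.

```shell
# Added example, not from the original walkthrough: the Operation Blue triage
# done with shell tools over constructed web-server access-log lines. The
# client IPs, timestamps, sizes and the admin endpoint are constructed; only
# the shell.php path mirrors the one found in the room.

set -u

# Constructed access log in the common "combined" format. Field layout:
# $1 client IP, $4 "[dd/Mon/yyyy:HH:MM:SS", $6 method, $7 request path.
log_lines() {
    cat <<'EOF'
10.10.10.5 - - [03/Oct/2024:11:31:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.9.98.12 - - [03/Oct/2024:11:44:58 +0000] "POST /admin/add_room.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.9.98.12 - - [03/Oct/2024:11:45:40 +0000] "GET /media/images/room/shell.php?command=id HTTP/1.1" 200 48 "-" "Mozilla/5.0"
10.10.10.5 - - [03/Oct/2024:11:46:03 +0000] "GET /media/images/room/pool.png HTTP/1.1" 200 88123 "-" "Mozilla/5.0"
10.9.98.12 - - [03/Oct/2024:11:47:12 +0000] "GET /media/images/room/shell.php?command=ls HTTP/1.1" 200 201 "-" "Mozilla/5.0"
10.9.98.12 - - [03/Oct/2024:12:30:00 +0000] "GET /media/images/room/shell.php?command=whoami HTTP/1.1" 200 12 "-" "Mozilla/5.0"
EOF
}

# Keep only lines whose timestamp falls on the given day between two HH:MM
# values (the same 11:30-12:00 window the room asks for in Kibana).
in_window() {
    awk -v day="$1" -v start="$2" -v end="$3" '
        {
            split(substr($4, 2), t, ":")        # t[1]=date, t[2]=HH, t[3]=MM
            hm = t[2] ":" t[3]
            if (t[1] == day && hm >= start && hm <= end) print
        }'
}

# A .php file served from a directory meant for images is the anomaly: print
# the distinct request paths matching that, with any query string removed.
# This is the shell-tool equivalent of the KQL filter message:"shell.php".
webshell_path() {
    log_lines | in_window 03/Oct/2024 11:30 12:00 |
        awk '$7 ~ /^\/media\/images\/.*\.php/ { sub(/\?.*/, "", $7); print $7 }' | sort -u
}

# Distinct client IPs that requested the web shell in the window, with counts
# (answers the second blue question and shows how often the shell was used).
webshell_hits_by_ip() {
    log_lines | in_window 03/Oct/2024 11:30 12:00 |
        awk '$7 ~ /shell\.php/ { print $1 }' | sort | uniq -c | sort -rn |
        awk '{ print $2, $1 }'
}

# Pivot: everything one client did in the window. The POST just before the
# first shell request is the upload to look at next.
requests_from() {
    log_lines | in_window 03/Oct/2024 11:30 12:00 | awk -v ip="$1" '$1 == ip'
}

# Run the demo end to end when executed directly.
echo "web shell path: $(webshell_path)"
echo "clients hitting it (ip count):"; webshell_hits_by_ip
echo "all requests from the top client:"
requests_from "$(webshell_hits_by_ip | awk 'NR == 1 { print $1 }')"
```

The time window matters for the same reason it does in Kibana: the last constructed line is a shell request at 12:30 and is correctly left out of both counts. The pivot step shows why an analyst widens the search after finding the shell: the POST from the same client a minute earlier is the upload that put the file there.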

Steps of Operation Red:


This part focuses on the attack itself and how it was carried out. Key things to capture include:
RED: What are the contents of flag.txt?
Detailed Steps:
1. First, in order to access the Frosty Pines Resorts website (http://frostypines.thm), you need to map the name to the machine in your hosts file. On the AttackBox, this is done by running the following command in a terminal (MACHINE_IP is the target's address):
echo "MACHINE_IP frostypines.thm" >> /etc/hosts

2. Now, we open the Frosty Pines web portal in Firefox as shown below.

3. There are no file uploads on the home page, so we go to the rooms page, where we still can't upload anything.

4. We go to the login page, where we try the default credentials.
5. Now, we have access to the admin account.

6. Now, we go to the add a new room page, where we see an option to upload a file.
7. Now, we use the command line to save the code as shell.php on the desktop.

8. In order to execute the file, we need to know where the server stored it. We press F12 to open the browser's developer tools and go to the Network tab, where we can find the request for shell.php and its address.

The address found was /media/images/room/shell.php


9. Now, we use the address of this file and try to access it on the server.
frostypines.thm/media/images/room/shell.php

10. Now, we use the ls command to list the files around us and we find the flag.txt file.
11. Now, we use the cat command to read its content, and the flag is captured as

12. We have now captured the answer to the red question.

Conclusion:
In this task, we successfully conducted two main operations: Operation Blue and Operation Red.
Operation Blue focused on identifying a vulnerability related to Remote Code Execution (RCE). Through Security Operations Center (SOC) log analysis in Kibana, we identified where the web shell was uploaded and pinpointed the IP address that accessed it.
Operation Red concentrated on understanding how the shell was uploaded to gain system access. We navigated the Frosty Pines Resorts web portal, identified the upload point, and determined the shell's location. By executing the shell, we accessed the server, located the flag.txt file, and retrieved its contents.
Throughout this task, we applied our understanding of ELK (Elasticsearch, Logstash, Kibana), Kibana Query
Language (KQL), and web shells. This practical experience reinforced our knowledge and demonstrated the
importance of thorough log analysis and vulnerability assessment in cybersecurity operations.
_________________________________________________________________________________________

Question – 3. Tabulate a Cyber security policy (1-2 pages) as mentioned against your name for MCS. You may
take help from NIST guidelines (Search them).

University Cybersecurity Policy: Virus and Spyware Protection

1. Purpose and Scope


This policy establishes guidelines to protect the University’s IT systems, networks, and user devices from viruses,
spyware, and other forms of malicious software. It aligns with the NIST Cybersecurity Framework to ensure the
integrity, confidentiality, and availability of the University's data. This policy applies to all students, faculty, staff,
contractors, and other users of university systems, networks, and devices.

2. Protection Measures
The University adopts a multi-layered approach to cybersecurity, following the NIST Cybersecurity Framework
(CSF)’s five key functions: Identify, Protect, Detect, Respond, and Recover.

a. Identify
Asset Management: Maintain an inventory of all hardware, software, and devices in use. Prioritize systems
handling sensitive data for enhanced protection.
Risk Assessment: Regularly assess vulnerabilities across university systems to identify risks related to viruses and
spyware.

b. Protect
Antivirus and Anti-malware Software
1. Install and update antivirus/anti-malware software on all devices to detect and block malicious software.
2. Enable automatic updates and schedule regular scans to ensure real-time protection.
Software Updates and Patch Management
1. Keep operating systems, applications, and antivirus software updated to close security vulnerabilities.
2. Implement a patch management program to ensure timely deployment of security patches.
Email Security
1. Scan all incoming emails for viruses, malicious attachments, and links.
2. Use email filtering tools to detect phishing and educate users on how to recognize suspicious emails.
Secure Browsing and External Devices
1. Use browsers with security features like phishing filters, pop-up blockers, and HTTPS.
2. Scan external devices (USB drives, etc.) for malware before connecting to university systems.

Endpoint Protection and Firewalls


1. Equip devices with host-based firewalls to monitor and block suspicious traffic.
2. Configure network firewalls to block unauthorized access and malicious traffic.
User Education and Awareness
1. Provide mandatory cybersecurity training to raise awareness about virus and spyware risks.
2. Remind users regularly about safe browsing and file downloading practices.

c. Detect
Continuous Monitoring
1. Implement network and endpoint monitoring to detect signs of viruses and spyware.
2. Use intrusion detection systems (IDS) and automated tools to identify suspicious activities.
Log Management
1. Collect and review logs from devices, security tools, and network traffic to detect malware infections early.
Anomaly Detection
1. Identify unusual behavior, such as unauthorized data transfers or unexpected network activity, that may signal
an infection.

d. Respond
Incident Response Plan
1. Develop and maintain an incident response plan for virus and spyware outbreaks.
2. If an infection occurs, disconnect affected systems immediately to prevent further spread.
Containment and Remediation
Use antivirus and anti-malware tools to remove infections.
Restore systems from clean backups and ensure all traces of the infection are eradicated.
Communication
1. Notify affected users and departments promptly with instructions for remediation and protection.
2. Provide updates throughout the response process.
Post-Incident Analysis
1. Review the incident to understand the cause, evaluate the response, and update security measures as necessary.

e. Recover
Backup and Restoration
1. Regularly back up critical data and ensure secure storage for easy restoration after an infection.
2. Restore data and systems from backups to minimize disruptions and data loss.
Continuous Improvement
1. After each incident, assess and enhance virus and spyware protection measures.
2. Update training materials, detection tools, and incident response plans based on lessons learned.

3. Compliance and Enforcement


All University users are required to comply with this policy. Non-compliance may result in disciplinary actions,
including loss of access to university systems or other consequences in line with University conduct policies.

4. Review and Updates


This policy will be reviewed annually and updated as necessary to address emerging threats, technological
changes, or regulatory requirements. Any significant changes will be communicated to all affected users.
