Computer Security and Networks: Exercise 1
Deadline: 1 February 2024, 4pm
1 Getting the VM working
You first need to download the VM image and install it, as per canvas page.
There are many user accounts on the VM; you begin the module with access to just
one:
Username: employee427, password: employee427
You must use your own copy of the VM for this (and every other) exercise.
You must not share your VM with other students.
In the home directory you will find a token split into two files theFirstTokenPart1
and theFirstTokenPart2. The token is the concatention of these two files. Submit this
token on the website:
https://www.cs.bham.ac.uk/internal/courses/comp-sec/token
This token system is not yet operational. A canvas annoucement will be made when
this system has been set up.
[1 mark]
2 Access Control
For this exercise you need to explore the other home directories on the VM and find out
more about what is going on at the company, in particular you need to find two tokens, get
the shadow file and then crack some passwords to find two more tokens. The VM contains
a number of access control vulnerabilities and you need to find and exploit these to access
files that are protected.
1. Look in the directories /home/carolmiller , /home/charlegarcia /home/jakkinkade
and /home/nikadler, somewhere in there are two files that contain tokens; these files
are protected by the access control system. Search the home directories for these files
and find access control flaws that allow you to read the files. Submit the two tokens
you find to the token submission website.
1
[3 marks each]
2. By exploiting mistakes in the access control settings of the VM, find a way to read
the /etc/shadow password hash file.
Once you have the shadow file, install a password cracker and try to crack the passwords for the staff accounts aarushsanders and alayahpritchard. You may use
any password cracker you like – “John the Ripper” is probably easiest. (N.B. you
will need the “jumbo” version of john the ripper if you want to crack SHA hashes).
This program is already installed on the VM. The canvas page for the assignments
also contains a link to a suitable wordlist.
The staff accounts aarushsanders and alayahpritchard each contain a token.
Cracking the passwords to these accounts will allow you to log in as these users
and read the tokens. Find these tokens and submit them to the token submission
如有需要，請加QQ：99515681 或WX：codehelp