NITE Team 4 Military Hacking Division

I’ve begun playing NITE Team 4 Military Hacking Division and I like the game.

A few things to note when comparing it to real hacking are some of the command and program names, although realistically you could alias real tools to these names (such as netscan instead of nmap; and Hydra here is a web browser rather than the network login cracker of the same name).

This whole thing is basically a spoiler so read at your own risk

Main Missions

Operation Withering Dusk – Phase 1

These are my RAW notes
————————————————————–

Target is: corocoins.io, with the mission objective of tracking the owner of the Wallet Key: 0x1b807a71edc5ab17ab5e54a909cea9

AlphaBlue

email.corococoins.io vulnerable
Port 80
Tech: OutlookWebAccess
Cross-site Request Spoof
UDP

Active Directory
/ad/key_database/kyc

Arther Robert has a birthday matching the one in the Active Directory file

Lat: 47.5 Lon: 19.1
driver's license: NJU-441
Car Tracked

eleventenmedia.com #Billboards Network

modulus.eleventenmedia.com #DNS AUTHORITY
UDP
SNMP
Tech: PHP-7.0.4
port 80

A.Gunsberg
ps-4ru7f4.mecachemws.com # storage account

26 years old #based on IRL year
Arthur
Gunsberg

coin #investment
forint #Hungarian currency (fits Budapest)
bagy #girlfriend
Tamas #Brother
budapest #city

M1nt_Stat3

s.polgar@farkaslearning.com
———————————————————
ns2.farkaslearning.com
Apache-2.0
80
SOAP
TCP

#MITM
##No ARP Targets
##LLMNR
###ROUTE Research Lab only
####Packet Sniffer Successful
Hash Sniffed
s.polgar::farkaslearning:44E6AA64E113B1E2B5D5DB4AABAEF22C:96766E61E7B9C7084951C8430D1CCA0C

#Network Scan
/it/active-directory #AD
/project-manager/repo/ #File System

#AD
/it/active-directory
Susan Polgar
Project Manager

Password Policy
NTLM
10 characters minimum
Number
Symbol
Uppercase

24 characters maximum
Rainbow Table used

R3ach_FOR_the_$Ky
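The sniffed hash and the crack above, as an added worked example (my own code, not part of the notes or the game): the line the game shows has the shape of a NetNTLMv2 capture as fed to hashcat mode 5600, user::domain:serverchallenge:ntproofstr:blob, except that the game's line carries only two hex fields where a real capture has three. The practitioner point is that the response is an HMAC over the server challenge and the client blob, so it is salted per session and a rainbow table cannot be used against it; a cracker has to recompute the response for every candidate, which is what this code does, using the AD password policy from the notes (10 to 24 characters, a digit, a symbol, an uppercase letter) to skip candidates the domain would never have accepted. MD4 is written out inline because hashlib does not expose it on OpenSSL 3 builds without the legacy provider. The capture it cracks is constructed inside the block (made-up server challenge and blob, the notes' cracked password as the secret), and the wordlist is constructed too.

```python
import hashlib
import hmac
import string
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out because hashlib.new('md4') is unavailable
    on OpenSSL 3 builds unless the legacy provider is loaded."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k = lambda x, y, z: x ^ y ^ z
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                      # round 1: F, words 0..15 in order
            a = _rotl((a + f(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 2: G, words 0,4,8,12,1,5,...
            j = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + X[j] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 3: H, words 0,8,4,12,2,10,...
            a = _rotl((a + k(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). Unsalted: this is the thing a rainbow table could target."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof_str(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, server challenge || client blob). Both inputs change
    per session, so a sniffed response is effectively salted: no rainbow table applies."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def hashcat_5600_line(user, domain, server_challenge, proof, blob):
    """The capture format hashcat -m 5600 expects."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def meets_policy(pw: str) -> bool:
    """The AD policy from the notes: 10-24 characters, a digit, a symbol and an uppercase letter."""
    return (10 <= len(pw) <= 24 and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw) and any(c.isupper() for c in pw))


def crack_5600(line: str, wordlist):
    """Recompute NTProofStr for each policy-compliant candidate and compare with the capture."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    chal, blob, target = bytes.fromhex(chal_hex), bytes.fromhex(blob_hex), bytes.fromhex(proof_hex)
    for cand in wordlist:
        if not meets_policy(cand):                # the domain would never have accepted it
            continue
        if hmac.compare_digest(nt_proof_str(ntlmv2_key(cand, user, domain), chal, blob), target):
            return cand
    return None


# Constructed capture (not from the game): made-up server challenge and a minimal blob,
# with the notes' cracked password as the secret so the cracker has something to verify.
SAMPLE_USER, SAMPLE_DOMAIN = "s.polgar", "farkaslearning"
SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef")
SAMPLE_BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "deadbeefcafef00d" + "00" * 4)
SAMPLE_LINE = hashcat_5600_line(
    SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_CHALLENGE,
    nt_proof_str(ntlmv2_key("R3ach_FOR_the_$Ky", SAMPLE_USER, SAMPLE_DOMAIN), SAMPLE_CHALLENGE, SAMPLE_BLOB),
    SAMPLE_BLOB)
WORDLIST = ["password", "Summer2019!", "R3ach_FOR_the_$Ky", "M1nt_Stat3"]   # constructed

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_5600(SAMPLE_LINE, WORDLIST))
```

The policy filter is the cheap win here: with NetNTLMv2 every candidate costs an MD4 plus two HMAC-MD5s, so anything that can be rejected by length or character class before hashing is pure saving, and the same rules translate directly into a hashcat mask or rule set.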

#File System Traversal
/project-manager/repo/
File Downloaded
TODO File found

Luka Boltzmann
Network Technician
l.boltzmann@farkaslearning.com
it@farkaslearning.com

____________________________________

uplink51.farkaslearning.com
RemoteDesktop
33845
segfault
SST

#Network Scan
/it/active-directory #AD
/project-manager/repo/ #Files
##Digging
All good

128.221.14.1 #router
192.168.212.23 #HOST

241.248.50.106 #Uplink satellite IP
#WHOIS is private
#Password crack not resolving
#Fingerprint works

226ms #ping

Notify Luka

SET
uplink51.farkaslearning.com #Target Domain not found
Not on LinkedIn
Manual not working
————————————————–
241.248.50.106
5544
PowerShell
SST
Spoofed Execution Code

#File Traversal

/projects/uplink51/files

Operation Castle Ivy

Part 3

Nathan Lightman is a sketchy crypto trader under investigation

From the previous mission I have access to his dossier, phone and banking records.

Associates:
Jim – Computer Savvy Friend – Text message
Freddie Stuart – Contacts

Trade info XMR (Monero) 8ALp…XEV

Node ID: A771-091C
Endpoint: trade.cryptnet.auction

#Mission Start
They said that there was a file in the localhost file explorer. After manually spidering through the system I find it in China's MSS folder (why, though? This isn't engaging gameplay)

I have the cryptnet subdomain url.
Hydra is basically the web browser here, and I connected to the domain with it. (This is very wrong and confusing compared to Hydra in reality, which is a network login brute-forcer.)

Cryptnet Access

Wallet ID: cel79…fe3
Account id: a9f7…5f2

Uploaded a payload to the account and Dr Ripper (almost instantaneously) clicked on it, opening up a shell on his device.

Agent Dylan literally tells you what to do here so it’s great.

MITM, ARP style
192.168.1.1 or .254 is usually the router
URL Snapper to figure out that this is next level stuff 🔥

Part 4 FINAL

A dicey geopolitical situation with the allied country of Germany involving spy technology that isn't meant to be discovered there. Fantastic.

GPS coordinates given
Lat 52, Long 13

Drone has a heat map and DRONE STRIKE enabled
I won't mess around with the latter for obvious moral reasons.

URL "Stalker" with MITM nets me
https://hauze.systems/smarthouse.protocol/house-107/user/dfriedel/keepalive

Rip out the functional part of that URL
hauze.systems
With Hydra hint I get logged in.

Hauze System

Spydering around I find a BBQ 🍗 so It’s time for some hotdogs (in a sense if there’s a straggler dog there)

Heatmap is lit as a Christmas tree now.
The BBQ is at 121 °C and the filters work in °F, so conversion time: °F = °C × 9/5 + 32, which puts the BBQ at about 250 °F (the rough "double it" rule only works because the two scales meet at -40 and drift apart from there).

With a 150-200+ °F band and 50+ degrees of variation, it's narrowed to 3 targets. Process of elimination will decide the actual target, then DRONE STRIKE AWAY

Since this is a game process of elimination is also possible with the drone strike, finding the target being the bottom left

Confirming Drone Strike

Here there is a decision to be made. Only 1 completes the objective and has minimal collateral damage (RIP Dr. Ripper)

1 Destroy the keyfob for no excessive casualties

2 Destroy the keyfob and the German authorities

3 allow the device to be taken

I can sleep at night and got the job done 😁

Operation Dark Sentinel 

File on Local host 
Social Engineering Hint

Shared Info 
Drone report – No casualties great
Property Deed – Grantor (Owner) Marcel Moeller; Grantee (Renter) Dan Friedel
Burnt Business Card – www.krugerservices.de
Building Ruins Satellite View – Wow, it's an accurate drone

Mission Start

sfuzz DNS search on krugerservices.de & fingerprints

www.krugerservices.de – UP TO DATE
mail.krugerservices.de (139.36.222.199) – UP TO DATE
blog.krugerservices.de – UP TO DATE
139.36.222.199 – UP TO DATE

All are UP TO DATE, so social engineering access now.

SE Options
krugerservices.de
PDF (Always plausible)
Reverse Shells are fun
Property Damage Lawsuit following a drone strike is plausibly forwarded from Marcel Moeller

Got in

Connection >> 80.237.160.14

No new domains from Internal DNS scan
NO WIFI

Network Scan & dig

/erp/accounting/finances VULNERABLE SimplERP 9090
/srv-01/timesheets
/srv-02/printers
/srv-03/backup/clients
/srv-03/backup/renters

(ERP = Enterprise Resource Planning)

TCP/IP
custom SOAP 
Assasin Rootkit is specifically for SimplERP

Got in, with new document access for XKeyscore
XKeyscore with Dan Friedel and the ERP database reveals John Schaffer, the rental manager

John Schaffer has a lot of houses he manages with people whose names are on the documentation

John x Jan = Nothing major per Agent Dylan's commentary
John x Andrea = Nothing Noteworthy
John x Erik = Nothing Noteworthy
John x Martin B = Nothing Suspicious 
John x Martin G = Nothing Noteworthy
John x Michelle = Nothing Suspicious
John x Sophie = Nothing Suspicious

The prompt for Mission Complete comes up

Part 2

Deep Xkeyscore document forensics to find a link

I have the following people and I’m checking for travel chatter & ID’s from the German database.

JanP
AIRLINE – NO RECORDS
ANIMAL Registry – NO RECORDS
TAXI – Destination Hookshot Games
ER – NO RECORDS
POLICE REPORTS – NONE
TAX – NO RECORDS

Martin B
AIRLINE – NO RECORDS
ANIMAL Registry – NO RECORDS
TAXI – Null-Byte Offices
ER – NO RECORDS
POLICE REPORTS – NONE
TAX – NO RECORDS

Michelle F
AIRLINE – NO RECORDS
ANIMAL Registry – NO RECORDS
TAXI – Novelty Publishing Offices
ER – NO RECORDS
POLICE REPORTS – NONE
TAX – NO RECORDS

Sophie A
AIRLINE – NO RECORDS
ANIMAL Registry – NO RECORDS
TAXI – InsuraDebt Offices
ER – NO RECORDS
POLICE REPORTS – NONE
TAX – NO RECORDS

Hookshot Games
Marina Wannemaker CFO
m.wannemaker@hookshotgames.com
shop.hookshotgames.com | 80 | CRM4.0 VULN
UDP
Custom SOAP
UP TO DATE ERP Filesystem Found

Null-Byte
Kristian Baier
kristianbaier@null-byte.com
support.null-byte.com | 8082 | Sharepoint-2007 | VULN
TCP/IP
Custom SOAP
UP TO DATE ERP Filesystem Found

Novelty Publishing
Tim Koning 
timkonig@noveltypublishing.com
SE method
admin.noveltypublishing.com
UP TO DATE ERP Filesystem Found

InsuraDebt
Swen Gerber
s.gerber@insuradebt.com
m.insuradebt.com | 80 | PHP-7.0.4 | VULN
UDP
Crafted SNMP
UP TO DATE ERP Filesystem Found
NO WIFI

Looking for third party link

MITM SNAPPER RECURRING URL IP ADDRESS – 19.16.177.159

Fingerprint – 19.16.177.159 = Known Botnet Signature
Mission Complete

Part 3

New intel of Jorge Hirsch’s daily activities
 
Typically Takes 15 minutes to get to and from work usually with the only variant being a minor 45 minute stop at the market 
 
Hacking Wi-Fi, as there are times listed in the intel
 
Cracking HS_Games_Employees Wifi
 
Pinpointed his mobile device from Wifi Connection logs
 
No Hotspot
 
Outbound call to Maximilian
Inbound to Matthias
 
ERP is using a default password on IP address 10.212.102.180
Username: MeCacheAdmin
Password: Mecache4u!
 
File Browser to connect to the IP address
 
ID cards in this drive
 
Cross-referencing the Temporary ID cards with another company will net us the culprit
 
Similar ERP system architecture, so the default IP might work; "default" is the keyword, since it has default login info
 
Carl Hoffman has temp id’s at 2 companies and an email on this one
 
carl@carlhoffman-it.de
 
DNS
www.carlhoffman-it.de
 
Social Engineering due to access to target email
Zip file for plausible Project files
IT Support Template with Email Subject IT Support Needed
Hookshot Games is a previous client so it’s plausible
 
Connected
 
A network scan reveals /Users/Hoffman/C$
Password crack target with Username Hoffman
 
Prince.config
FName: Carl
LName: Hoffman
Age 33 (Bruteforce)
Hint1: IT (Related Word)
 
User: hoffman
Pass: ChaosReigns
 
Document with records of consulting services to all 4 companies
 
Mission Complete
 

Part 4

Time to go undercover as a dark web hacker

Connect to C2 @ 37alpha.onion in the C2 Registry

NO WIFI

Network scan returns an employee directory and levels 01-05

digs return the service SimplERP with ports 1111-5555 for the levels

Active Directory for employee Directory

File Browser for level 1-5

NO Default ERP IP Address 10.212.102.180 VULN

/level01
Level 1 Password Info
User: book1
Pass: CodexGigas
Files:

Correlation between Paradise Lost, dots and the ASCII table
The dot counts are decimal ASCII codes, so each pair of dot groups gives one letter

7 1 = G
8 5 = U
8 3 = S
8 4 = T
6 5 = A
8 6 = V
6 9 = E

Illustrations of Paradise Lost by Gustave Doré

I’m in

/level02
Level 2 Password Info
User: book2
Type: Medium
Spydering around I find a picture of George Scovell, the Level 3 puzzle with a dictionary cipher, and 30 occult sigils (some of the 72 demon sigils) split across multiple file systems into groups of 5

George Scovell was a British army officer (later a general)
Known for cracking the French Army of Portugal code, which was then replaced with the Great Paris Cipher (the Great Cipher), also broken by him, with the last character of certain words being used in the cipher

The numbers represent the password. Considering that the first number does not go above 30 (Sigils present) and the second number does not go above 5 (Letter count?) then it’s safe to assume that this is in reference to the sigils

2 . 1 A
8 . 3 R
3 . 4 S
11 . 1 G
22 . 3 O
13 . 2 E
17 . 3 T
12 . 5 I
29 . 4 A

ARSGOETIA
One of the five books of the grimoire called The Lesser Key of Solomon, or the Lemegeton for short, focusing on the practice of conjuring demons, or in Ancient Greek, goetia.

Visual Representation of the Demons

/level03
Level 3 Password Info
User: book3
Type: Hard
Spyder Results

Substitution Cipher Index chart?
Picture of Julius Caesar (Caesar cipher)
The level 4 Cipher Text Password

NKOWYXEW

Using the Uplink51 AI I test ROT13 with no dice, then I check the chart

It looks like the bottom row is offset 16 from the standard alphabet, so it's ROT16

Decoded string: daemonum

And I’m in
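The three level puzzles above (the dot counts, the sigil pairs and the Caesar chart), as an added worked example; this is my own code, not the game's and not the author's. Level 1 and Level 3 follow directly from the notes: the dot counts are decimal ASCII codes, and the Level 3 string is a Caesar shift that the code brute-forces over all 26 offsets rather than guessing. For Level 2 the notes show the sigils but not their names, so the key list is an assumption: the first thirty spirits of the Ars Goetia in the Lemegeton's conventional order. All nine (sigil, position) pairs in the notes agree with that list, which is why it is the assumed key.

```python
# Added decoders for the three 37alpha.onion levels (my own code, not the game's
# or the author's). Level 1 and 3 follow from the notes; the Level 2 key is assumed.

GOETIA_30 = [  # ASSUMPTION: first 30 spirits of the Ars Goetia, conventional Lemegeton order
    "Bael", "Agares", "Vassago", "Gamigin", "Marbas", "Valefor", "Amon", "Barbatos",
    "Paimon", "Buer", "Gusion", "Sitri", "Beleth", "Leraje", "Eligos", "Zepar",
    "Botis", "Bathin", "Sallos", "Purson", "Marax", "Ipos", "Aim", "Naberius",
    "Glasya-Labolas", "Bune", "Ronove", "Berith", "Astaroth", "Forneus",
]

LEVEL1_PAIRS = [(7, 1), (8, 5), (8, 3), (8, 4), (6, 5), (8, 6), (6, 9)]   # dot counts from the notes
LEVEL2_PAIRS = [(2, 1), (8, 3), (3, 4), (11, 1), (22, 3), (13, 2), (17, 3), (12, 5), (29, 4)]
LEVEL3_CT = "NKOWYXEW"


def ascii_pairs(pairs):
    """Level 1: two dot groups form one decimal ASCII code, e.g. (7, 1) -> 71 -> 'G'."""
    return "".join(chr(tens * 10 + ones) for tens, ones in pairs)


def book_cipher_decode(key, pairs):
    """Level 2: (entry number, letter position), both 1-based, indexed into a numbered key list.
    Only the entries the notes use (2, 3, 8, 11, 12, 13, 17, 22, 29) matter for this decode."""
    return "".join(key[entry - 1][pos - 1].upper() for entry, pos in pairs)


def caesar(text, shift):
    """Shift letters by `shift` places, preserving case and leaving non-letters alone."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_bruteforce(ciphertext):
    """Level 3: all 26 decryptions keyed by shift. ROT13, the first guess in the notes, is 13;
    the chart's offset of 16 is the one that reads as Latin."""
    return {s: caesar(ciphertext, s) for s in range(26)}


def find_shift(ciphertext, known_plaintext):
    """Return the shift under which ciphertext decrypts to known_plaintext, else None."""
    for s, pt in caesar_bruteforce(ciphertext).items():
        if pt.lower() == known_plaintext.lower():
            return s
    return None


if __name__ == "__main__":
    print("level 1:", ascii_pairs(LEVEL1_PAIRS))
    print("level 2:", book_cipher_decode(GOETIA_30, LEVEL2_PAIRS))
    for s, pt in caesar_bruteforce(LEVEL3_CT).items():
        print(f"level 3 shift {s:2d}: {pt}")
```

With a Caesar cipher there is never a reason to guess a shift: 26 candidates fit on one screen, and the readable one (shift 16 here) is obvious at a glance.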

/level04
Level 4
User: book4
Type: Nightmare

Spyder results

Level 5 Password Hint
Network.mtgl file with a network topology
(.mtgx is Maltego's graph file format)

SECUREBACKUP.IO

SimNight Avalon (Game?) > vpn.simnight.com > Backdoor > The Following

/sys/lab/clients
/sys/lab/core
/sys/lab/suppliers

Time to hack vpn.simnight.com
Port 1723
CiscoVPNClient
UDP
Content Spoofing

And I’m in

NO WIFI
NO MITM

A Network Scan
/sys/lab/clients
/sys/lab/core
/sys/lab/suppliers

2 use ERP with the default-IP hole patched

The core is vulnerable with
Service: Synt
Port: 31337

UDP
Crafted SNMP

now connected into backup.simnight.com

Active Directory Found (AD)
Backup files found

Daily backup Policy
User: backupadmin
Path: backup.securebackup.io

Password Cracking Filesystem (Like Hydra in reality)
eHarmony + Rockyou + John the ripper = Under 5 Minutes of cracking time (Acceptable for a single sitting attack)

And I’m in

Password for level 5 is angel

Going back to 37alpha.onion

/level05
Level 5
User: jmilton

Welcomed to a seeming path of light

Mission Complete

Bounties

Infiltrating Big Pharma – CSIS

Infiltration of Pharmaceutical Companies to find the ERP servers with a Target URL of aventech.com

DNS sFuzz & OSINT

www.aventech.com UPDATED

vpn.aventech.com VULN

Port: 4501

Tech: CiscoVPNClient

Exploit DB: UDP & Content Spoofing

FOXACID

localhost >> vpn.aventech.com

No new records for Internal DNS

Network Scan

/printer/b-w

/printer/color

/server-01/accounting/msexchange

/server-01/hr/msexchange

/server-02/sales/mssql

/server-03/accounting/erp (PATH OF THE ERP SERVER)

NO VULNS VIA DIG

NO WIFI

NO ARP

Downed US Drone – GCHQ G7.0001

145.155.189.0
Thursday 21:00
Find the person responsible
 
The info I have is an IP address and a time, so I know that Wi-Fi will be involved.

The only DNS tools that take IP addresses are the OSINT scans, and WHOIS comes up private
 
Osintscan  145.155.189.0 -s google.com bing.com -d 1000
 
Pulls up
udiwdp.kqyx1rvr4o.com
a5hsd5.ct7etrhqzb.com
 
osintscan ct7etrhqzb.com -s google.com bing.com -d 1000
 
After a bit of DNS exploring, I find login.sf-drones.com
 
And it’s vulnerable after scanning it
 
UDP
crafted SMTP
 
network scan results in the inaccessible file system /sys/drones
Worth a shot. Now time to check out the wifi like the mission hinted in the beginning
After running airodump and cracking the wireless network's handshake, the connection logs show the device that connected on Thursday around 21:00, and it turns out to be a Huawei phone. After a bit of digging around the phone's messages, emails and notes, I find that the owner of the phone is Zi Feng

GCHQ G7.0002

GCHQ is looking for proof that G-NOME is selling data in the dark
 
Their website is: g-nome.org
Objective: Find the operation project name for the data sale
 
Social Engineering Doesn’t work for the G-NOME domain
 
Doing an osintscan with Google and Bing resulting in 
 
store.g-nome.org | PayPal-v5.3 | 80
 
Now opening up Foxacid after doing Exploit Research
SST
Alpha Exploit
 
—–  localhost >> store.g-nome.org —–
Network Scan finds
 
/main-srv01/staff  Active Directory Vulnerable
 

Foxacid on the AD server

/main-srv01/staff
ActiveDirectory
445
SPX
Assasin
Crafted SNMP

XKey Score popped Up
Financial Records pull up that they’ve got 4 months of runway

Cunningham does data
Peter is CEO
Chloe is the project manager

Peter spoke with Chloe about the companies finances and then asked Spencer to speak to Naomi to prep samples to Sell the data and prevent a paper trail

It’s called Project Upward Spiral mentioned in the documents between Naomi and Spencer

 

Missing Reporter GCHQ G7.0003?

Finding Sebastian Bird from the globalgazette.com by finding the company name he was investigating.

DNS
www.globalgazette.com
uk.globalgazette.com
world.globalgazette.com
contactus.globalgazette.com
m.globalgazette.com

contactus.globalgazette.com 80 | MSExchange
TCP/IP
Alpha

IN

Network Scan

AD /srv1/members

Bird’s file pulls up a filebrowser cache location
gg-w6a2xb.mecachemws.com
user: s.bird
Using known info to narrow the password scope

peabody – accolade
BJA – British Journalism Awards
reporter – what he is
samantha – Sister

Password found in
Linked In
Social Media

Logged in and he was investigating GNOME for selling genetic information

 

Surefire Arms Crowd Control Equipment – GCHQ G7.0007

surefirearms.com R&D
 
PDF
IT Support
r&d SERVER ACCESS
 
projects.login
 
Crowd control equipment part of the weapons division
 
Vulnerable Domains
dfleet.surefirearms.com 6363 PowerShell
 
administration.surefirearms.com 80 PHP-7.0.4 CLEARED
 
rnd-ftp.surefirearms.com 21 CiscoVPNClient
 
___________________________________
login-wd.surefirearms.com 6655 CiscoVPNClient Weapons Division
 
UDP
Content Spoofing
 
/database/serial_numbers
Weapons Division Database Manager is
 
erle.borlaug
k33pingthe_worldsafe
 
Password Cracked with ROCKYOU
 
________
 
Auction Schedule Thursday at 1600
Apple Phone
 
+44 7700 900856
Burner phone
_____________________
 
Crowd Control package Reassigned to the Security Division
 
 
login-sec.surefirearms.com 1156 OracleAppServer
TCP/IP Custom SOAP
 
/sec/op_wallfly_results
 
 
maddison.lawson Director of Security (Very difficult to crack password according to Matilda)
 
matilda.creswell
 
password hint
$the onlyenglishwordwiththreeconsucutivedoubleletters 1984$   (there are other such words, but bookkeeper is the best-known one)
 
$bookkeeper1984$
 
___________________
 
Wi-Fi device select brute-force (the admin file tells when she has her check-in times)
 
LG
Checking Hot spot = connects to a new network which contains a file directory after doing a network scan
 
/sec/encryptions
 
 
BOAR Cipher
Cipher Text Delta-Level Encryption of dirt on countries
 
A – 11    B – 12    C – 13    D – 14    E – 15    F – 21    G – 22    H – 23    I – 24    K – 25    L – 31    M – 32    
N – 33   O – 34    P – 35    Q – 41     R – 42   S – 43    T – 44     U – 45   V – 51   W – 52   X – 53    Y – 54    Z – 55
 
Cracks 
South Africa
1 | 4 | 4 | 2 | 1 | 3 | 3 | 4 | 4 | 3 | 3 | 4 | 2 | 3 | 3
4 | 2 | 5 | 2 | 3 | 4 | 3 | 3 | 5 | 2 | 5 | 4 | 4 | 4 | 3
d | r  | u | g | c | o | n | s | u | m | p | t |  i | o | n
SFZAdrug.jpg
 
Mexico
1|3|1|1|2|3|1|1|3|3|4|4|3 |3|4|2|3|3|1|1|3|3 |1|1|2|4|1|3|3|4|4|3 |3|4|2|3 |3|1 |4|4 |3|2 |1|3|1|1 |2|1|5|2|3|4
3|4|3|1|4|3|5|3|4|3|3|5|2 |5|4|4|4|3|3|1|3|3 |1|2|4|3|3|4|3|3|5|2 |5|4|4|4 |3|4 |2|5 |3|5 |5|3|2|5 |3|1|1|4|4|2
c|o|c|a |i |n|e|c|o|n|s|u|m|p|t |i |o|n|c|a|n |n| a|b|i |s|c|o|n|s|u|m|p|t |i |o |n |d|r |u |n|k |e |n|b|e|h |a|v|i |o|r
SIMZBurg.wmv
 
I got a better idea: instead of doing this manually I could just write solid Python code once and it would solve these more effectively. The code isn't finished, since my internet shut down, so I have part of a functioning program which converts the cipher text to numbers so I can decrypt manually.
 
China
mgbcsarmwrfsbtafcqrbaqebcfdasqckysgtlbedftlcguccznlmy
32221213431142325242214312441121134142121141151213211
41143411325544322443112151421443113224513135533313254
officials meeting with far left radicals briefcase exchanged
SFCNExchange.jpg
 
EU
mgbcuiiravsrcntfllcmhdhiasqcdosltgtpesofzyuoeim
32221213452424421151434213334421313113322314232
41143411314344331442244351543342155544534152432
officials visit shady brothel possible pedophile ring
SFEUBrothel.jpg
 
Indonesia
mgbcqmbhgnqasuafwosvquncntfpmntqdoapmbsipkqtikldrtfimrxynrdioh
32221213413212232233411143451121523443514145331333442135323344
41143411353212432435254144242531144244212432425354334214243423
Officials engaging in predatory behavior towards women possibly minors
SFIDPredator.wmw
 
Turkey
vroqtfntnrnccqmblaceaiuokhspktscuwdooxxo
5142344144213344334233131341321231111315
1124453425234335254443134552143434535334
various drug consumption and public indecency
SFTRDrug.wmv
 
Brazil
odfcteqldcokdrcosohpkouopoevqogtkhspkts
341421134415413114133425144213344334233
525344534353415514134224425234335254443
President sex tape at an orgy. Drug consumption
SFBROrgy.wmv
 
I finished the python program 1.0.
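The BOAR table and the digit rows above, as an added worked example; this is my own decoder, not the author's Python program (which the page does not reproduce) and not anything from the game. The table is the classic 5x5 Polybius square with J folded into I, and the two digit rows that precede each plaintext are exactly what the Bifid cipher produces: write the row coordinate of every plaintext letter on one line and the column coordinate on a second line, read the whole digit stream off in pairs, and turn the pairs back into letters. Decrypting one of the later entries is therefore the reverse: cipher letters to coordinate digits, cut the stream in half, pair the halves position-wise. The China ciphertext from the notes is embedded as the sample input; its two digit rows and its plaintext come out exactly as written above.

```python
# Added decoder for the BOAR table above (my own code, not the author's program).
SQUARE = "ABCDEFGHIKLMNOPQRSTUVWXYZ"   # 5x5 Polybius square, J folded into I, row-major


def letter_to_coords(ch: str):
    """Letter -> (row, col), 1-based, matching the table (A=11 ... K=25, L=31 ... Z=55)."""
    i = SQUARE.index(ch.upper().replace("J", "I"))
    return i // 5 + 1, i % 5 + 1


def coords_to_letter(row: int, col: int) -> str:
    return SQUARE[(row - 1) * 5 + (col - 1)]


def decode_rows(top: str, bottom: str) -> str:
    """South Africa / Mexico form: the top digit row is paired position-wise with the bottom row."""
    top, bottom = [d for d in top if d.isdigit()], [d for d in bottom if d.isdigit()]
    return "".join(coords_to_letter(int(r), int(c)) for r, c in zip(top, bottom))


def bifid_rows(ciphertext: str):
    """Turn cipher letters into the two digit rows the notes write out: each letter becomes
    its two coordinates, and the whole digit stream is cut in half (Bifid with period = length)."""
    letters = [c for c in ciphertext.upper() if c.isalpha()]
    stream = [d for ch in letters for d in letter_to_coords(ch)]
    n = len(letters)
    return stream[:n], stream[n:]


def bifid_decrypt(ciphertext: str) -> str:
    top, bottom = bifid_rows(ciphertext)
    return "".join(coords_to_letter(r, c) for r, c in zip(top, bottom))


def bifid_encrypt(plaintext: str) -> str:
    """Inverse, to confirm the layout: rows of all letters, then columns, re-paired into letters."""
    coords = [letter_to_coords(c) for c in plaintext.upper() if c.isalpha()]
    stream = [r for r, _ in coords] + [c for _, c in coords]
    return "".join(coords_to_letter(stream[i], stream[i + 1]) for i in range(0, len(stream), 2))


# Sample input: the China ciphertext from the notes above.
CHINA_CT = "mgbcsarmwrfsbtafcqrbaqebcfdasqckysgtlbedftlcguccznlmy"

if __name__ == "__main__":
    top, bottom = bifid_rows(CHINA_CT)
    print("".join(map(str, top)))
    print("".join(map(str, bottom)))
    print(bifid_decrypt(CHINA_CT))
```

The encrypt function is there as the check: if the square or the split were wrong, re-encrypting the recovered plaintext would not give back the original cipher letters. Because the period equals the message length, a single wrong letter in the ciphertext shifts the second half of the stream and garbles everything after the split point, which is why the notes' row-by-row manual method is so error-prone.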
 
 
Italy
officials engaging in sexual aggression on a Japanese official’s aide
SFITAttack.wmv
 
Russia
officials meeting with far right radicals brief-case exchanged
SFRUExchange.jpg
 
Saudi Arabia
Officials partaking in homo sexual sex party
SFSASex.wmv
 
India
Officials attacking a homeless man for fun (wtf)

SFINAttack.wmv

Germany
Proof of president’s Parkinson’s disease.
SFGEParkinson.wmv
Australia
Prime minister racist rant against Chinese officials. Drunk behavior
SFAURacism.wav
United States
Officials hiring prostitutes. Cocaine consumption.
SFUSProstitute.wmv
Canada
Prime minister adultery with Japanese mistress. BDSM
SFCAPMBDSM.wmv
France
Prime minister receiving bribes from secret chinese investors.

SFFRBribe.jpg

Argentina
Officials meeting with CIA agents. Briefcase exchanged.
SFARExchange.jpg
South Korea

Officials meeting with members of the Yakuza. Cocaine consumption.
SFKRYakuza.jpg
