Tutorial Hacker Evolution

7/23/2019 Tutorial Hacker Evolution

1/21

Level 0

Below is the in-game tutorial text in its entirety (copyright Exosyphen Studios of course):

he first level in the game is a simple tutorial! in which you will get to learn all aspects of the game" #ou

can also follow the instructions you receive in the game" $s soon as you start the level! you receive a

message" he message instructs you to crac% the following server: desk-11.corporate.com" ype the

following command in the console to crac% the server:

crack desk-11.corporate.com

&ait for the crac% to finish" $fter this! the first level o'ective is completed" #ou can press * to see the

level o'ectives and their status"

+ext! we should connect to des%-,,"corporate"com and loo% for a hint for the next server" ur second

o'ective is to hac% into the main corporate server" ype the following command to connect to desk-

11.corporate.com:

connect desk-11.corporate.com

+ext! type:

ls

to view what files are availa'le on the server" here is one file availa'le! called: access.log" o display its

contents! type:

cat access.log

#ou will notice a hint to: desk-25.corporate.com" he host it not visi'le on the target map" o reveal it! use

thescancommand:

scan desk-25.corporate.com

+ext! type:

logout

to disconnect from desk-11.corporate.com"

+ow! it.s time to hac% desk-25.corporate.com" he server has an encryption %ey which must 'e decrypted

first" o do this! type:

decrypt desk-25.corporate.com

&ait for the decrypt process to finish" +ext! you will have to hac% the service running on port */ on desk-

25.corporate.com" o do this! type:


2/21

crack desk-25.corporate.com 25

and wait for the crac% to finish" +ext! we have to connect to desk-25.corporate.comand read the

instructions in the file that is present on the server" o do this! type:

connect desk-25.corporate.com 25

cat instructions.txt

logout

+ote: #ou can scroll the console window contents with the mouse! or using the g1p2g3n %eys"

+ow! you have to follow the instructions in the file! to hac% into main.corporate.com" irst! you have to

reveal the server on the target map" o do this! type:

scan main.corporate.com

#ou will notice that it has a */4 'its encryption %ey" #ou have to setup a 'ounced lin% to avoid 'eing

traced when decrypting this encryption %ey" o do this! clic% on : desk-11.corporate.comand desk-25.corporate.com" #ou will notice that they have 'een added to the 'ounced lin%" +ow you can proceed to

decrypt the encryption %ey" ype:

decrypt main.corporate.com

&ait for the decrypt process to finish" +ote: o learn more a'out 'ounced lin%s! type: bouncehelpin the

console"

+ext! you will have to hac% the service running on port 55 on main.corporate.com" he password is ,4

characters long! so you have to leave the 'ounced lin% in place to 'e a'le to do this" ype:

crack main.corporate.com 99

and wait for the crac% to finish" $fter you are finished! remove the hosts from the 'ounced lin%! 'y clic%ing

on them" +ote: 1se the 'ounced lin%s carefully! as you can only 'ounce 6 times through a hac%ed host"

+ext! you will have to crac% the service running on port 75" 8t uses an ,9 character long password! so

even using a 'ounced lin%! you will still get traced" here is another way for this" ind the password" o do

this! connect tomain.corporate.comon port 55! and loo% inside the password.datfile:

connect main.corporate.com 99

cat password.dat

logout

he password is: mywordismypassword" 1se the password to crac% the service running on port 75:

login main.corporate.com mywordismypassword


3/21

he second level o'ective is now completed" (ress * to view your o'ectives)" +otice that there is

some money availa'le on main.corporate.com" o transfer it! connect to the server and transfer the

money in * chun%s! to avoid 'eing traced:


transfer 1000

transfer 500

logout

&ait for each transfer to finish! 'efore starting the next one! and logout when you are done"

+ext! you receive a new message with further instructions" $lso! it.s a good time to reduce your trace level

(you can see this in the system panel window)" o do this! type:

killtrace

3on.t use it more than once at this time! as you will need the money to finish the level" Each time you use

thekilltracecommand! your 8 address is changed! and you are charged /00 for this service" +ote:8f your trace level reaches ,00;! you lose the game and have to restart the level"

Let.s read the new instructions" ype:


cat instructions2.txt

logout

#our next target is secure.corp.net" 1se the scancommand to reveal it on the map:

scan secure.corp.net

1se a 'ounced lin% to decrypt its encryption %ey" $fter you have setup a 'ounced lin% through , server!

type:

decrypt secure.corp.net

and wait for the decrypt process to finish" he service running on port ,75 has a 47 character long

password! which you can.t hac% now" o hac% this service! you must retrieve and use an exploit" o do

this! type:


download securecontrol149.exploit

logout

exec securecontrol149.exploit secure.corp.net

o complete your 6rd level o'ective! you have to retrieve and upload the virus file to secure.corp.net" o

do this! type:


4/21


download x!irus.bin

logout

connect secure.corp.net 149

upload x!irus.bin

logout

&ait for each command to finish! 'efore typing the next one" #our 6rd level o'ective is now completed"

#ou will notice that your trace level has reached a pretty high value" #ou must reduce it in order to avoid

'eing traced and to complete your 7th level o'ective (reduce your trace level 'elow 40;)" o reduce your

trace level! you have to connect to each server you have hac%ed! and delete the logs! using

the deletelogscommand" o do this! type:


deletelogs

logout


deletelogs

logout


deletelogs

logout

connect secure.corp.net 149

deletelogs

logout

#our trace level should 'e low enough now" o complete the last o'ective (and the level)! you must o'tain

*000 in your account"


5/21

discovering all servers on the level" here.s /00 on that server! 'ut it.s not worth the trou'le considering

how much you.ll ac% up your trace level in order to get it"

Below is an alternative set of instructions - more compact and efficient! 'ut lac%ing the educational

element:

scan desk-11.corporate.com

crack desk-11.corporate.com


deletelogs

ls

cat access.log

+otice the entry for desk-25.corporate.com"

scan desk-25.corporate.comlogout

decrypt desk-25.corporate.com

crack desk-25.corporate.com 25


deletelogs

ls

cat instructions.txt

logout

scan main.corporate.com

$dd desk-11.corporate.comto the 'ounce lin%" +ote the tutorial text erroneously calls for two hosts on the

'ounce lin%! while a single one is sufficient"

decrypt main.corporate.com

crack main.corporate.com 99

=emove desk-11.corporate.comfrom the 'ounce lin%"


deletelogs

lscat password.dat

+ow you %now the password for the service on port 75: mywordismypassword

logout

login main.corporate.com mywordismypassword


6/21

$dd desk-25.corporate.comto the 'ounce lin%" his allows us to transfer all ,/00 in a single transaction"


transfer 1500

deletelogs

ls

download securecontrol149.exploit

download x!irus.bin

cat x!irus.bin

+ote the virus source: secret.exosyphen.com

scan secret.exosyphen.com

cat instructions2.txt

logout

scan secure.corp.net


7/21

Level ,

Before you start wor%ing on your o'ectives! notice where your instructions are coming from: root@xenti-

com.net" hat.s your clue as to a hidden server on the level:

scan xenti-com.net

+otice it has no encryption %ey and the service running on port */ re>uires no password" Let.s have

a loo%:

connect xenti-com.net 25

ls

$ha! there.s an exploit for remote access service running on port 555! which we could use to gain access

to the other service on this server?

download remoteaccess999.exploit

logout

exec remoteaccess999.exploit xenti-com.net


ls


8/21

8t gets even more interesting? here.s another exploit here - this one for port 75 - manual override" Let.s

get it too and gra' the money while here as well:

download manualo!erride49.exploit

transfer 500

deletelogs

logout

+ow that we.ve pilfered everything we could get our hands on from xenti-com.net! let.s start with our

o'ectives"

#our first order of 'usness is to hac% into the server of the u'lic @ar =egistration Service

(pcrs.citycom.net) and delete its data'ase so your car can.t 'e scanned:

scan pcrs.citycom.net

&onderful? &e could use the remote access exploit and save on the glo'al trace hi%eup:

exec remoteaccess999.exploit pcrs.citycom.net

connect pcrs.citycom.net 999

ls

delete database-kernel

logout

#our first o'ective is now complete"

+ow let.s hac% into the traffic signal:

scan ctrl-45.citycom.net

8t gets 'etter and 'etter? $ren.t you glad you hac%ed that hidden serverA Let.s use the manual override

exploit here:

exec manualo!erride49.exploitctrl-45.citycom.net

connect ctrl-45.citycom.net 49

ay attention to the welcome message" 8t mentions something a'out drill-rgn"

ls

$ha! there.s that file"

cat drill-rgn

&ell! we already %new a'out node.citycom.net! so nothing new here" 8dle curiosity might come in handy

later though"""

Let.s get 'ac% to our o'ective" &e need to delete the file controlling the red light:


9/21

delete control-red

he second o'ective is now complete"

+ow for those who are curious why deleting the red control file would loc% the light on red! let.s examine

the light control script (you can s%ip this since it.s not part of the solution):

cat light-controller

$ha! if the file doesn.t exist! the light is set on that color and the script terminates" 8nteresting way of

coding""" Still! myself 'eing a professional programmer! 8 couldn.t help 'ut notice a 'ug in the script" nce

the traffic light script gets running! it.ll no longer ma%e those initial chec%s and instead it will loop through

the remaining files" So the real effect of deleting the red control file is the light will cycle 'etween yellow

and green only" ow did this 'ug ever slip through C$ testing 8 wonder""" $nyway! 'ac% to our o'ectives"

logout

Even though the third o'ective has 'een chec%ed since the 'eginning of the level! we.ll need money todrop our trace level eventually! so it.s a good idea to stoc% up" hat.s what the $< at the corner is for!

rightA

scan atm.central-bank.com

retty easy to hac% (ignore the advice for using a 'ounced lin% - you don.t need it) and it has 7000 for

our efforts" +ow that we have three servers hac%ed! we can use them in a 'ounce lin% to get the entire

sum in a single transfer using our puny ,


10/21

+ow that our trace level is in the 60-s! let.s concentrate on the guy.s cell phone" irst! let.s see that cell

phone tower and what can we gather from there:

scan 2-45.gsm

his is a 'it tougher than the previous servers" #ou need a 'ounced lin% for 'oth decryption and crac%ing

the password on the remote monitor service (no handy exploits anymore""")" =emove all hosts from the

'ounce lin% and add atm.central-bank.comalone"

decrypt 2-45.gsm

crack 2-45.gsm

=emove atm.central-bank.comfrom the 'ounce lin%"

connect 2-45.gsm

deletelogs

ls

Before we proceed with the handsetpool file as directed! there.s an interesting tid'it in the errors log file:

cat error.log

See! the camera connection was lost" hat.s the other hidden server on the level"

scan camera-"5.citycom.net

&e won.t get anything out of hac%ing into the camera! 'ut this gets us the /00 end level 'onus for

discovering all servers and it only costs us ,; glo'al trace level"

+ow let.s go 'ac% to the handestpool file:

cat handsetpool

%! time to use our logic" he instruction says to figure out the channel from the handsetpool file" &e

%now our stal%er is sitting tight! so the only fixed2sta'le phone must 'e his" &e need to loo% into channel 6

to find his cell phone address:

cat channel-"

&ell! that was easy" is phone.s address is channel-3.2-45.gsm"

scan channel-".2-45.gsm

logout

his one is even tougher to crac%" &e.ll need * hosts in the 'ounce lin% to decrypt it and to crac% each of

its * services" &e do want to crac% them 'oth so we can tap the ,/00 within"

$dd 2-45.gsmand xenti-com.netto the 'ounce lin%"


11/21

decrypt channel-".2-45.gsm

crack channel-".2-45.gsm 9#

+otice xenti-com.netdropped from the 'ounce lin%" he game actually has a 'ug and says we are using a

single host in the 'ounce lin%! 'ut that.s wrong" &e use 'oth hosts in the 'ounce lin%! 'ut xenti-com.net.s

'ounce count dropped to Dero and it.s no longer usea'le" $dd atm.central-bank.comto the 'ounce lin% to

ma%e it two servers again after the previous crac% finishes"

crack channel-".2-45.gsm 99

+ow we see another game 'ug in addition to the one we saw a'ove" he lin% is reported with a single

host and as 8 mentioned a'ove this is wrong" owever! 'oth hosts had a single 'ounce count remaining

and only 2-45.gsmdropped to Dero! while atm.central-bank.comremained at 'ounce count of , (it should

have dropped to Dero as well)" #ou can leave it in the 'ounce lin% or replace it with another server if you

want" $t any rate! you need one server in the 'ounce lin% 'efore you proceed so you can transfer all

,/00 in one go"

connect channel-".2-45.gsm 9#transfer 1500

deletelogs

hew! we shed whopping ,5; of trace level? Let.s get 'ac% to hac%ing"

ls

download call.log

logout

=emove the only server from the 'ounce lin% (if any)"


upload call.log

logout

+ow all 'ut o'ective 7 are completed" ype killtraceas many times as needed to drop your trace

level 'elow /0; and you are done" 8 ended with 7/; trace level and //00" +ote that it.s not worth

pursuing upgrades ust yet since you have only 6/00 of disposa'le money and the upgrades you are

after are at 7000"

Level 2

Let.s start 'y loo%ing at the xenti-com.netserver which is openly visi'le and accessi'le this time:

scan xenti-com.net


ls


12/21

&ell! there.s a cell phone troan we.ll need later on! 'ut no handy exploits this time so we.ll have to rely on

regular crac%ing" his does mean we.ll need >uite a 'it of dough to cover our trac%s"""

download cell-tro$an.app

logout

+ow let.s have a loo% at the cell tower:

scan 45-2011.tower.gsm

&ell! it.s a good thing we have the open xenti-com.netserver! since we need it for hac%ing into the cell

tower" $dd it to the 'ounce lin%"

decrypt 45-2011.tower.gsm

+ow remove xenti-com.netfrom the 'ounce lin%"

crack 45-2011.tower.gsm 1"9connect 45-2011.tower.gsm 1"9

deletelogs

killtrace

ls

cat handset.pool

here.s a single sta'le2fixed channel - channel 4" Let.s investigate:

scan channel-%.45.gsm

logout

&e got a hold of the assailant.s cell phone" ime to hac% it" $dd 45-2011.tower.gsmto the 'ounce lin%"

decrypt channel-%.45.gsm

crack channel-%.45.gsm 299

=emove 45-2011.tower.gsmfrom the 'ounce lin%"

connnect channel-%.45.gsm 299

deletelogs

killtrace

ls

cat sync.log

+otice the guy is periodically sync-ing his cell phone with his computer" +aturally we need the last 8

address"

scan 24".14"."5.99


13/21

&e.ll need two hosts in the 'ounce lin% for this one" $dd channel-6.45.gsmand xenti-com.netto the

'ounce lin%"

decrypt 24".14"."5.99

crack 24".14"."5.99 21

+otice xenti-com.netdropped from the 'ounce lin%" =emove channel-6.45.gsmfrom the 'ounce lin% as

well"

connect channel-%.45.gsm 21

deletelogs

killtrace

ls

8n order to wipe out his computer! we need to delete his @ drive:

delete dri!e-c.encrypted

logout

#our second o'ective is now complete" he instructions call for finding the guy.s cell phone again and

upload a troan" &e already got the troan from xenti-com.net! so let.s concentrate on locating the cell

phone again" &e need to see where did channel 4 get transferred to in the S< tower"

connect 45-2011.tower.gsm 1"9

ls

cat switcho!er

$ccording to the log! channel 4 got transferred to channel * in the same tower" &eird"""

scan channel-2.99.gsm

Before we get out of here! let.s try all the other cell phones! we might find a hidden server""" #es? channel

5 has some'ody in range?

scan channel-9.45.gsm

+otice there.s some money on it too! so it.s worth hac%ing" or now we have sufficient money! so let.s get

'ac% to our o'ective" $dd channel-6.45.gsmto the 'ounce lin%

decrypt channel-2.99.gsm

&ith that host spent we need another host to 'ounce through for crac%ing the password" $dd 45-

2011.tower.gsmto the 'ounce lin%" 8t.ll 'e spent after this as well"

crack channel-2.99.gsm 299

connect channel-2.99.gsm 299

deletelogs


14/21

killtrace

upload cell-tro$an.app

ur 6rd o'ective is now complete" &hile here! let.s start wor%ing on the 7th o'ective as well"

ls

download gps.log

+otice there.s yet another file that didn.t exist 'efore" Let.s investigate"

cat wireless.log

$ha! the guy was snooping for wireless networ%s""" e managed to find a wireless cafe! so let.s

investigate:

scan wireless.cafe.com

+ice - more money"

logout

+ow we need to find that military satellite" he only unexplored lead we have is that guy.s computer and

the second service running on it" owever! we are in a 'it of >uandary" &e need * hosts in the 'ounce

lin% in order to crac% the password and we only have the guy.s new cell phone address to 'ounce

through" ime to explore the side servers we found a'out (and get the money while at it too)"

decrypt channel-9.45.gsm

$dd channel-2..gsmto the 'ounce lin%"

crack channel-9.45.gsm 9999

connect channel-9.45.gsm 9999

transfer 1500

deletelogs

killtrace

logout

=emove channel-2..gsmfrom the 'ounce lin%"

decrypt wireless.cafe.com

$dd channel-.45.gsmto the 'ounce lin%"

crack wireless.cafe.com 200

connect wireless.cafe.com 200

transfer 1500

deletelogs


15/21

killtrace

logout

$dd wireless.ca!e.comto the 'ounce lin% too"

crack 24".14"."5.99 99

+otice channel-.45.gsmis now spent for 'ouncing" =emove wireless.ca!e.comfrom the 'ounce lin% as

well"

connect 24".14"."5.99 99

deletelogs

ls

+ice! let.s get that exploit and loo% through the other files"

download targetlock999.exploit

cat control.h

here was nothing in the source file! 'ut the header has a surprise - the address of the military satellite"

scan link-245.satellite.military

logout

$dd 243.143.35.and wireless.ca!e.comto the 'ounce lin%"

decrypt link-245.satellite.military

crack link-245.satellite.military ###

wireless.ca!e.comis now spent! 'ut we no longer need 'ouncing" =emove 243.143.35.from the

'ounce lin% as well"

exec targetlock999.exploit link-245.satellite.military

connect link-245.satellite.military 999

deletelogs

upload gps.log

logout

he guy is now history" &e are almost done here" +ote we need to free up some space for the

identification file 'efore we download it"

delete cell-tro$an.app

connect link-245.satellite.military ###

download id.file

hat finishes the fourth o'ective" &e should have enough money at this point for the last o'ective! and

as for the trace level - execute killtraceif necessary to drop 'elow 90 - you should already 'e 'elow

90 if following the guide step 'y step" 8 ended the level with F9; trace level and //00"


16/21

Level 3

his level is solved while dancing on a tight rope 'alancing your money and trace level" $ny step astray

and you lose trace points! which means money" his level you also get your first upgrade - an 9m'ps

modem"

8 started this level with //00 and F9; glo'al trace level"

or starters! ignore the advice to use your old password" 8t won.t wor% and will unnecessarily add ,; toyour trace level" Loo% around instead:

scan access.xenti-corp.com

+otice the service on port ,0*7 has the L$+ router address on it" Let.s investigate:

scan lan-router.xenti-corp.com

$'out this time you should receive an email from your security department" +ote the server it.s sent from:

scan sec.xenti-corp.net

inally a server we can hac% into" 8nterstingly! the security department has the wea%est level of security"""

But first! we need to drop our trace level a 'it"

killtrace

killtrace

killtrace

decrypt sec.xenti-corp.net

crack sec.xenti-corp.net 992

crack sec.xenti-corp.net 999

connect sec.xenti-corp.net 999

deletelogs

ls

+ice - two exploits here"

download lanstatus#0#1.exploit

download secureimap99".exploit

logout


17/21

Let.s use the exploits we ust got to fully hac% the security server and open one of the ports of the L$+

router:

exec secureimap99".exploit sec.xenti-corp.net

exec lanstatus#0#1.exploit lan-router.xenti-corp.com

killtrace

+ow we can finally achieve our first o'ective:

crack access.xenti-corp.com 1024

$dd sec.xenti-corp.netto the 'ounce lin%"

crack access.xenti-corp.com

=emove sec.xenti-corp.netfrom the 'ounce lin%"

connect access.xenti-corp.com

deletelogs

logout

killtrace

+ow it.s time to tac%le the L$+ router" $dd 'oth sec.xenti-corp.netand access.xenti-corp.comtothe 'ounce lin%"

decrypt lan-router.xenti-corp.com

=emove sec.xenti-corp.netand access.xenti-corp.comfrom the 'ounce lin%" &e already openedport 909,! so we can finally connect to the L$+ router" &e can cover our trac%s now since we won.t need

to crac% its other port"

connect lan-router.xenti-corp.com #0#1

deletelogs

ls

&e are told to loo% for Gohn.s computer and the logical place is the router.s 3@ ta'le:

cat dhcp-table

scan $ohn-4".xenti-corp.com

logout

=ight after we do this! we get a mail from an old ac>aintance - Steve" +otice his challenge and ta%e him

up on it"

scan mail.ste!e.ser!er

killtrace

killtrace


18/21

decrypt mail.ste!e.ser!er

exec secureimap99".exploit mail.ste!e.ser!er

crack mail.ste!e.ser!er 99

connect mail.ste!e.ser!er 99

deletelogs

download documents2%1.exploit

logout

killtrace

ood old Steve saves us the trou'le of crac%ing one of Gohn.s services"

exec documents2%1.exploit $ohn-4".xenti-corp.com

connect $ohn-4".xenti-corp.com %1

ls

+otice the credit card receipt there"

cat cc-receipt.pdf

$ha! we now have an $< to replenish our money" +otice how we still haven.t touched the money in

sec"xenti-corp"net" &e.ll do so after we upgrade our modem with money from the $


19/21

ime to tac%le the $


20/21

connect ground2.ste!e.ser!er 21

deletelogs

ls

Splendid - another exploit we can use on Gohn.s computer?

download documents1%0.exploit

logout

exec documents1%0.exploit $ohn-4".xenti-corp.com


ls

ere.s the letter! 'ut it re>uires all of our memory""" Let.s clean up first"

logout

delete documents1%0.exploit

delete documents2%1.exploit

delete lanstatus#0#1.exploitdelete secureimap99".exploit


download letter-1101200#.doc

logout

connect mail.ste!e.ser!er 99

upload letter-1101200#.doc

logout

+ow all that remains is to hac% that camera server and ta%e care of our trace level" But first! where is the

camera serverA =emem'er the $H8 file you saw on the first service we crac%ed on Gohn.s computerA Let.s

investigate"


ls

cat cam.a!i

logout

$ha! as expected! the $H8 file contains the address of the camera that too% it"

scan camsur!.xenti-com.net

he camera server has a password that re>uires 6 'ounce lin%s" Luc%ily! with Gohn.s computer now fully

hac%ed we have 6 hosts we can use for hac%ing"

$dd#ohn-43.xenti-corp.comto the 'ounce lin%"

decrypt camsur!.xenti-com.net

$dd atm-12.!csb.comand mail.ste"e.ser"erto the 'ounce lin% as well"


21/21

crack camsur!.xenti-com.net ###

mail.ste"e.ser"erhas no more 'ounce 'ounces left" =emove the other servers from the 'ounce lin%as well" &e won.t need more 'ounces anyway"

+ow the only remaining o'ective is to 'ring our trace level 'elow /0;" or starters let.s cover our trac%sat the camera server:

connect camsur!.xenti-com.net ###

deletelogs

logout

+ow simply execute killtraceenough times to 'ring your trace level 'elow /0;" 8 ended up at 7*;

trace level with ,000 in hand"

Tutorial Hacker Evolution

Documents