Untitled

.:: On the Christmas Day of 1994... ::.

[subsystem 6: worth 3500 points]

~=~=~=~=~=~=~=~=~=~

The final code to disable MS-42 positronic network is jealously
guarded by a host with an extremely strong password. All our efforts
to crack its accounts failed in vain.

However, our undercover agents were able to map the network
configuration out before having their brains wiped out by Messy. They
discovered the presence of an ancient form of trust relationship
between two hosts, "server"--whose IP address is 172.16.1.1--and
"x-terminal"--with an IP address set to 172.16.1.100. In particular,
"x-terminal" completely trusts "server" and asks for no password when
connections come from "server" itself!

Unfortunately, we have not been able to hack into "server" (no weak
accounts) nor into "x-terminal", which stores the secret code. In
addition, the network 172.16.1.0/24 is only reachable via a VPN
gateway Messy set up.

There are good news, tho. We were able to get access to the VPN
gateway and installed a backdoor for our future use: the time has come
now to show the machines WE deserve to live! The information about the
gateway from which our final attack will be fired up are:

   Host: <host>
   Port: <port>
   Protocol: ssh
   User: SusanCalvin
   Password: <password>

We are pretty sure that a key point for a successful attack against
the trust relationship requires to flood a service on 172.16.1.1
("server"). Unfortunately, Messy is very good at detecting flooding or
DoS attempts (and syncookies are on too): we cannot be noisy at all!
Luckily, we have found out that "server" can be tricked into disabling
specific ports: all you have to do is to send 10 or more spoofed TCP
segments at a very low speed (1 sec/per segment) with the payload
"disable". A similar behavior can be exploited to re-enable a
previously disabled port: sending 1 TCP segment with the "enable"
payload would do.

The secret code is on 172.16.1.100 ("x-terminal") under the user
"tsutomu". You are our only hope...