June 4, 2013

The NetHack Challenge Detailed Review

The NetHack competition for network security experts was held during the Positive Hack Days III forum. The participants had 50 minutes to gain access to five network devices and capture the flags stored on them. The game network reproduced typical network infrastructure vulnerabilities that Positive Technologies experts encounter during security assessments and penetration tests. Today we would like to bring to your attention a detailed review of the contest tasks.


To give the contest a special appeal, the game infrastructure was built around a legend. Here it is.

An equipment failure has occurred at a large hydroelectric power station, resulting in the loss of connection between the central Industrial Control System (ICS) and the water discharge units. Continuous heavy rain in the surrounding area has significantly increased the inflow into the storage pond. Specialists estimate that the pond will overflow in fifty minutes and the water will pour over the dam, flooding the city. To prevent the disaster, one must gain access to the five faulty units and reconnect them to the central ICS so that the emergency sluices can be opened.

The contest layout

The game infrastructure was built according to the following layout:

The participants were to gain access to five network devices, find the MD5 flags left in their configurations and enter them into a form on a special web page. The first participant to find and enter all five flags would win first prize.

Obtaining the first flag

Getting into Router1 is easy: we just log in with the account 'cisco' and the password 'cisco'. We get the first flag at once:

Obtaining the second flag

Obtaining the second flag takes some skill. The first thing to do once we are on the device is to look through its configuration and at the list of neighboring devices (CDP neighbors).


We find that we are connected to Router3 via Fa0/1. Router2 is missing from the neighbor list, and the device has more interfaces than neighbors. Both facts are suspicious, so we execute the following command:


The Fa1/10 interface is administratively shut down, which is odd. After bringing the interface up (no shutdown), we look at the neighboring devices again.

Now we can see Router2. Next we need to find out its IP address.

We try to log in to the device with the cisco/cisco account, but it is not that easy.
Judging by the response time, we can guess that centralized authentication is in use. Indeed, Router1's configuration contains information about a RADIUS server.

So we need to cut Router2 off from the RADIUS server; shutting down the Fa0/1 interface is enough for that. Once the server is unreachable, IOS moves on to the next method in its AAA login list, in this case the local user database. Now we try to log in to Router2 once again.



Great! We have logged in to the second device and even obtained more privileges: we are lucky, since no enable password was defined. Looking through the configuration, we see several candidate flags. We try entering them; only one line fits the MD5 format (32 hexadecimal characters), so it is the flag.

Obtaining the third flag

If we try to log in to Router3 with the cisco/cisco account, it does not work. Let's find the account we need. Taking another look at Router2's configuration, we now notice the following line:

The password is easy to recover because it is stored with the reversible type 7 encoding (a fixed-key XOR), not a hash. Type 5, by contrast, is a salted MD5 hash that would have to be cracked offline. So the password is Tf7NszYCnd.
Now we are ready for Router3. This time we log in with the new account 'admin':
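As an added illustration (not part of the original write-up or of any Positive Technologies tool), here is a small Python routine that reverses type 7 strings and sorts the credential lines of a running configuration by how they are stored. The sample configuration is constructed: the contest's real line is not reproduced here, and the encoded value of Tf7NszYCnd in it was produced with the same routine. The well-known test vector 0822455D0A16, which decodes to 'cisco', is checked as well.

```python
# Added example: reversing Cisco IOS "type 7" passwords and sorting the
# credential lines of a running-config by how they are stored. Not part of
# the original write-up; the sample config below is constructed.
import re

# Fixed key IOS uses for type 7 ("service password-encryption"): each password
# byte is XORed with successive key bytes, starting at a seed offset that is
# stored in clear as the first two decimal digits of the string.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext behind a 'password 7 ...' value."""
    if not re.fullmatch(r"[0-9]{2}(?:[0-9A-Fa-f]{2})+", encoded):
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Forward direction: shows the scheme is a keyed XOR, not a hash."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 00-15")
    out = ["%02d" % seed]
    for i, c in enumerate(plain.encode("ascii")):
        out.append("%02X" % (c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]))
    return "".join(out)


# 'username NAME [privilege N] password|secret [TYPE] VALUE' and
# 'enable password|secret [TYPE] VALUE'.
_CRED_RE = re.compile(
    r"^(?:username\s+(?P<user>\S+)\s+(?:privilege\s+\d+\s+)?|enable\s+)"
    r"(?:password|secret)\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)$")


def classify_secret(line: str):
    """Return (account, storage kind, recovered plaintext or hash) or None."""
    m = _CRED_RE.match(line.strip())
    if not m:
        return None
    name = m.group("user") or "enable"
    ptype, value = m.group("type"), m.group("value")
    if ptype in (None, "0"):
        return name, "type 0 (plaintext)", value
    if ptype == "7":
        return name, "type 7 (reversible)", type7_decode(value)
    if ptype == "5":
        return name, "type 5 (salted MD5 hash, crack offline)", value
    return name, "type %s (hash, crack offline)" % ptype, value


def audit_config(config: str) -> dict:
    """Map each account (or 'enable') to (storage kind, recovered value)."""
    findings = {}
    for line in config.splitlines():
        hit = classify_secret(line)
        if hit:
            findings[hit[0]] = hit[1:]
    return findings


# Constructed sample in the style of the contest routers (not their real
# configuration). The type 7 value was produced with type7_encode() above;
# the type 5 hash is a dummy placeholder.
CONSTRUCTED_CONFIG = """\
username cisco password 0 cisco
username admin privilege 15 password 7 053F00580F5F54303A0B13
enable secret 5 $1$salt$xxxxxxxxxxxxxxxxxxxxxx
"""

if __name__ == "__main__":
    for name, (kind, value) in audit_config(CONSTRUCTED_CONFIG).items():
        print("%-8s %-40s %s" % (name, kind, value))
```

Only type 7 values are recovered directly; a type 5 line is reported as a hash that needs an offline guess, which is why 'enable secret' (type 5) is the setting to look for and 'password 7' is the one to get rid of.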


Perfect. We are on the third host. Searching for our flag:

Obtaining the fourth flag

This is the most difficult part. We enable CDP on the Fa0/1 interface and check the neighboring devices:


Then we try to log in to Router4 and find that RADIUS is used here as well. Taking a long look at Router3's configuration, we notice a read-write SNMP community string, 'PHDays2013'. After adjusting the routing so that Router4 can reach us, we can retrieve Router4's configuration over SNMP (with a read-write community, the router can be instructed to copy its running configuration to a TFTP server of our choice).

We got the configuration and found that OSPF is running on Router4. Now we need to inject our own route to the RADIUS server so that Router4's authentication requests follow a path we control. We can do it this way:


Then we log in to the device with cisco/cisco and find the fourth flag.
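The two authentication bypasses described so far (cutting Router2 off from RADIUS, and hijacking Router4's path to it) rely on configuration choices that a quick audit would have caught. The following Python checker is an added example, not part of the original write-up or a Positive Technologies tool. It runs over a constructed configuration in the style of Router4 (the addresses, interface names, RADIUS key and the hardened counterpart are assumptions; only the community string and the cisco/cisco account come from the text) and reports an AAA login list that falls back to weakly stored local accounts, an unrestricted read-write SNMP community, the missing enable secret, and OSPF without neighbor authentication, which is what lets a rogue speaker inject a route.

```python
# Added example: audit of the weaknesses chained for flags 2 and 4.
# Not from the original write-up; both configs below are constructed.
import re

# Constructed fragment in the style of the write-up's Router4. Addresses,
# interface names and the RADIUS key are assumptions; the community string
# and the cisco/cisco account are the ones named in the text.
CONSTRUCTED_ROUTER4 = """\
hostname Router4
aaa new-model
aaa authentication login default group radius local
username cisco password 0 cisco
radius-server host 10.0.0.100 key radiuskey
snmp-server community PHDays2013 RW
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
interface FastEthernet0/1
 ip address 10.0.34.4 255.255.255.0
 ip ospf 1 area 0
"""

# Same device after hardening (also constructed). The fallback to 'local'
# stays, so an admin is not locked out when RADIUS is down, but the local
# account is stored as a hash, SNMP is read-only and ACL-bound, privileged
# EXEC has its own secret and OSPF neighbors must authenticate.
HARDENED_ROUTER4 = """\
hostname Router4
aaa new-model
aaa authentication login default group radius local
username emergency secret 5 $1$salt$xxxxxxxxxxxxxxxxxxxxxx
enable secret 5 $1$salt$yyyyyyyyyyyyyyyyyyyyyy
radius-server host 10.0.0.100 key radiuskey
access-list 10 permit host 10.0.0.200
snmp-server community PHDays2013 RO 10
router ospf 1
 area 0 authentication message-digest
 network 10.0.0.0 0.0.255.255 area 0
interface FastEthernet0/1
 ip address 10.0.34.4 255.255.255.0
 ip ospf 1 area 0
 ip ospf message-digest-key 1 md5 dummykey
"""


def audit(config: str):
    """Return a list of (check_id, message) for the weaknesses used in the contest."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []

    # 1. AAA fallback. When the RADIUS server is unreachable (interface shut
    #    down, route withdrawn or hijacked) IOS proceeds to the next method.
    weak_local = [l.split()[1] for l in lines
                  if re.match(r"username \S+ .*\bpassword\b", l)]
    for l in lines:
        m = re.match(r"aaa authentication login (\S+)\s+(.+)$", l)
        if not m:
            continue
        name, methods = m.group(1), m.group(2).split()
        if "none" in methods:
            findings.append(("aaa_none", f"login list '{name}' ends in 'none': "
                             "no credentials are needed once RADIUS fails"))
        elif "group" in methods and "local" in methods and weak_local:
            findings.append(("aaa_weak_local_fallback", f"login list '{name}' falls "
                             f"back to local accounts stored reversibly: {weak_local}"))

    # 2. Read-write community without an ACL: anyone reaching UDP/161 can
    #    change the config or have it copied to their TFTP server.
    for l in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?:\s+(\S+))?$", l)
        if m and m.group(2) == "RW" and not m.group(3):
            findings.append(("snmp_rw_open", f"read-write community "
                             f"'{m.group(1)}' is not restricted by an ACL"))

    # 3. No enable secret: privileged EXEC is not separately protected.
    if not any(l.startswith("enable secret") for l in lines):
        findings.append(("no_enable_secret", "no 'enable secret' configured"))

    # 4. OSPF without neighbor authentication: a rogue speaker can inject a
    #    more specific route, e.g. toward the RADIUS server.
    if any(l.startswith("router ospf") for l in lines) and not any(
            "authentication message-digest" in l or
            l.startswith("ip ospf authentication") for l in lines):
        findings.append(("ospf_unauthenticated", "OSPF has no neighbor authentication"))
    return findings


if __name__ == "__main__":
    for cfg_name, cfg in (("weak", CONSTRUCTED_ROUTER4), ("hardened", HARDENED_ROUTER4)):
        print(cfg_name, audit(cfg) or "no findings")
```

Note that the fix is not to drop 'local' from the method list, which would lock administrators out whenever the RADIUS server is unreachable; the fallback account should simply be as strong as the centralized one, and the network paths to the server (interfaces, OSPF adjacencies) should not be something an unprivileged user can disturb.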


Obtaining the last flag

We check the neighboring devices, find Router5's IP address and try to connect over SSH or Telnet. Unfortunately, neither works. Taking another look at the configuration, we now notice an ACL on the outbound side of interface Fa0/1 blocking traffic to Router5 on port 80:


We remove the ACL from the interface, add the route we need and try to log in (over HTTP):


Now we just need to find the flag:


The winner

The fight was hard: none of the contestants managed to pull ahead of their rivals. Visitors to the PHDays forum could follow the battle thanks to a special visualization on a large screen in one of the halls.


The time allotted for the final was not enough to determine a winner, because nobody had captured all the flags. As a result, 15 extra minutes were added, and they decided the outcome of the contest. In the last seconds of extra time, Stanislav Mironov, a network administration specialist from Perm, Russia, captured the fifth flag. Stanislav was the only one to solve the whole task. Yuri Shkodin took second place and Sergey Stankevich came third; each of them captured four flags. Congratulations!

That's all for today! We will be happy to answer your questions.


  1. I don't understand why you are using 5 routers? You can do this using 3 also, but I think that you have your own concept for providing the information!
