Microcorruption - Overview, level 1, level 2

Overview

This is a war game where you are tasked with defeating a lock - it's a computerized lock that sounds really forbidding but ultimately turns out to have more holes than a sieve. The game does a good job of staying playable for new people as it has several versions that are all pretty much the same but the minor differences prevent cut and paste jobs.

Additionally, the makers of the game do a nice job of leading the player down different paths to explore not only different attack vectors but also prevent the same one from working over and over again.

As a side note, I originally started this game with the intention that my son would learn a little about computing. He didn't make it much past the first few levels - apparently prying locks open to steal imaginary bearer bonds isn't exciting enough. I suppose that is a good thing on some levels. But he did learn about the binary, octal and hexadecimal number system - which is a solid start. You can view our (my, at this point) progress as "SamnDad" on the website.

Some notes about the environment:

<action src dest>

This is the format for the assembly language for the game. This style is generally considered the reverse of Intel x86 assembly language which  puts the destination before the source.

little endian

0x1234 goes into the registers as 3412

Despite not having intel style syntax for the language the processor is little endian like many Intel processors.

Thanks Texas Instruments for being weird.
 

cmp a b yields flags based on result of: b-a ...  Good to remember for flags.

Useful websites for delving into the particulars of the processor:

http://www.ti.com/sc/docs/products/micro/msp430/userguid/as_5.pdf

http://en.wikipedia.org/wiki/TI_MSP430

New Orleans – level 1

I set a breakpoint at main and again at create_password. Create_password seemed like a good place to start, and I thought it was odd that it ran before the getsn() was called and as I watched the memory it filled in a string of letters as a I stepped it through. Naturally I tried that string, and it worked.

Interestingly the game appears to be designed for there to be a preferred solution because when I tried to overflow the buffer and trample the code, it cut me off at 100 characters despite that I entered 300 characters. This overflow works in later levels but not earlier levels. And so the game appears to be designed to train you to look for certain things.

Key learning elements: how the interface works, stepping through code and using the tools and understanding the user interface.

Sydney – level 2

The program stores the incoming password and puts it at 43a0, above which starting at 4400 is the code itself.  

Sets SP to point at 43a0 (first letters of incoming _password) and preserves SP in r15 where the incoming pass starts.

Compares a literal (0x4624 - F$) to 0x00(r15) which means r15+0 offset. As it turns out that literal is part of the password.

Jumps to (44ac) if not zero.

Whereupon it clears r14 and puts r14 into r15 and returns...

r15 has 0.

r15 is tested for 0, and if not zero goes to unlock door.

R15 0 goes to fail.

This repeats 4 times basically, so the password is hard coded not in memory but in the code itself in the form of looking for things to test against.

So: 4624 6a70, 574c, 5554

or: F$jpWLUT

EXCEPT that endian-ness counts:

2446706a4c575455

$FpjLWTU

Key learning elements: endian-ness, identifying key components of the code and stepping through those parts, flags and comparison.

Notably, buffer overflow is prevented at these early levels.

PXE - Preboot eXecution Environment - Let's PXE! (Part 2)

LET'S PXE!

Now that DHCP is working, it's time to get to the PXE stuff. I got the image file striaght from Ubuntu for my server. I found the files here:
http://cdimage.ubuntu.com/netboot/12.04/

I used curl for single files and wget (poorly but somewhat effectively) for an AMD64 build. I figured one build to start and see if I could just get that working even. Curled the pxe version from ubuntu proper (above).

I used the basic format of curl, done as root (probably foolish). In retrospect it
would have been smarter to curl it as a user into a temporary dir and then move it as root or sudo. Anyhow:

curl url/file > file

or you can

curl -O url/file to keep the existing name.

wget -r -l 0 url/  (copies *everything*) but if you point it right at the stuff you
want, you can kill it halfway through, copy over the other things and delete the extra junk which is what I did.

It is probably easier to just curl the 20 or so small boot-screens files than to use wget.

To start with you can put the kernel, initrd and boot-screens directory in
/var/lib/tftpboot/ Go ahead, just dump it in for now.

Assuming you have curled initrd and linux from ubuntu, now edit
/var/lib/tftpboot/pxelinux.cfg/default to look like this:

$ sudo vim /var/lib/tftpboot/pxelinux.cfg/default

# D-I config version 2.0
# include ubuntu-installer/amd64/boot-screens/menu.cfg
# default ubuntu-installer/amd64/boot-screens/vesamenu.c32
include boot-screens/menu.cfg
default boot-screens/vesamenu.c32
prompt 0
timeout 0
label ubuntu distro xxxx
  menu default
  kernel linux
  append initrd=initrd.gz
so, now in /var/lib/tftpboot/ we should have the following, all of it from ubuntu:

$ ls -l

drwxr-xr-x 2 root root        4096 May 12 08:25 boot-screens
-rw-r--r-- 1 root root 21256771 May 12 02:21 initrd.gz
-rw-r--r-- 1 root root  5778968 May 12 02:22 linux
-rw-r--r-- 1 root root    26461 Apr 19 13:22 pxelinux.0
drwxr-xr-x 2 root root     4096 May 12 07:19 pxelinux.cfg

FOR NOW, just read the following - or come back to it later and skip down to:
*fire up your client!*

WHAT THINGS ARE - ubuntu boot-screens

# boot-screens - a directory of text files that show dialogue for OS selection
# vesamenu.c32 - an executable that gets the ball rolling: as far I can tell this is a glorified jpg, but you need it.
# f1.txt - f10.txt - text files mostly for errors during load
# *.cfg    - primarily text files that allow specific configuration beyond the default screen. You may choose to update the paths in these to accurately reflect where the kernels are. For instance, the path provided by most of these cfg files says something like:

menu default
kernel ubuntu-installer/amd64/blahblahblah/ubuntu64/linux

but you should change them to where the linux file really is. On my server that same line reads: 

menu default
kernel ubuntu64/linux


The following detail caused me a fair bit of grief: 

RECALL that the path to all files in PXE are considered to start at /var/lib/tftpboot/  REGARDLESS of whether the path begins with / or not....    / does not operate as an absolute path with tftp in this case.

WHAT THINGS ARE - pxelinux.cfg

pxelinux.0  -  a modified version of part of an open source project called syslinux. Although pxelinux.0 is primarily a Linux loader, it is capable of loading other operating systems. It operates by using configuration files located on a TFTP server to provide boot instructions.

pxelinux.cfg - the directory where those config files that say which operating system to use (based on the choice you select on your client).

/var/lib/tftpboot/pxelinux.cfg/default - where the magic happens. this is important. this is where you set up what the options for OS will be. Each entry choice has the form:
label <label name>
    menu <which menu to use>
    kernel <relative path to kernel for this choice from /var/lib/tftpboot/>
    append initrd=<relative path to initrd for this chioce from /var/lib/tftpboot>

So, using my example of how I configured my directories and where I put my OS choices as indicated previously in the directory structure sample, the menu choice for the 64 bit Ubuntu 14.04 OS looks like this:

label 64 bit ubuntu 14.04
  menu default
  kernel 14ubuntu64/linux
  append initrd=14ubuntu64/initrd.gz

as many as you want, just configure them here and put the corresponding files in the matching locations.

FIRE UP YOUR CLIENT!

Since you have enabled DHCP you should just be able to plug your client box into your network, hit f12, select your OS and follow the instructions. If it were that easy, the text would have ended by now

 

C L I E N T

You need a box that is pxe capable, I worked with a lot of ancient equipment and not all of it had that capability.  Anything 64 bit is probably a safe bet, but check the bios to ensure your client can do it.

A couple of different difficulties you may run into with your client:

 - is your client pxe capable?
 - is your client configured to pxe?
    * perhaps you have to hit f12?
    * have you adjusted the bios to try pxe first rather than look to the drives?
    * do you need to adjust the NIC settings in the bios?
 - can you tail the logs on the pxe server to verify that your client and server are talking?
      * on my server (batman): $ tail -f /var/log/syslogs    > May 12 07:33:48 batman dhcpd: DHCPDISCOVER from 00:1a:xx:xx:xx:xx via eth0
    > May 12 07:33:49 batman dhcpd: DHCPOFFER on 1xx.2xx.xxx.xxx to 00:1a:xx:xx:xx:xx via eth0
    > May 12 07:33:52 batman dhcpd: DHCPREQUEST for 1xx.2xx.xxx.xxx (1xx.2xx.xxx.xxx) from 00:1a:xx:xx:xx:xx via eth0
    > May 12 07:33:52 batman dhcpd: DHCPACK on 1xx.2xx.xxx.xxx to 00:1a:xx:xx:xx:xx via eth0 - if you don't see this sort of conversation between your client and the server, then perhaps:
      * your client isn't plugged into a swtich port that is on the same vlan as the server
      * other plug problems, bad cable
      * dhcp not configured correctly on the server
      * the switch is ancient and is S... L...O... W... . . . . . make sure the light has a chance to turn green. This happened to me, really.

SERVING MORE THAN ONE OS

If you want to have your server host multiple OS there are a variety of ways to go about this. I preferred putting all my different OS kernels and initrd files into their own directories - a little more work but ultimately nice and clean. Alternatively you could give each of them a unique identifier and dump it all into one directory. The reality is that how the client knows where they are and what to load is based in the config files.

that being said here is what my /var/lib/tftboot dir looks like

/var/lib/tftpboot$ ls -l
drwxr-xr-x 2 root root  4096 May  8 04:19 12ubuntu32
drwxr-xr-x 2 root root  4096 May  8 03:52 12ubuntu64
drwxr-xr-x 2 root root  4096 May 12 02:22 14ubuntu64
drwxr-xr-x 2 root root  4096 May 12 07:06 boot-screens
drwxr-xr-x 2 root root  4096 May  8 02:46 coreos
-rw-r--r-- 1 root root 26461 Apr 19 13:22 pxelinux.0
drwxr-xr-x 2 root root  4096 May 12 07:19 pxelinux.cfg
in each directory is its own initrd and kernel:

/var/lib/tftpboot/14ubuntu64$ ls -l
-rw-r--r-- 1 root root 21256771 May 12 02:21 initrd.gz
-rw-r--r-- 1 root root  5778968 May 12 02:22 linux

WHERE IS EVERYTHING AGAIN?

dhcp activity:   server        /var/log/syslog          dir
dhcp leases:     server        /var/lib/dhcp            dir
dhcp config:     server        /var/lib/dhcp/dhcpd.conf file
dhcp service:    server        isc-dhcp-server          service
hosts you know:  server/client /etc/hosts               file
pxe config:      server        /var/lib/tftpboot/pxelinux.cfg/default         file
OS options:      server        /var/lib/tftpboot/MY_OS/ (kernel and initrd)

TREMENDOUS THANKS!

blkperl - my primary mentor

https://help.ubuntu.com/community/PXEInstallServer
http://blog.alainodea.com/en/ipxe-smartos

Also good:
http://askubuntu.com/questions/412574/pxe-boot-server-installation-steps-in-ubuntu-server-vm
https://help.ubuntu.com/community/UbuntuLTSP/StaticIPsWithDHCP
https://help.ubuntu.com/community/isc-dhcp-server

tailing the logs can be helpful too: sudo tail -f /var/log/syslog

Additional hugely complicated reading:
http://www.openbsd.org/faq/faq6.html

PXE - Preboot eXecution Environment - Setting Up DHCP

PXE - Setting Up DHCP

For fun in one of the labs I set up my own PXE server and made notes about the problems that I encountered in doing so. If you aren't really sure what PXE is, a decent description exists at wikipedia. In a nutshell the client sends/ broadcasts a request for a Network Bootstrap Path. The server authenticates that the request comes from a legit source and, if so, sends the path to the client. The client then executes the path and installs the given OS.

I am running an older 64 bit Dell Poweredge with Ubunutu 12.04.

To get started you will want to do a little bit of reading if you haven't already. I found the following two posts to most informative:

https://help.ubuntu.com/community/PXEInstallServer
http://blog.alainodea.com/en/ipxe-smartos

So do a little bit of background reading if you haven't yet, but odds are you already looked at those which is why you are here. If you already have DHCP configured skip those parts.

Got DHCP?

After I read these through a few times, I noted that I had several constraints. I needed at least one box to be the client. Several desktops exist in the lab that will likely serve (they did not). Additionally when I started, DHCP in the lab was broken so I had to see if I could get that resolved too.

You'll need:

isc-dhcp-server which is the dhcp server and handles networking. You'll also need tftpd-hpa which is Trivial File Transfer Protocol and it handles the transfer of the OS from the server to the client.

$> sudo apt-get install isc-dhcp-server 
$> sudo apt-get install tftpd-hpa   

Create or edit  /etc/default/tftpd-hpa with the following content (may already exist):

    # /etc/default/tftpd-hpa
    TFTP_OPTIONS="--secure --verbose"
    TFTP_USERNAME="tftp"
    TFTP_DIRECTORY="/var/lib/tftpboot"
    TFTP_ADDRESS="0.0.0.0:69"

Most of it was already there, but I added verbose.
   
$> sudo service tftpd-hpa restart
     

Editing dhcpd.conf

Now create or edit /etc/dhcp/dhcpd.conf

with the following content (adjust the subnet, range and domain-name as required):

    server ip:     1xx.2xx.2xx.2xx  // this will be same as 'next-server'
    gateway:    1xx.2xx.2xx.1xx
    subnet:        1xx.2xx.2xx.1xx
    netmask:    255.255.255.xxx
    filename:    determined by OS we will be loading basically.

So you'll need the information about your gateway, subnet and netmask. I found that information by asking around. So the file will look something like:


#----------------------------------------------------
subnet 1xx.2xx.2xx.1xx netmask 255.255.255.xxx {
  pool {
    range 1xx.2xx.2xx.2xx 131.2xx.2xx.2xx;  
    next-server 1xx.2xx.2xx.2xx;
    filename="pxelinux.0"
  }
}
#-----------------------------------------------------

But since no one was going to be authoritative about Dynamic Host Configuration Protocol in the labs, I asked if I could and so got permission. Now the file looks like this:

#-----------------------------------------------------
 18 # If DHCP server is the official DHCP server for the local
 19 # network, the authoritative directive should be uncommented.
 20  authoritative;
 :
 :
 34 subnet 1xx.2xx.2xx.1xx netmask 255.255.255.2xx {
 35 # option definitions common to all supported networks...
 36 # subnet mask advises client to use that mask
 37 # broadcast-address: where all clients receive messages from
 38 # option routers tells the client that the gateway is there
 39 default-lease-time 600;
 40 max-lease-time 7200;
 41 option subnet-mask          255.255.255.2xx;    # /27 - cidr
 42 option broadcast-address    1xx.2xx.2xx.2xx;    # town crier
 43 option routers              1xx.2xx.2xx.1xx;    # the gateway
 44 option domain-name-servers  1xx.2xx.2xx.2xx;    # DNS server
 45 option domain-name          "foo.bar.org";      # our domain!
 46   pool {
 47     range 1xx.2xx.2xx.1xx 1xx.2xx.2xx.2xx;      # I control
 48     # range 2xx-2xx; if not authoritative so I can be less
 49     # controlling :)
 50     next-server 1xx.2xx.2xx.2xx;                # pxe server
 51     filename="/pxelinux.0";                     # pxe loader
 52   }
#----------------------------------------------------------------------------------
The pxe server is the next-server and is presumably your server that you control. The client is the one who (assuming you have a PXE enabled machine - check the bios) when you hit f12 gets an ip now from your dhcp server and then is provisioned by the server with the OS you select. You can test what you have so far by plugging in a box and seeing if you get assigned an IP address.

Next Up: LET'S PXE!

Bandit - overthewire.org final stages

The key to most of these final stages was snooping around in the areas described. Using cat to view a file or strings to look into the guts of an executable was an important step in being able to discern what was going on at the level.
For example, for level 21, you wanted to get to the right place then take a look at the script that was being run.

bandit21@melinda:/etc/cron.d$> cat /usr/bin/cronjob_bandit22.sh 

#!/bin/bash

chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv 

Now that we see that the password is being placed in a file in /tmp. /tmp is meant to be like a scratch pad or an extra hand to briefly hold onto something. We can see however that the script then does a chmod or 'change mode' which sets permissions on the file in to be readable by anyone. For a perms primer try:
http://www.tldp.org/LDP/GNU-Linux-Tools-Summary/html/x9543.htm

Now that you know where the file containing the password is just take a look at it:

$> cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Level 23: The trick here is that since you know what is being run by virtue of being able to view the script you can duplicate the output of the script. The output of the script is the name of a file in which the next password is created. So, by duplicating the output of the script you have the file name where the data is stored.

$> echo I am user bandit23 | md5sum

8ca319486bfbbc3663ea0fbe81326349 -

$> cat /tmp/8ca319486bfbbc3663ea0fbe81326349

Finally we hit the last level which wants us to write a script. I guess I had written a few specifically for the game by this point even though the game says this will be your first one. A bash script starts with a sh-bang! That is: #! and then is generally followed by /bin/bash, so the first line of a bash script should look pretty much like:

#!/bin/bash

More on that here: http://tldp.org/LDP/Bash-Beginners-Guide/html/sect_02_02.html

So you could write a simple script to do the thing that gives you the answer and it certainly is good practice to do so if you haven't written very many, and it's always fun to explore the environment of the game by seeing how it reacts when you give it the script  .... 
or you can game the game.

And isn't that what hacking is really all about? Why write a script when a thousand other people before you already have? As we know the code of the script you would write are the same as what everyone else has already written and the answer already stored in a predictable location. Use what we did in level 23 to achieve the same result, the file may still be hanging around in /tmp with the answer just waiting for you to find it. The same vulnerability of temp that we learned about in level 23 still exists to be exploited.

Hope you have enjoyed the tour of bandit. And don't keep . in your path!

Bandit - overthewire.org 15-19

Level 15 wants you to use SSL. At the time of writing this, the heartbleed fiasco is still in recent memory, and I actually did this level only a month or so before the news broke. Funny that the site actually indicates that "HEARTBEATING" is a problem, as it turns out heartbleed was the real problem. *rimshot*

Despite that, the level was straight forward with the command format:

openssl s_client -quiet -connect localhost:port

Level 16 was a little more fun because I got to write a script, which may not have been the most efficient way, but was pretty short and good practice for fun:

#!/bin/bash

for port in {31000..32000}; do                       

        echo "cluFn7wTiGryunymYOu4RcffSxQluehd"  |  \
        timeout 2 openssl s_client -quiet -connect  \
        localhost:$port                             \
        2>/dev/null >>/tmp/geo250/results.txt
done

Line by line this does the following:
* sets the magic cookie indicating that this is a bash script.
* assigns a number to port and for each number
* echoes the required password to
* the server at the port specified previously in the loop (but only hold the connection open for 2 seconds tops) using openssl and then
* dump any error messages in the trash and the good stuff in a file called results
* repeat until done.

Man pages and a little help from your pal google can bring you up to speed on the details if you want to delve deeper into openssl.

In the file you get the private key for the next level. You'll want to use that key as if it were your own. I copied results.txt to my machine and edited it so that only private key info was in the file. Chmod 600 results.txt so that it is private and then you can ssh -i /path_to/results.txt user@host.com to get in.

Level 18 was pretty fun too: you try to log in, then you get trolled and booted. However, if the password is valid you can still run commands on the server, you just have to do it by putting the command as part of the ssh command just by appending it to the ssh command. For example:

$> ssh user@host.org ps ps -ef | grep foo >> logfile.txt 

will ssh to host.org as user and run the command: "ps -ef | grep foo" and put the results in a file called logfile on your machine. So, in this case to get the password from the file on the machine you could run a command like:

ssh bandit18@bandit.labs.overthewire.org cat password
which will dump the password to your screen. After which the connection will be closed - in fact with this kind of command, the connection will be closed even if you don't have someone trying to boot you out and troll you. Now that you havae the password, the world (or at least the next level) is your oyster.

Bandit - overthewire.org 10-14

I really enjoyed bandit, as there were many commands that I just don't get to use with any kind of day to day regularity. Most of my training has been self directed as they don't teach Linux in physics or computer science; you are expected to know it or learn it yourself.

For example, the level 11 the password was encrypted using rot13. Fortunately I had heard of that protocol years ago and all that remained really was to write a one liner to decode the file, which for fun I turned that into a script called rot13.sh that takes a file as argument 1 and generates a new file given by argument 2. Careful, you can clobber things because it doesn't really check to make sure of anything at all.


#!/bin/bash
# ultimate secret encryption protocol rot13
set -e
if [ -z "$2" ]; then
    cat $1 | tr 'A-Za-z' 'N-ZA-Mn-za-m'
else
    cat "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m' > "$2"
fi



Learning things on your own is fun and rewarding, but sometimes it is nice to have direction. To that end becoming involved with an organization dedicated to providing IT has been extremely helpful for me. I have taken advantage of as much of their training program as possible. But even then, sometimes basic things get skipped over, like the command: file.

File target

will tell you what kind of file the target is: a bin(ary), ASCII text, gzip or what have you because you can't necessarily tell by the extension. The extensions are meant to be helpful indicators but they are by no means enforced. This was a fairly important command for level 12. Because the file had been compressed multiple times you needed to use the file command to determine how which compression tool to use next, and when you were done compressing. The file command looks at various properties of the file itself in an attempt to determine the information. You can consult the man pages (of course!) for more information on the specifics there, as I recall there are magic cookies waiting if you do.

Lastly, level 13 gives you someone's private key. Ouch! If you have that it is probably better than the password itself assuming that the other person uses ssh to move around. You just have to copy the key into your .ssh directory, chmod 700, then ssh -i ~/.ssh/privatekey user@destination.org.

Keys are a great thing, and if you haven't set your own private key up, try it just for fun. It's just a file so it doesn't take up any room really, but you want to keep it protected if you are ever going to use it. There are lots of good instructions out there about how to:

ssh-keygen -b 4096 

what it does, and so on. Some of my favorite additional commands once you are up and running are

ssh-agent bash 

and

ssh-add -t 3600

to add an hour of no password prompting, particularly if I am running ssh for-loops for things. Probably at some point there will be something more robust than this, but by setting your bit level nice and high you are presumably making it hard for people to eavesdrop. And yes, the encryption offered by RSA keys rivals my super secret encryption protocol rot13 even.

Bandit - overthewire.org 1-9

"Bandit" at http://overthewire.org/wargames/ is a great introductory war game if you haven't tried this kind of thing before. You use basic linux/unix skills to get the password to the next level, and every level the challenge evolves and gets a little harder or different. All of this takes place from the command line.

I won't go over the first few levels, if you are interested in this sort of thing and know what ssh and a terminal are, you can get through them with no difficulty. But don't get get put off by how simple they are because there are still some fun things ahead.

Starting at level 5, we are using find to find the password for the next level on the server. Find is a really fun command - I might use it as follows if I don't really have a clue where to start looking for something:

find / target 2> /dev/null | grep target > results.txt

which says "look everywhere for the target, be quiet about it, just give me what I am looking for without all the other things and put it in result.txt please". Of course there are less intense search methods like locate and which as well.

For the levels 5 and 6, I got to use some specific flags that I don't normally use: -readable, -group, -size, and -user. They are all fairly straightforward with -size having a few additional options, which you can of course look up. In particular, I solved them with the following commands, respectively:

find / * -readable -size 1033c 2> /dev/null

find -user bandit7 -size 33c -group bandit6 2> /devl/null

Levels 7, 8, 9 were a little different thematically in that you didn't actually need to find the file, but rather find that data within the file using strings and grep. Grep is common enough: cat foo | grep bar is a basic use where foo is the file and bar is the word you want to find. Strings is perhaps a little more on the reversing side of the house; a good preview of looking at a binary to see if anything in there looks promising - sometimes there is some low hanging fruit to be had with it. 

However I thought the most interesting challenge of the three was level 8. The idea was that they had hidden a needle in a stack of needles. The file is some 1,000 line (or more text file) where there are 100 or so different and unique strings, and the rest of the lines are duplicates of those 100 or so patterns. Except for one line which is the target - the needle hidden in the stack of needles.

To solve it I used: 

cat data.txt | sort -n | uniq -u 

I had an idea that those two would be what was required, in fact I have a one liner that I use to get the number of different logins on a computer: 

who | cut -d' ' -f1 | sort -u | wc -l

Which brings me to a point about these kind of games. Even if you aren't interested in reversing, CTF or pwning your own, you can really learn a lot from these exercises. For starters just getting more and different problems to solve using tools you are familiar with already will help you attain mastery with those tools because you will be using them in a different manner than you are accustomed to, which may perhaps lead to learning to use different flags than you normally would.

And for those of you who are beginners, you can vastly expand your knowledge of the tools. Just by playing the game you will be learning new things, thinking creatively about how to solve a problem, and gaining a better understand of the vulnerabilities you have to consider when working as a system administrator.