Linux Quest. Congratulations to the winners and let's talk about the solutions to the tasks


On March 25, we opened registration for Linux Quest, a game for fans and connoisseurs of the Linux operating system. Some statistics: 1117 people registered for the game, 317 of them found at least one key, 241 successfully completed the first stage, 123 the second, and 70 passed the third stage. Today our game has come to an end, and we congratulate our winners!

  • First place went to Alexander Teldekov.
    Alexander describes himself as the most typical system administrator. He lives in Volgograd and has been administering various Unix-like systems for twenty years. He has worked at Internet providers, a bank and a system integrator. Now he works remotely for a small company, handling cloud infrastructure for a large foreign customer. He likes to read and listen to music. About the game, Alexander said that he liked it overall, as he loves such puzzles: at an interview in one company he did something similar to HackerRank, and it was interesting.
  • Second place went to Roman Suslov.
    Roman is from Moscow and is 37 years old. He works as a Linux/Unix engineer at Jet Infosystems, where he deals with the administration and troubleshooting of Linux/Unix systems and SAN. His interests are very varied: Linux systems, programming, reverse engineering, information security, Arduino. About the game, Roman noted that he liked it as a whole. “I stretched my brain a little and got distracted from the grey routine of everyday work. 🙂 I would like more tasks, otherwise I didn’t have time to get into it before the game was already over.”
  • Third place went to alex3d.
    Alex lives in Moscow and works in software development. "Thanks for the contest, it was interesting to test my google-fu skill."

Also in the ranking of the top 10 players:

  • Yevgeniy Saldayev
  • Markel Mokhnachevsky
  • Konstantin Konosov
  • Pavel Sergeev
  • Vladimir Bovaev
  • Ivan Bubnov
  • Pavlo Klets

We understand that there are many ways to solve each of our problems; some of the possible solutions are described below.

1. First stage

We called it "Are you sure you're an admin?", since the task was quite simple: fix a cosy old-school service.

1.1. Interesting facts

Two players found the first key in the first 15 minutes of the game, and in the first hour we had three leaders who completed the task.

1.2. Task

You went to work in a company where for a long time there was no competent information technology specialist. Before you can begin to clean up, you need to solve a burning problem that blocks the work of the office.

The cleaner snagged the power cable of the server cabinet with a mop. Power has been restored, but a very important website is still down. The website is important because the company is not very concerned with information security, and on the main page of this one you can find in clear text the administrator password from the CEO's computer.

The other day the password was changed, but everyone forgot the new one, the director cannot work. Rumor has it that there were other keys on this machine that could help us decipher the backed up accounting records.

Everyone is waiting for a prompt solution to the issue!

1.3. Solution

1. The first step is to change the root password on the virtual machine in order to gain access to it. At startup we notice that this is Ubuntu 16.04 Server.

To reset the root password, restart the machine and, when the GRUB menu appears, press "e" to edit the Ubuntu entry. On the line beginning with linux, append init=/bin/bash. Boot with Ctrl+x and we get a bash shell. Remount the root filesystem read-write and change the password:

$ mount -o remount,rw /dev/mapper/ubuntu--vg-root
$ passwd

Don't forget to sync, then reboot.

2. The task statement says the web server is down; let's check:

$ curl localhost
Not Found
The requested URL / was not found on this server.
Apache/2.4.18 

So Apache is actually running, but it responds with a 404. Let's look at the config:

$ vim /etc/apache2/sites-enabled/000-default.conf

There is also a key here - StevenPaulSteveJobs.

The config points at /usr/share/WordPress, which does not exist, but /usr/share/wordpress does. Fix the path in the config and restart Apache.

$ systemctl restart apache2

3. We try again and get an error:

Warning: mysqli_real_connect(): (HY000/2002): Connection refused in /usr/share/wordpress/wp-includes/wp-db.php on line 1488

Is the DB not running?

$ systemctl status mysql
Active: active (running)

What's the matter? We need to figure it out. To do that we need to get into MySQL, and how to do this is described in the documentation. One of the documentation's steps recommends adding the skip-grant-tables option to /etc/mysql/mysql.conf.d/mysqld.cnf. There is also a key here - AugustaAdaKingByron.

We fix the privileges of the 'wp'@'localhost' user. Then we start MySQL and make it reachable over the network by commenting out the skip-networking option in the config.

4. After these actions the web server starts, but the site still does not work because of:

Warning: require_once(/usr/share/wordpress/wp-content/themes/twentysixteen/footer.php): failed to open stream: Permission denied in /usr/share/wordpress/wp-includes/template.php on line 562

Fix the file permissions.

$ chmod 644 /usr/share/wordpress/wp-content/themes/twentysixteen/footer.php

We refresh the page, open the site and find the key - BjarneStroustrup! All three keys are found, our director can work, and the accounting files are decrypted. Everyone is happy, and you have a lot of work ahead to set up infrastructure, backups and security in the company.

2. Second stage

It was necessary to solve an analytics problem. Everyone loves analytics: who goes where and in what quantities. We came up with a case that every engineer may face in real life in one form or another.

2.1. Interesting facts

One of our players entered the correct key in the first 10 minutes of the game, and in the first hour we had a leader who completed the task.

2.2. Task

You went to work at a company, and the managers came to you asking to find out who sent letters from Africa. You need to build the top 21 recipient addresses of those letters. The first letters of the recipient addresses form the key. One catch: the mail server through which the letters were sent does not boot. Everyone is waiting for a prompt solution to the issue!

2.3. Solution

1. The server does not boot because of a non-existent swap partition in fstab: at boot the system tries to mount it and fails. How do we boot?

Get an image (we took CentOS 7), boot from the Live CD/DVD (Troubleshooting -> Rescue), mount the system and edit /etc/fstab. Right there we find the first key - GottfriedWilhelm11646Leibniz!

Create the swap volume:

$ lvcreate -n swap centos -L 256M
$ sync && reboot

2. As always there is no password, so we need to change the root password on the virtual machine; we already did this in the first task. We change it and log in to the server successfully, but it immediately reboots. The server reboots so fast that there is no time even to look at all the logs properly. How do we understand what is happening?

Again we boot from the Live CD, study the system logs carefully and, given the regularity of the reboots, look into cron just in case. There we find the problem and the second key - Alan1912MathisonTuring!

In /etc/crontab, delete or comment out the line echo b > /proc/sysrq-trigger (writing b to the SysRq trigger reboots the machine immediately).
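A small check for the cause found in this step, added here as an example and not part of the original write-up: it parses the system crontab format (/etc/crontab and /etc/cron.d, where a user name sits between the schedule and the command), reports entries whose command writes to /proc/sysrq-trigger, and produces a copy of the file with those entries commented out, which is the fix applied above. The sample crontab text is constructed.

```python
"""Find and disable crontab entries that write to /proc/sysrq-trigger.

Added example, not from the original write-up. Handles the system crontab format
(/etc/crontab, /etc/cron.d): five time fields or an @keyword, then a user, then
the command. The sample crontab below is constructed.
"""
import re

# A shell redirect into the SysRq trigger, or tee writing to it.
SYSRQ_RE = re.compile(r"(?:>\s*|\btee\s+(?:-a\s+)?)/proc/sysrq-trigger\b")

SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# m h dom mon dow user command
0 2 * * * root /usr/local/bin/backup.sh
*/1 * * * * root echo b > /proc/sysrq-trigger
@reboot root /usr/bin/logger "booted"
# 15 3 * * * root echo c > /proc/sysrq-trigger
"""


def parse_system_crontab(text):
    """Return (schedule, user, command) for every active entry; skip blanks, comments, VAR=value."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):                 # @reboot, @hourly, ...
            fields = line.split(None, 2)
            if len(fields) < 3:
                continue
            schedule, user, command = fields
        else:                                    # m h dom mon dow
            fields = line.split(None, 6)
            if len(fields) < 7:
                continue
            schedule, user, command = " ".join(fields[:5]), fields[5], fields[6]
        entries.append((schedule, user, command))
    return entries


def find_sysrq_entries(text):
    """Entries whose command writes to the SysRq trigger ('echo b' there means an immediate reboot)."""
    return [e for e in parse_system_crontab(text) if SYSRQ_RE.search(e[2])]


def comment_out_sysrq(text):
    """Return the crontab text with each flagged entry commented out, the fix used in the quest."""
    out = []
    for raw in text.splitlines():
        out.append("# disabled: " + raw if find_sysrq_entries(raw) else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for schedule, user, command in find_sysrq_entries(SAMPLE_CRONTAB):
        print(f"{schedule}  {user}  {command}")
    print(comment_out_sysrq(SAMPLE_CRONTAB))
```

The same parser applies to the files in /etc/cron.d; per-user crontabs (crontab -l) have no user field, so for those the command starts at the sixth field.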

3. After that the server boots, and we can complete the managers' task. "What are the addresses of Africa?" This information is publicly available: you can find it on the Internet with phrases like "ip address africa" or "geoip database". To solve the problem you can use freely available address allocation databases (GeoIP). As a reference we used the MaxMind GeoLite2 database, available under the Creative Commons Attribution-ShareAlike 4.0 license.

Let's try to solve our problem using only standard Linux utilities, although in general it can be solved in a huge number of ways: with text-filtering utilities or with scripts in various programming languages.

First, just extract the "recipient - sender IP" pairs from the mail log /var/log/maillog (i.e. build a table of email recipients and the sender's IP). This can be done with the following command:

$ cat /var/log/maillog | fgrep -e ' connect from' -e 'status=sent' | sed 's/[]<>[]/ /g' | awk '/connect from/ {ip=$11} /status=sent/ {print $10" "ip}' > log1.txt

Before we move on to compiling the African address database, let's look at the top recipient addresses.

$ cat log1.txt | cut -d' ' -f1 | sort | uniq -c | sort -r | head -n 40
5206 [email protected]
4165 [email protected]
3739 [email protected]
3405 [email protected]
3346 [email protected]

Among all of them, the first three recipients in the top clearly stand out by the number of letters. If you grep the sender IP addresses of letters sent to addresses from this top 3, you can see a clear predominance of certain networks:

$ cat log1.txt | fgrep '[email protected]' | cut -d' ' -f2 | sort | cut -d'.' -f1 | uniq -c | sort -r | head
831 105
806 41
782 197
664 196
542 154
503 102
266 156
165 45
150 160
108 165

Most of the networks 105/8, 41/8, 196/8 and 197/8 are allocated by AFRINIC, one of the five regional Internet registries that distribute Internet number resources; AFRINIC allocates address space in Africa. And 41/8 belongs to AFRINIC entirely.

https://www.nic.ru/whois/?searchWord=105.0.0.0 
https://www.nic.ru/whois/?searchWord=41.0.0.0

So the answer to the problem is, in fact, right there in the log itself.

$ cat log1.txt | fgrep -e '105.' -e '41.' -e '196.' -e '197.' -e '154.' -e '102.' | awk '{print $1}' | sort | uniq -c | sort -r | head -n 21
4209 [email protected]
3313 [email protected]
2704 [email protected]
2215 [email protected]
1774 [email protected]
1448 [email protected]
1233 [email protected]
958 [email protected]
862 [email protected]
762 [email protected]
632 [email protected]
539 [email protected]
531 [email protected]
431 [email protected]
380 [email protected]
357 [email protected]
348 [email protected]
312 [email protected]
289 [email protected]
282 [email protected]
274 [email protected]

At this stage we get the string "LinuxBenedictTorvadst".

Correct key: "LinusBenedictTorvalds".

The resulting string differs from the correct key in the last three characters. This is because the networks we chose are not entirely allocated to African countries, and because of how the letters are distributed across IP addresses in our log.

With sufficient refinement of the largest networks allocated to African countries, an exact answer can be obtained:

$ cat log1.txt | fgrep -e' '105.{30..255}. -e' '41. -e' '196.{64..47}. -e' '196.{248..132}. -e' '197.{160..31}. -e' '154.{127..255}. -e' '102.{70..255}. -e' '156.{155..255}. | awk '{print $1}' | sort | uniq -c | sort -r | head -n 21
3350 [email protected]
2662 [email protected]
2105 [email protected]
1724 [email protected]
1376 [email protected]
1092 [email protected]
849 [email protected]
712 [email protected]
584 [email protected]
463 [email protected]
365 [email protected]
269 [email protected]
225 [email protected]
168 [email protected]
142 [email protected]
111 [email protected]
 96 [email protected]
 78 [email protected]
 56 [email protected]
 56 [email protected]
 40 [email protected]

The problem can also be solved another way.
We download the MaxMind database, unpack it, and the following three commands also solve our problem (we use the Russian-locale locations file, hence the grep for "Африка", the Russian for Africa).

$ cat GeoLite2-Country-Locations-ru.csv | grep "Африка" | cut -d',' -f1 > africaIds.txt
$ grep -Ff africaIds.txt GeoLite2-Country-Blocks-IPv4.csv | cut -d',' -f1 > africaNetworks.txt
$ grepcidr -f africaNetworks.txt log1.txt | cut -d' ' -f1 | sort | uniq -c | sort -r | head -n21
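Here is the same analysis as the pipelines above (the recipient/sender-IP extraction from /var/log/maillog and the GeoLite2 filtering), as an added Python example that is not part of the original write-up. It joins each delivery to its sender IP through the Postfix queue id carried on the smtpd client= line rather than through the last 'connect from' seen, and checks IPs against CIDR blocks with the standard ipaddress module, which is what grepcidr does. Everything in it (log lines, addresses, networks, geoname ids) is constructed; the CSV column names follow the GeoLite2-Country CSV layout, using the English-locale locations file so the continent is matched as "Africa":

```python
"""Top recipients of letters sent from African networks, built from a Postfix maillog.

Added example, not code from the original Linux Quest write-up. Log lines, CSV
rows, networks and addresses are constructed; the CSV columns follow the
GeoLite2-Country CSV layout (English-locale locations file).
"""
import csv
import io
import ipaddress
import re
from collections import Counter

# smtpd logs "<queue id>: client=<host>[<ip>]" when it accepts a message ...
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Z]+): client=\S*?\[(?P<ip>[0-9.]+)\]")
# ... and a delivery agent later logs "<queue id>: to=<rcpt>, ..., status=sent".
SENT_RE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-Z]+): to=<(?P<rcpt>[^>]+)>.*status=sent")

SAMPLE_LOG = """\
Mar 25 10:00:00 mx postfix/smtpd[2001]: connect from unknown[41.58.10.5]
Mar 25 10:00:00 mx postfix/smtpd[2001]: A1B2C3: client=unknown[41.58.10.5]
Mar 25 10:00:01 mx postfix/smtp[2010]: A1B2C3: to=<linus@corp.example>, relay=local, dsn=2.0.0, status=sent (ok)
Mar 25 10:00:01 mx postfix/smtp[2010]: A1B2C3: to=<ian@corp.example>, relay=local, dsn=2.0.0, status=sent (ok)
Mar 25 10:00:02 mx postfix/smtpd[2002]: D4E5F6: client=mail.example.net[88.198.5.5]
Mar 25 10:00:03 mx postfix/smtp[2011]: D4E5F6: to=<bob@corp.example>, relay=local, dsn=2.0.0, status=sent (ok)
Mar 25 10:00:04 mx postfix/smtpd[2003]: 0F0F0F: client=unknown[105.230.1.1]
Mar 25 10:00:05 mx postfix/smtp[2012]: 0F0F0F: to=<linus@corp.example>, relay=local, dsn=2.0.0, status=sent (ok)
Mar 25 10:00:05 mx postfix/smtp[2012]: 0F0F0F: to=<nora@corp.example>, relay=local, dsn=2.0.0, status=sent (ok)
Mar 25 10:00:06 mx postfix/smtpd[2004]: 7E7E7E: client=unknown[88.198.5.6]
Mar 25 10:00:07 mx postfix/smtp[2013]: 7E7E7E: to=<bob@corp.example>, relay=local, dsn=2.0.0, status=sent (ok)
Mar 25 10:00:08 mx postfix/smtpd[2005]: C0FFEE: client=unknown[41.58.77.7]
Mar 25 10:00:09 mx postfix/smtp[2014]: C0FFEE: to=<ian@corp.example>, relay=local, dsn=2.0.0, status=sent (ok)
Mar 25 10:00:10 mx postfix/smtpd[2006]: BADBAD: client=unknown[197.170.0.9]
Mar 25 10:00:11 mx postfix/smtp[2015]: BADBAD: to=<linus@corp.example>, relay=local, dsn=2.0.0, status=sent (ok)
Mar 25 10:00:11 mx postfix/smtp[2015]: BADBAD: to=<nora@corp.example>, relay=local, dsn=5.1.1, status=bounced (no such user)
"""

# Constructed rows in the GeoLite2-Country CSV layout; the geoname ids are made up.
LOCATIONS_CSV = """\
geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
1001,en,AF,Africa,NG,Nigeria,0
1002,en,AF,Africa,ZA,South Africa,0
1003,en,EU,Europe,DE,Germany,0
"""
BLOCKS_CSV = """\
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
41.58.0.0/16,1001,1001,,0,0
105.224.0.0/12,1002,1002,,0,0
197.160.0.0/11,1001,1001,,0,0
88.198.0.0/16,1003,1003,,0,0
"""


def parse_maillog(lines):
    """Return (recipient, sender_ip) pairs for every successfully delivered message."""
    sender_ip = {}                      # queue id -> IP of the connecting client
    pairs = []
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            sender_ip[m["qid"]] = m["ip"]
            continue
        m = SENT_RE.search(line)
        if m and m["qid"] in sender_ip:
            pairs.append((m["rcpt"].lower(), sender_ip[m["qid"]]))
    return pairs


def african_networks(locations_csv, blocks_csv):
    """CIDR blocks whose country or registered country lies on the African continent."""
    africa_ids = {row["geoname_id"] for row in csv.DictReader(io.StringIO(locations_csv))
                  if row["continent_name"] == "Africa"}
    return [ipaddress.ip_network(row["network"])
            for row in csv.DictReader(io.StringIO(blocks_csv))
            if row["geoname_id"] in africa_ids or row["registered_country_geoname_id"] in africa_ids]


def top_recipients(pairs, networks, n=21):
    """Count deliveries whose sender IP falls in one of the networks; return the top n recipients."""
    counts = Counter(rcpt for rcpt, ip in pairs
                     if any(ipaddress.ip_address(ip) in net for net in networks))
    return counts.most_common(n)


def key_from(top):
    """The quest's key: the first letter of each recipient address, in ranking order."""
    return "".join(rcpt[0] for rcpt, _ in top)


if __name__ == "__main__":
    pairs = parse_maillog(SAMPLE_LOG.splitlines())
    top = top_recipients(pairs, african_networks(LOCATIONS_CSV, BLOCKS_CSV))
    for rcpt, count in top:
        print(f"{count:5d} {rcpt}")
    print("key:", key_from(top))        # bob@ (European sender) is filtered out of the ranking
```

Matching every IP against every block with any() is fine for a handful of networks; for the full GeoLite2 block list, sort the networks and binary-search them, or index them by first octet. Filtering on the geoname_id column explicitly also avoids the substring matches that grep -F over the whole blocks file can produce when an id happens to occur inside a longer number.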

One way or another, we eventually computed the statistics, and the managers got the data they needed for their work!

3. The third stage

The third stage is somewhat similar to the first: you also need to fix a cosy old-school service, but everything is harder than in the first task.

3.1. Interesting facts

In the first 15 minutes three players found the first key, and 2 hours and 20 minutes after the start of the stage our winner completed the task.

3.2. Task

You went to work at a company where all company documents are stored on an internal wiki server. Last year the engineer ordered 3 new disks for the server in addition to the existing one, arguing that for fault tolerance the disks needed to be put into some arrays. Unfortunately, a few weeks after they were installed, the engineer went on holiday to India and never came back.

The server worked flawlessly for several years, but a couple of days ago the company's network was hacked. As instructed, the security officers removed the disks from the server and sent them to you. During transport one disk was irretrievably lost.

The wiki needs to be brought back up; first of all, the content of the wiki pages is of interest. A piece of text from one of the pages of this wiki is the password for the 1C server and is urgently needed to unlock it.

In addition, somewhere on the wiki pages or elsewhere there were passwords for the log server and the video surveillance server, which it is also desirable to recover; without them the incident cannot be investigated. As always, we expect a prompt resolution of the issue!

3.3. Solution

1. We try to boot from each of the disks we have in turn, and everywhere we get the same message:

No bootable medium found! System halted 

You have to boot from something, and booting from the Live CD/DVD (Troubleshooting -> Rescue) saves us again. During loading we try to find the boot partition, don't find it, and drop into the shell. Let's study what is going on with the disks; we know there are three of them. The CentOS 7 image has more tools for this, such as blkid and lsblk, which show us all the information about the disks.

What we do:

$ ls /dev/sd*

It is immediately clear that:

/dev/sdb1 - ext4
/dev/sdb2 - LVM member
/dev/sda1 and /dev/sdc1 - RAID members
/dev/sda2 and /dev/sdc2 - nothing is known about them at the moment

We mount sdb1 and see that it is the boot partition of CentOS 6.

$ mkdir /mnt/sdb1 && mount /dev/sdb1 /mnt/sdb1

Naturally, we go into the grub directory and find the first key there - James191955Gosling - in an unusual file.

2. We study pvs and lvs, since we are dealing with LVM. We see that there should be 2 physical volumes; one is missing and LVM complains about the lost UUID. We see that there should be 2 logical volumes, root and swap, and root is partially lost (the volume's P attribute). It cannot be mounted, and we really need it.

There are 2 more disks; we look at them, assemble the array and mount it:

$ mdadm --examine --verbose --scan
$ mdadm --assemble --verbose --scan
$ mkdir /mnt/md127 && mount /dev/md127  /mnt/md127 

Looking inside, it is clear that this is the CentOS 6 boot partition, a duplicate of what is already on /dev/sdb1, and here again there is a key - DennisBMacAlistairCRitchie!
Let's see how /dev/md127 is put together.

$ mdadm --detail /dev/md127

We see that it was supposed to be assembled from 4 disks but is assembled from two, /dev/sda1 and /dev/sdc1, which were supposed to be numbers 2 and 4 in the array. We assume that an array can also be assembled from /dev/sda2 and /dev/sdc2. It is not clear why there is no metadata on them, but that is on the conscience of the admin, who is somewhere in Goa. We assume it should be RAID10, although there are other options. Assemble it:

$ mdadm --create --verbose /dev/md0 --assume-clean --level=10 --raid-devices=4 missing /dev/sda2 missing /dev/sdc2

We look at blkid, pvs and lvs and find that we have assembled the physical volume we were missing.

lvroot is immediately repaired; we mount it, but first activate the VG:

$ vgchange -a y
$ mkdir /mnt/lvroot && mount /dev/mapper/vg_c6m1-lv_root /mnt/lvroot 

And everything is there, including the key in root's home directory - /root/sweet.

3. We are still trying to revive our server so that it boots normally. We move all logical volumes from our /dev/md0 (where we found everything) to /dev/sdb2, where the whole server originally ran:

$ pvmove /dev/md0 /dev/sdb2
$ vgreduce vg_c6m1 /dev/md0

We shut down the server, remove disks 1 and 3, leave the second one, and boot from the Live CD/DVD into Rescue. We find the boot partition and reinstall the bootloader in grub:

root (hd0,0)
setup (hd0)

We detach the boot disc and boot successfully, but the site does not work.

4. There are two options to get the site running: configure Apache from scratch or use the already configured nginx with php-fpm:

$ /etc/init.d/nginx start
$ /etc/init.d/php-fpm start

Finally, you need to start MySQL:

$ /etc/init.d/mysqld start

It does not start, and the answer lies in /var/log/mysql. As soon as you solve the MySQL problem the site will work, and on the main page there will be a key - RichardGCCMatthewGNUStallman! Now we have access to 1C, and the employees will be able to get paid. And as always, you have a lot of work ahead to set up infrastructure and security in the company.

We can also share once again the list of books that helped us and our participants prepare for the game: linux.mail.ru/books.

Thank you for being with us! Stay tuned for announcements of the next games!

Source: habr.com
