Mainframe Hacking CYOA

Had a great time playing through the amazing game created by Phil Young (Soldier of Fortran, @mainframed767). What makes this project amazing is that it was written in HyperCard 2.4 and runs only on old Apple Macintosh systems (Macintosh System 7.0.1), as seen in the screenshot below. So getting into it requires the kind of dedication a “hacker” should have. The idea is brilliant and introduces people to the concept of mainframe hacking (many people don’t even know what mainframes were or are).

The game can be played online in Archive.org’s emulator here https://archive.org/details/MainframeHackingCYOA or locally if you download the disk images from Archive.org:

https://archive.org/download/MainframeHackingCYOA/HyperCardBootSystem7.img 
https://archive.org/download/MainframeHackingCYOA/MainframeHacker.img

You can use minivmac (https://github.com/jsdf/minivmac) or pce (http://www.hampa.ch/pce/download.html); both work fine with MainframeHackingCYOA. I have managed to run the game on a simulated Alpha DS25 via alphavm and on a MIPS CI20 development board (running the retro CDE).

Since we got this far, I wanted to take the opportunity to describe my experience during the gameplay and show some interesting points this game makes. Again, big thanks to Soldier of Fortran for this gem!

We start the game simply by being curious. I recommend going through it yourself before reading on.

And enter Cyberspace

Who would not like to pick up a phone like the Matrix dudes did?

OPSEC at its best

Let’s dial in – no time for bed

Honestly, who remembers the BBS days? Seems like eons ago.

If you are using a non-Macintosh keyboard, the zxcvbnm,./ keys are shifted one position to the right.

So we check what is available for reading

Interesting: E Corp … and the logo :) Mr. Robot style :) and a password ECorp@18, but no username …

And here are the instructions from the SYSOP on what to do.

So off we go to Connect

Now this is quite informative. Nmap, Metasploit and Hydra are daily bread for any security researcher, but c3270 (the curses-based IBM host access tool) not so much (http://x3270.bgp.nu/download.html).

So we first run an nmap scan and probe the open ports to determine service/version info, and start hacking…

Here we learn briefly about TSO, CICS and VTAM on mainframes and the corresponding nmap NSE scripts that can be used for enumeration. Let’s check that telnet port first …

So we run the VTAM enumeration against the telnet port 23 we found earlier and learn about the TSOPRD, TSODEV, CICSPRD1 and CICSPRD2 applids. We can use this information to enumerate CICS on the mainframe, as seen below. Remember that we have a password from the leaked E Corp document off the BBS (ECorp@18), so we use these credentials for the CICS enumeration here … Let’s query TSODEV and see what information comes out.

To get a list of valid usernames we can brute-force FTP logins with Hydra, in this example using the known password (ECorp@18).

So here we get a list of valid users: x003, x888 and x420. OK, we have gathered enough information, so we can get to the final stage of attacking TSO and CICS.
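From the defender’s side, the Hydra step above has a recognisable shape: one source tries one password against many user IDs, so most attempts fail once each and the valid accounts (here x003, x888, x420) succeed on the first try. The following is an added example, not part of the original post or of the game, that flags this pattern in FTP login logs; the log format is constructed for illustration and is not the real z/OS FTP server format.

```python
# Added example (not from the original post): flag a single source hitting
# many distinct user IDs over FTP in a short window, i.e. the user-enumeration
# pattern seen in the walkthrough. Log lines below are CONSTRUCTED; the
# field layout is hypothetical, not the real z/OS FTP server format.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2018-05-30T10:00:01 ftpd src=10.9.9.9 user=x001 result=FAIL
2018-05-30T10:00:01 ftpd src=10.9.9.9 user=x002 result=FAIL
2018-05-30T10:00:02 ftpd src=10.9.9.9 user=x003 result=OK
2018-05-30T10:00:02 ftpd src=10.9.9.9 user=x004 result=FAIL
2018-05-30T10:00:03 ftpd src=10.9.9.9 user=x005 result=FAIL
2018-05-30T10:00:03 ftpd src=10.9.9.9 user=x420 result=OK
2018-05-30T10:30:00 ftpd src=10.1.1.5 user=oper1 result=FAIL
2018-05-30T10:30:20 ftpd src=10.1.1.5 user=oper1 result=OK
"""

LINE_RE = re.compile(r"^(\S+) ftpd src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log):
    """Turn log text into (timestamp, src, user, result) tuples; skip junk lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)),
                           m.group(2), m.group(3), m.group(4)))
    return events

def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """Return {src: (distinct users tried, users that logged in OK)} for every
    source that attempted at least `min_users` different IDs within `window`.
    A normal operator retrying their own password (10.1.1.5) is not flagged."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_win}
            if len(users) >= min_users:
                # Accounts that succeeded inside a spray are the ones to review.
                hits[src] = (len(users), sorted(u for _, u, r in in_win if r == "OK"))
                break
    return hits
```

Accounts that log in successfully in the middle of such a burst (x003 and x420 in the sample) are the ones whose password has evidently leaked and should be reset first.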

Now, if you get lucky and choose a privileged user from the above, you can finish the game quickly … x420 looks like it must have some weight … What I did, however, was use x003 and the TSO attack.

Before we escalate privileges, let’s search the warnings.

SYS1.PARMLIB is in WARN mode … hmm … what does a search for BPX.* reveal?

Not many rights there, so let’s see what we get from SURROGAT.

I knew it, x420 must have some higher powers. So we try the last possibility here: APF Authorized.

Escalate privileges … (man, I wish hacking was this easy …)

But I got stuck here … maybe I have done something wrong …

Update 31.05.: Silly me … typing in wrong commands is typical … you need to enter SYS2.OLDLIB.

And then we are done

Another method is via the CICS attack – since I already had the info that x420 would be the super user … I went straight into attacking CICS -> starting over.

And skipping to the CICS part … this time we use the x420 user and the ECorp@18 creds.

Heh … another user, x525 … let’s see what CICSPwn brings.

Reverse shell: nothing …

Bind shell gets through.

And sending the result.

Thank you @mainframed767, this was fun to play through (a little tricky with the keyboard shift … but fun).

So we have learned a few things here … time to study the code behind the tools used above, from ayoul3’s GitHub repos:

https://github.com/ayoul3/cicspwn 
https://github.com/ayoul3/Privesc
https://github.com/ayoul3/Rexx_scripts
https://github.com/ayoul3/JCL_scripts
https://github.com/ayoul3/wc3270_hacked

Here are the @mainframed767 YouTube resources about mainframe security.

And maybe start learning from scratch using Hercules: https://github.com/hercules-390/hyperion

About astr0baby