[POST INITIAL DRAFT FROM 2016]
So you know, everyone was talking about Mr Robot. So I had no choice but to watch it.
It’s a TV series that really tries its best to get the “Hacker scene” details right. And they are actually doing a pretty good job.
As you can see in many other movies and TV series the hacking scenes are utterly ridiculous to say the least. Orphan Black is a series that has a hacking scene to complete some sort of computing sequence and then shows a closeup of a HTML and CSS page. The kind you get when you Right Click => View Source on any web browser. Although this is by far not the worst example since it may even be some sort of phishing or XSS attack, it’s still seems pretty improbable that this kind of info would be stored on a public webpage…
But not Mr. Robot.
This series gives us real Linux shell commands that make actual Linux sense.
Let’s take a look at some of them.
S1E8 12:37 – Tyrell Willig puts down the “bigshot in the suit” attitude aside for a few minutes and starts an SSH session to connect to the server like a pro.
ssh -l tyrell 22.214.171.124
I assume this IP belongs to a proxy or gateway server which will enable SSH access to the actual server in question, CS30. It’s probably be on a different subnet or VLAN then the office network. This is actually a very real and sometimes even best practice, to have only one server allowed SSH through the Firewall and then you can SSH only from that machine to any other server in the internal network.
Now of course out of curiosity, I tried pinging the server IP. no response.
nslookup shows us this IP belongs to a telecommunications company by the name of Suddenlink! The IP can also be geolocated to Muskogee (Oklahoma) – United States, is this the series tech advisor home location?
yoseft@YOSEF-LAPTOP:~$ nslookup 126.96.36.199 Non-authoritative answer: 188.8.131.52.in-addr.arpa name = 47-217-138-201.msk1cmta01.res.dyn.suddenlink.net.
Back to the show.
The following command is typed by Tyrell on server CS30.
find / -type d 1>/dev/null 2> (screen cuts it off)
Now that is a bit odd, if you’re searching for directories, why pipe stdout to /dev/null? the output we see later is from the file /tmp/noaccess
Here we can conjecture that the stderr was piped to /tmp/noaccess. This explains the previous step. Tyrell probably wanted a list of all directories inaccessible to his login…
Indeed the next screen seems to be a vi screen filled with directories which all have the error message “Permission denied”!
A closeup on the “Permission denied” error. Then another closeup on the directory
ls -l /opt/2/task/2/fd1nfo
Here is the location of the notorious fsociety file.
ls -l fsociety
we get the grand “Permission denied” again.
Hmmm.. someone forgot to type sudo?
Are the directories with wrong permissions….? was the directory created immutable? either way, this is pretty realistic scenario and can happen and has happened to me many many times in the real world.
As one of my best mentors for Linux (Hey Adi!) told me once:
“Linux troubleshooting is very simple, 99% of issues are Ownership and Permissions”
Let’s Shell it on!