Intro
Logging my first mission from yesterday. It’s a retelling, so some details might not be exact.
Mission Brief
Passed a test from some shadowy figure, got HackShop access, and then the first mission dropped.
The mission brief: “The client wants the login credentials of the user Daronane. The remote ip of the victim is 54.44.37.52. It’s important that you access the correct machine behind the public ip. The victim’s ip LAN is 172.16.6.7”
Mission Analysis
Target: Daronane’s login. Victim’s public IP: 54.44.37.52. LAN IP: 172.16.6.7.
Initial Probe
Following Grey Hack Single Player Game Guide (1) - MapleGe’s method, I tried…
First, whois command for the admin email: [email protected]. Sent a “Login issue” email. Got Daronane’s password: pierra.
Tried ssh Daronane@pierra 54.44.37.52 to connect to 54.44.37.52. Failed. Error: incorrect user/password.
Figured I mistyped (manual input, right?). Tried a few more times, even copy-pasting. Still incorrect user/password. Gave up on that.
Browsed the IP. No clues, just “Metlifegroup. Everything you need for your tech company” and a pic (Raspberry Pi?). Guessed it was a forum, and Daronane a user there?
Game Localization
Remembered missing some Exploits tutorial info when hitting HackShop. Searched for game localization. Found [简体中文] (Simplified Chinese) on the Workshop, subscribed, restarted. UI still English.
Found Workshop download: steam_folder\steamapps\workshop\content\605230\2825584160. README.md said to drop its contents into C:\Users\%UserName%\AppData\LocalLow\Loading Home\Grey Hack\.
Actually, just custom_lang.json in that folder was enough.
Restarted the game, hit language on the left, picked Chinese. Localized.
Reading the Manual
Read the Exploits section in the localized manual (tbh, it felt almost the same as unlocalized). Still couldn’t wrap my head around it.
Further Exploration
Kept digging for guides, found nada. Then hit Grey Hack: A Relatively Simple Mission - Bilibili.
The term “script kiddie” in the article clicked: Exploits are basically real-world attack scripts.
Misguided Exploration
Grabbed scanlib and scanrouter from HackShop.
Ran scanlib 54.44.37.52. Output: Missing metaxploit. No idea what that meant.
nmap 54.44.37.52 showed two open ports: 22 (SSH) and 80 (HTTP).
scanrouter revealed Kernel_router.so:V1.0.0 on the server. Searched for scripts, found one: “Get access to a shell”, no requirements.
Downloaded it to /home/yexca/hacktool. Navigated there, ran KernelRouterAccess 54.44.37.52. Error: Can't find metaxploit library in the /lib path or the current folder.
Note: Initially, I didn’t rename this script. Later, I renamed it to KernelRouterAccess for clarity in this post. Other scripts mentioned here were also renamed after initial download, differing from their store names.
Error pointed to a missing file. /lib? Was the target server missing the file, thus couldn’t recognize it and grant access?
Rethinking
nmap showed ports 22/80. My guess: victim’s a forum user. So, HackShop for an HTTP script. Found one: “Grant access to the file /etc/passwd and decipher its contents.” Requirement: “Minimum number of 1 users registered in the computer”. Forum implied multiple users, unlikely they’d dev as root.
Downloaded the script, ran HttpPasswd 54.44.37.52 80. Same error: Can't find metaxploit library in the /lib path or the current folder.
No surprise there. scanrouter only found Kernel_router.so:V1.0.0, no libhttp.so or anything similar.
Picked the HTTP script because that article said: “Just get the mission done; no remote connection needed, and local script execution leaves no traces.”
Okay, let’s retry SSH. HackShop for SSH scripts. Found one: “Take advantage of a vulnerability in the ssh service to inject a new password to a registered user.” Requirement: “Any user logged in the computer.” Devs would have logged in, so this should work.
Downloaded, ran SSHPasswd 54.44.37.52 22. Still hit with Can't find metaxploit library in the /lib path or the current folder.
WTF??? Is their /lib totally empty? Am I supposed to try every script type to map /lib contents? I’ll go broke!
On the Right Track
Hit the search engine for guides. Nothing.
Recalled the error: Can't find metaxploit library in the /lib path or the current folder. I only saw /lib and metaxploit before. But “or the current folder”? Did that mean my local script directory? Would I need to download every libssh.so-like dependency just to run an exploit?
Checked the black market, no libssh.so or similar. Recalled apt-get exists in-game (like real Linux). Ran apt-get search ssh. Bingo, libssh.so popped up. apt-get install libssh.so to install SSH.
Installed. Ran SSHPasswd 54.44.37.52 22. Still got Can't find metaxploit library in the /lib path or the current folder.
Seriously, I’m out!!!
Back to HackShop. Scrolled through Tools. metaxploit.so jumped out. Wait, isn’t that the “metaxploit” from the error? Pair that with “current folder” – was it missing this all along?
Downloaded it to the script dir (/home/yexca/hacktool). Since scanrouter only saw Kernel_router.so, I ran KernelRouterAccess 54.44.37.52. Boom! Access granted!
Gaining Access
Got access, first thought: delete logs. FileExplorer.exe to /var/system.log. Permission denied. Guest access, great. Tried /etc/passwd for password files. Still Permission denied. (Seriously, I probed almost every file).
Ugh, what’s the point of this script then?!
SSH script changes passwords, too risky. Switched to the HTTP script to grab passwords. HttpPasswd 54.44.37.52 80. Got: can't read /etc/passwd. Permission denied. Saw I was still guest. I was like…
Ended up using the SSH script. SSHPasswd 54.44.37.52 22, new password 114514. Successfully changed Farraze’s password.
Ran ssh Farraze@114514 54.44.37.52, got into the victim’s machine. cat /etc/passwd pulled the encrypted root password info.
Locally, touch mima.txt, pasted the root password info, then decipher mima.txt. Root password: 44444 (seriously?).
exit to disconnect. ssh root@44444 54.44.37.52 got me in as root.
Inside the Machine
First thing inside: delete logs. Users: Ralancl, Farraze. No Daronane. Still a forum user? Scoured the machine, found zip. (Transferred their cash to my account, btw~).
Mission brief mentioned 172.16.6.7.
ping 172.16.6.7. “Ping successful”. My own machine couldn’t ping it (obvious, it’s an internal network).
nmap 172.16.6.7 for open ports. Got command not found.
Ugh, guess I’ll have to drop my command binaries into /bin on this machine.
Copied. Ran nmap 172.16.6.7 again. Port 3306 open, service employees. What’s employees?
Search engine confirmed: 3306 is usually a DB port. SQL script time.
Password Acquired
Hit HackShop, searched scripts. Found one: “Take advantage of a vulnerability in the sql service to inject a new password to a registered user.” Requirement: “Any user logged in the computer.” DB creation implies users logged in.
Downloaded. SqlChangePasswd 172.16.6.7 3306. Error: Connection refused. Address unreachable. Access denied. Right, DBs are usually whitelisted.
Moved script and metaxploit.so to victim’s /root. Retried the command, set password to 114514 for user Osquel.
Okay, now what? Password changed, but only 3306 is open. Can’t get in! XD
Alright, back to HackShop. Script search. Found one: “Prints the contents of the file /etc/passwd”. Requirement: “Any user logged in the computer.” Same as the last one.
Dropped the script into victim’s /root. SqlPrintPasswd 172.16.6.7 3306. Got all user passwords, Daronane included.
Copied to my machine, decrypted: password pierra.
??? Sent the password to the client. Confirmed???
Seriously…
Epic! (From YouTuber Hei Biaoke)
Afterword
Got the password via email from the start. Then I spent ages getting it again. (Speechless, seriously).
Got 200, but my scripts cost way more (net loss, lol). Still, scripts are reusable, and the exploration was pretty fun!
Guides for this game are practically nonexistent. If you’re looking for one, hope this helps!