Whether you miss the good old days of Telnet or you want to know what hacking was like when security was nothing but an afterthought, Telehack is the game for you. The text-based hacking game is a simulation of a stylized combination of ARPANET and Usenet, circa 1985 to 1990, with a full multi-user universe and player interactions, including 26,600 hosts.
Before cloud computing, social media, and online shopping, there existed something called ARPANET, the precursor to the internet as we know it. When ARPANET expanded in the '80s, it became the wild west of computers. PCs were just becoming a thing and were no longer reserved for prestigious universities and national laboratories. And hacking didn't even become illegal until 1986 when the Federal Computer Fraud and Abuse Act became law.
After that, pop culture made hackers out to be super intelligent savants capable of doing anything with a computer, and movies like "WarGames" exacerbated the notion.
Hacking back then was far from what we'd be able to recognize today, involving modems and literally dialing up a computer. And hacks were much simpler, sometimes as simple as changing a file name. There's actually a fascinating Nova documentary that involves the story of a computer scientist discovering KGB hackers back in 1990. Watch it, and you'll see just how far we've come.
Thanks to the hard work of Forbin, who's named after the chief designer of a supercomputer in the "Colossus: The Forbin Project" movie, we can all experience that same style of hacking without having to camp out in a computer lab or use a jerry-built pager.
Telehack has quite a few amazing features:
- Over 26,000 simulated hosts, with historically accurate ghost users gathered from UUCP network maps.
- Group chats with relay, and one-on-one chats with send or talk.
- Reconstructed Usenet archives from the Wiseman collection.
- A BASIC interpreter.
- Adventure, Zork, and other Z-code text adventure games.
- And naturally hidden hosts and programs that you can only find by hacking Telehack itself.
If any of that sounds fun to you, then let's see how you can become part of the experience too. You don't even need to open a terminal window to play.
Step 1: Access Telehack
While you could use telnet telehack.com to telnet directly into the game, it's not the best option as far as security goes; leaving Telnet enabled on a Windows machine can leave you quite vulnerable. Instead, I recommend connecting via SSH or merely using the telehack.com website. SSH is the safer of the two as you'll be using an encrypted tunnel.
If you're going to SSH, two great clients are PuTTY or my personal favorite, the secure shell app for Chrome. When you go to connect, use the IP address 64.13.139.230 and port 6668. Once you've connected, you'll default to a guest user account, and the basic commands will be displayed.
Connected to TELEHACK port 75
It is 4:06 pm on Friday, May 15, 2020 in Mountain View, California, USA.
There are 45 local users. There are 26639 hosts on the network.
Type HELP for a detailed command list.
Type NEWUSER to create an account.
May the command line live forever.
Command, one of the following:
2048 ? a2 ac advent basic
bf c8 cal calc ching clear
clock cowsay date echo eliza factor
figlet finger fnord geoip help hosts
ipaddr joke login mac md5 morse
newuser notes octopus phoon pig ping
primes privacy qr rain rand rfc
rig roll rot13 sleep starwars traceroute
units uptime usenet users uumap uupath
uuplot weather when zc zork zrun
.
Step 2: Create an Account
With a connection established, it's time to create an account with the newuser command. You'll be asked whether you're under the age of 13, and if you want to read the privacy policy; you can simply respond n to each assuming you're over 13 years old.
.newuser
Are you under 13 years of age? (y/N) n
Read privacy policy? (Y/n) n
Your username must be between two and nine characters in length, beginning with a lowercase letter. It can only contain lowercase letters and digits.
Username: hoid
Password: ************
Re-enter password: ************
Next, you'll be asked if you want to enable a recovery email. I strongly recommend that you do, as you don't want to lose all of your efforts just because you forgot a password. Once you've retrieved the verification code from your email and entered it in the terminal, your user account will be created.
Enable password resets via e-mail? (Y/n) y
E-mail address:
A verification code has been sent.
Enter "resend" to resend the verification code.
Verification code: ****
Logged in as user HOID.
Step 3: Check Your 'Email'
The first thing you should notice after your account is created — before your first command prompt even appears — is the message that you've got mail.
You have mail.
@
This email is far from the Gmail you're likely used to. It's all command-line based with no GUI at all. You can see the entire process of how these emails would have been sent in the following 1980s-era BBC special.
To check your first email, you need to run the mail command. Doing so will display the mail version and revision date, which is 1983! The second line will display the number of emails in your inbox. Starting with the third line, you will see >N and the name of the sender, age of the message, and the email's title. In this case, we have a welcome email from the creator of the game, Forbin.
@mail
Mail version 1.1 6/6/83. Type ? for help.
1 message
>N 1 forbin 4m Welcome to Telehack!
&
To open an email, use read and then the number of the email. So in our case, we can read Forbin's email with the read 1 command (though, if you only have one email, you can actually skip the number).
From: forbin
To: hoid
Date: Tue, 15 May 2020 09:50:42 -0700
Subject: Welcome to Telehack!
Thank you for checking out Telehack!
You can get started by reading telehack.txt.
If you get stuck, try going into RELAY to ask a question,
or check out the user-maintained Telehack Wiki:
http://telehack.wikia.com/
Have fun!
- Forbin
Once you've read an email, you can delete it with delete and then the number of the email, such as delete 1. Or, if it's only one email, delete by itself should work.
After you've read all the emails, you can close the program with exit. An easy way to tell where you are is by the command prompt. When you have & prompt, it means you're in your email, and @ means you're the root user of your Telehack account.
&exit
@
When you log out of your mail, you'll get your first achievement, postmaster!
operator: +priv POSTMASTER. nice job..
@
Step 4: Check Your Local Directory
Now, let's take a look around and see what we have access to. Use the ls command to show all of the files in the current working directory.
@ls
advent.gam againstip.txt basic.man basic15.a2
bbslist.txt c8test.c8 changelog.txt colossus.txt
command.txt crackdown.txt do-well.txt etewaf.txt
finger.txt fnord.txt future.txt graph.png
hammurabi.bas ien137.txt jfet.a2 johnnycode.txt
k-rad.txt learncode.txt leaves.txt lem.bas
lostpig.gam mastermind.bas notes.txt orange-book.txt
oregon.bas porthack.exe privacy.txt rogue.gam
rootkit.exe satcom.man smile.c8 starwars.txt
sysmon.txt telehack.txt underground.txt unix.txt
wardial.exe wumpus.bas xmodem.exe zork.gam
@
You'll see quite a few files, and most importantly, four executables: rootkit, wardial, porthack, and xmodem. These will be our first tools for hacking other hosts on the network. There are also quite a few text files you can read. Let's take the advice of the email and start with telehack.txt, which can be read with the more telehack.txt command.
@more telehack.txt
Telehack
Telehack is a simulation of a stylized arpanet/usenet, circa 1985-1990.
It is a full multi-user simulation, including 26,600 hosts and BBS's
from the early net, thousands of files from the era, a collection of
adventure and IF games, a working BASIC interpreter with a library of
programs to run, simulated historical users, and more.
Connecting
----------
On the web: http://telehack.com/
or open a shell and type
telnet telehack.com
Telehack is accessible via
* Telnet on ports 23 (the standard telnet port), 443, 1337, 8080 and 31173
* HTTP on port 80 (the standard HTTP port)
* SSH on port 6668
* FTP on port 21 (the standard ftp port) NOTE: The FTP server is RFC 959
compliant and will likely not work with more modern FTP clients
Accessibility
-------------
Non-sighted users: please type STTY /dumb after connecting to telehack.
This will invoke plain terminal mode in the Z-code games and avoid using
ANSI cursor addressing.
For users connecting with Teletypes or other Teleprinter Terminal setups
please type STTY /tty after connection to switch telehack into a more Teletype
friendly mode.
About this Document
-------------------
Telehack is case-insensitive. Commands are often shown in uppercase to
distinguish them from surrounding text. Note that you do not need to type
commands in all-caps. For example:
Type DIR for a list of files
operator: +priv RTFM. congrats
--More--(6%)
The file contains all kinds of information about using and accessing Telehack, as well as how to get help and unstuck. The Enter or Down Arrow key will scroll down a single line at a time while Space bar will page down. The B key can be used to go back a page.
I strongly suggest that you read through this file as information could be quite useful if you end up getting into the game. When you make it to EOF (end of file), you'll even find a nice little Easter egg.
EOF
---
http://www.youtube.com/watch?v=Y6ljFaKRTrI
@
Step 5: See Who's Online & Check Your Score
If you're like me (very competitive), then something you'll be very interested in is checking who's online and comparing scores. To see other users, we can run the finger command, which will show us all kinds of interesting information such as username and status, what port they're on, when they last logged in, and what they're doing, as well as where they are in the world.
@finger
TELEHACK SYSTEM STATUS 15-May-20 12:10:41
51 users load 0.00 up 51d
port username status last what where
---- -------- ------ ---- ---- -----
0 operator System Operator 6m console
* 85 hoid Hoid 0s finger [REDACTED]
43 - 2s Ho Chi Minh, Vietnam
39 gamax GAMAx 11s telekomb Modena, Italy
57 - 1m Santa Rosa, CA
31 forbin Starfish Prime 4m relay Mountain View, CA
60 underwood Tough TTY 8m relay London, UK
74 mendax Mendax 9m relay Pompano Beach, FL
53 chuk Shut up and dance 9m San Francisco, CA
68 deltas1x Supreme HACKERMAN 14m relay Pineville, NC
75 b077 ooga booga 16m relay Kermit, WV
81 - 19m Aguadilla, Puerto Rico
58 smittyone Original Kinkster 22m relay Hull, UK
82 partyman Czech Hacker :D 24m pppd Prague, Czechia
84 nsamrsoc NSA MRSOC-SIGINT 28m ptycon San Antonio, TX
@
While users do seem to be from the United States predominately, there are quite a few logged in from every corner of the globe.
If you're curious about a particular user, you have two options. You can check a specific user's detailed stats with finger {username}. If they look like they might be doing something exciting, try using the link {port number} command. If they're not running a program to block the action, you'll be able to see what they're typing in the console in real-time.
@finger hoid
USER: hoid
status message: Hoid
system level: 3 (USER)
location: [REDACTED]
first login: 23m
last active: 0s
system connects: 1
commands executed: 9
user status bits:
RTFM Was that so hard? 15-May-20 12:02:10
POSTMASTER I read your e-mail 15-May-20 11:56:47
ACCT Registered User 15-May-20 11:50:42
No plan.
@
The finger command also works on NPC users when you start encountering them on remote hosts.
Step 6: Connect to Other Computers on ARPANET
On the internet, you're used to being able to navigate to any website or server you want to — it's not like that on ARPANET. Instead, you can only access hosts one hop away from you, i.e., those that you have a direct connection to. To access the table of hosts available to you, run the netstat command. The list of hosts is different from the user list and seems to be based on geographical location or random generation.
@netstat
host organization location
---- ------------ --------
acract American Computer Rental, Inc. Arlington, VA
adaptex Adaptec Inc. Grapevine, Texas
dustbin cisco Systems Menlo Park, CA
los O'Reilly Associates Gilford, CT
mimsy University of Maryland, College Park College Park, MD
oddjob University of Chicago Chicago, Illinois
omalos Technical University of Crete, Chani Greece
oracle Oracle Corporation Belmont, CA
tandem Tandem Computers, Inc. Cupertino, CA
ucselx San Diego State University San Diego, CA
veritas VERITAS Software Santa Clara, CA
@
In modern times, guest user access is disabled by default and considered a security risk, but in the good old days, it was considered a courtesy to have guest accounts on your computer for anyone that wished to use it. It's one of those funny little quirks of times long past when security wasn't yet a significant concern in people's minds.
Use telnet {hostname} to access one of the hosts.
@telnet mimsy
Trying...
Connected to MIMSY
- Connected to University of Maryland, College Park -
Username:
Once you're connected, use guest as the login, and you should be granted guest user access.
Username: guest
DEC Vax-8600 4.3BSD
Last interactive login on Tue May 15 12:26:43 CDT 2020
Note: modem lines have changed.
New number: 301.405.2749
/etc/motd:
Note: KABACHOK has ROOT here as of Mon May 15 09:02:18 CDT 2020
mimsy$
There are a few things you should take note of when you log in to a new host. You might see a phone number that can be used to dial and connect to the network using xmodem. But most importantly, for us, and in the context of the game, is /etc/motd, if it's active and displaying a note that that particular user has rooted the host.
To be clear, the user is another player. It essentially means they own the host, and they have captured the flag, so to speak. One of your goals in the game should be getting as many root user accounts as possible. Unfortunately, for the moment, we're stuck with guest user access, which is the lowest level and has very restricted privileges.
The command prompt will help you keep track of where you are. For example, when logged in to a host, it will have the host's name and then $ for a regular user and @ for a root account.
You can spend some time exploring around the guest user account using standard Linux commands like cd and ls. When you're ready to leave, you can use exit or Control-D to disconnect from the remote host.
mimsy$
%connection closed
@
Step 7: Gain User Access
Guest user access won't get us very far, so let's change that. Now that we're familiar with navigating around the network, we can start scanning for available ports and try to exploit them. Luckily, we have a tool just for that.
If you remember from our directory, we have porthack.exe. That's the tool we can use to gain access to a user account on a host. Use run porthack.exe or simply porthack in your default terminal and use y to continue.
@run porthack.exe
///////////////////////////////////////
// Porthack 2.0 by FORBIN //
///////////////////////////////////////
Continue? (y/n) y
Now, if you remember the hostname from before, just use that, but if you want to see the table of hosts again, you can now use the ? mark. Eventually, you'll want to scan all of the hosts, but for now, just the one will do.
enter host (? for list): ?
host organization location
---- ------------ --------
acract American Computer Rental, Inc. Arlington, VA
adaptex Adaptec Inc. Grapevine, Texas
dustbin cisco Systems Menlo Park, CA
los O'Reilly Associates Gilford, CT
mimsy University of Maryland, College Park College Park, MD
oddjob University of Chicago Chicago, Illinois
omalos Technical University of Crete, Chani Greece
oracle Oracle Corporation Belmont, CA
tandem Tandem Computers, Inc. Cupertino, CA
ucselx San Diego State University San Diego, CA
veritas VERITAS Software Santa Clara, CA
enter host (? for list): mimsy
Now the program will run a port scan just like Nmap would and returns its findings. All of the hosts tend to have a lot of ports open. You'll probably see quite a few that you're unfamiliar with, such as Tivoli Object Dispatcher.
probing MIMSY for open sockets...
port service desc
---- ------- ----
21 ftp File Transfer [Control]
23 telnet Telnet
79 finger Finger
94 objcall Tivoli Object Dispatcher
171 multiplex Network Innovations Multiplex
513 login remote login a la telnet
Once you pick a port, porthack will run a buffer overflow, an attack where the program starts writing on boundary memory after it exceeds the data capacity of a buffer. Porthack uses it to run code that will add you as a user. Machines during this period were particularly vulnerable to it because of the limited memory capacity they had, measured in kilobytes and megabytes, as opposed to the gigabytes of terabytes we're used to today.
If there's a rhyme or reason to which ports are vulnerable, I have yet to discern it. They may be randomly chosen in the game, but at least one port will be vulnerable to every host. I tend just to work my way down the port list.
If you ever lose access to that host, the same port will be vulnerable again, so it might be worth taking notes as you go along.
port to try? 21
attempting buffer overrun against port 21/ftp...
%porthack error - buffer overrun exploit failed
...try another port
port to try? 171
attempting buffer overrun against port 171/multiplex...
* mimsy security compromised *
installing TSR loopjacker...
adding user HOID to system accounts...
uploading command aliases to remote shell...
** porthack complete **
Type TELNET MIMSY to login.
Note: To login, use your current username and password.
Your credentials have been installed on the remote system
and will grant you access.
operator: +priv HACKER. nice job
Congratulations! Just like that, you've compromised your first system and got the hacker achievement! Now you can use a command like rlogin {hostname} to automatically log in to that host and have all the privileges of a full user.
@rlogin mimsy
Trying...
Connected to MIMSY
- Connected to University of Maryland, College Park -
Username:
Password:
DEC Vax-8600 4.3BSD
Last interactive login on Tue May 15 12:36:10 CDT 2020
Note: modem lines have changed.
New number: 301.405.2749
/etc/motd:
Note: KABACHOK has ROOT here as of Mon May 15 09:02:18 CDT 2020
mimsy$
Step 8: Steal Some Programs
We can take this hack one step farther and steal sensitive documents and programs from the host. To do so, we need to access the file transfer protocol (FTP) server. From your home terminal, use ftp {host name} and then type in your username and password manually.
@ftp mimsy
Connected to mimsy.
220 mimsy FTP server (Version 4.109 Wed Nov 19 21:52:18 CST 1986) ready.
Name (mimsy:hoids): hoids
331 Password required for hoid
Password: ************
230 User hoid logged in
Remote system type is UNIX.
Using BIN mode to transfer files.
ftp>
From here, we can look for useful programs with ls .exe, which will show us everything in the directory filtered for files ending in .exe.
ftp> ls *.exe
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rwxr-xr-x 1 bin bin 136651 Jul 13 1981 killproc.exe
226 Transfer complete
ftp>
The game guarantees that there will be one useful program on every host. In this case, we found killproc.exe, which is a program that we can use to kill another user's process. It's beneficial for getting root on a host when someone else already has it. Download the file with get {file name}.
ftp> get zcheat.exe
200 PORT command successful
150 Opening BIN mode data connection for killproc.exe (136651 bytes)
100% |===================================================>|
226 Transfer complete
136651 bytes received in 29 secs (4.60 kB/s)
While we're here, we can also add files to the host from our local machine. The first thing you should always add is porthack.exe, which will allow you to hack hosts connected to this compromised host. Use the put {file name} command.
ftp> put porthack.exe
200 PORT command successful
150 Opening BIN mode data connection for porthack.exe (27542 bytes)
100% |===================================================>|
226 Transfer complete
27542 bytes sent in 8 secs (3.36 kB/s)
When you're done, exit ftp.
ftp> exit
221 Goodbye.
Step 9: Start Your Hacker Quest
Moving between random 1980s machines and hacking them can be entertaining on its own, but if you're the kind of person that needs a goal or narrative of some sort, then I've got just the thing for you. Go to the Telehack terminal and type in the command quest and press Enter.
@quest
QUEST
Hacker Quest Challenge 1.14
maintained and adjudicated by -=[ DarkNet / Continuity ]=-
Preparing your challenge..........done
Your challenge is:
Hack your way to the host: INMET
The host contains this file: QX17471.SYS
Read this file and it will give you further instructions.
Good luck!
@
Now you have the exciting task of finding a particular host out of the over 26,000 on the network! That host has a file giving you further commands that will lead you on to yet other hosts and mysteries. On your quest, you'll hack hundreds of other hosts, find more executables, and uncover all kinds of long lost data.
To start your quest, I recommend gaining user accounts on all of the tier 1 hosts available to you.
That can be achieved by displaying the hosts with netstat and using the porthack.exe to gain a user account. Netstat will help you keep track of which hosts you have compromised by putting a * next to them.
@netstat
host organization location
---- ------------ --------
* acract American Computer Rental, Inc. Arlington, VA
* adaptex Adaptec Inc. Grapevine, Texas
* dustbin cisco Systems Menlo Park, CA
* los O'Reilly Associates Gilford, CT
* mimsy University of Maryland, College Park College Park, MD
* oddjob University of Chicago Chicago, Illinois
* omalos Technical University of Crete, Chani Greece
* oracle Oracle Corporation Belmont, CA
* tandem Tandem Computers, Inc. Cupertino, CA
* ucselx San Diego State University San Diego, CA
* veritas VERITAS Software Santa Clara, CA
From there, you should be able to log in to each of the hosts with rlogin and run netstat again to pivot into the networks available to that host. Going on like this, you should be able to find your target eventually. If you're having trouble finding your quest target, universities always make great pivot points because they tend to have the most connections to other hosts.
mimsy$ netstat
host organization location
---- ------------ --------
ames NASA Ames Research Center Moffett Field, CA
anagld Analytics, Inc. Columbia, MD
aplcen Johns Hopkins University, APL Center Laurel, MD
arinc Aeronautical Radio, Inc. Annapolis, MD
black-silicon Black Silicon, Fortress Of Computati McLean Virginia
blenny Roy's Retirement Research Silver Spring Mary
casemo CASE / Datatel, Inc. Annapolis Junction
cp1 Chesapeake & Potomac Tel. Companies, Silver Spring, MD
cvl Center for Automation Research, Univ College Park, MD
elsie National Institutes of Health Bethesda, MD
eneevax Elec. Eng. Dept., U of Maryland, Col College Park, MD
fe2o3 Private New Jersey
fnord Inst. For Adv. Comp. Studies, Univer College Park, MD
hqda-ai US Army Artificial Intelligence Cent Washington, DC
kzin Kzinti Embassy, McLean Virginia McLean Virginia
mama The Soup Kitchen Virginia
mbph Department of Biophysics, Univ. of Baltimore, MD
nat-3 White Spot (North) VA USA
nbs-amrf National Bureau of Standards, Automa Gaithersburg, MD
nmrdc1 Naval Medical Research & Development Bethesda, MD
pixcom Pix Technologies Corporation College Park, MD
prometheus Prometheus II, Ltd. College Park, MD
& ramstein-piv-1.af.mil Ramstein Air Base GERMANY
rayssd Raytheon Company Portsmouth, RI
rlgvax Computer Consoles, Inc., Office Syst Reston, Virginia
rutgers Rutgers - The State University of Ne Piscataway, NJ
thinc Tomorrow's Horizons, Inc. (THINC) Bethesda, MD
tigger Palindrome ONLINE Richardson, Texas
umiacs Inst. For Adv. Comp. Studies, Univer College Park, MD
uunet UUNET Technologies, Inc Falls Church, VA
wb3ffv Advanced Business Solutions, Inc. Baltimore, MD
widener Widener University Computer Science Chester, PA
mimsy$
Go forth and conquer the Telehack universe! May the command-line live forever! And thanks for reading. If you have any questions, you can ask here or on Twitter @The_Hoid.
Cover image via The Double-O-Kid/Prism Pictures; Screenshots by Hoid/Null Byte
Comments
No Comments Exist
Be the first, drop a comment!