How to Hack Like It's 1987 (An Introduction to the Telehack Retro Game)

May 16, 2020 12:15 AM
637251579467928146.jpg

Whether you miss the good old days of Telnet or you want to know what hacking was like when security was nothing but an afterthought, Telehack is the game for you. The text-based hacking game is a simulation of a stylized combination of ARPANET and Usenet, circa 1985 to 1990, with a full multi-user universe and player interactions, including 26,600 hosts.

Before cloud computing, social media, and online shopping, there existed something called ARPANET, the precursor to the internet as we know it. When ARPANET expanded in the '80s, it became the wild west of computers. PCs were just becoming a thing and were no longer reserved for prestigious universities and national laboratories. And hacking didn't even become illegal until 1986 when the Federal Computer Fraud and Abuse Act became law.

After that, pop culture made hackers out to be super intelligent savants capable of doing anything with a computer, and movies like "WarGames" exacerbated the notion.

Hacking back then was far from what we'd be able to recognize today, involving modems and literally dialing up a computer. And hacks were much simpler, sometimes as simple as changing a file name. There's actually a fascinating Nova documentary that involves the story of a computer scientist discovering KGB hackers back in 1990. Watch it, and you'll see just how far we've come.

Thanks to the hard work of Forbin, who's named after the chief designer of a supercomputer in the "Colossus: The Forbin Project" movie, we can all experience that same style of hacking without having to camp out in a computer lab or use a jerry-built pager.

Telehack has quite a few amazing features:

  • Over 26,000 simulated hosts, with historically accurate ghost users gathered from UUCP network maps.
  • Group chats with relay, and one-on-one chats with send or talk.
  • Reconstructed Usenet archives from the Wiseman collection.
  • A BASIC interpreter.
  • Adventure, Zork, and other Z-code text adventure games.
  • And naturally hidden hosts and programs that you can only find by hacking Telehack itself.

If any of that sounds fun to you, then let's see how you can become part of the experience too. You don't even need to open a terminal window to play.

Step 1: Access Telehack

While you could use telnet telehack.com to telnet directly into the game, it's not the best option as far as security goes; leaving Telnet enabled on a Windows machine can leave you quite vulnerable. Instead, I recommend connecting via SSH or merely using the telehack.com website. SSH is the safer of the two as you'll be using an encrypted tunnel.

If you're going to SSH, two great clients are PuTTY or my personal favorite, the secure shell app for Chrome. When you go to connect, use the IP address 64.13.139.230 and port 6668. Once you've connected, you'll default to a guest user account, and the basic commands will be displayed.

Connected to TELEHACK port 75

It is 4:06 pm on Friday, May 15, 2020 in Mountain View, California, USA.
There are 45 local users. There are 26639 hosts on the network.

  Type HELP for a detailed command list.
  Type NEWUSER to create an account.

May the command line live forever.

Command, one of the following:
  2048        ?           a2          ac          advent      basic
  bf          c8          cal         calc        ching       clear
  clock       cowsay      date        echo        eliza       factor
  figlet      finger      fnord       geoip       help        hosts
  ipaddr      joke        login       mac         md5         morse
  newuser     notes       octopus     phoon       pig         ping
  primes      privacy     qr          rain        rand        rfc
  rig         roll        rot13       sleep       starwars    traceroute
  units       uptime      usenet      users       uumap       uupath
  uuplot      weather     when        zc          zork        zrun

.

Step 2: Create an Account

With a connection established, it's time to create an account with the newuser command. You'll be asked whether you're under the age of 13, and if you want to read the privacy policy; you can simply respond n to each assuming you're over 13 years old.

.newuser
Are you under 13 years of age? (y/N) n
Read privacy policy? (Y/n) n

Your username must be between two and nine characters in length, beginning with a lowercase letter. It can only contain lowercase letters and digits.

Username: hoid
Password: ************
Re-enter password: ************

Next, you'll be asked if you want to enable a recovery email. I strongly recommend that you do, as you don't want to lose all of your efforts just because you forgot a password. Once you've retrieved the verification code from your email and entered it in the terminal, your user account will be created.

Enable password resets via e-mail? (Y/n) y
E-mail address:
A verification code has been sent.
Enter "resend" to resend the verification code.
Verification code:  ****
Logged in as user HOID.

Step 3: Check Your 'Email'

The first thing you should notice after your account is created — before your first command prompt even appears — is the message that you've got mail.

You have mail.
@

This email is far from the Gmail you're likely used to. It's all command-line based with no GUI at all. You can see the entire process of how these emails would have been sent in the following 1980s-era BBC special.

To check your first email, you need to run the mail command. Doing so will display the mail version and revision date, which is 1983! The second line will display the number of emails in your inbox. Starting with the third line, you will see >N and the name of the sender, age of the message, and the email's title. In this case, we have a welcome email from the creator of the game, Forbin.

@mail
Mail version 1.1 6/6/83.  Type ? for help.
1 message
>N 1 forbin 4m Welcome to Telehack!
&

To open an email, use read and then the number of the email. So in our case, we can read Forbin's email with the read 1 command (though, if you only have one email, you can actually skip the number).

From: forbin
To: hoid
Date: Tue, 15 May 2020 09:50:42 -0700
Subject: Welcome to Telehack!

Thank you for checking out Telehack!

You can get started by reading telehack.txt.
If you get stuck, try going into RELAY to ask a question,
or check out the user-maintained Telehack Wiki:
  http://telehack.wikia.com/

Have fun!
    - Forbin

Once you've read an email, you can delete it with delete and then the number of the email, such as delete 1. Or, if it's only one email, delete by itself should work.

After you've read all the emails, you can close the program with exit. An easy way to tell where you are is by the command prompt. When you have & prompt, it means you're in your email, and @ means you're the root user of your Telehack account.

&exit
@

When you log out of your mail, you'll get your first achievement, postmaster!

operator: +priv POSTMASTER. nice job..
@

Step 4: Check Your Local Directory

Now, let's take a look around and see what we have access to. Use the ls command to show all of the files in the current working directory.

@ls
  advent.gam       againstip.txt    basic.man        basic15.a2
  bbslist.txt      c8test.c8        changelog.txt    colossus.txt
  command.txt      crackdown.txt    do-well.txt      etewaf.txt
  finger.txt       fnord.txt        future.txt       graph.png
  hammurabi.bas    ien137.txt       jfet.a2          johnnycode.txt
  k-rad.txt        learncode.txt    leaves.txt       lem.bas
  lostpig.gam      mastermind.bas   notes.txt        orange-book.txt
  oregon.bas       porthack.exe     privacy.txt      rogue.gam
  rootkit.exe      satcom.man       smile.c8         starwars.txt
  sysmon.txt       telehack.txt     underground.txt  unix.txt
  wardial.exe      wumpus.bas       xmodem.exe       zork.gam
@

You'll see quite a few files, and most importantly, four executables: rootkit, wardial, porthack, and xmodem. These will be our first tools for hacking other hosts on the network. There are also quite a few text files you can read. Let's take the advice of the email and start with telehack.txt, which can be read with the more telehack.txt command.

@more telehack.txt
                                Telehack

    Telehack is a simulation of a stylized arpanet/usenet, circa 1985-1990.
    It is a full multi-user simulation, including 26,600 hosts and BBS's
    from the early net, thousands of files from the era, a collection of
    adventure and IF games, a working BASIC interpreter with a library of
    programs to run, simulated historical users, and more.

Connecting
----------

On the web: http://telehack.com/

or open a shell and type

    telnet telehack.com

Telehack is accessible via

  * Telnet on ports 23 (the standard telnet port), 443, 1337, 8080 and 31173
  * HTTP on port 80 (the standard HTTP port)
  * SSH on port 6668
  * FTP on port 21 (the standard ftp port) NOTE: The FTP server is RFC 959
  compliant and will likely not work with more modern FTP clients

Accessibility
-------------

Non-sighted users: please type STTY /dumb after connecting to telehack.
This will invoke plain terminal mode in the Z-code games and avoid using
ANSI cursor addressing.

For users connecting with Teletypes or other Teleprinter Terminal setups
please type STTY /tty after connection to switch telehack into a more Teletype
friendly mode.

About this Document
-------------------

Telehack is case-insensitive.  Commands are often shown in uppercase to
distinguish them from surrounding text.  Note that you do not need to type
commands in all-caps.  For example:

    Type DIR for a list of files
operator: +priv RTFM. congrats
--More--(6%)

The file contains all kinds of information about using and accessing Telehack, as well as how to get help and unstuck. The Enter or Down Arrow key will scroll down a single line at a time while Space bar will page down. The B key can be used to go back a page.

I strongly suggest that you read through this file as information could be quite useful if you end up getting into the game. When you make it to EOF (end of file), you'll even find a nice little Easter egg.

EOF
---

    http://www.youtube.com/watch?v=Y6ljFaKRTrI

@

Step 5: See Who's Online & Check Your Score

If you're like me (very competitive), then something you'll be very interested in is checking who's online and comparing scores. To see other users, we can run the finger command, which will show us all kinds of interesting information such as username and status, what port they're on, when they last logged in, and what they're doing, as well as where they are in the world.

@finger
TELEHACK SYSTEM STATUS  15-May-20  12:10:41
51 users  load 0.00  up 51d

  port username   status                last what      where
  ---- --------   ------                ---- ----      -----
  0    operator   System Operator       6m             console
* 85   hoid       Hoid                  0s   finger    [REDACTED]
  43   -                                2s             Ho Chi Minh, Vietnam
  39   gamax      GAMAx                 11s  telekomb  Modena, Italy
  57   -                                1m             Santa Rosa, CA
  31   forbin     Starfish Prime        4m   relay     Mountain View, CA
  60   underwood  Tough TTY             8m   relay     London, UK
  74   mendax     Mendax                9m   relay     Pompano Beach, FL
  53   chuk       Shut up and dance     9m             San Francisco, CA
  68   deltas1x   Supreme HACKERMAN     14m  relay     Pineville, NC
  75   b077       ooga booga            16m  relay     Kermit, WV
  81   -                                19m            Aguadilla, Puerto Rico
  58   smittyone  Original Kinkster     22m  relay     Hull, UK
  82   partyman   Czech Hacker :D       24m  pppd      Prague, Czechia
  84   nsamrsoc   NSA MRSOC-SIGINT      28m  ptycon    San Antonio, TX
@

While users do seem to be from the United States predominately, there are quite a few logged in from every corner of the globe.

If you're curious about a particular user, you have two options. You can check a specific user's detailed stats with finger {username}. If they look like they might be doing something exciting, try using the link {port number} command. If they're not running a program to block the action, you'll be able to see what they're typing in the console in real-time.

@finger hoid
USER: hoid
   status message:        Hoid
   system level:          3 (USER)
   location:              [REDACTED]
   first login:           23m
   last active:           0s
   system connects:       1
   commands executed:     9

   user status bits:
     RTFM           Was that so hard?          15-May-20  12:02:10
     POSTMASTER     I read your e-mail         15-May-20  11:56:47
     ACCT           Registered User            15-May-20  11:50:42

No plan.
@

The finger command also works on NPC users when you start encountering them on remote hosts.

Step 6: Connect to Other Computers on ARPANET

On the internet, you're used to being able to navigate to any website or server you want to — it's not like that on ARPANET. Instead, you can only access hosts one hop away from you, i.e., those that you have a direct connection to. To access the table of hosts available to you, run the netstat command. The list of hosts is different from the user list and seems to be based on geographical location or random generation.

@netstat
 host     organization                          location
 ----     ------------                          --------
 acract   American Computer Rental, Inc.        Arlington, VA
 adaptex  Adaptec Inc.                          Grapevine, Texas
 dustbin  cisco Systems                         Menlo Park, CA
 los      O'Reilly Associates                   Gilford, CT
 mimsy    University of Maryland, College Park  College Park, MD
 oddjob   University of Chicago                 Chicago, Illinois
 omalos   Technical University of Crete, Chani  Greece
 oracle   Oracle Corporation                    Belmont, CA
 tandem   Tandem Computers, Inc.                Cupertino, CA
 ucselx   San Diego State University            San Diego, CA
 veritas  VERITAS Software                      Santa Clara, CA
@

In modern times, guest user access is disabled by default and considered a security risk, but in the good old days, it was considered a courtesy to have guest accounts on your computer for anyone that wished to use it. It's one of those funny little quirks of times long past when security wasn't yet a significant concern in people's minds.

Use telnet {hostname} to access one of the hosts.

@telnet mimsy
Trying...
Connected to MIMSY

- Connected to University of Maryland, College Park -
Username:

Once you're connected, use guest as the login, and you should be granted guest user access.

Username: guest
DEC Vax-8600 4.3BSD

Last interactive login on Tue May 15 12:26:43 CDT 2020

Note: modem lines have changed.
   New number: 301.405.2749
/etc/motd:
  Note: KABACHOK has ROOT here as of Mon May 15 09:02:18 CDT 2020
mimsy$

There are a few things you should take note of when you log in to a new host. You might see a phone number that can be used to dial and connect to the network using xmodem. But most importantly, for us, and in the context of the game, is /etc/motd, if it's active and displaying a note that that particular user has rooted the host.

To be clear, the user is another player. It essentially means they own the host, and they have captured the flag, so to speak. One of your goals in the game should be getting as many root user accounts as possible. Unfortunately, for the moment, we're stuck with guest user access, which is the lowest level and has very restricted privileges.

The command prompt will help you keep track of where you are. For example, when logged in to a host, it will have the host's name and then $ for a regular user and @ for a root account.

You can spend some time exploring around the guest user account using standard Linux commands like cd and ls. When you're ready to leave, you can use exit or Control-D to disconnect from the remote host.

mimsy$
%connection closed
@

Step 7: Gain User Access

Guest user access won't get us very far, so let's change that. Now that we're familiar with navigating around the network, we can start scanning for available ports and try to exploit them. Luckily, we have a tool just for that.

If you remember from our directory, we have porthack.exe. That's the tool we can use to gain access to a user account on a host. Use run porthack.exe or simply porthack in your default terminal and use y to continue.

@run porthack.exe

    ///////////////////////////////////////
   //  Porthack 2.0          by FORBIN  //
  ///////////////////////////////////////

Continue? (y/n) y

Now, if you remember the hostname from before, just use that, but if you want to see the table of hosts again, you can now use the ? mark. Eventually, you'll want to scan all of the hosts, but for now, just the one will do.

enter host (? for list): ?

 host     organization                          location
 ----     ------------                          --------
 acract   American Computer Rental, Inc.        Arlington, VA
 adaptex  Adaptec Inc.                          Grapevine, Texas
 dustbin  cisco Systems                         Menlo Park, CA
 los      O'Reilly Associates                   Gilford, CT
 mimsy    University of Maryland, College Park  College Park, MD
 oddjob   University of Chicago                 Chicago, Illinois
 omalos   Technical University of Crete, Chani  Greece
 oracle   Oracle Corporation                    Belmont, CA
 tandem   Tandem Computers, Inc.                Cupertino, CA
 ucselx   San Diego State University            San Diego, CA
 veritas  VERITAS Software                      Santa Clara, CA

enter host (? for list): mimsy

Now the program will run a port scan just like Nmap would and returns its findings. All of the hosts tend to have a lot of ports open. You'll probably see quite a few that you're unfamiliar with, such as Tivoli Object Dispatcher.

probing MIMSY for open sockets...

 port service   desc
 ---- -------   ----
 21   ftp       File Transfer [Control]
 23   telnet    Telnet
 79   finger    Finger
 94   objcall   Tivoli Object Dispatcher
 171  multiplex Network Innovations Multiplex
 513  login     remote login a la telnet

Once you pick a port, porthack will run a buffer overflow, an attack where the program starts writing on boundary memory after it exceeds the data capacity of a buffer. Porthack uses it to run code that will add you as a user. Machines during this period were particularly vulnerable to it because of the limited memory capacity they had, measured in kilobytes and megabytes, as opposed to the gigabytes of terabytes we're used to today.

If there's a rhyme or reason to which ports are vulnerable, I have yet to discern it. They may be randomly chosen in the game, but at least one port will be vulnerable to every host. I tend just to work my way down the port list.

If you ever lose access to that host, the same port will be vulnerable again, so it might be worth taking notes as you go along.

port to try? 21
attempting buffer overrun against port 21/ftp...
%porthack error - buffer overrun exploit failed
...try another port

port to try? 171
attempting buffer overrun against port 171/multiplex...

  * mimsy security compromised *

installing TSR loopjacker...
adding user HOID to system accounts...
uploading command aliases to remote shell...

** porthack complete **

Type TELNET MIMSY to login.

  Note:  To login, use your current username and password.
  Your credentials have been installed on the remote system
  and will grant you access.
operator: +priv HACKER. nice job

Congratulations! Just like that, you've compromised your first system and got the hacker achievement! Now you can use a command like rlogin {hostname} to automatically log in to that host and have all the privileges of a full user.

@rlogin mimsy
Trying...
Connected to MIMSY

- Connected to University of Maryland, College Park -

Username:
Password:
DEC Vax-8600 4.3BSD

Last interactive login on Tue May 15 12:36:10 CDT 2020

Note: modem lines have changed.
   New number: 301.405.2749
/etc/motd:
  Note: KABACHOK has ROOT here as of Mon May 15 09:02:18 CDT 2020
mimsy$

Step 8: Steal Some Programs

We can take this hack one step farther and steal sensitive documents and programs from the host. To do so, we need to access the file transfer protocol (FTP) server. From your home terminal, use ftp {host name} and then type in your username and password manually.

@ftp mimsy
Connected to mimsy.
220 mimsy FTP server (Version 4.109 Wed Nov 19 21:52:18 CST 1986) ready.
Name (mimsy:hoids): hoids
331 Password required for hoid
Password: ************
230 User hoid logged in
Remote system type is UNIX.
Using BIN mode to transfer files.
ftp>

From here, we can look for useful programs with ls .exe, which will show us everything in the directory filtered for files ending in .exe.

ftp> ls *.exe
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rwxr-xr-x  1 bin  bin   136651 Jul 13  1981 killproc.exe
226 Transfer complete
ftp>

The game guarantees that there will be one useful program on every host. In this case, we found killproc.exe, which is a program that we can use to kill another user's process. It's beneficial for getting root on a host when someone else already has it. Download the file with get {file name}.

ftp> get zcheat.exe
200 PORT command successful
150 Opening BIN mode data connection for killproc.exe (136651 bytes)
100% |===================================================>|
226 Transfer complete
136651 bytes received in 29 secs (4.60 kB/s)

While we're here, we can also add files to the host from our local machine. The first thing you should always add is porthack.exe, which will allow you to hack hosts connected to this compromised host. Use the put {file name} command.

ftp> put porthack.exe
200 PORT command successful
150 Opening BIN mode data connection for porthack.exe (27542 bytes)
100% |===================================================>|
226 Transfer complete
27542 bytes sent in 8 secs (3.36 kB/s)

When you're done, exit ftp.

ftp> exit
221 Goodbye.

Step 9: Start Your Hacker Quest

Moving between random 1980s machines and hacking them can be entertaining on its own, but if you're the kind of person that needs a goal or narrative of some sort, then I've got just the thing for you. Go to the Telehack terminal and type in the command quest and press Enter.

@quest

QUEST

Hacker Quest Challenge 1.14
  maintained and adjudicated by -=[ DarkNet / Continuity ]=-

Preparing your challenge..........done

Your challenge is:

    Hack your way to the host: INMET
    The host contains this file: QX17471.SYS
    Read this file and it will give you further instructions.

Good luck!

@

Now you have the exciting task of finding a particular host out of the over 26,000 on the network! That host has a file giving you further commands that will lead you on to yet other hosts and mysteries. On your quest, you'll hack hundreds of other hosts, find more executables, and uncover all kinds of long lost data.

To start your quest, I recommend gaining user accounts on all of the tier 1 hosts available to you.

That can be achieved by displaying the hosts with netstat and using the porthack.exe to gain a user account. Netstat will help you keep track of which hosts you have compromised by putting a * next to them.

@netstat
  host     organization                          location
  ----     ------------                          --------
* acract   American Computer Rental, Inc.        Arlington, VA
* adaptex  Adaptec Inc.                          Grapevine, Texas
* dustbin  cisco Systems                         Menlo Park, CA
* los      O'Reilly Associates                   Gilford, CT
* mimsy    University of Maryland, College Park  College Park, MD
* oddjob   University of Chicago                 Chicago, Illinois
* omalos   Technical University of Crete, Chani  Greece
* oracle   Oracle Corporation                    Belmont, CA
* tandem   Tandem Computers, Inc.                Cupertino, CA
* ucselx   San Diego State University            San Diego, CA
* veritas  VERITAS Software                      Santa Clara, CA

From there, you should be able to log in to each of the hosts with rlogin and run netstat again to pivot into the networks available to that host. Going on like this, you should be able to find your target eventually. If you're having trouble finding your quest target, universities always make great pivot points because they tend to have the most connections to other hosts.

mimsy$ netstat
  host                   organization                          location
  ----                   ------------                          --------
  ames                   NASA Ames Research Center             Moffett Field, CA
  anagld                 Analytics, Inc.                       Columbia, MD
  aplcen                 Johns Hopkins University, APL Center  Laurel, MD
  arinc                  Aeronautical Radio, Inc.              Annapolis, MD
  black-silicon          Black Silicon, Fortress Of Computati  McLean Virginia
  blenny                 Roy's Retirement Research             Silver Spring Mary
  casemo                 CASE / Datatel, Inc.                  Annapolis Junction
  cp1                    Chesapeake & Potomac Tel. Companies,  Silver Spring, MD
  cvl                    Center for Automation Research, Univ  College Park, MD
  elsie                  National Institutes of Health         Bethesda, MD
  eneevax                Elec. Eng. Dept., U of Maryland, Col  College Park, MD
  fe2o3                  Private                               New Jersey
  fnord                  Inst. For Adv. Comp. Studies, Univer  College Park, MD
  hqda-ai                US Army Artificial Intelligence Cent  Washington, DC
  kzin                   Kzinti Embassy, McLean Virginia       McLean Virginia
  mama                   The Soup Kitchen                      Virginia
  mbph                   Department of Biophysics, Univ. of    Baltimore, MD
  nat-3                  White Spot (North)                    VA USA
  nbs-amrf               National Bureau of Standards, Automa  Gaithersburg, MD
  nmrdc1                 Naval Medical Research & Development  Bethesda, MD
  pixcom                 Pix Technologies Corporation          College Park, MD
  prometheus             Prometheus II, Ltd.                   College Park, MD
& ramstein-piv-1.af.mil  Ramstein Air Base                     GERMANY
  rayssd                 Raytheon Company                      Portsmouth, RI
  rlgvax                 Computer Consoles, Inc., Office Syst  Reston, Virginia
  rutgers                Rutgers - The State University of Ne  Piscataway, NJ
  thinc                  Tomorrow's Horizons, Inc. (THINC)     Bethesda, MD
  tigger                 Palindrome ONLINE                     Richardson, Texas
  umiacs                 Inst. For Adv. Comp. Studies, Univer  College Park, MD
  uunet                  UUNET Technologies, Inc               Falls Church, VA
  wb3ffv                 Advanced Business Solutions, Inc.     Baltimore, MD
  widener                Widener University Computer Science   Chester, PA
mimsy$

Go forth and conquer the Telehack universe! May the command-line live forever! And thanks for reading. If you have any questions, you can ask here or on Twitter @The_Hoid.

Cover image via The Double-O-Kid/Prism Pictures; Screenshots by Hoid/Null Byte

Comments

No Comments Exist

Be the first, drop a comment!