Had a great time playing through the amazing game created by Phil Young (Soldier of Fortran @mainframed767). What makes thing project amazing is that it was written in HyperCard 2.4 and runs only on the old Apple Macintosh systems (Macintosh 7.0.1) as seen in a screenshot below. So getting into it requires a dedication that a “hacker” should have. The idea is brilliant and introduces people to the concept of Mainframe hacking (many people don’t even know what Mainframes were or are )
The game can be played online from Archive.org’s simulation here https://archive.org/details/MainframeHackingCYOA or local if you download the images from Archive.org
https://archive.org/download/MainframeHackingCYOA/HyperCardBootSystem7.img https://archive.org/download/MainframeHackingCYOA/MainframeHacker.img
You can use the minivmac (https://github.com/jsdf/minivmac) or the pce (http://www.hampa.ch/pce/download.html) both work fine for the MainframeHackingCYOA. I have managed to run the game on simulated Alpha DS25 via alphavm 
or on a MIPS CI20 development board (running the retro CDE)
Since we got this far I wanted to take an opportunity to describe my experience during the gameplay and show some interesting points this game makes. Again big thanks to Soldier of Fortran for this gem !
We start the game simply by being curious. I recommend to go through this yourself .. before reading the below.
And enter the Cyberspace
Who would not like to pick up a phone like the Matrix dudes did ?
OPSEC at its best
Lets Dial in – no time for bed
Honestly who remembers the BBS days ? Seems like eons ago.
If you are using a non Macintosh keyboard, the zxcvbnm,./ keys are shifted by one to the right.
So we check what is available for reading
Interesting E Corp … and the logo :) Mr. Robot style :) and a password ECoprp@18 but no username …..
And here are the instructions from the SYSOP what to do.
So off we go to Connect
Now this is quite informative. Nmap, Metasploit and Hydra is a daily bread to any security researcher but c3270( curses-based IBM host access tool) not so much (http://x3270.bgp.nu/download.html)
So we first run an nmap scan and probe open ports to determine service/version info and start hacking…
Here we learn briefly about TSO, CICS and the VTAM on the Mainframes and the corresponding nmap NSE scripts that can be used for enumeration. Lets check that telnet port first …
So we ran the VTAM enumeration against the telnet port 23 we have found earlier and learn about the TSOPRD, TSODEV, CICSPRD1 and CICSPRD2 applids. We can use the information to enumerate the CICS on the Mainframe as seen below. Remember that we have a password from the leaked Ecorp document off the BBS ( ECorp@18) so we use these credentials for CICS enumeration here … Lets query the TSODEV and see what information comes out.
To get the list of valid usernames we can use FTP brute via Hydra in this example to bruteforce using the known password (ECorp@18)
So here we get a list of valid users ” x003 , x888 and x420 ” OK, we have gathered enough information so we can get to the final stage of attacking TSO and CICS
Now if you get lucky and choose a privileged user from the above you can finish the game quickly .. x420 looks like it must have some weight … what I did however was using x003 and TSO attack
Before we priv escalate lets search the Warnings
SYS1.PARMLIB is in WARN mode ..hmm .. what does search BPX.* reveal ?
Not much rights there, so lets see what we get from SURROGAT
I knew it x420 must have some higher powers. So we try the last possibility here APF Authorized
Escalate Privileges … (man I wish hacking was this easy ..)
But I got stuck here .. maybe I have done something wrong .. but there was no way to go back from this screen and I suspect this to be a deadlock. Only thing at this moment was to reload the simulation and start over … since I already got the info that x420 will be the super user … I went straight into attacking the CICS -> starting over
And skipping to the CICS part… this time we use the x420 user and the ECorp@18 creds
heh ..another user x525 … lets see what CICSPwn brings
Reverse Shell nothing ….
Bind shell gets through
And sending the Result
Thank you @mainframed767 this was fun to play through (a little tricky with the keyboard shift… but fun)
So we have learned a few things here … time to study the above code from this git repo github.com/ayoul3
https://github.com/ayoul3/cicspwn https://github.com/ayoul3/Privesc https://github.com/ayoul3/Rexx_scripts https://github.com/ayoul3/JCL_scripts https://github.com/ayoul3/wc3270_hacked
Here are the @mainframed767 Youtube resources about Mainframe security
And maybe starting to learn from scratch using HERCULES https://github.com/hercules-390/hyperion
