Since it’s not feasible to redistribute Microsoft Windows, you will need to provide and setup a Windows XP SP2 32bit image, and then install SandboxIE.
Do not download or install any updates for Windows.
Configure SandboxIE to restrict everything as much as possible. Create the directory c:\hammertime, make the file c:\hammertime\token.txt. Configure SandboxIE to forbid access to that directory for restricted processes. Once SandboxIE is configured, start up a sandboxed Internet Explorer.
You can test if Internet Explorer is appropriately restricted by trying to access file://c:/hammertime/token.txt, it should prevent access to that file.
The desktop picture should be created (via MS Paint), and stored in c:\windows\system32, and set as the background picture. There should be some obvious information stored there, such as a token, and this image.
The desktop picture should also have a rough diagram of the network with the FreeBSD server’s machine.
Create a file called “auth details.txt” with the contents of “admin / Sizzlechest”. Put that file in the recycling bin.
During the Ruxcon CTF, the admin / Sizzlechest was obtained by visiting a physical location. Hard to replicate that online though :-)
The network layout for Irate Manticore should look like the following:
[external network] - [vm host] - [irate manticore and glowing marsupial]
The network for irate-manticore and glowing-marsupial should be set up so that all traffic from them is NAT’d, and that no external network traffic is able to reach it. Due to the variety of virtual machine software and operating system combinations possible, more specific instructions are not provided.
You may wish to save the machine state now, so that you can go back to a pristine image as required.
Ensure that Internet Explorer is maximized, along with another application (such as notepad). In Internet Explorer, navigate to your chosen URL.
During the Ruxcon 2012 CTF, this part of the code was automated by polling the main CTF website and gettig the target URL from it.
Install a FreeBSD 8.2 x86 system, and enable the telnet service by uncommenting a line in /etc/inetd.conf, and restarting inetd. You may wish to install socat as well to make the attackers job a bit easier.
The aim behind Irate Manticore and Glowing Marsupial is to demonstrate network pivoting by first completing a client side attack, using the client side’d machine to attack the FreeBSD system, and then finally using the FreeBSD system to exploit the original machine to bypass SandboxIE.
Touchy Owl is distributed as a bootable cd-rom image, therefore, no special setup instructions are required.
Touchy Owl requires port 80 to be reachable, either via port forwarding, or suitable network setup.
Wild Amphibian is distributed as a zip file, so nothing special is required.
Storming Bear is distributed as a zip file, so nothing special is required.
Screaming Jesus is distributed as a zip file, so nothing special is required.
Fabled Scorpion is distributed as a bootable cd-rom image, therefore, no special setup instructions are required.
Fabled Scorpion requires port 79, and 22 to be reachable, either via port forwarding, or suitable network setup.
Please follow the instructions on the Selfish Dragonfly page.
Vicious Platypus is distributed as a bootable cd-rom image, therefore, no special setup instructions are required.
One of the levels of fabled-scorpion requires a SMTP server - by default it will connect to mailinator.com.