The following story line is a work of fiction, and any resembalence or name space collision to anyone, living or dead, past or present, is completely coincidental.
JPanic, rumoured to herald from the trumpets of the digital gods, who incarnated this mythical beast to dominate the digital underground. Upon this immaculate conception he ruled over the 90s VX Scene, sprinkling his magic, 16 bits at a time.
Introducing techniques to the scene so advanced for that time, they seemed alien. JPanic caused quite the Immortal Riot wherever he roamed.
As technology progressed, word size increased to 64bits, Russians gained dominance in crimeware, and gigabit network connections became the norm (except in Australia), the presence of JPanic seemingly disappeared. For those in the know, the beast has been quietly sleeping in the underground, for over a decade now, not seen or heard of since the great #hpaus war of 1999. But something is a-miss, disturbing rumblings from the underground have been detected recently, some even claim the sleeping giant has awoken, and he’s fucking pissed…
Meanwhile, young up-start, Buo, still scarred by the memories of JPanic mercilessly beating Retch to within an inch of his life at Seccon 98, is forging himself a fine and noble career as a anti-malware analyst. Loved by all, Buo has quickly established himself as the young rising star and golden boy at Lambsky AntiVirus. One boring day while trawling through malware samples, Buo comes across something interesting!
A mysterious sample submitted by a dormant honeypot in Pakistan that has not reported anything for the past 5 years. The sample is packed in a strange and unrecognisable format. Buo gives his friend Silvio a call and describes the characteristics of the sample: ‘an obfuscated decryptor which unpacks an obfuscated body, with both the decryptor and body changing on each execution’. Silvio advises Buo that it sounds like a polymorphic virus and not to worry. Buo rolls his eyes and sighs as he puts the phone down and gets back to work.
After several days of carefully stepping through assembly code, peeling back several layers of obfuscation, and circumnavigating numerous anti-debugging tricks, Buo is finally able to take a small glimpse inside a tiny portion of the packed sample. He manages to capture a string located at offset 0x7dfb
CAPZLOQ TECHNIQ II ELECTRIC BOOGALOO ... JPANIC > BUO
A cold chill shoots up Buo’s spine…. (and Buo wee’s himself a little)
Assist JPanic on his crusade to cleanse the Internet or help Buo stop JPanic before it is too late!
The CTF game is made up of a series of levels based on the scallywag behaviour of JPanic, and the heroics of our white-knight Buo. All the levels can be played at your own leisure and level difficulty ranges from easy to moderate.
Buo takes the malicious sample home to examine it further. While reversing a particularly difficult part of the code, Buo jumps on to openrce.org to ask for assistance and ideas. A user called ‘Sepultura’ (AKA Jpanique) responds…
Upon completion, the following is displayed
Jpanic ponders… ‘did I check Buo’s desktop carefully’ as he accidentally stumbles over a waste paper basket he had been scrawling notes on to.
Buo has once mentioned on openrce.org that he keeps all sorts of useful information on his desktop background picture, in order to keep information fresh in his mind. Getting that background picture information may provide information for future compromise.
The background picture revealed a network map of Buo’s home network, amongst other things. The “file server” target looks interesting.
It looks like you’ll need to compromise it via the desktop computer, as there is no direct route externally from the network to this server.
Documents from the file server reveals an analysis of JPanic’s work-in-progress “Hammertime” virus code at c:\hammertime. We need to see how much of the code has been analysed.
You’ll need to disable the counter measures, privilege escalate, or compromise the system somehow to get the code.
You may need to bounce off the file server in order to compromise the machine.
Upon completion, the following text is displayed:
JPanic learns that Buo has been telling all and sundry about his work in progress and the discovery so far. Buo suspects that virus author is Australian, and the Australian Federal Police are quite interested in opening a case. Additionally, Buo has been in frequent contact to Mikko Hypponen who is on his way to Australia to be a guest judge on Australian Idol.
Media attention is not something that Jpanic wants at this time.
JPanic was a little sloppy when he owned up Buo as the IDS running on Buo’s network has recorded an IP address which has accessed his file server. Buo is very concerned to learn that someone has penetrated his home network, and he has no idea what they’ve done and if they have left a backdoor behind. The only thing Buo has to work with is an IP address. After some quick research Buo finds that the IP address belongs to a shell box located in Russia. The shellbox is locked down pretty hard and Buo is unable to hack it. Through some quick cmlh style ‘google hacking’ Buo is able to discover that people using the shell box often visit a particular virus trading forum.
Buo believes that he can find out some more information about who owned his home desktop by hacking the Virus Training Underground web forum system. Help Buo penetrate the forum and find some interesting information.
The aim of this mission will be to compromise their database information about the users of the system.
Now that the database has been compromised from Operation Touchy Owl, it is time to try and crack some users passwords in order to log in to the website
With access to the website obtained, it is now time to try and get access to the administrator account.
Now that administrator access to the website has been obtained, investigate the possibilities further and see if shell access can be obtained to that host.
It is suspected that this host may be useful for further client side attacks and information gathering techniques against virus developers and traders.
Investigate the system for files and information that may be used for future attacks.
Upon completion, the following is displayed:
Buo comes across 4 strange binaries named
Buo has a feeling the files contain some important information about the attacker. He stashes the files away to take a look at later. Lets see what other problems Buo can find with the host.
Examine the host and look for misconfiguration that disclose a lot of information that allows further compromises to happen.
Upon completion, the following is displayed:
Investigating the secret directory Buo discovers a note
‘Gday Dark Angel, The proof of concept code you require can be found in the files wild-amphibian, necessary-griffin, congested-demon, and enraged-bandicoot. Tell Retch to get off your nutz. Your pal, Sepultura.’ Buo also finds a bunch of encrypted messages which he stores away to take a look at later.
Interesting… Sepultra was the same guy on the reverseengineering subreddit. Buo decides taking a look at the binaries is a high priority now.
During Operation Desert Muskrat an unusual binary was found on that system.
During Operation Desert Muskrat an unusual binary was found on that system.
During Operation Desert Muskrat an unusual binary was found on that system.
During Operation Desert Muskrat an unusual binary was found on that system. Cursory examination indicates that is an exploit of some type.
Upon completing that level, the following text is displayed
From analysing the files Buo is able to discovers that the POC files contain concept code that has also been used in the mysterious sample captured by the honeypot. Buo is able to link Sepultura to the sample, giving him something solid to chase.
During Operation Desert Muskrat some snippets of emails was found that referenced a shell script for parsing XML files. Based off the following exchange, it might be possible to exploit the shell script to get access to this persons system.
First you need to gather the file containing the XML data. The specific information that we’re after is in the
As part of the operations investigating JPanic, we’ve managed to capture some potentially interesting information from his network communications. Investigate the packet capture to find out more.
As part of the operations investigating JPanic, we’ve managed to capture some potentially interesting information from his network communications. Investigate the packet capture to find out more.
As part of the operations investigating JPanic, we’ve managed to capture some potentially interesting information from his network communications. Investigate the packet capture to find out more.
As part of the operations investigating JPanic, we’ve managed to capture some potentially interesting information from his network communications. Investigate the packet capture to find out more.
During the Fearsome Crocodile operation, we found that that JPanic planned to flee his his current residence and hide from law enforcement. We have found a note that appears to be encrypted.
During the Fearsome Crocodile operation, we found that that JPanic planned to flee his his current residence and hide from law enforcement. We have found a note that appears to be encrypted.
During the Fearsome Crocodile operation, we found that that JPanic planned to flee his his current residence and hide from law enforcement. We have found a note that appears to be encrypted.
During the Fearsome Crocodileoperation, we found that that JPanic planned to flee his his current residence and hide from law enforcement. We have found a note that appears to be encrypted.
During the Fearsome Crocodile operation, we found that that JPanic planned to flee his his current residence and hide from law enforcement. We have found a note that appears to be encrypted.
JPanic needs some 0day to help propagate his worm. He hears about a stash being sat on by DevineInt. A menacing call to Retch reveals that DevineInt’s server contains suitable code. Scan that machine and see if you can compromise it.
Log into the plunging-wolverine account with the token you got from the Fabled Scorpion level. Take a look at /home/level0 directory.
Log into the parched-loudmouth account with the password ‘parched-loudmouth’ (without quotes). Take a look at /home/level1 directory.
Log into the parched-loudmouth account with the password ‘parched-loudmouth’ (without quotes). Take a look at /home/level2 directory.
Log into the unproved-otter account with the password ‘unproved-otter’ (without quotes). Take a look at /home/level3 directory.
There is a Web server that on port 20000 on exploit-exercises.com that takes HTTP requests in reverse. Make a request for /token.
There is a web server on port 20001 on exploit-exercises.com that requires authentication. You can perform a timing attack on the authentication scheme. There is a logic issue with the code in that if a byte matches, the request takes longer to process.
JPANIC STRIKES BACK
JPanic has decided to strike back against the Lambsky company. With 75% market share, he’s decided to throughly embarass the company via simultaneous assaults on their mailing list, company blog, and virus update procedure. Get started by examining the robots.txt and audit the software password reset functionality.
Next up on the jpanic revenge is the BuoAV company blog. Gain access to the blog administrative account.
Last, but not least, is the admin access page for the BuoAV company.
You’ll have to use information you’ve gathered from early on in order to do this. This Buo picture may come in use!
BUO GOES ON HOLIDAY – asciijump @ 10.10.50.8