Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
12. Bonus: Capture The Flag
SECRET//NOFORN
Capture The Flag
('excerpt' missing)
Setup
On the share (\\FS-01\share\NewDeveloperExercises\CaptureTheFlags) there is a VMVirtual Machine titled "New Developer CTFCapture the Flag Windows 8.1 x64". Copy the VMVirtual Machine folder to your local machine. If VMWare asks, you copied it.
Submitting Answers
Text Here
Challenge 1: Survey
For this challenge you will be collecting information about the target machine (CTFCapture the Flag VMVirtual Machine). This is useful for understanding future deployments against a machine. Surveys can reveal many things about a machine or its network.
Challenge 1: To capture this flag you will need to collect the following information about the CTFCapture the Flag VM.
Machine GUID
- User Name
- Computer Name
Installed Applications
Network Card MACApple Operating System Addresses
- List of all mounted volumes
Process List
Now, have your tool output the survey data (raw) into a file in Desktop\Results\Survey\Survet.txt. Shortly after, you'll have your first flag!
Challenge 2: File Collection
File Collection is also an important part of what we do. Remember the main goal is to enable the collection of FI. In this line of work we run into limitations that aren't always a problem for normal software developers. Unfortunately, we often run into bandwitdth and/or time constraints when trying to retreive information from a target computer. Thus, when designing or configuring a tool, compression, throttling, collection prioritization, and file flattening are things you should consider.
Challenge 2: Collect all of the files from User #?'s user directory (C:\Users\User #?) with the extensions *.doc, *.docx, *.xlsx, and *.pdf. You will then need to reconstruct the collected files in the Results\File Collection folder on the Desktop.
For example, let's say I collected the following files:
C:\Users\User #?\Desktop\Passwords.xlsx
C:\Users\User #?\Pictures\MyContacts.docx
C:\Users\User #?\AppData\Local\Temp\WhereIKeepMyNukes.pdf
Then, the folder structure in the Results\File Collection directory would look like this:
_C
Users
User #?
Desktop
Passwords.xlsx
Pictures
MyContacts.docx
AppData
Local
Temp
WhereIKeepMyNukes.pdf
When you are done, signal the watcher that all files are collected by setting an event with the name {DEC334AC-E1E3-4582-9D4D-75A6201F053B} (See MSDN: OpenEvent and SetEvent). After your files are validated, your second flag should then appear!
Challenge 3: Compression and Encryption
Almost all of our tools utilize some combination of compression and encryption. Whenever we're sending data back over the internet, or storing the data for later exfil, it needs to be protected. The type of compression and encryption used is dependent upon many factors and should be decided on a per tool basis. SecureBuffer (or the buffer library) is a library of readily available compression and encryptoion algorithms (there should never be a need to roll your own compression or encryption - these are very signaturable things). So, for this challenge you will need to download the attached files (ImprovedDummy.exe, PubKey.pem).
Challenge 3: Compress and encrypt the dummy payload to retrieve the flag
- Download the attached files (ImprovedDummy.exe, PubKey.pem)
- Use SecureBuffer/Buffers Library) to compress the binary using ZLIB compression.
- Encrypt the buffer using the supplied public key
- Dump the buffer into a file (raw) named ImprovedDummy.exe.enc in Results\Compression and Encryption
The watcher on the wall will give you the third flag upon completion.
Challenge 4: Payload Deployment
Many of our tools utilize other processes on the machine (sometimes our own).
Challenge 5: System Monitoring & Manipulation
Watch for registry key change, process list, window hooks?
Challenge 6: Persistence
Create Sched Task as user, logoff and logon to get flag
Challenge 7: Data Transfer
Execute Survey from part one, pipe it to me over a known named pipe
Challenge 8: PSPPersonal Security Product (Anti-Virus) Evasion
Known Bad Executable + Src. Known defeats. Verify it passes
Challenge 9: Execution Vectors
Trojan - take winrar and trojan it, validate resources and application startup
Challenge 10: Privilege Escalation
Describe Artillery UACUser Account Control Bypass, Have them write it to execute ImprovedDummy as Administrator.
Finishing Up
As we go on, we remember, all the time we...
SECRET//NOFORN