Code Osiris
In this exploit development–driven challenge, you will create the exploit that inevitably took down a secret underwater facility in what is now being called the “Deep Blue Sea” Incident.
NICE Work Roles
NICE Tasks
- T1091: Perform authorized penetration testing on enterprise network assets
- T1118: Identify vulnerabilities
Background
Preceding the events of the Deep Blue Sea Incident, you, a scientist and exploit researcher, receive a chilling email message regarding the safety of your colleagues and are urged to go to the Control Room immediately. Upon arriving, you are met with an offer you cannot refuse…
The crime syndicate behind this (yara.*) will spare the lives of your
colleagues if you join the clan and assemble a new version of code_osiris,
their flagship malware with global reach.
Getting Started
For this challenge, tokens are awarded for successful exploitation of a target based on the provided instruction set.
The questions for this challenge will guide you through the creation of a standard buffer overflow and eventually lead you to exploiting a live facility harboring a vulnerable service identified by the clan.
IMPORTANT: The recruit briefing located on the HQ site will help you
along your exploit development journey.
Tokens
The format for each token is:
PCCC{VALUES}
In most instances, challengers may find output similar to:
TOKEN#: PCCC{VALUES}
Use this to your advantage when examining the binaries in tokens one and two. All tokens are randomly generated.
Objectives
- Temporarily distract the syndicate by successfully creating a buffer overflow against their old version of code_osiris.
- Develop the skills required to build version 2 of code_osiris using a remote exploit development trainer.
- Use the exploit against a nuclear facility to launch a missile and prove your loyalty to the syndicate.
System and Tool Credentials
| system / tool | host | port |
|---|---|---|
| code-osiris-hq | lab.yara.hq | tcp/80 |
| code-osiris-remote | lab2.yara.hq | tcp/9999 |
| *abyssnet | abyssnet.dbs | tcp/unknown |
| kali-VNC | user | password |
* Scan and enumerate this target to find the port for the hijacked reverse shell to the compromised ABYSSNET service.
Note
Attacking or unauthorized access to the Challenge Platform is forbidden.
Token 1 – Find the Offset (500 points)
Determine the offset required to exploit the binary (integer) using pwntools
or pattern_create / pattern_offset. Once exploited, TOKEN1 will be
revealed.
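How a cyclic pattern turns a crashed register value into an offset, as an added example that is not part of the original challenge materials. It re-implements the idea behind pattern_create / pattern_offset in plain Python; the function bodies, the 200-byte length and the register value are constructed for illustration.

```python
import itertools
import string

def de_bruijn(alphabet: bytes, n: int):
    """Yield a de Bruijn sequence: every n-byte window in it is unique."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)

def pattern_create(length, n=4, alphabet=string.ascii_lowercase.encode()):
    """Return `length` bytes in which each n-byte substring occurs once."""
    if length > len(alphabet) ** n:
        raise ValueError("pattern would repeat; offsets become ambiguous")
    return bytes(itertools.islice(de_bruijn(alphabet, n), length))

def pattern_offset(value, length, n=4):
    """Map a value seen in a register (int, little-endian) or raw bytes
    back to its position in the pattern; None if it is not pattern data."""
    needle = value.to_bytes(n, "little") if isinstance(value, int) else value
    idx = pattern_create(length, n).find(needle)
    return None if idx < 0 else idx

if __name__ == "__main__":
    pattern = pattern_create(200)
    # Constructed stand-in for a debugger reading: the 4 bytes at position 72
    # of the input, as they would appear in a little-endian 32-bit register.
    reg = int.from_bytes(pattern[72:76], "little")
    print(pattern[:20], hex(reg), pattern_offset(reg, 200))
```

A `None` result means the value did not come from the pattern, which usually indicates the input never reached that register or was transformed on the way.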
Token 2 – Classic Redirection (980 points)
Revealed after redirecting execution flow of the code_osiris_v2 binary to
read the function called secret.
Token 3 – Flight Check (1500 points)
Engage the Code Osiris Remote Trainer. Successful exploitation will yield TOKEN3.
Token 4 – Complete Your Mission and Join yara.* (1500 points)
Revealed after compromising ABYSSNET and launching its missile.