Loud and Clear

Lancer’s staging mail gateway is stuck on a legacy stack. Validate each patch level by proving whether the gateway can still be coerced into leaking protected data using your offensive security toolkit.

NICE Work Roles

Cyber Defense Analyst
Exploitation Analyst

NICE Tasks

T0028: Conduct and/or support authorized penetration testing on enterprise network assets.
T0566: Analyze internal operational architecture, tools, and procedures for ways to improve performance.

Background

Lancer Corporation relies on an outdated Commercial Off-The-Shelf (COTS) hardware solution that integrates an open-source, legacy mail service. However, their sales vendor has explicitly stated that this mail system is incompatible with modern architectures.

Due to high availability demands and limited options for replacement, Lancer’s engineering team has attempted to develop an in-house version of the service (based on the original open-source code) to maintain operations.

The Network Security Team (NST) has placed tokens in four separate development environments for you to retrieve, to prove or disprove the effectiveness of their hot patches.

Objectives

For each patch level:

Set the patch level using the console.
Interact with SMTP and exploit the detected vulnerability.
Extract the token and submit it.

Getting Started

For this engagement, two service endpoints exist:

An SMTP service: staging.lancer.pccc:2525
A patch control console: staging.lancer.pccc:31337

The console can switch between four patch levels. Each subsequent level hosts a patch with lessons learned from the previous patch. Unfortunately, unbeknownst to the NST, each level still contains a bypass. Each patch level introduces incremental changes to how user-supplied input is sanitized and processed by the mail service.

Tokens

Tokens will take this form:

PCCC{VALUE-VALUE-VALUE}

Token Location

IMPORTANT: The tokens for all patch levels are stored in /opt/lancer/tokens/ and are named token#.txt. For example, the first token for this engagement is located at /opt/lancer/tokens/token1.txt.

Rules of Engagement and other notes

IMPORTANT: The NST has enabled a custom header (X-Lancer-QA) that is processed by downstream mail-handling logic. All test payloads should be delivered using this header to ensure proper inspection. Additionally, all emails should be sent from tester@demo.local.

Unfortunately, the team has left on vacation and forgot to tell you which email address to send to in order to reach the right virtualized patch instance. Mail-handling rules determine whether user-supplied input is fully processed. Only one sender address will trigger the vulnerable execution path. A list of all current email addresses can be found in the Patch Control Console by calling the “LIST” command.

System and Tool Credentials

system/tool      location              port
SMTP Service     staging.lancer.pccc   tcp/2525
Patch Console    staging.lancer.pccc   tcp/31337

Note

Attacking or attempting to gain unauthorized access to the Challenge Platform is forbidden. You do not need root access to the server to complete this challenge.
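The mechanics laid out in Getting Started and the Rules of Engagement (the console on tcp/31337 with its LIST command, SMTP on tcp/2525, the required tester@demo.local sender and X-Lancer-QA header, and the PCCC{VALUE-VALUE-VALUE} token format), as an added Python harness. This is example code written for this page, not part of the challenge or of Lancer's own tooling, and it carries no exploit payload. Assumed, because the page does not say: the console speaks a line-oriented text protocol and its LIST reply can be read until the connection closes or goes quiet; the recipient address and header value used at the bottom are constructed placeholders.

```python
"""Harness for the Loud and Clear staging engagement.

Added example, not code from the challenge page or from Lancer. Assumptions
not stated on the page: the patch console is a line-oriented text service,
and its LIST reply is read until the server closes the socket or goes quiet.
"""
import re
import socket
import smtplib
from email.message import EmailMessage

SMTP_HOST, SMTP_PORT = "staging.lancer.pccc", 2525          # from the page
CONSOLE_HOST, CONSOLE_PORT = "staging.lancer.pccc", 31337   # from the page
SENDER = "tester@demo.local"     # required sender per the rules of engagement
QA_HEADER = "X-Lancer-QA"        # header inspected by the downstream logic
# Token shape from the page: PCCC{VALUE-VALUE-VALUE}, exactly three parts.
TOKEN_RE = re.compile(r"PCCC\{[^{}\s-]+-[^{}\s-]+-[^{}\s-]+\}")


def build_test_message(recipient: str, qa_value: str,
                       body: str = "patch validation") -> EmailMessage:
    """Compose the RFC 5322 message the rules require: From tester@demo.local,
    with the X-Lancer-QA header carrying the value under test.

    EmailMessage's default policy refuses header values containing CR or LF,
    so a value that would split into an extra header raises ValueError here
    instead of silently leaving as a malformed message.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = recipient
    msg["Subject"] = "Lancer QA patch validation"
    msg[QA_HEADER] = qa_value          # ValueError if qa_value spans lines
    msg.set_content(body)
    return msg


def extract_tokens(text: str) -> list[str]:
    """Pull every PCCC{VALUE-VALUE-VALUE} token out of captured output."""
    return TOKEN_RE.findall(text)


def console_list(host: str = CONSOLE_HOST, port: int = CONSOLE_PORT,
                 timeout: float = 5.0) -> str:
    """Ask the patch console for its current addresses (network call).

    Assumption: LIST is a text command terminated by CRLF and the reply is
    plain text; we read until close or until the console goes quiet.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"LIST\r\n")
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # console kept the socket open after replying
    return b"".join(chunks).decode(errors="replace")


def send_test_message(msg: EmailMessage, host: str = SMTP_HOST,
                      port: int = SMTP_PORT) -> dict:
    """Deliver the message to the staging gateway (network call).

    send_message() uses the From/To headers for the envelope, so the envelope
    sender is tester@demo.local as the rules require.
    """
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed placeholder recipient; the real one comes from console_list().
    m = build_test_message("qa@staging.lancer.pccc", "patch-1-baseline")
    print(m.as_string())
    print(extract_tokens("captured reply: PCCC{ab12-cd34-ef56}"))
```

The header-assignment step is the defender-relevant detail: the standard library's default email policy rejects a header value containing CR or LF, which is the same class of input-sanitization decision the patch levels are described as changing. Keep the network functions out of any offline test; only build_test_message and extract_tokens are pure.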

Tokens are awarded through completion of the objectives.

Token 1 — Patch 1.0 Validation (600 points)

Switch the console to Patch 1 and extract TOKEN1.

Token 2 — Patch 2.0 Validation (750 points)

Switch the console to Patch 2 and extract TOKEN2.

Token 3 — Patch 3.0 Validation (800 points)

Switch the console to Patch 3 and extract TOKEN3.

Token 4 — Patch 4.0 Validation (1090 points)

Switch the console to Patch 4 and extract TOKEN4.