煉蠱大會遊戲方法 (Malware Playground Howto) 2022-正式版 =========================================== TL;DR ----- 開放所有與會者參與，包含免費票。 Available to all attendees, including those with free tickets. Intro Session 新手村: Web: https://mpg-r1.hitcon2022.online TCP Command Stream: mpg-r1.hitcon2022.online:29171 TCP Message Stream: mpg-r1.hitcon2022.online:29172 Web(Observe/觀戰): https://mpg-r1.hitcon2022.online/client.html?observe=true Advanced Session 進階場: Web: https://mpg-r2.hitcon2022.online TCP Command Stream: mpg-r2.hitcon2022.online:29271 TCP Message Stream: mpg-r2.hitcon2022.online:29272 Web(Observe/觀戰): https://mpg-r2.hitcon2022.online/client.html?observe=true Doodle Area/塗鴉牆： http://doodle.hitcon2022.online/index.php http://doodle.hitcon2022.online/sandbox.php (No JS in latter. 後者無Javascript) Web連上後可以嘗試以下指令: ``` CurrentGame Scoreboard PlayerInfo Cmd /usr/bin/php -S 0.0.0.0:<PORT NUMBER> Cmd echo "<p>__YOUR_NAME__ is here!</p>" > /var/www/html/storage/your_name.php ``` 最新改動 What's New? ------ 2022新增內容 1. VM內新增了一些服務，玩家必須要避免讓這些服務下線。如果玩家不小心kill掉服務或是讓他們無法運作，VM會重新開機或是重灌。玩家可以在不讓服務下線或壞掉的情況下將後門安插在服務內。若故意攻擊這些服務讓他壞掉或下線，大會有權封鎖這些玩家。 2. 部份關卡需要Pwn，而非直接有執行指令的權限。 3. 新增C&C計分模式，玩家需要反連某個VM內才連的到的伺服器並且GET指定URL。 What's new in 2022 1. Some services are added to the VM, and players should avoid bringing them offline. If any of those services are killed or brought offline accidentally, then the VM will reboot or reset. Players are allowed to inject their backdoor into the services provided the services are not disrupted. If any player intentionally attack the services to bring them offline or non-functional, then we reserve the right to ban them. 2. Some rounds will require pwning the target, and players will not get direct command line access. 3. New C&C Scoring mode, players will need to make HTTP GET request to specific server that is reachable within the VM to gain points. 連線介紹 How to connect ------ 玩家可以透過Raw TCP Socket或是Web界面來連上遊戲。Web界面較容易使用，但效能較差且不好自動化，而Raw TCP Socket效能較好，適合進階玩家。 Player can choose to use Raw TCP Socket or the Web interface to connect to the game. The Web interface is easier to use, while the Raw TCP Socket interface is faster and easier to interface with code. Raw TCP Socket -------------- 玩家可以透過Raw TCP Socket連上煉蠱伺服器。遊戲共有兩個Port，一個用於下指令（以下簡稱指令Port），另一個用於觀看目前狀況。（以下簡稱狀況Port） 指令Port只能用來輸入指令，只有少數指令的結果會透過指令Port回傳。其他指令的回傳資料會顯示在狀況Port，因此建議同時開兩個視窗然後同時看兩者。 Players can connect to the malware playground through raw TCP socket. There are 2 ports, one is for sendin commands (hereafter "cmd port"), another is for watching the current status (hereafter "status port"). cmd port can only be used to key in/send command. Only a few commands will respond on the cmd port. The response for other commands will be available on the status port instead. Therefore, it is recommended that two terminal windows be opened at the same time for each of the ports. Web Interface ------------- 玩家可以直接打開Web界面，界面左邊是目前所有訊息，左下能夠輸入訊息，右上可以選擇觀看哪些訊息，右邊中間可以看目前遊戲規則及狀態，右下可以觀看記分板。 Web界面網址如上TL;DR區塊所述 The player can open the web interface with a browser directly. In the user interface, on the left is the all the messages, on the bottom left is the prompt for entering any chat or command. On the top right users can filter what messages are shown, on the center right is the information on the current game (rules, status... etc), on the bottom right is the scoreboard. The address for the web interface is above in the TL;DR section. 連上新手村 Connect to the tutorial section ------------------------------------------ 透過Web界面連上新手村最方便，可以參考上述TL;DR區塊的網址 It's easiest to connect to the tutorial/intro section through the web interface. Please refer to the address in the TL;DR section above. 新手村位於 mpg-r1.hitcon2022.online Port 29171 (指令port) Port 29172 (狀態port)。 The tutorial/intro section is on mpg-r1.hitcon2022.online Port 29171 (cmd port) and Port 29172 (status port). 之後，可以開啟兩個不同視窗，使用nc指令連上煉蠱伺服器： After that, connect to malware playground with the following commands in two different command prompt: ``` nc mpg-r1.hitcon2022.online 29171 nc mpg-r1.hitcon2022.online 29172 ``` 注意，必須同時打開兩個視窗，各自輸入以上兩個指令（一個視窗一個指令）。 Note, you'll need to open two terminals and enter the commands in them respectively (one in each). 加入後，於指令Port輸入: After that, enter the following in Cmd port: ``` Nick <Your Nick> <Token> ``` 可以設定你的暱稱。限制英文大小寫數字4-20個字長。 Will set your nickname, which is limited to alphanumeric (both cases), length of 4-20. Token可以從Web界面取得，請點選Socket Token按鈕。 The token is available from the web interface, just click the "Socket Token" button. ``` CurrentGame ``` 即可查看目前遊戲規則。 and you'll see the rules for the current game. 該廠遊戲輸入第一個指令後（例如上述的CurrentGame），系統會透過狀態Port告訴你你的Port Number以及C&C URL，請你記好它。請注意每一場遊戲的port number及C&C URL可能不一樣。 After entering the first command on speaking on that channel for the first time. The system will tell you your port number and C&C URL through status port. Please take note of it. Note that the port number and C&C URL may be different on every game. 如果你忘了你的Port Number或C&C URL，可以輸入PlayerInfo指令取得他： If you lost your port number or the C&C URL, you can use the PlayerInfo command. ``` PlayerInfo ``` 接下來，在指令Port輸入以下指令重複Listen在某個Port Number： Enter the following command in cmd port to listen on your port number: ``` Cmd /usr/bin/php -S 0.0.0.0:<YOUR PORT NUMBER> ``` 如果你的Process沒有被別人Kill掉，去Scoreboard就會看到你開始得分。 If your process is not killed, then you'll see that your score is increasing on the scoreboard. 如果想要透過聯繫C&C得更多分，你可以執行以下指令每4秒聯繫一次C&C：（請記得替換你的URL） If you want to score more by contacting the C&C server, you can execute the following command to contact the C&C every 4 seconds: (Please remember to replace the URL with your C&C URL) ``` Cmd while [ true ]; do curl http://192.168.xx.x:xxxxx/report/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx >/dev/null; sleep 4; done ``` 在指令Port中輸入下列指令可以看Scoreboard: Enter the following command on cmd port to see the scoreboard on IRC: ``` Scoreboard ``` 最後，新手村遊戲規則為： 1. Process存活每秒1分，Port可以被連線每秒5分，每5秒內聯繫C&C一次25分。可對外連網。 2. 可以直接執行指令。 3. 友善新手，請不要太頻繁的獵殺別人的Process。 4. 這場保留最久，原則上不刪除檔案，請多利用塗鴉區 (新手村中伺服器有跑一台http server)。 Lastly, the rules for the tutorial section is: 1. Process survival earns you 1 point per second. Port is up earns you 5 points per second. Contacting the C&C server once every 5 second earns you 25 points for each 5 second period. You may connect to the internet from the machine. 2. You can execute commands directly. 3. Please be friendly to noobs, and not kill them too frequently. 4. This room/game will be kept running for the duration of the conference, and generally we won't delete files/reset the game, so you're welcome to use the doodle area (the HTTP server running in the room). 塗鴉牆 Doodle Area ----- 塗鴉牆位於新手村的/var/www/html/storage/，裡面所有的.php都會被顯示出來。 如果想要塗鴉，可以使用以下指令 ``` Cmd echo "<p>__YOUR_NAME__ is here!</p>" > /var/www/html/storage/your_name.php ``` 請把__YOUR_NAME__跟your_name換成你的名子或暱稱 如果要觀看塗鴉牆，可以前往 https://doodle.hitcon2022.online/index.php 或是 https://doodle.hitcon2022.online/sandbox.php (後者不會有javascript) The doodle area is located in the intro session, in /var/www/html/storage/. Every .php file in that directory will be shown in the doodle page. To doodle in the doodle area, use the following command: ``` Cmd echo "<p>__YOUR_NAME__ is here!</p>" > /var/www/html/storage/your_name.php ``` Replace YOUR_NAME with your name or nick name. To visit the doodle page: https://doodle.hitcon2022.online/index.php Or https://doodle.hitcon2022.online/sandbox.php (No javascript) 進階場次 Advanced session ------- 進階場次位於同伺服器Port 29271, 29272. The advanced session is on the same server, but on port 29271 and 29272. 請留意部份進階場次的指令會被當URL由瀏覽器開啟，而非由Shell執行，因此規則稍微不同。 Note that in some sessions in the advanced sessions, the command will be treated as URL and opened by a browser, instead of being executed by the shell, thus the rules are slightly different. 遊戲規則，時間與獎勵 Rules, Hours and Rewards ================================ 遊戲規則 Rules -------------- 規則： 1. 每一場次有自己的計分規則，有的是需要你執行的Process存活，有的是需要你Listen在某個Port。 2. 每一場次的入侵方法也可能不同，有的直接提供輸入指令或Shellcode。 3. 於該場輸入CurrentGame顯示該場次的計分方式，入侵方法與規則。 4. 禁止攻擊位於/hitcon目錄中的遊戲Infra，不得（包含但不限於）修改，模擬，注入，阻擋，偽裝成該目錄中跑起來的伺服器，亦不得阻擋或為造Port 29100~29200中的任何流量。 5. 禁止癱瘓伺服器，例如使用Fork Bomb或是佔滿所有記憶體/磁碟空間。 6. 有上述違規行為，其他玩家可以向管理員檢舉。管理員可以將違規者禁賽及禁止其獲得獎勵的HITCON Token。 The rules are: 1. Each game have different scoring policy. Some requires your process to be alive, the other requires your port to be reachable. 2. Each game, the access you've to the machine is different. For some you can enter commands dircetly, others you can only use shellcode. 3. Enter the "CurrentGame" command to see the rules on scoring policy and access you've. 4. Do not attack the game infra, located in /hitcon directory. You may not (including but not limited to), modify, emulate, inject, block, masquerade as anything that runs from that directory. You must not block or spoof any traffic on port 29100~29200. 5. Do not attempt denial of service attack on the machine, such as using fork bomb, or filling up the memory/disk space. 6. If there's any prohibited action, other players may notify the administrators. The administrator may prohibit the violators from player, and/or forfeiting their reward HITCON tokens. 獎勵 Rewards ------------ 新手村 Intro Session: * You'll get a "Information Leak Award" if your score is above 10,000 (while stocks last), please collect them at the events service counter on site. Each attendee can earn this once only. The first 30 participants to collect this prize will get an upgrade to "DoS Award". * If you're too good to be on the Intro Session, we may ban you at our discretion and give you the "DoS Award". This does not apply if you're banned for other reasons such as violating the rules. * Award/prize available for all attendees (free and paid). * 如果你能在新手村獲得超過10,000分，那你會取得一份"資訊洩漏獎"，請至活動組服務台領取，數量有限。每個與會者只可以領一次。前三十個兌換這個獎的與會者會被升級至"DoS獎" * 如果你強到不適合待在新手村，主辦單位可以選擇把你踢出新手村，但是會給你一份"DoS獎"。若你因其他原因（例如：違反規則）被踢出新手村，則以上獎項不適用。 * 所有與會者（包含免費票）皆有機會獲得以上獎項/獎品。 進階版 Advanced Session: * The first 5 places (paid attendees only) will get the "RCE Award". * The next 30 places (all attendees) will get the "DoS Award". * 前五名(僅限付費與會者)取得"RCE獎" * 接下來30名 (所有與會者) 取得"DoS獎" To collect the prize, please come to the events service counter. We reserve the rights to modify the prizes. 以上獎項皆請至活動組服務台領取。大會保留修改獎項的權利。 開放時間 Operating Hours ----------------------- * The event runs from evening of Aug 16th 2022 to 2:30pm Aug 20th 2022, only scores earned in these period counts. * The event starts when participants received the email to HITCON website that allows them to access malware playground. * The prize for advanced session will available for collection after the rankings are announced, and it'll be before 3:15pm Aug 20th 2022. The rankings for the advanced session will be announced on Telegram as well. * The prize for intro session can be collected during the HITCON period (2 days). * Note that there are no breaks during the event. You can automate your tactic but please don't DDoS/DoS our server. * There might be disruption in service in the morning of the first day of HITCON, everyday at 10pm and the scoring period. Additional downtime may be announced on the HITCON Telegram channel. * The server might be up before or after the event but the scores don't count. Just have fun. * All time are UTC+8. * If you have any questions, you can try to ask on the HITCON telegram channel. * 活動時間為8月16日晚上至20日2:30pm，只有這段期間獲得的分數才會被計算。 * 活動開始時間以與會者收到專屬連結Email為準。 * 名次於8月20日3:15pm前公佈，公佈後可以至活動組服務台領取進階場獎品。進階場名次將於IRC/TG公佈。 * 新手村獎項可以於活動兩日兌換。 * 活動於夜間沒有中斷。你可以考慮自動化你的戰略但請不要DDoS/DoS我們的伺服器。 * 伺服器於HITCON第一天早上，每日10pm或計分時可能會中斷。其餘服務中斷會透過HITCON TG群組公告。 * 活動時間之外，伺服器可能已經開啟，但分數不計算。歡迎亂入。 * 所有時間點皆為 UTC+8 時區 * 如果有任何問題，可以於HITCON TG詢問。