About

A mock corporate network has been rigged in a virtual environment. At various places in this network, flags, i.e., information to extract, are placed. The overall objective is to capture all the flags. To assist you, we are going to offer hints for each flag (for a price, of course).

To complete the project assignment, you are free to use your imagination and any tools available on the Internet. In the provided material, you will be introduced to specific network and vulnerability scanning tools, exploit platforms, remote control utilities, password cracking tools, and so on. Nonetheless, you are free to choose methods and tools of your own.

Responsible disclosure

If you by happenstance were to discover a vulnerability in the course infrastructure, including the flag point award system, the hint request system, or the cyber range, we welcome your report. For the first reporter, such findings will count as bonus points in the course; the number of bonus points will depend on the criticality of the vulnerability.

If you discover a vulnerability in the Google Cloud Infrastructure, then it will be important to report it via Google's Vulnerability Reward Program. The same goes for the Canvas LMS. These, too, may be eligible for course bonus points.

GCP Infrastructure

The virtual network you will interact with is hosted by Google Cloud. The most important difference between this environment and a physical network, from the point of view of this course, is that OSI layer 2 is missing.

Thus, ARP spoofing and other techniques based on Layer 2 won't work.

The Internet Assigned Numbers Authority (IANA) reserves the following IP address blocks for use as private IP addresses: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. Note that the network address space of the virtual world is located among these. You might be used to seeing these behind a NAT, and thus unreachable from other networks. In this world, however, such assumptions cannot be made.

Furthermore, as in the case of a real corporate network, things might change in the network. Notably, systems may be restored to their unhacked state at any time, e.g. on a daily basis. Therefore, it is important to be able to repeat your hacks; thus, record your methods after successful exploitation.

When connected to the Google Cloud virtual environment via VPN, you are allowed to attack hosts within the network zone 10.0.0.0-10.0.15.254. If seen from a host on that network, addresses in the ranges 172.16.0.1-172.31.255.254 are also permitted targets.
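A scope check to run over a target list before any scan, added here as an example and not part of the course material. It encodes the two permitted ranges above and reads "seen from a host on that network" as meaning that the 172.16-31 range is allowed only when the traffic source lies in the 10.0.0.0-10.0.15.254 zone, which is an assumption; the function names and every sample address except 10.0.2.88 are constructed.

```python
import ipaddress

# Permitted ranges as stated in the course text (inclusive bounds).
VPN_SCOPE = (ipaddress.IPv4Address("10.0.0.0"),
             ipaddress.IPv4Address("10.0.15.254"))
PIVOT_SCOPE = (ipaddress.IPv4Address("172.16.0.1"),
               ipaddress.IPv4Address("172.31.255.254"))


def _span(spec):
    """Return (first, last) address of an IPv4 address or CIDR block, else None."""
    if spec is None:
        return None
    try:
        net = ipaddress.IPv4Network(spec, strict=False)
    except ValueError:  # hostname, IPv6 or malformed input: refuse, do not guess
        return None
    return net.network_address, net.broadcast_address


def _within(span, scope):
    """True only if the whole span lies inside the inclusive scope bounds."""
    return span is not None and scope[0] <= span[0] and span[1] <= scope[1]


def in_scope(target, source=None):
    """Check one address or CIDR block against the rules of engagement.

    source is the host the traffic originates from; None means the VPN client.
    Assumption: 172.16-31 targets are allowed only from a source in VPN_SCOPE.
    """
    span = _span(target)
    if _within(span, VPN_SCOPE):
        return True
    return _within(span, PIVOT_SCOPE) and _within(_span(source), VPN_SCOPE)


def filter_targets(targets, source=None):
    """Split targets into (allowed, rejected), preserving input order."""
    allowed, rejected = [], []
    for t in targets:
        (allowed if in_scope(t, source) else rejected).append(t)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed target list; only 10.0.2.88 appears in the course text.
    sample = ["10.0.2.88", "10.0.0.0/20", "10.0.16.1", "172.16.5.10", "example.com"]
    print(filter_targets(sample))
    print(filter_targets(sample, source="10.0.2.88"))
```

The block 10.0.0.0/20 is rejected because it also covers 10.0.15.255, one address past the stated upper bound; a CIDR block is accepted only when every address in it is permitted.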

The network scanning tool nmap doesn't seem to properly capture target responses when granted root privileges in the cyber range. This has the unintuitive effect that scanning will work as expected when logged on as an unprivileged user, but it may fail when logged on as, e.g., root. To avoid this, either make sure that you scan from an unprivileged account, or try also scanning with the following flag when scanning as root:

-sT: scan ports using TCP Connect

Flag dependencies

Here are some instructions about the flags and their dependencies.

Get your VPN running + tutorial

After you have successfully connected to the cyber range via VPN, you should be able to capture the 10c26e pre-flag (which is not graded). Free hint: try pinging the IP: 10.0.2.88. This was demonstrated in the classroom.

Flag 155d78 is a brief tutorial section (which is also optional and not graded) hosted within the cyber range to help kickstart those new to Linux and ethical hacking. Access instructions are provided together with the 10c26e pre-flag.

The flags you are going to report

Initially, you will only be able to capture flags 10c26e, 155d78, adcb1f, 90b353 or 521bce, because the remaining flags are located in places that require you to perform the exploits that lead to the first flags.

Flag 14ce18 can be reached via two different paths, which require the capture of either Flag 6be6ef or Flag 9f1f16.

Flag de3b1c can also be reached without having first captured 521bce, but in a considerably more difficult way.

One free hint! Flags adcb1f (FTP) and 90b353 are on the host named Lazarus, while Flag 521bce is on the host named Cuiteur.

        10c26e ——— 155d78
      /    |    \
adcb1f  90b353   521bce
           |        |
           |     de3b1c
           |        |
        f9038f   3b2000
           |        |
        6be6ef   9f1f16
               \    |
                 14ce18
                    |
                 5d402e — 2362e5        
                    |
                 93b00a

The virtual environment and lab infrastructure we use in our course were designed and implemented by KTH, who kindly allowed us to use them. In addition, most, if not all, of the information regarding the description of the virtual environment and its components was produced by KTH; some adjustments were made to the text to adapt it to our needs.