Rules for Malware

Task

Build a single Windows EXE that runs unattended (no UI, no arguments). Your program must retrieve three specific targets in the environment and submit them to the server together with your secret.

Submission API

• API: https://submit.bombe.top/submitMalAns
  (Accessible only within the competition internal network)
• Method: POST

Submission payload

{
  "answer_1": "Target 1 answer",
  "answer_2": "Target 2 answer",
  "answer_3": "Target 3 answer",
  "secret": "your secret"
}

• answer_1, answer_2, answer_3 can be uploaded separately or together.
• Every submission must include your secret (obtained after signup on the contest website).
• Each answer can be submitted only once.

Targets to retrieve

1. Registry: answer_1 in HKLM:\SOFTWARE\BOMBE
2. Encrypted SQLite database: C:\Users\bombe\AppData\Local\bhrome\Login Data
3. Decrypt password_value using AES-CBC with your secret as the key
4. Convert the secret (length 32) literal to bytes directly as the AES key (not hex)
   • Example (Python): key = "9nnv7xxZQpmialMXSgAb3YV0bhQstxF0".encode()
5. password_value is hex-encoded
   • Example (Python): password = bytes.fromhex(password_value)
6. password_value = IV(16 bytes) + ciphertext
   • Example (Python): iv, cipher = password[:16], password[16:]
7. Memory of the specified process: bsass.exe

SQLite table schema:

CREATE TABLE logins (
    id INTEGER PRIMARY KEY,
    origin_url TEXT NOT NULL,
    username_value TEXT NOT NULL,
    password_value TEXT NOT NULL
)

If you are unsure, check the sample solution: https://github.com/bombe-match/bombe-poc

Answer format: BOMBE_MAL_FLAG_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
where the suffix is 32 alphanumeric characters. There are three answers in total.

Prohibitions

• Causing a system blue screen (BSOD).
• Damaging the system environment such that programs cannot execute.
• Interrupting network connections.
• Disabling or impairing the EDR (ATT&CK T1562.001), including terminating or suspending the EDR.

Victory conditions

Retrieve all three targets, submit them to the submission API with the correct secret, and avoid being detected by the EDR.