
Rules for Malware

Task

Compile all functions into a single Windows executable (EXE). The executable must complete all required tasks automatically, without user interaction or parameter input. There are three targets to steal in the environment. Steal these targets and upload the answers along with the user ID to the specified location.

Answer Upload API Location

This API location can only be accessed within the competition's internal network.

Answer Format

{
  "answer_1": "Target 1 answer",
  "answer_2": "Target 2 answer",
  "answer_3": "Target 3 answer",
  "secret": "your secret"
}

answer_1, answer_2 and answer_3 can be uploaded separately or together.
Each answer submission must include a secret.
You will receive a secret after you sign up on our contest website.
Each answer can only be submitted once.

Target Format and Location

You have 3 targets to steal and send to our server.

  • Registry: answer_1 in HKLM:\SOFTWARE\BOMBE
  • Encrypted SQLite database: C:\Users\bombe\AppData\Local\bhrome\Login Data
    • Decrypt password_value with your secret as the key, using AES in CBC mode.
    • Use the secret (32 characters) literally as bytes for the AES key; it is not hex-encoded.
      • For example, key = "9nnv7xxZQpmialMXSgAb3YV0bhQstxF0".encode() in Python
    • password_value is hex-encoded.
      • For example, password = bytes.fromhex(password_value) in Python
    • password_value is the IV (16 bytes) concatenated with the encrypted password.
      • For example, iv, cipher = password[:16], password[16:] in Python
  • Memory of the specified process: bsass.exe

The SQLite database has the following table schema:

CREATE TABLE logins (
    id INTEGER PRIMARY KEY,
    origin_url TEXT NOT NULL,
    username_value TEXT NOT NULL,
    password_value TEXT NOT NULL
)
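The decryption the rules describe, worked end to end against a constructed in-memory copy of the logins table. This is an added example, not the contest's sample solution; it assumes the cryptography package is installed and that the plaintext was PKCS#7-padded (the rules do not state the padding scheme), and the URL, username and IV in the sample row are made up.

```python
import sqlite3
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Table layout as given in the rules; the row inserted by sample_db() is constructed.
SCHEMA = ("CREATE TABLE logins (id INTEGER PRIMARY KEY, origin_url TEXT NOT NULL, "
          "username_value TEXT NOT NULL, password_value TEXT NOT NULL)")

def key_from_secret(secret: str) -> bytes:
    """The 32-character secret is used literally as the AES-256 key, not hex-decoded."""
    key = secret.encode()
    if len(key) != 32:
        raise ValueError("secret must be exactly 32 ASCII characters")
    return key

def decrypt_password_value(secret: str, password_value: str) -> str:
    """password_value is hex: a 16-byte IV followed by the AES-CBC ciphertext.
    PKCS#7 padding is an assumption; the rules do not state the padding scheme."""
    blob = bytes.fromhex(password_value)
    iv, cipher = blob[:16], blob[16:]
    if len(iv) != 16 or not cipher or len(cipher) % 16:
        raise ValueError("password_value must be a 16-byte IV plus whole AES blocks")
    dec = Cipher(algorithms.AES(key_from_secret(secret)), modes.CBC(iv)).decryptor()
    padded = dec.update(cipher) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return (unpad.update(padded) + unpad.finalize()).decode()

def encrypt_password_value(secret: str, plaintext: str, iv: bytes) -> str:
    """Inverse of decrypt_password_value; used here only to build sample rows."""
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext.encode()) + pad.finalize()
    enc = Cipher(algorithms.AES(key_from_secret(secret)), modes.CBC(iv)).encryptor()
    return (iv + enc.update(padded) + enc.finalize()).hex()

def read_logins(conn: sqlite3.Connection, secret: str) -> list:
    """Return (origin_url, username_value, decrypted password) for every row."""
    rows = conn.execute("SELECT origin_url, username_value, password_value FROM logins")
    return [(url, user, decrypt_password_value(secret, pw)) for url, user, pw in rows]

def sample_db(secret: str, flag: str) -> sqlite3.Connection:
    """In-memory stand-in for the Login Data file holding one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    iv = bytes(range(16))  # fixed IV so the sample is reproducible; a real row has a random IV
    conn.execute("INSERT INTO logins VALUES (1, ?, ?, ?)",
                 ("https://example.invalid/login", "bombe", encrypt_password_value(secret, flag, iv)))
    return conn
```

To read the real file, open it with sqlite3.connect(path) in place of sample_db() and pass the same secret to read_logins().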

If you are confused, please check out our sample solution https://github.com/bombe-match/bombe-poc.

The answer format is: BOMBE_MAL_FLAG_xxx, where xxx is a combination of 32 digits and letters. There are three answers in total.

Prohibitions

  • Causing a system blue screen (BSOD).
  • Destroying the system environment, causing the program to be unable to execute.
  • Interrupting network connections.
  • Closing the EDR (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools), including terminating or suspending the EDR process.

Victory Conditions

Retrieve the three targets in the environment as answers and submit them to the specified API without being detected by the EDR.