Skip to main content

CySCA 2018 In-a-box

Welcome to the CySCA2018 In a Box information page. With the information on this page you should be able to attempt most of the challenges from the 2018 Cyber Security Challenge Australia.

CAUTION: The VM contains software that is deliberately vulnerable. We advise that you do not attach it to a critical network. Consider using your virtualization software's host‐only network functionality.

FileType: 7z
CySCA 2018 In-a-Box
Download size is # 2.7 GB
SHA1: CB98DC48D3B10DC002C57EE786C4B0978365C396
Version: 1.0

Additional Challenge Files
CySCA 2018 Forensics CySCA 2018 Exploit / Recon


About the Virtual Machine

how to start working with this The VM provided is a self-contained machine that can be used to do most of the challenges from CySCA2018. Inside the VM's docker containers you can find a copy of the source code for some of the challenges, but we recommend attempting the challenges before looking at the code.

The Virtual Machine root password is password. The VM download contains a VMware Workstation/Player and an Oracle VirtualBox config file. Make sure to adjust the network interface type to match your setup (bridged/nat).

This VM allows players to complete challenges in their own time, to learn and develop their cyber security skills. The VM includes a static version of the scoring panel with all challenges, required files and flags.

To use CySCA2018 in a box virtual machines, players will need to have either Oracle VirtualBox or VMWare Player installed on their machines.

Additionally we recommend players have at least 4GBM of RAM. If you have less RAM, you can reduce the amount of RAM available to the VM down to 2GB, however it may adversely affect the speed of some of the challenges.

Generic placeholder image

Getting Started

how to start working with this

  1. Extract files from CySCA2018InABox.7z
  2. Navigate to the folder containing the extracted files
  3. Confirm that the checksums for the files match those in checksums.txt
  4. If you are using VirtualBox double-click the CySCA2018InABox.vbox file. When you start the VM, you may be prompted that a "Centrino Advanced" adapter is not found. If this happens, click Change Network Settings and select the adapter that you would like the VM to bridge to.

    ‐‐ Or ‐‐

    If you are using VMWare Player double-click the CySCA2018InABox.vmx file. When you start the VM, you may be asked if the VM has been moved or copied. Select copied.
  5. If DHCP is available on the network adapter you have selected the VM will request an IP address and you will be prompted with the allocated IP. If no IP is specified you will need to set one before connecting. See instructions below.
  6. you will now need to add a couple settings to your Attacker machine:
    1. Give your Attacker machine an ipv6 global address
      • ip -6 addr a fc00:1337:c0ff:ee::101/64 dev eth0
    2. add the following IP routes:
      • ip route add 172.16.5.0/24 via {DHCP_IP}
      • ip route add 10.10.5.0/24 via {DHCP_IP}
      • ip route add 10.13.37.0/24 via {DHCP_IP}
      • ip route add 192.168.5.0/24 via {DHCP_IP}
      • ip -6 route add fc00:1337:1337:1::/64 via fc00:1337:c0ff:ee::100 dev eth0
      • ip -6 route add fc00:1337:1337:2::/64 via fc00:1337:c0ff:ee::100 dev eth0

      ‐‐ Or ‐‐

      • change your gateway to {DHCP_IP}
    3. set up your DNS to point to the 192.168.5.53 of the CySCA2018 In-a-Box
      • edit /etc/resolv.conf and add nameserver 192.168.5.53
  7. Now use your browser to connect to http://www.scoring.cysca/ to access the challenges.
  8. Challenge Management is available at http://{DHCP_IP}/ credentials for Portainer are cysca:password
Generic placeholder image

About Challenge Management (Portainer)

This years challenges are pretty resource intesive, so Challenge management has been made easier.Challenge Management is available at http://{DHCP_IP}/ credentials for Portainer are cysca:password

Stream Management

To turn off containers that you're not currently using navigate to Containers, select the streams you're not currently using and click Stop or Pause.

You can resume a container with Start or Resume

Generic placeholder image

All streams are named <stream>-<container>, if you are working on only the challenges from the Corporate Pentest all other containers can be turned off.

Corporate Pentest Stream Management

One of the most resource intensive containers is corp-git, Its recommended that you keep it turned off until you reach challenge Springboards

Web Pentest Stream Management

if you're working on only the Web Application pentest you can turn all containers off other than web-pentest.

Active-Defence Stream Management

if you're working on only the Active-defence stream you can turn all containers off other than active-defence_attacker & active-defence_victim.

Exploit Stream Management

if you're working on only the Exploit stream you can turn all containers off other than exploit-chal1, exploit-chal3, exploit-chal4 & web-pentest.

Miscellaneous Stream Management

if you're working on only the Miscellaneous stream you can turn all containers off other than the specific challenge you are working on
e.g turn on misc-exploit-classic for Miscellaneous stream challenge Exploit Classic.

Broken or Unusable Containers.

If a Container becomes unusable, or you want to reset it back to the base image, follow these steps.

  1. Click on the name of the broken container
    • Generic placeholder image
  2. click recreate on the new window
    • Generic placeholder image
  3. make sure to select "Pull latest image"
    • Generic placeholder image
  4. click recreate and you're done.
    • Generic placeholder image
Generic placeholder image

Licensing

All code written for the challenges is covered under the Apache 2.0 licence unless specified otherwise.

Check for individual licence files in each of the docker containers for full text and details. Shared libraries and modules may be under different licences. See their corresponding licence files in each sub directory.

Generic placeholder image

Students Write-ups

A number of write-ups submitted by the students on the day, this is a document of their solutions for the challenge.

Student Writeups

Solutions & Write-ups

Challenge Control have put together a write-up document of their solutions for the challenge.


Issues

If you have any issues with the Virtual Machine or challenges not working, please contact the email address provided in the Virtual Machine MOTD.

Note: we are unable to provide support for completing the challenges.
Generic placeholder image