Description
The FCSC is a Jeopardy-style CTF, but here is a challenge to train you in Attack-Defense mode. The flags exchanged between simulated teams are fictional and independent of the FCSC. Your goal is to filter network traffic: once you succeed, the flag to validate the FCSC challenge will be given to you.
You are playing a CTF in Attack-Defense mode, but it's a disaster! The organizers have only provided the services as binaries or in exotic languages you don't know, so patching them is not realistically possible. You decide on a drastic change of strategy: instead of fixing the vulnerabilities, you set up an Intrusion Prevention System (IPS) on the machine hosting your services (the vulnbox).
As a reference, we provide you with a network capture (winds-of-the-past.pcap) taken at the moment you discovered, to your horror on the scoreboard, that a team had managed to steal your flags.
The flags for this Attack-Defense challenge follow the regex pattern ECSC_[A-Za-z0-9\/+]{32}.
Your goal is to write Suricata rules to block only the payload used in the observed attack.
You must not block legitimate traffic, which includes depositing flags and testing for flag presence in the service.
Once your rules are written, you can connect to nc localhost 4000 to test them against new traffic.
The FCSC flag will be given to you once the service is properly protected (illegitimate traffic blocked, legitimate traffic unaffected).
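Before writing any rule, it helps to know where flags appear in the capture and in which direction. The following triage helper is an added example, not one of the challenge files: it pulls flags matching the challenge regex out of TCP payloads, groups them by direction relative to the vulnbox, and builds the pcre option a Suricata rule would use. It also shows why the naive rule "drop any server-to-client packet containing a flag" breaks the requirement above: the checker's flag-presence test gets the flag back too. The IPs, ports, message texts and the attacker's request placeholder are all constructed assumptions; the real service's wire format must be read from winds-of-the-past.pcap.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Regex taken from the challenge statement: ECSC_ followed by 32 base64-style characters.
FLAG_RE = re.compile(rb"ECSC_[A-Za-z0-9/+]{32}")


@dataclass
class Segment:
    """One TCP segment with payload (a minimal stand-in for a pcap packet)."""
    src: str
    dst: str
    payload: bytes


# Assumed addresses for the constructed traffic below (not from the pcap).
VULNBOX = "10.0.0.2"
CHECKER = "10.0.0.100"
ATTACKER = "10.0.0.50"

FLAG_A = b"ECSC_" + b"A" * 32            # constructed flag, 32 chars after the prefix
FLAG_B = b"ECSC_" + b"b/+1" * 8          # constructed flag exercising '/' and '+'

# Constructed flows: the checker deposits a flag, checks it is still served,
# then an attacker (request content unknown until the pcap is analysed) gets flags out.
SAMPLE = [
    Segment(CHECKER, VULNBOX, b"PUT " + FLAG_A + b"\n"),          # legitimate deposit
    Segment(VULNBOX, CHECKER, b"OK\n"),
    Segment(CHECKER, VULNBOX, b"GET id=1\n"),                      # legitimate presence test
    Segment(VULNBOX, CHECKER, FLAG_A + b"\n"),                    # legitimate response with a flag
    Segment(ATTACKER, VULNBOX, b"<attack request placeholder>\n"),  # hypothetical, not the real payload
    Segment(VULNBOX, ATTACKER, FLAG_A + b" " + FLAG_B + b"\n"),   # exfiltration
]


def find_flags(payload: bytes) -> list[bytes]:
    """Return every flag-shaped token in a payload."""
    return FLAG_RE.findall(payload)


def flags_by_direction(segments, vulnbox: str = VULNBOX) -> Counter:
    """Count flags per (direction, peer); 'to_client' means vulnbox -> peer, as in Suricata's flow keyword."""
    counts = Counter()
    for seg in segments:
        n = len(find_flags(seg.payload))
        if not n:
            continue
        if seg.src == vulnbox:
            counts[("to_client", seg.dst)] += n
        elif seg.dst == vulnbox:
            counts[("to_server", seg.src)] += n
    return counts


def suricata_pcre(pattern: str, flags: str = "") -> str:
    """Wrap a PCRE in Suricata's pcre keyword; '/' must be escaped inside the delimiters."""
    body = pattern.replace("\\/", "/").replace("/", "\\/")
    return f'pcre:"/{body}/{flags}";'


# The naive rule: drop every established server->client segment that carries a flag.
# sid is an arbitrary local-rules value chosen for this example.
NAIVE_RULE = (
    'drop tcp any any -> any any (msg:"flag in response"; flow:to_client,established; '
    + suricata_pcre("ECSC_[A-Za-z0-9/+]{32}")
    + " sid:1000001; rev:1;)"
)


def naive_rule_hits(segments, vulnbox: str = VULNBOX) -> list[str]:
    """Peers whose traffic NAIVE_RULE would drop: any server->client segment containing a flag."""
    return sorted({seg.dst for seg in segments if seg.src == vulnbox and find_flags(seg.payload)})


if __name__ == "__main__":
    for key, n in sorted(flags_by_direction(SAMPLE).items()):
        print(key, n)
    print("naive rule would drop traffic to:", naive_rule_hits(SAMPLE))
    print(NAIVE_RULE)
```

On the constructed flows the naive rule drops traffic to both the attacker and the checker, which is exactly the "legitimate traffic unaffected" condition failing. The rule you actually want keys on something distinctive in the attacker's request (flow:to_server plus a content or pcre match on the observed payload), so that responses to the checker are never touched.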
You can download example blocking rules for inspiration here: https://rules.emergingthreats.net/OPEN_download_instructions.html. We also recommend reading the Suricata documentation: https://docs.suricata.io/en/suricata-7.0.6/rules/index.html.
Note: The Attack-Defense service in question is Winds of the past, originally developed for ECSC 2022. Reading the source code of this service is not necessary to solve this challenge.
Files
- docker-compose.yml
- winds-of-the-past.pcap.xz (39.21 KiB – sha256: 4a3d99d4d6e05fb8a176820412b703a158afb7f2e69864312469d65abaa43fc3)
Author

Challenge Instructions
- First, download docker-compose.yml:
curl https://hackropole.fr/challenges/fcsc2025-misc-surinosaur/docker-compose.public.yml -o docker-compose.yml
- Launch the challenge by executing in the same folder:
docker compose up
- Then, in another console, access the challenge with Netcat:
nc localhost 4000
In case you encounter problems, please consult the FAQ.
Submit your solution
You can submit your writeup for this challenge. Read the FAQ to learn how to proceed.
Writeups
There are no public solutions for this challenge yet, but you can submit yours after getting the flag.