Skip to content

Agent actions

from cyst.api.logic.access import AuthenticationTokenThis section covers the actions that an agent can perform. The actions space will be gradually extended as the challenge progresses and new scenarios are released.

Inspection of a target

Use this action to get information about a target that you already accessed. This action works in two main modes - if you specify only a target IP (i.e., a localhost or a machine that you have a session to), it will give you the list of services running on that machine and the IP addresses that the target has; if you also specify a concrete service, it will give you information about that service, namely its version and the interesting info it contains.

  • ID: ac1:inspect
  • Prerequisites: Local access to the target machine.
  • Parameters: None

Response statuses

  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE) if the agent does not have access to the target system.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.SERVICE_NOT_EXISTING) if the target service does not exist.
  • Status(StatusOrigin.SERVICE, StatusValue.SUCCESS) otherwise.

Response structure

  • If not successful: 
    "An error string describing the problem"
  • If successful and no concrete service was provided: 
    {
    "ips": List[str],                                 # A list of IP addresses
    "services": List[Tuple[str, semver.VersionInfo]]  # (Service name, service version)
}
  • If successful and a concrete service was provided: 
    {
    "name": str,
    "version": semver.VersionInfo,
    "data": List[str],  # A list of paths to interesting data
    "auths": List[AuthenticationToken],  # A list of authentication tokens that can be used to access other services
    "sessions": List[Session]  # A list of sessions tha you can hijack
}
    In any case, data, auths and sessions can and will often be empty.

Scanning of a host

Use this action to get information about a remote target. Currently, it provides information similar to the previous action and acts like a combination of a PING and SYN scan. It tells you whether the scanned IP is alive and which remotely accessible services are running on the target. To get also the local services, use the previous action.

Note

Further parametrization of the action will become available as the challenge progresses and active defenses are introduced.

  • ID: ac1:scan_host
  • Prerequisites: None
  • Parameters: None

Response statuses

  • Status(StatusOrigin.NETWORK, StatusValue.FAILURE) if the target cannot be reached.
  • Status(StatusOrigin.SERVICE, StatusValue.SUCCESS) if the target was successfully scanned.

Response structure

  • If not successful: 

    "An error string describing the problem"

  • If successful: 

    {
  "ip": str,  # The IP address that was scanned
  "services": List[Tuple[str, semver.VersionInfo]]  # (Service name, service version)
}

Scanning of a network

This action is a shortcut, that will perform a host scan on a given network range. Therefore, all that applies to the previous action, applies to this as well.

  • ID: ac1:scan_network
  • Prerequisites: None

  • Parameters:

    • net: a string representation of a network in CIDR format, compliant with netaddr.IPNetwork initialization.

Response statuses

  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.ACTION_PARAMETER_NOT_PROVIDED) if the net parameter was not provided.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.ACTION_PARAMETER_NOT_APPLICABLE) if the net parameter is not in the correct format.
  • Status(StatusOrigin.NETWORK, StatusValue.SUCCESS) otherwise.

Response structure

  • If not successful: 

    "An error string describing the problem"

  • If sucessful: 

    {
    "success": List[Dict[str, str | List[Tuple[str, semver.VersionInfo]]]],  # ac1:scan_host success results
    "failure": List[str],  # a list of unreachable IP addresses
    "error": List[str]  # a list of IPs that have some error
}

Accessing a target

This action attempts to get access to tha target machine and provide your agent back with a session that it can use. There are two main way, how the access can be acquired - through service exploitation or with valid credentials, if the service enables session creation.

  • ID: ac1:access_target
  • Prerequisites:
    • Exploitation:
      • an exploit with a category ExploitCategory.CODE_MANIPULATION valid for the target service,
      • an exploit with a locality ExploitLocality.REMOTE if accessing remotely, or any locality if accessing locally.
    • Authorization:
      • a target service supporting opening remote sessions,
      • a valid AuthenticationToken or Authorization for the target service.
  • Parameters: None

Response statuses

  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.SERVICE_NOT_PROVIDED) if no target service was provided.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.SERVICE_NOT_EXISTING) if the service is not on the target machine.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.SESSION_NOT_PROVIDED) if you attempt to attack a local service without having a local access.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.EXPLOIT_NOT_PROVIDED | StatusDetail.AUTHORIZATION_NOT_PROVIDED | StatusDetail.AUTHENTICATION_NOT_PROVIDED) if you don't provide session or authentication/authorization.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.EXPLOIT_CATEGORY_NOT_APPLICABLE) if you use wrong exploit category.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.EXPLOIT_LOCALITY_NOT_APPLICABLE) if you attempt to use local exploit remotely.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.EXPLOIT_NOT_APPLICABLE) if you choose a wrong exploit.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.AUTHENTICATION_NOT_APPLICABLE) if the provided authentication is incorrect.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.AUTHORIZATION_NOT_APPLICABLE) if the provided authorization is incorrect.
  • Status(StatusOrigin.SERVICE, StatusValue.SUCCESS) if you are successful

Response structure

  • If not successful: 

    "An error string describing the problem"

  • If successful: 

    "Session successfully opened"

'response.session' contains a newly opened session

Exfiltrating data

This action lets you access data tied to a specific service. You can do this either remotely, provided you have a working exploit, or you can do that locally. Currently, the access level is not in play, so your agent can grab data without impunity. Later in the challenge, you may need to acquire a privilege escalation exploit first.

  • ID: ac1:exfiltrate_data
  • Prerequisites:
    • Remote exploitation:
      • an exploit with a category ExploitCategory.DATA_MANIPULATION valid for the target service,
      • an exploit with a locality ExploitLocality.REMOTE.
    • Local access:
      • just local access to the target.
  • Parameters:
    • path: a location of the data to exfiltrate.

Response statuses

  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.SERVICE_NOT_PROVIDED) if no target service was provided.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.SERVICE_NOT_EXISTING) if the service is not on the target machine.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.ACTION_PARAMETER_NOT_PROVIDED) if the path parameter was not provided.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.ACTION_PARAMETER_NOT_APPLICABLE) if the nonexistent path was provided.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.EXPLOIT_NOT_PROVIDED) if an exploit is not provided for remote access.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.EXPLOIT_CATEGORY_NOT_APPLICABLE) if the exploit has a wrong category.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.EXPLOIT_LOCALITY_NOT_APPLICABLE) if a local exploit was used for remote extraction.
  • Status(StatusOrigin.SERVICE, StatusValue.FAILURE, StatusDetail.EXPLOIT_NOT_APPLICABLE) if the exploit cannot be used for the target service.
  • status = Status(StatusOrigin.SERVICE, StatusValue.SUCCESS) if you are successful.

Response structure

  • If not successful: 

    "An error string describing the problem"

  • If successful: 

    {
    "path": str,    # The path to the data
    "content": str  # Data contents (not really useful)
}