This weekend I went Stanford with the Cybersecurity team to compete in the Collegiate Penetration Testing Competition! It is without a doubt the worst named competition I have ever competed in, but there you go! The cybersecurity team consisted of myself, Kevin the workshop coordinator, Abdul the financial officer, Victor who wore a John Wick costume the whole time because he was competing in a costumed Nerf game on Friday night, and the the club president who doesn’t want me to mention his name in my blog, so I will call him Horatio Algers to annoy him. CPTC is not so much a competition as it is a weekend long practical interview. Workers from Facebook, IBM, Dell, and other tech companies sponsored the event and they request your resumes in the beginning. The interview aspect is kind of funny seeing as I have no desire to end up working in the cybersecurity industry and Horatio is so concerned with security that he doesn’t want his resume shared with the people running the competition!
One of the more fun and glamorous aspects of cybersecurity is called ‘penetration testing’ or ‘red teaming’, where a company pays you to hack into their servers to find vulnerabilities. This competition was a simulation of a penetration test on a bank called DinoBank. One of the competition organizers pretended to be the head of information security at DinoBank named Tom Dickson, and walked around to all the teams throughout the competition. The only requirements are that you must use their hardware, and if you are going to use software that isn’t pre-downloaded it must be open source. Open source means that anybody can access it, download it, and alter it. So before the competition, we did some recon with the bank figured some things out.
From DinoBank’s website we found some of the LinkedIn pages of five ‘workers’ at the bank. From there we found a screenshot of what looks like a private key, and a blog post on Medium. Then we found a link to DinoSure, their insurance company, and some information about CroissantCoin, their new cryptocurrency. We also found their GitHub repository where their code was stored. We were hoping that when we showed up on Saturday, we would have a definite plan of attack. Unfortunately, we had trouble all finding times where we could all meet up to train together, and there are only two especially skilled members of the team who are responsible for training the other three members. So we weren’t all as prepared as we hoped to be when we ended up going to the competition on Saturday. Despite this, we did quite well!
We went up to Palo Alto Friday night, and got to the hotel at around five. Victor let me use his electric scooter, which I enjoyed far too much. Since the school was paying for the hotels, I chose a place that was a bit nicer that where I would stay had I been paying with my own money, which was certainly a nice change! We went over to Stanford in the morning, where me met up with the other teams competing in the regional competitions. We were up against the Stanford team, UC Berkeley, UC Santa Barbra, and some other teams. The Stanford campus was beautiful as always, and just hanging out there reminded me why I really want to get my PhD there. It’s such a cool place!
Each team was given a sound proof room with a white board and a table. Since we couldn’t use our own computers each team was given two linux machines and three windows machines. Unfortunately, the hardware was not that great, and even the software installed was kind of crappy! Nobody likes to hack on a Windows machine, and instead of Kali Linux, the standard Linux distribution for hackers, we had a strange version of Ubuntu that wasn’t really like the normal version of Ubuntu. We started at 10:40 and had until 6:40 to stop hacking. So we got into our rooms, got our badges, and started the game!
We were given several ‘in scope’ subnets, meaning that we were permitted to hack them. A subnet is a list of several different IP addresses that are bundled together. An extremely large subnet could encompass the entire internet, and a very small one would encompass only one IP address. We ran nmap scans on all four subnets, and found several different Windows machines, some Linux machines, and a website for a fake cafe called the Crusty Croissant. Nmap is a program that scans subnets and ip addresses for open ports. Ports are what a computer uses to communicate with other computers — you can listen on a port, and if another computer sends something to your IP address on that specific port, the listening computer will receive it. A computer has 65,535 ports, and can do whatever it wants from any of them. However, there are certain ports that are typically used for certain things. For example if you are looking at a website, and that website uses http or https (like most websites) you are typically listening on port 80 and as a result, nearly all web servers serve their web page to port 80. An open port is a port that you can serve things to.
We quickly discovered that there was a web application on 10.0.2.101 that didn’t have a /vendor folder. This was a problem because there was no method of customer verification. We couldn’t do anything to exploit it because we weren’t planning on uploading real money to the bank, but it was definitely an issue. Then we went to the 10.0.2.0/24 subnet where we discovered a linux machine named core-01 which contained a PostgreSQL database which was completely open to the internet and the credentials were the default credentials which you can just find online! So Kevin got in and uploaded a python script to the database. The script uploaded a reverse shell to the core-01 linux machine, which meant that we could type in bash commands and they would be executed on the machine. We had gained some reasonable semblance of control over the system.
Once that happened, Horatio Algers tried to escalate privileges on core-01. Basically, when you are running a server you can give different people different levels of privilege all the way up to the ‘root’ user who runs the system. In our case, there was an even higher level than root called ‘domain administrator’. The domain administrator would be able to control everything in the DinoBank network, including the other servers! Unfortunately, we never managed to get there, and there sere some subnets that didn’t have any open ports so without domain admin powers we just had to ignore them. However, we still were able to cause some damage. We created an account called “dumb dumb” and gave it one million dollars, took a ton of employee credentials, and just generally wreaked havoc across the server. Unfortunately we were unable to access a machine that looked like it contained some voicemails, as well as one that had a QueryTree. The only ones we could access were were the core backend, a web application, and a cafe website that was being hosted (more on that last one later). Then we discovered that our walls were not soundproof! The team next to us started exclaiming things like “I hope they don’t figure out that the password is 5TY345!” in very loud voices. So of course, we had no other choice but to play this lovely music video very loudly until they stopped. Also, we did some social engineering of our own.
Around this time however, we began to get emails from one of the DinoBank employees named Alex Faulkner. He began to tell us in rather threatening language to stay off one of the IP addresses that was clearly in scope. So we called up Tom Dickson, who said to write up a message to him about what was going on. Also, we found that on Alex Faulkner’s fake twitter account, there was a screenshot of what looked like a password, which we also showed Dickson. He sighed, and said that Faulkner had to stop drinking so much. Very good roleplaying on Dickson’s part! Anyways, it was certainly nice to have some ‘plot’ in this hacking game.
After that, there wasn’t really much to do so we turned to the webpage for a cafe called the Crispy Croissant! I don’t know why the bank was hosting their site, although in Faulkner’s fake twitter account, he said that he really loved the place. Also, it turns out that name came from the croissants they served for breakfast the year before at CPTC. Fortunately for us, the webpage had an ‘edit’ button and could be manipulated in any way we liked! It was vulnerable to cross-site scripting which means that we could execute code on visitors, redirecting them to malicious sites. We defaced it, took a screenshot, and then fixed it back to how it was before.
In the end, we attended the awards ceremony where I consumed far too many sodas for my own good. Stanford got first place, then Cal Poly, then San Francisco City College. This unfortunately meant that we were not invited to the national CPTC competition. While we didn’t place, I learned a ton, and we all had a great time! Hopefully we will do even better in our next competition at Cyberforce! I’ve never wanted to go into cybersecurity as a career, but the way I see it, it’s kind of like design. If you want to be a good coder, you have to at least know the basics of designing things or all your software will look crappy. Similarly, you have to know how to hack or all your systems will be vulnerable. So I am certainly happy to have gone to CPTC and learn!