CPTC 2019 - Finals Review


Last weekend was the 2019 finals for the first international Collegiate Penetration Testing Competition (CPTC) event. The final competition was three days long, starting Friday night, going all day Saturday, and ending Sunday afternoon. This year was epic, as we had over 6 regions and more than 60 schools filter down into our ten finalists. This was our fifth year organizing CPTC but our first year opening it to international participation. If you are just tuning in, you may want to catch up with my regional review, where you will note we had an entire region in Dubai this year. Ultimately, we had a single team from Dubai attend the finals, which was really neat as their coach got up at the end and spoke on some of the cultural differences regarding tech consulting in Dubai. As far as a competition, this year was more fun and immersive than ever before. I also think we are starting to reach our critical mass, both in terms of competitors and volunteers. All these competitors means we can continue to scale the regional events, something we planed for early on, and with core volunteers we can continue to scale the game! That said we are always seeking more help, so please reach out if you enjoy the content here. If you are unfamiliar with CPTC in general, I highly encourage you to checkout our DEFCON talk. If you are familiar with CPTC or have seen the talk you can skip past the video to get to this year's content. I plan on focusing on tips that can help competing students do better in this post, so hopefully it's entertaining and informative:


This year we ran with a banking theme, highlighting critical banking compliance regulations like GLBA, and the bank undergoing an MoU. This also let us develop a traditional Windows corporate environment with some major supporting, yet still fairly basic, core (banking) applications. There were several low hanging fruit throughout the Windows environment including many ways to move laterally among the workstations and domain controller. There were apps both supported the env, like the wiki with lots of organizational and network details, and core apps that made up the bulk of the business functionality, like the core banking application. This often makes the apps critical to the businesses in CPTC, making them high value targets year over year. We also did some very unique things this year, such as giving teams three hours to pentest on Friday night including the ability to run their scans over night. We ensured these scans wouldn't disrupt the environment and that teams could not remotely connect out of the environment in any way. We think this was more realistic and a better use of their time to do over night scanning. We also used this time to penalize several teams that exfiltrated sensitive client data in-between tests, both as a way to level the playing fields from any team trying to get a competitive advantage and to disincentivize the mishandling of client data. We want teams to receive negative consequences for such actions, but we also want these to be recoverable incidents and not have a large impact in the overall shape of the game. Below you will see a team's finding block of a wiki page with passwords on it in the DinoBank environment.
We had tons of low hanging fruit and basic findings throughout the prod and corp environments this year. While we patched some of our findings from the first pentest, there were still tons of critical findings that could easily be chained into lateral movement. We also focus on making the environment as immersive as possible; I find adding little touches to each of the services gives the game depth and more possibilities for the volunteers and competitors to get creative. This means we have wikis littered with sensitive details, along with a number of file shares that have both vulnerabilities and context rich findings that support in-game narratives. We had everything from no passwords to weak passwords, with abundant password reuse, making lateral movement across services a layup. We also used little to no encryption, so it was trivial to sniff connections in the environment to gain credentials, keys, or transaction details. Most data was also unencrypted, meaning sensitive data was all over the disk, memory, and the wire for savvy hackers to inspect. Below you can see a team moving from database access to a shell on the target server.
Unfortunately we are only human as game designers, and we made some large mistakes this year (although arguably very real world). We didn't properly clear our PowerShell transcript logs after using our Domain Admin credentials to enable further logging. We've noted this mistake internally and decided to leave it in the game as we felt it opened a lot more access to the student teams. This was used both as initial access and as lateral privilege escalation in the environment. Finding it in multiple location was also multiple findings, scoring high points for some teams! Bravo to the teams that found this! Below you can see it in a pentest report. Also note the salt keys aren't a finding because those are there for mutual authentication, those private keys are used to verify the clients to the servers. We take points off for teams that write up incorrect findings. All findings also need accompanying proof as well. If you think something is a finding but you can't exploit anything else with that knowledge it's probably not worth writing up. Below you can see a team writing up our leaked credentials:
I ran the OSINT and WORLD teams again this year, with our focus on aligning details throughout all aspects of the game. We tried some new things on World Team this year. I was tasked with giving all of our many volunteers a position in the game, creating 10-20 character sheets for walk-in volunteers to roleplay as. We tried to create a "human" pressure this year, with meetings and interruptions galore, the idea being that team managers or leaders had to shield their team from the near constant interruptions throughout the event. Further, focusing on key personal and what is important to their stakeholders allowed them to offer far more value than getting distracted by the vast number of other people in the organization. For example, focusing on Tom Dickson's needs, who contracted their group for the pentest and was the ultimate stakeholder in their work, was far more important than any other character, and would yield them the most points in their presentations. At one point I played a member from the board of directors (Ali Gamble) so I could walk around and get a pulse of the teams. Ali was a major stakeholder because his name was signed on the MoU, so he was directly responsible for the security of DinoBank. Some teams understood this and spoke to me directly, where as others brushed me aside when I was only seeking a quick answer. I found it even more hilarious, as if a team were trying to speak to me, when one team highlighted my characters information in the report. Bravo (although you should probably redact my social security number):
We also had lots of rogue infrastructure and ghost IT rife throughout the environment. For example we had excessive processes on each machine and extra hosts throughout the environment. Partially due to our development style, this also played into our narrative of having an insider threat, which was present in both the characters and throughout the environment. We had several characters who were afraid of losing their job, and would protect the insider threats or obstruct the pentest in various ways. Still, there were vastly more characters who alluded to insider threats and fraud, and there was evidence of this fraud throughout the environment itself. Below you can see evidence where fraud was both present on the workstations and in the email correspondence in the environment:
Some teams handled this very well. Cal Poly comes to mind as a team who really shined, from their social interactions, to their analysis of compliance regulations, and technical findings. The Cal Poly team really jumps out as a team that had clearly defined roles on their team and that focus allowed them specialize and succeed in multiple areas. One aspect of that is how the Cal Poly Pomona team brought some custom tools, one tool called nVis was designed for CPTC so that teams could parse and group annotate nmap results. This is a tool we have also needed on the CCDC red teams for similar reasons, so it was nice to see teams taking the initiative to write tools where they find gaps. Below you can see the team including an excerpt on the tool in their appendix:
One of our main focuses this year was our IVR system, a custom interactive voice recording application on each team's network. Here teams could use the phone systems to interact with the core banking systems through the IVR. We had some incredibly unique findings here, such as an integer overflow which could deny service to (DoS) the IVR application. We also had ATMs in every room, which was another physical touch point in the competition. The ATMS were a way for the students to cash out on any core banking hacks they could pull off. If they were able to clone cards, or man in the middle transactions, they could access other account balances and withdraw funds. In this way we wanted to present interesting technology while also sticking close to our core goals of a traditional and easy to hack corporate network. Although some teams really missed the mark on the fact that ATMs can use different currencies, considering this fraud, when in fact this is how the ATMs are used for different countries easily (and we wanted to save money so we used Jamaican currency for our tender):
In fact, you could target the ATM operators of DinoBank and if you could access their account via a MITM, you could access their unlimited funds. This could be done a number of ways, students could MITM the transaction to the proxy, or since all of the authentication was actually taking place on the proxy, they could just replay transactions from the proxy to the core. These were some of the many scorable vulnerabilities introduced to DinoBank through the ATMs. With multiple ways to own transactions in flight, we started to introduce these opportunities on a regular schedule with our human users. This means every ATM could have been "jackpotted" to dump all of it's money, although no teams were able to pull this off. This was emphasized by our ATM operator characters, who would constantly enter the team rooms, withdraw funds from this account, and leave their receipt in plain sight. Below you can see an example of the ATM operators receipt. While not all ATM functions worked, working ATM withdraws was a key way for teams to monetize their DinoBank hacks.
The teams always bring some wacky and unexpected findings, which is one of my favorite aspects of CPTC. We always get findings we didn't predict or plan. I really like this one where one team used the FTP Bounce feature on our FTP service to essentially decoy scan the internal network! Stealthy and creative, this was a neat feature we didn't plan for. This is especially cool to me considering we were doing monitoring for activity against certain hosts. One could decoy scan one of Alex's boxes this way to avoid our detection (as we were monitoring several of these machines via the logs to trigger responses), which would have played into the scenario in a very creative way. I hope that gives teams roleplaying ideas for the future. Below you can see a team using the FTP Bounce scan with nmap:
There are also some really bad findings or bad reports. Probably my favorite "finding" of the year was one team going way out of scope and attacking public infrastructure. Obviously you lose a lot of points for this. The issue was on the fraudulent coins01 box, it was running the opentrade software, which was vulnerable to cross site scripting itself, but also had many links to external sites running the same exact software. One of those external sites was the MaryCoin site, a Bitcoin-like clone also running opentrade, which was also vulnerable. One team actually triggered the XSS on the Mary Coin site! Whats more, they put the exploitation of the "Mary Coin Exchanger" in their report, which clearly shows the out of scope domain. Again, this was an obvious loss of points, but also a little funny as it was certainly unintentional from our perspective. It would be shocking to me if this is the first time the Mary Coin Exchanger has been XSSed as it's a trivial vulnerability to exploit. Finally, XSS is massively different from the Mitre Technique 1064, or Scripting in a post exploitation sense, as the team tries to imply in their report below. Overall, this finding is pretty humorous:
Then there are the truly amazing findings. Every year we get some findings that we didn't even come close to predicting. This year, one shocker was Standford finding two 0-days in open source projects that we were using inside of the environment. This was brilliant to me as they must have taken note of the open source projects in between the regional and final events, giving them a month or more to do the actual research! And they got both of these issues patched by the end of the weekend, which is a phenomenal accomplishment even aside from the competition! I'm a really big fan of this, so it was exciting to see them win first place with this only being a small part of that technical score. This is a team that really understands this competition and can routinely deliver, which is a big motivation for publishing this post, in an effort to help level that playing field. Below you can see excerpts for both of their write ups for the 0-day findings.
We also had some truly remarkable reports, even without any exceptional findings. It's possible to do very well in this game just by being well put together and clear with your examples. Bellow you can see two findings where a team found an OSINT leak, then slightly changed this data in their word list to gain access. In the second finding, you can see the team moving laterally across many machines exploiting this password reuse en-mass. From there, the teams could escalate privileges to the domain controllers and seize even more permissions and data in the network. This kill chain represented in finding blocks is clear, offers easy steps to reproduce, and multiple options for remediation, making a great example:
We made some local news clips, we continue to get the word out, and so far the feedback seems really positive. I saw some students are writing blogs on their experience in CPTC, which means a lot to me as a blog writer. Writing blogs is a way for me to solidify my thoughts, crystallizing what I've learned and giving me a reference point to look back on in the future. One of our goals with CPTC is to inspire and make penetration testing a more accessible field to a wider selection of people. I think blog writing, or digesting the experience and putting it back from your perspective is an amazing way to give back to the community. Further, we plan to expand our regions next year, including more international regions, so if you want to bring CPTC to your area please reach out. If you want to help contribute in any way, or if you are inspired by anything you read here (even if you aren't with a university), please reach out to me and get involved with CPTC! We have lots to do and we try to make room for anyone who wants to help on our team.
Make sure you checkout our closing ceremonies! You can checkout the final black team presentation here. Like Lucas said in the final presentation, every participant this year should have revived one or more challenge coins. Any team that makes it to nationals is a winner in my book, let that coin server as your trophy. We invite you to pull these out if you see us and let's talk about CPTC together! Or hang around, we plan on doing an AMA very soon, similar to the CCDC red team AMA this year. If you liked the bloopers in this blogpost you should really checkout the final presentation, as there are a lot more lulz in there. Finally, you can watch the final black team talk on the RITsec twitch channel below:

Source: lockboxx

CPTC 2019 - Finals Review