CPTC 2020 - Finals Review

What an exciting year! This was our 6th year running The Collegiate Penetration Testing Competition, A.K.A. CPTC, and our second year as an international competition. This was my 5th year as the game's OSINT and world director, and I think we had a very successful competition this year. This was also our first year doing everything entirely remote, which worked surprisingly well, as we had fewer infra errors this year than ever before. We had an incredible volunteer team, from the volunteers on the world team, to the core team, to all of our colleagues on the other teams, and all of our walk-in volunteers as well. A lot of CPTC volunteers bring uniquely special elements to the game and really make the event into the grand spectacle that it is. Before we get too much into the content of this year's game, it is also worth mentioning that we recently did a global rebranding. Part of the global rebranding is our new global CPTC site and our new logo, which can be seen in the following video:

As many know, our theme for CPTC this year was the company Next Generation Power, Electric, and Water, or NGPEW. I encourage you to also check out my CPTC regional posts, as this pentest was considered a re-test of that environment. This year we had 15 teams at our final event, five teams more than we used to host. This was partially because we expanded our regions both in the US and by adding two new international regions this year. Ultimately, our final competition was 35 hosts per team with three networks for them to explore, over the course of two days. It was an extremely close race, with all teams struggling to bypass our remediation controls and still coming out with great findings. At the end of the event, it was clear the top three teams were:

First place: Rochester Institute of Technology

Second place: Stanford University

Third place: Cal-State Pomona

Still, the competition was extremely close. This is the first time that the difference between first place and second place actually came down to the inject responses and compliance scores. One of the reasons was that this year we built a fairly fickle network, in the sense that many services would go down easily, suffer lockouts, or alert when interacted with too much (to simulate locking up). Many teams will probably remember the Dam crashing throughout the regional events. We added a compliance score this year with a penalty for every time someone crashed a service or locked out an account that was being used for work. These penalty scores, while pretty minor, actually made a difference in the final results this year.

I can finally talk about our infrastructure and some of the cool technology we had this year. I want to start with our remediation, as we actually compiled a huge list of every known vulnerability in the environment to decide how to remediate. We took stats on which teams had found which vulns, as we wanted to address findings that the majority of teams had found before coming to the finals. We decided to patch a few memory corruption bugs, change passwords, and add a firewall rule to prevent the VDI network from talking to the OT networks. Corp could still talk to the OT networks, and we left many of the vulnerabilities in that environment. This reduced the initial access dramatically and forced teams to pivot through the corporate network to reach more hosts. The goal with this remediation strategy was to help separate the top performing teams from the bulk of the competition. This is also something that often happens on retests of the same environment: it becomes harder to penetrate. A good way to show value during a retest is to document all of the findings that have been fixed as a result of the added controls. Below is a really cool kill chain from team 6's report that I want to highlight. I think this is a very neat alternative way to show a pentest attack summary:

In an effort to help players gain as many points as possible, I will be releasing two blog posts that can help teams better reach their audience in CPTC. One blog post will be focused on helping competitors put together better board presentations, and the other will be focused on helping competitors write better pentest reports. I'm going to wait until we publish the anonymized reports from this year to write the post about the reports, as I want to use the most recent examples. Forest will also be releasing a write-up on the PLC infrastructure we used, which should be very interesting for those looking to get more details. While we've had meetings with every team to go over some of their specific feedback, it is critical that teams pass these lessons down from class to class. If you're graduating, consider writing your own blog post on your experience at CPTC so that others in your club or competing can learn from your experiences. Before you go, I want to link our intro presentation. I think we all included some really helpful advice to teams in this presentation, so I don't want it to get lost in the shuffle. There are some gaps in these presentations, so you may want to skip around:

Our final presentation this year was also excellent. I put a few of the slides together, which you can find here, and Stuart took the helm for the world team, as he played our main character Gaylord Schaefer. It is a great presentation to watch as Tom, Lucas, Jason, Forest, and Wasabi all reveal lots of technical information about the environment and the vulnerabilities within. The presentation also includes tons of great advice for reporting, presenting to the board, and even includes some of the amazing memes we got. Even if you didn't get to play, I hope you enjoy some of the presentations and reports we put out; I've personally seen all of the teams and volunteers work really hard at this event:

Source: lockboxx