Collegiate Penetration Testing Competition (CPTC) 2017 Review

This year was another amazing Collegiate Penetration Testing Competition (CPTC). As I wrote earlier, it was our third year running the competition, and the second year it has hit a national level. So many people from the CPTC team hustled to make this event happen, that I can't possibly name them all. That said, I really have to thank the core team, who seems to overcome all challenges, every year. Despite some mistakes on our end which made the game notably easier, it was another successful pentest competition. The idea this year was to have superfluous vulnerabilities throughout the environment, giving students a shooting gallery of software exploitation and seeing how they presented these numerous findings. In the following article I've selected some of my favorite snippets from reports and photos throughout the day to help show the audience and future contenders what happened. I've also listed some of the environment details below, as we redesign the network every year. The months preparing and the days of the competition were grueling and intense, but ultimately well worth it in terms of creating new learning opportunities. Below are some findings from teams that will remain anonymous for the sake of the article.
I want to congratulate everyone who participated. I think every team that made it to the Nationals event hacked most of the infrastructure we prepared and also learned something in the process. I also want to congratulate the teams who won, as it was an extremely close game and these teams won by performing well across all categories of scoring: technical findings, reporting, presenting, and injects throughout the day. First place was awarded to Stanford University, second place went to The University of Central Florida, and third place was awarded to The University of Buffalo. We even had Kos join The Black Team (Game Dev), and Space Rogue showed up as a guest presentation grader. Space Rogue also wrote up an article highlighting the competition. And there are some great photos out there of the final ceremony, as well as throughout the competition.
I ran the OSINT again this year, with some newly added team members, most notably Duff and Jay. Again, we hosted a main public site linking to several fake profiles. One of my favorite parts about the OSINT this year is that we tried to completely automate it, creating elaborate auto-tweeting, sharing, and commenting Rube Goldberg machines. Some of my personal favorites were our very own Subreddit Simulator (inspired by the real one), some public groups, fake blogs, and even open Slack chats at the time (with automated posts inside)! That said, there were overall fewer findings this year, only leaking a few credentials and, my favorite, our main API schema. Also, it's important to note that OSINT, or Open Source Intelligence Gathering, doesn't necessarily involve social engineering. That said, we already have more ideas for next year, so stay tuned if you plan to compete!
We built the environment in AWS using Alex's Laforge tool. Laforge lets us define networks and hosts in simple YAML files, then writes these configurations to giant Terraform scripts by way of template files. I personally designed many of the Linux hosts in the Corp environment and a few in the Election Net environment. The goal was to have multiple ways to access each system this year, creating many ways to score points on each individual host, as well as ways to get access that didn't necessarily score in themselves. In this way, each host presented points rather than just owning the entire domain outright, which I think confused many teams once they got DA early on. We also weighted systems core to our business or data and web apps in the election net much heavier than the mass of hosts in our corp net. We also weighted vulns that weren't remediated from the first test at half the score.

[Figure: CPTC 2017 Nationals Net Diagram - Team Network]
All of the teams did amazing, finding tons of vulnerabilities in the systems and writing decent reports as well. I focused mostly on OSINT, some Linux hosts, intro interviews, grading reports, and making sure people didn't cheat during the competition via our monitoring. I really enjoyed watching all of the students' various techniques and tactics via the Splunk monitoring we had set up this year. Every year I see both hilarious out-takes as well as brilliant hacks, which we try to highlight in the closing ceremony. Sometimes we even learn of new exploits we hadn't planned for and add these to the scoring rubric on the fly. That said, this year's environment was ridiculously insecure, with numerous cleartext, command-injectable, automated web transactions flying around a microservice-oriented back-end network.
Implementing a Salt Stack for host management across the fleet was a fun alternative vector to compromise the entire fleet, aside from the standard Domain Administrator vector. Further, it was command execution via chat bots that allowed the contestants to pivot to the host management infrastructure. I really enjoyed all of these uniquely vulnerable systems we had, from exploitable mail servers and open SMTP relays to vulnerable monitoring infrastructure; many systems were leaking interconnected data from other machines.
I also really enjoyed the 'physical election booths', which were a type of thick client breakout exercise, similar to breaking out of a Citrix environment or a self-payment / checkout terminal. Not only was there a full-screen application, basic application blacklisting, and a lack of any real tools on the targets, but the contestants also had to realize they were in a VDI environment. This meant most teams never truly made it to the physically hosted OS, with only a very few hacking their way down to system-level control of the bare metal machines.
There you have it, those are my favorite highlights from this past weekend. We even made the local news! I hope everyone had fun, hacked some computers, and ultimately learned something new. I know I learned tons, both about running a competition like this and from watching the competitors and my colleagues! Finally, we set off The MEMZ at the end, although there wasn't enough time to turn it into an inject. I also met tons of great and inspirational hackers, people I hope to work with for ages to come. See you soon, fellow red teamers!