Minnesota CCDC 2024 Post-Mortem

I like causing chaos, and Red Teaming CCDC is the best way to cause chaos.

I had the pleasure of participating in the Minnesota and Indiana State Collegiate Cyber Defense Competition (CCDC) on the Red Team again this past weekend. Like always, it was a ton of fun. I have two years on the Blue Team side of the competition. For more background I outline it here and here. As stated in those posts, my career as it stands would not be possible without this competition, so it's something I care deeply about and I am thrilled that I can give back to the competition.

Red Team Causing Blue Team Blues

The competition started off rather normally. The teams had about an hour to get technical issues resolved and log into the lab environment. The start of the competition (Drop Flag) went off at 09:00, mostly without a hitch. A few teams took services down, either for updates or through overzealous firewall rules. Around 09:30 Red Team started scanning, initial exploitation, and establishing persistence across all teams and services. We had people who were extremely relentless in establishing webshells in Prestashop and Splunk, and we had another person who executed ZeroLogon on most teams' DCs. Most, if not all, of the Linux boxes were vulnerable to PwnKit, and we used that to perform our privilege escalations. We also had someone replace an iptables binary with a Meterpreter reverse shell, which was greatly entertaining.

You Have Lunch? Be a Shame If a Disaster Happened During Lunch

If you have ever experienced a Midwest-based CCDC, you'll know that the competition organizers really hate the idea of lunch for Blue Teams. It's a thing that happens in both the State competitions and the Regional competition in the Midwest. At 12:00 Red Team was authorized to take services down, and around four injects were delivered to Blue Team. Red Team quite enjoyed our sandwiches. I can't imagine Blue Team liked them quite as much. The techniques were a number of ways to mess with service uptime. Sometimes it was moving the listening port of a service to a different port so the scoring engine didn't detect it, sometimes it was locking out the ports via firewall rules, killing the processes, and more. I also know there were weak credentials for the Palo Alto firewalls over Telnet and SSH, which resulted in someone getting into them and messing with firewall rules, which in turn impacted services.
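Two quick Blue Team checks for the attack paths described above: whether pkexec still carries the SUID bit that PwnKit privilege escalation depends on (from the earlier paragraph), and whether every scored service is actually listening on the port the scoring engine expects, so a moved port shows up immediately. This is an added example, not a script from the original post or the competition; the expected "name:port" list and the captured `ss -Hlnt` output are constructed sample input.

```shell
#!/bin/sh
# Blue Team triage helpers (added example, not from the original post).

# PwnKit abuses the SUID bit on pkexec. Until the polkit package is patched,
# dropping that bit (chmod 0755 /usr/bin/pkexec) closes the path. Returns 0
# when the bit is still set on the given path (default: /usr/bin/pkexec).
pkexec_is_suid() {
    [ -u "${1:-/usr/bin/pkexec}" ]
}

# Print the names of scored services whose expected port is not in the
# listening set. $1: "name:port" pairs separated by spaces. $2: listening
# sockets in `ss -Hlnt` style, one socket per line with the local address
# (host:port or [v6]:port) as the fourth column.
missing_ports() {
    expected=$1; listing=$2; missing=""
    for pair in $expected; do
        name=${pair%%:*}; port=${pair##*:}
        # ":PORT" or "]:PORT" followed by whitespace/end of line, so port 80
        # does not match 8080 or 180.
        if ! printf '%s\n' "$listing" | grep -Eq "[]:.]${port}([[:space:]]|$)"; then
            missing="$missing $name"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: the web service has been moved from 80 to 8081.
SAMPLE_LISTENING='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8081 0.0.0.0:*
LISTEN 0 50 [::]:25 [::]:*'
SAMPLE_EXPECTED="ssh:22 web:80 smtp:25"

# Stand-alone run against the sample (live use: missing_ports "$SAMPLE_EXPECTED" "$(ss -Hlnt)").
if pkexec_is_suid; then echo "pkexec is SUID: PwnKit exposure if unpatched"; fi
gone=$(missing_ports "$SAMPLE_EXPECTED" "$SAMPLE_LISTENING")
[ -n "$gone" ] && echo "not listening on expected port: $gone"
```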

BURN IT ALL DOWN

Gif of Elmo with arms raised in front of a fire with the caption of "Let it Burn"

Between 14:00 and 14:30 Red Team was then authorized to torch any system we still had access to. This is what makes being on the CCDC Red Team really exciting. We are allowed to take the gloves off and just go nuts in ways we would never be able to in the real world. Around 15:00 we discovered some additional default, unchanged creds that allowed us access to the mail servers through Cockpit, and over SSH for those servers that hadn't blocked SSH. We were able to go team by team and log in with those default creds, perform our privilege escalation via PwnKit, and then delete /etc/fstab and reboot the system with shutdown -r 0. The web servers were totally destroyed too, and I know there was talk about enabling BitLocker on the Windows machines and requiring the key at boot to simulate a ransomware incident. I don't think that was ever done though.

Incident Reports

As always, Red Team was forwarded the Incident Reports so we could correlate them to our activities and give points back to teams who correctly identified malicious actions as ours and provided a decent and actionable writeup stating as much. The environment is pre-seeded with vulnerabilities and sketchy users, shells, and other annoying things designed to trip students up. The incident reports were a complete scattershot in quality this year. A lot of teams discovered a reverse shell in their crontab, but that was one of the pre-seeded things that we actually didn't do. A small handful of teams properly identified Red Team traffic, and of course we gave some points back on those ones.

Wrap-up and Next Year

Next steps include getting a more detailed report out to the teams, so they know what to improve on for next year. The Red Team Lead of the last 15 years for Minnesota CCDC is stepping down, and I am to take the role over for the foreseeable future. I am extremely excited to take the reins and hopefully push the Blue Teams harder in years to come, with more creative attack paths, assisting in the creation of injects, and most importantly, I want to really push the understanding of what Red Team is doing to these systems to help Blue Teams become more effective defenders.