2025 Minnesota and Indiana CCDC Debrief
CCDC was last weekend! This post will cover some initial debrief information before I meet with teams individually.
Initial Debrief
I hope competitors had a good competition! This post will cover some more in-depth general trends I saw, and I will follow this up by meeting with teams. I will meet with the Wildcard-bound teams first, and then the winners, as they have more competitions coming up this year. Afterwards, I will meet with the rest of the state competition participants to give pointed, specific feedback to help their teams improve. I have the Minnesota team contact information, and I am working on obtaining Indiana's now. In case I can't obtain it, if you are in Indiana, please reach out to me with your team contact information so I can give you a debrief!
We noticed teams self-owning as a significant source of issues in the competition again this year, especially at the beginning of the day. At one point about 1/3 of all the services were down before we had even laid a finger on the environment, apart from the nmap scans, which don't affect uptime. As I mentioned in my Red Team post in the How to Win CCDC blog series, we step up intensity as we go through the day: starting with initial access and persistence, followed by non-destructive service takedown, and finally burning down boxes. Generally speaking, this year Red Team was instructed to be more aggressive on initial access and stopping services than last year.
We were given the go-ahead to start exploitation and persistence about 15 minutes into the competition, instead of the 30-minute lag time we had last year. Non-destructive service takedowns began around 10:00, instead of noon. ZeroLogon was exploited against the domain controllers, and only 2 teams had mitigations in place when the exploit fired. Like last year, we had a fair number of systems compromised by default credentials on both known and unknown services. It appears that Minnesota teams really took my words last year about Cockpit to heart, because most teams had either disabled it or firewalled it off. In Indiana, we got into 5 teams' Webmail boxes through Cockpit with default credentials. We also had a fair number of entries into the Palo Alto with default credentials over SSH. Prestashop was nailed with default credentials for admin on the web interface across most teams. Default or weak credentials still provided the majority of our initial access.
Remember that there are both known and unknown services, so it's crucial to take advantage of the time before competition day to really get to know your boxes well. Drop Nessus on the Windows box outside your firewall, set up an any:any rule, feed Nessus admin credentials, and it'll perform a lot of enumeration for you. Take notes on weird stuff you see in the environment ahead of time too: Red Team was not given access before the competition this time, so that window lets you get a good understanding of the baseline before we start messing with it. Figure out which services are necessary, and which are red herrings.
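As an added example (mine, not from the post or any team), here is a PowerShell check a team could run on each domain controller during that baseline window to confirm the ZeroLogon mitigation is actually in place, since only 2 teams had it. The registry value and the Netlogon event IDs are the ones Microsoft documents for secure-RPC enforcement; the report wording is my own.

```powershell
# Added example: ZeroLogon exposure check for a domain controller.
# Run elevated on each DC before competition day. Two things matter:
#   1. the patch that added secure RPC enforcement must be installed, and
#   2. enforcement must not have been explicitly disabled.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$item = Get-ItemProperty -Path $regPath -Name 'FullSecureChannelProtection' -ErrorAction SilentlyContinue

if ($null -eq $item) {
    # Value absent: a fully patched DC enforces anyway, an unpatched DC is exposed.
    Write-Warning "FullSecureChannelProtection is not set; enforcement depends on patch level. Verify the August 2020 or later cumulative update is installed."
} elseif ($item.FullSecureChannelProtection -eq 1) {
    Write-Host "FullSecureChannelProtection = 1: enforcement mode explicitly enabled."
} else {
    Write-Warning "FullSecureChannelProtection = $($item.FullSecureChannelProtection): enforcement explicitly disabled. Set it to 1."
}

# Netlogon logs 5827/5828 when it DENIES a vulnerable secure channel connection
# and 5829/5830/5831 when it ALLOWS one. Allowed events mean a host on your
# network is still using the insecure channel; a DC that never logs any of
# these and lacks the patch simply has nothing to say about it.
$filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5827,5828,5829,5830,5831 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 100 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Netlogon secure-channel events found (5827-5831)."
} else {
    $events | Group-Object Id | ForEach-Object {
        $verdict = if ($_.Name -in '5827','5828') { 'denied' } else { 'ALLOWED (investigate)' }
        Write-Host ("Event {0}: {1} occurrence(s), vulnerable connection {2}" -f $_.Name, $_.Count, $verdict)
    }
}
```

Record the output in your baseline notes so that any 5829-5831 event appearing after the competition starts stands out as new rather than as background noise.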
As far as service disruptions are concerned, generally speaking we were using non-destructive methods throughout the day. Often this is simply turning off the service binary. Sometimes we turned it off and moved it to a hidden directory, changed ports, blocked the port on a firewall, or used some other non-permanent method. We also had someone halt the firewalls to turn the scoreboard a glorious shade of red. However, that killed a ton of shells, so maybe next year I will tell the Palo guy to hold off on that. That's my fault, as I told him he could halt firewalls early. We did relatively little box burning because of this, but next year we will trash stuff a little more completely, I think.
George From The Internet Company
We also had a physical component for Minnesota this year, which we have not done at the state level since long before I competed. My apologies to the Indiana teams: as I believe you competed virtually, you had to miss out on this. It was a riot.
We had 1 person primarily perform the physical exploitation attempts, with 2 folks helping him. White Team put out an announcement telling teams they could lock their rooms if they called a phone number, but to my understanding nobody did. Early in the day, nobody locked their rooms at all. So "George" (not his real name) went out and handed out USB drives. The pretext was "There was a mistake in the team packet, and this drive has the updated information". The team packet was exactly the same; I just placed a macro in it which would beacon out to a webserver I controlled so I could get White Team to tell me which team detonated it, as the payload contained the hostname of the host, which included the room number. It also spawned a terminal which echoes "Pwnd by Red Team :)". I only got 1 hit back, but it was 3 minutes after scoring completed, so I couldn't count it as a compromise for RT scoring. That school then formatted the drive before giving it back to me. They told me about the format while I was doing initial QA at the podium.
The reason for the mundane payload is that Alexandria Technical College's IT equipment is owned by the State of Minnesota. This means I can't detonate a real payload without permission from someone at the state. So the school IT staff and I came up with the idea of a mundane payload, treating it as a compromise for scoring if it was detonated. We can't directly plug a USB into the competition environment since it was hosted in NETLAB+, so unless we had some other form of physical access, I am going to have my hands tied on that front, unfortunately.
Some teams noticed a Peeping Tom, which was George using a GoPro to look into team windows from the outside. We had about a 45-second internet outage at the college, so George had the wonderful idea of dressing up with a high-visibility vest, hard hat, and a clipboard to try to get into the team rooms. He was on a Discord voice call with most of the rest of the Red Team when this was happening, which had us laughing extremely hard. His standard greeting was "Hi I'm from The Internet Company, and I am here to ask a few questions. What's your top 5 favorite passwords?" He then started taking pictures of team whiteboards. He walked into any room that was unlocked. We had a team nearly tackle him to get him out. In another room he was initially arguing with someone before being removed. Generally speaking, most teams were a little less apprehensive until he started taking pictures. One team even commented on how George was in different clothes than he was earlier, to which George replied, "This is my 3rd outfit today!"
After George had left all the rooms, we found a phone directory and followed up with the teams in the lead with a call explaining we needed George to be in the room. One team did not buy it at all, another team entertained the idea, and a 3rd didn't pick up the phone. We sent George and another person back into the room with a ladder. The team argued with George and put a plant in front of the door. So we called the room again to explain we had authorization to let George in the room. After about 3 minutes of arguments, I told George to call it off. George then left, saying "I got word that I need to go to another job".
Incident Reports
Incident Reports have a lot of room for improvement, which isn't a surprise. I know it gets harped on every single year, but this year I will be meeting with each of the teams individually to go over the incident reports and cover some QA time. I will also be refining my How to Win CCDC blog posts through the year to make them better and more relevant. As part of this, I will probably add a new section on how to document something for management. Since students don't often have experience working with white-collar-style management, I need to outline specifically what we are looking for in responses. A lot of the concepts will apply to Inject responses too, so teams whose writers get really good at this will perform significantly better. Keep in mind, Inject responses account for roughly 40% of your total score. Doing well on them is incredibly important, especially as you move into Regionals and Nationals.
A high percentage of incident reports this year were about the physical exploitation attempts, which was great! About 1/3 of teams did not submit any incident reports, and I received quite a few which were either very confusing, completely irrelevant to Red Team activities, or described intended behaviors. As it stands, I received 1 report, from Team 19, which I feel comfortable handing to my manager as is. The rest definitely need some work. I may also hold some sort of "Report Writing for College Students" workshop this summer. I can't promise that I will be able to make it work, but I will certainly do some initial digging to see how feasible it is.
Final Thoughts
I hope everyone enjoyed the competition! I will be in touch with folks soon to get some 1:1 time scheduled with me and your teams. As I said before, I want to prioritize folks going to the Wildcard and Regionals first, since they have less time between now and their next comp. I am also open to feedback, so if there's something you think I could do better, please let me know!