3070 hours of hack quest, report and stories of participants


    Participants in one of the offline Cyber Readiness Challenge hacker tournaments

    On Friday, the online round of the Cyber Readiness Challenge hack quest, run by Symantec and CROC, ended.

    Hackquests are often made by people who are far from professional information security. Such quests can be recognized by their guessing tasks: passing them takes not so much skill as luck and guessing what the author had in mind. Here, it seems, a very rare thing happened: the competition was made by people who know information security well but are far from the CTF world. As a result, the tasks turned out naive on the one hand, yet technically correct on the other. One competition contained both tasks like “Scan the network. How many machines do we have on the network?” and hardcore ones like “Decrypt the base64-encoded block; the multibyte XOR key is unknown.”
    Vlad “vos” Roskov.

    Participants connected to a simulator of the network of a large corporation, EDC. According to the scenario, several incidents occurred in the EDC security system. The company hires the best information security experts to work out what happened and to prove or disprove the possibility of a hack.

    The game took about 3070 hours in total (the combined time spent by the participants). 143 players from different regions of Russia logged in to the tournament, of whom approximately two thirds actively participated.

    Winners


    I place - vos - Vlad Roskov - St. Petersburg;
    II place - VY_CMa - Igor Kanygin - Omsk;
    III place - AV1ctOr - Victor Alyushin - Moscow.

    Vlad Roskov, playing under the nickname vos, won the online part. He took the lead almost immediately and held it to the very end, finishing with 36.800 out of 38.800 possible points, which is 88 out of 90 tasks (no one took the last two flags). We now look forward to seeing Vlad at the offline part of the tournament on September 10th.


    Top 20. Pay attention to the gap between the first players.

    Vlad's story about the tournament


    Here is what Vlad himself told reporters about the game:
    “In my opinion, as a seasoned participant in computer security competitions (CTF), the game turned out to be amazing: the tasks were naive, but at the same time fascinating. That's a great rarity. Anyone who wants to try their hand at simple and at the same time technically competent tasks in information security is highly recommended to take part in the Cyber Challenge next time. I’m looking forward to the offline stage with interest, and I thank Symantec and CROC for the cool quest.”


    And here is what he told me specifically for Habr (what follows is abridged and assembled from the several emails in which the conversation took place):

    I have my own opinion on this challenge, slightly distorted by the professional deformation of a hardened CTF player. The Symantec hackquest surprised me: it turned out to be both naive and interesting. This is rare.

    I slept all nights - this is sacred :)

    In fact, I managed to get ahead quickly, solving as many as 85 tasks on the first day (thanks to Symantec support, which quickly responded to problems with access to the list of tasks). After that, to be honest, I slacked off and sat for a long time at 34300 points, with my last flag submission on the 15th. On the last day I sat down and kept digging, and finished off 3 tasks.

    Relatives did not appreciate the whole day spent nose to laptop :-D

    The simplest thing was to put up with the lack of Internet access while the game VPN was connected.

    The biggest difficulty was to come up with a nickname longer than 3 characters when registering.

    I read hints on tasks 88, 89. It did not help.

    I liked and was amazed by the isolation of the players' infrastructure from each other. I still don’t understand how it was implemented. Was a set of virtual machines brought up for each of the hundreds of players?

    Most of all I liked that tasks that were simple in wording forced me to use my brain and come up with an unusual way to solve them. And it's a damn cool feeling when an idea works the first time.


    Victor Alyushin (III place):



    I slept every night, but one night the laptop kept working: I was guessing the mysql password. In principle, everything was simple, except for Metasploit, XSS, password guessing for mysql, and flags 2 and 3 at level 4 :)

    I did almost everything at once, I just didn’t know how to guess mysql passwords online ... When your bot didn’t work and I was thinking about how to solve banter.edc, I thought I had to crack IIS 4.0. Note: this refers to flags 78 and 79. As soon as a sufficient number of participants reached them, it became possible to identify the problem and fix it. Hints and scores were restored at the same time.

    Most of all I liked that I got far and did not have to be bored. And also that I hacked the Scoreboard cookie and banter.edc. A request: do not change the algorithm, and put some hole behind it, because for now decrypting the cookie did not give any particular vulnerability, except for the ability to steal the alexa cookie.

    Offline? Of course, just invite me :) I live in Moscow, so it is not far to go.


    The story of Teymur Kheirkhabarov (IV place)


    I reached the last, 4th level, where I managed to take 2 flags out of 5. In total, I collected 87 flags, which allowed me to take 4th place. It’s hard to say how much total time I spent on the game. I started playing in earnest only from day 3, and only in the evenings; during the day I had to work. I stayed up only on the last night; I couldn’t afford that on the others, getting up for work at 6 a.m. The main problem for me was the lack of time due to work. It would be nice if the game began, for example, on Wednesday, to capture the weekend, when you could devote enough time to the game. I think many of those who played or wanted to play would agree with me, since many of them have jobs and families.

    The simplest tasks were of the kind "which version of a particular piece of software is installed on the server" or "how many hosts are on the network". The greatest difficulty was caused by 3 tasks. One of them was brute-forcing the password of a MySQL DBMS user. I tried to find the password for about 2 days; in the end it turned out that the brute force tool I used did not work correctly and even missed the valid password. After changing the tool, the password was found in a few minutes. The 2 other tasks, from the 3rd stage, could not be completed for a very long time due to technical problems on the game servers. Because of this, it was not clear whether I was doing something wrong or whether the game server really had crashed. In the end, it turned out to be the latter.

    I had enough knowledge, but at times lacked practical skills. I had to “google” examples of using this or that utility.

    Most of all I liked the third and fourth stages of the game, where there were tasks that really make you think. And of course, the drive of the last hours of the game, when a serious struggle unfolded between the participants of the top ten rating.

    Offline? Most likely not. I live in Krasnoyarsk, far from Moscow.


    Here is the story of Andrei Leonov (VII place), also not for journalists:


    I took 86 flags. Several of them had to be taken for no points, using all the hints.

    I think that in total the whole game took me 50 hours, at a fairly even pace. I slept for four hours a day.

    As one would expect, I am not very good at analyzing network infrastructure and at the linux toolkit. Because of the latter, I did not manage to take flag 87 (I understood that I needed to redirect ports through the 1.1.2.19 machine, and even understood what could help me with this, but I could not find a concrete implementation in time, either through nc or socat), which is very disappointing. I would have risen higher in the standings.

    What would I change? Some of the tasks, especially among the simple ones, seemed to me excessively simple and / or not quite from the field of information security.

    What are the differences from other tournaments? Its popular-science character. It was possible to participate even with a minimum amount of knowledge but a great desire, and to achieve decent results, not only on the tournament scoreboard but also in terms of gaining new knowledge.

    Difficulties ... well, everything is simple here: I spent 2 or 3 hints on the following flags:
    - How many hosts are online on the internal network
    - The password of the netadmin database user - hydra really failed here: I fed it 200K passwords, and it stayed silent. Helpdesk answered that the password is in one of the dictionaries of common passwords. After changing the brute tool to metasploit / mysql_login, the answer was received in a couple of minutes. And I spent a day on this flag :)
    - Flag 78 - many swore at it. The difficulty was not that I did not understand what to do, but the strange behaviour of the bot. But it is what it is. The strangest thing is that in the level table loaded at the last minute, there is no record that I used all three hints. Miracles? :) (Note - here everything is also explained by the same problem that is described above).

    Personally, my commercial interest is more in vulnerabilities in web applications. Good and varied ones. Where is XXE? :) Where is at least a simple WAF (well, at least one that makes you urlencode the quotation marks)? In non-critical tasks, it would be interesting to see something relatively new, SSRF for example. Or less obvious vectors. Although this is already my whim, I understand that; for me a one-line union working through mod_rewrite is like a pellet to an elephant =) Now, if there you had to understand the vector, realize that exploitation does not go through mod_rewrite, and run a script to which the data is passed, that would be more interesting.

    Offline? I need to register =). To show myself in person and look at the others. I want to shake hands with vos. Thank you all so much for such an interesting five days. The pilot series was excellent - we are waiting for the next one :)


    Andrei also said a few things that we will not publish yet, as they are obvious spoilers (the first online tournament was held in Russia, but there will be more in other countries).

    Our experience


    As I said, the CRC online tournament was held, according to our information, for the first time. Many participants asked us to set up an IRC channel for communication, and there was a miscalculation with one incorrect hint (many complained about the difficulty of brute-forcing passwords). We will take these and other comments into account, and once we finish analyzing the statistics of how all participants progressed, we may modify the tasks and hints. After this, the tournament will be held not only in our country.

    Who held the tournament and why?


    Symantec Corporation (the world leader in security solutions, data backup and high availability) and CROC (the Russian leader in the field of creating IT infrastructures, No. 1 in Russia for system integration services according to IDC reports for 2002-2012). The main goal of the Cyber Readiness Challenge in Russia and around the world is educational. Reports from past world tournaments can be found here. In the online round, I wanted to cover the regions as much as possible: after all, the offline part will be held in Moscow, and not everyone will be able to participate.

    How to take part?


    On September 10, 2013, an offline championship will be held in Moscow, in which anyone older than 18 years old can take part. It will be somewhat more complicated: participants will have four hours to break into the RK Industries network and prove or disprove its participation in an attack on a competitor.

    Who would advise such a tournament?


    Vlad Roskov: Ideal for beginners, a good workout for the seasoned.
    Andrei Leonov: Without a twinge of conscience, I would recommend such a tournament to those who are just starting their journey in the field of information security. This does not mean that the tournament was simple. But given that the tasks as a whole followed one from the other, and there were hints, sometimes containing a complete answer, it was possible to gain a lot of new knowledge. Or to understand where even the hints weren’t enough :)
    Victor Alyushin: I would advise absolutely everyone - from beginners to professional pentesters and just those who want to try hacking. For the latter, I would advise making step-by-step instructions [especially for Metasploit], let's say for 110% of the task cost ;).
    Teymur Kheirkhabarov: To all those who are not indifferent to the topic of information security, and especially its practical side ... This was the first time I participated in such an event.

    You can register for the offline part here. There is still room.

    CROC Cyber Conference


    In parallel, the CROC Cyber Conference will be held, where experts will discuss information security issues. All events are aimed at raising the awareness of Russian residents about the importance of protecting confidential data.
