From Hack Evergreen Wiki
Jump to: navigation, search

page still under construction

PRCCDC 2014 took place on the weekend of March 22nd-23rd at Highline Community College. This was The Evergreen State College's third time at CCDC regionals, taking 3rd the previous year. The narrative placed us in the Shark Industries Weapon Manufacturer and Energy Provider's IT department. We maintained a network of machines consisting of workstations, servers providing email, web, and other services, as well as maintaining a nuclear reactor HMI (simulated SCADA system). We were also required to answer the IT department phone when trouble arose at our corporation. While defending ourselves from eco-terrorist hippy hackers, we had to handle an array of 'injects' (day-to-day requests from our employer).


  • Evergreen took second place with 1,271 points out of twelve entered schools.
  • Western Washington University won first place with 1,434 points
  • We beat UW Seattle (who earned 4th) by a margin of 51 points.

Team Members

  • Stefan Boesen
    • Captain
    • loocorez
  • Nick Achatz
    • Co-Captain
    • arthurdent
  • Max David
    • Inject Manager
    • pipecork
  • Nick Stephens
    • The One True Rock n' Roller
    • mike_pizza
  • Rory McEntee
    • draoibit
  • Dani Witherspoon
    • Zedd
  • David Weinman
    • clampz
  • Ashish Nannuri
    • nansh28

  • Richard Weiss (Faculty)
    • weissr
    • Faculty Advisor
    • Morale support, yoga(!)

Topology and Uptime/Availability

We RDP'd into our workstations via supplied thin clients.

Devices checked by ScoreBot(tm)

service device total checks up error down
ldap://dc.external.sharkcorp.comp DC (Win Server 2012) 140 74 (52.8%) 41 (29.3%) 25 (17.9%)
smtp://email.external.sharkcorp.comp Email (Ubuntu) 140 133 (95%) 0 (0%) 7 (5%)
ssh://email.external.sharkcorp.comp Email (Ubuntu) 141 120 (85.1%) 14 (9.9%) 7 (5%)
ssh://web.external.sharkcorp.comp Web (Ubuntu) 141 55 (39%) 80 (56.7%) 6 (4.3%)
http://web.external.sharkcorp.comp Web (Ubuntu) 141 135 (95.7%) 0 (0%) 6 (4.3%)
sftp://file.external.sharkcorp.comp File (Win Server 2008) 141 14 (10%) 79 (56%) 48 (34%)
ssh://hmi.external.sharkcorp.comp HMI 75 0 (0%) 3 (4%) 72 (96%)

Note: These scores do not represent our actual availability, they were heavily influenced by our ability to enter the right password into the ScoreBot(tm) web interface. This was a major factor in our score, and an area for major improvement.


New teams often underestimate the importance of injects.

Inject Points Possible Points Earned Notes
1: Data and Class Labeling 50 0
2: Warning Banners 20 0 Pretty sure we had these, not sure what was wrong.
3: ?? What happened to this one? It's not on the sheet.
4: Password Policy 50 20 One uppercase, two numbers, two symbols, min-length 8. Not sure what they wanted.
5: MARC Reactor Update 60 60
6: Complete Network Map 70 28 Our diagram was technically accurate but I think one of our boxes was mis-labeled and another was missing...
7: Encrypted Blueprints 90 90 The password was "2paclives" ;)
8: Whaling Response and Training 40 40
9: Disable USB on Computers 30 30 Pretty sure we did this with group policy. Neat!
10: MARC Reactor Logs #1 30 21
11: Board of Directors - BYOD Presentations 80 0 I have NO idea what happened here; other parts of the packet do not reflect this score.
12: User Verification over Phone 40 40 I think maybe we talked about buying one-time authenticators for the company?
13: Change Log #1 30 30 We were meticulous about this change log. When it got more hectic, it became harder and harder to remember to log every change. We used on each of our machines to log changes, and then had one teammate format them and convert them to a word document.
14: Call Log #1 40 40 Kept a notepad by the phone
15: Pros and Cons of IM Service 40 32
16: Anonymous FTP Login 20 20 FTP may have been down at this point. Just install some corporate trialware for SFTP. We used Cerberus FTP Server 6
17: Set-up Instant Messaging Service 60 0 Not sure wtf happened here. We had a great IRC server running, so we must have missed something. Maybe they wanted jabber.
18: FISMA Compliance 70 28 Can't imagine what we did wrong here...
19: Intrusion Detection 80 32 Had auditd running on Linux servers, no IDS on Windows machines
20: Recover Data 50 30 We got most of it, but still couldn't provide the contents of the encrypted pdf. (no team succeeded at cracking the pdf)
21: MARC Reactor Logs #1 30 12
22: Honey Pot 90 36 Thanks for the pity points. We didn't have a firewall up, but for some reason Tinyhoneypot wouldn't open ports :( It worked last year...
23: Configure Host ACL 40 16
24: Move SCADA server off domain 60 60
25: Assest List and Tech Replacement Plan 40 28
26: Risk Management 50 50 Successful Greeners know about risk management
27: Change Log #2 40 36 I think our categories differed slightly from what was asked for
28: Call log #2 30 30
29: Disaster Recovery Report 40 0
30: Orange Team Calls 50 45 How could all of those calls only be worth 50 points??? We still would have beat UW if we had never picked up the phone.

Performance Recap

What we did well

  • Passwords were great! We printed a first-day and second-day password sheet.
    • correct horse battery staple method with underscores (because scorebot can't handle spaces)
    • We really didn't worry about updating the passwords unless a machine was compromised

  • Spotting web vulnerabilities
    • These were mostly simple injection vulns. real_mysql_escape_strings() worked well enough for the length of the competition.

  • Hardening Linux machines
    • We got in there and immediately locked down the Linux servers. This process was easy and meant that we didn't have to worry about them for the rest of the competition.

  • Virus scanners
    • These go on the computer THE SECOND you change the local machine password. Don't be "that team".

  • Mail Server
    • Historically this has been our weakness, but this system was already working and nobody dared touch it.
    • This was important because almost all injects were delivered via E-Mail

  • Delegation of injects
    • Dedicated inject delegator made sure injects went to people who knew how to complete them.

  • Avoiding viruses
    • Firefox pdfviewer.js is a great sandboxed pdf viewer

  • Asking questions
    • This year our white team was very helpful and we weren't getting stonewalled when we needed help deciphering an inject.

  • Dealing with owned workstations
    • Teammates who were unable to successfully keep their workstations from being owned simply avoided entering passwords or other sensitive information from those workstations.

What we should improve

  • CHANGE PASSWORDS. We tried so hard to emphasize the importance of this, but sometimes it just didn't happen. This was the Red Team's primary way of compromising machines. If your workstation is owned, your network is owned.

  • Scorebot - This system is (intentionally?) terrible and confusing. It wasn't obvious to us (for the first couple of hours) that we couldn't change the account that scorebot used to logged in. We eventually realised the sole point of the "username" field was just to hand-type "administrator".

  • Restoring a snapshot on a compromised machine? You might want to restore back to the very beginning. We suspect the red team possibly installed their backdoors very early in the game, and just waited until later in the competition to use them. Just because you don't think a certain snapshot was compromised, doesn't mean it isn't.

  • Communication was good but some members of the team could have been more vocal when they were having trouble.

  • Team leader did a great job of distributing injects to teammates based on strengths, but teammates didn't always promptly seek help when in over their head.

  • Test your services after changes. Make sure you're not breaking things you can't fix
    • Especially password changes. Did it work? Did you type it right? Leave a root shell open until you know.

  • Make sure to stick to the plan!!
    • Come up with a better plan. (see below)

  • Make sure we update!!!! Windows especially. Make sure everyone does it to their machines.
    • change the password of local users. Know how to change all passwords on most owes.
  • Know how to update all the software you need, be it cygwin, firefox, everything.

How to win CCDC 2015

See: How to win CCDC 2015