PRCCDC 2014 took place on the weekend of March 22nd-23rd at Highline Community College. This was The Evergreen State College's third time at CCDC regionals; we took 3rd the previous year. The narrative placed us in the IT department of Shark Industries, a weapons manufacturer and energy provider. We maintained a network of workstations, servers providing email, web and other services, and a nuclear reactor HMI (a simulated SCADA system). We were also required to answer the IT department phone when trouble arose at our corporation. While defending ourselves from eco-terrorist hippie hackers, we had to handle an array of 'injects' (day-to-day requests from our employer).
- Evergreen took second place with 1,271 points out of twelve schools entered.
- Western Washington University won first place with 1,434 points.
- We beat UW Seattle (who took 4th) by a margin of 51 points.
- Stefan Boesen
- Nick Achatz
- Max David
  - Inject Manager
- Nick Stephens
  - The One True Rock n' Roller
- Rory McEntee
- Dani Witherspoon
- David Weinman
- Ashish Nannuri
- Richard Weiss (Faculty)
  - Faculty Advisor
  - Morale support, yoga(!)
Topology and Uptime/Availability
We RDP'd into our workstations via supplied thin clients.
Devices checked by ScoreBot(tm):

| Service | Host | Checks | Pass | Fail | Other |
|---|---|---|---|---|---|
| ldap://dc.external.sharkcorp.comp | DC (Win Server 2012) | 140 | 74 (52.8%) | 41 (29.3%) | 25 (17.9%) |
| smtp://email.external.sharkcorp.comp | Email (Ubuntu) | 140 | 133 (95%) | 0 (0%) | 7 (5%) |
| ssh://email.external.sharkcorp.comp | Email (Ubuntu) | 141 | 120 (85.1%) | 14 (9.9%) | 7 (5%) |
| ssh://web.external.sharkcorp.comp | Web (Ubuntu) | 141 | 55 (39%) | 80 (56.7%) | 6 (4.3%) |
| http://web.external.sharkcorp.comp | Web (Ubuntu) | 141 | 135 (95.7%) | 0 (0%) | 6 (4.3%) |
| sftp://file.external.sharkcorp.comp | File (Win Server 2008) | 141 | 14 (10%) | 79 (56%) | 48 (34%) |
| ssh://hmi.external.sharkcorp.comp | HMI | 75 | 0 (0%) | 3 (4%) | 72 (96%) |
Note: These scores do not represent our actual availability; they were heavily influenced by whether we had entered the right password for each service into the ScoreBot(tm) web interface. This was a major factor in our score, and an area for major improvement.
New teams often underestimate the importance of injects.
| Inject | Points Possible | Points Earned | Notes |
|---|---|---|---|
| 1: Data and Class Labeling | 50 | 0 | |
| 2: Warning Banners | 20 | 0 | Pretty sure we had these, not sure what was wrong. |
| 3: ?? | | | What happened to this one? It's not on the sheet. |
| 4: Password Policy | 50 | 20 | One uppercase, two numbers, two symbols, min length 8. Not sure what they wanted. |
| 5: MARC Reactor Update | 60 | 60 | |
| 6: Complete Network Map | 70 | 28 | Our diagram was technically accurate, but I think one of our boxes was mislabeled and another was missing... |
| 7: Encrypted Blueprints | 90 | 90 | The password was "2paclives" ;) |
| 8: Whaling Response and Training | 40 | 40 | http://en.wikipedia.org/wiki/Phishing#List_of_phishing_techniques |
| 9: Disable USB on Computers | 30 | 30 | Pretty sure we did this with Group Policy. Neat! |
| 10: MARC Reactor Logs #1 | 30 | 21 | |
| 11: Board of Directors - BYOD Presentations | 80 | 0 | I have NO idea what happened here; other parts of the packet do not reflect this score. |
| 12: User Verification over Phone | 40 | 40 | I think maybe we talked about buying one-time authenticators for the company? |
| 13: Change Log #1 | 30 | 30 | We were meticulous about this change log. When it got more hectic, it became harder and harder to remember to log every change. We used https://code.stypi.com on each of our machines to log changes, and then had one teammate format them and convert them to a Word document. |
| 14: Call Log #1 | 40 | 40 | Kept a notepad by the phone. |
| 15: Pros and Cons of IM Service | 40 | 32 | |
| 16: Anonymous FTP Login | 20 | 20 | FTP may have been down at this point. Just install some corporate trialware for SFTP. We used Cerberus FTP Server 6. |
| 17: Set-up Instant Messaging Service | 60 | 0 | Not sure wtf happened here. We had a great IRC server running, so we must have missed something. Maybe they wanted Jabber. |
| 18: FISMA Compliance | 70 | 28 | Can't imagine what we did wrong here... |
| 19: Intrusion Detection | 80 | 32 | Had auditd running on the Linux servers, no IDS on the Windows machines. |
| 20: Recover Data | 50 | 30 | We got most of it, but still couldn't provide the contents of the encrypted PDF. (No team succeeded at cracking the PDF.) |
| 21: MARC Reactor Logs #2 | 30 | 12 | |
| 22: Honey Pot | 90 | 36 | Thanks for the pity points. We didn't have a firewall up, but for some reason Tinyhoneypot wouldn't open ports :( It worked last year... |
| 23: Configure Host ACL | 40 | 16 | |
| 24: Move SCADA server off domain | 60 | 60 | |
| 25: Asset List and Tech Replacement Plan | 40 | 28 | |
| 26: Risk Management | 50 | 50 | Successful Greeners know about risk management. |
| 27: Change Log #2 | 40 | 36 | I think our categories differed slightly from what was asked for. |
| 28: Call Log #2 | 30 | 30 | |
| 29: Disaster Recovery Report | 40 | 0 | |
| 30: Orange Team Calls | 50 | 45 | How could all of those calls only be worth 50 points??? We still would have beaten UW if we had never picked up the phone. |
What we did well
- Passwords were great! We printed a first-day and second-day password sheet.
  - correct horse battery staple method with underscores (because ScoreBot can't handle spaces)
  - We really didn't worry about updating the passwords unless a machine was compromised
- Spotting web vulnerabilities
  - These were mostly simple SQL injection vulns. mysql_real_escape_string() worked well enough for the length of the competition.
- Hardening Linux machines
  - We got in there and immediately locked down the Linux servers. This process was easy and meant that we didn't have to worry about them for the rest of the competition.
- Virus scanners
  - These go on the computer THE SECOND you change the local machine password. Don't be "that team".
- Mail server
  - Historically this has been our weakness, but this year the system was already working and nobody dared touch it.
  - This was important because almost all injects were delivered via e-mail.
- Delegation of injects
  - A dedicated inject delegator made sure injects went to people who knew how to complete them.
- Avoiding viruses
  - Firefox's built-in viewer (pdf.js) is a great sandboxed PDF viewer.
- Asking questions
  - This year our white team was very helpful and we weren't stonewalled when we needed help deciphering an inject.
- Dealing with owned workstations
  - Teammates who were unable to keep their workstations from being owned simply avoided entering passwords or other sensitive information from those workstations.
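The "simple injection vulns" item above, as an added example that is not code from the team or from the competition's web app: a login check against an in-memory SQLite database, first built by string concatenation (the bug), then with quote-escaping (the mysql_real_escape_string() approach, done here by doubling single quotes since SQLite has no equivalent function), then with a parameterised query. The table, the accounts and the attacker inputs are constructed for the demo. It also shows the case escaping does not cover: an unquoted numeric field, where there is no quote to break out of.

```python
import sqlite3


def make_db():
    # Constructed schema and rows for the demo (not the competition's app).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("admin", "correct_horse_battery_staple"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    # The query text is built from the form fields, so a quote in the input
    # ends the string literal and whatever follows is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def sql_escape(value):
    # Standard SQL escaping: double every single quote so it stays inside the
    # literal. Same idea as mysql_real_escape_string() (which also handles
    # backslashes and the connection charset). Only helps when the value is
    # placed inside quotes in the query.
    return str(value).replace("'", "''")


def login_escaped(conn, name, password):
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (
        sql_escape(name), sql_escape(password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, name, password):
    # The driver sends the values separately from the SQL text; the input is
    # never parsed as SQL no matter what it contains.
    row = conn.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                       (name, password)).fetchone()
    return row[0] if row else None


def find_by_id_escaped(conn, user_id):
    # Escaping is useless here: the literal is not quoted, so "1 OR 1=1"
    # passes straight through and matches every row.
    sql = "SELECT name FROM users WHERE id = %s" % sql_escape(user_id)
    return [r[0] for r in conn.execute(sql).fetchall()]


def find_by_id_parameterised(conn, user_id):
    # Bound as a value: the text '1 OR 1=1' never equals an integer id.
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE id = ?",
                                       (user_id,)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:           ", login_vulnerable(db, "admin' --", "wrong"))
    print("escaped:              ", login_escaped(db, "admin' --", "wrong"))
    print("parameterised:        ", login_parameterised(db, "admin' --", "wrong"))
    print("unquoted id, escaped: ", find_by_id_escaped(db, "1 OR 1=1"))
    print("unquoted id, bound:   ", find_by_id_parameterised(db, "1 OR 1=1"))
```

Escaping was enough for a two-day competition because every injectable field happened to be a quoted string; parameterised queries are the fix that also covers numeric fields, LIKE patterns and the next developer who forgets to call the escape function.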
What we should improve
- CHANGE PASSWORDS. We tried so hard to emphasize the importance of this, but sometimes it just didn't happen. This was the Red Team's primary way of compromising machines. If your workstation is owned, your network is owned.
- ScoreBot. This system is (intentionally?) terrible and confusing. It wasn't obvious to us for the first couple of hours that we couldn't change the account ScoreBot used to log in. We eventually realised the sole point of the "username" field was for us to hand-type "administrator".
- Restoring a snapshot on a compromised machine? You might want to restore back to the very beginning. We suspect the red team installed their backdoors very early in the game and waited until later in the competition to use them. Just because you don't think a certain snapshot was compromised doesn't mean it wasn't.
- Communication was good, but some members of the team could have been more vocal when they were having trouble.
- The team leader did a great job of distributing injects to teammates based on strengths, but teammates didn't always promptly seek help when in over their heads.
- Test your services after changes. Make sure you're not breaking things you can't fix.
  - Especially password changes. Did it work? Did you type it right? Leave a root shell open until you know.
- Make sure to stick to the plan!!
  - Come up with a better plan. (see below)
- Make sure we update!!!! Windows especially. Make sure everyone does it on their machines.
- Change the passwords of local users. Know how to change all passwords on most OSes.
- Know how to update all the software you need, be it Cygwin, Firefox, everything.
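As an added example, not the team's own tooling, a small first-hour script covering three of the points made on this page: the lockdown pass on the Linux boxes, the printed passphrase sheet, and changing every local account's password (then checking it took). It parses /etc/passwd and /etc/shadow text and flags accounts a red team could be using as a backdoor, then generates correct-horse-battery-staple passphrases (underscores, not spaces, because of ScoreBot) for every account that can log in and emits the chpasswd(8) input that applies them. The word list, the passwd/shadow excerpts and the account names are constructed for the demo.

```python
import math
import secrets

# Constructed word list: 32 words give only 5 bits per word, fine for a demo.
# A real sheet should draw from a few thousand words (the EFF diceware list
# has 7776, about 12.9 bits per word).
WORDS = [
    "correct", "horse", "battery", "staple", "shark", "reactor", "turbine",
    "cobalt", "falcon", "granite", "harbor", "lantern", "meadow", "nickel",
    "orchid", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yellow", "zebra", "anchor", "bridge", "candle",
    "dragon", "ember", "forest", "glacier",
]
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed /etc/passwd and /etc/shadow excerpts seeded with the problems the
# audit looks for: a second UID-0 account ("toor") and a system account that
# has both a login shell and an empty password field ("games").
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor:x:0:0:toor:/root:/bin/bash
sharkadmin:x:1000:1000:Shark Admin:/home/sharkadmin:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhash:16150:0:99999:7:::
daemon:*:16150:0:99999:7:::
games::16150:0:99999:7:::
www-data:*:16150:0:99999:7:::
toor:$6$saltsalt$notarealhash:16150:0:99999:7:::
sharkadmin:$6$saltsalt$notarealhash:16150:0:99999:7:::
"""


def passphrase(n_words=4, rng=secrets, words=WORDS):
    # correct-horse-battery-staple style, joined with underscores rather than
    # spaces because the ScoreBot(tm) password field could not take spaces.
    return "_".join(rng.choice(words) for _ in range(n_words))


def entropy_bits(n_words=4, words=WORDS):
    return n_words * math.log2(len(words))


def parse_passwd(text):
    users = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
            users.append({"name": name, "uid": int(uid), "shell": shell})
    return users


def parse_shadow(text):
    # name -> password field. "" means no password is needed at all;
    # "*" or a leading "!" means the account is locked, which is fine.
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l.strip()}


def audit_accounts(passwd_text, shadow_text, first_normal_uid=1000):
    # Accounts a red team could be sitting on. Run this (and act on it) before
    # rotating passwords; rotating a backdoor account's password is not a fix.
    findings = []
    hashes = parse_shadow(shadow_text)
    for u in parse_passwd(passwd_text):
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("extra-uid0", u["name"]))
        if 0 < u["uid"] < first_normal_uid and u["shell"] not in NOLOGIN_SHELLS:
            findings.append(("system-account-with-shell", u["name"]))
        if hashes.get(u["name"]) == "":
            findings.append(("empty-password", u["name"]))
    return findings


def login_accounts(passwd_text):
    # Every account that can log in interactively needs a new password.
    return [u["name"] for u in parse_passwd(passwd_text) if u["shell"] not in NOLOGIN_SHELLS]


def rotation_sheet(passwd_text, rng=secrets):
    # account -> new passphrase: one copy for the printed sheet, one for chpasswd.
    return {name: passphrase(rng=rng) for name in login_accounts(passwd_text)}


def chpasswd_input(sheet):
    # stdin for `chpasswd`, run as root. Keep that root shell open until a
    # fresh login with the new password has succeeded.
    return "".join("%s:%s\n" % (name, pw) for name, pw in sheet.items())


if __name__ == "__main__":
    print("audit:", audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW))
    print("%.1f bits per passphrase" % entropy_bits())
    print(chpasswd_input(rotation_sheet(SAMPLE_PASSWD)), end="")
```

On a real box, feed the script /etc/passwd and /etc/shadow, delete or lock whatever the audit reports (the sample flags "toor" and "games"), then pipe the chpasswd input into `chpasswd` and verify with a second login before closing the root shell. The same printed sheet drives the Windows side with `net user <name> <password>` on each host.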
How to win CCDC 2015
See: How to win CCDC 2015