09 March 2015

ISTS 12

This past weekend I participated in attacking 12 teams of college students.
The occasion was my fifth year as a member of a red team1, part of the  Internet Security Talent Search put on by RIT's SPARSA. If you've never heard of ISTS, it's a computer security competition, with some differences that set it apart from similar contests (like CCDC):

1) the whole thing is designed, implemented, and run by RIT students. SPARSA members aren't wizened (and often jaded) IT security folks from either Red or Blue teams trying to prove how awesome they are, they're students in a security program trying to figure out how to have fun and expand their learning outside the classroom. As a result, they have some fantastically original (and at times, downright hilarious) challenge concepts. 

2) ISTS is laid out a bit differently than other competitions. Usually the blue teams defend, red teams attack, and everyone knows their role. ISTS turns that on its head, and permits the blue teams to attack each other.

The latter point makes for a very interesting challenge - not only are these kids tasked with hardening the networks they are given and keeping their services running, but they have to figure out how to do that while simultaneously taking out their competitors infrastructure.

And this is where the red team comes in. Not only do the blue teams have to do all of the above, but they have to deal with a cadre of security professionals attacking ALL of them indiscriminately.

This year we had an amazing team:
With talent like that onboard, I almost felt sorry for the blue teams... almost.

Each year, the SPARSA folk up their game, and this year was no exception. They had things ready to go just about on time (closest to it that I've seen yet!), but more exciting for us on the red team was the sheer number of back doors they embedded into the blue team networks. Some of my favorites were:

  1. Trojaned hidden menus in Asterisk (dial the right extension, get a netcat listener on the server)
  2. An extension to the SMTP and POP servers that included a RUN command (HELO pwnd)
  3. If you sent an HTTP DELETE verb to the web server, it dropped the host firewall, added a user to the system, and enabled SSH
  4. Finally (not a backdoor, but awesome) - a plethora of Nick Cage movie sequel ideas presented by "Pwny Pictures".
Not to be outdone, the red team brought a lot of their own tricks to the party:

  1. DLL injection - delivered by adding a red team controlled share to the PATH variable on Windows hosts
  2. Several cryptolockers to hijack systems, which were then ransomed back to blue teams in exchange for services (like bringing us beverages) or bartered for footholds on other blue team equipment
  3. Nyan cat bootloader 
Within the first 5 minutes, we had established a foothold on at least 2 machines on each team. By the start of day 2, we still had beacons on at least 1 machine from each team calling back to our CnC host. As we wrapped things up, mubix had collected over 100 shells in the last 4 hours alone. It got to the point that we just stopped trying on the red team, because everything was so thoroughly compromised. Instead, we went out to the blue teams and began showing them how to secure up their systems (and in some cases, retake them from other teams that had hijacked them).


My thanks to SPARSA for hosting a fantastic event, I can't wait to see what's in store for next year!


  

Footnotes

  1. If you aren't familiar with the different teams involved in this type of event, TaoSecurity has a fantastic write-up on their blog.