15 minute read

The Collegiate Penetration Testing Competition is a one of a kind cybersecurity competition that trains students to be future consultants by letting them loose on a penetration testing engagement in a realistically simulated business environment. Teams of up to 6 students perform a penetration test against the fictitious business and document the findings in a penetration testing report.

This blogpost is the result of many hours of work from myself and my teammates Silas and Brice. I have compressed the article we wrote together and you can find the more detailed version in their blogs. Below you will learn everything about the Collegiate Pentesting Competition - from preparation to winning internationally, as well as the benefits of competing.

CPTC

Unlike CTFs which simply require competitors to locate a flag, CPTC goes beyond and pushes for students to think from the perspective of a real consultant. The competition organizers do an excellent job in making the infrastructure as realistic as possible, hiding confidential business information for students to uncover and simulating real-time business activity, which a consultant should be careful not to disrupt.

This year’s competition was conducted remotely due to COVID-19, but normally teams meet in person at the university that hosts it. CPTC has 8 geographic regions in which university teams compete before advancing to the Global round, which is hosted by the Rochester Institute of Technology. Among these regions, 5 are in the United States and the rest are in Canada, Europe and the Middle East. The team that places first in its region automatically advances to the Global round. Once all regional competitions conclude, the remaining teams across all regions are ranked by score and the best of them advance to the Global round as part of the wildcard bracket.

Western Regional CPTC was held in October of 2020 and the Global round was in January of 2021. Regionals were hosted by Stanford University and allowed us environment access from 8:30AM to 5:30PM, with reports being due at 1AM. Globals on the other hand, give teams 2 full days of environment access, as well as require a presentation for the whole team to deliver the morning after the engagement.

Despite the struggle of training through COVID-19, Cal Poly Pomona has done incredibly well:

  • Second Place - Western Regional CPTC
  • Third Place - Global CPTC

How We Prepared

Cal Poly Pomona CPTC team tryouts were held during the Summer. We held weekly training sessions which were open to any student interested in competing. CPTC isn’t a CTF, so the training was on a diverse set of topics, including ones that aren’t technical, such as report writing and public speaking. The competition requires well-rounded committed individuals and the weeks of training were a test of both commitment and skill, to prepare and select the best candidates for the team. The tryout process finally concluded with a 36-hour challenge - students were presented with several intentionally vulnerable Linux and Windows boxes, which they had to compromise and write a report about. Once the final roster was selected, we began intense preparations for the looming October regionals.

Having a good technical foundation is imperative for a penetration tester. Thankfully, the infosec community creates lots of free resources that allow aspiring penetration testers to practice and gain exposure to new vulnerabilities and technologies. The most valuable resources we were able to learn from don’t even need an introduction:

VulnHub, HackTheBox, and TryHackMe all contain material that allows penetration testers to gain hands-on experience by solving challenges of variable difficulty. You will never go into an environment where you know every piece of technology and every possible vulnerability. These vulnerable boxes allow you to practice being thrown into a pit of unfamiliar software and exploits, out of which you eventually emerge victorious. It’s an incredibly valuable learning experience, because it not only lets you sharpen your technical prowess, but also practice learning on the fly, which is just as important.

HackTheBox

Students should not forget about web applications, because quite often they are just as, if not more fruitful than any other system. By nature, web applications have to be accessible to authorized users and that is the crucial attack surface that you need on a system where nothing else is exploitable. They are connected to API’s and databases, which are often the highest priority targets for real businesses and for CPTC, because of the impact. Our team utilized PortSwigger’s Web Security Academy to get a strong foundation in exploiting them. As CPTC attempts to closely replicate real business environments, having a good understanding of web application security is essential.

PortSwigger

Lastly, the Cal Poly Pomona CPTC team utilized Snap Labs which is a big step up from HackTheBox and similar resources. It allows us to take on an entire network of systems with simulated business activity, similar to CPTC. It lets us better understand the methodology that goes into attacking an environment which differs greatly from a simple CTF. Snap Labs environments have at least 25 systems within their network and form quite a sandbox for us to practice in.

SnapLabs

OSINT

Open Source Intelligence (OSINT), is the practice of collecting intelligence from publicly available sources. Once CPTC organizers reveal what the company behind the engagement is, it’s fair game. The company is simulated beyond just the competition network - employee accounts exist on social media, corporate GitHub repos are being populated with content and some employees are even seemingly doxxed, with their credentials being leaked online. All this information is crucial from a business perspective and may even grant you a foothold.

NGPEW

This year’s fictitious company was called Next Generation Power and Water (NGPEW), which is a regional power and water utility company servicing the city of Smallville. NGPEW had its own website that had a section boasting a strong password policy and including examples of passwords such as: StrongPassword1. Their GitHub also had a full organizational chart, so before even getting on the environment we already had a full list of users. Once we got onto the environment, we sprayed the “strong password” examples against the user list we had and almost immediately got domain admin. There are many levels to this competition - as you can see it’s not limited to simply finding a working exploit on the competition network.

Password Examples

OSINT is definitely an exciting part of the competition we love to work on. Dan Borges has been the lead on creating OSINT for CPTC and his blog has lots of useful information about past OSINT scenarios.

Regionals Experience

Western Regional CPTC hosted by Stanford had us RDP into Windows jumpboxes and then SSH into a Kali box. We knew in advance the tools and wordlists that we would need, so we had PowerShell and Bash scripts ready in our GitHub repo to quickly deploy everything to our competition machines. Our infrastructure team stood up a collaborative host management server and we ran its client. Once the two subnets were nmapped, port scan results were forwarded to the server, which gave us a centralized interface to track our progress on each of the boxes.

nvis

When you have over 20 active systems to pentest in under a day, keeping track of each system’s completion is crucial. Our red-teaming platform nVis let us mark boxes as complete, in progress, or needing a second look.

We split our efforts and everyone focused on technologies they had the strongest background in - we got initial access in multiple places pretty quick. First, our “strong password” spray against the Windows boxes hit a jackpot - Domain Admin credentials. Second, we found an exploit for and got remote code execution on the company help desk web application. And finally, we got a web shell on the main web server using the allowed PUT method.

Once we had full access to the corporate network, our efforts became focused on the industrial control systems. We couldn’t figure out what was running on the power subnet and didn’t see any obvious access vectors, so we spun up an OpenVAS container and started an intense nmap scan against the subnet. What could go wrong?

Flood

Our team captain got an emergency call from our point of contact with evacuation sirens in the background - “What the hell did you do? These systems have been working for decades! There’s water flowing everywhere”. We had to stop everything we were doing, because the dam was overflowing. We scrambled to troubleshoot it and send all of our recent traffic logs to the NGPEW IT, but then we got the other end of the extreme - the water level was too low. We called our point of contact and were told that the levels are dangerous - their nuclear power plant isn’t getting enough water. Crisis was barely averted last minute when we realized that our OpenVAS container was still running.

Chernobyl

Having nearly turned a city into both Atlantis and Chernobyl within the span of an hour, we learned a valuable lesson that the CPTC organizers wanted to teach us - extreme caution must be taken with industrial control systems. Despite that, we took 2nd place, even outperforming Stanford University, who came in 3rd just behind us.

Regionals → Globals

We were confident that our team would receive a wildcard spot and get to compete at Globals. One of the first things that we did post-competition was document all of the information that we gathered during the engagement, such as version numbers and technical issues. We were able to recreate and become more familiar with the applications running on the environment by setting them up in our own lab, such as the Mantis Bug Tracker and RocketChat. Most of the time between Regionals and Globals was spent polishing the areas we learned the most lessons in.

When you are thrown into a new environment, things can get pretty chaotic if you don’t have a plan. Since Global CPTC expands on the same environment from the first engagement during Regionals, we made sure to include the verification of old vulnerabilities into our gameplan. We also did as much work as we could on the report beforehand and that saved us a ton of time during the actual engagement.

Globals Experience

The CPTC finals were a technological feat made possible thanks to the Rochester Institute of Technology, who hosted it from the Cyber Range, which is their brand new cybersecurity training and competition center. If not for COVID-19, we would have been there in-person for the Global round of CPTC.

RIT Cyber Range

Once we were connected to the competition VDI and all of our scripts and infrastructure was deployed, we hit a roadblock the competition organizers wanted us to face - network segmentation. Next Generation Power and Water actually took our advice from the initial engagement and implemented strict access control lists, effectively barring us from communicating with 2 of the 3 subnets in scope. To add to the difficulty of the engagement, competition organizers patched off and secured nearly every vulnerability in the one subnet we had access to. NGPEW sprinkled in some rabbit holes for us to go down and in the absence of any other vectors, we followed some of them. Let’s just say our team can now recite the entire Rocket.Chat API documentation.

The Windows environment, usually fruitful, was hardened to stone. Our attempts to poll LDAP for enumeration failed just as our DNS zone-transfer attempts. By the end of day 1, things were looking grim for our technical findings. We were stumped when the point-of-contact asked us to list a few areas for improvement. We weren’t about to give up though, so a password spray was ran against the domain, and that gave us the foothold. Turned out that several executives’ workstations on the corporate subnet had the same weak local administrator password, which we managed to exploit. With barely 20 minutes left before the end of day 1, we did as much recon on the rest of the environment as we could and then began to plan for tomorrow, when VDI access was cut.

Once day 2 came about, we finally got the freedom to run around and play with the entire NGPEW environment, as opposed to being confined to a single subnet with barely anything to exploit. We scoured the executive workstations using a simple Powershell script that enumerates through the C:\Users folder and recursively searches for filetypes of interest, such as txt, exe and pdf. We quickly discovered that the workstations were all running ThunderBird, which is an email client. We read all their emails and found out that NGPEW was preparing for a big audit, which could make or break them. A funny pattern emerged to us - throughout the first day NGPEW kept bragging to us that they fixed everything and that they look forward to our confirmation of their environment being vulnerability-free. While the first subnet was incredibly hardened, the other two weren’t as much. Turns out NGPEW simply moved all the vulnerable systems to a different subnet, instead of fixing anything from our first report, hoping they will go unnoticed and that the audit is successful. Having a detailed gameplan for verifying past findings served us well here. We got quite a few free points thanks to it.

After flooding Smallville and racking up quite a body count we wanted to tread carefully with the NGPEW PLCs. The organizers later revealed that they were designed in such a way, that even a simple port scan on 502 would bring them down and with every crash they would take longer to reboot. The PLCs were found to be accessible with NetCat and QModMaster, which is a graphical user interface used to communicate with ModBus RTU and TCP slaves. Furthermore, the dam’s API was accessible over HTTP and would return a JSON object which includes metrics for all power systems. Packet captures of the HMI traffic using Wireshark revealed to us that unauthenticated POST requests can be made to the API and that certainly can’t be good. That could have given us the power modify critical functionality, trigger alarm systems or exceed the safety levels, which could endanger equipment and lives. That kind of unprotected ICS functionality would be a prime target for real attackers and funny enough, a real attacker did compromise the dam. The CPTC organizers later revealed that the competition network firewall rules were misconfigured, which let a real attacker slip in and attempt to take over.

The Global round of CPTC ended with us giving a presentation on our findings and when it was all wrapped up, we were the 3rd best team in all of the United States as well as parts of Canada, Europe and the Middle East. When we had a 1-on-1 debrief with the competition organizers, we were told that we actually got 1st place in technical findings and did consistently well overall. RIT and Stanford surely need to watch out, because our improvement has been exponential so far.

Benefits

Participation in the Collegiate Penetration Testing Competition has given us an incredible experience of what consulting is really like. As realistic as many CTFs can be, they are still quite different from real life and CPTC organizers have created a near-perfect replica. Locking out user accounts and taking systems down has a real impact on organizations and CPTC has taught us to tread lightly. Our Regionals report was over 50 pages and the Globals report was a damn behemoth at nearly 80 pages. That’s quite a lot of writing, even for 6 people. In addition to having to learn to create professional documentation about our engagement, we had to compress it and present in front of an executive board. Writing and communication skills are vitally important in this line of work and CPTC has given us great practice. The experience is just plain unique - as a student, you won’t get it anywhere else. The organizers seek to share the knowledge gained from this competition and you may now see all the redacted reports from last year’s Nationals on their GitHub.

CPTC is made possible thanks to countless volunteers and sponsors, some of which come to recruit the talented students that partake in the competition. We were able to meet with representatives from companies such as IBM, who always put CPTC competitor resumes to the top of the pile. Having CPTC on your resume is an instant win and gives you great material for discussion during interviews. Getting your first job or internship in cybersecurity can be notoriously difficult and having CPTC experience will certainly make you stand out from the crowd.

Looking Forward

Next CPTC season is promising to be just as exciting - the target has been announced to be a French bakery with both storefront applications and backend production industrial control systems that we will get to hack. This year was the first CPTC season for half of our team, yet it didn’t deter us from placing third internationally, because of the knowledge that’s transferred from one generation to the other.

2021

Consistent excellency isn’t created overnight - it has to be nurtured and eventually passed on entirely to the next roster. All but one team member will graduate by the time CPTC 2021 comes, but the new roster won’t have to start from scratch - they will be building upon the knowledge accumulated by every team before them, including ours.

Thanks

Eternally grateful to every single member of the Cal Poly Pomona CPTC team. These experiences wouldn’t be possible without these talented individuals. And of course the team wouldn’t be possible if not for the CPTC organizers. And CPTC wouldn’t be possible if not for the tireless work of countless volunteers and generous contributions of sponsors.

Special thanks to Silas and Brice for writing this blogpost with me.