Cyber Security Challenge Masterclass 2016

The Cyber Security Challenge Masterclass was a competition including 42 contestants selected from Cyber Security Challenge UK's face to face competitions which run throughout the year. I was invited after the PGI Face to Face, and I'll be writing about my experience of the competition

Day 1 - Wed. 2 November

The event started on the Wednesday afternoon, where the contestants were gathered in the hotel and split into their teams. The teams were all named after famous individuals from the history of computing and security, such as Alan Turing, or in my case Dorothy Du Boisson. Once we were in our teams, we were fed and given briefing packs to read. These contained an impressive amount of detail, from news articles to even the financial details of the simulated company.

After that, we were bussed to the venue - I'm still not entirely sure where it is, to be honest, but it was well set up and the building of it teased on Twitter. When we arrived we were given our initial challenge: £125M had been stolen from our fictitious client, Bolt Power, and there were six suspects. We had to interview them and work out which of the suspects stole the money, how, and why.

After a few hours of this, we had a good idea of who we thought it was, and submitted our findings and reasoning. After this was done, we all returned to the hotel for a quick drink and then off to bed for an early start.

Day 2 - Thurs. 2 November

The second day was an early start: Up at 6:15 for a 6:30 breakfast, leaving the hotel for an 8:00 start at the competition venue.

The overarching goal for each team was to be as profitable as possible. We began the day in second after the rewards for last night's work, but there was a lot more available over the next couple of days.

This second day is where the majority of the technical content of the challenge took place. The first challenge of the day was to analyse some network traffic, given a rather large PCAP file. The capture file weighed in at some 9.5GB, which was larger than the RAM of the laptops we had available.

This, quite obviously, was somewhat inconvenient.

Fortunately, the majority of the traffic came from one particular stream - probably a large file download, or some such - which we could strip out using command-line tools to bypass this issue. Analysing the traffic, we were able to identify that the company's website had been hacked to deliver what appeared to be an exploit kit, eventually serving a Flash exploit which delivered a reverse Meterpreter to the victim. A bit more digging found some C2 traffic over HTML too, giving us yet more evidence to work with, and showing that data had been exfiltrated.

While this was ongoing, we also received messages from the Bolt Power SOC, giving us access to an AlienVault IDS platform and a Kibana instance hosting log files. We were required to track an ongoing attack and find indicators of compromise, and were rewarded when successful and had points deducted for false positives. This required careful collation of the logs and IDS alerts, as well as understanding of the company's internal network.

We submitted those findings, written up with screenshots, and once the rewards came through it turns out we'd done pretty well - the income bounced us up to the top of the scoreboard.

Next up we were given two challenges consecutively: forensic analysis of the disk and memory images of a compromised machine, and a penetration test of a given subnet. We were given until 9-10AM on the Friday to deliver our results, formatted in a report template which we were given. We divided the team by our individual skills and got to work on the tasks, whilst also keeping track of the SOC work every now and again and looking for new emails coming in.

We worked until about 6PM or so - we expected to have longer, but apparently not. The forensics team had more success by that point, identifying that there was a meterpreter instance running on the box and viewing the commands in memory, as well as finding some other malware. On the other hand, myself and the others involved in pentesting had rather less success - we had compromised the first machine, but missed a rather obvious misconfiguration which would allow us to get root.

After that, dinner was served, along with plenty of beer (At least it wasn't whisky, I guess - yes, you, Nik ;)) and some time to relax.

Suddenly, klaxons and red lights. Apparently there was a company workstation with some critical files on that was infected with ransomware.

A quick bit of reversing later, and we'd found the password used, generated using some constants and some info pulled from WMI. Putting that into the ransomware gave us the files we needed, so we submitted them - along with the answers to a few questions that we were given - and were done for the night.

After that, it actually was time to relax, with more beer, some cheesy movies (Hackers and WarGames. What else?) and some retro video games. A pretty fun evening.

Day 3 - Fri. 3 November

The final day was yet another early start, and while the forensics people focused on their reporting, the pentest side had to work fast. We started by paying for a bit of help on the first box - they didn't even finish speaking before we realised how obvious it was. Facepalm. It was then a pretty quick process to crack some passwords, move to the next Linux box, root it, get creds for the first Windows box and run an exploit on it. After that, we just dumped credentials from memory with Mimikatz, and that gave us full DA access when we logged in on the DC.

We quickly prepared and submitted the final reports, and then it was time to speak to the board. Cue Imperial March.

We were asked to give a quick overview of our findings, then questioned on a range of things, such as what the risks are, who they could turn to and whether they should switch off the power station. Once that was all done, the competition was all over.

Later on we had the awards dinner. This consisted of a drinks reception to start, then a three-course meal, with speeches and awards through the night. After the dessert, we got onto the main awards. The winning team was team Dorothy Du Boisson - my team - with over £225k earned in the challenge. Between our team members, we picked up all 4 individual awards, too.

I personally ended up being selected as Champion of the Masterclass. I was rather shocked, to say the least - as it turns out, I'm the youngest ever to be picked - but it's a big honour, and I'm proud to have been singled out as deserving it.

The individual awards we ended up with were:

  • 1st Place: Me
  • 2nd Place: Steve Tracy
  • 3rd Place: Harvey Stocks
  • Best Newcomer: George Osborne

Now, to finish off, I'd like to thank Cyber Security Challenge for organising these competitions and making all this possible, and their sponsors who enable them to do so, particularly PwC, GCHQ, NCA and the Bank of England who organised this Masterclass. They ran a challenging, demanding and most of all enjoyable competition.

I'd also like to thank the other members of my team. It wouldn't have been the same without you guys (Not that a certain taxi driver would have minded that...) and all the hard work you put in over those few days.

Images courtesy of @Cyberchallenge @wjbarlow and @tony_cleal on Twitter.