Authors: David Young, Izzy Whistlecroft

Introduction

Three Southampton students, Izzy, David and Kajusz, took part in a competition organised by Cyber Security Challenge UK and sponsored by Barclays.

Contestants were provided with accommodation for a night at Cotton's Hotel and Spa. This was followed by a frantic day of cyber security to help recover from a data breach suffered by a fictitious company hosted at Barclays' Radbroke Hall, a large facility located in the picturesque Cheshire countryside.

The Night Before

On arriving in Crewe, we were greeted by a man wearing an incorrectly coloured hat (it was blue, we were told it would be black!), who summoned a coach which took us on a roundabout route (owing to some inconveniently placed barriers on one of the roads) to the lovely spa hotel. This was to play host to the introduction and icebreaker sessions, as well as to provide accommodation before an early coach onwards to Radbroke Hall.

The introduction was a simple affair, with many representatives from Barclays and a couple from Santander (there was no fighting though). We were also split into our teams at this stage as well as being provided with team hoodies, with David being part of team Stuxnet and Izzy & Kajusz both being on team Wormhole.

For the icebreaker event, a quiz had been prepared. It consisted largely of the usual quiz topics like Sport and General Knowledge, but there was also a round on Barclays trivia and a set of challenges that seemed to have been drawn from the GCHQ Puzzle Book. None of the teams did particularly well -- the highest score was 24 out of around 70 possible points. David's team managed to "win" a set of wooden spoons, which will doubtless find good homes in various student kitchens.

After a spot of drinking (yay open bar), mingling, strategising and discovering that the spa (with its multitude of swimming pools, hot tubs and saunas) was closed after 10PM, we all headed off to bed ready for the intense day ahead.

The Day of the Event

Well rested and raring to go, we headed down to breakfast to rejoin our teammates. After we had eaten our fill of full English and continental breakfasts, a coach whisked us away to the Barclays Technology Centre at Radbroke Hall (where, in a more exciting twist than the open bar, there was an open Starbucks). After a brief introduction to the scenario we were off.

The theme behind the event was a fictitious cyber security research company, Research4U, which had been hacked by a group called 29Alpha. This group had captured a large amount of company data and was demanding £10m in ransom or they would leak it. Our task was to investigate the nature of the attack, patch the vulnerable systems, take down the hacking group, work out who was really behind it, and write a pair of reports for the CEO and CTO about the whole fiasco.

Defending Our Webserver

Initially we were given a compromised webserver and asked to work out if we could find out what was wrong with it and if there was any trace of the attacker left.

After some searching in the logs, an IP address was found belonging to a server on the internal network involved in the attack (investigated in the next subsection).

In terms of machine vulnerabilities, we discovered major SQL and stored cross-site scripting (XSS) issues on the website. This indicated how the hackers got onto the machine, with each team spending time trying to fix these vulnerabilities.

The stored XSS would accept usernames and passwords and then weakly encrypt and send them to the malicious internal network server. This had to be removed to secure the server.

In addition to this the webserver was running a number of out-of-date services which needed security updates and had no firewall rules.

Taking the Fight to 29Alpha

The second part of the event was to investigate the hackers, beginning with the compromised server discovered during inspection of logs. This server (known as pwdsink) was running on the internal company network and would accept "encrypted" usernames and passwords (ROT10 followed by Base64 encoding) sent to it by the stored XSS on the compromised webserver. This server also provided a comprehensive list of leaked usernames and passwords, allowing us to decrypt them so that the affected users could be properly warned of the breach.
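The ROT10-then-Base64 scheme described above has no key, so anyone holding the sink's data can reverse it. The following is an added example, not code from the event or the challenge platform; it assumes ROT10 rotates ASCII letters only and that records are (username, password) pairs, and the sample records are constructed.

```python
import base64
import string
from typing import List, Optional, Tuple

SHIFT = 10  # ROT10, the rotation named in the write-up

def rot(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift`. Assumption: other characters are unchanged."""
    out = []
    for ch in text:
        for alphabet in (string.ascii_lowercase, string.ascii_uppercase):
            if ch in alphabet:
                ch = alphabet[(alphabet.index(ch) + shift) % 26]
                break
        out.append(ch)
    return "".join(out)

def obfuscate(plain: str) -> str:
    """The scheme as described on the page: ROT10 first, then Base64."""
    return base64.b64encode(rot(plain, SHIFT).encode("utf-8")).decode("ascii")

def recover(blob: str) -> Optional[str]:
    """Undo both layers; return None if the record is not valid Base64/UTF-8."""
    try:
        rotated = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return rot(rotated, -SHIFT)

def recover_all(records: List[Tuple[str, str]]) -> Tuple[List[Tuple[str, str]], int]:
    """Decode (username, password) pairs and count records that fail to decode."""
    good, bad = [], 0
    for user_blob, pass_blob in records:
        user, password = recover(user_blob), recover(pass_blob)
        if user is None or password is None:
            bad += 1
        else:
            good.append((user, password))
    return good, bad

# Constructed sample records (not data from the event); the last one is malformed.
SAMPLE = [
    (obfuscate("alice"), obfuscate("Hunter2!")),
    (obfuscate("bob"), obfuscate("correct horse")),
    ("a3ZzbW8=", "%%not-base64%%"),
]

if __name__ == "__main__":
    accounts, malformed = recover_all(SAMPLE)
    for user, _ in accounts:
        print("notify and force a password reset for:", user)
    print("malformed records:", malformed)
```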

Pwdsink was vulnerable to command injection via the user agent header, allowing specially crafted requests to execute arbitrary commands. By abusing this it was possible to get root access to the machine, with further inspection giving the IP address of another machine, this time located on an external network.
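A sketch of the class of bug described above and its fix, as an added example rather than pwdsink's actual code: it assumes the service passed the User-Agent header to a shell command for logging, and the function names and header values are hypothetical.

```python
import re
import subprocess

def log_request_vulnerable(user_agent: str) -> str:
    """Vulnerable pattern: header text is pasted into a shell command line,
    so shell metacharacters in the header are interpreted by /bin/sh."""
    cmd = "echo UA=" + user_agent
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# Allowlist of characters expected in a User-Agent (assumed policy for this example).
SAFE_UA = re.compile(r"[A-Za-z0-9 ./;:()_,+-]{1,256}")

def log_request_hardened(user_agent: str) -> str:
    """Hardened pattern: validate the header, then pass it as a single argv
    element with no shell involved. Writing the log from Python without any
    external process would be better still."""
    if not SAFE_UA.fullmatch(user_agent):
        user_agent = "<rejected>"  # also blocks newlines used for log forging
    return subprocess.run(
        ["echo", "UA=" + user_agent], capture_output=True, text=True
    ).stdout

# Constructed header: the text after ';' is a harmless marker command.
CRAFTED = "Mozilla/5.0; echo INJECTED-MARKER"

if __name__ == "__main__":
    print("vulnerable:", log_request_vulnerable(CRAFTED).splitlines())
    print("hardened:  ", log_request_hardened(CRAFTED).splitlines())
```

In the vulnerable version the marker appears on its own output line because the shell ran it as a second command; in the hardened version the whole header is logged as data.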

The new machine had default usernames and passwords, giving easy access and indicating it often accessed a webstore belonging to a group called The Secret Society. This site was also vulnerable and, upon gaining access, provided an encrypted string seemingly implicating an insider at the company as well as the ability to delete their copy of the leaked data.

The Results

The winning team at the end of the event was Izzy and Kajusz's team Wormhole. In addition to this, Izzy and David were among the eight people at the event who were offered places at the Cyber Security Masterclass taking place in November.

Overall it was a rewarding and educational experience, giving a good opportunity to learn some new techniques and apply some old ones. We would like to thank Barclays and Cyber Security Challenge UK for organising and hosting the event as well as RangeForce who provided the challenge platform.

Media

Photos

Team Wormhole, receiving their prizes (https://twitter.com/Cyberchallenge/status/916690838226374656)

Izzy and David amongst the eight selected to attend the Masterclass (https://twitter.com/Cyberchallenge/status/916692239702773762)