
Penetration testing laboratory "Test lab v.8": the bank is broken



On November 13, 2015, the eighth penetration testing laboratory, “Test lab v.8”, which takes the form of a virtual bank, was launched. By the time the laboratory opened, the number of registered participants exceeded 5,000. The results of participation, the IT structure of the laboratory, and the names and comments of the winners, along with a partial walkthrough, are presented below. So, let's begin.

Legend




With the difficult economic situation in the world, hacker attacks on financial organizations have become more frequent. Despite using modern means of protection, the management of SaS Bank * is extremely worried about security and asks you, professional hackers, to check how well its infrastructure is protected.
* Fictional name. Any match with the names of real organizations is a coincidence.

Chronology and statistics


“Test lab v.8” turned out to be the longest laboratory to complete, as well as the largest in the entire history of the laboratories: more than 5600 participants have already registered in “Test lab v.8”, while only 160 of them managed to get at least one token. A distinctive feature of the current version of the laboratory is the introduction of active information security systems on the external perimeter, a combination of sensors, web firewalls and blocking systems. A participant who used popular network and web application utilities and scanners received a short-term ban. The most persistent participant was blocked 58 times, and the total number of players who received a ban at least once is about 500.
More than 68 countries, 311 cities, more than 600 total tokens collected

Chronology of audience growth

A little over two weeks after the start of the laboratory, Orlov Pavel (Zlo) was the first to collect all the tokens.



Winners Comments


This is my third test lab. It seemed to me much more competitive than the previous ones; people united in groups to solve problems. It is interesting that a sufficiently high entry threshold was set - the first three tasks were much more difficult than the next 5. The tasks “cabinet”, “DB”, “java-test” and, of course, the last and most difficult one - “dev-test”. It took me almost a week to develop a solution to this problem, since at first I tried to attack this machine in a manner not intended by the developers. I almost succeeded - “wpad injection” worked successfully and I could see and answer the requests of the Windows Update service, but I could not get any further this way. As always, during the assignments I learned a lot of new things. Once again, I thank the developers of Test Lab 8 for a great opportunity to practice and I wish you success in the development of the project.
Orlov Pavel, Zlo

First of all, I want to thank the organizers for the work done to create this laboratory. This is an excellent platform to test your knowledge and gain new knowledge. The tasks in the laboratory are difficult and interesting. A variety of tools were used to solve the problems, but with the default settings, not all of them brought the desired result. And some tokens are hidden in the most unexpected places. Of course, I would like to mention the task “dev-tester”, in which a lot of effort was spent on establishing contact with the “tester”. But in the end, he gave up and issued a token. It was fascinating.
Andriyanov Maxim, max3raza

If you decide to go through "Test lab v.8", then here is my first piece of advice: get leave from your girlfriend / wife and stock up on valerian and energy drinks, because you will spend a lot of time and nerves there - but it's worth it! Probably, the 8th laboratory turned out to be the most interesting. To be honest, it is very difficult to cope here alone; it is advisable to find a partner, and even better to assemble a team, but if you are a mega-cool hacker, then go ahead. Many tasks were very interesting and required good analysis. Some tasks were easy, but you should not rejoice immediately, because the easy tasks have a well-hidden token. The most interesting and difficult task was “dev-tester”; a week of sleepless nights and searching brought results in the end, and we were the first to solve such a difficult task. As a person who has gone through the whole laboratory, I can say: “Start going through it! It’s very, very interesting, and you’ll learn a lot that you’ve never seen before.” Good luck, everyone.
Tagiyev Nijat, Nijat

For those who have not yet started the laboratory, or who are experiencing difficulties, "Test lab v.8" participant Alexey of 100 has prepared a partial write-up.

We want to thank everyone who takes part in the laboratory. Recall that the laboratories are created for legally testing and consolidating penetration testing skills; they are free and always unique. Join now!

Source: https://habr.com/ru/post/272539/

