Lab penetration testing v.9: nothing is impossible

On May 20, 2016, the next, ninth penetration testing lab “Test lab v.9” was launched, which is a virtual company “CyBear 32C” engaged in the development of various systems and applications, including information security systems.

It took the participants 11 days to compromise all elements of the infrastructure. The article discusses the details, the names of the winners, feedback from participants and a link to a partial passage.

')
The participant acting as an external intruder needed to search for and exploit vulnerabilities, overcoming various protection systems: antivirus, WAF and Firewall, access control systems, etc. The main difference between the laboratories “Test lab” and the CTF competition is in a realistic storyline: the compromise of one node may allow an attack on the rest of the network to be developed.

Statistics

To date, the number of registered participants exceeds 9,000. On average, around 40–50 participants were registered in the laboratory per day. The maximum number of simultaneously connected participants is 141. For 2 weeks of work of the laboratory, a total of 161 tokens were collected.

Geographical distribution of participants:

1. Russia - 434
2. USA - 87
3. India - 64
4. Ukraine - 61
5. Germany - 54
6. Italy - 48
7. England - 44
8. Australia - 33
9. Israel - 30
10. Netherlands - 2

Currently, participants from 63 countries are undergoing a laboratory. 12 participants managed to go through the whole laboratory. In 2016, the increase in new participants amounted to 3267 people.

The average network activity was 30-40 Mbit / s, the peak load - 230 Mbit / s.

In the first two weeks, we recorded 75.504.503 events. Most attackers use well-known utilities and scanners: the most popular tools for analyzing web application vulnerabilities were Acunetix, w3af, and Dirbuster, a vulnerability scanner. For example, for the week Dirbuster utility, 3.640.044 events were recorded in the logs. During the day, the main site (Mainsite) collected more than 2 GB of logs.

None of the participants managed to bypass the Web Application Firewall; access from the trusted network segment was used to compromise the protected site.

Vulnerabilities in the laboratory that were not standard scanners (for example, ssh with non-standard greetings banner and PAM) immediately eliminated a huge percentage of attackers.

Laboratory creation

All employees of our company take part in the creation of the laboratory, using their practical experience and the experience of our colleagues. To understand how this happens, we present a small review from Alexander Dmitrenko sinist3r :

The idea for the task came in the process of building a storage area network (storage or storage area network, SAN).

When deploying hardware and disk shelves, a thought emerged about potential vulnerabilities and possible vectors.

And after there were already some rough designs, a hacking team hacking team description appeared (https://xakep.ru/2016/04/18/hacking-team-hack/), which helped to finalize the task very quickly. And so it acquired a complete view of a multistage task and with a few trifles that will surely make you think.

When implementing any task, the biggest difficulty is the factor of a large number of participants, and at the same time 50-60 people can interact in some way.

In addition, the development process always has to take into account possible destructive actions, which in the most negative scenario can lead to a complete inoperability of the server. To prevent such situations in any way, wherever possible, we try to curtail the rights of the participants, if this is not possible, then we have to use the tasks in the scheduler, and periodically reset everything to its original state.

The task deployment time usually takes not a lot of time (3-4 days), especially if all the main details were planned at the initial stage. Then comes the testing period under various conditions. At this stage, various minor changes are often made that are designed to improve work stability, protection from destructiveness, and the like.

It is worth noting that very often in the process of developing assignments there is a peculiar side effect, which is that a deeper understanding of the work of a service comes, and sometimes new knowledge about previously completely unknown features and subtle nuances is acquired.

Also, in the creation of the laboratory, some ideas of Bogdan Lukin and Cyril R. (St. Petersburg) were used.

Members

The participants' qualifications, tools and methods were quite diverse: some participants cracked the next network segment for quite a while, while others looked like a certain speedrun - the services of the virtual company were hacked into 2-3 hours per hour. This is due to both practical experience - among the participants were members of the world's strongest CTF teams, as well as security professionals from around the world, for example, g0tmi1k.

Feedback from our members:

Alehandro Red

Although I have not taken a single token yet, I leave a positive review. Since The vulnerabilities that are on the first server are very relevant and appeared relatively long ago, I would really like to help develop the following laboratories to keep abreast of all new vulnerabilities, their exploitation and protection from them.

Maxim khazov

Laba, like the previous one, really liked it! I did not find any analogs to this format of conducting CTF, which is close to testing real network infrastructure.

This lab was perhaps even more complicated than the previous one. Trying to be one of the first to go through it alone is very hard, so you also often had to communicate with other participants. The greatest respect to those who passed, with no one talking)

Of the tasks this time, the ones I liked the most were: site-test, portal, and of course, ssh-test, which all leaders went through last. Many tasks required the knowledge of certain specific technologies, if I did not come across them before, it was hard.

R0c

Laba really liked, enjoyed solving tasks. I have not seen anything like

Artem Dimitriev

I like your labs very much, I look forward to the next one.
Participating, I learned a lot of new things, I gained many acquaintances.
Thank you very much for the work done.

Mister_Bert0ni (Bogdan Lukin, information security analyst)

To be honest, I liked everything very much. Thanks a lot to the organizer of the laboratory. Everything is very interesting, all current vulnerabilities. The plot is thought out interesting. I am glad that our foreign friends actively take part in the laboratory and TestLab goes to the world level)) I consider this a very great achievement. It is thanks to the organizers of the labs that people enjoying their passage will immediately share their impressions among their communication circles - which explains the sharp increase in the number of participants in the laboratory. Even for each participant who passes the laboratory heats the soul that he is one of the 9000 participants who could pass up end) This is also important, I think)) And a couple of years - I think that Pentestit and its certification about training will be able to contend with Offensive Security (Well, I would like to) So thank you very much) Everything was very cool!))

Sipan Vardanyan , CISO. noyer

Pentestit Lab v9.0 is something unique.
I have been working in the field of information security for several years now, and in my spare time I often participate in different CTFs: it helps to more effectively absorb new information, explore new attack vectors, and, as a rule, methods to neutralize them, however, almost always the vulnerabilities are “fake”, obviously synthetic .
Pentestit creates something else - everything is close to the real conditions of an information security audit, which undoubtedly pleases. In each task that a participant encounters while passing the laboratory, one can often observe real vulnerabilities that are encountered in the field.
Great idea, and just impeccable execution!
Thanks to the organizers and the development team.

Mokhon yuri

I am a member of the information security department. At one point, the leadership gave the task to conduct Pentest online. But then it turned out that practical knowledge is also needed. This is how the pentestit lab was found. I participated in the last three labs. All the tasks were very interesting to me, I knew a lot in theory, and finally I was able to see how this is implemented in practice. Also, with the help of the laboratory, I learned some tricks and tricks that were used by more experienced players. I wish your company success and prosperity. And if there is an opportunity, I will definitely sign up for courses. Thanks for the lab and the incredible feeling.

n0z3r0

I participate for the second time and honestly I really like the way the laboratory is organized, how responsive the guys who follow its work are. Equal in quality and organization on the Internet, perhaps there is no such laboratory, basically all are limited to one machine and then with already hackneyed images that can be found on Vulnhub. Or they are limited in time for several days, so if you are late, it means that you can participate, you will not get experience. Right
You can not only get experience, but also a lot of emotions. It is very gratifying that the lifetime of the laboratory is enough to leisurely go through it, work out certain types of attacks, port forwarding, building relays, etc.

Winners

1st place Vyacheslav Chernigov

On behalf of all the participants I want to thank the organizers for the laboratory! This is my fifth laboratory. The laboratory seemed a little easier than the previous one, several tokens were taken on the machine, but still there were moments when it was necessary to find a solution. I really liked the ssh_test task, it took me about five hours to solve it, but when the result was obtained, the first thing that came to my mind was that when it was found, my self-esteem would go down (by the way, you can take it right after logging in ssh!). To pass such tasks administrators need to think like hackers, and hackers think like administrators, then there will be harmony.
We look forward to the next lab, thank you all for
support and participation. Good luck to all.

By the way, when I took the last token, the number of participants was exactly 9000!

2nd place Alexey Centenary alexeystoletny

The laboratory at Pentestit, as always, was excellent. I am participating for the third time, and I want to sincerely thank the company for organizing the laboratories - each moment is worth a separate mention:

• Interesting and informative tasks that actually reflect modern attack vectors - there are no boring SQL injections on ASP sites or other artifacts of a decade ago - each task is a way to learn about actual vulnerabilities, its operation and how to solve them.
• Great competitive aspect: get together with like-minded people and make war on the field of a virtual company - what could be more interesting? And given that the Pentestit team and the community of participants are in themselves active and growing rapidly, it becomes even cooler!
• Speaking of the community, I would like to note that around the laboratories a unique audience of interesting people from all over the world gathers, each of whom is very interesting to meet, discuss common issues and continue to grow thanks to this.

I am also grateful to Pentestit for actively promoting the information security direction in general — courses, defcon.ru, informing about modern threats, creating and moderating the community, and, of course, laboratories — all this allowed me personally to learn a lot of new things, get practical experience and get to know pleasant ones and interesting friends and colleagues.

The laboratory will still be open long enough, so come, register and you will not regret it.

3rd place Kirill Firsov , isis - an employee of our beloved Habrahabr.

A well-designed laboratory allows for the exploitation of various types of vulnerability in real-world conditions.
Bugs from heartbleed to viruses in the Word. Was cool! I will take part next time.

For those who want to try their hand, but do not know where to start - we publish a partial vraytap on the passage .

If you have already tried yourself in the combat conditions of the laboratory, but you have any difficulties while completing the tasks, we suggest you improve your professional level of knowledge. For specialists interested in obtaining high-quality practical training in the field of information security and penetration testing, we have developed Corporate Laboratories , which have received admiring feedback from system administrators, employees of information security departments of the largest banks in Russia, IT companies and government agencies.

We thank everyone who took part in “Test lab v.9” and are pleased to announce that active preparation is already underway for the launch of the new lab “Test lab v.10” from Pentestit!
We invite sponsors to cooperate!
Do you want the world security community to know about your company? Request information about sponsorship packages by mail: info@pentestit.ru.

We are waiting for you among the partners and participants! See you!