CMD + CTRL - AccountAll

The CMD+CTRL Cyber Range suite features intentionally vulnerable applications and web sites that tempt players to steal money, find out their boss’s salary, purchase costly items for free, and conduct other nefarious acts.

October 10 - October 12 2019

CMD + CTRL Attack in Autumn 2019

This was another CMD+CTRL cyber range event, with some testing of their new scoreboard system. I ended up with only one evening to play with it, which is a shame because I had hoped to do more SQL injection to dump the database and do some poking at some of the site’s services with Metasploit.

These vulnerable sites are part of an active commercial cyber-range, and they request that participants not post public write-ups, so this post won’t reveal any deep, dark secrets. It did provide an opportunity to practice more of the IDOR and XSS attacks that I had worked with in InstaFriends. So, just some general notes, thoughts, and findings.

This time around, I found a great deal more reason to switch back and forth between accounts – there was a lot more interdependency in this HR system, with managers and their reports having different roles in processing HR forms and data. I also spent more time in Burp Suite, editing requests, and wish I had spent more time testing the boundaries of allowable inputs.

In a lot of cases, there wasn’t even an exploit required to access sensitive PII – it was just there in the profiles, so no points were gained there. With a bit more time it might have been possible to use that information between accounts to generate more challenge points, but nothing jumped out at me that evening.

There were, however, some interesting quirks that I came across in those few hours, including some XSS that was not being automatically scored by the system, some weird acceptance of impossible inputs in some places but not others, and an IDOR that just plain broke a page when exploited. There was even some interesting behaviour from the CMD+CTRL platform itself. While intercepting traffic in Burp, I came across a scoreboard update message that was definitely not about me, but about another player – including their user and player IDs and access timing when there was a scoreboard update.

I was able to pass these quirks and bugs along to the Security Innovation folks, who added some of them to the request list for their dev team. The strange platform behaviour was passed along, too, since the new environment is still in Beta and it might help explain some weird edge cases they’ve been experiencing. Very cool!

Thanks, too, to Security Innovation for providing some lovely starter videos – these were nice to be able to pass along to our new members trying out a cyber range scenario for the first time and gave a basic introduction to SQLi and XSS exploits.

FINAL RESULTS

AccountAll – 25/70 challenges solved for 3270 points
Rank 77/270