Hivestorm 2020

 

tldr; It was fun and very similar to CyberPatriot. Don’t expect answers to the images.

Overall Thoughts

Last week (10/17/20), Hivestorm 2020 took place and I was team captain and one of the two Linux members on my team. For the first 3 of 4 hours, I focused on the Debian image, then my Ubuntu partner and I switched images. Comparing it to its sister competition, CyberPatriot, Hivestorm was a little higher than Round 4 level. Since there was no red team, I can’t compare it to the CyberPatriot national images. My partner and I were able to get about 130/200 combined points on the two Linux images. We weren’t really trying too hard because we were mostly just using the competition images as testing our teamwork, tools, and flow for another cybersecurity competition CCDC. We ended up getting 6th nationally as a team of mostly rookies at this kind of competition.

“Would you compete in Hivestorm again?” Yeah, probably. Since the rules page doesn’t seem to have restrictions against students from different schools competing together, I might try again with different friends, but who knows.

The Debian Image

Since it’s been a while since I competed in this kind of competition, I forgot that there were forensics questions. I read them and noted what kinds of information is required to answer them so I don’t accidentally remove something required for answering them, but didn’t focus on them. I was more focused on quickly establishing secure anti-red team policies on an insecure Debian system. I pretended like the image was terminal-only, which made me have to manually fix the Debian repos in the /etc/apt/sources.list file. For those who were wondering why they couldn’t download anything on the image, it was because the repos were all set to CD-ROM only, and since there was no disc inserted with your desired packages, it couldn’t install anything. You can replace them with the following repos or any other Debian 8 ones you want:

deb http://ftp.us.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.us.debian.org/debian/ jessie main contrib non-free

There were a lot of points on Debian related to updates and uninstalling unauthorized/unnecessary packages, so fixing the repos was pretty important.

System administration obviously entails looking for unauthorized users or misconfigured privileges. Since there was a README on the desktop stating which users were allowed, it was pretty easy finding which users were not supposed to exist and who needed to be an admin user.

Another large source of points, was in various config files that you could find in /etc/. For novices at Linux, /etc is where the system stores the configuration files for your services and system. Some common files that a Linux administrator should look at is /etc/login.defs, /etc/sudoers, /etc/pam.d/common-password, /etc/pam.d/common-auth, and /etc/ssh/sshd_config if the computer needs SSH. Some things, however, are not configured in /etc, but those are usually things like CMSs, for example WordPress. You would need to enter configurations into the directory that the config file is hosted in, in WordPress’s case /var/www/html/wordpress/wp-config.php. (note:sometimes people don’t give WordPress its own directory and the contents are just in /var/www/html).

One thing I do want to point out, however, is SMTP servers require a web server. Don’t think that just because the README doesn’t say HTTP is a required service that you can uninstall Apache. Not only was it required, but also worth points for configuring correctly.

There were more complicated configuration edits/hardening practices required, but I won’t be giving away all the answers. If you were just looking for the answers, you won’t learn much. Hopefully these things pointed you in the right direction so that you can conduct your own open-source research with your best friend Google!

The Ubuntu Image

My partner worked on the Ubuntu image for the first 3 hours of the competition before we switched, so I can only write about my experience with the image. There were significantly fewer low-hanging fruit to get points from at this point, so I focused on service hardening. I was initially expecting a LAMP stack, but it turned out to be a LEMP (Linux, Nginx, MySQL, PHP) stack instead. I wasn’t really prepared for nginx, so I googled some configs for nginx and applied them as I saw fit. The rest of the LEMP stack configs went pretty much according to how I planned, though most were already applied by my partner. Other than hosting a LEMP stack instead of a mail server, the two images were pretty similar in types of vulnerabilities.

Towards the end of the competition, we focused on answering the forensics questions. One of the questions I answered was Forensics Question 1 on the Ubuntu image. In short, we had a .pcap file that tracked an image download. We have to find the md5 sum of the image downloaded. Since it was a .pcap file, I knew it was related to Wireshark, so I installed it and opened the .pcap in it. The file was pretty short, so it was easy to find the download event. From there I found the GET HTTP command, and found the image that was downloaded. I downloaded the image to my desktop with the name image and used the following command:

md5sum image

Copy and pasting the output gave me the points. One thing that my team members struggled with was they originally downloaded a thumbnail of the image from the initial request, not the actual file itself. So when they used the md5sum command, it didn’t give them the right sum.

Advice for Competitors

If you’re looking to compete in a future Hivestorm event, I highly recommend it if you’re just getting into cybersecurity or just want to try your skills. If you competed in CyberPatriot, you should have a good idea of what to expect. Honestly, even CyberPatriot competitors can use these tips. Here are some things to keep in mind when you compete:

  1. PREPARE A CHECKLIST. This may seem obvious, but not making a checklist will severely slow you down when it comes to competition. When it’s 3 hours in and you’ve been staring blankly at Google for 15 minutes, you will be too mentally drained to remember where to cd to.
  2. Communicate with your team members. If you are stuck or think something is broken, tell your team. They may know the answer and it will save precious time. Even across OS! I answered my Windows team’s forensics questions.
  3. Learn how to Google effectively. It will save you from wasting time on irrelevant results.
  4. Don’t keep looking at the scoreboard. It’s a waste of time. When it’s 30 minutes left, I know you will be tempted to keep refreshing the scoreboard and see if anyone is overtaking you, but you will not get points that way. Use that time on a web browser to keep researching for something new.
  5. If you have a partner working on the same family of OS (Linux team/Windows team), try switching images. You might be overlooking something because you familiarized yourself with one image. Getting a pair of fresh eyes may help you or your partner think of something new/you forgot about. This can also be an opportunity for you to communicate as stated in Tip 2. Make sure to only give a brief summary of what you did/have been looking into. You want your partner to still be going in semi-blind to double-check your work.

UPDATE 10/28/20: According to Hivestorm, I had the highest Debian score (67).