# Hivestorm 2020

tldr; It was fun and very similar to CyberPatriot. Don’t expect answers to the images.

# Overall Thoughts

Last week (10/17/20), Hivestorm 2020 took place and I was team captain and one of the two Linux members on my team. For the first 3 of 4 hours, I focused on the Debian image, then my Ubuntu partner and I switched images. Comparing it to its sister competition, CyberPatriot, Hivestorm was a little higher than Round 4 level. Since there was no red team, I can’t compare it to the CyberPatriot national images. My partner and I were able to get about 130/200 combined points on the two Linux images. We weren’t really trying too hard because we were mostly just using the competition images as testing our teamwork, tools, and flow for another cybersecurity competition CCDC. We ended up getting 6th nationally as a team of mostly rookies at this kind of competition.

“Would you compete in Hivestorm again?” Yeah, probably. Since the rules page doesn’t seem to have restrictions against students from different schools competing together, I might try again with different friends, but who knows.

# The Debian Image

Since it’s been a while since I competed in this kind of competition, I forgot that there were forensics questions. I read them and noted what kinds of information is required to answer them so I don’t accidentally remove something required for answering them, but didn’t focus on them. I was more focused on quickly establishing secure anti-red team policies on an insecure Debian system. I pretended like the image was terminal-only, which made me have to manually fix the Debian repos in the /etc/apt/sources.list file. For those who were wondering why they couldn’t download anything on the image, it was because the repos were all set to CD-ROM only, and since there was no disc inserted with your desired packages, it couldn’t install anything. You can replace them with the following repos or any other Debian 8 ones you want:

deb http://ftp.us.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.us.debian.org/debian/ jessie main contrib non-free


There were a lot of points on Debian related to updates and uninstalling unauthorized/unnecessary packages, so fixing the repos was pretty important.

System administration obviously entails looking for unauthorized users or misconfigured privileges. Since there was a README on the desktop stating which users were allowed, it was pretty easy finding which users were not supposed to exist and who needed to be an admin user.

Another large source of points, was in various config files that you could find in /etc/. For novices at Linux, /etc is where the system stores the configuration files for your services and system. Some common files that a Linux administrator should look at is /etc/login.defs, /etc/sudoers, /etc/pam.d/common-password, /etc/pam.d/common-auth, and /etc/ssh/sshd_config if the computer needs SSH. Some things, however, are not configured in /etc, but those are usually things like CMSs, for example WordPress. You would need to enter configurations into the directory that the config file is hosted in, in WordPress’s case /var/www/html/wordpress/wp-config.php. (note:sometimes people don’t give WordPress its own directory and the contents are just in /var/www/html).

One thing I do want to point out, however, is SMTP servers require a web server. Don’t think that just because the README doesn’t say HTTP is a required service that you can uninstall Apache. Not only was it required, but also worth points for configuring correctly.

There were more complicated configuration edits/hardening practices required, but I won’t be giving away all the answers. If you were just looking for the answers, you won’t learn much. Hopefully these things pointed you in the right direction so that you can conduct your own open-source research with your best friend Google!

# The Ubuntu Image

My partner worked on the Ubuntu image for the first 3 hours of the competition before we switched, so I can only write about my experience with the image. There were significantly fewer low-hanging fruit to get points from at this point, so I focused on service hardening. I was initially expecting a LAMP stack, but it turned out to be a LEMP (Linux, Nginx, MySQL, PHP) stack instead. I wasn’t really prepared for nginx, so I googled some configs for nginx and applied them as I saw fit. The rest of the LEMP stack configs went pretty much according to how I planned, though most were already applied by my partner. Other than hosting a LEMP stack instead of a mail server, the two images were pretty similar in types of vulnerabilities.

Towards the end of the competition, we focused on answering the forensics questions. One of the questions I answered was Forensics Question 1 on the Ubuntu image. In short, we had a .pcap file that tracked an image download. We have to find the md5 sum of the image downloaded. Since it was a .pcap file, I knew it was related to Wireshark, so I installed it and opened the .pcap in it. The file was pretty short, so it was easy to find the download event. From there I found the GET HTTP command, and found the image that was downloaded. I downloaded the image to my desktop with the name image and used the following command:

md5sum image


Copy and pasting the output gave me the points. One thing that my team members struggled with was they originally downloaded a thumbnail of the image from the initial request, not the actual file itself. So when they used the md5sum command, it didn’t give them the right sum.