Tag Archives: CCDC

What is actually learned from CCDC

A great question was asked by a Red Teamer on Twitter: What is actually learned from CCDC?
(https://twitter.com/carnal0wnage/status/718204762290843648)

I don’t think I could fit an answer into 140 characters, so I took to a blog for a proper response.

If you’re asking what is actually learned from the red team hacking a bunch of blue teamers…. NOTHING. We know you can do it. You know you can do it.

What we do learn are the things we taught ourselves in preparation for the competition. We don’t directly learn any of the objectives outlined in the CCDC Team Packets. (Did anyone even read them?)

For MACCDC the objectives are outlined as:

  • Build a meaningful mechanism by which institutions of higher education may evaluate their programs
  • Provide an educational venue in which students are able to apply the theory and skills they have learned in their course work
  • Foster a spirit of teamwork, ethical behavior, and effective communication both within and across teams
  • Open a dialog and increase awareness among participating institutions and students

Let’s break this down one item at a time.

Build a meaningful mechanism by which institutions of higher education may evaluate their programs

Institutions of higher education cannot use CCDC to evaluate their programs. Colleges often have guidelines and requirements to stick to course material as provided by their vendors. Sure, some teachers/professors stray from that a little. They do not use CCDC as a gauge to see how well their material is being taught. How well a team performs in CCDC is not a direct correlation to how well those students perform in class; thus, it cannot be used for higher education to evaluate their programs.

In fact I’d be interested to find out how many colleges request pcaps and the scoring metrics to see how their school did and if there is anything that could improve in their programs for next year. They probably don’t, and secondly MACCDC probably couldn’t deliver those items.

Provide an educational venue in which students are able to apply the theory and skills they have learned in their course work

I think this statement should be changed from ‘educational venue’ to ‘venue’.

Every experience in life is a learning experience. Everywhere we go and everything we do is a learning experience. We don’t call all the places we go ‘educational [place]’. In order for something to be called an “educational [place]” its primary function should be for educating. CCDC is not for educating and should NOT be labelled an ‘educational venue’, instead just ‘venue’.

Now with that statement changed to “Provide a[n] educational venue in which students are able to apply the theory and skills they have learned in their course work”, I can agree with part of it. I can agree with “Provide a venue in which students are able to apply theory and skills they have learned”, that’s it. Believe me, in your ‘course work’ you aren’t studying BigBlueButton, PBX, Cyclos, Request Tracker or JessX. None of these are in any course work I have seen come from any college. Leave me a comment below if you have worked on these boxes as part of your regular studies.

Foster a spirit of teamwork, ethical behavior, and effective communication both within and across teams

This is a mixed message when taken into context with the rules of the game. On page 7 of 2016 Team Packet Final it states:

e. Team members are forbidden from entering or attempting to enter another team’s competition workspace or room during CCDC events

I’m sure this will be twisted into saying ‘this doesn’t mean blue team to blue team, it means blue team to red team and vice-versa’. I’ve had CCDC officials twist things like this.

I can say from personal experience we have been instructed not to talk to other blue teams. We couldn’t talk to other blue teams even when trying to troubleshoot an issue where we needed to test connectivity from outside of our own site.

I wasn’t able to attend the Red Team-Blue Team mixer this year but I bet that was the most valuable part.

I wish the ‘teamwork’ extended to inter-team communication not just intra-team communication.

Open a dialog and increase awareness among participating institutions and students

I don’t even know what this means. “Increase awareness” about what? CCDC? Cyber Security?

Just the facts, Ma’am.

Through my CCDC experiences I learned a handful of technical skills that are still with me and that I use every day: simple Linux administrative tasks, ASA and pfSense administration, and the differences between stateful and stateless protocols and how they both work with iptables, Cisco ACLs & MPF, and pfSense rules.

Being a team leader I learned how to give lectures, create PowerPoint presentations and spin up VMs for live demos.

In order to give a proper and well-informed presentation about something you are forced to learn more about it than you ever thought you needed to know. I think a great training exercise for CCDC is to have every student create a presentation about something so they are forced to learn everything about it.

Everything I learned for CCDC is something I taught myself and it’s those things that stayed with me for life.

As for what I’ve gained from my CCDC experiences: I have gained something no class can teach… friends. I came into the CCDC club for my school and met a bunch of strangers. We made it through qualifiers and into regionals as acquaintances and classmates. We left regionals as friends. Some of those friends I still talk to even though we haven’t seen each other in a few years.

In Conclusion

Even though CCDC is flawed (probably throughout the nation) it still offers a place where like-minded individuals get together to teach each other and try to reach a higher understanding of the aspects of cyber security that interest them and then ultimately exercise those skills in a place with your friends. This competition is only as fun as you make it. I remember most of our systems had NyanCat across our screen. There was nothing left to do other than the Macarena, so we did. I remember having to leave the pit together for an inject and running through the mezzanine with our arms out like a bunch of airplanes. We always sent the Red Team fun gifts that we contributed to as a team.

If anyone wants to share what they’ve learned or has an opinion on what is actually learned from CCDC competitions, leave a comment below.

Summer Break: Stay busy

As I wrapped up my final exam and went to the Green Turtle with a classmate I was introduced to some people who were interested in playing CCDC in 2016. They knew I participated in the 2 previous years and wanted to know what they should be doing to prepare over the summer before joining the CCDC club in the fall. I forget what I actually told them but after thinking about it, why didn’t I have a long list of items prepared to tell them? Hence this post.

Summer really is a great time to start preparing for the next year’s CCDC. Most people have off in the summer, which normally means a little more free time. Think about what role you might want to play in CCDC, then steer your training towards it. You should naturally gravitate to something that interests you. You will always put more into something if it interests you. Here are some ideas:

  • Firewall administration: Cisco ASA, pfSense, iptables
  • Windows Server Active Directory
  • Database: MSSQL, MySQL, PostgreSQL
  • Webserver administration: Apache, IIS, nginx
  • Mailserver administration: OWA, SquirrelMail
  • Forensics: memory analysis, pcaps, log analysis
  • Windows Sys-Admin: firewall, users, services
  • *nix sys-admin: iptables, pf, users, groups, services

Find something you like and dig in. Summer break is the time for you to really explore, because when school starts you won’t have the same freedom in your schedule.

Start or join a CTF team. People who are naturally good at team-based CTFs will often be good at CCDC, since they are similar.

CCDC takes a lot of time. Practicing takes time. Setting up environments takes time. Just because CCDC limits you to 8 players doesn’t mean you can only have 8 people in your CCDC club. The more people you spread responsibility across, the more time you’ll have.

Treat CCDC like a sports team. You have to show up for practice or you can’t play in the big game. Doing CTFs and CCDC rehearsals will weed out who is willing to commit and who doesn’t have time for it. It will also help resolve personality conflicts sooner rather than later.

Test each other:

Create VMs on flash drives and trade them with each other. See if you can figure out what is misconfigured and what needs to be done to harden that system. This is also a good way to practice forensics. As you guys work on hacking each other’s VMs, capture the traffic in pcaps and do memory dumps, then give those to the forensics person(s) and see if they can identify what is going on without telling them. You can never have enough practice standing up, configuring and securing a LAMP server. Make sure you know how to test and patch Heartbleed and Shellshock.

Challenge others to write small scripts to automate things. As you perform repetitive tasks you’ll see where you can use scripts and where you can’t. Don’t try to automate everything; that plan will fail. Writing scripts will help you practice working at a command line, troubleshooting and regex. Start with log files:

tail -f /var/log/auth.log | grep Failed
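
A next step from that one-liner, as an added example that is not part of the original post: a small script that turns the same "Failed" lines into a per-address count. The function names and the sample log lines are constructed for illustration, and it assumes sshd's usual "Failed password for USER from ADDR port N ssh2" format.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.

# Constructed sample lines in sshd's syslog format (documentation IP ranges).
sample_log() {
cat <<'EOF'
Apr  2 09:14:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Apr  2 09:14:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Apr  2 09:14:09 web01 sshd[2215]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Apr  2 09:14:12 web01 sshd[2216]: Failed password for invalid user test user from 198.51.100.23 port 40030 ssh2
Apr  2 09:15:30 web01 sshd[2230]: Accepted password for alice from 192.0.2.10 port 50514 ssh2
Apr  2 09:16:02 web01 sshd[2241]: Failed password for invalid user oracle from 203.0.113.7 port 51190 ssh2
Apr  2 09:16:40 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
EOF
}

# Read auth.log-style text on stdin; print "count address", busiest first.
# The user name is text chosen by the remote side and may contain spaces, so
# the address is taken from the fixed "from ADDR port N ssh2" tail of the line.
failed_by_ip() {
  sed -nE 's/^.* sshd\[[0-9]+\]: Failed password for (invalid user )?.* from ([0-9A-Fa-f.:]+) port [0-9]+ ssh2$/\2/p' |
    sort | uniq -c | awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# Print only the addresses with at least N failures (default 3).
noisy_ips() {
  failed_by_ip | awk -v t="${1:-3}" '$1 >= t {print $2}'
}

# Demo on the constructed sample; on a real host: failed_by_ip < /var/log/auth.log
sample_log | failed_by_ip
```

The output of noisy_ips is a short list you can compare against your firewall rules during a practice round.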

Summer time is for learning. Fall is for practicing. Spring time is for performing.

In closing: find a group of friends you can get together with and have fun solving challenges together. You’ll find your groove, have fun.

Teams who win CCDC stay sharp all year.

How do you plan on staying sharp this summer? Do you have any advice for would-be competitors? Leave a comment below.

The “No Pictures” Policy

We, @ AACC, always enforce a strict no-pictures policy @ qualifiers, until it’s over. Then we enforce a no-social-media policy. Here’s why…

After qualifiers I went searching through social media and turned up a couple posts regarding MACCDC Qualifiers. This was one of those posts I found from a competing school:

This picture was taken before qualifiers began and was posted before they began. The caption read “Ready for this…”

Ready for this…

The problem is what’s in the background:

Passwords on the whiteboard!!!!!

4URedSucksTeam

What other information can we see?

Listing Roles & Chain of Command, from Mubix’s “How to Win CCDC” Presentation.

WiFi networks @ your school:

WiFi Networks

We can almost read the Sticky Notes on the desktop:

Sticky Notes

After the competition, it becomes a little more revealing:

After

Let’s zoom in on each piece: Enhance…. Enhance… Enhance…

A printed slide from Mubix’s “How to Win CCDC” presentation.

Which tools are they using:

Another printed slide from Mubix’s “How to Win CCDC” presentation.

Looks like PBX to me:

root@ip-10-10-10-110:

MySQL service won’t stay started: (More on this in a future post.)

service mysql start

Crème de la Crème: Moar Passwords!!!!

Moar Passwords

This post is not meant to make fun of or point out any flaws in any one person. This post is to bring awareness to the rest of the BlueTeam community that seemingly harmless photos can sometimes be too revealing.

Personally, I don’t even like posting pictures after the competition, just in case I make it to regionals and maybe nationals; I don’t want to accidentally reveal any information to prying eyes.

As a team you should discuss whether or not you want to have a Pictures/Posting Policy and what it should be.

What are the policies at your school? What should they be?

Let’s see if the red team can guess which school this was based on the passwords.