Welcome to the final post of the Killer Robots series! If you don’t already know about Killer Robots, Inc., see the December 7th post for an introduction. The December 14th post provided last year’s system architecture and some PI security resources. Last week’s post introduced this year’s environment and modeled the traversal to the web server with an early flag.
This week, as foreshadowed, we must go deeper. The web server access following the compromised user was possible due to poor credential theft defenses in the environment. Credential theft was the path of least resistance due to other defenses in place, such as authenticated access from normal users being limited to the client application since the admin site is implemented separately, strict import folder access preventing access to modify imported displays and IIS hardening to ward off attacks to the platform.
To control the impact of this user’s credentials falling into the hands of our competitors, the environment is set up with delegation, point level permissions and limited access assigned to the user. Just what they need to do their job. Or maybe slightly more…
While we took the above precautions, in the event we underestimated our competitors or overestimated our defenses, we also have snapshots of the environment, offline backups and a disaster recovery plan to restore the environment to them with minimal downtime to other competitors.
When putting together your toolkit for the CTF, you’ll want to include the following for taking on the PI challenges:
A machine or VM running a Windows operating system with PowerShell available
Windbg or your preferred tool for analyzing memory dumps