CyberDiscord Open 2023 Review & Writeup

I recently got the chance to participate in the inaugural CyberDiscord Open cybersecurity competition, a four-hour event that operates similarly to CyberPatriot or NCCDC:

Here’s a description from the competition organizer, Matthew Ring:

The CyberDiscord Open is a cyber defense competition that allows teams to compete together or separately from any location around the world. Teams compete by securing provided Windows and Linux based virtual machines — removing malware and other infections, correcting misconfigurations, mitigating vulnerabilities, disabling vulnerable services, and so on. Additionally, teams will answer cybersecurity problems in a web-based challenge. Teams accumulate points for addressing each scored issue and must race against the clock to accumulate as many points as they can before time expires.

Vulnerability Categories

The following is a list of scored vulnerability categories sent out by the competition organizer. It gives competitors a general idea of what to look for and how to prepare.

Fedora

On my team, I was the Fedora specialist. I gained 29 out of 100 possible points, fixing 18 of 54 vulnerabilities and earning the second-highest Fedora score in the competition!

For reference:

• Fedora scores across all teams
• Competition-wide image statistics

In the rest of this article, I’ll discuss the challenges I was able to solve, my impressions of the event, and how I can improve for future events.

Forensic Questions

Finding the PrestaShop database credentials

On the system, a LAMP stack server was installed, which was used to run PrestaShop. Competitors were tasked with finding the PrestaShop admin’s MySQL username and password. The task itself was simple, but the hardest part was finding where the configuration was located. PrestaShop has four different config files, each with a slightly different purpose. I finally found the database connection details in the app/config/parameters.php file.

Next, I had to connect to and exfiltrate some information from the database. I connected to the database with the mysql CLI, which was preinstalled (it likely came bundled with the MySQL server). Again, the most challenging part was becoming quickly acquainted with PrestaShop’s internals. The ps_customer database table contained a column called note, which was used to store private notes about a custom—or, in this case, the answer to the forensic question.

Mounting a damaged RAID array

The image had two files on the desktop, sda and sdc. They were disk images of two drives that formed a RAID 5 array (RAID 5 requires three drives to operate normally, but the array can repair itself using the data from only two drives). To access one of the files on the array and complete the forensic question, I had to figure out how to mount them.

Essentially, I had to create a loop device for each file. This allows the system to access the files as a storage device, rather than just a file:

$ losetup /dev/loop9 sda
$ losetup /dev/loop10 sdc

Then, I had to re-assemble a RAID array with both newly-created devices:

$ mdadm --assemble /dev/loop9 /dev/loop10

After that, I tried to mount the array using the terminal, but my attempts weren’t successful. I ended up using the graphical file manager to mount the array and recover the file.

Strange regular expressions

One of the forensic questions required competitors to scan a directory for files that contained any text matching a long, complicated regex. Unfortunately, due to time pressure, I was not able to solve this challenge. I suspect grep couldn’t handle the regex because it contained an escaped hyphen (-) in one of the character ranges, but after moving it to the end of the bracket expression, I didn’t get any matches.

Managing Users and Groups

User and group management is a common theme across every CyberPatriot competition. During this event, I didn’t have any scripts to do this for me, so I had to manually go through the user list and make sure every user was on the list of 25(!!) authorized users.

The README also told competitors to create a few new groups, add users to them, and make sure every group member was authorized.

New groups can be added with groupadd, and users can be added or removed from groups with usermod. One of the easiest ways to manage users is to directly edit the /etc/passwd file.

Removing Prohibited Files

Another staple of CyberPatriot competitions is removing prohibited games, ‘hacking tools’, and files. In this competition, I was able to find a Music folder, but did not receive points for any other prohibited files or programs.

Updating The System

The easiest way to gain points—even if it takes a while—is by simply updating the system. In this case, Fedora uses dnf, so it’s as easy as typing dnf update in a terminal.

This awarded me points for updating software (systemd and firewalld) but also in some unrelated categories, like fixing a shell backdoor and modifying user permissions.

Setting Up The Minecraft Server

Setting up a Minecraft server seemed easy—I’ve spent years working on projects like BlueDragon—but there were a few obstacles along the way.

1. The installed Java version was out of date. This was an easy fix (I just had to install the correct version using dnf), but I had to learn about alternatives to make the system actually use the new package I installed.
2. After starting the server, it creates a file called eula.txt in the current working directory. You have to change eula=false to eula=true to accept Minecraft’s End-User License Agreement and then restart the server.
3. I was unable to get points until I used the whitelist on command in the Minecraft server console, even though I enabled the whitelist in the server.properties file.

The Online Competition Model

In my experience working in CyberPatriot competitions, handling the images has always been a pain point. In later rounds, they can be up to 6 GB, meaning they take a long time to download and extract. One competitor forgetting to download and extract their image can delay start times by up to 30 minutes. By contrast, the CyberDiscord Open used an online portal to access competition VMs. This removes download times, makes multi-instancing violations impossible (see page 34 of the CyberPatriot rules), and allows people to compete without a VMWare-capable device. I hope CyberPatriot adopts this model in the future, as it’s better for competition integrity and accessibility.

Potential Improvement Areas

1. Scripting. Scripts allow competitors to spend more time poking around for vulnerabilities and less time doing monotonous tasks like combing through log files or removing unauthorized users. Especially with CyberPatriot’s new four-hour competition period (down from 6), if I want to keep up, I will have to script as many things as possible.
2. Research. Some topics I want to focus on in the near future are SELinux (and maybe AppArmor on Ubuntu), optimally configuring PAM, and the inner workings of systemd. While researching during competition is important, background knowledge is essential in a time-constrained competition.
3. Time Management. In this competition, my team was not able to spend more than 30 minutes on the web-based challenge because we spent our first few hours on the VMs. This dramatically reduced our standing after web challenge scores were posted, because every challenge had the same weight in the final score.

Wrapping Up

The CyberDiscord Open was a ton of fun this year, and I highly recommend competing in next year’s event!

The competition was hosted and organized by Matthew Ring and sponsored by AFA CyberPatriot, the National Collegiate Cyber Defense Competition, the Center for Infrastructure Assurance and Security, and MSI. Thanks to them for making this experience possible!

Update: A blog post about running the competition has been released! Check it out: https://blog.matthewzring.dev/cyberdiscord/hosting-the-cyberdiscord-open/