Saturday started out slowly, but by the end of the day things would not be looking good for most of the teams. With one team pretty much out of the picture thanks to a router issue, the Red Team really focused on the 'blue shirts'. Their first target was an OSCommerce application that was running on one of their Windows machines. Unfortunately, the blue shirts forgot to change the permissions for the admin directory on the application. As a result, the Red Team had complete access to the configuration manager portion of the application. This not only gave them access to all the order information that included 10,000 credit cards, but also gave them access to a file manager application that allowed them to upload/download/edit files on the system, which they did.
One of the members on the Red Team decided to make the ownering of this application obvious, and renamed the Title of the OSCommerce site to something like 'Welcome to Tim Rosenberg’s School of UDP.' Unfortunately for the Red Team, this was quickly spotted by the students who then started to look at how and why this happened. Meanwhile, the Red Team member had also defaced their home page, which the students again spotted. Access to the admin folder was soon disabled, but the damage was done — integrity was lost, services were denied, and confidentiality was gone. The blue shirts were able to detect and report the web server defacement to the authorities, but they missed the customer information download. Since web defacement is minor on the scale of attacks, the Red Team was only given community service instead of the felony charge they could have been hit with. The end result is that the color blue was a good pick for this team as depression sunk in.
The Red Team did spread the love around a bit after pummeling the blue shirts for a few hours. They discovered an unprotected HR program that was loaded with SQL injection vulnerabilities. This was then used to download/alter employee data, which represented a major loss in confidentiality and integrity. However, it was what the Red Team did after this that was quite clever.
Using some custom code, the Red Team created a SQL injection query that then connected to another team's web server in an attempt to create a denial of service attack. This odd attack forced one of the teams to approach the other team with an apology that went something like this: "Hi. Uh, I am sorry if we are attacking you, but we aren't really doing it." The DoS was stopped soon afterwards upon request of the judges.
At about 2PM the second day, attention was shifted to one team in particular because they had managed to stay out of the limelight. It was soon discovered that this team had failed to change their postmaster email password, which gave the Red Team full control over the emails coming and going to the server. Various methods of abuse were discussed, but it was concluded that the best thing to do was to change the password on the administrator accounts, create a new account, and forward all email from the CEO email account to the Red Team’s account. Once this was set up, the Red Team was told to take a break because the student teams were getting overwhelmed. Thus the attacks stopped, which gave the students time to focus on reporting incidents and securing their systems from the various attacks that had been occurring during the day.
One of the interesting tricks that the Red Team did to keep the students guessing was to run continuous scans from programs like Nessus. They did this for one reason — overload the students. In addition to indirect misinformation, the Red Teams also employed tools like mucus, which have no other purpose but to trigger IDS alerts. They also noted the use of ethereal and injected malicious packets into the network that would crash the sniffer and cause general havoc. It is important to note these techniques because in a real attack, it is not only possible for this to occur, but even probable — especially if the attacker knows you are watching.