I arrived early on day three expecting one more hour of active Red Team hacking. The rest of the day was set aside for a competition between the students, to give them some Red Team action of their own. However, to my surprise, I arrived to find all the students in a panic. Apparently, someone had messed with the computer systems during the night, and no one would fess up as to who had done it or what had been done.
While we all waited on the Red Team, it was discovered that during the night the forwarded CEO email account had intercepted two emails from one of the student teams. Unfortunately for them, the emails contained the usernames and passwords for every member of the team. As a result, the Red Team member who was present was able to log into the OSCommerce site, download the customer database, and access the accounts on the SSH server, not to mention anything else that required an account. Of interest, the Red Team was not able to use the file manager in OSCommerce to upload or download files, because the students had allowed only read/execute access to the admin directory. It was at this time that the Red Team arrived and explained what had happened.
To keep the games interesting, and to provide a bit of an educational anomaly, the Red Team had done what any criminal hacker would consider: they broke into the teams' pods and installed backdoors. Using only the light from a glow stick (the hotel they were staying at didn't have any flashlights), they found a ladder, climbed up the outside of the room (12-foot ceilings), pulled back a drop-ceiling tile, and climbed down a wooden rod they had collected nearby. With physical access gained, the Red Team went to town.
Rootkits, backdoors, password changes, system configuration changes and more were fair game with no one around to stop them. One team had locked down the KVM device with a password, but this was quickly bypassed by plugging the monitor directly into the computer. Another team used BIOS password protection, but again, a quick short of the CMOS reset the BIOS back to its defaults. Windows administrator accounts fell quickly to boot-disk-based password reset attacks. The root account was gained through 'single user' mode hacks on the Linux machines. From there, log files were deleted, PHP scripts were embedded in programs, backdoors were installed, accounts were created with root-level access, and much more. Simply put, the Red Team owned the students through and through. The only way anyone could realistically recover would be to take everything offline and start from scratch, which is exactly what a business would have to do. In fact, in a real case, the feds would probably ask to take the systems as evidence.
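As an added example (not part of the original post), here is a small POSIX shell audit for one of the artifacts listed above, accounts planted with root-level access: it flags any UID-0 entry in a passwd-format file that is not named root, and lists accounts absent from a baseline copy taken before the machines were exposed. The file contents and the account names "sysmaint" and "backup" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a passwd-format file for
# accounts that carry root privileges (UID 0 under a name other than "root")
# and for accounts that did not exist in a trusted baseline copy.
# All file contents and account names below are constructed for this demo.

# Print the login name of every entry whose UID is 0 but whose name is not
# "root". A second UID-0 account is a classic planted backdoor.
find_extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Number of such accounts, usable as a pass/fail signal (0 means clean).
count_extra_root_accounts() {
    find_extra_root_accounts "$1" | wc -l | tr -d ' '
}

# Print login names present in the current file ($2) but absent from the
# baseline ($1). Catches added accounts even when they use a normal UID.
new_accounts_since_baseline() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# Constructed baseline: what /etc/passwd looked like before the break-in.
BASELINE_PASSWD=$(mktemp)
cat > "$BASELINE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
student:x:1000:1000:Student:/home/student:/bin/bash
EOF

# Constructed current file: the same entries plus a planted UID-0 account
# "sysmaint" and an ordinary-looking "backup" user added overnight.
CURRENT_PASSWD=$(mktemp)
cat > "$CURRENT_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sysmaint:x:0:0:maintenance:/var/tmp:/bin/bash
student:x:1000:1000:Student:/home/student:/bin/bash
backup:x:1001:1001:backup:/home/backup:/bin/bash
EOF

echo "UID-0 accounts other than root:"
find_extra_root_accounts "$CURRENT_PASSWD"
echo "Accounts not present in the baseline:"
new_accounts_since_baseline "$BASELINE_PASSWD" "$CURRENT_PASSWD"
```

Run it against a real system with `find_extra_root_accounts /etc/passwd` and a baseline copied to offline storage; as the post notes, a box that shows these artifacts is a rebuild candidate, not a cleanup candidate.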