The Standoff Hackathon: The Experience of Team JettyCloud

Positive Technologies organizes The Standoff hackathons. Essentially, it's a Capture the Flag competition with an attack-defense format. In this type of competition, attacking teams perform a classic Red Team penetration test. This is a form of penetration testing where the attacking side (referred to as hackers) must infiltrate the organization's network, capture a flag (hence the name "Capture the Flag"), and cause as much damage as possible. For example, encrypting the disks of servers and personal computers that the hackers can access. In the real world, there are hundreds and thousands of examples of such attacks, making the scenario realistic. The hackers are opposed by the Blue Team, which defends against the attacks.

I have been participating in similar competitions as a member of the SPBCTF team for many years. Our colleague Petr was its captain. This year, the two of us participated from JettyCloud. Overall, the team consisted of about 15 people, most of whom engage in penetration testing during their work hours. The team includes players who have been playing CTF for over 5 years.

On the defensive side, there is a virtual state infrastructure that simulates a real one, divided into segments: city, office, bank, nuclear power plant, oil refining, metal processing. The goal of the attacking teams is to infiltrate the city's infrastructure, exploit vulnerabilities, and carry out forbidden events. For example, stopping the turbines of the nuclear power plant, shutting down the rolling mill in the metal processing facility, stealing employee data from the office, transferring money to their own account from the bank. The attacking teams compete against each other to find more vulnerabilities, carry out more forbidden events, and do so sooner. On the defensive side, Security Operation Center teams participate, training to detect and repel attacks. So, obtaining the coveted flag is not an easy stroll, but a series of challenges to overcome :)

We spent several weeks preparing for the tournament. To do this, we trained on a similar platform provided by the organizing company – Standoff 365. During our preparation, we practiced finding web vulnerabilities, navigating the internal infrastructure, improved our team coordination, set up and configured our own servers and special utilities.

The event itself lasted for three and a half days. On the first day, we studied the infrastructure, built the network topology, searched for vulnerable services, and conducted phishing attacks. By the end of the day, we already had access to most segments of the city. In the following days, we delved deeper into the networks, hacked into new servers and PCs, and gained access to administrators. Throughout this time, Petr coordinated the team, assigned tasks, and helped us create reports for the organizers.

The most challenging part was keeping track of which servers we had already compromised and which we hadn't, as the infrastructure of the segments was truly extensive and comparable in size to a real one. We excelled in hacking Windows and Linux machines, but we lacked experience in identifying vulnerabilities in industrial objects.

We gained a lot of experience and enjoyment from the game, and it was satisfying to see our team among the leaders. In the end, we secured 5th place out of 22 teams. We plan to participate again next year and aim for 1st place :)