Steven Woodhall

Cyber Security Challenge  – BT Face-to-Face

Cyber

Today I took part in my second face to face cyber event, I was one of 24 finalists competing in the F2F at BT Tower. The day involved working as team to investigate a company’s data breach, performing forensic analysis and reverse engineering applications to determine what really happened.

Qualifying for the Face-to-Face Games

To qualify for the face to face competition I played the two qualifier games on PoD and then answered questions on the challenges. The first was ‘In Plain Sight’ a web app where you find vulnerabilities and expose flags. While the second game was ‘Operation Syringe’ and I was given loads of Apache access logs and had a find which one resulted in a data breach using SQL injection. 24 of the highest scoring players from the two F2F games were then invited to compete in the event.

BT Tower

The event took place at the iconic BT Tower in London inside what used to be the rotating restaurant. To get to the top of tower I got to travel in one of the fastest lifts in Europe. Stepping out onto the 34th floor I experienced some amazing panoramic views of London which the public don’t normally get to see.

The Scenario

We were all put into teams and briefed that we were to investigate a possible data breach after customers reported unauthorised transactions appearing on their bank accounts.
There first task was analyzing over 20GB of logs. After finally decompressing all of the logs we found evidence that some of them had been tampered with and from analyzing the frequencies of user door access we found a suspicious user.

After finding the user ID we were given access to the companies door access system. The card readers in the company worked sending POST requests to a web app, we exploited a PHP script on the site to view the admin API documentation and thanks to admins leaving a test account active and some close inspection of cookies we managed to escalate our privilege. We could then used Python to send authorized POST requests and further our investigation.

In addition to the cyber security tasks that were happening there was a game of University Challenge going on. I was captain for our team ‘Mavis Batey’ and we were playing against team ‘Margaret Rock’ who totally destroyed us and went on to win the final. A game of University Challenge complete with buzzers and name plaques was something I wasn’t expecting but it turned out to be fun.

The next task had our team take it in turns to compete in a speed lock picking challenge. Each round we were playing against the other four teams contestant and the winners team would be awarded points.

Our team did pretty well in lock picking, when it was my turn I finished first and had time to enjoy the view of London.

For more information on Cyber Security Challenge UK visit their website or to test out your skills checkout their Play on Demand Games on PoD.