This Sunday, RIT sent two teams down to Alfred State to play in the Fall 2015 Alfred State Information Security Team (ASIST) CTF. The challenges featured a set of 16 primary objectives, which served as a story line for a penetration test of an insurance company. The story began with reconnaissance challenges, then branched into web and database security. Things started getting tricky when we had to track down and gain access to an internal backup server by tracing through a cronned backup script. We then pivoted to a mail server and found an encoded screenshot with further credentials inside an email. The series ended by pivoting to an internal Windows server and pulling the domain administrator’s password. Other side challenges were mixed in, including lockpicking, NFC tags, hacking a makeshift fire alarm system, and pinning a white-team member with a clothespin.
Our team took home first place, with the other RIT team taking second. Huge thanks to ASIST for putting on a great event! I learned a ton and had an awesome time working through the challenges.