Following is a summary of the most challenging objectives within the 2023 SANS Holiday Hack Challenge, steeped in AI and cybersecurity risks. Participants navigated through 21 objectives, honing their cybersecurity skills and putting their expertise to the test.
One of the most intriguing challenges involved hunting down AI hallucinations in a penetration test report generated by a large language model (LLM) called Reportinator ChatNPT. Participants were tasked with identifying inaccuracies in the report, such as an invalid port number and a confusion in a PHP version number, and flagging these problematic sections.
Another challenge revolved around escalating privileges on a Linux system. Participants had to utilize a custom executable called simplecopy with the SUID bit set to execute files with root privileges on a non-root account. This allowed them to gain access to critical information, ultimately leading them to complete the challenge successfully.
The Holiday Hack Challenge also delved into reverse engineering Game Boy ROM files in two separate challenges. Participants were required to reveal a hidden portal and decode a message in Morse code by examining the differences between two versions of the game. In another challenge, they had to navigate a game environment to access a flag by meticulously inspecting the game’s code and leveraging a Game Boy emulator to manipulate the player’s position on the map.
Furthermore, the challenge explored the misuse of SSH certificates and the security implications of a misconfigured SSH certificate signing service. Participants had to exploit vulnerabilities in an Azure Function app to obtain SSH certificates, enabling them to authenticate as another user on an Azure virtual machine. This involved making API calls, intercepting HTTP requests, and extracting sensitive information from the targeted system.
Lastly, the challenge focused on the exploitation of a misconfigured Active Directory Certificate Service, allowing participants to authenticate as another user. By leveraging various Impacket tools and APIs, participants uncovered critical information such as user accounts and PowerShell scripts, ultimately gaining the upper hand in the challenge.
Overall, the 2023 SANS Holiday Hack Challenge provided participants with a rich and diverse experience in cybersecurity, blending AI, reverse engineering, privilege escalation, and exploiting security vulnerabilities. It tested their ability to think critically, demonstrate technical prowess, and adapt to complex and dynamic scenarios. As the cybersecurity landscape continues to evolve, events like the Holiday Hack Challenge play a crucial role in preparing professionals to tackle the ever-changing threat landscape and defend against sophisticated cyber attacks.