Landing on the concrete

I received a text the night previous from a team member that I’d need a computer. I didn’t have a laptop, so I needed to borrow my sister’s $300 HP that had a cracked screen and a GPU that would crash if it got too hot.

The morning I was going to start my trek down to the conference, my phone fell out of my pocket, landed on the concrete, and the screen shattered. I debated on whether or not to still go. My entrance fee had already been paid though, so I started the car, and began the hour and a half drive.

Halfway down to the conference, I realized I was going to rely on my phone for directions. I made several wrong turns, but somehow I was only 10 minutes late. I was flustered from the broken phone and the drive down, but I was mostly OK.

I walked in the room and was astonished. Some students had set up their desktops, and high-end laptops were everywhere. Extension cords and Ethernet littered the floor. At the center of the room, a panel of judges worked hurriedly, finalizing the networks and challenges.

I sat down, plugged in my laptop because it couldn’t boot via the battery, and looked at our team of 7. Many of the members of our team knew each other previously, and they quietly pointed out several things to each other about their environments, tools, etc. I was introduced to everyone, and we made friendly conversation as we waited.

A man stood up at the judges’ table and began speaking with a heavy Dutch accent. He talked about how this was the first time OWASP had put together what they decided to call the “University Challenge”. The rules were laid out, and the competition was outlined. It consisted of two portions: offense and defense.

Defense was basically just an analysis of a PHP web application. The source code was presented, and the teams were given the duration of the competition to write up a summary on the program. This summary was to include what changes your team would make, and how they presented viable security threats.

Offense was what the competition primarily focused on. We were to complete challenges or “tasks”, and they were ranked from level 1 to 3 in difficulty. The first team to finish a task was given the maximum points. The other teams were still allowed a chance to finish the tasks, but they were awarded fewer points on completion.

Level 1 tasks ranged from finding hidden messages in an image via a hex editor to decrypting a string that used a particular algorithm. Level 2 tasks were advanced challenges: exploiting some client-side code, finding injection vulnerabilities, or capitalizing on various types of cross-site scripting.

Level 3 tasks encapsulated an entire security scope. For example, I remember one task was deobfuscating an exploit kit. Another task was building some code that could handshake with a live, vulnerable version of OpenSSH. All of them were time and research intensive. They required collaboration between different branches of skills and/or domains of knowledge.