Company
Date Published
Author
Bugcrowd
Word count
1990
Language
English
Hacker News points
None

Summary

The Bugcrowd-sponsored UMass Amherst Cybersecurity Club CPTC team completed the Collegiate Penetration Testing Competition (CPTC), finding vulnerabilities in a mock social media company's network and presenting a report of more than 90 pages. UMass Amherst, one of the top 12 universities worldwide to reach the Global Finals, won the competition. The team's main lessons were that communication, networking, and report writing matter as much in cybersecurity as technical skill, and that these skills have to be practiced both in competitions and on real engagements.

On the technical side, the team exploited a local file read vulnerability that exposed credentials stored in environment variables and gave access to sensitive data in the company's PostgreSQL container. The recommended fixes are to stop the application from reading arbitrary local files (canonicalize user-supplied paths and confine them to the intended directory), to keep credentials and other secrets out of environment variables, and to restrict network access to the PostgreSQL port to the hosts that need it.

The team also compromised an entire domain by chaining Kerberoasting with a constrained delegation abuse, showing how Active Directory misconfigurations compound. Recommended mitigations are long, complex passwords for service accounts, rotated every 30 days; AES encryption for Kerberos tickets, so that service tickets are not issued with RC4, which is far faster to crack offline; Group Managed Service Accounts, whose passwords are generated and rotated automatically; and resource-based constrained delegation in place of classic constrained delegation.
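The local file read and its fix, as an added example that is not code from the Bugcrowd post or from the CPTC target. It assumes an application that serves files under a document root from a user-supplied name, with the PostgreSQL password sitting in the process environment (the situation the "no secrets in environment variables" advice addresses). The environ file is constructed to mimic /proc/self/environ; nothing is read from the real /proc.

```python
"""Local file read: the vulnerable handler beside a hardened one.

Added example, not code from the Bugcrowd post or the CPTC target.
Assumptions: files are served under a document root from a user-supplied
``name``; the database password is in the process environment. The environ
file below is constructed to look like /proc/self/environ.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional


def read_file_vulnerable(doc_root: str, name: str) -> bytes:
    """Joins the user input onto the document root with no validation.

    ``../`` segments walk out of the root, and an absolute ``name`` such as
    ``/proc/self/environ`` replaces the root entirely (os.path.join semantics).
    """
    return Path(os.path.join(doc_root, name)).read_bytes()


def read_file_hardened(doc_root: str, name: str) -> bytes:
    """Canonicalizes the requested path and refuses anything outside the root.

    ``resolve()`` collapses ``..`` and follows symlinks, so a link inside the
    root that points outside it is rejected too. The containment check runs
    before any read happens.
    """
    root = Path(doc_root).resolve()
    target = (root / name).resolve()
    if root not in target.parents:
        raise PermissionError(f"path escapes document root: {name!r}")
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_bytes()


def extract_env_var(environ_bytes: bytes, key: str) -> Optional[str]:
    """Pulls one variable out of /proc/<pid>/environ-style NUL-separated data."""
    for entry in environ_bytes.split(b"\x00"):
        k, sep, v = entry.partition(b"=")
        if sep and k.decode("utf-8", "replace") == key:
            return v.decode("utf-8", "replace")
    return None


def demo() -> dict:
    """Builds a constructed layout and runs both handlers against traversal input."""
    base = Path(tempfile.mkdtemp())
    public = base / "public"
    secret = base / "secret"
    public.mkdir()
    secret.mkdir()
    (public / "index.html").write_bytes(b"<h1>hello</h1>")
    # Constructed stand-in for /proc/self/environ (NUL-separated KEY=VALUE pairs).
    (secret / "environ").write_bytes(b"PGHOST=db\x00PGPASSWORD=hunter2\x00PGPORT=5432\x00")

    traversal = "../secret/environ"
    leaked = extract_env_var(read_file_vulnerable(str(public), traversal), "PGPASSWORD")

    try:
        read_file_hardened(str(public), traversal)
        blocked_rel = False
    except PermissionError:
        blocked_rel = True
    try:
        read_file_hardened(str(public), "/proc/self/environ")
        blocked_abs = False
    except PermissionError:
        blocked_abs = True

    legit = read_file_hardened(str(public), "index.html")
    return {
        "vulnerable_leak": leaked,
        "hardened_blocked_relative": blocked_rel,
        "hardened_blocked_absolute": blocked_abs,
        "hardened_legit": legit,
    }


if __name__ == "__main__":
    print(demo())
```

The containment check compares resolved paths rather than string prefixes, so a root of `/srv/app` does not accidentally admit `/srv/app-secrets/...`. Even with the path fix in place, the secret should not be in the environment at all: anything that can read the process environment, including a crash dump or a debugging endpoint, gets it.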
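The Kerberoasting detection that the AES and gMSA recommendations are aimed at, as an added example that is not from the Bugcrowd post. It assumes the fields Windows writes for a TGS request in Security event 4769 (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) plus a `time` key standing in for the event's TimeCreated; all records are constructed. The rule flags one account requesting RC4 (0x17) service tickets for several distinct non-machine service accounts inside a short window, and the second function lists which services are still being issued RC4 tickets, which is the remediation list.

```python
"""Kerberoasting detection over constructed Windows Security event 4769 records.

Added example, not from the Bugcrowd post. Field names follow the 4769 event
data; ``time`` is an assumed stand-in for the event's TimeCreated.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = "0x17"    # etype 23: the ticket type an attacker asks for to crack offline
AES128_CTS = "0x11"  # etype 17
AES256_CTS = "0x12"  # etype 18

# Constructed sample: jdoe requests RC4 tickets for several service accounts in
# a few seconds, asmith makes a normal AES request, bjones stays below threshold.
SAMPLE_4769: List[Dict[str, str]] = [
    {"time": "2024-03-01T10:00:01", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-03-01T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-03-01T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-03-01T10:00:03", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-03-01T10:00:03", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-03-01T10:00:04", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_ftp", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-03-01T10:05:00", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
    {"time": "2024-03-01T10:06:00", "TargetUserName": "bjones@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
    {"time": "2024-03-01T10:06:30", "TargetUserName": "bjones@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
    {"time": "2024-03-01T10:40:00", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
]


def _is_roastable_service(name: str) -> bool:
    """Machine accounts (trailing $) and krbtgt are not Kerberoast targets."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoasting(events: List[Dict[str, str]], threshold: int = 3,
                         window: timedelta = timedelta(minutes=5)) -> Dict[str, List[str]]:
    """Returns {requesting user: distinct RC4 services} for users over the threshold.

    Sliding window per user over RC4 requests for roastable services; a user is
    flagged when any window holds at least ``threshold`` distinct services.
    """
    per_user: Dict[str, list] = defaultdict(list)
    for e in events:
        if e["TicketEncryptionType"] != RC4_HMAC or not _is_roastable_service(e["ServiceName"]):
            continue
        per_user[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), e["ServiceName"]))

    alerts: Dict[str, set] = {}
    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = {svc for _, svc in reqs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.setdefault(user, set()).update(distinct)
    return {user: sorted(svcs) for user, svcs in alerts.items()}


def rc4_ticket_services(events: List[Dict[str, str]]) -> List[str]:
    """Service names that were issued RC4 tickets: the list to fix by setting
    AES-only msDS-SupportedEncryptionTypes or migrating the account to a gMSA."""
    return sorted({e["ServiceName"] for e in events if e["TicketEncryptionType"] == RC4_HMAC})


if __name__ == "__main__":
    print(detect_kerberoasting(SAMPLE_4769))
    print(rc4_ticket_services(SAMPLE_4769))
```

The RC4 filter is what makes the rule low-noise: once service accounts are AES-only (or gMSAs, whose 120-character random passwords rotate on their own), a Kerberoast attempt still shows up in 4769 but the ticket it yields is not worth cracking. Tune the threshold to the environment; a user that legitimately touches many SPN-bearing services in five minutes will need an allow-list entry.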