If you’re reading this, it means you’re interested in the Standoff cyberbattle. This document is aimed primarily at those who are dreaming of or planning to participate in Standoff for the first time. However, I’m sure that experienced players can also benefit from reading, as even the smallest piece of a colleague’s experience might give a winning advantage in a cyberbattle.

The experience described in this text belongs entirely to the Cult team. If your own experience differs in some way, the entire community and I (captain of the Cult team — N3m351d4) would love to learn how your team participates in Standoff.

One of the misconceptions that puts off potential newcomers is the belief that teams are doing something incredibly complex. This is completely false: in reality, solving any task requires knowledge that an average security analyst possesses, and a good third of the tasks could even be tackled by a student with experience in CTF and fixing vulnerable machines on any available platform. Victory is possible, but be prepared to put in the effort. My team achieved excellent results thanks to the aggregation of information and knowledge sharing over several years. This goes to show that nothing is impossible!
Let’s look at what the cyberrange is made up of, what you need to know to hack it, how to implement non-tolerable actions, and how to begin the path to becoming the strongest hacker.


@n3m351da
Captain of the Cult team

Hello!

The systems deployed on the cyberrange are in many ways similar to the infrastructure of the Standoff cyberbattle. Therefore, I strongly recommend familiarizing yourself with them.
The developers designed the cyberrange to model a state or several states, made up of various virtual companies and economic sectors. Most sectors on the range are crucial for real-world states: such infrastructures or parts of them can be classified as critical information infrastructure (CII).

One critical sector is energy. On the cyberrange, an example of an energy company is HighTechEnergy.

As in real life, the company’s infrastructure in the virtual state can consist of several externally accessible web applications, such as a website and web services for employees and customers. Additionally, the organization may have its own mail server, CRM system, and file storage accessible via corporate VPN. Don’t forget about users — their workstations often share a single domain for easier administration. Users themselves have different positions and privileges, including access to network corporate resources.

While company infrastructures may be similar, the technological segment is always unique. Unauthorized access to it will lead to the most significant critical events, affecting the well-being of the entire virtual state.

The image above shows a schematic diagram of a virtual office: external and internal perimeters, as well as user, server, and technological segments.

What the cyberrange consists of

Figure 2

The external perimeter of the cyberrange during competitions can be presented in various ways. Let’s consider the two most common variants:
— Classic — similar to the external perimeter of companies on the Standoff cyberrange (Figure 2). It can be represented by several exploitable web applications, among which there will definitely be a company website and a VPN server (for connecting employees to the internal network).
— With gateways (Figure 3). A gateway is a server with one or more web applications that has network connectivity with the internal network (the classic variant may not have such connectivity).

Depending on how the external perimeter is organized, the number and types of initial access paths change. Next, we’ll look at which attack vectors apply to each scheme.

External perimeter and its variants

If the perimeter is organized in the first, classic way, the following event scenarios may unfold (Figure 4).

First option: Gather information from the web services of the external perimeter. There you can find VPN configurations and domain users' email addresses for connecting to the internal network. Additionally, using the information obtained, you can conduct a phishing attack: send emails from an account provided by the organizers. After this, initiate a VPN connection to the internal network.

Second option: Collect information (email addresses) from the external perimeter servers and follow up with a phishing attack that delivers a payload, enabling reverse connection from a company employee’s computer.

If you encounter an infrastructure with gates, one of the most obvious attack vectors will be remote code execution (RCE) on the gate and establishing a tunnel into the internal network.
It should be noted that when gates are present on the external perimeter, the organizers do not provide participants with accounts for phishing. Accordingly, to carry out a phishing attack, you will need to gather information, brute-force credentials, or perform other manipulations to gain access to the mail server and subsequently send emails.

How to penetrate the external perimeter

Let’s imagine you’ve selected a company to attack, read its description, and learned that the scope of the external perimeter looks like the figures below.

If you are given an IP address range, it makes sense to first determine which nodes are active, and then find the open ports and available network services. This way, reconnaissance of the external perimeter will proceed faster. If the external perimeter contains a set of known IP addresses, you can immediately start searching for open ports and identifying the services.

Often, before the cyberbattle begins, the organizers give teams files with the results of external perimeter scans using the nmap utility to reduce the load on the network. If you are provided with such a file, you can immediately start gathering information and looking for vulnerable services, skipping the reconnaissance phase. Unfortunately, the external perimeter might slightly change the next day, requiring you to scan again.

What utilities should you use for network reconnaissance? There are numerous open-source scanners you can download or find in distributions like Kali Linux. For example, you can scan the network, search for open ports, and identify services using the following tools:
• nmap (and other software based on it, such as Zenmap). It is extremely popular among pentesters and has an extensive array of parameters for any scenario.
• masscan .
Before scanning the network, it’s essential not only to select the right parameters but also to set a limit on the number of requests the scanner sends per second, or you might get blocked. "Our Little Secret"

Network reconnaissance and port scanning

Once you have a list of IP addresses, open ports, available services, and their versions, you can proceed to gather more information:
— If you have access to a web server, search for additional information on it. For example, gather email addresses listed on the site to carry out a phishing attack later. Additionally, try to find hidden pages and directories of the web service using brute force — tools like dirsearch, gobuster, and their numerous alternatives will help you here. This way, you can identify potentially important files for triggering critical events, information about the version of the web service and its plugins, the server version, and other data.
— If you come across services operating over protocols like SMB or FTP, you can try to gain anonymous access or carry out a brute-force attack on the passwords (for instance, using Hydra).

At the initial stage, you can identify known vulnerabilities and exploits based on the information about the service versions obtained from the scan results. To do this, use:
— Exploit Database — a website that stores exploits for some vulnerabilities (or SearchSploit, its command-line version).
— The cve.mitre.org website or its alternatives.
— Search queries that contain the name of the software and its version: Wing Ftp server 4.3.8 exploit, Wing Ftp server 4.3.8 CVE, and so on.

After discovering a vulnerable service and an exploit, you can, for example, remotely execute code (RCE) on the node you are attacking. However, not all vulnerabilities can be exploited this way. Next, we will explore finding and exploiting non-version-based flaws in web applications.

Gathering information and searching for vulnerable services

Now, let's imagine we have a web service that does not contain version-based vulnerabilities. You need to test it to either confirm it has no vulnerabilities or discover a flaw and exploit it.

The first option is also important: services may be deployed for gathering information or other interactions.

Exploiting web vulnerabilities can earn points, affecting your position in the leaderboard. The figure below shows a list of vulnerabilities that the jury accepts reports on.

A little about each type listed:
— Path Traversal — frequently encountered on the cyberrange and relatively easy to exploit.
— SQLi — second in frequency in my personal ranking. Usually, it can be exploited by intercepting a request to the service using Burp Suite and leveraging sqlmap.
— SSRF and XXE — very rarely encountered on the cyberrange.
— RCE — executing code on the target device often becomes possible during the exploitation of a chain of vulnerabilities (for instance, you found SQLi and used it to execute code).
— LPE — in turn, exploiting this vulnerability is impossible without first executing code (that is, without RCE).

How to find such vulnerabilities can’t be summarized in just a few words. You can read about what they are on the OWASP website. You can also familiarize yourself with the OWASP Web Security Testing Guide methodology for testing web applications. You will also certainly need:
— The Burp Suite platform — for testing applications.
— Web Security Academy (PortSwigger) — for skill training.
— The sqlmap tool — for SQL injection (of course, with a limitation on the number of requests sent).
— The LinPEAS and WinPEAS scripts — for finding local privilege escalation (LPE) vectors in systems.
— The minimum knowledge and experience of searching for web vulnerabilities can be obtained by participating in bug bounty programs (for example, on platforms like CTFlearn, Root Me, Standoff Bug Bounty, and TryHackMe).

Finding and exploiting web vulnerabilities

If you managed to exploit an RCE or LPE vulnerability on one of the external perimeter nodes, it makes sense to determine:
— User files (keys, documents, scripts, VPN configurations)
— Running services (for example, discovering an SQL database might allow you to obtain credentials for spraying)
— Network interfaces and their connections to other networks (for example, an external perimeter web server, such as a "gateway," will likely have access to a subnet that was previously inaccessible to you — you could scan it, deploy a proxy server, and gain access to new servers).

Post-exploitation on external perimeter nodes

As mentioned earlier, sometimes it's possible to gain access to the internal network through external perimeter nodes. In addition to this, phishing mechanics are implemented on the cyberrange in two forms:
— Participants receive accounts on an external mail server, from which to carry out attacks.
— Credentials are not provided, and phishing attacks are conducted from a mail server in the internal network.

To send phishing emails, you need to first find the domain email addresses of the users. Usually, they have the form g_loves@city.stf, where "g" is the first letter of the user's name, "loves" is the surname, "city" is the company name, and "stf" is a recurring top-level domain. These addresses are often gathered from nodes on the external perimeter.

When emails are sent from the internal network mail server, you not only need to know the email addresses but also the passwords to log in to the client and send emails. The passwords for accounts found on the external perimeter are often simple and can be dictionary-attacked.

Before the battle, organizers usually provide participants with a dictionary to speed up the password-cracking process and reduce the network load.

If you send an email to a correct address, a bot will respond. The bot's replies depend on whether the attachment was opened and executed. If the bot writes that it doesn't see the attachment, it means you attached the wrong file format or something is wrong with the payload. If the bot replies that the email was what it expected or that it received the file and everything is working, it means the bot managed to open your email and execute the payload. If the bot doesn't respond within 10 minutes, it might be worth contacting support to check whether the bot is working correctly and whether that user is supposed to be reading emails (not all do).

Next, we'll explain how to create an email with an attachment for phishing on the cyberrange.

Phishing mechanics

A phishing email should contain a payload that allows a command to be executed on the target company employee’s computer. On the cyberrange, bots can open emails with various malicious payloads, which could be a file, a link, or a plugin.

Let’s consider the creation of a malicious payload using Microsoft Word DOC files, which are most commonly used for phishing. These files support macros that can execute code on the victim’s computer, provided they enable macro execution.

There are many ways to create macros: you can write them yourself or use tools to generate them (for example, msfvenom and macro_reverse_shell). The macro_reverse_shell script is also popular for generating phishing macros. When running it, you need to specify your device’s IP address and the port on which you will be listening for incoming connections, deploy a listener on the specified port (using nc, for example), and send the phishing email with the macro to the target address. If everything is done correctly, you will gain access to the virtual company employee’s computer.

You can test the tips and scripts on the Standoff cyberrange. Keep in mind that an antivirus (Windows Defender) operates on new cyberrange segments. However, over time, other users might disable it, and you will face fewer challenges than at the Standoff competition.
Next, we will consider how to prepare a payload that bypasses antivirus detection.

Generating phishing

In competitions, we often encounter antivirus solutions on target nodes, so it is essential to pre-test phishing documents to check they won’t be detected. There are a few ways to do this. First: submitting them to the VirusTotal website. This allows you to see how many antivirus programs will classify your file as malicious and, accordingly, block it. Second: testing in a real system. This is the preferred option, as the created conditions fully correspond to the target ones, allowing you to debug and test the code’s functionality.
It is essential that virtual machines do not have internet access during testing. This is necessary to prevent Windows Defender from sending payload samples to the server.

Testing proceeds as follows:

1. Deploy two virtual machines and configure a network between them. If you’re testing phishing for Windows, one of the virtual machines should be a Windows system, and the other should be an attacking system from which the connection will be established.
2. Create a document and embed the generated macro with the port and address of the attacking virtual machine, where a listener is deployed.
3. Open the document and allow the macro to run.

Ideally, a reverse connection with the attacking virtual machine will be established. But if this doesn’t happen and an antivirus notification appears on the target virtual machine, the payload needs to be modified.

To bypass antivirus, you can:
— Find alternative scripts to generate the payload.
— Write obfuscated code yourself.
— Search for macro obfuscators on the internet and GitHub.

Once the payload works on the target machine, you can test it on a system with internet access. Here are some articles describing the antivirus bypassing process:
— Malicious VBA Macro’s: Trials and Tribulations — an article on generating phishing payloads followed by macro obfuscation using EvilClippy and macro_pack and bypassing antivirus.
— VBA Obfuscation — a collection of utilities for obfuscating macros.
— MS Word Macros with Powercat Reverse Shell — a detailed example of creating an email with a malicious macro for earlier versions of Windows.

By referring to the articles above and searching for similar topics online, you can find many methods for bypassing antivirus software, particularly Windows Defender.

It’s important to understand that finding a working obfuscator or macro generator is a challenging and resource-intensive task: as soon as new software becomes publicly available, antivirus developers work to neutralize its effects.

Bypassing antivirus

This section gave a simple outline of an internal perimeter. The basic infrastructure of most companies looks something like this. However, you may encounter more complex infrastructure. For example, in the banking sector, different bank branches may have multiple domains with different user, server, and "technological" segments.

Internal perimeter

The internal perimeter of a virtual company or industry is often divided into the following segments (Figure 9):

Server Segment — contains corporate resources where you can find vulnerabilities or artifacts for implementing critical events or information necessary for further network progression. It includes:

○ File Server — where files related to critical events (such as confidential document leaks) or credentials and other artifacts may be found.
○ CRM System for Finance or HR — such a server may contain information related to critical events (such as data leaks of employees or financial information) or vulnerabilities that can earn points.
○ Mail Server — often mentioned in reports on critical events as it used for phishing attacks, one of the most important steps in infiltrating a virtual office network. Some versions of mail servers may also have known vulnerabilities.
○ GitLab Server — if you see GitLab or another development platform, try not only to exploit known vulnerabilities but also to gather information (such as credentials) left in the service code.

User Segment — consists of the workstations of virtual company employees. In the domain, there are groups of users with different rights:
○ HR — users whose email addresses can be found on the external perimeter. They often have simple passwords, crackable by brute force. They don’t have special rights in the domain, but their password may work for an account on the company’s HR portal.
○ Finance Department — the credentials of these users can be used for spraying attacks on CRM platforms related to the company’s financial transactions.
○ IT Department — employees of this department may have privileged accounts on servers and services related to software development. "Ghost Farm"
○ Administrators — administrator accounts can be of three types:
■ Workstation Admin (WSAdmin) — with unrestricted access to users' workstations.
■ Server Admin (SRVadmin) — with unrestricted access to domain servers (note that some servers may not be part of the domain, such as Exchange and SharePoint in Windows, and Axelor and Dolibarr in Linux).
■ Domain Admin — the most privileged account in the domain.
○ SCADA Engineers — users who have network access to the technological segment.
○ Director — it’s worth searching here for confidential documents for implementing critical events or data to access network resources restricted to other users.

Technological Segment — provides access to SCADA servers and programmable logic controllers (PLCs). Critical events implemented in this segment are more dangerous than others because the emulated systems are cyberphysical: if an attacker gains access to the PLC in real life, it could cause physical damage to industrial equipment and potentially lead to a technological catastrophe.

Most company infrastructures consist of a Windows domain, several Linux servers, and a technological segment (a Windows workstation not joined to the domain, and a PLC). More about Active Directory penetration can be found online (for example, the article Active Directory Methodology).

Not too long ago, Standoff competitions began to feature domains consisting of Linux workstations. Such domains are built using FreeIPA — software whose functionality is similar to Active Directory in Windows.

Active Directory structure variants

In subsection 1.1.1, we described attack vectors that can be used to penetrate a company’s internal perimeter. Let’s look at what knowledge and tools you might need once you’ve successfully carried out a phishing attack and gained access to an HR employee’s workstation. "The Path to Enlightenment"

How to penetrate the internal perimeter

To collect additional information from the workstation for further movement within the perimeter, you can attempt to escalate privileges. You will need:
— A pre-collected set of exploits for escalating privileges on various Windows versions, such as tools with "Potato" in the name (they often work well on the cyberrange)
— The WinPEAS utility for finding privilege escalation vectors
— Collections of materials and checklists available online for Windows local privilege escalation (for example, Checklist — Local Windows Privilege Escalation).

Privilege escalation

If you've managed to escalate your privileges on a node — that's great! You can now gather as much useful information as possible. You will need:

Mimikatz — to extract passwords and Kerberos tickets
BloodHound — to search for lateral movement vectors in Active Directory
Built-in Windows commands (more details in the article Information Gathering — Windows)
SauronEye — a tool for a quick data search in the Windows file system. On the workstation, you can search for file formats:
○ KDBX (KeePass) — these may contain passwords
○ DOC, DOCX, TXT — potentially contain user notes and other artifacts.

Not every node offers the opportunity for privilege escalation. Even if you didn't succeed, it's still worth searching the file system.
Keep in mind that if an antivirus is enabled on the node, it may recognize some of the listed tools, detect them as malicious, and limit your interaction with the system.

Collecting data on a node

Users with different roles may have varying network visibility and access rights. For example, from the SCADA engineer's workstation, you can gain network access to the technological segment, and from the gateway on the external perimeter — to the server segment. To connect to a network resource that can only be accessed from a specific workstation, pivoting is required (for example, using Chisel).

For lateral movement, password spraying is also used: this requires credentials and hashes gathered when collecting information, using Mimikatz, for example. Spraying is possible if the standard service ports of PsExec, WinRM, and protocols like SMB or RDP are available in the target system.

Don't forget that some users' credentials allow administrative privileges on non-domain Linux servers. This can be used, for example, to exploit vulnerabilities like Authenticated RCE.

If you have developer credentials, it makes sense to attempt password spraying on the GitLab platform.
Examples of other lateral movement methods in Active Directory can be found in the article Lateral Movement.

Pivoting and lateral movement

As you complete tasks on the cyberrange, the number of nodes you've gained access to will increase. To maintain previously acquired access, quickly set up a proxy server for pivoting, and run automated tools on the nodes, Command and Control (C2) servers are used.
One of the most well-known C2 frameworks is Metasploit. You may have encountered it in the Kali Linux distribution. With Metasploit, you can switch between the nodes you have access to and execute commands on them.

Deploying a framework and setting up infrastructure for it is no simple task. You will need to:
— Select a C2 framework — for example, Sliver, Mythic, or Cobalt Strike. Not all tools will work perfectly with your operating system. Test each of them and choose the one that works best.
— Set up the infrastructure for the framework (more details can be found in the article What is Command and Control? Description of management and control infrastructure).
— Check if the antivirus in the target system detects the load generated by the framework. If it does, take measures to bypass detection, as described earlier.
If you find the C2 framework lacks certain functions "out of the box," modify it yourself.

Using C2 infrastructure

Earlier, we discussed how, while navigating through internal infrastructure, you might reach the technological segment of an enterprise and execute a critical event within it. For example, stopping the operation of a hydropower turbine or disrupting the functioning of a blast furnace.

Cyberphysical systems usually consist of two parts. These are:
— A node, usually running Windows, hosting the SCADA system —a specialized software for monitoring and controlling industrial controllers.
— An programmable logic controller (PLC), which controls the technological equipment of the virtual enterprise.

Credentials for the virtual machine hosting SCADA are scattered across the infrastructure in the form of artifacts: files, passwords from repositories, and password managers.

Among the materials provided by the organizers before the competition, there’s a high probability you’ll find a list of SCADA systems and controllers installed in various segments of the cyberrange, along with their versions and manufacturers. Using this information, you can familiarize yourself with the technical documentation in advance and find relevant exploits online.

The diagram below shows several vectors for executing a critical event in the technological segment.

ICS

If you've managed to access the device running SCADA, consider the following vectors for executing a critical event:
— Using default or "empty" credentials to log in to the SCADA interface.
— Escalating privileges in the system, finding credentials in configuration files, and using them for further authorization.
— Modifying configuration files and changing the SCADA password, if possible without escalating privileges.

If you change the configuration or password, report this to the organizers or reset the system yourself to its original state.

SCADA

If you can’t access the SCADA interface, you may be able to reach your goal by directly interacting with the PLC. In this case, you can consider the following attack vectors:
— Connect directly to the controller and modify the firmware using special software (often provided by the manufacturer on the official website).
If you change the firmware or the controller’s configuration, inform the organizers or restore the system to its original state yourself.
— Log in to the controller’s web interface and then send it the STOP command.
— Send the STOP command using a special network protocol (the final step in executing critical events that involve "shutdown," such as "hydro turbine shutdown").
— Send the FORCE command after logging in to the controller using a special network protocol (the final step in executing critical events with "emergency" in the name).

Not all critical events require production shutdown. "Art Appreciation". In some cases, to cause a specific type of emergency, you need to edit particular configuration settings of the ICS.

Controller

We’ve reviewed some types of attacks that can be carried out on the cyberrange. And this is just a small part of what a hacker needs to know and be able to do, whether participating in competitions or performing a cybersecurity audit.

The path to system compromise, for example, exploiting RCE, LPE, or executing a critical event, often consists of a series of steps. The MITRE ATT&CK Matrix describes the tactics and techniques used by attackers. Tactics are divided into columns by cyberattack stages — from reconnaissance and initial access to data exfiltration from the corporate network.

The Standoff 365 website presents the MITRE ATT&CK Matrix for Standoff 13. Here you can filter techniques included in the tasks on the cyberrange — accounting for more than 76% of the total. Before the competition, we strongly recommend studying this matrix, making sure you’re familiar with most techniques, and striving to fill in any gaps (Figure 11).

MITRE ATT&CK matrix and additional knowledge

During the competition, you will interact not only with the virtual infrastructure but also with the Standoff 365 portal.

Interaction with the cyberrange

To participate in the competition, you must apply. You should have an account on the Standoff 365 website, along with a group where you add team members, with a logo and description (Figure 12).

Once your application is accepted, all sections and materials will become available on the cyberbattle page:
— VPN configuration file (Figure 13)
— Additional resources — password cracking dictionaries, accounts, and bank details
— Task descriptions

Interacting with the Standoff 365 portal

Before the competition, clarify with the organizers which protocol will be used to connect to the infrastructure. Ensure that the team members' internet providers do not block it.

There are two types of tasks: vulnerability detection and critical event implementation.

There are two ways to earn points for a discovered vulnerability:
1. Submit a flag on the portal (submit an auto-checked report) — flags are found on nodes in the external perimeter (gates, as mentioned earlier). Learn more about capturing a flag on an exploited node in the article How to earn points on the help portal.
2. Write a vulnerability report for the jury — if the node is within the internal perimeter (DMZ).

The report must include a screenshot demonstrating the exploitation of the vulnerability, or some other proof. An example of my vulnerability report for Path Traversal is shown below (the screenshot shows the server response with the content of the /etc/passwd file). Possible evidence depending on the type of vulnerability:
— SQL injection — a screenshot with the database content
— Remote code execution (RCE) — output of the whoami and hostname commands
— Local privilege escalation (LPE) — output of the whoami and id commands

How to submit vulnerability reports

On the critical event page, there are two tabs: "Description" and "Task." To correctly understand what is required, I recommend carefully reading the content of both tabs.

To implement a critical event, you should first read the description of the segment and the event itself. Since the task does not specify the exact addresses of the required nodes, it is important to correctly interpret the text. You can usually understand if the node is related to a web application, a device from the DMZ, or a SCADA system. Sometimes the description provides the position and name of the target user.

For instance, if the task mentions leaking employee personal data from the ERP system, you can assume that this system is in the internal perimeter, in the server segment. It will be accessible to users responsible for hiring employees. If the task states "Gain access to the chief accountant’s computer," you can infer that attention should be paid to the user segment. If the task is to stop the operation of a hydroturbine at a hydroelectric power station, you’re going to be looking at the technological segment of the network.

You can read more on the Filling in steps section of the help portal to learn how to fill out reports on critical event implementations and the common mistakes made.

For each step in the report, there is a large form (Figure 15). Filling it out is quite tedious and time-consuming, so be patient. "The Devil’s Due"

How to submit critical event reports

Below is a correctly written report from our team on the critical event "Office Employee Personal Data Breach."

Due to the large number of hackers attacking the infrastructure during the competition, some servers may go down, and web services may become unresponsive. In such cases, you should contact technical support to confirm whether the node with the task is functioning correctly.

Issues and support

To participate in the competition, follow these steps:

How to join the competition

Keep an eye on the Standoff 365 Telegram channel for announcements about upcoming battles and the opening of application submissions.
Create a team logo, come up with a description for your team, and be ready to talk about your achievements and motivation to participate in Standoff.
Assemble a team of 10 people (or find at least 10 people who can commit time to join you in Standoff).

We’ll talk about teams later, but for now, let’s discuss the competition rules.

Since Standoff is one of the largest cyberbattles I know of, the rules are also quite extensive. You can familiarize yourself with them on the Standoff 365 help portal or on the page of the announced cyberbattle.

If your team is participating in the cyberexercises, you will receive a PDF file with the Standoff rules and an invitation to a meeting with the organizers. During this meeting, they will explain the battle and answer your questions. It’s important to note that all team members should not only read the provided information but also understand it. The team captain must ensure this.

Remember, during the competition, you are not allowed to remove or stop services, interfere with other teams, or share solutions with them. Avoid generating too much traffic with automated tools. On the battlefield, there are hardly any tasks that require aggressive scanning (for example, using Acunetix or Invicti). The skill of manually finding vulnerabilities will greatly help you not only in Standoff but also in your professional career. Reducing the traffic generated during pentesting will give you an advantage in stealth. Moreover, you’ll demonstrate that you’re capable of more than just pressing the "Start" button.

Before the competition starts, you will receive the results of the external perimeter scan of the infrastructure. This means you can skip the reconnaissance phase in the first hours of the battle and immediately begin working on the tasks. If you generate too much traffic, the organizers may limit your VPN channel’s bandwidth, or even penalize you. Be careful.

Competition rules

A team of 10 people is required to participate. How do you assemble such a team? To do this, you’ll need to:

— Invite colleagues, classmates, or post in relevant channels and chats — preferably with a list of requirements for participants
— Ensure that your team includes people who are proficient in:
○ Exploiting web vulnerabilities and escalating privileges in Linux
○ Exploiting Active Directory, escalating privileges in Windows, and moving laterally within the perimeter
○ Creating malicious attachments for phishing and bypassing antivirus software (such as Windows Defender)
○ Using C2 frameworks like Metasploit or Cobalt Strike

To be certain that there will be 10 people in your team during the competition, make sure they request time off work, take vacation days, or get leave from studies. Also, ensure you have a few backup players. In my team, there were unforeseen circumstances, and at a critical moment, up to 7 people were absent.

Teams

Game preparation checklist from Cult

For the last Standoff, we prepared for three months, for the one before — one month, and for the next one, we’ve started preparing six months in advance. The longer the preparation period, including planning, discussing strategy, and memorizing the action plan, the lower the chances of team members getting flustered. The captain should consider the fact that people react differently. For example, one person may ask questions if they are unsure, while another may be too shy to admit they are struggling, which could worsen the situation. It’s essential to get to know each team member well and establish strong working relationships in advance.

Working on tasks together will help you assess the level of teamwork. You can do this on any platform, but preparing on the Standoff cyberrange will give you an advantage, as similar tasks might appear in the competition. At first, you may feel like the classic Russian fable characters — the swan, the crayfish, and the pike ("there's no unity among companions"). The captain should analyze why this happens and develop action plans for any situation.

To avoid chaos during the battle, you need to decide in advance on the methods and order of communication. According to the rules and general concept of the game, there are always several technological segments in the cyberrange, and the main types of tasks involve finding vulnerabilities and implementing critical events. Therefore, it’s a good idea to create a Discord channel or Telegram chat with a special structure to organize the discussion of various tasks.

A knowledge base with convenient search and navigation is the most valuable asset a team can have. It should include one-liners (for example, for shell access, file searching for further network penetration, proxy server deployment), task write-ups from the Standoff cyberrange, battle rules, a list and descriptions of teams, and a list of useful resources. "Become an initiate". The knowledge base should not be overloaded, and the texts should be concise and understandable for any team member.

You already know that at the start of the cyberbattle, you will receive external perimeter scan results from the organizers. Let’s assume there are 50 nodes with web applications. How can you avoid getting lost in what needs to be done, what has been completed, and where there are issues? I recommend using any collaborative platform from my presentation on Talks (Collaborative Platforms for Vulnerability Analysis). You don’t need to use all its features. It’s enough to tag the person responsible for a node next to the IP address.
Besides web applications, you will have to deal with Active Directory.
To visualize the domain structure and logical connections within it, you will need BloodHound. The tool can be used locally or deployed on a server for all team members.

To gain a broader perspective on the competition, it’s a good idea to review write-ups and articles from other teams. Some teams openly discuss breaking the game rules (changing ports, cutting off other players' connections, changing system passwords), but it’s best not to follow their example. Just take note of the information. Additionally, such write-ups may include examples of solved tasks and diagrams of networks and segments.

Typically, phishing in Standoff involves sending a "resume" to an HR group user. Notably, antivirus is running on the nodes, though other teams may occasionally disable it. Before the competition begins, prepare several payloads that can bypass antivirus. Well-timed phishing emails can give your team a significant advantage.
It’s also advisable to have a C2 server. The internal network has many nodes, and such a server will greatly simplify lateral movement.

We have already mentioned a significant number of tools that should be deployed and tested before the competition. If your team is building this kind of infrastructure for the first time, be sure that you won’t get banned, that nothing unnecessary is exposed on the internet, and that Chinese scanners can’t detect you;)
Find out from the organizers in advance what technology is used to connect to the infrastructure so you can ensure your team members' internet providers do not block the protocol.

Before the game, decide on the order of your actions. As soon as everyone connects to the cyberrange, there might be availability issues. Therefore, it’s best if some team members send phishing emails to each company on the range within the first few minutes. Other free members specializing in web applications can start addressing tasks on the network’s external perimeter. As you progress into the internal network and discover web services there, you can pivot people from working on the external perimeter to the internal perimeter.

Enter your username and the seven Easter eggs hidden in the guide to get an exclusive achievement badge on the platform.