CMU hacking team competes in pentesting world finals
Daniel Tkacik
Feb 10, 2022
An elite team of Carnegie Mellon students competed in the Collegiate Penetration Testing Competition (CPTC) world finals last month. The competition pitted cybersecurity’s brightest students against one another to flex their technical, business, and communication prowess.
During the competition, 15 qualifying teams played the role of consultant for Le Bonbon Croissant, a fictional candy and croissant chain and direct sales company based in France. Its operations included warehouse distribution facilities, business-to-business and business-to-customer eCommerce, and a rewards/gift card system. Teams were tasked with penetration testing the company’s computer systems, writing up a formal report, and presenting their findings.
“A big lesson we took away from the competition is how to communicate technical findings to someone who doesn’t care about the technical details,” says Sears Schulz, an MS student in the Information Networking Institute (INI) and the team’s captain. “Many company executives don’t care about the technical details, they care about the wellbeing of their company.”
Other students on the team included Bendie Minu, Wil Luca, Hugrun Hannesdottir, Neel Bhavsar—all MS students in the INI—and Chase Pascuito, an MS student in Heinz College. The team was coached by Luke Jones, a software engineer in CyLab. Two team alternates, INI students Kuber Nandwani and Ariana Mims, helped with team preparations.
Without disrupting Le Bonbon Croissant’s simulated business activities, teams were tasked with finding as many vulnerabilities as possible in the company’s operations within a limited amount of time. One vulnerability the CMU team found was that one of the company’s Windows machines had remote access available, meaning its keyboard, screen, and mouse could be operated by a remote user. Although the machine asked for the Windows password in order to use it, the team was able to restart the computer.
“On startup, it automatically logged into the Administrator account,” Schulz says. “This allowed us to extract the password, and we found it was reused for many other machines.”
Teams were judged by industry professionals and were graded based on the number and level of sophistication of the vulnerabilities they found, the quality of the written report, as well as the team’s final presentation.
While the team didn’t win—that honor went to a team of Cal Poly Pomona students—Schulz says it was a great learning experience.
“These competitions do a great job of simulating a real professional environment,” he says. “It’s a great opportunity not just from a technical standpoint, but also from a communication standpoint. You have to be able to effectively communicate these technical findings to multiple types of people.”
The CPTC began last October, with over 500 students competing in eight regional events across the globe. The top 15 teams from those competitions were selected to compete in last month’s global finals. This year’s final competition was held in a hybrid format at the Rochester Institute of Technology.