International CDC Feb 2026

The red team used ZeroLogon (CVE-2020-1472) against Active Directory. Competition rules prohibited patching the domain controller, leaving the vulnerability open the entire match — so the only play was detection and response, not prevention.

Response. Enabled verbose DC audit logging to catch Netlogon channel abuse in real time. Monitored for anomalous machine account password resets, documented each attempt in incident reports as required for scoring credit, and isolated affected accounts immediately.

Red team exploited PwnKit — a privilege escalation vulnerability in Polkit's pkexec — to gain root on Linux servers. The exploit is reliable, requires no special conditions, and works across a wide range of Linux distributions.

Fix. Patched polkit packages on all Linux hosts immediately. Verified pkexec binary permissions and audited SUID binaries across the environment. Monitored for unexpected root-level process spawns as an indicator of residual exploitation.

The web server had an LD_PRELOAD rootkit hiding as a legitimate-looking shared library. It intercepts standard libc calls to hide processes, files, and network connections — making the compromised host look clean to standard inspection tools.

Fix. Cross-referenced /etc/ld.so.preload and environment variables against known-good library paths. Found the injected library by comparing running process maps to expected system libraries. Removed the rootkit, cleared LD_PRELOAD references, and verified no persistence hooks remained.

The web application was running with Flask's default SECRET_KEY set to 'cdc'. With a known signing key, any attacker can forge a valid session cookie with admin privileges — no credentials required.

Fix. Rotated the SECRET_KEY to a cryptographically random value, invalidating all existing sessions including any the red team had forged. Audited remaining Flask configuration for other insecure defaults and disabled debug mode.

An exposed /register endpoint required no authentication and automatically enrolled new accounts into the Domain Admin group. Red team could create a privileged AD account from a single unauthenticated HTTP request.

Fix. Took the endpoint offline immediately, removed auto-enrollment logic, and audited AD for any rogue accounts already created. Implemented strict authentication requirements before re-enabling registration functionality.

Active Directory Certificate Services was misconfigured with an ESC1-vulnerable template: any authenticated user could request a certificate for an arbitrary UPN, enabling credential dumping and domain privilege escalation without touching Kerberos directly.

Fix. Identified vulnerable templates using manual enumeration, revoked outstanding certificates issued under the misconfigured template, and corrected the enrollment permissions and subject name settings to require CA manager approval for sensitive UPN requests.

Red team had pre-planted netcat listeners on multiple hosts before the competition started. The listeners provided persistent reverse shell access independent of any other exploit — even after other persistence mechanisms were removed.

Fix. Audited all listening ports with ss -tlnp and netstat, cross-referenced against expected services, and killed unauthorized listeners. Added OPNsense rules to block unexpected outbound connections. Checked cron, systemd units, and shell profiles for re-spawn hooks.