Preface
Collegiate Penetration Testing Competition or CPTC, is an event that emulates what a real world penetration test is like. From scoping out the fictitious company, to the real engagement, dealing with angry clients, and even presentations— the whole package. This blog will serve to cover the whole journey from my start to the end of the Global event. If you are here to learn about the details of how we won, you’ll be disappointed as I’m writing about my experiences rather than the formula to win.
Prior To The Main Roster
I’ve detailed my experiences in the past blog posts about what I’ve done before making the team so be sure to check those out. In short, I failed my first attempt at making the team in 2021. After failing so horribly, I didn’t want to relive that experience so I made sure to study my ass off for the next tryouts. For starters I’ve became more active in the club SWIFT or Students With an Interest in the Future of Technology. The rest of my experiences are detailed out in previous posts.
After Making The Team
About a few days after the tryouts, I was called into a private zoom call regarding the Minecraft server that was being run in the club. They called me in about me officiating the server to which I had no clue what they were talking about. They realize their mistake and said “I got the wrong person, hmm Derrick, oh! How would you like a main spot on the CPTC team?”. I appreciated their little skit they came up for me, it really made my day. During the time leading up to the Western Regional event, our team met up every Saturday to discuss the logistics and some team planning in general. The technical stuff was mostly learned by ourselves during the week and we tend to share the topics that we found interesting on the weekend meetings. At the time the Regional event was 3 months away but before I even knew it, I was already in the van headed out to Stanford for the competition.
The Regional Event
The drive up to Stanford was, to say the least, very memorable. From how uncomfortable it was due to the lack of space to the stupid little inside jokes that ran rampant— I’ve enjoyed every last minute of it. It was about a 6 hour car ride and I managed to sleep past most of it but eventually we got up to San Jose. Stopping by at a burger place first to refuel up, we set off for the hotel to drop off our bags and all.
The hotel room
After settling down at our hotel, we set off to check out Stanford’s campus to get an idea of what we will be working with. The campus is breathtaking compared to our school in Pomona. What I didn’t expect was that all the teams are competing in a single large venue. I imagined that we would have our own private room but it is not a big issue.
Stanford’s venue
After checking out the campus, our team went out to various stores in order to stock up on snacks and other essentials for the competition day. My brother for example got a bottle of unsalted chicken broth in which he used it as his fuel for the following day. Interesting choices to say the least.
On the day of the competition, we rolled up in a full suit with ties and all. We assumed that this was going to be a formal engagement but when we arrived, we saw another team, if my memory serves me correctly, UC Riverside. They had such comfy causal clothes and best of all, they even were playing on a switch. Needless to say, we looked like try hards. Anything less than a first place win at the event would make us look like idiots.
The team in action
The competition started at around 9am and ran through until about 4 or 5pm. By the end of the event, my brain felt like it was melting. Roughly 8 hours of constantly trying to piece puzzles together was a tough experience and it was only the first half of the event. After we finished the main engagement, we went back to our hotels immediately to being our report writing. With a handful more findings than expected, the report writing took much longer than anticipated. We worked every minute off as a team until the deadline. Our end product was still unrefined and upon turning it in at midnight, there was a stark silence in the room. Everyone knows the obvious mistakes that were on the report but we just had to bear with it and hope for the best.
The following day, we went back onto their campus for the awards ceremony. We probably should have networked a bit more than we did but its in the past now. I am glad that we did get to meet a few of the Stanford competitors as they were actually really cool people. I was under the impression that they were some untouchable entities as they have a reputation for being extremely smart but after a conversation, that stereotype completely crumbled away. During the awards ceremony, if my memory is correct, 3rd place went to Oregon State, second was Stanford, and first place was us, Cal Poly Pomona, for the second year in a row.
| Placement | University |
|---|---|
| 1st Place | California Polytechnic University, Pomona |
| 2nd Place | Stanford University |
| 3rd Place | Oregon State University |
Global CPTC
About 2 months later and here comes the main event, the global stage. In terms of preparation, not much as changed from how we approached Western Regionals. The biggest change really was the amount of packing I needed to do. The flight was at 5am so I decided to stay up the night and hang out with my friends on Discord as I packed up. Long story short, we get to the airport and board our flight.
Right before takeoff
Due to the layovers and all and being unable to get a good rest on our flight, most of us were pretty exhausted by the time we got to the hotel in Rochester. Note that we got to the rooms by around 5pm and that we needed to get moving again at 7pm to get our badges. While in line, two of the team members decide to act like as if they completely lost it making the most ridiculous egg jokes. It didn’t even make sense but they kept repeating it anyways. It did not make the greatest impression among the other people in line with us however, when we went up to receive our badges, the person said “Oh, Cal Poly?”. The teams that heard immediately started somewhat pointing fingers at us. It felt as if there was a giant target that was suddenly placed on our back.
Later that night we went to have a team dinner at this barbecue place. It was my first time eating American barbecue since most of the time I would have Korean or Brazilian instead. It was the first meal in more than 24 hours for some of us and we made sure to make the most out of it.
Dinosaur Bar-B-Que
On the day that we landed, it was really rainy to my surprise. I remember about a month ago hearing Buffalo on the news regarding all the record breaking snowfall and expected something similar. To my surprise, there was no snow at all and it was just wet. The following day however, just before the competition’s first day, snow came down like crazy and it ended up looking like this over the course of a few hours.
Snowfall from the previous night
Here is another picture taken from inside the RIT campus.
Inside campus view
Unlike regionals, the global event takes place over the course of 3 days, 2 for the actual engagement and 1 for presentations. The first two days went much better than expected for us this year. We had set the bar pretty low for ourselves and were extremely impressed with the amount of items we found to add to the report. Aside from reporting however, there also was a new aspect that the regional competition did not include, client interactions. Sometimes depending on our activity, a client would come into our room to ask us about X, Y and Z. Our business team handled each of the interactions so well, I just stared in awe the entire time. Sleep was an issue once again during this event as I only got about 10 hours of sleep… across 3 days. Not the most ideal conditions if you need to be performing at a high level.
The first two days went without a hitch. It was nice having a private room to ourselves because it lets us go loose when we needed to. From driving an imaginary car throughout the room to doing a group griddy, we have done it all. Really helped keep up the morale as we stared at our computers for hours at a time. The presentations were the only thing left between us and the awards ceremony.
On that third and final day, we were called into the main conference room to wait as teams eventually get called up. As a waiting activity, the event organizers provided us with slide decks for us to present for fun. The catch is, you don’t get to see what are the contents of slides and you have to act as if you are a professional on the topic. It was a pretty fun activity to watch as people went up and had to figure out how to deal with their slides. At some point we exhausted all the slides and nothing was on the board. One of the competitors decided to go up and play Bedwars, a game on minecraft, on the big screen while nothing was going on. One of our teammates is a huge fan and avid player of the game so it was pretty funny to see him critique the way the that she would play. Another one of use even did a live play by play. Overall it was pretty entertaining and helped me iron out my nerves before the big moment.
Bedwars girl
Unfortunately, with the way that things went, we somehow ended up being the last team to present. After going through my lines probably over a 100 times in my head at that point, I was a machine ready to spit out my content when it was my turn. The RIT command center was very impressive. The whole theme of the room felt like a mission control center. Walking up to be the center of attention made me feel like some sort of celebrity. The presentation overall went pretty well and we headed back to the rooms for the announcement.
Presentation
It was really nice to hear from the event’s sponsors. The stories and advice they had to give us, it was more entertaining than I thought it would be. As the awards ceremony approached my heart only sped up. I was really excited to see how well we did. In third we had University of Central Florida, a big name in cyber and a regular on the national scene in CCDC, the older brother to CPTC. We waited quietly to hear the second place call and when Stanford got called up, we breathed a sigh of relief. If they got second, that means if things went the same way as they did during regionals, we would get first. Lo and behold, we got first place. Global champions for the second year in a row, and my first win at a major competition.
| Placement | University |
|---|---|
| 1st Place | California Polytechnic University, Pomona |
| 2nd Place | Stanford University |
| 3rd Place | University of Central Florida |
Final Thoughts
For anyone who is interested in competing in the event, here’s a few key takeaways:
- Get enough sleep
- Make sure to eat and drink plenty of water
- It is a marathon, not a race It sounds like obvious tips but they are true. The event is long and grueling so having proper meals and resting well is essential to perform well throughout the event.
Overall I really enjoyed my first time competing at CPTC and it was an amazing feeling to be called up as the first place winners. I hope to see the same faces again next year when we come back.