Runner Up at BPJS Kesehatan Security Hackathon

Jeremyah Joel
4 min read · Feb 9, 2022

Hi everyone! Today I'm going to tell you a story about how Vantage Point Security Team won First Runner Up at BPJS Kesehatan Security Hackathon!

Because the live system involved in the final round of the competition is strictly confidential, our team will not publish any official write-up or presentation deck. The platform that was tested is currently in operation under BPJS Kesehatan.

Elimination Round

This competition has always been interesting, as the prize pool is really good and the competition scheme is unique. In the elimination round, we're given eight different web-based challenges.

We managed to solve 8/8 challenges and secure first place in the elimination round, even though we took part in two parallel competitions that day (with Compfest). If you're interested in the technical write-up, you can read it here.

Elimination Round Result. Our team is Cinnamon

The Final Round

The final round is somewhat unique, as it consists of two different stages. In the first stage, we were given exactly 4 hours (11 AM — 3 PM) to perform a system-wide penetration test. The second stage was a brief presentation and explanation of the findings and their impact on the system.

Stage One

As a team full of security consultants, we were confident that we would perform well, and it turned out so! We managed to get 14 findings of various severities, as shown in the images below.

Our Findings (With a lovely VantagePoint Security Logo)

The most critical finding was that we were able to completely take over the server by taking advantage of an MSSQL injection. We used a stacked query to execute xp_cmdshell and write our backdoor to a path that had previously been disclosed by an unintentionally exposed phpinfo file.

However, we didn't have a chance to do further system exploitation, as the competition was limited to 4 hours, including the initial report. So after a short consideration, we moved on to the next possible vulnerability.

Long story short, we tested the whole system within the 4-hour window. In the process, we gathered findings from places other than the web apps, including the database, SMTP, a third-party API, and local browser storage.

The time was very limited; therefore, it was hectic and chaotic. After the initial report submission, we decided to take a break and work on the presentation deck at midnight.

Stage Two

The Demo Day started at 08.00 AM. We worked on the presentation deck all night; therefore, there was no time to practice. At this very moment, our team decided that I'd be the one to deliver the presentation. I was quite nervous, but I love public speaking, and there is no way I'm going to say no to this!

Demo Day Judges

The judges consisted of Indonesia's most experienced and well-known cyber security experts. We could finally see the other team members' names on demo day, and honestly, it was shocking to see that the finalists were mostly the most skilled cyber security practitioners. And me? I hadn't even finished my certification yet and was still an Associate Consultant (minus 1 month of experience).

Even though it was tense, I was very excited! I was very happy that, in the end, we successfully delivered the presentation in under 5 minutes and were able to answer all the judges' questions on the technical and compliance side of the findings reasonably well. We were very happy and proud of ourselves!

Consultancy vs Enduser

As full-time security consultants, we tend to see findings only technically. We were stunned and very amazed when one of the teams presented their findings. Instead of only covering the technical part, they used something similar to a threat modelling framework to deliver the whole set of findings as one threat.

Threat Modeling Framework Example

As a result, they presented the findings' impact on the system better and gave a wider view of the best way to mitigate the risk. For example, we could adjust the database privileges to mitigate SQL injection and Remote Code Execution at once. Or we could enforce HTTP security headers to make sure the local PII data is not extractable, and at the same time leave no room for a MITM attack or cookie stealing via XSS. It shows the shortest path to reducing the risk to an acceptable level. It was a very clever and interesting move!
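As an added illustration of the database-privilege mitigation described above (this is not the team's finding or BPJS Kesehatan's configuration, and the database AppDb, the schema app and the login webapp_login are hypothetical names), here is the T-SQL a defender would run so that a stacked query reached through SQL injection can no longer pivot into xp_cmdshell:

```sql
-- Added example, not from the original post. Assumes a hypothetical
-- application database AppDb whose tables live in the schema "app".

-- 1. Turn the xp_cmdshell feature off at the instance level (needs sysadmin).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 2. Give the web application its own login instead of a sysadmin account.
--    Replace the placeholder with a real secret from a vault, not a script.
CREATE LOGIN webapp_login
    WITH PASSWORD = '<PLACEHOLDER_STRONG_PASSWORD>', CHECK_POLICY = ON;

-- 3. Map it to a database user that can only read and write its own schema.
USE AppDb;
CREATE USER webapp_user FOR LOGIN webapp_login;
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::app TO webapp_user;
-- Deliberately no db_owner membership, no ALTER, no CONTROL, no EXECUTE
-- on anything the application does not call.

-- 4. Belt and braces: even if xp_cmdshell is re-enabled later, this login
--    is explicitly denied from calling it (the procedure lives in master).
USE master;
CREATE USER webapp_user FOR LOGIN webapp_login;
DENY EXECUTE ON OBJECT::sys.xp_cmdshell TO webapp_user;

-- 5. Verify: both queries should return 0 for a correctly locked-down login.
SELECT IS_SRVROLEMEMBER('sysadmin', 'webapp_login')   AS is_sysadmin;
SELECT value_in_use                                   AS xp_cmdshell_enabled
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';
```

The injection itself still has to be fixed in the application with parameterised queries; the privilege change only stops a successful injection from turning into Remote Code Execution.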

The Announcement

Sometimes we win, sometimes we learn. We didn't expect much after learning who we were up against, but we picked up a lot of new knowledge and techniques from the experts in this competition, and we are grateful for the opportunity.

Second Place!

Our hard work paid off. We won second place! We learned, and we won ☺️

Thank you, and see you in the next post!

Jeremyah Joel

Product Security at Ministry of Education, Culture, Research, and Technology of Indonesia