Hacking the Mushroom Kingdom: A dive into CI/CD Pipelines with Mario and Luigi
An evening diving into CI/CD pipeline hacking.
Hacking the Mushroom Kingdom: my evening at Secura
Hi everyone! My name is Ilnur, I'm a 3rd year Cyber Security student at the University of Applied Sciences of Amsterdam (UAAS/HvA), and in this post I'll tell you about my experience with helping Bowser hacking Mario & Luigi!
A couple weeks ago I was contacted by Sara Busscher, with a question, whether I was interested in learning more about CI/CD pipeline hacking. To be honest, it was the first time I heard about CI/CD or anything like that, but based on my previous experience with the Dutch Docker night, I didn't hesitate to take the opportunity provided.
The event took place in the new office of Secura, just near the train station Bijlmer Arena, and even though first I struggled with finding the right elevator (the building is separated in two), I eventually found myself in between the friendly people I met a year ago.
Definitely a Mario theme
Before the event started, it was clear that it had something to do with "Mario": the tables were covered thematically, and there were even toys spread all around! (Honestly, I'm still wondering whether they really keep Mario decorations somewhere in the office, or if it just was a one time thing).
Our hosts for the night were Charleston and George, both very experienced security experts at Secura. They quickly, yet clearly, explained what CI/CD pipelines were, and decided to enlighten us on Bowsers masterplan to hack them!
We appeared to be in Devtopia, a Mario themed landscape full of tunnels. These tunnels were analogies to the pipelines we were about to hack.
Ilnur Khakimov
3rd year cybersecurity student
UAAS/HvA
We spent the evening in Devtopia, a Mario themed landscape full of tunnels. These tunnels were analogies to the pipelines we were about to hack.
For this we got the basic principles of how CI/CD functioned: when Luigi (junior developer) had worked on his code, he'll make a pull request through the "OnMerge" pipeline. If we were lucky (being the professional hackers we were, "luck" is our main weapon of choice), we might be able to steal some forgotten information from those.
After completing this objective, I'd learned new information about how git functions. For example, I had no idea previous versions of the code were accessible locally (I could easily see myself make this mistake otherwise). Luckily for us (I told you, luck is our main weapon), George and Charleston had prepared some useful commands in the right order of execution. That didn't mean that we were given a full guide on completing the challenges, since you'd still need to when you'd need to execute them.
Unfortunately, I got stuck for the next two steps (it appeared my git wasn't configured correctly or something), so I got to look at what the rest did. Luckily (should I repeat myself?) the challenges were designed in such a way, that I was able to catch up during the last step; you'd need information from step 1 to continue with the challenge, which I successfully did.
Enormous amount of pizza's
In between the challenges an enormous amount of pizza's had arrived! We got to chat a bit with each other during that break, and I met some new people, one of which I remember wearing a t-shirt awarded for hacking the Dutch government! It was very interesting to hear his story about this, and I could even confirm my statement about luck in the way he did it (being lucky must be an award for skill, I guess).
Unfortunately, I had to leave 30 minutes earlier, so I couldn't get the full walk-through of the challenges, but I did get a handy goody bag for home though! Even so, when escorted to the exit, I was asked the question whether I learned anything from this evening. "Somewhere about everything, starting with the existence of these things" was my answer.
To conclude this post, I'd definitely recommend students joining the Secura workshops, if presented with such an opportunity! I'd like to thank Charleston and George for everything they did for us that evening, and a special thanks to Sara for remembering my favorite type of wine.