Team bi0s is a student-run cybersecurity club of Amrita Vishwa Vidyapeetham, Amritapuri (Kerala). The club is focused on building students and individuals with interdisciplinary skills in the field of cybersecurity and has a prosperous history spanning more than a decade. The team has been the top performer in the well-known cybersecurity contest, ‘Capture The Flag’, in the national and international arena.
Year 2022
COVID did not defeat us. Things were picking up pace and the world was opening up to the new world we had to face. New norms were being set in the world. Everyone saw what humanity could do when people stood together and worked towards the new reality we are facing today. Team bi0s was also part of that change. Our team, consisting of more than 30 people from every corner of the country, finally met each other after 2 years of working remotely. We had contributed and collaborated online, and won and lost several things during the journey through COVID. Now we were finally together, in the same place where our forebears had started out. This meant we had to start a new chapter in the club’s history with the people we know best. Our mentor, Vipin Pavithran, had been guiding us online through our toughest situations. But now that things had started to go back to normal, it was finally our chance to meet him.
The year wrapped up with us being the best team in the country and 47th worldwide according to CTFtime’s leaderboards. We landed in the top 10 in some of the best international CTFs: 4th in WINJA CTF, 5th in HACKIM CTF, 2nd in BSidesSF CTF, 2nd in CSAW Finals, 10th in ISITDTU. We were also invited to the finals of ISITDTU 2022 held at Da Nang, Vietnam. We also stood first in Dome CTF 2022, an onsite CTF event held as part of the c0c0n conference by Kerala Police Cyberdome.
Team Shakti, our girls-only team, organized Shakti CTF, a CTF exclusively for women. The initiative, created to empower more women in the cybersecurity field, has been a huge success so far with its premier events ShaktiCon and ShaktiCTF. This year being the 3rd edition of ShaktiCTF, there were close to 1000 participants engaging with the community and solving challenges. Training sessions on various security topics were held during ShaktiCTF. Topics ranged from beginner to advanced level, such as Automated Reverse Engineering tactics, which taught cybersecurity experts how to use symbolic execution and script debuggers using Python. Sejal Koshta, Indulekha P Menon, Nandita Sangeeth and Srilakshmi from Team Shakti also bagged the First Runner up prize during the WINJA CTF in the women-only team category. They also received a scholarship from SANS Institute for the same.
As COVID restrictions were lifted around the entire world, long-awaited conferences began happening throughout the country and in different corners of the world. Team bi0s participated in two of the year-end conferences that were held within the country. We took the train to Goa to attend the long-awaited Nullcon Conference during the start of September. We participated in the contests, met a lot of security researchers, attended tons of talks and workshops and of course collected a lot of swag while at it. We also attended the c0c0n 2022 conference held at Kochi, Kerala, organized by the Kerala Police Cyberdome. As it was held in our home state, we couldn’t pass up the opportunity to meet hackers from various corners of the state. The conference included a contest, which we won for the second consecutive year.
Some of our team members old and new always give us inspiration to push ourselves further and this year was no different. Here are some of our vulnerability research findings:
- Yadhu Krishna M found a high severity SSRF bug in ProxyScotch, a proxy server created for Hoppscotch. He was assigned CVE-2022-25850 for it. He also reported a Cross Site Scripting vulnerability in exercism.org, a learning platform to teach various programming languages.
- Yadhu also found an OTP bypass vulnerability within the Ministry of Road Transport and Highways, India - Parivahan Sarathi Portal.
- Sayooj B Kumar found a security vulnerability in Stack Overflow. He also found an OTP bypass and an IDOR vulnerability in a site hosted by BSNL. He was also listed in the Hall of Fame of both Stack Overflow and Deepnote. He also received a bounty for finding a security vulnerability in Lucid Charts.
- Rahul Sunder, our team member who specializes in Web Exploitation, found an XSS and a CSRF which were chained together for an Account Takeover in daloRadius, a RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. He was assigned CVE-2022-23475 for it.
This year our members Rohit Narayanan M and Adhithya Suresh Kumar held the championship title for the second year consecutively at DomeCTF organized as part of the c0c0n conference by Cyberdome of Kerala State Police and Beagle Security. They also received ₹1,00,000 as cash prize for the same. Yadhu Krishna M held the First position in the Adversary Wars CTF conducted by the Adversary Village team as part of the c0c0n conference.
Rahul Sunder, Abhishek Barla, Simran Kathpalia and Abhishek Bhardwaj represented us during CSAW CTF Finals and held the Second position at the end of the contest. CSAW CTF was organized by IIT Kanpur as part of the Indian Regionals for CSAW Globals held by NYU, New York.
Our team also qualified for the ISITDTU CTF Finals with over 150 teams participating in it. The team was invited to participate in their finals. Team members Sriijith, Pagilla Manohar Reddy, Rohit Narayanan M, Nithin Chenthur and Nandu Pillai represented us at ISITDTU, Da Nang, Vietnam for the finals held during the month of December.
Furthermore, Prabith GS and Aneesh Nadh R were awarded Best Programmer and Best Web player status respectively in DevCTF organized by IIT Delhi, India. Nithin Chenthur and Sriijith landed as the First runner up in the Indian leaderboard in JadeCTF organized by IIT Dhanbad. They also received 10k rupees as cash prize.
This year our members Aswin C, Simran Kathpalia and Poluru Pavani secured a scholarship of $2500 to attend a summer program at Ben Gurion University of the Negev, Israel. The scholarship program offered by BGU covered Data Mining for Cybersecurity and Business Intelligence, in which our members enrolled. An entire month was spent in Israel as part of the summer program, through which our members gained several research and industrial opportunities and a lot of fun experiences in the university’s environment.
Our member Prabith GS also completed the Microsoft Cybersecurity Engage program. He successfully completed the 5 week program inclusive of leadership sessions, practical threat analysis, paper submissions and presentations, and several talks by leading experts in the cybersecurity industry. He also received a certificate for the completion of the program.
Pentest Team
Our team member Abhishek Sidharth found a Cross Site Scripting vulnerability in Autolab, a course management service widely used in the educational sector, mostly for auto-grading programming assignments. Abhishek was assigned CVE-2022-0936 for his findings. Srikar discovered an Arbitrary Command Injection vulnerability in Strapi, one of the leading open-source headless CMSs, made fully in JavaScript. He was assigned CVE-2022-0764 for it.
Anjana Suresh and Abhishek Sidharth also were volunteers at the Adversary Village as part of the c0c0n conference, Kochi. Adversary Village focuses on providing live workshops, talks, CTFs, etc as part of Attack & Breach Simulation, Purple Teaming, Supply Chain Security, etc.
Our team member Vidhun K was also listed in the MSRC Hall of Fame for his findings and responsible disclosure of security vulnerabilities.
Abhishek Praveen, one of our team members from the penetration testing team, was certified with GIAC Foundational Cybersecurity Technologies (GFACT) certification.
Hardware Team
Members of our bi0s Hardware team participated in Nullcon Hardware CTF, Goa, and defused the bomb, ending up as runners up for the event. Nullcon is a two-day conference held at Goa, usually during the year end. The team also participated in the conference workshops and attended various other talks along with it.
Satya Sai N, Abhijit C B and Govind A R won the best Local Impact award for creating a Land Loss Detection App titled BitEarth in the NASA Space Apps Challenge conducted by Jain University, Bangalore. NASA Space Apps Challenge is a yearly hackathon-style contest in which participants are tasked with finding innovative solutions for problems faced by the scientific community. Participants need to read, research and build on their problem statement, and prizes are awarded to the smartest and most efficient solution in the field.
Our team also participated in the CSAW Embedded Security Challenge and qualified for their finals. CSAW-ESC is a competition organized by the C3i Center at IIT Kanpur. This year’s challenges focused on machine learning based attacks in both edge devices and cloud computing.
Team projects and Personal achievements
This year we wanted to invite and inspire many more students into the field of cybersecurity. As the bearers of the knowledge that former members of the club passed on to us, we wanted to spread and showcase it to the rest of the students outside the club. We wanted to show the opportunities within the field of cybersecurity and the welcoming community it has. We took multiple sessions and talks, and also held hands-on workshops both within and outside our home campus. We are also grateful to the other universities and schools for accommodating us during our sessions and workshops.
Our bi0s Hardware team conducted a hardware workshop for the freshers of our campus in order to familiarize them with hardware security and instill passion for the domain while at it. Hardware equipment such as Arduino, Proxmark and logic analyzers was given to the students to try their hands at different vulnerabilities and concepts from domains like Embedded Security, Firmware, SCADA, etc. A Hardware CTF, titled Wired, was also conducted at the end of the session as part of the recruitment procedure within the campus. Students from various departments participated in the contest. An offline bootcamp was conducted at Amrita University, Coimbatore as part of advanced training for the current members of the club.
Coming to internships, FTEs and other employment opportunities that our members have received:
- Aditya Vardhan Padala started his Ph.D. at Purdue University, Indiana.
- Ritvik T, Sourag C and Pranjal Singh were admitted as Research Interns at Purdue University, Indiana. Suraj K Suresh also got admitted as a Research Scholar at University of California, Santa Barbara (UCSB)
- Nihith Bolisetty joined as DFIR analyst in Cyber Response services at KPMG Global Services (KGS)
- Vishnu Madhav also received a job opportunity to join Zimperium
- Gourav Singh Bajeli, Hrishikesh Pankaj and Pranav Nair secured an internship at Exodus Intelligence
- Vishvesh Rao secured an internship in Nethermind
- Yadhu Krishna M and Sayooj B Kumar secured an internship at CRED
- Ranit Pradhan secured an internship at CeNSE, IISc. He also secured another internship at Emertxe. He is currently doing an internship in IoT Hardware Security Research at Payatu
- Indraraj Biswas and Athul Menon secured an internship at Schneider Electric
Team bi0s has started a new chapter. The club members are evolving and the club’s environment is changing. The future for the club is bright and we hope to bring back more to the community we were welcomed in. We are also grateful to everyone who has supported us throughout this year. We are also grateful for the constant support our university and the faculty have given us.
Quoting from our last year’s review, “The legacy and the lineage of teambi0s remains unchanged; the team’s comradery attitude to progress and to improve the team and the general notion to help, teach and espouse cybersecurity remains as unaffected as humankind’s quest for the final frontier.”