Kazan, Russia, December 2019

I returned from Kazan, Russia about a month ago, where I spent a week or so competing in a Cyber Security competition. I was part of the team representing Singapore in DigitalSkills Kazan 2018, during which participants compete in various skills like Web Development and Machine Learning. This post contains a recap of the events of this week-long trip.

Entrance of the Kazan Expo
Entrance of the Kazan Expo

Background

The DigitalSkills 2018 competition comes under the umbrella of WorldSkills Russia, which is a bigger competition taking place in August 2019. My team, consisting of my partner Devesh and I, was selected to represent Singapore in this competition due to my team's previous victory in the Singapore chapter of the WorldSkills competition, in the Cyber Security skill. Thus, last month, with two other competitors from Singapore, we departed Singapore for Kazan, Russia.

An initial surprise

There were a great many surprises that popped up along the course of this trip, the first being the technical fault that occurred just after we took off πŸ˜“. Apparently, the landing gear couldn't be retracted into the plane, and we had to land back in Singapore to change to a different one. After about 3 hours of delay, we finally took off again, this time for real. After a long 11 hour flight, we landed in the Moscow Domodedovo Airport.

Main entrance to the airport
Main entrance to the airport

However, due to the initial delay, we missed our connecting flight from Moscow to Kazan, which resulted in us wasting a couple more hours waiting for the next available flight. Unfortunately, this meant that the first day of the trip, which was initially meant for sightseeing, was spent waiting in the airport instead. Not a bad start...

Refreshing weather

The weather at Kazan was quite cold, with an average temperature of -10ΒΊC. It was a great break from the blistering heat and humidity of Singapore. Even though it sometimes got too cold to stay outside, I still appreciated this weather much more than back home, where I start perspiring every time I step out into the open.

Meeting new friends

After finally reaching our hotel, we were greeted by a large group of students in English. As it turns out, they would be our awesome translators for the rest of our trip. After chatting with them, we found they were students from the Kazan Federal University, studying linguistics (hence their role as translators). I learnt a lot about student life in Kazan from our initial conversation, as well as how most of my "Russian knowledge" were merely stereotypes created by the media.

Chatting in the hotel lobby
Chatting in the hotel lobby

The translators, Gulnaz, Alex and Ruslan (not pictured), were extremely helpful throughout the trip; They translated everything for us, including the briefings, signboards and even the food. I'm still very grateful for their help, without them we probably wouldn't have been able to navigate Kazan.

The competition venue

The next morning, we headed over to the competition venue for the initial briefing. The competition was held at the Kazan Expo, which is also where WorldSkills Kazan 2019 will ultimately be held. The Kazan Expo was huge, much bigger than the Singapore Expo that I'm used to. It took us a good 10 minutes to walk from the entrance to the area where our category would be competing.

Only a taste of the sheer size of the Kazan Expo
Only a taste of the sheer size of the Kazan Expo

More surprises

The next surprise to befall us was waiting for us at the initial competition briefing. When we arrived at the venue, we met Anton, who was the person in charge of liaising with us Singaporeans. We also met Ivan, the Chief Expert of our category.

During the briefing, we were told that the competition was an individual one, which came as a huge surprise. This meant that instead of competing with each other, Devesh and I would be competing against each other πŸ‘Œ. This was completely new to us, as the whole time we were under the impression that we would each handle different aspects (attack/defense) of the competition.

We also found out that all of our fellow competitors were Russian, apart from a single Chinese competitor. As the briefing was done in Russian our translators helped us to understand exactly what would go down on the day(s) itself. Once again, I was very grateful for their help.

Starting on a good note

The first day of the competition was a Capture-The-Flag (CTF) challenge. We were tasked to solve challenges to obtain flags, which were either in the format FLAG{<string of characters>} or the actual passwords that are found or cracked. We could then submit the flags for points within the system.

As both Devesh and I are familiar with this type of challenge, we managed to clinch the second and third place respectively out of a possible eleven. I was quite proud of myself, as I normally don't perform that well in CTFs. This time however, there were many programming challenges, which were right up my alley. I managed to solve some of the more difficult challenges, including one which required solving an elaborate labyrinth by scraping a website.

Chowtime

Lunch was served buffet-style during the competition. After about three hours of competing in the morning, we would break for lunch before continuing on for another three. Contrary to most catering in Singapore, the food was actually really good. Most of the time, they would serve some international food, alongside traditional Russian dishes.

Buffet lunch! Credits: Tea Pei Qi
Buffet lunch! Credits: Tea Pei Qi

One of the dishes that I really enjoyed was borscht soup (Unfortunately I forgot to take a picture 😒). It was a soup that contained cabbage, potatoes and beetroots, which gave the soup a distinctive purplish-red color. Our translators explained to us that mayonnaise was usually added to the soup, which surprisingly enhanced the flavor of the soup!

Falling off

Another surprise awaited us on the second day of competition. During the initial briefing, we were given the instructions for the four modules that would be tested. The first module would be tested on the first day, the second on the second day, and the remaining two on the third day. As it turns out, they decided to switch the modules on the second and third day πŸ˜…. At this point, I had kind of expected another surprise, so I just went with the flow.

The modules on the second day were on incident investigation and incident response.

Incident investigation

We were given a Python application within a Docker image and tasked to investigate how it had been attacked. We were also supposed to patch and run the service again. I fared badly in this module, as even though I managed to figure out mostly how it was attacked through static analysis, I could not for the life of me figure out how to access the application after it was launched.

The service was a raw TCP service, which meant that we needed to use netcat to connect to it. However, after trying out a multitude of possible IP addresses and ports, I simply couldn't figure out how to connect to the service. As a result, I completely failed the second half of the task 😞. After the competition, I found out from Devesh (who managed to complete the task) that the IP address was supposed to be obtained by running a subcommand of docker 😐.

Incident response

This was a challenge created by an external vendor called NSALAB. In this challenge, we were each assigned two tickets, which we had to resolve for an organisation. We were also given a diagram explaining the internal network structure of the organisation.

For the first ticket, one of the websites that the organisation was hosting was down. We had to investigate the situation and bring the website back up. After accessing the machine through VMware, I found out that the nginx service that hosted the website was stopped. I restarted it, thinking that I had solved the issue. After responding to the ticket and recording my findings, I visited the website again, only to find out it was down again πŸ˜“. As it turns out, the actual issue was that the website was under a DoS attack (I found this out from Devesh after the challenge).

For the second ticket, another website that the organisation was hosting was apparently experiencing an attack, where the main banner image was changing every once in a while. It was a really strange error report, and after reloading the webpage multiple times at different intervals, I still did not manage to trigger the error. If you couldn't guess by now, I didn't manage to solve this either.

Good dinner

Everyone was quite exhausted after the second day, so it ended only being my lecturer and I heading out for dinner. We ended up settling on a pretty empty Middle Eastern restaurant. I ordered a burger, which turned out to be one of the best burgers I've ever had to date. It even came with a knife stabbed through it 😱.

Delicious burger with a violent twist...
Delicious burger with a violent twist...

An okay ending

On the third and final day of the competition, our challenge was to patch and deploy two websites. Both the websites used popular CMSs, that we were expected to know how to use.

The first website was built on WordPress, which is well-known for its numerous security flaws. Unfortunately, I wasn't very familiar with WordPress, so I was quite lost on what to do. Luckily, I managed to find a README file with detailed setup instructions. In the end, I only managed to bring up the service, and made my final submission without patching much at all.

The other website was built on Joomla, which I hadn't heard of until the competition day itself. For this website, I didn't even manage to set it up, as I didn't manage to find a README file anywhere for instructions πŸ˜•.

I guess this shows how little my knowledge was, and that I still have a long way to go in learning how to deploy secure services.

Finally some sightseeing

And that marked the end of the challenges. After three long days of competition, we finally had some time to explore Kazan. Upon asking around, I discovered that we were fortunate enough to have our hotel situated right next to Bauman Street, which was a pedestrian street right in the heart of Kazan.

Entrance to Bauman Street
Entrance to Bauman Street

It was a long street filled with bright lights, beautiful architecture and many shops selling food, drinks and souvenirs.

Nice building along Bauman Street
Nice building along Bauman Street

Walking down the street allowed us to visit many of the main tourist attractions in Kazan, including the Kazan Kremlin, which is the chief historical citadel of Kazan.

Outside view of the Kazan Kremlin
Outside view of the Kazan Kremlin

The streets were very empty at night, with barely any tourists or locals out and about.

Pretty, empty streets
Pretty, empty streets

After a while, it got really cold (partially due to me playing with the snow), so we decided to head back to the hotel. Overall it was quite a refreshing night out, compared to the hectic competition just that morning.

City tour

The next morning, all the international participants were brought on a city tour by the organisers. Once again, we visited the Kazan Kremlin, which actually looks very different in the day. Of course, this time, we travelled around in a tour bus, which was much better than having to walk there again.

A different kind of beautiful
A different kind of beautiful

We also visited the majestic Kul Sharif Mosque, where we learnt about their various practices and about the history of the mosque itself.

The Kul Sharif Mosque
The Kul Sharif Mosque

We also visited a bunch of other tourist attractions in Kazan, like the place where fans gathered to watch the World Cup matches live.

Fans watched the World Cup together at this area
Fans watched the World Cup together at this area

There was also a place we could view an actual Concorde, which was the only commercial plane to ever fly above the speed of sound.

A Concorde plane, which has been retired from use
A Concorde plane, which has been retired from use

It still fascinates me how white all of these photos are, thanks to the snow and empty sky πŸ˜‚.

Closing ceremony

A closing ceremony was also held to give out the prizes and officially bring the competition to a close. It was held in another wing of the Expo, which was just as huge as the one we competed in. They dimmed the main lights and brought on some really bright spotlights, which made the whole thing feel more like a shady concert than an official ceremony.

The closing ceremony
The closing ceremony

During the ceremony, the international participants (around 20 in all the skills), were given special mention, and presented with our certificates. Unfortunately, Devesh and I didn't manage to win anything, but I still enjoyed the experience overall.

Saying goodbye

Later after returning to the hotel, we exchanged contacts with our translators and took one final picture with them before saying goodbye for the final time. We were slated to leave for the airport in the early hours of the next morning, so this would be our last time seeing them (for now!).

Our last group photo before flying off
Our last group photo before flying off

I am still super grateful for their presence throughout the trip πŸ˜‡. Everything would really have been super difficult without them helping us.

Later that night, I went over to the nearby mall and managed to snag a Matryoshka doll as a souvenir.

Creepy looking Matryoshka doll
Creepy looking Matryoshka doll

Back to Singapore

Luckily, the trip back to Singapore went smoothly, without any major hiccups. Instead of a direct flight, we took a flight to Abu Dhabi before flying back to Singapore. We landed in the morning, which really messed up my body clock after flying through the night ⏰.

Some reflections

I think my greatest takeaway from this trip is a better perspective on just how big the world is. As a person who spends most of his time online, it's been quite easy to lose track of the sheer distance between the people I communicate with, thanks to the Internet closing these gaps. However, stepping out of Singapore to travel to a country halfway across the world has reminded me of the importance of this global mindset.