~$ Going to Paris for the Wavegame cloud competition!

Posted on May 15th, 2022. | Est. reading time: 8 minutes

Tags:Information SecurityCloudDevOpsTravel

One of the random things I did this year was to undergo the qualifications for Wavestone's "Wavegame" competition (which is a thinly veiled recruitment strategy that focuses on university students only, led by a French consulting company).

Most of the teams were from French universities, and only a handful of us were joining in from Switzerland, with 2 of us (including myself) joining from the University of Geneva (UNIGE), and the 4 others joining from the Ecole Polytechnique Fédérale de Lausanne (EPFL), providing us with an overall heterogeneous group that had capabilities in Computer Science, Information Systems and Data Science.

Due to an array of circumstances, we ended up in the "Green Wavers" track, which focused on cloud environments, devops and security, as opposed to the "Blue Wavers" (Blue Teaming) and the "Yellow Wavers" (Policy). This was a bit of a rough ride, as most of us had only peripherally worked with platforms such as AWS and the like.

The competition took the shape of 3 prequalification rounds (each on the same task of a website for Paris' 2024 Olympics, but with iteratively more complex requirements):

  1. From a base monolithic architecture, convert it to a microservices architecture, add security groups and integrate an RDS (database) into the system;
  2. Configuring a CI/CD pipeline;
  3. Adding FinOps observations, IAM, Operations oversight, and handling resiliency.

By the end of it all, we were down to 4 team members, and had placed:

  1. 3rd (with 75 points)
  2. 1st (with 84 points)
  3. 2nd (with 86 points)

This enabled us to qualify to go to Paris for the finals, from the 11th to the 13th of May.

The first day was dedicated to getting from Geneva to Paris (by means of train), dropping our stuff off at the housing we had sorted, and exploring Paris a little.

A mural in ParisA mural in Paris
The 13th district's town hallThe 13th district's town hall
The PantheonThe Pantheon
A statue in the Luxembourg GardensA statue in the Luxembourg Gardens
The Medici fountain in the Luxembourg GardensThe Medici fountain in the Luxembourg Gardens
A building's architectural columnA building's architectural column
The statues on the Square of the Nation, illuminated, with the picture taken at nightThe statues on the Square of the Nation

On Thursday, we headed off to Wavestone's HQ in the district "de la Défense" of Paris, for the final challenge.

The district 'de la Défense' with its landmark buildingThe landmark building in the 'de la Défense' district

This is where things started to go... interestingly (to say the least).

The final challenge for us Green Wavers was to identify and patch a production system that was under attack, and "provide a report to the board".

Except, for reasons that escape me, our AWS account malfunctioned, leading the event organizers to have to reset our environments.

This was fine, as the event hadn't started yet due to the organizers wanting to make sure everyone could access the environments correctly.

What was not fine was that we ended up not having the same AWS resources, as those had also been reset. So, instead of having CloudTrail and logs we could grep through, we had graphs (except we had not figured out we were supposed to have CloudTrail).

From the graphs, I was able to figure out the attack scenario was hitting the login feature and enumerating the RDS database. We also then were able to derive that the system was being DOS'ed purposefully to limit remediation.

Whilst my colleagues were attempting to patch the systems (which is hard when you don't know what is broken), we were collating data about the attacks for the presentation.

The presentation went well, at least starting from the moment where we cleared up exactly what services we had access to and they figured out it was not a standard configuration.

Figuring that we had bungled the event, we went to the after party where we discussed and had a fun time on a dock on the Seine river, right below the Eiffel Tower.

The Eiffel Tower, illuminated at nightThe Eiffel Tower

Near the end of the event, all the participants were called to the galley, where the announcement of the rankings was to take place.

After the Blue and Yellow Wavers had their winners announced, came the time of the Green Wavers.

In 3rd place, the team 200 IQMULUS from Bordeaux's ynov campus was announced. By that time we had entirely lost any hope to landing on the podium.

In 2nd place, the team La Passoire from utc was announced.

Finally, in 1st place, to our great surprise, our team was announced.

In disbelief, we accepted the prize and were quite happy with ourselves.

As it turns out, the fact that we managed to keep cool without access to the needed resources and were still able to derive valuable information, as well as provide a cohesive presentation of the issues is what shifted the jury in our favor.

An image with the event's resultsAn image with the event's results

After rejoining our accommodations and sleeping off the night's events, I went for a small tour of Paris before heading back to Geneva.

Picture of the Eiffel Tower, during the day.The Eiffel Tower
Picture of the Trocadero GardensThe Trocadero Gardens
Picture of a Parisian StreetA street in Paris
Picture of the Musée des Arts DécoratifsThe Musée des Arts Décoratifs
Picture of the Louvre PyramidThe Louvre Pyramid