Security pen-test contest

Hi y'all,

I am participating in a security council/pen-testing contest. It is run by my institution and basically we have to hack as many people as we can. There are different points for different things, and here is our scoring system (really simplified, ranked from the least points to the most points), obviously the more people you hack the more points you get:

  1. Reconnaissance (gaining target IP address, MAC address etc.)

  2. Password cracking (Gmail, Facebook etc.)

  3. Total control (Have REMOTE total control over computer)

Our team decided to use the BeEF framework, with mass mailing, to hijack the school computers so whenever someone clicks on our link, the school computer’s browser is hooked. We then social-engineer and try to make them run an “update”, which is actually a reverse_tcp backdoor, gaining us total control over the target computer (which places us in tier 3).

The problem is mainly the social engineering bit; I need suggestions on how to convince the target to download and run the executable. Most people in our institution are quite tech-savvy and know the basic “adobe flash update” scam, so they probably won’t fall for that. Another problem that I/our group face: we need to ensure that the target does not close the browser immediately because it takes time for the JavaScript to “hook” their browser. So yeah, if there are any suggestions on how our group can overcome those two obstacles, or if you have any other brand-new approach that can gain us remote total control over a large number of PCs, it would be truly appreciated. Thanks in advance!

TL;DR, security contest, need to gain total control over a large number of PCs. Idea is to use BeEF to hook and download backdoor. Problem: Social engineering (making them run the exe) and how to convince target to not close the website. Any suggestion is appreciated, thank you!

Note: Please rest assured that this is not illegal. Our institution granted us permission to use its computer labs as an environment, so we are not hacking the personal devices of its members. All our hacks have to be checked by several judges and IT experts to ensure that they don’t do any lasting damage to the system.