CSCAMP 2013 CTF – All about the mystique ctf
In the current days, it`s astonishing to find many IT personnel and information security officers not aware about the world of the CTF, though there are many events and organizations handling many CTFs per year at a large scale.
CTF stands for capture the flag, it`s a competition where security enthusiasts play a various categories of games all related to security, the aim is to find a key in their targets and submit it for points. Of course in each categories there are different levels with different points and by tradition, the team that submits the keys first gets more points.
A CTF is usually organized by organizations or entities that are involved in the information security field, also global conferences like defcon have their own ctf, the ucsb ictf comes out from the university of california santa barbra branch, there are plenty of other ctfs too like the cyberollympics ctf with the final round held in hacker halted in usa. You can track them all from a website called ctftime. Org which contains information about the ranking of teams, upcoming ctfs and other related info.
How does it all happen, well, basically there is an announcement for a qualification phase, that phase is usually online and any person can participate in it, the top teams scoring in the qualification phase can
continue in the final phase, the final phase is held offline at a certain place in most of the time. So, let`s dive into the details of the ctf. The CTF has three types, there`s the Jeopadry style: contains some tasks distributed among
• Web : where you`re required to find some vulnerabilities in a web application , bypass the security
of web ids or certain evaluations, Sqli, nosql,LFIs, RFIs and others lie in this category, i advise you to check the
top 10 OWASP web security risks.
• Crypto: here you are generally asked to get the plaintext, given a cypher text and in many cases you are not given the encryption algorithm, you just figure it out, mathematics geeks will find this one worthy,
you`ll need writing some code to test and apply your deductions.
• Reversing: you`re given a compiled application and you`re asked to find the key. You might find the application running and asking you for a password, or it`s even crashing and you`ll have to reverse the
application and get used to decompilers and debuggers to patch the application and trace the logic to get the key. Good command of assembly and os concepts is needed. The applications can be on any os including
the mobile phones and embedded devices
• Forensics: a bit of steganography where you`re asked to recover data hidden in images, sound files or even movies and it might be also a memory dump or a capture dump and you`ll have to extract everything
piece of information that can lead to you answer.
• Trivia: not included in all ctfs, it`s basically some questions asked related to information security that are not so easy to find using google and will require some reading and general knowledge in the field.
• Exploitation: also not found in all online ctfs, here you`re required to exploit a service running on a remote application and escape the context of the application, to get the contents of the key file, here you might need
privilege escalation and finding vulnerabilities in your target platform.
The other style is called attack-defense:
It`s basically following the idea of red and blue teams where a team is responsible for patching their network or their host and they are given some time before they are connected to a network containing the hosts of the
other team and you try to bypass their security measure and hack their network or pc while defending your resources from their attacks. The ctf are said to have started in this way.
Other mixed types combine a mixture of the previous two. The cyberollympics had the attack-defense style without the offensive part of attacking other networks, you only had to patch a fedora and a windows server
and you get points on the services patched. So now you are introduced to the types of a ctf. In cairo security camp the ctfs are of a jeopadry style, we`ve been running the ctf in each cairo security camp. In
this year which is the 3rd ctf organized by bluekaizen.
The qualification phase had more than 250 teams from countries all over the globe. The final round was held during the 2 days of the camp, the first team more smoked leet chicken (mslc) was represented by one of
its russian members who ranked the first and won the prize, the second where r0x with a slight difference between them and the third team named rabaa. Many people are asking by now, “how can i prepare
myself to participate in these interesting games”.
Well it`s pretty simple, in order to pass you`ll have to construct a team of various talents covering the categories of the ctf. It`s hard to focus on all of them at once, choose a category and start practicing a lot. A
good team consists of people talented in the various categories.
If you choose the web challenges then you can download vulnerable web applications like dvwa, webgoat and others, then try to get the most out of them. Get familiar with owasp top 10 vulnerabilities
and their protection techniques and how to bypass them.
For the reversing and exploitation practice you can refer to the crackmes.De site which has many executables for reversing and you might want to check opensecuritytraining.Info which is a good site with
materials supporting a wide range of security training including tutorials on reverse engineering and binary analysis.
For forensics, you`ll find plenty of resources and tools, but i recommend playing ctf and downloading the forensics files for later reference and practice.
For crypto you can attend the cryptography course at courseera site and practice a lot with their assignments and examples provided.
A good practice is to play ctfs a lot and review the writeups of teams regarding their solved challenges, you can find these on ctftime.Org too. Many players post
their write-ups at their blogs, get social and try to ask them about it in the irc channel of the ctf. This brings us to the communication, many of the egyptian players this year were not familiar with irc (internet relay chat)
, it`s a must a quick and effective way to get help and support, so check youtube on dealing with your irc. Ctfs are not for script kiddies, expect lots of brain teasers and challenging ideas that will trigger your innovation and skills consistency.
Playing a ctf puts your security knowledge to an interesting real world practice and ranks you among other security professionals. Many winner players from the ctfs get offers from many companies and are
always under the spotlights. It`s definitely worthy even for the fun and joy of it. You get to know many geeks and talented security pros in such environments.
This year`s ctf was organized by many talented people who helped a lot in writing the challenges, 2 ctf writers came from tunisia Achref akremi and Nejmeddine khéchine to participate in writing the ctf levels ,
they spent time reading books and crawling in many resources to produce high quality challenges. Mohab Ali made good effort in the ctf panel and with Ibrahim mosaad and ahmed aboul ella they wrote some
nice web challenges,khaled nassar wrote some nice reversing challenges, ahmed abed made many crypto challenges but we were astonished that the egyptian teams didn`t bother to look at them, though crypto
is the only thing we learn in computer science and computer engineering that’s much related to security. Menna eissa wrote some challenging reversing levels.
All in all we`re proud of the overall feedback from all participants. The prize for the first team was a laptop and for the second was nexus tabs.Previously the ctf was organized by synapse labs with the lead of ehab
hussien and sofiane talmat which was great and included exploitation challenges.
We`re trying to put a program where we`ll able to hold more ctf at a more frequent rate and we`re thinking of starting mini ctfs in universities and making another one among all the universities that have bluekaizen
chapters and will try to include more categories like social engineering and other physical hacking categories. Keep tuned and for more info please contact [email protected]