Me and some friends competed in a Capture The Flag up in Sunderland, UK. It was a camp run by the Cyber Security Challenge UK, hosted by the University of Sunderland and run by two Whitehatters/Raytheon UK employees. It was great fun and I thought I’d write a post about it to give people an idea of what to expect at a CSC camp/CTF.
So there are two main types of CTFs:
Jeopardy-style CTFs consist of completing different challenges from a broad range of categories in order to earn points; whereas attack-defence CTFs consist of two teams, one team who defends a network or server, and another who attacks it. The CTF we were attending was jeopardy-style.
The journey up
We set off the night before as it was a long drive to the venue and booked a hotel for the night. Driving up consisted of what you’d expect a bunch of “hackers” in a car to be like… A good old sing-song with a few typical: “I don’t know this one…” which was met with a classic: “Are you serious!?”. Once we arrived at the hotel we dropped off all our stuff, and set out for some food… but as it was a bank holiday and quite late everywhere was closed! So we went back to the hotel, ordered food in, and watched “Catch Me If You Can”. I suppose it would have been more cliché to watch “Hackers” but who doesn’t love a film about an expert Social Engineer!
[07:00] The CTF
We all awoke around 7AM, relaxed, and had breakfast. We arrived at the venue at 10AM where we were welcomed and asked to wait with the other teams whilst they sorted out lanyards and name tags. Of course tea and coffee were provided because we’re English and that’s what we drink.
[10:00] Part one
Once everyone was sorted we all went into a lecture room for the welcome/introductory talk where the schedule was laid out and attendance was checked. It was all very informal and relaxed with some humor which is always nice.
After the talk we were all directed to our work stations (all running Kali 2.0). Once we were all sat and ready there was an introductory talk explaining what CTFs are, what we will be doing, and an example challenge for anyone new to CTFs, and finally the legal issues were laid out and it was pointed out that the NCA were on site, obviously just in case anyone decided to “hack the planet”!
After that the CTF started! It was developed using Facebook’s framework and consisted of a map of the world where each country had a challenge (not EVERY country was used). Hovering over a country displayed its category, title, and the amount of points it was worth. The challenges covered a wide range of categories such as binary exploitation, web app security, cryptography, forensics, even some type of riddles. One of the challenges even required us to call a phone number. We started off a bit slow and I (typically) had some problems with my computer that the techies were trying to sort out. Until my computer was sorted I became the coach of the team and helped the others figure out/complete the challenges.
[12:00] Side Challenge
Eventually me and my team were pulled to the side in order to complete a side challenge. We were all given a lock attached to a timer and we were required to pick the locks as fast as we could. After an initial introductory talk and getting set up/ready, we gathered up our mighty sword (the rake pick!) and started. I managed to pick my lock in about ~4 seconds but due to a technical problem the timer messed up and I agreed to pick the lock again. Frustratingly I got my pick stuck and my 2nd run took around ~10 seconds. I wasn’t too fussed and was happy for them to take the 2nd (longer) time. We then went back to work on the CTF.
[12:30] Lunchtime & Presentation #1
Eventually it was lunchtime and we were all asked to step away from the computers. Of course I encouraged keeping a clean desk policy and locking the screens of our computers. It’s worth noting here that you should always change your password and lock your screen once an event like this starts, but in this case the techies asked us not to change them and assured us the computers would remain untouched. We had some more tea/coffee with some sandwiches, fruit and crisps (classic CTF food!) and over lunch we spoke with some of the other teams about what they do and how they got involved. I discussed my journey with the CSC and how it’s been life-changing, opening so many doors, and encouraged the others to get more involved after the CTF was over. After that we then had an absolutely fantastic presentation by Daniel Cuthbert from SensePost about the evolution of hacking and how it’s changed from curiosity to criminality over the years (among other things).
[14:00] Part Two
After lunch and the speaker we got back to the CTF. Things got quite intense towards the end as we had some revelations in the team about the more difficult challenges and attempted to rush and complete them before time ran out. We ended up about ~80 points behind first place when it all came to a close and access to the CTF was terminated. And I have to say we were quite happy with that and how we had done. I was extremely happy with how my team had done and given this was their first CTF I was quite impressed!
[16:00] End of CTF & Presentation #2
Once the CTF was over & before the scores were revealed, we had another great talk by Steve Wilson from BT about what penetration testing is all about and the different approaches to it; providing a real world example (which is always really interesting and fun to hear about).
[17:15] End of the day
And then, finally, we had a closing talk by the hosts and the organizers, thanking everyone for attending and making sure we all had good fun! Then the scores were released! The scores had changed slightly from what we saw whilst playing, as external events such as the lock picking alter the scores slightly, and eventually it was announced that it was neck and neck but that our team came 2nd place! Which was absolutely great! Once all the scores were announced, pictures were taken and awards / certificates given, the whitehatters walked us through a couple of the challenges that remained unsolved, which is always a plus!
That’s that! Overall the event was a great success and great fun! It was nice to meet some new people looking at careers in cyber security and to see what skills they had! And it was also really nice to catch up with old friends. If anyone is interested in cyber security and wants to get into the industry, the Cyber Security Challenge UK is a great place to start developing your skills and making contacts, and attending CTFs like the one here is a good way to put your technical ability to the test as well as you know… get a free lunch!!
By Oliver Simonnet