My CTF experience @NorthSec 2018
This blog post was authored by Zuzana Hromcova.
In May 2018, I was able to attend NorthSec event thanks to Women In Tech Funds. As an infosec conference first-timer, as a Computer Security student, and as a reverse engineering fan, I would like to share my experience with my fellow female tech enthusiasts.
But first things first – NorthSec is an international event dedicated to computer security based in Montreal, Canada. Over a week, six hundreds of participants meet up to attend workshops, trainings, conference and an on-site capture-the-flag (CTF) contest.
One thing that is amazing about NorthSec is that it is powered by volunteers who love organizing the event, and you can see they are enjoying it a lot. Dozens of volunteers spend hours of their free time to prepare challenges for the contest, to negotiate the conference talks with the speakers, to take care of the registration and so on. But we could tell they actually love it! During the event, they were wandering around us, smiling at everyone and making sure we are enjoying ourselves.
Another thing you shouldn’t miss if you ever plan to attend NorthSec is the unique CTF competition. 400 participants in one big hall have 48 hours to solve cunning challenges, and it is terrific.
When I first found out the NorthSec organizers are donating tickets to the event to women, I only wanted to apply for the conference, but then I decided to try the CTF contest as well, even though I had never attended such an event in the past, not even online. It turned out to be the right choice because I ended up enjoying CTF even more than the conference.
All I knew about a CTF competition before I departed for Montreal in May 2108 was that you work in a team who solves various challenges to obtain secret messages (flags). The challenges vary in difficulty and require a range of skills such as reverse engineering, web hacking or forensics.
However, I couldn’t imagine how it would be like, and I had like a million questions in my head. How will the challenges look like? Are they going to be independent of each other, or will we have to solve one to unlock another one? Are we going to use our computers to solve the task or will there be any infrastructure prepared? Which OS and tools are permitted, recommended or even essential?
Since I didn’t sign up for the competition with a team, I was going to be assigned to one randomly. But what if the teammates are too experienced compared to me and what if I slow them down? Since I am mostly a reverse engineer with a little background in penetration testing, I was also worried about whether I would be able to solve any of the tasks. What if the challenges require all the skills combined, or what if they are just too complicated for a student?
And most importantly, how is the competition going to look like if the schedule promised it would be open from 8 AM to 3 AM? Will it be a super-intense battle with no time to eat or sleep?
All of these questions bothered me before the competition, but everything has turned out just fine. I was assigned to a team mostly made of students my age, some of them were even younger. Each of us was specialized in some field so we could divide the challenges among ourselves and learn from each other. We used our laptops with any tools we liked to work with.
The challenges were published in batches, and there were no relations between them. We didn’t have to worry we would get stuck in the first stage and never advance since there were always many challenges that we could try and solve.
Of course, we only solved a few tasks and were far from the best teams, but we enjoyed it. I have seen other groups being concentrated till late hours, using sophisticated tools or solving more challenges at once but that was out of our league.
My favorite part of the competition was the Sunday noon when we solved our last challenge together. It was a pcap file from which we had to extract a password-protected archive, and also recover the password hidden in the traffic. The archive contained a photo of the further instructions using which we finally recovered the flag. I liked this challenge because we worked to solve it together as a team, in spite of our language barrier from the beginning (my teammates preferred to speak French which didn’t work for me) and even though we haven’t had any team training before the competition.
Another challenge which took my breath away was solved by my teammate Laurent, who successfully identified a type of printer just from being handed out a single printed page.
I also tested my reverse engineering skills and was able to break a few challenges but what was even more important for me is that I got to see a whole lot of other types of tasks! This year, I couldn’t solve any web application or forensics challenges, but next year, I would like to try them as well!
For now, this experience has motivated me to dig deeper into the topics of information security. I know there are so many things to learn and then what I need to do is practise, practise, practise! Looking for a flag is fun, and it is very rewarding to find one but it takes some time to learn how to approach them.
It was inspiring to see how other teams approached the competition. They were mostly experienced infosec enthusiasts, or guys working in this field. Their teams had long traditions, taking part in various CTF contests, online or on-site, having team T-shirts and mascots. They had their custom tools and scripts ready before the competition, and they were so fast in solving the challenges! We were working hard to earn our 34 points while the top 12 teams in the scoreboard had more than 100 points, which was unbelievable. We finished 37th out of 50 teams and were satisfied with this result since it was our first time but we have certainly so many things to improve, and the other teams can be an inspiration for us.
My homework is therefore, to try as many online CTF contests as I can, to get acquainted with useful tools and become comfortable with writing scripts to automate the work.
The NorthSec organizers even suggest a few valuable resources to start with, so I encourage everyone to join me and learn something new. If you also fall in love with the hunt for challenges, we might meet at the next year’s NorthSec CTF and fight against each other :)
One more important thing is a list of places where to start if you want to prepare for a CTF competition, as suggested by NorthSec organizers:
- RingZer0Team: Many challenges from NorthSec previous editions are hosted on this platform
- OWASP Vulnerable Web Application Directory: List of vulnerable web applications to test online or offline