Top 5 CTF Tips from a CTF Virgin

My Virgin CTF

At DerbyCon 2014, I participated in my first conference CTF (Capture the Flag) event. For those that haven’t yet done one, you take your laptop configured with your attack tools and join a network of hundreds of other conference-goers. All of you are tasked with exploiting information security weaknesses in the vulnerable systems on the network (hopefully not exploiting other CTF participants…although sometimes that is in scope!). When you exploit a flaw, you look for flags and, when you find them, you submit them to the scoreboard and your team gets points. The team with the most points at the end wins some prize. There are many variations of this, but this is a general description.

This was my first conference CTF. I joined up with some guys I kinda knew but had never “worked/hacked” with, and we became a team; team “JustTh3T1p”. The other guys (who you should def follow on the Twitters):

At 9am on Friday, the doors opened and we were hacking. It was glorious chaos.

The DerbyCon CTF this year had 1,000+ flags for us to find in a variety of places, from Raspberry Pis to MySQL databases and everything in between. There were Wi-Fi flags, reverse engineering, file carving, steganographic, SQL injection, hash-cracking and many more flags. It was a good time.

It was frustrating and challenging. It made me do my ‘root dance’ and bang my head against the table. Terrific suffering.

I decided that I would sit in the CTF room each day while it was open and then, once it closed, I’d stop doing the CTF for the day and go do more social things. Friday I logged 9 hours doing the CTF. Saturday was 12. Sunday was only 3 since it ended at noon. Some people hacked all night long on the Wi-Fi network of the CTF... I needed some distance but still found myself in my room at 1am looking at some files I grabbed while on the CTF network and trying to break them open to get at the flags. I was hooked.

I won’t recap each day/flag. We led the teams the whole first day and into the second. Saturday our lead faltered and, at the end, we earned a very respectable 4th place out of over 100 teams. Prize for 4th place was claimed in person by @dacoursey and can be seen in the closing ceremony video.

Lessons Learned

Occasionally, when the tide of caffeinated drinks ebbed from my system, I could take a moment to assess where I was in the CTF, what was happening, what was going wrong and what was working well. Here is what I remember from those under-caffeinated moments in my first ever Top 5 CTF Tips.

Share data with those that need to know

We didn’t think this one through before CTFing (is that a word?). We had a team of 4-6 people and needed to share data (vuln scans, notes, who had already exploited what, what flags we had already found…). We shared poorly and found over and over that one person had just exploited a system whose flag another member had already found and submitted hours earlier. Tremendous duplication of effort.

Take good notes

Whether you use a text editor, a MindMap (see my blog post) or something like Lair, Dradis or Etherpad, take good notes: what you did, what you found, where you didn’t complete a challenge, what flags you found. Share all of this with your team. Repeatedly. Over and over.

Don’t be afraid

One of the best parts of the CTF was that none of us knew the answers to many of the challenges. Sure, if we see a WEP-encrypted Wi-Fi network, we know how to crack the key. But some of the challenges were complex and there were so many of them that each of us was stumped by something. I think we handled asking for help really well. I would say to the other guys “I have a vuln that is exploitable with Metasploit’s XYZ module. Anyone want to exploit it?” Don’t be afraid to ask questions about stuff. No one knows everything. Except Chuck Norris.

Snapshot and revert

If you are using a virtual machine (VM), take a snapshot before the CTF so that afterwards you can revert the VM to its clean, tool-loaded state. If you are using your host system to hack, try to keep your data files in one area. I ended up with files all over my host and VM systems. It is annoying. Oh. If you are doing a CTF where YOUR computer is fair game to be attacked, then definitely make sure you snapshot it before and revert after. You never know what Ebola-like virus someone has placed on your computer.
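The snapshot-before, revert-after routine above, as an added example (this script is not from the original post). It assumes the VM runs under VirtualBox, so the VBoxManage CLI is on the PATH; the VM name "kali-ctf" and the snapshot name "pre-ctf" are placeholders. Setting CTF_DRY_RUN prints the commands instead of executing them, which is also how the script can be checked without VirtualBox installed.

```shell
#!/bin/sh
# Added example, not from the original post. Snapshot a VirtualBox VM before a
# CTF and roll it back afterwards. Assumes VBoxManage is installed; the VM name
# and snapshot name below are placeholders (override with CTF_VM / CTF_SNAP).
# Set CTF_DRY_RUN=1 to print the commands instead of running them.

VM="${CTF_VM:-kali-ctf}"
SNAP="${CTF_SNAP:-pre-ctf}"

# Build the exact VBoxManage command line for one snapshot action, so the
# command can be inspected (dry run) or executed. Prints a single line.
ctf_snapshot_cmd() {
    action="$1"; vm="$2"; snap="$3"
    case "$action" in
        take)    echo "VBoxManage snapshot $vm take $snap" ;;
        restore) echo "VBoxManage snapshot $vm restore $snap" ;;
        delete)  echo "VBoxManage snapshot $vm delete $snap" ;;
        *)       echo "unknown snapshot action: $action" >&2; return 1 ;;
    esac
}

# Execute a command, or just echo it when CTF_DRY_RUN is set.
run() {
    if [ -n "$CTF_DRY_RUN" ]; then
        echo "[dry-run] $*"
    else
        "$@"
    fi
}

# Before the CTF: record the clean, tool-loaded state under a known name.
ctf_before() {
    run $(ctf_snapshot_cmd take "$VM" "$SNAP")
}

# After the CTF: VBoxManage refuses to restore a running VM, so power it off
# first, then revert. Anything dropped on the VM during the CTF is discarded.
ctf_after() {
    run VBoxManage controlvm "$VM" poweroff
    run $(ctf_snapshot_cmd restore "$VM" "$SNAP")
}

# Usage: ./ctf-snapshot.sh before   (at the start of the event)
#        ./ctf-snapshot.sh after    (once you are off the CTF network)
case "${1:-}" in
    before) ctf_before ;;
    after)  ctf_after ;;
esac
```

Two caveats worth remembering: the restore only returns the VM to the snapshot, so copy any loot or notes you want to keep out of the guest first (ideally into that one data area mentioned above), and the same workflow applies to other hypervisors with their own CLI (for example vmrun's snapshot and revertToSnapshot commands for VMware), though only the VirtualBox commands are shown here.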

Never underestimate the value of face time

No, not Apple’s FaceTime. I’m talking about getting people together in the same place to deal with the same problems. Communication is faster than a fiber optic cable and clearer than the best MiFi wireless connection. I used to think that working from home was the best way to perform pentesting. I had my music and my comfy desk and my food. There is no commute time and I can do it at any time of the day or night. I can reach out and IM/video chat with my team. Things are good! But then I hacked in this tight team where I didn’t have to spend 5 minutes typing an issue into a chat window to explain it to someone. Communication was easy and fast. Doesn’t mean I won’t be working from home but I am rethinking how I do some of my work tasks.

Where do I go from here?

The DerbyCon CTF was cool. I’d definitely do it again. There are many CTFs that are online and available all the time, and all have systems you can exploit. Try them. I’ve brought the CTF bug back to my local hacker space at NoVAHackers, where we will be working on several CTFs together to get better as a group. Some of these lessons I’ve spoken to my team at work about. Mostly, I know I tried, I learned and I’m stronger for the experience and the friendships I gained by doing this CTF.
