Capture The Flag (CTF) competitions are globally popular among both professionals and enthusiasts in information security. CTF competitions are often great fun, but they also play an invaluable role in improving the skills of security specialists. A tournament will usually take anywhere from a day to a couple of days and is conducted over the internet or face to face in the “olden times”. During that time teams try to solve as many security and hacking-related challenges as possible, each challenge is considered a “flag” and each flag is typically worth a range of points depending on the complexity of the challenge.
Trustwave SpiderLabs recently hosted a CTF tournament directly supporting the BlackHat 2020 US conference. The Jeopardy-style competition took place from August 6 to 8, 2020 and it brought hackers and security enthusiasts from all over the world.
The Jeopardy style, one of the most common CTF types, is a list of challenges that each act as a flag worth a certain amount of points. The flags were a random string, collection of hexadecimal numbers or even whole sentence. These challenges involve skills like exploiting a vulnerability, solving programming or logic problems or just drill the internet for OSINT in order to find a mystery flag. Teams compete for the highest number of points they can score in a given time frame – 48 hours in this case.
A dedicated Discord server was available all the times for players and tournament administrators for communication, questions and concerns. During the tournament the SpiderLabs CTF page was active serving as a central spot to follow things like challenges, scoreboard and flag submission form.
Across all the challenges and flags, there was a maximum of 8600 points. The winning team got 6300 points. Out of the 43 challenges only 3 remained unsolved.
The CTF proposed nine different categories:
The challenge that was solved the most was solved 136 times. It was an OSINT challenge. Three challenges were solved only three time, which included two exploit challenges and one reverse engineering challenge. Also, while a total of 24,411 flags were submitted, only 8.2% (2002) were valid flags. Hint for future CTF participants: brute forcing the scoreboard usually will not pay off that much, but nice try.
From over 500 registered teams, 189 scored points. A maximum number of 6 participants per team was allowed. Teams had 43 challenges to choose from different categories with various complexity levels and point values:
The following prizes went to the best Teams:
1st Place - $2,500 Playstation, Nintendo, Steam or Xbox live Gift Card
2nd Place - $1,000 Playstation, Nintendo, Steam or Xbox live Gift Card
3rd Place - $500 Playstation, Nintendo, Steam or Xbox live Gift Card
4th-100th Places – a SpiderLabs CTF custom T-shirt
Congratulations to the ‘Bat Squad’ team for an amazing score and winning the CTF tournament. Also, congratulation to ‘gmu_mcc’ and ‘efiens’ teams for the second and third places. Great job!
It is always challenging to create CTF challenges and ensure that the participant will follow the intended path. At least one challenge was solvable using a simpler path. But in the end of the day hacking is about the destination and not the journey. If you missed the event and want to try some of the challenges that were presented some of the challenges are going to be hosted on the https://ringzer0ctf.com website.
Happy hacking and see you next year!