Trinity student Euan Ong was a member of the team placed third out of 51 teams competing in the recent global C2C CTF challenge. He describes the demands of this 24-hour cyber security event – and the satisfaction of cracking complex problems.
Was the event what you expected?
The competition itself turned out to be more approachable than I expected – the event organisers managed to create a competition that was both accessible to beginners and had challenging problems for those with more experience. The range of problems was also very diverse – this is one of the few times I’ve seen an open-source intelligence (OSINT) category on a CTF.
What were the problems like?
The problems in the CTF were divided into four categories:
- Cryptography: you’re given either an encrypted message or a system which makes use of encryption in some way, and you have to decrypt the message or manipulate the system to do things you shouldn’t be able to do with it (e.g. extracting secret information, or tricking the system into thinking you’re an admin).
- DFIR (digital forensics and incident response): you’re given digital artefacts from the scene of a cyber-crime incident (e.g. the memory dump or hard drive image of the attacker’s computer), and you have to dig through (and sometimes repair) the artefacts to extract incriminating evidence or details of the attack.
- OSINT (open-source intelligence): gathering data (e.g. about people / companies) using only data and information available to the general public.
- Reverse engineering: you’re given a program (e.g. a piece of malware) and have to dissect it, understand how it works and extract its secrets.
Examples
- Cryptography: Problems ranged from cracking insecure passwords on encrypted ZIP files (it turns out short, common passwords are worryingly straightforward to crack…) to exploiting a system which encrypts any message you send it together with a secret phrase in order to extract the secret through careful choices of message.
- DFIR: Problems included finding evidence for a human trafficking court case from a copy of the suspect’s hard drive, and analysing logs on a corporate server to find the traces of an attack, identify the vulnerability used to gain access and crack the password for the attackers’ hidden backdoor.
- OSINT: Problems included looking up MAC addresses of WiFi access points to locate a hacker who leaked information about their home WiFi router through a desktop screenshot, and trawling through Australian public data websites to find information about pedestrian footfall in key areas.
- Reverse engineering: This section included the only two problems our team didn’t manage to solve. These last two problems were a particularly devious set of binaries which performed HTTPS client certificate authentication with a server (in other words, not only is the communication between the client program and the server encrypted, but the server will only talk to you if you can show it a secret it has previously ‘signed’). Not only were they very difficult to dissect, but it was almost impossible to intercept their traffic (and work out how to modify the message the client sent in order to ask the server for the flag) unless you realised, as we only found out after the competition, that you could trick them into sending their data over an insecure channel…
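The cryptography example above (a system that encrypts whatever message you send it together with a secret phrase) comes down to a mode-of-operation leak. The following Python example is added here for illustration and is not code from the competition or from the interviewee: it builds a toy encryption oracle around a constructed keyed 16-byte permutation (a four-round Feistel network with an HMAC round function, standing in for a real block cipher) and a constructed secret, and runs the two checks a defender would use to recognise the weakness. Under ECB, a chosen message made of repeated blocks produces repeated ciphertext blocks, and two messages sharing a prefix share ciphertext, which is exactly the property that lets careful message choices confirm guesses about the secret; under a randomised mode (CTR with a fresh nonce per message) the same probes show nothing. All names (`ecb_oracle`, `ctr_oracle`, `leaks_structure`, `prefix_equality_leaks`) and the key and secret values are assumptions made for this example.

```python
import hashlib
import hmac
import os

BLOCK = 16
# Constructed values for the example; not taken from the competition.
KEY = hashlib.sha256(b"constructed demo key").digest()[:16]
SECRET = b"flag{constructed-secret-not-from-the-page}"


def _round(key: bytes, idx: int, half: bytes) -> bytes:
    """Keyed Feistel round function: HMAC-SHA256 truncated to 8 bytes."""
    return hmac.new(key, bytes([idx]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte keyed permutation (4-round Feistel). It stands in for a real
    block cipher; the leak shown below comes from the mode, not from the cipher."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        f = _round(key, i, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_oracle(key: bytes, message: bytes) -> bytes:
    """The weak design: message || SECRET encrypted block by block with no randomness.
    Equal plaintext blocks always give equal ciphertext blocks."""
    pt = pad(message + SECRET)
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def ctr_oracle(key: bytes, message: bytes) -> bytes:
    """The hardened design: a fresh random nonce per message, keystream from the
    permutation in counter mode. The nonce would be sent alongside the ciphertext
    in a real system; it is omitted here because the probes only inspect the body."""
    nonce = os.urandom(12)
    pt = message + SECRET
    out = bytearray()
    for ctr in range((len(pt) + BLOCK - 1) // BLOCK):
        keystream = block_encrypt(key, nonce + ctr.to_bytes(4, "big"))
        chunk = pt[ctr * BLOCK:(ctr + 1) * BLOCK]
        out += bytes(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


def repeated_blocks(ct: bytes) -> int:
    """Number of duplicate 16-byte blocks in a ciphertext (the classic ECB tell)."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))


def leaks_structure(oracle, key: bytes) -> bool:
    """Probe 1: send three identical blocks. ECB reproduces identical ciphertext
    blocks; a randomised mode does not (except with negligible probability)."""
    ct = oracle(key, b"A" * (3 * BLOCK))
    return repeated_blocks(ct) >= 2


def prefix_equality_leaks(oracle, key: bytes) -> bool:
    """Probe 2: two messages that agree on their first block. If the first
    ciphertext block is identical, the oracle lets a caller confirm whether two
    plaintext blocks are equal, which is the lever behind 'careful choices of message'."""
    ct1 = oracle(key, b"A" * BLOCK + b"X")
    ct2 = oracle(key, b"A" * BLOCK + b"Y")
    return ct1[:BLOCK] == ct2[:BLOCK]


if __name__ == "__main__":
    for name, oracle in (("ECB", ecb_oracle), ("CTR", ctr_oracle)):
        print(name, "repeated blocks:", leaks_structure(oracle, KEY),
              "prefix equality:", prefix_equality_leaks(oracle, KEY))
```

Running it prints `True True` for the ECB oracle and `False False` for the CTR oracle. The two probes are the same ones a reviewer can run against any black-box "encrypt my input plus something secret" service: if either returns `True`, the service is deterministic per block and its secret is at risk from chosen inputs; the fix is a mode with per-message randomness (and, in practice, an authenticated one such as AES-GCM rather than plain CTR).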
What was most challenging about the competition?
I’d say the sheer length of the contest – most CTF-like competitions I’d participated in before had only been a few hours long, so this was my first 24-hour CTF… Although I got some sleep the morning of the contest, solving (or, as was often the case, failing to solve) problems for effectively 16 hours non-stop is surprisingly tiring!
What did you enjoy most?
The problems! There’s nothing quite like the satisfaction of finally cracking a tricky problem – especially after hours of banging one’s head against the figurative wall.
How did you find the interaction with your team members around the world?
Contestants were assigned to teams of five from different universities (including the University of Cambridge, the University of Edinburgh, George Mason University and the Technion). Although some members of our team were unable to participate in the actual event, we worked well as a team, collaborating over the Discord server set up for us by the organisers.
What experience did you have of previous cyber security competitions and how did you prepare for this event?
Coming into the competition, I was fairly familiar with CTFs and cyber security ideas through participating in the Government’s Cyber Discovery program. As this had a slightly different emphasis to the listed focus areas in the C2C CTF, I took this competition as something of an excuse to dive into reversing, binary analysis and some of the more mathematical areas of cryptography — while not all of these ended up featuring in the actual contest, it was a good chance for me to get to grips with some topics I’d been meaning to learn for a while.