The event takes place with the help of Samara State University, the Department of Information Technologies and Communications of the Samara region, as well as the companies Computer Technologies and Rostelecom. This year, 15 Russian and 8 international teams took part in the finals, each representing a university, including four teams from ITMO. Two of the latter got into top-10, and the team More Smoked Leet Chicken got first place.
ITMO.NEWS talked to the captain of the winning team Vlad Roskov, a trainer at the SPbCTF community and an employee at Kaspersky Lab, as well as to VolgaCTF participants Anantoliy Korniltsev and Ilya Glebov about the competition's tasks and the tactics that helped them win, as well as the role of luck in such tournaments.
On the event and the level of competitors
It was the second time that we participated in VolgaCTF; last year we also won the tournament, though under the name LC↯BC. As this is a university event, all teams had to have students in their lineup – but that doesn’t mean that they had to be composed of students only. As for us, only Ilya is still a student, the other four are older members of the SPbCTF community, distinguished participants of contests who have become trainers themselves and now educate the next generation of talented youth. By the way, the other two winning ITMO teams, Kappa and fargate, also stem from our club.
This contest didn’t feel easier due to it being a student event: everything was on the same level as usual. Bushwalkers from Lomonosov Moscow State University, Corrupted Lights from Moscow Institute of Physics and Technology – those are among the strongest teams that get top positions in Russian and international competitions.
The level of tasks and challenges was also worthy. VolgaCTF was really an international event that brought together teams from all around the world: Germany, Italy, Austria, Taiwan, etc. This is a level that few organizers can handle, especially if they don’t have connections with major corporations such as Sberbank, for example. And VolgaCTF is organized by people who are rather associated with university-level communities, which makes organizing such a large-scale event even more commendable.
The level of organization is also improving. Last year, I didn’t like it at all, but this time, there were less serious issues. Or maybe I was just mentally ready for them, which made it easier to cope. For example, last year, the bot that checked the availability of services didn’t work correctly, which spoiled the overall impression from the event – this year, there was no such problem. But they still postponed the start by an hour and a half.
On the whole, VolgaCTF is mid-level by the international standards. But as it was our only trip in 2020 – for obvious reasons – we can well call it our best away competition of this year.
On nonconventional tasks, tactics and luck
During all of CTF competitions in the Attack-Defense format, teams are provided with a service that has some vulnerability designed by the organizers. There’s also a database with restricted access: it has to be hacked in order to retrieve valuable data. This time, the database was accessible right from the start, which seemed unusual. The teams had to first restrict access to their databases, and then attack the services of other teams.
What’s more, one of the services was written in Node.js, with the use of WebAssembly, which can be very difficult to reverse. This was really hard and unusual for CTF competitions.
We spent a lot of time on this challenge, and made it a part of our tactics. The usual approach is to find some vulnerability that’s common for all and start hacking with it. It’s natural that when opponents see how exactly they are being hacked, find the flaws and mend them. They also start using the very same vulnerability to hack others. What we did was mend this vulnerability in others and leave it open for us. This was a risky trick, because while we were at it, someone could attack us using this flaw. Actually, it then turned out that we mended this vulnerability just a minute before the time that another team planned to start attacking it. In fact, we lucked out, but luck generally plays a significant role in the Attack-Defense format.
About the team
On the whole, our team is big; there are 65 people in our common chat, but only about eight people actively play. We got together at ITMO in 2009 and in 2010, we already became one of Russia’s best teams. In 2011, we united with guys from Chelyabinsk and began participating under our current name More Smoked Leet Chicken. In 2012, we got first place in the international rankings (by the way, we are now second, right after the American team Perfect Blue).
Later, in 2016 when we launched the SPbCTF project and started training a new generation, new people started to join us, those who were interested in playing as part of a strong established team. In the same 2016, members of BalalikaCr3w also joined us, and we started playing under the name LC↯BC, which we used until this year.
Apart from Ilya and Anatoliy, two other members of our core lineup went with us to Samara: Egor Zaytsev, one of SPbCTF mentors, a specialist in reverse engineering and binary vulnerabilities, and Pavel Tatarkov, a specialist in website vulnerabilities who formerly worked for Kaspersky Lab.
Why go to CTF tournaments
You never get bored with competitions – they give you so much adrenaline and drive, just like any other sport. The tasks are never the same, as the field of cybersecurity is vast and covers lots of unconventional approaches in IT. The organizers always come up with something that hasn’t been used before, something that’s interesting to figure out, solve, and comprehend. What’s more, the field of IT is a rapidly developing one, new technologies are constantly emerging, and the complexity of tasks is growing with them.
CTF is cool because it’s a simulation of attacks that are currently popular. So the notion that such competitions are only beneficial for students is wrong. In fact, when you work in cybersecurity, you operate in a narrow field, and you risk growing stiff in your everyday routine. You start forgetting skills that you no longer use, and become less valuable as a specialist. Competitions, however, help you stay tuned with everything that happens in the field and keep your skills relevant.
Future plans
Planning ahead is now difficult due to the pandemic. For one, RuCTF that’s usually attended by Russian student teams has been cancelled. But soon we’ll be taking part in the 0CTF/TCTF finals that’s organized by a major Chinese IT corporation, with prizes up to $2,000. Same as most other events this year, it will take place online.
On Sunday, October 4th, we are launching a new training season at SPbCTF, it will focus on binary vulnerabilities and writing exploits. This category of tasks is deemed the hardest and the most revered in CTF. In order to be successful at it, you have to know well how a compiled code works, how the memory of processes works, and be able to finely manipulate the data in this memory in order to capture the process. You use the results of this field of cybersecurity when you jailbreak your iPhone or root Android, or get a virus from an infected document.
We’ll try to make it so that novices will also be able to master the basics of binary vulnerabilities, so that this field will no longer be an impenetrable fortress for beginners.