CTF, or Capture the Flag, is a cybersecurity competition that tests its participants’ ability to protect computer systems from external attacks. The participants are split into teams and given various tasks to solve. Their goals depend on the format of the competition. In the classic Attack-Defense format, the players interact with each other during the competition. Each team receives a server with a set of vulnerable software services. The players try to secure a victory by hacking their competitors’ servers and protecting their own.
YauzaCTF
For the first time in its history, this year’s international student competition YauzaCTF was organized by the CTF team of Bauman Moscow State Technical University, which also became the venue for the finals, attended by 16 Russian teams selected based on the results of the 300-team qualification round.
Representing ITMO University were four teams: Kappa (Maksim Prokopovich, Nikita Sychev, Mikhail Dryagunov, Polina Smirnova, Nikita Kryzhov, Sergey Borisov, Roman Opyakin, Vladislav Akimov), Fargate (Ilya Shilov, Sergey Kiyashko, Artem Pavlov, Daniil Beltyukov, Aleksander Muravlev, Dmitriy Shestoboyev, Artemiy Kolodin, Evgeniy Protsenko, Dmitriy Tatarov), CTD Elite and GOST in the Shell. It was ITMO teams that headed the winners table following the results of the competition: Kappa took gold, Fargate silver and CTD Elite bronze.
“We trained for the competition by attending the meetings of SPbCTF, one of the strongest CTF communities in Russia. For nearly a year, teams from different universities learned to play in the Attack-Defense format; what’s more, different games in different formats were held to help students master various types of tasks in practice. The teams were formed at the beginning of this academic year during our training at SPbCTF. Having started to play Attack-Defense a year ago, we are now on par with the stronger teams out there. For one, we made it to the top-10 teams at this April’s RuCTF 2019 competition, and this is a very significant result,” shares Fargate’s member Ilya Shilov.
The organizers of YauzaCTF decided to use a traditional, task-based format of CTF competitions. In this format, participants are given a multitude of tasks in different categories of applied information security: Reverse Engineering, Web, Pwn, Cryptography, Steganography, Forensics and others. But despite the conventionality of the approach, the participants say that the competition's tasks touched on a few new topics, such as kernel exploits, hardware, and Arduino.
“The task on kernel exploitation stipulated that there was an inherently vulnerable device with readily available kernel exploits which could help to hack it in theory but somehow fail to do this in practice. What we had to do was to analyze the device and come up with a way to modify these programs to make the hack possible. The competition was prefaced with a presentation on that topic as it was unfamiliar to a lot of participants. These kinds of tasks are usually given at higher-level competitions for professionals. The qualification round did include a task from this category, but only a couple of teams actually managed to solve it. I think it’s safe to say that the organizers succeeded in introducing a new element to Russian CTF competitions,” says Daniil Beltyukov, member of the Fargate team.
“In the task on Arduino, we had to extract information from the circuit board, extract a program that was embedded in it, and analyze it using special software; that’s how you got a flag. This wasn’t a simple task because the program was compiled into machine code with which we ultimately had to deal,” explains Fargate’s Artem Pavlov.
The participants were given eight hours to solve all tasks. As is traditional, each task had its own flag the teams were vying for; the more flags a team managed to gather, the closer it was to victory. Much depended on the scoring system. YauzaCTF’s organizers opted for dynamic scoring, under which solving a task initially earns 1,000 points, but this amount decreases as the number of teams that manage to solve it grows. According to the participants, this system allows for a fairer evaluation of the teams’ final results.
Real CTF
A week after YauzaCTF, another similar competition, Real CTF, was held, this time by the Higher School of Economics’ team Lunary. The competition was held in two rounds: the first included typical task-based work, while the second took place in the Attack-Defense format.
Following the results of the two days’ worth of competing, first place went to the team VoidHack from Ural Federal University. ITMO University’s Kappa and Fargate emerged second and third respectively.
“The first round’s tasks included a couple of really interesting ones. For example, one task asked us to analyze ghost hard drive copies and various viruses they were infected with. We had to identify the infection vector, examine its file system, analyze the traces left by the viruses, detect, unpack and analyze their source program, find information about its authors, such as links to some websites, and conduct a small investigation,” comments Sergey Kiyashko.
“There was an unusual fun task which also yielded points if you solved it. We had to find hidden objects in a 3D game. This game was to be found through solving some other tasks. This was a general trend: the organizers used a system where tasks went in a string; in other words, you could only proceed to the next task after you solved the last one. There were several such strings altogether,” says Maksim Prokopovich.
“There was a separate category of tasks on automated process control systems. We were presented with an imitation of a power supply system, a windmill with remote controls, and we had to find out how this physical system works in order to hack it, making it rotate the other way. In the end, only one team succeeded in solving this task,” shared Nikita Sychev, member of the Kappa team.
The second day of the competition was held in the Attack-Defense format. For it, the organizers came up with a fresh set of tasks different from last year’s, developing special programs similar to those used in real life: messengers, online shops and various social media. The participants had to deal with three such services simultaneously, finding soft spots and writing software that would exploit them so that the team could steal flags from their competitors.
Faust CTF
Finally, Saturday May 25 marked the end of another CTF event. FaustCTF, a major international competition in the field of cybersecurity, was held online in the Attack-Defense format by the team Faust. This time, it was the united SPbCTF team that took part, finishing second in the final count. First place went to the team Bushwhackers from Moscow State University, while the team Saarsec from Saarland University (Germany) emerged third.
“The tasks were all very unusual: for example, we had to implement an HTTP protocol where all function words and headings were written backward, such as PTTH instead of HTTP and TEG instead of GET. Another peculiar service we dealt with came in the form of a task that used PostScript, a language used in publishing and printing systems. We had to find vulnerabilities that would allow us to run arbitrary code on a target system and gain access to the database with all the flags,” explains the team’s member Sergey Kiyashko.
According to Ilya Shilov, CTF competitions are the perfect way to practice applied information security skills and just learn lots of new things.
“Be it by participating or organizing such competitions, you get to try out a wide range of modern or obsolete but still interesting technologies you’re not likely to encounter in your regular studies. Generally, our field doesn’t abound with opportunities for us to practice. There are, of course, penetration tests and bug bounty programs (searching for vulnerabilities in real-world projects for money), but the former are usually run by major companies and you have to get there first to do something, and the latter offer no solid guarantees of success. With CTF, you know that there is at least one solution you can have a go at finding,” concludes Ilya Shilov.