In CTF (Capture the Flag) – a tournament is held in the form of a game – each team completes various tasks to capture the flag, a unique combination of symbols, of their opponents. At the same time, teams should be doing their best to protect their frontiers from attacks.
This year, at the Russian CTF Cup the teams found themselves in the fictional town of Druzhba (Friendship – Ed.) that featured several data servers playing the roles of shops, ATMs, amusement parks, and a factory. Each team was responsible for one of them that they had to protect for eight hours, while at the same time cracking into the services of other teams causing them to burn and fail to function correctly.
“You need to master quite a lot of topics in order to perform in such tournaments successfully. For instance, you have to be able to program and have at least a basic understanding of code written in different languages, look for logical vulnerabilities and injections, as well as know reverse engineering. However, the most important skill for a CTF contestant is the ability to quickly grasp new technologies and methods,” says Maksim Prokopovich, a member of the FaKappa team.
Several selection stages preceded the finals. At the first stage referred to as Task-Based, the teams had to solve tasks from various fields of information security, such as cryptography, identifying vulnerabilities in websites and apps and using them, studying closed-course software, investigating incidents, and searching for information. After that, selected teams came through to the Attack Defense stage, where they were assigned servers with vulnerabilities that they had to fix. At the same time, they needed to capture the flags of their opponents.
Four teams proceeded to the finals after these two stages. The four competed against each other in the Attack Defense format. As a result, two teams, ITMO’s FaKappa that trains at SPbCTF just like other teams from their faculty, and C4T BuT S4D made up of students from HSE, MEPhI, ITMO, and Tomsk State University entering the superfinals. There, they faced each other in the ultimate Task Based battle with C4T BuT S4D beating FaKappa 5:2.
“In the first stage of the final, we worked with two challenging services – we stole flags from both, but failed to detect every vulnerability. At the battles, we got tasks from each of the information security fields. This new battle format of the final was quite a surprise for us, so we had to swiftly adapt to it and think up a strategy,” recalls Maksim Prokopovich.
Despite this surprise, for the second year in a row FaKappa won the nomination for the best academic team, also receiving prizes from Sberbank for being the first to complete a task in the battle.