CTFs are sports hacking competitions where the goal is for a team to capture their opponent's “flag”. The CTF (Capture The Flag) format is very popular - it is often used in paintball, LARP, and computer games, so it’s quite natural that it has been adopted in the field of computer security competitions as well. There are two types of challenges. Attack-Defence is considered the classical one, as it follows the rules of CTF in their pure form: the idea is to eliminate vulnerabilities in your team’s systems and attack those of your opponents. The current competition used a different format - the so-called Task-Based CTF. Instead of hacking each other, the teams were to complete particular tasks. For each solution, the team received a flag, which could be exchanged for points; such competitions usually feature several branches of tasks, each covering a particular subject. The competitions can be conducted both online and onsite. Online competitions usually last about a day in a non-stop format; onsite competitions, where each team works at a separate table, usually take up to eight hours or more.
QCTF Starter competitions are meant for those new to CTF rules. The participants are given tasks where they have to find particular “flags”; whoever finds the most flags in the least time wins. The tasks are in different categories, among which are web security, cryptography, reverse-engineering, PPC (professional programming coding) tasks, and others. In Russia, several competitions of this format take place every year; the Hackerdom team from Ekaterinburg organizes Russia’s biggest competitions, among which are RuCTF, RuCTFE, QCTF, and some others (for example, they also organized PHD CTF 2017 and Яндекс.Root). The competition that we’ve recently won was also initiated by Hackerdom, who enlisted the help of different teams to organize competition sites in different cities (in St. Petersburg, that was SPbCTF; all local teams competed at ITMO University).
Lubov Yurtaeva, captain of the winning team, shared her impressions of the event.
On winning QCTF Starter
“The competition itself went on for eight hours. ITMO University’s team was made up of three people: Andrei Komarov, Ilya Selivanov, and me as the captain. This was the first time we participated in a competition in this line-up; though Andrei already had experience with such competitions, for Ilya and me, that was our first time. I’m a second year Master’s student at the Department of Computer System Design and Security, and I can’t help but wonder why we don’t have anything on hacking in our curriculum. It just happened that it was only recently that I got really interested in information security, namely after I took part in the “I am a Professional!” competition and was invited to ITMO’s Winter School that coincided with it. Some of the school’s workshops of the information security track were led by members of the SPbCTF team, who invited us to their training sessions on hacking that take place every Sunday at ITMO University.
It turned out that they were teaching real hacking techniques there - the things that our curriculum does not include. I met Ilya Selivanov at the Winter School, and we started attending SPbCTF’s lessons together; that was where we learned about QCTF Starter. We decided to participate; what is more, I already had a friend who was interested in such events - Andrei Komarov, who graduated from ITMO University last year. We created a team and signed up for the competition out of sheer curiosity, and somehow won it.”
On the competition’s tasks
“There were 12 different tasks, each worth a different number of points. For instance, there were tasks from the cryptography field, where we were given a platform that could be used to encode any message by using a particular algorithm, and a ciphertext that was a result of using the platform. We had to find a way to decipher the message, which could not be done with the help of the given platform as it had no such option.
There were also tasks from the web security category - we were given a website that sent a flag in response to a particular request made under certain specific conditions. For completing such a task, one needs keen knowledge of networks, protocols and system administration.”
On SPbCTF’s activities at ITMO University
“We are really thankful to the SPbCTF team - they are really cool people who come every Sunday to tell us very interesting things. We spend quite a lot of time at their lessons, about six hours every time, and what we get there often turns out to be more useful than the vast amount of theory that we are given as part of our curriculum.
Every six months, SPbCTF launches a new season that is dedicated to a particular topic. Currently, we are studying computer forensics. The goal of this season is to teach the students to make assumptions on the nature, origin and purpose of data by simply looking at it. This is no easy task, as it is quite hard to tell what a bunch of raw hexadecimal data really is. Each lesson is dedicated to some subtopic, with complexity growing in the ascending order: the first lecture was dedicated to different encodings, the next was about cryptography (though I already knew the algorithms from my program’s curriculum, this lecture really helped me to sort them out), and the latest lecture expanded on steganography (ways to transfer or store data while keeping the very fact of such an operation a secret). The lessons have the following format: first, there’s an hour-long theoretical lecture, then a practical session on the same topic. And this is repeated three or four times over. Such lessons take about six hours each, and are really intense, interesting and helpful.
It would be great if the university attracted more attention to such events, as if it was to support similar initiatives, they would make it possible to train strong teams that will do well in major international competitions. I think that in order to achieve that, we have to add real hacking techniques to the curriculum, and support initiatives like those conducted by SPbCTF team.”