What is RuCTF, what it’s for and how to take part in it

RuCTF is a competition on information security that is being held at the Ural Federal University for the 11th time since 2009. This year 400 teams from all around the world took part in the try-outs and 24 teams from Russia, Austria, Germany, Italy and Belarus met face-to-face at the finals. To qualify for the final competition, teams had to excel in the online competition in November of last year or to win at a regional students’ CTF competition. The main prize at RuCTF is a trip to the final stage of the oldest international cybersecurity competition, held annually in Las Vegas and which draws the strongest teams from all over the world.

“It’s not that hard to qualify for the competition, I think; if one sets their mind on getting into the RuCTF finals, they can reach the required skill level in a few years. The real challenge is the competition itself. There are a lot of strong and experienced teams at the finals. The upside is that a competition like this helps you learn to quickly figure things out and find weaknesses in unfamiliar systems written in multiple languages using different technologies. This is, no doubt, a very useful skill that cybersecurity experts need to acquire.” – says Alexander Menschikov, a member of the ITMO, MIPT and HSE select team and a student at the Department of Computer System Design and Security.

A team’s goal is to capture their competitors’ “flags”. This format is used in all sorts of team-based games, from paintball to roleplaying. The cybersecurity competition at UrFU uses a classic format of CTF. Each team received a dedicated server with a set of vulnerable software services that they had to keep secure and functional. Every so often these services received from the jury a package containing private data that serves as a “flag”. Any team that could find a weakness in a competitor’s service could steal that data, which means that these vulnerabilities, which are based in large part on bugs that can be found in actual software, needed to be eliminated in time.

The game process

“The servers that the teams get are absolutely identical: all the settings, files and vulnerabilities are the same for every team. Up until the very end of the game teams analyze their services and comb for weaknesses that the developers left there - intentionally or otherwise. But finding a weakness isn’t enough. It needs to be exploited wisely. Sometimes a weakness is easy to find, but incredibly difficult to utilize. It may take hours to write an exploit. A team that finds a certain weakness in a service first and successfully exploits it usually earns a great deal of points. However, teams with experience can very soon determine how they’re being attacked, as they watch both incoming and outgoing traffic, and can even “steal” a finished exploit that another team spent hours building. For that reason many teams tend not to attack experienced competitors who they know are expecting just that.” – says of the game’s intricacies student Grigory Sablin, another member of the ITMO, MIPT and HSE select team.

Furthermore, every competition, be it a regional or a nationwide one, has a storyline: it can be about international cybercriminals stealing data from national banks or, say, blueprints for Russian spacecraft. It might take place in the future with teams trying to save a certain race from extinction. The plot for RuCTF-2017 concerned space: each team was placed in charge of a virtual city-ship. Each of the ships’ infrastructures relied on seven services: systems in charge of distributing food and energy, searching for planetary areas for prospective development, ensuring the city’s protection from threats, a service that allowed third-party programmers to solve the city’s technical issues and a system of stargates that allowed teleportation between the cities. The seventh service was an incubator containing alien eggs. An inflatable pool filled with hydrogel balls, it held a “flag” in the form of a regular ball stamped with a QR-code. The contestants’ goal was to find the ball and scan it.

“To be honest, the storylines are usually there for the spectators, not the players. The teams rarely have the time to familiarize themselves with the story, especially if it has little effect on the game process. Sometimes the story contains a description of, say, the economical mechanics used to calculate the accrual of virtual currency and its exchange into game points. When that is the case, we have to familiarize ourselves with the plot so that we can correctly plan our economic strategy. But this year’s storyline simply described the services and had no effect on the game process” – explains Grigory Sablin.

As the game progressed, its state was displayed on a large screen and contestants were able to observe a planet orbited by their space cities, with “flags” passing between them, as well as the current leaderboard. The game continued, non-stop, for roughly nine hours.

The competition process

The race changed leaders virtually every other minute. A team’s rate of acquiring points depended on how well they attacked others, protected themselves from others’ attacks and maintained their services’ functions (otherwise the teams could simply turn off their servers, making them impervious to hacking). Per Grigory Sablin’s opinion, this year’s game was more focused on hacking, or, rather, on figuring out and exploiting vulnerabilities – something that is far more difficult than preventing them from being exploited or fixing them.

“The competition is extremely fast-paced. A weakness discovered at the right time can move a team from the bottom of the leaderboard to the very top. You have to fight for each “flag”. A specialized checking system adds a single “flag” to each of a team’s services every round. A round lasts several minutes. Vulnerable services can be hacked continuously until they crash or the vulnerability has been fixed. Usually one of the team’s members is responsible for managing the services while others investigate various services on their own or in pairs. Meanwhile, the competitors’ services are hacked automatically, provided you build a proper exploit.” – described Alexander Menschikov.

He noted that the competition’s duration of 9 to 10 hours is completely reasonable. On the one hand, it provides enough time for the contestants to figure out even the most complex systems, yet, on the other, it is not too exhausting for the players. Furthermore, the teams are provided a lunch break.

But RuCTF is not just an exciting game; it is also an educational event. Every participant had a chance to listen to lectures by experts on software engineering and data protection. Among others, speakers included representatives from Kaspersky Lab, Infotecs, Wallarm, Digital Security and the Ministry of Defense’s Special Research Center. Moreover, a nationwide students’ competition on data protection was held as part of the events.

At RuCTF-2017, the MSU’s team Bushwackers secured the first place for the second year in a row. HSE’s team Shadow Servants took the second place and the team LightsOut from MIPT won the bronze prize. The ITMO, MIPT and HSE select team came sixth.