CTF, or Capture the Flag, is a team game testing participants’ ability to protect computer systems from attacks on their security. The participants are split into teams and given various tasks to solve. The competition is held in two formats. In the classic, Attack-Defence format, the players interact with each other during the competition. Each team receives a server with a set of vulnerable software services. The players try to secure a victory by hacking their competitors’ servers and protecting their own.
The second format, Jeopardy, implies that the participants are offered a set of tasks in the field of computer security that they have to solve faster than their competitors. The harder the task, the more points you get for performing it. The duration of each particular game is set by its organizers: it can last from a couple of hours to a few days.
The first competition in the CTF format was held during the DEF CON conference in Las Vegas in 1996. It quickly gained popularity and now CTF competitions are held all over the world. Among their coordinators are both groups of enthusiasts and organizations working in the field of cybersecurity. In 2018, a total of 152 competitions in the CTF format were held around the globe. You can learn more about the upcoming events here.
RuCTF is an annual competition in cybersecurity held in Russia at the end of April. The qualification round for the competition, RuCTFE, is held online in the Attack-Defence format and is open for anyone willing to participate. Following the results of the qualification round, 25 teams are invited for participation in the main round in Ekaterinburg, also organized in the Attack-Defence format and lasting for nine hours.
The first prize in this year’s competition went to the Tower of Hanoi team from the Polytechnic University of Milan. Team Shadow Servants from the Higher School of Economics took second place, while ITMO University’s team [SPbCTF] LC↯BC took third place.
The secrets of victory
According to Vlad Roskov, a Master’s student at ITMO’s Faculty of Secure Information Technologies and the LC↯BC team captain, all you have to do is to find your competitors’ vulnerabilities as fast as possible while eliminating your own. Because the time at the competition is limited, there are just two things that matter: your experience and level of preparation, as there are various templates you can prepare in advance to help your team work faster. However, these templates don’t always work as you expect them to. What is also important is the ability to be flexible and quickly adapt to changing conditions. For example, when being subjected to an attack, you have to understand its nature and use it against other players.
Where to get experience in CTF
There is a special community called SPbCTF and aimed at helping students get all the necessary knowledge and skills in the field of CTF. The community is supported by ITMO’s Faculty of Secure Information Technologies, and Vlad Roskov is one of its mentors. SPbCTF organizes competitions and workshops for everyone who wants to learn something new about CTF and try their hand at it.
“Anyone interested can find information about the existing programming competitions for both school and university students, but it’s not that simple with CTF, the competitions in sports hacking. Nobody talks about them. To change the situation, we decided to organize our own competitions in this format. We’ve been promoting these competitions among students of different universities for three years now. Last autumn, we set ourselves a goal to prepare as many teams as possible for participation in RuCTF. To achieve this goal, we gathered together every Sunday and trained,” shares Vlad Roskov.
As a result, a total of three ITMO University teams made it to RuCTF. The SPbCTF team now plans to continue organizing workshops and competitions for everyone interested in learning more about CTF.