Ten teams from different universities were gathered together at the St. Petersburg “Boiling point” center to determine who is the best in cyber security. Apart from last year’s winners from St. Petersburg Electrotechnical University, there were also students from ITMO University, Baltic State Technical University, and Alexander Mozhaysky Military Space Academy. Each team had already won the qualifying round and consisted of a maximum of 7 people, all of them under 25 years old.

The teams had six hours to solve a number of problems. Each solution is called a “flag” (hence the name of the contest “CTF” - capture the flag). For every flag submitted teams were awarded points that allowed them to go up on the scoreboard. It is important to note that there were no limits as to their resources - everyone brought their own laptop to be able to use something they had prepared at home or find solutions on the internet. 

“The participants have a pack of 28 tasks,” explains Aleksander Uskov, Technical Director of the contest. “Each task has a value of a certain number of points depending on its difficulty level. There are three levels: easy, medium and hard. However, there is also a dynamic points system - say, for example, a task originally “worth” 300 points will give a team a smaller amount of points if everyone else solves it, but will retain its value if only one team solves it.”

The final of the regional NordCTF cyber security contest
The final of the regional NordCTF cyber security contest

Computer forensics and exposing vulnerabilities

In the beginning, the Space Academy team with a self-explanatory name “Red Cadets” was the clear leader. This, however, didn’t last long as ITMO’s own [SPbCTF]Kappa took their place and rocketed up the scoreboard handing in one flag after the other. 

“The tasks reflect various cyber security areas that the actual security specialists have to deal with,” explained Sergei Antonov, the contest’s co-host. “There are even tasks on computer forensics. For example, there is a record of a user-server traffic exchange and to put it simply somewhere in this data array there is a flag the teams have to find to get points. The search methods can vary, sometimes it means using the common “Ctrl+F” hotkey combination. There are programs that can look for certain code fragments with a number of set characteristics.

Some participants compete in exposing vulnerabilities - these allow one to make a program do something that was not originally intended by its creator like changing images on a website or returning secret data. Apart from that, there are also tasks on steganography and cryptography. 

“In both of the latter cases we have some data,” continues Antonov. “In case of cryptography we encrypt it and stenography means we have to conceal the fact there even is data. The participants have to hide it in a picture or a recording. We also have reverse tasks, meaning that you have to decompile a program and alter the way it works. A simple example is a game you download from a torrent-tracker that doesn’t request a license key. That happens because someone has already decompiled it and changed it so that it doesn’t require a key to run”. 

Wide knowledge and out-of-the-box thinking

At a certain point the margin by which ITMO students were leading became enormous. Even before the lunch break they managed to acquire 1865 points, some of them by solving the “hard” difficulty level tasks. The next team on the scoreboard, “Red Cadets” only had 415 by that time. The team in third place was from St. Petersburg State University of Economics and had 328 points.  

After the lunch break the teams managed to get closer to the leader by making the margin threefold instead of the previous fourfold one. Moreover, the third place was contested between St. Petersburg Electrotechnical University, St. Petersburg State University of Economics and the Bonch-Bruevich Saint Petersburg State University of Telecommunications. This particular battle was won by St. Petersburg Electrotechnical University. 

The final of the regional NordCTF cyber security contest
The final of the regional NordCTF cyber security contest

“To be successful in this contest you have to possess many skills, one of them being resilience, because time is limited and you have to solve a lot of problems. You also need to have wide-ranging knowledge, as the tasks are usually unconventional, there is no manual one can use to solve them and solutions themselves can be rather baffling. The crucial things are logical thinking and the ability to find the necessary information quickly,” says Uskov. 

Awaiting the Skolkovo trip

By the end of the contest, some teams had started to leave and some kept solving tasks, handing in flag by flag till the last minute. ITMO University students were from the latter category. It was not a time to relax, as some teams  sit on the solutions they are absolutely sure about until the very end. It means not giving any clues to your opponents, because any task solved invariably attracts the others. Apart from that, it obviously allows a team to rocket up to the top of the scoreboard even if it was in its second half.  

This, however, didn’t happen. ITMO University's team regained the almost fourfold advantage and came out the winner. 

“This year the tasks were rather interesting and diverse, it was a pleasure to solve them”, shared Nikita Sychyov from [SPbCTF]Kappa. “I personally liked the two cryptography tasks with mathematical equations generation. We had to create an algorithm that sped up the process of finding solutions to these equations. It was entertaining.”

[SPbCTF]Kappa, NordCTF winning team
[SPbCTF]Kappa, NordCTF winning team

“Today we had good inter-team communication, which is something rare for these kinds of contests,” adds Maksim Prokopovich, another ITMO University representative. “One particular task stood out to me, the one it took us a long time to solve. We found similar tasks from previous contests. There were some similarities but we couldn’t apply them. Then we noticed that the software version on the task server was rather outdated. We found an exploit (a piece of code that takes advantage of a detected vulnerability - ITMO.NEWS) for this software version and that way we could run our code on the contest server. Our solution was not planned for, so we managed to surprise those who created the task. It sometimes happens that the tasks that were intended to be difficult actually have rather simple solutions”.

After the end of the contest the teams stayed around awaiting the award ceremony, exchanged their impressions and asked their opponents about this or that solution. During the award ceremony that included Danil Zakoldaev, a member of the organizing committee and the Dean of Faculty of Secure Information Technologies of ITMO University, it was announced that the winning team will represent St. Petersburg at the CTF Russia National Student Cup to be held at Skolkovo. 

About the contest

NordCTF was organized by ITMO University together with the Inter-regional public organization "Association of Chief Information Security Officer” and the Science and Higher Education committee of the Government of St. Petersburg.

NordCTF
NordCTF

Next day after the contest, another NordCTF round was held at ITMO University, this time for those still at school. 16 teams and 12 schools took part in the contest (including 2 teams from Moscow that were not on the scoreboard). The youngest participants went to 8th grade. The team from St. Petersburg Lyceum 239 came first with 1032 points. The second place was taken by School 113 with 559 points and third place went to Lyceum 393 with 514 points. 

“It’s our second year in such a contest,” explained Artyom Nasonov, captain of the winning team. “I guess, that was why we won. I am glad we could do it. It is even more important for us now, because we want to enter ITMO University.”