The OWASP San Diego 2015 CTF was my first in-person CTF. I had participated in other online CTF-style events, but this was the first time I had shown up to a physical location to capture flags. I'm going to share my experience, talk about some of the challenges, and explain what I need to learn more about to be more prepared for next year and other CTFs. I won't be doing a full walkthrough of every challenge, because time constraints made it impossible to document the challenges as I completed them (I will update if they post the challenge list and I can recall more).
First off, let me start by saying I had a really great team that was well rounded and had different specialties, which seemed to really help us. Shout out to my team, Hot Cyborgs. We chose our name with a random team name generator I found online.
The day started off by showing up and signing in, then getting assigned to a random team. The CTF was played jeopardy style, which means that you choose challenges that are worth a certain number of points depending on the difficulty. I was told by other attendees that this is how Defcon does their CTF as well. Next, our team name was entered into the scoreboard and we were given a password to log in. To enter a flag you have to go to the scoreboard and enter the flag into the challenge answer. The timer for 8 hours started and we were ready to go.
The challenges were in 6 categories:
The web section started off with a 50-point challenge where you navigated to a URL similar to this
which contained a picture that said the same. If you guessed directories you would eventually find a meme of Neo, and the flag was the words on the meme. Other challenges included scanning a WP instance to find vulnerable plugins. I messed up on this challenge because there was a throttle on the connection and I hammered it with WPScan, which blocked my plugin enumeration and gave me false positives. Another challenge led us to a login page which at first we thought was a web filter, but we later realized it was an appliance for which you look up the default password and then log in to get the flag. I think I did pretty well in this section and was able to improve my skills with Burp Suite to do manual testing of web applications.
The physical challenges consisted of a number of lockpicking challenges. These ranged from picking handcuffs all the way to some very difficult Master locks. Twice, picking a lock moved us up the leaderboard. These challenges seemed to be relatively simple in the low point ranges but increased in difficulty quite a bit. I just recently began lockpicking, so that made things much easier. Something I learned that I had not worked with before was locks that needed to be picked backwards, meaning you had to apply counterclockwise pressure when picking the lock. This was actually a bit difficult and I will definitely be practicing this more. The best way to be prepared for these types of challenges is to have a nice lock pick set and a wide variety of locks to pick.
The reversing section had a wide variety of challenges which required a debugger. I can say I need to spend some more time being ready to jump right into the debugger, and this really piqued my interest. A decent set of debugging skills can help you go a long way in this section of a CTF. I was able to fall back on my past debugger experience to gain some ground in this section.
This section was handled by other members of my team. I will update this section if they post the challenge list
The part that interested me most about the exploitation section was the last challenge. You had to find a port open on a webserver to get a shell. One of my team members wrote a bash script to attempt a Netcat connection to every port one by one, which he said he learned from a past CTF. Once you have a shell, you locate a binary file and the C source code. The code did a setguid then ran a command which called an environment variable. To solve this challenge you have to run the export command to change the environment variable it calls and append the command to read the flags like this
<environment variable>;cat flag. Because the setguid flag was set, the root-only readable file would cat out to the screen. While attempting to figure out this challenge we got stuck and prepared a netcat reverse shell on a USB Rubber Ducky that I was going to sneak up and plug into a Raspberry Pi serving as the web server as a Hail Mary attack (all is fair in CTFs and war). This was another section where you need some decent debugging skills and you really don't know what to expect.
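The bug class behind that last challenge, shown next to a hardened form. This is an added example, not the challenge's source code: the variable name REPORT_NAME, the /bin/echo command and the sample values are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (constructed stand-in for the challenge source): the
 * string built here would go to system(), so /bin/sh parses ';' in value. */
int build_cmd_vulnerable(const char *value, char *out, size_t n) {
    return snprintf(out, n, "/bin/echo %s", value);
}

/* Allow-list: 1-64 characters from [A-Za-z0-9_.-], nothing the shell parses. */
int value_is_safe(const char *v) {
    if (v == NULL || *v == '\0' || strlen(v) > 64) return 0;
    for (; *v; v++)
        if (!isalnum((unsigned char)*v) && !strchr("_.-", *v)) return 0;
    return 1;
}

/* Hardened form: no shell, absolute path, value as a single argv element,
 * empty environment. Returns the child's exit status, or -1 on refusal/error. */
int run_hardened(const char *value) {
    if (!value_is_safe(value)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/echo", (char *)value, NULL };
        char *const envp[] = { NULL };
        execve("/bin/echo", argv, envp);
        _exit(127);                      /* reached only if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *v = getenv("REPORT_NAME");   /* hypothetical variable name */
    char cmd[128];
    if (v == NULL) v = "report;cat flag";    /* constructed hostile value */
    build_cmd_vulnerable(v, cmd, sizeof cmd);
    printf("vulnerable program would hand the shell: %s\n", cmd);
    printf("hardened result: %d\n", run_hardened(v));
    return 0;
}
```

A set-id program should treat every environment variable as attacker-controlled input; passing the value as one argv element to execve, rather than through a shell, is what keeps the ';' from being interpreted.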
In the cracking section there were different variations of cracking challenges, including cracking a Windows NTLM hash. There was also another hash for which we simply Googled the hash to get the flag. This section also included a challenge where you crack the password of an encrypted zip file to get the flag inside. We started coding up a multi-threaded Python script to do this, but an open source tool was located first that was able to get the job done.
The crypto challenge started with reversing a simple base64 encoded hash and worked its way all the way up to a padding oracle attack. This section is definitely not my area of expertise in any way, and other members of the team were able to carry us a little more here. I will say Python came in handy during this section, and by continuously working through the challenges and doing research you can do some decent damage on the scoreboards.
After the time was up everybody stopped the CTF and the winners were announced. They won USB Rubber Duckys as a prize, and everybody gets a t-shirt for participating. My team held 2nd place in the middle of the CTF but we fell to 4th near the end. There were some very good teams among us and they pulled out some big points in the end. After the CTF we talked to other teams, found out what strategies they had, and discussed challenges. Overall it was a great experience and I have to thank OWASP SD and all the sponsors for hosting this event.
What I learned
Overall I believe that CTFs are really great hands-on learning experiences that can grow your skills in many different topics. I notice there are similarities and common themes with CTFs. Prior experience will definitely help; however, even if you have no experience with CTFs you will still learn a ton. I now have a list of subjects I want to improve upon, including reversing and crypto. Once again, thank you to my team, who taught me a ton.
*I will be updating this article once they post the challenges which will refresh my memory a bit more