Photo from securitylab.ru for news about Facebook CTF 2016
There was one guy at the faculty who had already played this exciting game and therefore deigned to tell us what it is and what it is eaten with ...
So, now let me tell you a little:
1 CTF ( Capture the flag or Capture the flag ) - team competitions ( sometimes personal ) in the field of computer ( information ) security.
2. Format of the event:
2.1. Task-based ( or jeopardy ) - players are given a set of tasks ( tasks ) to which they need to find an answer ( flag ) and send it.
So far, everything is more than simple, the usual rules, but only all tasks in this format are divided into categories (I 'll tell you about the main ones ):
Cryptography - tasks are associated with decrypting messages protected by various algorithms ( from the simplest to modern ciphers );
Steganography is the science of secret transmission of information by hiding the very fact of transmission. Therefore, you need to find exactly how and what information was passed (very interesting topic, I will roll out articles later );
Web - search for vulnerabilities on servers and sites ( specially deployed servers and sites on them are used, open platforms are not hacked );
Reverse engineering - research of software code, further methods depend on the task (a very dreary topic, for the diligent );
Recon is my favorite topic of open source information retrieval ( OSINT, intelligence ). A topic that will also be devoted to a separate block of articles;
Joy - entertaining tasks of various topics.
2.2. Attack-Defense ( or classic) - each team gets a dedicated server or small network to maintain its functioning and protection. During the game, teams receive points for the correct operation of the services of their server, the protection of their information and for the stolen information ( aka "flags" ) from the rivals' servers.
3. Competition
level International level: the most prestigious DEF CON CTF competition , which takes place annually in Las Vegas and brings together the strongest teams in the world ( dates back to the nineties ).
Russia: has been actively developing since 2009. Many local competitions are held ( in universities, cities, districts ) in various modes.
The largest CTF in Russia -RuCTFE , a victory in which gives an opportunity to get to DEF CON CTF.
Interesting fact: In 2014, 322 teams from different countries of the world fought in RuCTFE!
After what I heard, there was a frantic desire to try to go through these circles of hell and study this topic. We asked the same guy to oversee our first couple of games.
Next, we began to study the site ctftime.org - the schedule of all competitions ( around the world ) and the rating of the participating teams ( registered on the site ) are posted here .
We adequately understood that Attack-Defense was not yet shining for us, but we were ready to solve any tasks in the Task-based format in order to gain experience.
The first CTF ever
We were incredibly lucky that one of the closest CTFs was Russian, namely School CTF ( organized by the SiBears team ), in which there was a division between schoolchildren and non-schoolchildren and the time was indicated - 8 hours ( it seems that it was so ).
Of course, it was very important to register ... But how? What is the name of the team?
Somehow it happened that it was I who organized our participation and became the unofficial “captain” of the team.
It was also the first time, and we knew that the seabed - it's just us in this competition ... Indeed, without hesitation, I offered and WelcomeWe are the DnO team .
We armed ourselves with laptops, pens, notepads and worried about what else we might need.
So, it began ... We opened tasks and for us they were hieroglyphs, which did not add up to sentences (especially in tasks).
But, thanks to Google, we gradually began to figure out what this or that word means and finally began to google not just words, but already try to solve tasks and, it is worth noting, we even succeeded ...
Preliminary results
It is worth noting that we were on the courage , we did a lot and felt that the start was more than perfect. As you can see from the preliminary results, we held the 6th place, but then we moved about 10 (but taking into account the number of teams, we no longer thought about it, but celebrated a successful start ).
Of course, the next CTF, in which we decided to participate, was some kind of foreign one, but despite the fact that we understood all the tasks, we could not solve anything at all, so if we did something there, then in at best one task.
It was clear that we knew absolutely nothing, we had to train, study, prepare, look for platforms for solving such tasks ...
What is the DnO team?
Time passed, we participated in various CTFs and got our hands on it, found several very useful platforms with tasks, thanks to which we can develop in this direction ( I will not list them, you can easily find them in Google ).
Suddenly, an interesting event happened, we gathered for a full-time CTF ( before that we always performed only online ), it seems it was QCTF and it took place in Moscow , or rather in MIREA . Naturally, this is a completely different energy, everything around presses, because you do not sit quietly on your sofa, but you also want to feel it.
Photo of one of the QCTF tasks
There was an incredibly interesting space theme, tasks of various levels, we performed with dignity, because these competitions were "for beginners", which we were considered to be.
As a result, the DnO team of 20 teams took the honorable 4th place ( well, you know how upset it was ), but when we returned to the university, we were told that this must be told to everyone, what is the name of your team?
This question put us in a dead end ... Of course, the guys were not particularly driven and such: "Well, you offered DnO, now let's come up with a decryption so that the whole university does not laugh out loud at us."
After an hour of studying the dictionary, I came up with the only adequate transcript as Destroy Network of Opponent, which translates as "Destroy the enemy's net" ( thanks that prepositions are not taken into account in abbreviations ).
Since then, we have followed the old adage about the ship ... As they called it, it sailed.
The first victory "in half"
Once again, we decided to try our hand at full-time CTF, only this time it was decided to visit the hero city of Volgograd.
Our team already had experience, we were divided into directions and each team member developed in one main direction and one / two adjacent ones, in order to be ready to help / replace his friend. But, of course, we were still far from "good" knowledge in these areas.
DnO team in Volgograd
Honestly, I can’t even describe the emotions that we experienced, and all because there were 2 leading teams ... we went point for point, solving almost the same tasks.
The final "whistle" and we ... Second? How? But after all ... We have the same number of points, but the Life teamsurrendered the last flag before us in time, which is why we took second place ... The DnO team for the first time was close to victory, but missed it at the last moment.
Final scoreboard of the VolSUCTF competition
First CTF Russian Cup
A couple of months have passed, we did not give up our attempts to achieve high results in various online CTF'ah, but everything was in vain, and then we learned that there is a recruitment for the FIRST “CTF Cup of Russia” , and the selection for it is based on the results of the separately selected by the organizers CTF held since the beginning of the year.
Naturally, VolSU CTF was among them, in which we successfully took 2nd place and, in fact, did not go to this insanely intriguing FIRST Cup ...
However, after monitoring the situation, we learned that the Life team, with which we shared 1st place, participates in this event as an organizer ... Iiiiiiiiiii, yes, the DnO team is invited to the “I CTF Cup of Russia” as a VolSU CTF winner.
Naturally, absolutely nothing was known about this event and all that remained for us was to prepare hard.
Skipping all the nuances of the preparations, we come to the Skolkovo Innovation Center, where 20 best teams from all over the country have gathered.
1st CTF Cup of Russia. The first day. Task-based.
We are greeted, given out pranks ( stickers, T-shirts and, most importantly, FLAGS! )
The same cherished flag of the DnO team
Fast draw and we find out what table number we have, went to get ready. Promptly deploying their typewriters, the organizers of the event made a speech, where we learn interesting news, namely:
1. The Cup is held in 3 stages in 2 days;
2. Stage 1 Task-based(20 teams participate, top 10 pass to the next stage);
3. Stage 2 Attack-Defense (10 remaining teams participate, 4 best go to the next stage);
4. Stage 3 Final. (4 teams are involved, what will happen is a mystery covered in darkness ...).
Without looking ahead, we began to prepare for the first stage of this event, which promised to be exciting ...
So, STAGE №1 , we started.
Grueling 8 hours of work, with competition suspended for lunch. We did our best, showed the best teamwork that was ever and for this we received the coveted "flags", points that could take us to the next round.
Forgetting about Scoreboard ( table of results), we worked until the last second of this stage and, not without luck, we occupy the 6th line in the table.
Scoreboard after the 1st round of the CTF Russia Cup
There is deathly silence at our table ... Nobody believes that we did not just make it to the second stage, we passed with confidence.
Only after our curator came to congratulate us, we realized what was happening and the smile never left our face.
It was clearly our day, we deserved it, no fuss, just food and a good rest before the second day of the competition.
Yes, we understood that we were very weak in Attack-Defense , but we were still charged to work to the last.
So, STEP # 2 , we started.
When we sat down at the table and unrolled our typewriters again, there was no limit to surprise ...
Our "task" of the second stage. Own crypto farm.
We saw this, not to say that huge, box and how much everything is in it, how everything is arranged there and realized that we got the most unpleasant ...
It will not be possible to tell much, the nuances of this stage are forgotten, except for one ... We worked and tried to the last, not for the finale, but for myself. Because we wanted to prove to ourselves that we are capable of more.
It is worth noting that our efforts did not pass by, we nevertheless raised the server and even received some of the flags, but, naturally, this was not enough, other teams were much more prepared ...
Result, 9th place in the second stage... Of course, there is a slight frustration, but at least we completed the task, which was worth being proud of.
Scoreboard 2 stages.
The stage lasted only 4 hours , and the final was planned for the afternoon, we didn't go to watch it ( honestly, we didn't have the strength ), but it was no less interesting there, because there was a war of robots , although they were not controlled via a remote control, but by programming.
To this level, we were clearly far away ...
It was with this Cup that my performance in this team ended both as a captain and as a participant ... I graduated, other guys took everything upon themselves, who were energized and ready to move on.
But that's a completely different story ...
Separately, I would like to thank the organizers of such competitions ( various CTF teams, as well as the ARSIB organization ), mentors, curators, my friends who played for this team, and the guys who played for other teams.
No one is forgotten, thank you so much for this great time!
What is described in this article definitely turned my life at least 60 degrees: D
And you can see the team's successes here .
PS The flag still stands in the workplace near the monitor and warms the soul