CTF competition 2020 for "white hackers". Registration of participants








In December, OTUS, with the support of VolgaCTF and CTF.Moscow, invites everyone with an interest in information security to an online competition to find vulnerabilities. Learn more and register here. In the meantime, we will tell you more about the format and participation, and recall how the event went in 2019.






Format



The abbreviation CTF stands for Capture the flag. There are 2 formats for such competitions:



  1. Attack-defense, where each team gets its own server or network and must keep it running. The task is to score as many points as possible for defense or for information ("flags") stolen from the opposing teams.
  2. Task-based, where each participant receives a set of tasks and must send solutions within the allotted time. The answer, aka a flag, can be a character set or a phrase.


Our CTF competitions are organized in a task-based format.



How was it last year?



In 2019, 217 people took part. The participants had to solve 9 tasks, three in each direction: reverse engineering, penetration testing and Linux security. It took 5 hours to complete.



The tasks have different difficulty levels and, accordingly, are worth different numbers of points. Last time, only 40% of the answers sent were accepted. Below are examples of solutions to last year's tasks:



1. Reverse engineering



Tasks on code decompilation, restoring program logic from low-level code alone, and researching how mobile applications work.



Example task



Name: Bin

Points: 200



Description:

This time we came across a binary file. The task is the same, to get the secret password.

Attachment: task



Solution:

We are given a binary file. Load it into a disassembler and you will see six check functions written in C++.



They are built identically and call one another, each checking the flag in pieces of 5 characters.



We restore step by step using information from the disassembler. We receive the flag in parts:



0) check the length

1) flag{

2) feefa

3) _172a

4) k14sc

5) _eee}



Combine and get the flag:



flag{feefa_172ak14sc_eee}


2. Pentest



Participants search for vulnerabilities in websites using penetration testing methods.



Example task



Name: Databases

Points: 100



Description: The site is actively using databases. Try SQL Injection.

Link to the site: 193.41.142.9:8001/shop/login



Solution:

Go to the main section of the store, /shop/products/. Probing the search field, we find an SQL injection.



Enter 1" OR "1"="1"-, scroll down and see a product that was not listed before; the flag is in its description.



Flag: flag{5ql_1nject10n_15_t00_51mpl3_f0r_y0u}
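
Why that search input reveals the unlisted product, and how a bound parameter closes the hole, as an added example that is not part of the original write-up or the contest's code. The table layout, the `visible` column and all function names are assumptions, and the probe uses single quotes because the sample runs on SQLite.

```python
import sqlite3

# Single-quote form of the search input from the write-up (SQLite string syntax).
PROBE = "1' OR '1'='1' --"

def make_db():
    """Constructed sample data standing in for the shop's product table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, description TEXT, visible INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("1 litre bottle", "plain water", 1),
        ("notebook", "A5, 48 pages", 1),
        ("secret item", "flag{constructed_placeholder}", 0),  # never meant to be listed
    ])
    return db

def search_vulnerable(db, term):
    # The input is pasted into the SQL text, so a quote in `term` ends the
    # string literal and the rest is parsed as SQL. AND binds tighter than OR,
    # so the always-true comparison bypasses the `visible = 1` filter.
    sql = "SELECT name FROM products WHERE visible = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]

def search_safe(db, term):
    # The term is bound as a value; the database never parses it as SQL.
    sql = "SELECT name FROM products WHERE visible = 1 AND name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

def leaks_hidden_rows(search_fn):
    """Regression check: does the probe make the search return unlisted rows?"""
    db = make_db()
    hidden = {r[0] for r in db.execute("SELECT name FROM products WHERE visible = 0")}
    return bool(hidden & set(search_fn(db, PROBE)))

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PROBE))
    print("safe:      ", search_safe(db, PROBE))
    print("normal use:", search_safe(db, "note"))
```

A check like `leaks_hidden_rows` can sit in a test suite so that a later change back to string concatenation fails the build.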




3. Linux security + development security



The tasks are aimed at checking the correctness of the server configuration and finding errors in software development.







Name: Algo

Points: 50



: . safe development. . : 666c61677b32646733326473323334327d. .



.

Link to the site: 193.41.142.9:8002/

Attachment: task.7z



Solution:

. , , .



Python:



import binascii

# Decode the hex string from the task back into bytes
print(binascii.unhexlify("666c61677b32646733326473323334327d"))



We get the flag: flag{2dg32ds2342}




You can see all the tasks of CTF-2019 here.



What will happen this year?



We have added a 4th discipline, "Web Application Security". Over 6 hours, participants will have to solve 12 tasks, 3 in each direction.



Dates and prizes



The competition will take place on December 5 from 10:00 to 16:00. Winners are determined in each of the categories: reverse engineering, penetration testing, Linux security and web application security.



Registration is open until 19:45 on December 4.



The main prizes - free training in OTUS courses in information security - will go to those who are the first to solve all 3 problems correctly in one of the categories. Those who take second and third places will receive exclusive discounts on tuition. And of course, all participants will receive new knowledge, pleasure in solving problems and a 10% bonus discount.



On December 8 and 10, organizers and teachers will hold special webinars, where they will summarize the results, analyze problem solutions, and also tell you more about our courses.



Who can participate in the CTF competition?



The event is open to everyone who is more or less interested in information security.



Want to know more? Then we are waiting for you at the introductory webinar on December 3 at 20:00, where we will tell you about all the conditions of the event and answer your questions. Sign up so you don't miss the broadcast.


