My first CTF — SG/UK Cyber Security Challenge

Cybersecurity. Elusive and mysterious.

Always. Companies are hiring security professionals for big bucks. Companies burn millions in pursuit of cyber defense and awareness. I still believe that the human is the weakest link. As a dedicated employee, I decided to upskill myself, rather than being a sitting duck.

CTF is my way to level up my skills. And my first CTF was such a long arduous journey.

What is CTF anyway?

I had not heard of the term ‘CTF’ until late 2018. I think I have been living under a rock. (Who else has never heard of it?)

‘Capture the Flag’ is a gamified set of challenges based in cyber security. Usually, the challenges involve finding hidden flags. Kinda like easter eggs hidden virtually somewhere in the challenges. Finding more flags in the shortest time gains points for a team/individual. Of course, the most points win.

There are no hard and fast rules for CTF. Different events and competitions will have their own custom ruling and platform. It does feel so much like a game to me, so I like to use the term ‘play’. Players are also known as CTFers.

How CTFers appeared to me in the competitions I have seen.

By some chance, I attended HITB GSEC Singapore 2018. It was a security conference that attracted a healthy amount and mix of attendees. The security community is a warm and friendly group of people. Readily sharing their profound knowledge. I would think they enjoy sitting in front of their computers more. Guess not, their enthusiasm rubs off on me.

There was a CTF event at the conference. All the players were gathered in a large event hall, peering intensely into their hacking machines. Out of curiosity, I peeked at their screens. (Does anyone ask for permission before looking?)

I couldn’t tell what was going on. But the banners surrounding the venue screamed to me in bold ‘HITB-XCTF’. I still wonder what the X stands for. Maybe eXtreme?

At that point in time, I had just completed Singapore Cybersecurity Challenge 2018. I did not know that was a CTF itself. Another variation, another name. CTF does exist in many forms and challenges. Ultimately, the true essence is the same. Cybersecurity challenges. HITB-XCTF has a custom attack and defense ruling, while the challenges I completed are points based - jeopardy style.

Singapore Cyber Security Challenge 2018

I saw the online challenge through a Facebook advertisement and decided to participate on a whim. It was organized by CSA (Cyber Security Agency of Singapore). Looks fun. That’s what I thought. It seems like a good opportunity for me to learn something new. I rushed through the challenges right before the deadline.

The online segment was done using the website Cybersecurity Challenge UK, which also has an optional standalone program known as Cyphinx. I used the web portal to complete the challenges (I don’t need a walking avatar). There were four challenges that I had to complete to get a score and be ranked. The ranking determined the eligibility for an invite to the second segment of the cybersecurity challenge.

The challenges varied. Some of the challenges required scraping data, where hidden information has to be extracted from different file types. These seemingly harmless files are exchanged on a daily basis in corporate environments. The point of the challenge is to raise awareness that data leaks can occur unknowingly. One other challenge required reading Python and PHP code to figure out a secret key to decrypt sensitive data. Another required analysis of a USB Rubber Ducky. Once the challenges are cracked, the flags/answers can be submitted in the web portal to get the scores.

I was not too optimistic about my chances of making it to the offline event after getting my final scores. Still, I received the invite from CSA to the second segment. Lucky me. I was suddenly thirsty for more exposure to these new gamified challenges that I found. I had fun solving the challenges. It seems a bit like detective work.

I can feel the detective in me. It is in my jelly.

Face-to-Face Challenge (SG)

The second segment of this cybersecurity challenge was the Singapore Cybersecurity Face-to-Face (F2F). This was a group challenge, jeopardy style CTF. I was placed in a team of three including myself. My teammates are considerably younger than me and really knowledgeable in cybersecurity. (They are students studying cybersecurity for their degrees/diplomas.)

The challenges were significantly harder than the online challenges. There was an intriguing story line to the event challenges about an insider exfiltrating data from an imaginary company. But, I could not care less about the story. There was a main challenge and multiple side challenges available to the players via a platform hosted by BAE Systems. For that short but hectic duration of 5 hours, I struggled and suffered in the cold. (Event hall was freezing. Save the Earth please.) Thankfully, there were some physical activities. I remember one activity involved stripping an Ethernet cable to sniff network packets (RJ45 cable jacking). Super thanks to my two talented young teammates as our team was able to get pretty good results.

For the F2F event, judges were constantly assessing the individual players. These judges are senior professionals in the field of cybersecurity from various domains and industry. The players were assessed and ranked. The top 6 players in this second segment were fully sponsored to travel to UK to participate in the final segment, UK Masterclass.

I managed to solve some of the easy side challenges and performed reasonably well in the presentation (I think). The presentation was to a panel of judges acting as senior executives of the imaginary company. I got the advantage by being the only working adult in the group. I did not achieve top 6, but one of my teammates did. Since he couldn’t make it, I was next in line. I think I was placed top 7? Lucky me.

Onwards to the final stage then.

UK Cybersecurity Challenge

UK Masterclass Final 2018

The final segment of my first CTF journey took me all the way to London, UK. I have never been to the UK before and I was really excited to participate in an event overseas. Prior to this, all 6 Singapore participants (Newbie me included) had some training sessions that focused on incident response and digital forensics. I learnt a great deal and many thanks to the instructors who had spent their weekends conducting the training seminars.

The main event was held in London over 3 days and was hosted by Barclays at their HQ building. All 42 UK participants had participated in similar online and offline segments of the cybersecurity challenge from all over the UK and qualified for the grand finals. Together with them, all 6 Singapore participants were randomized into different groups. I was amazed by the sheer talent of the participants. Quite a number of them are below 20 years old. And many of them played competitively in various CTF competitions with world rankings (A guy claimed). Color me real impressed.

On the first day of the event, things started easy and relaxing. After a short brief by the Barclays host, all the participants played a fun cyber security budgeting game with ‘Legos’ and cards. It was organized by London Metropolitan Police. After which, there was a dinner at a place called ‘Giant Robot’. Quite the geeky start.

The second day was the official start of the grand finals which introduced us to a pure defense challenge where teams raced to secure their systems from an imaginary adversary group. The challenges were conducted on a cybersecurity training platform by RangeForce with a cool dashboard that shows green/red indicators for your systems and achievement icons. (Red means your system is compromised!)

Woe is me

The defense challenge was at such a high level that a newbie like me was totally overwhelmed by the challenges. I was completely non-productive and clueless. I tried dabbling at the system settings and reading some code. Sadly, I couldn’t contribute to my team at all. (Sorry guys. I tried.) There were way too many technical concepts that I was not familiar with. I only practiced offensive security prior to the event. What a terrible oversight! The challenges spread across two full days covering technical concepts on server hardening, end-point protection, network analysis, firewalls and so much more. As my talented teammates blazed through the challenges, I sat there wondering about life. (No, like seriously)

Up till the last day of the event, I didn’t solve anything. I decided to observe my teammates’ actions and learn as much as possible instead. There was limited access to the ‘vulnerable’ servers. I didn’t even bother accessing them. My teammates have way better chances with the access. Looking back, there were other things I could have done to help the team to gain more points. I definitely could have helped to polish up the timeline forensic report with detailed artifacts. It was the single Achilles heel of most teams. (An organizer gave feedback at the end). The grand finals individual champion was a guy that had great leadership capability. Great leaders never fail to shine!

Challenge Accepted

At the end of the whole journey (nearly over 3 months), I found the struggles that I experienced meaningful. It is all about learning from the process and experiences. I was biting off more than I can chew with work, study and life. Still, the whole experience is very humbling and truly worth it. I enjoyed every step of this learning journey. I

Special thanks to the CSA folks who have helped to make all this possible.

I am challenging myself to elevate my cyber security skills.

Some resources that I would like to share:

WeiLong

Many interests. Mostly technical. Loves to read and watch short learning videos.