Last weekend Invoca hosted the 2nd biannual Santa Barbara Capture The Flag (CTF) competition, and we are proud to announce that it was a huge success. We had five different teams and over 40 participants ranging from hacker elite to infosec novices. We’re in the process of collecting feedback and holding a retrospective of the event. In the meantime, here is a recap of the weekend.
What is a CTF?
Capture The Flag is an information security competition aimed at increasing the knowledge and efficiency of security testing. The objective is to exploit vulnerabilities which return a “flag” that can be entered into a scoreboard application for points. Most of the events have prizes ranging from honorable mentions to thousands of dollars. There are typically two types of CTF competitions, Jeopardy and Attack-Defense.
Jeopardy style is a set of challenges typically hosted in isolation of other teams consisting of various topics such as web app, mobile app, reverse engineering, cryptography, and steganography. Point values vary based on the difficulty of the challenges and teams compete by overall point count.
Attack-Defense is where teams each have their own system and/or network with vulnerable services. Teams compete by exploiting vulnerabilities in other team’s systems while defending their own by patching vulnerabilities once they’ve identified them.
The Night Begins…
Jesse Adametz, Sr. Cloud Ops Engineer, kicked off the CTF with a talk on the automation used to allow us to spin up hundreds of applications which was needed to support all the teams and challenges. We outlined all the difficulties of orchestrating so many applications and ensuring their availability. This becomes particularly important when your user base is there to compromise what you just spent hours automating and launching!
Here is a link to the slides:
Following the kick-off, the teams hunkered down in conference rooms and common areas as they feverishly began attempting to solve the challenges. The “First Blood” was only four minutes into the event and the second was so close we actually awarded a prize to both teams! As the evening progressed and teams settled into their rhythm, we kicked off the Mr. Robot Marathon and posted up in the kitchen area with our energy drinks and coffee. Throughout the night we’d take a brief binge-watching break to field questions about challenges, or joke about the devilishness of our challenge writers. Invoca’s Armin Ahkbari and Bugcrowd’s Jason Haddix were particularly clever with the challenges they wrote this time around.
The night continued and the energy drinks started to lose their effectiveness until there was a single person left standing, who won the award for outlasting all others. When morning rolled around we stacked up breakfast burritos almost as fast as people arrived. Additionally that morning, in typical CTF fashion, we busted out the picks, locks, and handcuffs because… why not? By noon, most teams were back at their battle stations tearing through challenges again. Mr. Robot was now showing the epic Rasberry Pi hack scene while we demolished a table full of sandwiches. Later, we had the pleasure of watching Jason Haddix give his “Bug Bounty Hunting Methodology” talk which he has presented at Defcon in previous years.
The latest version of Jason’s talk.
We learned a valuable lesson at dinner about advanced notice on taco orders over 10! Thankfully, Lilly’s was not only happy to whip up a bunch of tacos for us but they did so in record time. A short while later we were devouring tacos and fueling up for the second and final night of hacking which had many teams up incredibly late solving challenges. The final episodes of Mr. Robot had aired and we moved on to the hacker classics such as Sneaker, Hackers, and Wargames.
Sunday morning had a stunning number of people still awake or arriving after few hours of sleep. The race was a tight one with only some of the hardest challenges left unsolved. The point values for those challenges made it a race to the final minute, and in a Kentucky Derby style photo finish a team snuck in and upheaved the final tally.
As we wrapped up the morning with prize announcements, we began talking about the fun we all had over the weekend. Feedback is still flowing in but it was fantastic knowing that we had enough content to entertain those new and old to the field of Information Security. We are continuing to collect feedback which we plan to review and then share with everyone. The source code for the challenges and the automation used to launch the infrastructure will also be made available in the coming days and weeks.
Thanks to all that attended, the volunteers that organized, and the companies that sponsored.
We will be releasing the challenges in the following repo.
Contribute to sbctf_release development by creating an account on GitHub.