We just finished up our fourth Capture The Flag event in sunny Santa Barbara, California. With over fifty attendees and seven teams, we had an absolute blast trying (and mostly succeeding!) to keep up with the growing demand of security enthusiasts from Central to Southern California. Over the past few months, our volunteers hand-crafted a series of web applications which were isolated for the sole purpose of demonstrating how security flaws can be written, and exploited — with the end goal of demonstrating how one can avoid falling into these pitfalls when designing modern web applications.
Now, if you’ll excuse us while we sweep up the remains of those poor servers, here’s a quick recap of the weekend:
But first, some terminology
Capture The Flag is an information security competition aimed at increasing the knowledge and efficiency of security testing. The objective is to exploit vulnerabilities which return a “flag” that can be entered into a scoreboard application for points. Most of the events have prizes ranging from honorable mentions to thousands of dollars. There are typically two types of CTF competitions: Jeopardy and Attack-Defense.
Jeopardy style is a set of challenges typically hosted in isolation of other teams consisting of various topics such as web app, mobile app, reverse engineering, cryptography, and steganography. Point values vary based on the difficulty of the challenges and teams compete by overall point count.
Attack-Defense is where teams each have their own system and/or network with vulnerable services. Teams compete by exploiting vulnerabilities in other team’s systems while defending their own by patching vulnerabilities once they’ve identified them.
Our event was Jeopardy style: a single application with embedded flags, with each team working against its own isolated copy.
Our first evening started off with an informative presentation by the formidable James Brown, followed promptly by an absurd amount of pizza. By 6:30pm, before the majority of attendees had finished their slices of pizza, UCSB’s Ham and Panthers had struck — seizing an early lead.
At the same time, a number of our attendees were introduced to the magic that is Chicken In a Biskit, a savory cracker with a cult-like following.
As the majority of teams solved their easy challenges, it was time for awful hacker movies, starting with everyone’s favorite: Hackers.
The Second Day
As the intoxicating smell of doughnuts wafted into the dreary nostrils of the CTF-goers, preparations were being made for a new addition to SB CTF: workshops. Presented by the illustrious Jason Haddix, we dove deep into the complexities of an essential pen testing tool: Burp Suite.
While contestants churned away at the newly released challenges, volunteers began rapidly preparing for a demonstration of social engineering — exposing the greatest weakness in any company, big or small: the people. Social engineering, in its most basic form, exploits our tendency to implicitly trust a charismatic, friendly person over the phone.
Shortly afterward, we picked our collective jaws up from the floor just as Rubinius had been solved by Ham and Panthers (in 1 hour 54 minutes), surprised that this complex challenge hinging on disassembling machine code was solved so quickly.
The Final Countdown
As the final day began, the heated battle between the top three teams raged on. Though the majority of us had a sneaking suspicion of who would take first — second and third were traded so frequently that a last minute upset seemed entirely possible.
As the clock struck 5, it was time to announce the winners:
- Ham and Panthers
- Malfunction Junction
Special thanks to:
- OWASP Santa Barbara for their dependable support, which helps to provide the prizes and swag for all who attended.
- BugCrowd for feeding the sea of hungry hackers (and helping with the swag!).
- Invoca for hosting the event and providing technological resources.
- All who volunteered their time over the last few months creating the challenges and standing up the infrastructure.
- All who attended for making this an unforgettable event, keeping an open mind, and learning with us.