competition not for participation, but for experience

And so, in the spring of 2022, still unable to assemble a team of my friends, I came to VrnCTF (held at the Faculty of Computer Science of Voronezh State University), was offered to join someone’s team, and did. We played quite decently, took second place, everyone really liked it and wanted more. And now, in 2023, it is the same competition, but I am no longer a participant but one of the authors. It is a unique, unforgettable experience when you first write tasks for these competitions and then watch how the guys try to solve them (by the way, they are also held remotely, so next year I look forward to everyone who is interested). We still get feedback from the guys; it’s very nice when, about a month later, they tell you that everything was cool.

Now let’s talk about what CTF is and what it’s eaten with. For starters, here is the former VrnCTF logo:

(This is an old version; next year there will be a new one.)

So CTF, or Capture The Flag, is a team competition in cybersecurity. Put more plainly, it is about the art of hacking, but not only that: you will also need to decrypt messages, intercept them, analyze them, and do a bunch of other things.
By the way, you can eat them with anything you like 🙂

In general, there are two formats for holding these competitions; they are probably the most common in Russia, and I have played both:

  1. Task-based

  2. Attack-defense

To begin, consider task-based. Here you are given tasks (challenges) in different categories, and your goal is to get a certain flag: a string that matches a certain format. In the case of VrnCTF it was a string like vrnctf{some_text}. Flag text is usually written in leet, a style in which letters of the English alphabet are replaced by look-alike digits; for example, the phrase some_text might look like s0m3_t3xt.
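To make the flag format concrete, here is a small added example (my own code, not anything from VrnCTF’s checker): a leet encoder using the two substitutions from the example above, a validator of the kind a submission checker runs first, and a scanner that pulls well-formed flags out of arbitrary text. The allowed character set inside the braces is an assumption; the real competition may permit more.

```python
import re

# Flag format as described above: vrnctf{...}. The character class inside the
# braces is an assumption made for this example, not the competition's rule.
FLAG_RE = re.compile(r"vrnctf\{[A-Za-z0-9_]+\}")

# The substitutions used in the post's own example (some_text -> s0m3_t3xt).
# Task authors pick their own; this map is just what that example implies.
LEET_MAP = {"o": "0", "e": "3"}


def to_leet(text: str) -> str:
    """Rewrite letters as look-alike digits; everything else passes through."""
    return "".join(LEET_MAP.get(ch.lower(), ch) for ch in text)


def make_flag(text: str) -> str:
    """Wrap leet-encoded text in the competition's flag format."""
    return "vrnctf{" + to_leet(text) + "}"


def is_valid_flag(candidate: str) -> bool:
    """What a checker does before even looking up the flag: reject anything
    that is not in the format. Surrounding whitespace (a copy-paste artefact)
    is tolerated; a different prefix case or spaces inside are not."""
    return FLAG_RE.fullmatch(candidate.strip()) is not None


def find_flags(blob: str) -> list:
    """Pull every well-formed flag out of arbitrary text (tool output, a dump)."""
    return FLAG_RE.findall(blob)


if __name__ == "__main__":
    flag = make_flag("some_text")
    print(flag, is_valid_flag(flag))
    print(find_flags("noise vrnctf{a_1} more noise vrnctf{b_2} end"))
```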

The first category, and my favorite, is web. Here you are given some kind of web application (a site) and you must find and exploit a vulnerability in it. Since there are a lot of possible vulnerabilities, the task name or description hints at which one to use. It might be SQL injection (cunningly written queries to the database that let you pull all of its data or bypass the login/password check), or certificate substitution, which lets you impersonate a server that has access to all the data without being that server.
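The login-bypass kind of SQL injection mentioned above, shown as an added example (my own code, not a VrnCTF task): the vulnerable query concatenates user input into SQL, so a crafted password turns the `AND` condition into something that is always true; the hardened version binds the same input as a parameter and the bypass fails. The database and account are constructed in memory for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with one account. A real application would
    store a password hash, not the password; plaintext keeps the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The kind of code a web task hides: input pasted straight into the query.
    A password of  ' OR '1'='1  makes the WHERE clause
        username = 'admin' AND password = '' OR '1'='1'
    which is true for every row, so the check passes without the password."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver sends the input as data,
    so quotes and keywords in it can never change the query's structure."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    bypass = "' OR '1'='1"
    print("vulnerable, injected password:", login_vulnerable(conn, "admin", bypass))
    print("parameterized, injected password:", login_safe(conn, "admin", bypass))
```

Note that sqlite3 refuses to run more than one statement per `execute()` call, so stacked-query variants are not needed to make the point: one changed condition is enough. The fix is the parameterized form, not filtering quote characters.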

The next category is crypto, or cryptography. I don’t think encryption and decryption need much explanation here. There may be simple tasks on the Caesar cipher, or you may come across some self-written cipher for which you will have to write the decoder yourself (in that case they give you the encoder code).
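Both situations just described, as an added example (my own code, not from any VrnCTF task): brute-forcing a Caesar cipher by trying all 26 shifts and keeping the one that looks most like English, and inverting a made-up "self-written" encoder of the kind a task hands out. The `task_encode` cipher (per-position byte shift plus a key, hex output) is constructed for this example; because its key space is only 256 values, the known flag prefix is enough to recover the key even when it is not given.

```python
import string

# Letters that dominate English text; counting them is a crude but adequate
# score for picking the right Caesar shift.
COMMON = "etaoinshr"


def caesar_shift(text: str, shift: int) -> str:
    """Shift letters, preserving case; leave digits, spaces and braces alone."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> int:
    return sum(1 for ch in text.lower() if ch in COMMON)


def crack_caesar(ciphertext: str) -> tuple:
    """Try all 26 shifts; return (shift, plaintext) for the best-scoring one."""
    best = max(range(26), key=lambda s: english_score(caesar_shift(ciphertext, -s)))
    return best, caesar_shift(ciphertext, -best)


def task_encode(message: str, key: int) -> str:
    """Constructed 'self-written cipher' as a task might give it to you: every
    byte is shifted by the key plus its own position, then hex-encoded."""
    data = message.encode()
    return bytes((b + key + i) % 256 for i, b in enumerate(data)).hex()


def task_decode(hex_cipher: str, key: int) -> str:
    """The inverse the player has to write: undo the per-position shift."""
    data = bytes.fromhex(hex_cipher)
    return bytes((b - key - i) % 256 for i, b in enumerate(data)).decode()


def crack_task_cipher(hex_cipher: str, prefix: str = "vrnctf{") -> list:
    """With only 256 keys, brute force and keep every key whose output starts
    with the known flag prefix. The shift is a bijection per position, so at
    most one key can match a non-empty prefix."""
    data = bytes.fromhex(hex_cipher)
    want = prefix.encode()
    return [key for key in range(256)
            if bytes((b - key - i) % 256 for i, b in enumerate(data)).startswith(want)]


if __name__ == "__main__":
    print(crack_caesar(caesar_shift("the flag is hidden in the third paragraph of the task", 7)))
    ct = task_encode("vrnctf{c4e54r_15_n0t_3n0ugh}", 42)
    print(ct, crack_task_cipher(ct), task_decode(ct, 42))
```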

And yes, incomprehensibly written text can also be considered encrypted :)

So let’s move on to the next category, namely OSINT. As my friend likes to joke, “the category for girls, but who better than your current girlfriend will figure out your ex.” And in general he is right, because OSINT is literally competent googling or, to be a little more precise, the search for information in open sources. This can be anything from finding the name of a city from a photograph of a place to finding data about a person from their phone number.

We have learned about OSINT; now let’s talk about stego, that is, steganography. The extremely opaque definition: a method of transferring or storing information that keeps the very fact of the transfer secret. Put simply, it’s best to look at an example. Say you have a word, and you use its letters as the first letters of the words in some text, so you get a text that in no way points back to the original word. This method is called an acrostic. So we conclude that steganography is about hiding information inside other information (you can hide it not only in text, but also in videos, photos and many other places).
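An added example (my own code, not anything from the competition) covering both halves of that paragraph: reading the hidden word off an acrostic, and hiding a message in the least significant bit of image pixels, which is the textbook way the "photos" case works. The pixel buffer is a constructed grayscale byte array rather than a real image, and the 16-bit length header in front of the hidden message is a convention assumed for this example.

```python
def acrostic_extract(text: str, unit: str = "line") -> str:
    """Read the hidden word off the first letter of each line (or each word)."""
    if unit == "line":
        parts = [ln.strip() for ln in text.splitlines() if ln.strip()]
    elif unit == "word":
        parts = text.split()
    else:
        raise ValueError("unit must be 'line' or 'word'")
    return "".join(p[0] for p in parts)


def lsb_embed(cover: bytes, secret: bytes) -> bytes:
    """Hide `secret` in the lowest bit of successive pixels. A 2-byte big-endian
    length goes first (assumed header for this example) so the extractor knows
    where the message ends. Each pixel changes by at most 1, invisible to the eye."""
    payload = len(secret).to_bytes(2, "big") + secret
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover image too small for this secret")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def lsb_extract(stego: bytes) -> bytes:
    """Reassemble bytes from the low bits, reading the length header first."""
    def read(start: int, count: int) -> bytes:
        out = bytearray()
        for n in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start + n * 8 + k] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 2), "big")
    return read(16, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """How much the carrier was altered; for LSB embedding this is at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    poem = "Very quiet rooms\nRarely need cleaning\nNobody asks why"
    print(acrostic_extract(poem), acrostic_extract("Capture The Flag", unit="word"))
    cover = bytes(range(256)) * 4          # constructed 32x32 grayscale "image"
    stego = lsb_embed(cover, b"vrnctf{h1dd3n}")
    print(lsb_extract(stego), max_pixel_change(cover, stego))
```

On a real image the same idea applies to each colour channel of each pixel; tools that detect it look at the statistics of the low bit plane, which a clean photo leaves noisy and an embedded message makes structured.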

The leisure category is Joy; some people call it misc, there isn’t much difference. It is the simplest category: there may be some games here, just fun tasks. One option is to take a photo, post it with a certain hashtag and send it to the organizer :)

Well, another category is forensics. This is the analysis I spoke about at the beginning, or rather one way it shows up. You will have to analyze, for example, traffic dumps (the data that passed through a server over some period of time). In principle, this is forensic science applied to information security.
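Traffic-dump analysis in miniature, as an added example (my own code, not from a VrnCTF task): a parser for the classic pcap container that walks the record list, decodes Ethernet/IPv4/UDP, and reports which packet carried a string in the flag format from above. The two-packet capture is constructed inline; the IP header checksum is left at zero because the parser does not verify it, and pcapng (a different file format) is deliberately not handled.

```python
import re
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap, as written by this host
LINKTYPE_ETHERNET = 1
FLAG_RE = re.compile(rb"vrnctf\{[A-Za-z0-9_]+\}")   # flag format from the post


def build_udp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame for the sample dump. The IP checksum
    is left at zero: this is test data, not a frame a kernel would accept."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + udp


def build_pcap(frames) -> bytes:
    """Wrap (timestamp, frame) pairs in a little-endian pcap container."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, frame in frames:
        out += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return out


def parse_frame(frame: bytes):
    """Decode Ethernet -> IPv4 -> UDP; return None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # header length in bytes (options included)
    info = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "proto": ip[9]}
    if ip[9] == 17 and len(ip) >= ihl + 8:       # 17 = UDP
        sport, dport, ulen, _cksum = struct.unpack_from("!HHHH", ip, ihl)
        info.update(sport=sport, dport=dport, payload=ip[ihl + 8:ihl + ulen])
    return info


def parse_pcap(data: bytes) -> list:
    """Walk the record list, honouring the byte order the magic number announces."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                    # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file (pcapng uses a different header)")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    records, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) != incl_len:
            break                                # truncated capture: stop, don't mis-parse
        info = parse_frame(frame)
        if info:
            info["ts"] = ts_sec
            records.append(info)
    return records


def find_flags(data: bytes) -> list:
    """The question a forensic task usually asks: which packet carried the flag?"""
    hits = []
    for rec in parse_pcap(data):
        for m in FLAG_RE.findall(rec.get("payload", b"")):
            hits.append((rec["src"], rec["dst"], m.decode()))
    return hits


def sample_pcap() -> bytes:
    """Constructed two-packet capture: a query and a reply that leaks a flag."""
    return build_pcap([
        (1700000000, build_udp_frame("10.0.0.2", "10.0.0.1", 40000, 53, b"hello")),
        (1700000001, build_udp_frame("10.0.0.1", "10.0.0.2", 53, 40000, b"flag: vrnctf{tr4ff1c_dump}")),
    ])


if __name__ == "__main__":
    for rec in parse_pcap(sample_pcap()):
        print(rec["ts"], rec["src"], rec.get("sport"), "->", rec["dst"], rec.get("dport"), rec.get("payload"))
    print(find_flags(sample_pcap()))
```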

And now we come to the last category: reverse. Its essence is that you are given some application and you must somehow recover its source code and do something with it: change it and rebuild the application, extract some data from it, and so on.

Done with task-based, let’s move on to attack-defense. By the way, this year I made it to the anniversary RuCTF, which is held in exactly this format and which I was lucky enough to get into. It is an eerily cool and pretentious event, where the strongest teams from all over Russia compete.

But we’ve gone a little off topic. So, attack-defense is fundamentally different from task-based; I understood this in theory, but it was still a surprise. You are given a server that runs several services with vulnerabilities (roughly the same list as in task-based, but a somewhat narrower range). The team has to simultaneously look for these vulnerabilities, fix them in its own services, and write exploits (programs that trigger the same vulnerabilities in rival teams’ services and pull flags from them).

So my first article is over. I hope you liked it; subscribe, and I guarantee there will be a lot more content like this. I’m also waiting for ideas about what you would be interested in hearing about. Feel free to ask questions; my contacts are in the profile.
