Fabrefact

a blog by Sara Farquharson

WTF is a CTF? A beginner's adventure

Today I reverse-engineered binaries and pored over packet captures to find hidden information under a deadline, thereby checking another box in my quest to be the coolest person my 14-year-old self could imagine. This was all part of Women Unite Over CTF, an online competition hosted by a number of cybersecurity communities.

So what is a CTF?

A few weeks ago I had this exact question, after seeing the Women Unite event promoted by several people I follow on Twitter. A quick search told me CTF stands for “Capture the Flag”, and means a type of information security competition where players or teams compete to collect “flags” for points. This sounds, to be honest, deeply intimidating.

I may be a professional software developer, but I have never been a hacker. I don’t decompile software or use cheat codes in games, and I only switched my IDE to dark mode due to peer pressure from my coworkers. I hate the way the hacker stereotype involves taking joy from making other people feel stupid. I particularly hate feeling stupid.

But I love puzzle games.

Removed from the competitive aspect, a Capture the Flag event is solving a series of puzzles using techniques like forensics and cryptography. This sounds fun to me! But the problem remains: how do you learn those techniques if you’re just a regular person who has never considered exploiting a web server?

It turns out CTFs are not exclusively high-pressure clashes between technowizards who are out to crush your self-esteem. Some events are explicitly aimed at beginners, and can serve as educational opportunities to get familiar with the tools and techniques.

Women Unite Over CTF

I clicked on the Women Unite event with the thought of sending it to my coworker, who is actively studying security. However, my attention was caught by wording like “laidback” and “we’ll give you a tutorial”. Could this be a friendly way to get started? I signed up on a whim.

The event

I was not precisely thrilled at getting up before 9am on a Saturday, but I was excited to learn new things! I still wasn’t convinced I would solve a single puzzle.

The bad

The online event had a bit of a rough start. The competition was hosted on Point3 Security’s ESCALATE platform, which is supposed to provide a sandboxed environment full of well-designed challenges in various categories. Unfortunately, under the hammering of hundreds of attendees trying to log in, the system mostly provided 504 Gateway Timeouts.

Look, I get it. I work in the tech industry, and sometimes despite your best efforts your system falls over and users are angry. However, if you have a scheduled event coming up with a thousand people registered, please for the love of little fishes test what 1000 concurrent connections will do to your web app!

I didn’t care about prizes so wasn’t too bummed about the late start, but it was still frustrating. It took well over an hour before I could even log in, and even then clicking any link could take up to five minutes or time out entirely. Since completing each challenge took at least five clicks, this was a huge tax on participation.

The good

Even so, the ESCALATE platform was pretty cool. The provided Linux VM was stocked with every conceivable application used for decompiling or inspecting files, and the problems themselves escalated in difficulty in a way that I was able to take what I’d learned from one challenge and apply it to the next. After the competition was over and (I assume) most people had logged off, all the fancier features were able to load and I found the tool quite pleasant.

The best part, however, was the tutorials. On the livestream the presenter Nada gave walkthroughs for three of the reverse-engineering challenges, including demonstrating which tools to use and some of the features of those tools. This was, to my mind, the most critical part.

The tutorials themselves had some pretty advanced concepts compressed into a very short lesson, so I don’t know how they would feel for complete beginners. Since I already know how to code and even have a vague understanding of assembly language, I got the most value out of the sections that explained the thought process of which tools to choose for which parts of the process. (Although the assembly reference was also essential—I didn’t have that strong an understanding going in!)

Due to the technical difficulties, they extended the time of the contest and let everyone continue using the ESCALATE trial until the end of the day. This allowed me to keep plugging along at challenges on a system that was not currently being accidentally DDoSed. It was a rewarding and fun afternoon.

The results

I ended up solving 9 out of 28 challenges! I got all five in Network Foundations Level 1 and the easiest four Reverse Engineering problems. Three of those reverse engineering challenges had walkthroughs, but the last (and most complex!) I was able to extrapolate based on what I had learned in the previous lessons. The networking challenges I figured out for myself, starting from the knowledge of “Wireshark is a tool for looking at network stuff”.

I came out with a basic knowledge of how to use Wireshark, Binary Ninja, and OllyDbg. More generally I learned about static and dynamic analysis of binaries, and a little bit about when and why to use them.

After the event was over I was hype for more learning and signed up for a resource recommended for newcomers. Instead it has opaque problems with zero guidance labelled “very easy” and I hate it. Let’s just say there’s still room for improvement in this space.

Thanks to Point3 Security, Gatebreachers, Women’s Society of Cyberjutsu, WoSEC, and WomenHackerz for putting on an event that, technical difficulties aside, succeeded in making security feel accessible.