Last weekend I attended DerbyCon, a hacker conference in Louisville, Kentucky. DerbyCon is a relatively young conference (compared to others such as DEF CON) and this is the fourth consecutive year it’s been held. I have attended every year. Every year that I have attended, I have participated in the Capture The Flag (CTF) event.
A few of my readers won’t know what CTF is, so I’ll take a moment to explain it. CTF is an event in which hackers compete to find “flags” on vulnerable networks or systems. CTFs vary in type but the basic premise is that you use any means necessary (within the stated rules) to locate flags which are turned in for points. Flags can be obtained any number of ways but typically involve locating them hidden in certain locations or files. The more difficult the flag is to obtain, the more it’s worth in points.
I competed in my very first CTF event my first year at DerbyCon. Ever since, I have become completely immersed in playing CTF while at the con. To put that in perspective, the last two years I attended the con, I did not see a single talk outside the opening and closing ceremonies, simply because the CTF hasn’t started or has ended during those talks. Any talks I see are usually after they’ve been posted to YouTube at a later date.
Unfortunately, this year I was only able to participate in the CTF for approximately 16 hours. The family came with me to Louisville this year and between my parental duties, problems with WiFi and having to leave early Sunday morning, it just wasn’t meant to be this year. But I managed to put enough time in behind the keyboard to find some flags, so I’ll be blogging about those later.
So how did I do?
When I signed off on Saturday evening at 7pm, I was placed 22nd with 14 flags worth 1190 points:
By the close of the competition, I dropped to 29th place. I’m more pleased with where I placed in the competition than with my score. I’m confident had I not gotten caught up in the networking issues on Friday, having to deal with the CVE-2014-6271 vulnerability or leaving early on Sunday, I would have performed much better. Considering all that, I wasn’t participating on a team this year and many of the top teams are full-time penetration testers.
I’m just a lowly blue-teamer. Some might argue that if I’m tasked with defending networks that should make me a better attacker and they might be right. The fact of the matter is, that’s not necessarily always true. Defense is hard. Defense sucks. Attackers only have to get lucky once. Defenders have to be lucky all the time.
In the weeks following my 1st CTF event, I scoured the web looking for an explanation of any flags others might have found and how they were obtained. There was little information out there. I repeated the same process following my 2nd CTF event with minimal luck there as well. I was prepared during my 3rd CTF and captured all the flags as well as where and how they were found. And then I accidentally wiped the hard drive on that laptop when I got home.
This year is different! I documented all 14 flags I found, where they were and how I found them. It won’t be an exhaustive list by any measure but I believe every little bit will help those who were where I was 4 years ago struggling for clues on how to find their next flag. If I’m lucky, maybe it will even open some dialogue on flags I had a lead on but was unable to obtain. Look for those blogs to get published in the near future as I have time.