In closing, I wanted to say a few things about my experience with DerbyCon CTF 2014.
This year was much different than years past simply because I had my family with me this year. Although I had my wife’s blessing to experience the con as I always had, it just felt different because my family was present and therefore I acted differently.
When I was in the CTF room my attention was divided between trying to discover the next flag and taking a break to spend time with my family. When I was with my family, my mind was secretly trying to solve a problem I hadn’t yet answered. In other words, it wasn’t much fun for me or the family. Well, it wasn’t awful — it just couldn’t be both.
Anyway, this year was also much different for me than 2013. This year really underscored the importance of being on a team. Last year I went through the trouble to recruit friends from DC404 to participate on a team — and we did well that year: 4th or 5th place (don’t recall which). Besides a team obviously making up for my lack of talent, they also provided a sounding board to bounce ideas off of and encouraged trying weird things. It also helps spread the resources around. I wouldn’t have wasted any time trying to reverse-engineer a binary, and someone else wouldn’t have spent that time waiting on dirbuster to finish. Outside a team environment, there isn’t much hope for seeing your name in lights on the scoreboard.
Mapping out potential targets, vulnerable services or interesting items AND TRACKING THEIR PROGRESS are certainly keys to success. So is taking breaks to give your mind time to rest. Knowing where you left off and where to pick up certainly helps the transition back into the game after you’ve been gone for a couple-three hours.
I knew when I brought home those files to help me document how/where I found flags that I would find a few more when going through them. I didn’t anticipate how easy or obvious those flags would be. When you think you’ve found something that requires you to drill a little deeper — just step back and take a deep breath for a second. Sure, that web site might be vulnerable to SQLi — it might also have the next flag plainly printed in the title of the page too.
Finally, I keep saying I’ll learn new tools in preparation for next year’s event — but I rarely do. I could see all sorts of guys using Burp Suite and to be honest, I just don’t know the tool well enough to accomplish anything meaningful with it. I’m sure it was useful in some situation — I just didn’t know where to start. We can add that to the TODO list for next year.
These were just some random thoughts that I wanted to throw out there to bring closure to the CTF portion of the conference. I’m certain I could/should have done a better job documenting these flags but I was more motivated to just get this information out there in hopes that it will help someone else just starting out to find direction in their next CTF. (In other words, do as I say, not as I do.)
I hope you’ve found this helpful. If so, please leave me a comment. I’d love to hear about your CTF experience and more.