Two weeks ago 23 students from HiG formed a team to compete with 76 teams from all over the world in a contest in information security. The goal of this "Capture the Flag" competition in information security was to investigate and protect a computer system under time pressure and to exploit vulnerabilities in computer systems of the other teams. Every team started with an identically configured system and had less than one hour to prepare before it could be attacked by others. In addition, several challenges needed to be solved to score extra points.
Competition was tight. Out of the more than 70 teams, half came from Europe, a quarter from the U.S.A., and another quarter from Russia and Asian countries. Most of the teams had experience from similar competitions and study at universities with high reputation. HiG’s team was formed by students in software security (3rd year bachelor in information security) and students attending ethical hacking and penetration testing (2nd year master in information security). Students applied the knowledge gained in their study programs and organized themselves into specialized groups focusing on attack, defence, system administration, and coordination. Competition started at five o’clock Friday afternoon and ended at four o’clock Saturday morning.
This first-time participation concluded with 10th place based on the score for challenges solved, offensive and defensive actions. At ten o’clock, we even were 4th of all teams. Please note that on the scoreboard we are the only team out of the leading four that has all services up and running without problems.
Students considered the activity to be fun and a rich learning experience, and recommended to repeat the exercise next year. I have to think back a long time to remember when we had seen so many students working hard on a Friday night.
Special thanks go to Lasse Øverlier, Erik Hjelmås, Jon Langseth for contributions above what could be expected on short notice.
My expectations as regards the outcome had been low. It was the first time, students had little experience with this kind of experience, we were the first team from HiG to attend, students were assembled from two courses, and details about the rules and the challenges we had to mount had not been published in advance. I offered students in my software security course that they would get participation in this CTF (Capture the Flag) accepted as a solved obligatory exercise if they managed to score better than the lowest scoring active team.
In the end, 31 teams had all services down, 0% defense and 0% offense points, 0$ and 0/4 challenges solved. Of the remaining 46 teams, we reached 10th place with team "IMT3501", with 9 teams scoring higher, and 36 active teams scoring lower. All students hence passed an obligatory exercise. On Saturday evening, I even received an email from a student writing that he had worked more with the virtual machine image and found yet another vulnerability in one of the services. I am impressed.
What worked well: the timing of the CTF was good, it fit with the schedules of the courses software security (3rd year bachelor) and ethical hacking (2nd year master). Setting up the infrastructure worked ok, given the limited time and experience. Having several large screens or projectors was good. Mixing students from different courses was good. Having a large team (20+ people) was good. Specialising on different tasks was good.
Lessons learned for next time: Automation of exploits took time, flow of information in the team could have been better, strategic and tactical coordination of tasks could have been better.
I guess that preparing and hosting such an event for tens of teams worldwide requires a large amount of work, and I do not see us in the position to be a host ourselves – yet. Nevertheless, there are things one needs to think about to make life easy for participants. Information by organizers at RWTH was scarce in advance of the event, and dates of advance information were often postponed. If you include participation as part of teaching, you want to lower the risk of obstacles, because there are tens of students who depend on the event taking place. Emails from the organizers were sent out as blank emails with a single encrypted attachment. In most cases, the information was not confidential. Retrieving the information on our side involved: saving the attachment to disk, decrypting the attachment on the machine where the decryption key was stored, splitting the file into a text file and several base64-encoded attachments, decoding all attachments, and distributing the information among the people who needed to know. I would have liked to have seen encryption applied only to the files that needed it and to have all files being attached as individual files, not collated, encrypted and attached. Organizers used a number of distribution channels (web, email, IRC, Twitter, Google groups). Removing some out of that set would streamline communication.
About an hour or two before the scheduled end of the competition, organizers announced that it would be prolonged by another ninety minutes. That is a no-go. Students had been up since Friday morning, some had to drive home, and it makes a difference to stay awake for another one and a half hours. I suggest giving more hints or removing challenges to achieve faster progression. Most of us called it a day at four o’clock, and I sent home the last remaining students at half past four when it was evident that there would be no more progress on our side.
After all, it was fun.