Reflection: Cyber Defenders Discovery Camp 2020

Just yesterday, I finished my first ever Capture The Flag (CTF) competition: CDDC 2020, organised by DSTA. I wanted to write up a quick post sharing my thoughts on this competition, partly because I can’t sleep thanks to 3am-bedtimes the past two nights.

Before this, I had a little experience with basic reverse engineering and other similar stuff. Taking part in my first real competition in this field, however, proved to be quite a different experience.

Prior to the actual day, there was a “training” phase that lasted around three weeks. I liked this idea, and believe it is helpful for the inexperienced: perhaps DSTA was hoping to “foster interest” in cybersecurity amongst Singaporean youths.

The actual competition itself spanned 48 hours, and took place remotely. Challenges were gated into six tiers, “warp gates” 5–0, each locked behind solving the previous tier. Overall, most of the challenges in the first three tiers (my limit) seemed to be standard CTF stuff: buffer overflow, disassembly, format string exploits, packet sniffing (Wireshark) and steganography, to name a few.

I was excited to apply what I learnt about chosen-plaintext attacks (AES ECB) in one of the challenges, “Hello” (gate 3): solving that gave me quite a sense of accomplishment. Steganography and Wireshark challenges were also new to me, though I had heard of them before, and I felt I learnt a fair bit from this experience.

I was a little disappointed that there was no “last hurrah” allowing unfettered access to all tiers: I had hoped to explore the “higher-level” challenges, like the ones on Active Directory, even if I would not have been able to solve them.

Generally, I felt most of the challenges I tried were designed alright. The tiers appear to be gated fairly well (or at least the first three). Some challenges, unfortunately, seemed to involve a large degree of guesswork or prior experience, especially those involving esoteric languages: “What Time Is It 2” immediately comes to mind.

[Image: message from a participant commenting on the randomness of the “What Time Is It 2” challenge]

Hey, I’m definitely not the only one who thought so!

Overall, I was happy to have had the chance to participate in an actual CTF competition. I would have liked an official “post-mortem” explaining how to solve the more difficult challenges, and some kind of archive of challenge files (docker images?) so that I can learn and try them out again in my own time. Luckily, there are already some write-ups from other participants, like this post by Justin Ong. Hopefully, more write-ups will be released by others, especially for the more difficult challenges.

Still, I think I learnt a good deal from this experience, and would definitely seek out more CTF competitions in the future. 😁