10 March 2017

Calling all Competitors – Perspectives from the CTF Winner’s Circle

Andre Gerard

Wargames to Winner

“Motivation to hack things has always come out of a place of curiosity. I use my curiosity to try to understand the inner workings of a system from a lower level, taking nothing for granted. In the Computer Security world, it doesn’t take long to realize that there are so many groups of hackers around the world, which was what initially piqued my curiosity and motivated me to learn from as many of them as possible.

While there are many excellent ways to get started in hacking, game-based learning has swept computer security like wildfire and it really is changing the way many newbies enter the field. Playing games provides hackers with motivation and the satisfaction of rising to a challenge. There are a lot of skills to work on in these games, i.e., Programming, Web security, Cryptography, Host based security, Forensics, Hardware security and Binary exploitation [see David’s recs at the end!].

Wargames are tailored to help newbies learn what to look for, and they serve as a great starting point and transition into CTF competitions. CTFs are created and organized by hackers in the community and for the community; there are a couple different types of popular CTFs at the moment:

  • Jeopardy style (challenges are organized by a specific category and are rated according to difficulty)
  • Attack / Defense (teams are assigned a network with vulnerable services and must patch bugs in their services while attacking other teams)

I started playing CTF in college and found my passion for low-level programming and bug hunting this way. Having tried out different kinds of hacking on Wargames was helpful for me once I started playing CTF, because I wasn’t sure what to focus on at the outset. CTFs can be extremely challenging at first, but if you stay determined and if you practice, you begin to know what to look for and how to research for the required levels of understanding. Through college, I participated in CTFs whenever the opportunity arose and, incidentally, I ended up meeting awesome like-minded people from around the world. And it led me to a wonderful job opportunity here at Synack!”

– David Weinman, Synack R&D

“If you’re going to make a living in defense, you have to think like the offense.

So, learn to win at Capture The Flag. These competitions distill major disciplines of professional computer security work into short, objectively measurable exercises. The focus areas that CTF competitions tend to measure are vulnerability discovery, exploit creation, toolkit creation, and operational tradecraft. Whether you want to succeed at CTF, or as a computer security professional, you’ll need to become an expert in at least one of these disciplines. Ideally in all of them.”

– CTF Field Guide


Hear it from the “Winner’s Circle” at this year’s BSides SF Capture the Flag…

**See the full Q&A with The “Open to All” and Square teams in our post here.

First Place: Graziano Misuraca and The “Open to All” Team

Would you classify yourself and/or your team members as security researchers/hackers?
I personally do product security at my job, and my teammates are a mix of professionals, hobbyists, and students.

What keeps you coming back to doing more CTF competitions?
I’ve been playing CTFs on and off for two years now. I like the variety of challenges, the relevance to new/hot issues (e.g. a shellshock-based challenge the same weekend it was announced), and think it’s good practice for skills relevant to my job.

What do you think contributed to your team’s success at CTF at BSidesSF?
We had more than ten people putting in a lot of time and we had a good division of labour. I barely had time to see any of the talks, as I spent 8+ hours a day on CTF challenges. It came down to the wire at the end to pull into second place, so I definitely think the dedication of time put in was a huge factor.

Where did you/do you learn about CTFs, and hacking techniques?
Since OpenToAll is a pretty established team at this point, we have a busy Slack channel where we share the latest industry news and discuss projects together. There is often more than one CTF a week, so it’s not hard to just start hacking when you feel like it. In addition to actual CTFs there are a huge number of resources and ‘wargames’ that offer just about unlimited resources to learn from. We have channels dedicated to working through these challenges.

Do you have an all-time favorite target and why?
I’d say that some of the most fun and interesting challenges were on a non-standard system. Maybe a weird CPU, non-standard libraries, or something else that takes it out of ‘yet another memory corruption on linux x86’. For some reason I find the challenges a lot more fun if I manage to solve them.

Second Place: The Square Team

Would you classify yourself and/or your team members as security researchers/hackers?  
Each of us comes from a slightly different background, some “researcher/hacker” and others engineering-focused. Our BSides CTF team consisted of 4 people from 4 different infosec teams at Square: product security, platform security, security infrastructure, and mobile security.

Have you entered in other CTF competitions and if so, what do you like about CTF competitions? Do you have a favorite?
We’ve all individually participated in past CTFs, but this is the first time Square’s infosec team has competed officially as a team in a public CTF. We individually can’t decide on a favorite, but all agree BSidesSF’s CTF was pretty cool!

Are there other types of security focused challenges/projects you like or work on? If so, do you have an all-time favorite target and why? Was it a successful outcome for you?
Here are some challenges and research projects we like to highlight:

  • Microcorruption.com: MSP430 lock emulator teaching memory corruption exploitation
  • Cryptopals.com: Set of challenges to learn how to break cryptographic algorithms and implementations
  • OSX IPC research: Security research in the way inter-process communication works on OSX and iOS leading to the discovery of CVE-2015-3795.
  • Overthewire.org: x86 reversing challenges that get incrementally more difficult.
  • Stripe CTFs: Three different CTFs with different focuses on web and distributed systems (no longer running unfortunately, but the code is public)

Some Synack-recommended resources:

Steve Vittitoe is the founder and leader of the popular Samurai CTF team and he has a classic reference: How to Get Started in CTF

David’s Recs:
Good starter for what a CTF is like: PicoCTF
Online Wargames:
Smash the Stack