17 October 2018

Off to the Races at DerbyCon 2018

Andre Gerard

Synack community team and Synack Red Team at DerbyCon

DerbyCon 8.0 was busier than ever, including the coveted Capture the Flag competition sponsored by Synack this year. Over the course of 48 hours 174 teams competed for the grand prize, and the competitors works up until the very last minute. Since many of the CTF teams at DerbyCon are returning competitors, the CTF creators are tasked with making the challenges more difficult and a little more “real world” with each passing year. The Synack Team was onsite in Louisville for DerbyCon 8.0 and we had the pleasure of catching up with the CTF organizing team and the winners.

“…[What’s] unique about our event is we structure it somewhat to resemble a real penetration test” –Geoff Walton, @DerbyConCTF

The DerbyCon CTF creators design each year’s challenges with a unique theme- this year’s theme was “Equihax”! The DerbyCon CTF is always created with various skill levels in mind, because it’s important that beginners to seasoned security professionals have a fun time. The CTF is “flag-based”, meaning that participants search for “flags” through the contest network and submit as many flags as they can find to earn points. The more difficult the flag, the more points it’s worth. Read our Q&A below with some of the top competitors to learn their “tricks of the trade” and secrets to success! Read on to hear insights from DerbyCon CTF winners as well as the creators, and glean tips from the competitors — they might help you hone your own skills!

“The DerbyCon CTF is as close to the kind of security work that we do professionally as I’ve ever seen.” –Chris, SpicyWeasel team lead, @DerbyConCTF Winner

DerbyCon 8.0 CTF competition

Synack Red Team Members Lead the Way at DerbyCon 8.0 Car Hacking CTF

Our very own Synack Red Teamers shone brightly at the DerbyCon CTF in the Car Hacking Village. Synack Red Team duo Adam and Ryan (Team Canb0$$) recently won the Car Hacking CTF at GrrCON and then followed up with a top finalist spot at DerbyCon’s Car Hacking CTF. Congrats to @Adam_Logue and @phurtim!

Q&A with Ryan:

Q: How did you get started?

A: I first started doing CTF’s as a way to build up my resume in college for prospective penetration companies. I then continued to compete in CTF’s as a way to challenge myself and learn new things. Three years ago at Grrcon in Grand Rapids, Michigan, Adam and I discovered the car hacking village and the awesome guys who run it. We immediately fell in love with the idea of car hacking and have been feeding off of each other’s passion ever since. For the last 3 years we have won first place in the Grrcon car hacking CTF under the name CANB0$$ and this year we took 2nd place at the DerbyCon car hacking CTF.

Q: What do you think sets your team apart from others?

A: In my opinion what separates Adam and I from other teams is the extra time outside of CTF’s we practice and learn new things about car hacking. It helps to have two people that are excited about the material. We are always feeding off of each other and pushing each other to the next level.

Q: What about CTF’s do you like, what keeps you coming back and spending the time playing?

A: I keep coming back to CTF’s because I like the challenge it presents. It is a way to test my knowledge and skills against other people and hopefully learn something new in the process. I can safely say there has not been a CTF that I have not learned from.

Q: How do you sharpen your hacking/CTF skills? Do you have recommendations or learning sources for others trying to get into playing CTFs?

A: I sharpen my skills by reading and then doing. What I mean by this is, I do not just read something and hope to retain the material. I will take what I read or learned and script the process out or in some cases physically attempt something on my car (Do this at your own risk!). For someone just starting out, I would recommend the car hacker’s handbook, it is a quick read and full of useful information. Some of the resources I use to stay current within the car hacking community are on http://canbushack.com/, Reddit and Twitter.

Q: Anything else you’d like to include about your experience or anything specific about the DerbyCon car hacking CTF?

A: If anyone is even slightly interested in car hacking, DO THE CAR HACKING CTF! Even if you think there is no chance of winning, you will learn a lot of useful tips and meet new people who have a similar passion for the subject.

The Main Event – Capturing the Flag at DerbyCon

This year’s DerbyCon win went to team SpicyWeasel from the Nettitude Labs. You can read their write-up on the CTF challenges and how they solved them here. We caught up with Chris, the team leader.
DerbyCon 8.0 CTF leaderboard

Q&A with Chris:

Q: This is your second time in a row winning the DerbyCon CTF – what keeps you coming back?

A: I went to the first DerbyCon with one colleague, in 2011. Back then, we were one of the only people from outside the US to attend the conference. We were welcomed with open arms and we were immediately hooked, and we have been back for most years since. During that first DerbyCon, the two of us dabbled in the CTF and came second place. From there, it snowballed. Each year, the CTF gets harder – the DerbyCon CTF production team are fantastic at what they do, and support from sponsors such as Synack really helps. We most likely wouldn’t be finishing in second place with just two people these days!

Q: How do you select members of your CTF team, e.g. do they have different skillsets or skill levels, etc.

A: We select members of our Nettitude penetration testing team to go to DerbyCon based on a number of factors, including but not limited to expressions of interest, over performance, training and conference recent history, etc.

There are no expectations, implied or otherwise, for Nettitude employees to participate in the CTF. Every year we debate whether we should even compete. However, as passionate security professionals, it’s a challenge we find just too difficult to turn down. It’s important to me that employees at all stages of their career have the opportunity to attend this type of event, and that’s no different for DerbyCon. There was a spectrum of experience and specialities across the team and there were some epic learning opportunities for us all.

Q: What do you think sets your team apart from others?

A: As a penetration testing team, we have a really close relationship to each other. There are huge levels of respect between our team members at all levels – ego is left at the front door. We continuously share knowledge and we run eight internal conference days per year, at huge opportunity cost, because we recognise the value of doing so. We never get complacent and we’re all passionate about what we do. Our leadership team exhibits all of these traits and so they permeate throughout Nettitude. It’s not surprising to me that we are able to crush the CTF and then go for a beer after, rather than wanting to avoid each other. I don’t know if these things set us apart from other teams or not, but it’s what works for us.

Q: Do you have recommendations for how to sharpen your hacking/CTF skills?

A: Hacking and CTF skills have some overlap, but they are different things. With normal hacking, you usually have the luxury of time and less competition. With a CTF, you’re usually time bound and competing against many other teams. I will say this: the DerbyCon CTF is as close to the kind of security work that we do professionally as I’ve ever seen (the occasional weird challenge aside, which is always a welcome change of pace). How do you hone those skills? Like anything else, training and practise, in my opinion. Surround yourself with the best and brightest at their craft, and learn from them. Go all in and aim to be the best at what you do. There’s no other way. I’ve seen plenty of people take that approach and before long, they’re the ones people want to be around to learn from. The other thing is that while a CTF can be a good way to benchmark your skills, it’s ultimately mostly there for some fun. They are excellent for helping an individual to identify their weak spots and work on those areas.
DerbyCon 8.0 CTF winning team

Want the inside scoop on this year’s DerbyCon CTF?

Hear it straight from the organizers, @DerbyConCTF

Researchers on the Synack platform are presented with opportunities to work on unique targets and challenges, the fastest payouts and highest level of support in the industry. Synack’s innovative technology optimizes the Synack Red Team’s (SRT) efficiency in vulnerability discovery.

Synack provides initiatives to help foster the researcher community and to recruit top talent. SRT Levels is a program that rewards SRT members for their increasing contributions to the Synack platform, and incorporates hacking competitions and specialized challenges.

If you’re up for the challenge, apply today, and use code “SRTBLOGS” in your application.