17 October 2018

Q&A with DerbyCon 8.0 CTF Organizers

Andre Gerard

Want to get the inside scoop on this longstanding CTF? Hear it straight from this year’s @DerbyConCTF organizers: how it has evolved, why so many teams return each year, and how it can help hone your skills, …

Scott has run all eight DerbyCon CTF events. Over the years he has been joined by Geoff and Rob, who have each helped run four of them, and by Dustin, who has generously contributed network equipment for several years. All of them work at TrustedSec, which provides hardware for the event and gives them time to develop challenges and run the CTF each year.

Q&A with Geoff

Q: What are your thoughts on how the competition has evolved?

A: The competition has evolved a lot over the past few years. One thing that has always been somewhat unique about our event is that we structure it to somewhat resemble a real penetration test. We have been working to add to the realism of that each year. That has led us to choosing themes. In the early years those themes were rather loose; at this year’s event we had hosts using shared authentication, even a separate ‘internal’ network belonging to our fictional target organization Equihax, which was the theme for this year’s event. Another change over time is that the event has grown a lot along with DerbyCon itself. In the first years it was possible to host it on a laptop running a few VMs and some consumer-grade access points. Now we have so many active participants that we run it on high-end dedicated server hardware and commercial network hardware (to the degree the hotels make that possible).

Another thing that has changed about the event is the people. DerbyCon itself is somewhat unique in that, while it’s a big event, a large number of attendees are folks that come every year. This is certainly true of many of our CTF participants. A lot of the teams are folks that have been working together for a long time. The experience they have gained constantly forces us to up our game to make them work for the really big scores.

Q: Benefits of CTFs for ethical hackers?

A: Speaking for myself mostly, in my view successful hacking or penetration testing is about persistence as much as smarts. If you check out @DerbyConCTF on Twitter, you’ll see we published a chart of scoring events by time of day. The winning teams are the guys who were up at one, two, three, four in the morning still plugging away. It’s about studying the problem long enough to find that one thing that is out of place, or to come up with that idea about how to leverage that one object out there in ways nobody expected.

Q: How did this year’s Equihax theme guide the way the challenges were written?

A: We tried to design challenges that involved systems you’d expect an organization to have on the Internet. Things like a chat server for their employees, a WordPress site, a site for public comments related to their line of business. This year we added an ‘internal’ network for them that could only be accessed after solving some of the forward-facing challenges and establishing a presence on a machine behind the firewall. There were actually two paths for doing that, and everyone appears to have gone down just one; although I know one team was 80+% of the way toward the second.

Q: Any other interesting facts you want to share about the DerbyCon CTF, e.g. what sets it apart from others?

A: Our CTF is entirely open, which is a little different from most similar CTFs. There is no need to pre-register and we don’t really control the size of teams. You can play by yourself, with 8 of your buddies, or with 10 new friends you just met; it is totally up to you. Interestingly, we see quite a mix among the top finishers. There are a few big teams that consistently finish in the money, but smaller teams of three do frequently, and even the occasional individual manages it as well. You can start anytime, so if you are not there Friday, you can still show up and play Saturday or even Sunday morning.

Q: It seemed very popular, any idea how many teams competed or how many people played? From how many countries?

A: We had 173 teams register this year. There were over 800 unique hosts on the network. Because the event is so open, it’s hard to say exactly how many people played. Many players will have more than one system on the network (their laptop and a virtual machine, for instance), and the size of teams varies widely. If I had to guess based on those statistics and looking around at the rooms (we had three this year), I would say around 300 people spent a significant part of their DerbyCon playing CTF.

Q: How many challenges were completed by the winner?

A: When we talk about challenges we are usually speaking of the target host and/or the “full hack” to gain considerable access to it. Once you do that there is usually still work to be done. This mostly includes obtaining higher privileges on the system and locating the places where we have hidden the flags; submitting the flags is what earns you points. There were eleven major hosts in the event this year, and the winning teams made some progress on all of them. One thing we do in our event is, as we get into Saturday afternoon and Sunday morning especially, we start giving a few hints on Twitter for challenges that nobody is scoring on. We like Twitter because it ensures everyone gets the same access to the information at the same time, so it keeps the event fair. We try to avoid giving any hints on things where someone has obtained points, because if they were able to figure out something nobody else could, they deserve the reward for that! The result, though, is that usually the leading teams that win touch every challenge.

Q: What types do you include in the challenges?

A: We try to include a little something for everyone. We have Linux (multiple platforms) and Windows hosts mostly. There is usually a mixture of services, web applications, and reversing challenges to work on.

Researchers on the Synack platform are presented with opportunities to work on unique targets and challenges, the fastest payouts and highest level of support in the industry. Synack’s innovative technology optimizes the Synack Red Team’s (SRT) efficiency in vulnerability discovery.

Synack provides initiatives to help foster the researcher community and to recruit top talent. SRT Levels is a program that rewards SRT members for their increasing contributions to the Synack platform, and incorporates hacking competitions and specialized challenges.

If you’re up for the challenge, apply today, and use code “SRTBLOGS” in your application.