Honestly, this was the workshop I had been looking forward to all week! Sarah Harvey and Jessie Pierce offered a CTF101 of the first ever Grace Hopper CTF (Capture the Flag). And while some of the exploits demonstrated were not meant for beginners, the challenges were on the easier side of their category and the women from Square, Inc. offered step-by-step directions on challenges ranging from Cryptography to Web Exploitation and more.
More importantly, this was a great way for them to get the information out there about this brand new Grace Hopper Conference experience. As the website servers crashed from the onslaught of attendees who attempted to register all at once, the women did their best to mitigate the lack of availability of their web page: squarectf.com. Additionally, they attempted to close the CTF to conference attendees by creating Grace Hopper challenges that could not be solved unless you were at the conference or (sometimes) this workshop.
As stated in all of my #GHC17 blog posts, my friend, Lizzie Molloy, was with me for this session as well. She captured some amazing notes on their approach to CTFs. I’ve included them below:
Approaching a Challenge:
What type of challenge is it?
Does the category or the challenge text give any hints? Prompts can give you a hint.
Crypto Challenge: The General’s Cat
This has a ciphertext that needs to be decrypted. To tell what kind of cipher is used you need to see if: Are letters distributed unevenly? Or evenly? Are there repeated letters? Etc. Familiar ciphers to remember: Caesar cipher and Vigenère cipher.
Network Challenge: The Robot’s Grandmother
Working with files: What is the file extension (if any)? What strings are in the file? (Run “strings”) Is the file extension misleading? (Run “file”) Is there documentation on the file or the kinds of applications I need to view it? There are some tools that can help with these kinds of challenges: like Wireshark.
Working with a UI: How can you interact with the UI? What does the UI do with your input? Is there input that causes it to misbehave in predictable ways? Is there a way to interact with the program without the UI?
Binary Challenge: Bytes
Debugger: can attach it to a program and see what is going on.
Working with a binary: Can you attach a debugger? Is plaintext code provided? What does it do? What system calls are triggered? Where is the running code stored in memory? Can you affect what code will be executed?
While this is just a sample of some of the challenge types that might appear in various CTF competitions, the overarching problem-solving aspect is absolutely vital to all CTF competitions. I talk about this more in my blog about The Importance of the National Cyber League Scouting Reports.
All in all, it was a really cool look at the behind the scenes of a CTF. For people who have never participated in this type of competition, it showed them to the importance of continually asking yourself questions, breaking things down into small parts, and never giving up! (You never know how close you are to the flag!)
For more info, check out squarectf.com or email firstname.lastname@example.org. The CTF they designed runs through October 13th, 2017, at 5pm EST. Even though you cannot win prizes if you were not at Grace Hopper 17, you can still participate for the experience and the confidence to maybe try another CTF in the future.