Home » Featured, Headline

On the other side of CTF

17 November 2013 No Comment

Hello!

So Cairo Security camp’s capture the flag (CSCamp CTF) qualification phase just ended.

This year is my second year behind the CTF (not competing).
Last year the CTF was hosted by Synapse lab’s group and i just wrote a couple of levels but had no idea how hard was it to be in the backbone of it.
Now i appreciate more what Ehab Hussein and Saad Talaat did.

CTF competitions (Specially online CTFs) are NOT as easy as putting together some challenges and throwing them some people.

What i found out is that you have to do certain things and sometimes there is conflicting feelings.

About challenges: The whole idea behind CTF is to have levels/problems that competitors can solve and get the flags. So it’s the most important factor.
You want to have a variety of challenges in different specialties/fields and have a variety of difficulty levels.
You don’t want to have unsolvable challenges this will make competitors frustrated and will turn them off specially if they are new to this world, and also you don’t want everyone to solve every single level that defies the whole point — the point is to make it so the best overall team wins, and it only makes sense that the team that has the most members experienced in the most fields will solve them first and finish almost everything.

CTF should have beginner, intermediate and hard challenges.

Challenges also must be realistic and not “canned” or have a weird scenario/solution. it should address a realistic issue in a proper manner.

You should be helpful and open You try to help competitors have a good time and with a fun experience, so you wanna answer their questions, help clarify things and listen to their feedback in case you think there is an error. In the same time you can’t give information to one team and not tell the other teams, we were asked a lot of questions via private messages and if we thought most teams are having problems with it we just gave a little hint each time so had to improvise and we came up with the idea of “hints” page, and we added every hint there and also announced them in IRC. But you shouldn’t instantly give hints because you might be making it too easy, the concept of hints is to give them just a direction not give away how to win.
So you should be friendly and helpful but not spoiling.

CTF crew This is the corner stone, if you had a weak crew it will be a weak event and if they are good it will be good.
The crew should be consisted of people of different specialties and with different backgrounds — But the common factor between them is they must have a decent programming/scripting background, i am not saying they should all be super kick ass software engineers but they should have enough programming knowledge to turn the idea of challenge into reality in a program.
Also along with the challenge writers you need a sysadmin to configure everything and get everything rolling.
And more importantly the crew has to have a leader which is preferred to be a generalist who knows about everything and who will supervise the team of challenge authors, verify that their challenges are valid and solvable and generally acceptable, and work with them to rank the challenges to set the challenge points.
We had Adham Mohamed he was a beast, he was the only one in our team who had no sleep for 4 days, and the crew as well as competitors kept him busy with chatter and question but he made time and rose up to the challenge and took responsibility and helped to make everything better.

Realistic rules Rules have to be realistic and have a good point, and if you can’t enforce it then don’t make that rule.
I made up a role that if a team entered a flag twice they will have -10 points penalty, but in some challenges (like reverse engineering challenges) the keys are sometimes mixed with other characters or have spaces in it and stuff. lots of teams got penalty because of that and it was inconvenient, Adham suggested that we remove because it was counter-intuitive and i removed it.

Another rule i suggested is to punish those who use automated tools, and to my surprise a lot of teams used automated tools and it would be crazy to punish everyone, so if a team wants to waste their time let them do that.

Security: You are going against teams of good hackers, do you think they won’t attack everything? Except everything to be in the attack surface — Including social engineering.

Practice makes perfect: There is nothing valuable more than testing, CTF crew should test each other’s levels and the crew leader has to verify those, and the platform has to be tested, everything has to be tested repeatedly, and prepare to fail, fix and learn on the fly.
Don’t except to get it running and think you can just sit back and relax, the trouble only begins when CTF begins. be prepared to cope and be ready early.
Don’t write levels on the same day as the CTF!
Be ready early, test, test, test, and prepare to adapt.

It was a great chance, and it’s as fun as playing if not more!

Thanks Moataz for giving me the chance to be on the crew.
Thanks to Adham for being such a great leader and friend.
Thanks to Ibrahim, Nejm, Ahmed, Aabed, Khaled for writing great challenges.

Special thanks to MarvelServ for providing the servers!
And thanks to CTFtime for sending great teams to compete!

Your opinion matters!

Add your comment below, or trackback from your own site. You can also subscribe to these comments via RSS.