
How I Hosted a Local Community Based CTF

3/26/2019

Group Shot From the CTF

Problem in the Spo

Over the previous summer I wondered 'how do I break into Infosec?' So many people struggle to find their way into the industry. When I thought about my path into the Infosec field, it felt like an insane amount of reading on r/netsec, watching LiveOverflow videos and reading book after book. But is there an easier way? After some more contemplation I realized that at my small school in Spokane, Washington, people did not even know security was a viable career path. In fact, most people had no idea what the industry itself even entails! To make it even worse, the security groups in Spokane were mostly just a talk or two from groups such as the Security Coalition of Spokane or DEFCON 509. Even though these discussions and talks were really helpful, there were zero hands-on hacking events in the Spo.

So, now we have a small group of people interested in security in the Spo with no hands-on events, no awareness at the schools in the area and no one to guide people down the right path... This is not the best situation! This is a story of how I decided to take action to give people the ability to learn about the security industry and what it actually entails in a local community.

Beginning

With the problem at hand, it was time to take on the world! I thought seminars at the school, talks from professionals and some more course work might be viable options... I also organize a club called GUMAD (Gonzaga University Makers and Developers) which deals with getting professionals into the classroom to speak. However, students tend to be meek about things they are unfamiliar with. Also, the school is understaffed in the computer security area. So, my next question was how do we enlighten students about the fact that security is an important and viable field without scaring them away? With this in mind, the idea of running a capture the flag competition was born! :)

At this point, it is valuable to understand my position of power (which is very little). I am a senior computer science student from Gonzaga University (Spokane, WA for those of you who don't follow college basketball) who has jumped into the very large lake of security in the last two years. In my free time, I break stuff, play dodgeball or participate in CTFs. This upcoming summer (2019) I will be interning at Security Innovation (SI), which is a security consulting firm that has most of its consultants in Seattle. Although I am not a veteran security professional at the moment, I am certainly on my way.

Now, back to the story... we have an idea about a capture the flag contest but how do we get people interested in this? The security buffs will be all over it. But, let's try to reach out to the people not in the field yet, instead of making the fat cows even fatter. This is where all of the magic happens:)

Excitement

At this stage, a few people and I knew this was a brilliant idea; but the success of the event is equivalent to zero if no one comes to it. Time to get people hyped for it!

Low Risk

People are afraid to take risks, inherently. Because of this, let's make this a very, very low risk event for everyone! Instead of having people pay to get into the event, let's make it free. That's right, no entry fee! Beyond just having no entry fee, people like to have food given to them during events. So, let's try to find some funding for food for everyone. The final piece of openness and inclusivity lies in how this was advertised; a learning event. Instead of trying to attract the winners of the next DEFCON CTF let's encourage people to come learn, even with no hacking or CTF experience. This openness creates a sense of acceptance that yes, I am smart enough to attend this event. I believe this was the key to the popularity of the event.

Coaches

Okay, this could have been in the 'low risk' area but I felt this was so important that it deserved a class of its own. Most of the time competitions are about who's the best at that current moment. But, I wanted to make this about learning as opposed to the competitiveness. So, I started reaching out to industry professionals from all across the city to attend the competition to help the students with the challenges. My oh my, this turned out beautifully ❤️

Several of the Coaches

For one, students who are stuck like to know what to do next. By having coaches, this push-pull style of learning went extremely well. The coaches did an amazing job at helping the students move deeper into challenges (therefore, to learn more). The coolest part of having the industry 'coaches' was that they were soooo easy to talk to! The coaches would constantly talk about their own personal jobs. With the car hacker Corey Thuen and incident response consultant Gerard Johansen on staff the world just opened up to these students. Having all of the security professionals in a single place opened up the minds of what the students could do.

The unexpected twist: Once a single coach/company came on board, they all started to flood in! After Intrinium committed to help sponsor (with Sahan Fernando), people and companies started to dive into it. After Intrinium joined, on came Risk Lens and the Spokane Security Coalition (CSC). From Paul Carugati at the CSC I met even more people to help out (including Gerard). And more people...! People I only heard about from folk tales were now reaching out to help me, a simple college student, with this CTF. By the end of the contest, we had over 15 coaches/industry professionals assist or help in some way, including a few (such as Rebecca Long from Future Ada) who came without even notifying me!

Sending Out My Reel

For me, this was the worst part to do, but the most important: the actual advertising of it. Initially, when doing my recruiting, no teams signed up. As one would do, I was starting to stress out about no one coming. Is this event good enough? Do people actually care about this? All of these negative thoughts started rushing through my mind. But, I was determined! From the darkness I started to contact any group of people that I felt would have interest in the CTF. This ranged from high schools and colleges to groups such as the DEFCON 509 group. Not just a single email though, I nagged people for weeks until I got a response (positive or negative), ensuring that the information was going out to the right people. After all of the emails, I convinced Intrinium to write a blog post about the upcoming event. From there, Gonzaga started posting this wherever they could and I would meet with people who had questions about the CTF. All of this nagging and advertisement worked out when the registration filled up with 15 teams of 3-5 people with participants from 6 different colleges and 3 different high schools. I was forced to shut down the registration site when 5 teams signed up all in the same day. At this point, we had to start turning people away because the event became so popular. The moral of this is get into people's faces about coming to the contest; eventually, they'll make a decision about it.

Coach Vasiliy Bunkov helping out the students.

Leading Up

Challenges

With a capture the flag contest, there obviously must be challenges. But, what should they be? How do we set all of this up? I will be doing a blog post in the future about how the challenges were framed, the architecture of the CTF and all of the technical details; there is just too much to cover in a single post. The key, from a conceptual standpoint, was to have a very diverse set of challenges. Even though I wrote most of the challenges personally (three attack defense and fifteen+ wargame) I felt the diversity was great in terms of content. But, it was still biased toward my personal expertise of software... So, Gerard wrote several memory forensic challenges, RJ Garcia wrote several log analysis challenges and Juan Ford created a couple steganography challenges (both Juan and RJ were students at Spokane Falls CC). I felt that the diversity was amazing because students were required to think about so many different/new concepts! The challenges can be found on my GitHub here with solutions.

The Week Before

At this point, I am slightly freaked out; I have 12+ coaches assisting with the contest and 60+ students from the Spokane area wanting to come participate (not even including the faculty members from the schools wanting to come witness the CTF). The media of Spokane was eating all of this up. Wow, this idea I had 7 months ago is actually becoming a reality. I have to find a way to pull this off in an incredible fashion now. I never thought it was ever going to get this large; here we are though!

After furiously testing the wargame challenges for clarity and security, ensuring the attack/defense (yes, we had both wargame and attack/defense challenges. This was an insane amount of work to get set up) servers for each team were perfectly set up and ensuring every subtle detail was perfect, we were ready to roll.

Game Day

After waking up at 5:30am to walk to the University in the snow, I was ready to take on all of the fires that came up. The competition check-in would start at 9am, with the competition starting at 10:30am. Everything at this point was going great! The scoreboard, attack/defense boxes, attendance... the pre-event setup was going wonderfully. I gave my initial words of rules, how-tos and advice to the participants and everything was on its way. We sent people to their rooms for the contest.

Myself and Corey helping out the Whitworth team.

First Hour Hell Storm

Within the first five minutes of the contest the scoreboard broke and the new WiFi credentials did not work for the students... Well, this is wonderful. So, I am freaking out because nothing is working... Now what?

Corey Thuen (a very frequent DEFCON CTF participant) recommended throwing up a scoreboard that was READONLY for the students to use. Once that was up, the coaches responded perfectly by just hand recording all of the flags. This mistake could not have been handled any better by the coaches. Within the next hour I discovered the issue: I had made a change to the existing scoreboard CTForge without actually validating all of the possible use cases of it. Whoops! I had just learned the lesson of the bigger the scope the worse the quality the hard way. Within the hour, the scoreboard was up-and-running for both leagues. Crisis averted! S/O to Corey for calming me down to fix the scoreboard. I believe the quote that calmed me down was "No CTF scoreboard works for the entire contest".

With the WiFi, Tyler Teidt (a Gonzaga student participating in the CTF) who happened to work at ITS was able to calm me down. It turned out that the auto-generated passwords were just much too complicated to type in. LOL

Lunch + Speakers

The first section of hacking (with only wargame challenges) went wonderfully! The students were having a great time with the challenges, the coaches were doing an amazing job at helping the students and lunch (from Jimmy Johns) was on its way! Once lunch arrived it was difficult to get the students to leave the hacking area. But, we had some amazing speakers at the gun.

Dan Wordell, the CISO (Chief Information Security Officer) of the city of Spokane gave an emphatic and insightful talk about the real world of cybersecurity. Earlier that month, the city of Spokane had suffered a major data breach. So, he told the story of how the hackers got in through the HVAC company (just like the Target hack) and all of the security practices done wrong. Yes, the content was amazing but it was told in the form of a fun story with memes all over the place. The participants ATE THIS UP! At one point, he even mentioned the credentials for the HVAC server being admin... Then pointing at a fellow coach wanting an answer, who spat out "admin", without even hesitating! The crowd was going wild! Dan was putting on a show, while going into the CIS top 6. Even though the stories were fun to hear the students also took away so much about the security industry.

Following up a performance like that was going to be difficult. However, Gerard built upon the foundation that Dan had started. While Dan went into what went wrong and what should have been done, Gerard went into what now? The day before the CTF, Gerard had been on his third emergency call of the month trying to recover a ransomwared out company in Albuquerque. He got back on the day of the contest at 2am! So, he went into what fixing the systems looks like, finding out what happens and how to prevent it... Again, another amazing talk.

High Schoolers from North Central HS Dialed In

The food was good; the speakers were great and everything was going very well. The next stage of the contest was upon us!

Second Half

At this point, all of the attack/defense challenges got added to the game. I was amazed by how fast all of the attack/defense challenges got broken... By the end of the hour two teams (one in each league) had successfully found an exploit to all three of the services! Besides these two teams, every team found at least one exploit on the attack/defense challenges. This allowed the students to have a really fun time breaking and pwning other people! I mean, who doesn't like to be top dog!? My personal favorite was the development of an exploit for an arbitrary file upload bug in a PHP site. The SCC (Spokane Community College) team figured out that teams were patching their PHP service by adding a filter to only accept jpeg files. However, the check for this just validates the header of the file, not the actual content. So, the team started uploading files with a jpeg header but a PHP file body! I thought the development of a challenge feeling like a chess match was really cool. Also, it reminded me of the terribly fake hacker scenes from movies where the people go back and forth protecting/hacking each other, such as this.
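The header-only filter described above, modelled in Python as an added example (it is not the contest's PHP code and not from the challenge repository). `patched_store`, `hardened_store`, `would_be_interpreted`, the suffix list and the sample bytes are assumptions made for illustration; the point is that the signature check stays the same while the server, not the client, chooses the stored name, extension and file mode.

```python
import os
import secrets
import tempfile

JPEG_MAGIC = b"\xff\xd8\xff"
# Assumption: the web server hands files with these suffixes to the PHP interpreter.
SCRIPT_SUFFIXES = (".php", ".phtml", ".phar")

# Constructed sample: a JPEG signature followed by a harmless placeholder body.
SAMPLE = JPEG_MAGIC + b"\xe0<?php /* constructed placeholder */ ?>"


def patched_store(upload_dir, client_name, data):
    """Model of the in-contest patch: signature check, client-chosen file name."""
    if not data.startswith(JPEG_MAGIC):
        raise ValueError("not a JPEG")
    path = os.path.join(upload_dir, client_name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def hardened_store(upload_dir, client_name, data, max_len=2_000_000):
    """Same signature check, but the server picks the name, extension and mode."""
    if len(data) > max_len:
        raise ValueError("upload too large")
    if not data.startswith(JPEG_MAGIC):
        raise ValueError("not a JPEG")
    # client_name is deliberately ignored: no client-chosen suffix or ../ segments.
    path = os.path.join(upload_dir, secrets.token_hex(16) + ".jpg")
    # O_EXCL refuses to overwrite an existing file; 0o640 sets no execute bits.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def would_be_interpreted(path):
    """True if a server mapping script suffixes to an interpreter would run it."""
    return path.lower().endswith(SCRIPT_SUFFIXES)


def demo():
    """Store the same bytes both ways and report which copy would be executed."""
    with tempfile.TemporaryDirectory() as d:
        weak = patched_store(d, "shot.php", SAMPLE)
        strong = hardened_store(d, "shot.php", SAMPLE)
        return would_be_interpreted(weak), would_be_interpreted(strong)


if __name__ == "__main__":
    print(demo())
```

Both functions accept the sample, because a file's leading bytes say nothing about the rest of it; only the hardened version stores it somewhere the interpreter will not pick it up.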

Mistakes

Of course, with 29 unique challenges something was bound to not be set up correctly... I will discuss a few of the more interesting/funny ones.

I ended up fixing the same permissions issue on a C based challenge 3 times. How did this challenge keep getting messed up!? I then realized a HS team was compiling over the binary, making the permissions of the executable unable to read the flag file. I realized we had not disabled gcc or made the file unalterable. We resolved this by changing the permissions on gcc and making the file unalterable.

One of the hardest parts of creating the CTF was validating all of the flags were perfect. However, we came across multiple instances where people seemed to be getting correct answers but the flag was wrong? This ranged from having an extra space at the end of a flag's answer to calculating the answer of a math problem incorrectly. Most of these got fixed part way through the contest, but it was definitely a major hindrance.

Ending

The Championship Team for the Swallow Division

At the end of the competition Gerard did a demonstration on a stoplight that he had been messing with (which was wicked cool) from CybatiWorks. From there, we thanked everyone for coming, gave them some additional resources to play with and asked if anyone would like to continue the CTF for next year.

Through the event it was awesome to see so many industry professionals that I only knew by name attend! Extending my network with local security experts and hackers in the area has been quite useful and beneficial for me. Besides me, it gave the other students the opportunity to chat with industry professionals.

After the competition we compiled some interesting statistics for the contest. For the wargame section, each team solved at least 8 challenges, while the highest amount solved was 23 (out of 25). Doing well in a contest brings people joy; so, we were really happy to see everyone succeeding on the challenges. Secondly, each challenge was solved at least once (one of the challenges was solved by a total of one team, which happened to be in the lowest league). I was very pleased that we did not create an impossible challenge for the students to try to solve.

Moving Forward

At the current time of the writing I am a senior at Gonzaga University, who is moving to Seattle for a job. However, the coaches/professionals that were at the contest want to make this an annual event. Because of how big of a success the event was, I would love to see this event continue on for the upcoming years! Hence, the first blog post (this one) was about the gaining of interest and how to get people excited. I will eventually follow this up with a technical blog post about how to run the CTF to help keep the contest alive. If you are interested in continuing the Spokane CTF or need help setting up a similar type of event then I would love to talk about it! Just shoot an email (that is in a link in the footer) if you'd like to chat more.

Improvements

Before the next blog post I would still like to address the feedback that I got about the CTF. Even though the first Spokane CTF went quite well, there are always things to improve on...

  • Try to delegate more! Even though people will let you down there is only so much a single person can do.
  • Have ice breaking events for the students and coaches to get to know each other! I am personally quite extroverted, making it easier for me to communicate with others. However, most CS people are not that way. This would allow the people from other schools to get to know each other, as well as the students to be more comfortable talking to the industry professionals and coaches.
  • Listen and allow people to use their skillsets for the contest! If someone is passionate about something then let them be passionate about the topic! If you let people do things they like to do, you will get many more people involved.
  • Bring power strips! This was far and away the biggest oversight we had for the contest.
  • Issues are going to happen, no matter how much you prepare. Stay calm, understand the issue then finally come up with a solution.
  • Carol Joplin (who was the main event coordinator for the event) brought up to me the lack of women at the event. In order to encourage all genders to participate in future events it would be good to include several females in the planning process of the event.
  • Finally, the best advice I got about the CTF was to "keep it your own". This allowed me to be very creative and run it my way.

All in all, the 7 months of effort put into this capture the flag contest was worth it! Even with school, senior design, a girlfriend and job applications the time was well spent. Even though the networking and event running was a wonderful experience (and will help me in the long run) I also grew technically! By setting up the scoreboard I had to learn how to use some quite complicated bash scripts, as well as read code that was not mine in a new Web Framework (Flask). I had to learn how to deploy websites to production, automate tasks on AWS, learn how to be proficient in Vim... The contest benefited the students and professionals, sure. But, the people who learn the most are the ones who organize and run the contest. Hope you enjoyed! Cheers from Maxwell Dulin (ꓘ).