Last weekend I competed in the CSAW Capture The Flag, hosted by NYU Poly. It was my first ever CTF, and an overall great experience.
This CTF consisted of challenges in seven categories: Trivia, Recon, Web, Reversing, Exploitation, Forensics, and Networking. Each of those categories involved examining “something” to find a hidden key, which was a small phrase that was easily identifiable as important.
Trivia was a series of simple questions that could easily be found using Google.
Recon involved investigating some of the contest coordinators, often by using old tools like finger.
Web had us attacking websites, using things like SQL injection to access restricted information and features.
Reversing has us try to find secrets in already compiled programs, sometimes needing to change the control flow to see what happens.
Exploitation involved disassembling binaries that were running on a remote machine to find their vulnerabilities, then crafting input that could trigger those vulnerabilities so we could access the other machine.
Forensics made us look through the metadata of several image files to find secrets.
Networking had us looking through packet captures, from the internet or from some other “connected” device, trying to find a pattern and thereby what was hidden.
For my part in the contest, I focused mainly on the exploitation challenges. It’s both thought-provoking and incredibly challenging to try and understand how a program works just from reading the assembly of it, and then to try to find out a small bug that will let you take control. Although I don’t think I contributed too much to the team this time around (I was stuck on finding a string format vulnerability, which I still need experience in), I know what areas I should work on to be more effective for the next contest.
Finally, we placed 115/600 teams, or 26/174 undergraduate and graduate teams in the United States and Canada. Not a bad start, especially since we only got up to three people working, when the team size was unbounded.