BAE Capture the Flag
Back in February, I participated in my first live capture the flag (CTF) contest. It was presented by BAE with the Open University. Because of the remote nature of the OU, the CTF was online only with no campus for students to get together. Teams were also randomly allocated to make it more accessible for students spread across the country who might not necessarily be able to form a team easily in advance. A Discord server was setup for us all to communicate with each other with channels for individual teams.
By the time the CTF kicked off, we had four team members allocated on the website, three had made it to the Discord server and only two of us turned up for the CTF weekend. Neither of us were experienced and we didn’t think we stood much chance against larger teams with more experienced members, but neither of us were concerned with winning either. We both just wanted to give it a try and see what we could learn. All things considered, we didn’t do too badly and we both learned a few things; from the challenges themselves and from each other through collaboration.
I spent a fair amount of time getting to grips with telnetlib on Python. Once I’d mastered that, I stormed through a number of problem solving challenges. There was a ‘High or low’ number guessing game, a complicated maths game and a series of mazes (among other things) that had to be solved faster than humanly possible over telnet servers. This is where Python scripts helped. After the CTF was over, I learned about pwntools. I modified my scripts while I still had access to the challenges (they were still accessible for a few days after the CTF) and found it much easier.
My team mate focused on forensic style activities. They were stuck on a stegonography challenge. They were overthinking this one (we both were guilty of that on a couple of challenges); I had a look at the image itself. A bunch of criss-crossing black lines on a white background. I wont give the solution away (BAE reuses/rotates challenges when they take the CTF to other universities), but the message was in the actual image itself.
I was stuck on the Konami code challenge. Either there was an error with the browser or I mistyped several times in a row. I probably did mistype, it’s been a while since I used the code. After the CTF closed, I looked up the code and gave another go. I highly recommend you have your volume on for this one.
By the end of the CTF, we’d got through a decent amount of the challenges. The nature of the competition was motivating – even when not taking the contest itself seriously. I learned a lot and my team mate said the same. Once the contest had ended and I’d took a break, ideas started pouring in my head for how to solve some of the remaining challenges. Not trying to force yourself to work our solutions can be a good way of working out solutions. I think I probably got almost as many extra flags in the few hours after the CTF closed as my team mate and I got between us over the full weekend. Admittedly, part of that was down to how long it took me to troubleshoot how to correctly use telnetlib and ran out of time leaving a couple of related challenges until after deadline.
I’ll definitely be participating again next year, and will be looking for other CTFs to take part in. If you’re interested in trying a CTF yourself, my advice is to just go for it. You’ll almost certainly have fun and you’ll definitely gain experience worth having.