Tuesday, October 30, 2018

Kaizen Singapore CTF - My first CTF experience

Today (27 of Oct, 2018), I attended a CTF organized by Div0, Booz Allen Hamilton, and ICE71, based on the Kaizen CTF platform of Booz Allen Hamilton. According to Booz Allen Hamilton, they had done similar events throughout the world using this platform. I got to know about this event through Div0's meetup page (https://www.meetup.com/div-zero/events/255394149/). Although I had heard about CTFs and had been interested in participating in CTFs for quite some time, this was the first CTF I felt comfortable enough to attend. The main reasons were that it was a single-player CTF and the organizers had specially mentioned that this was a beginner-friendly CTF which can be an icebreaker for CTFs. As I did not know any other colleagues who were interested and had the security skills to form a CTF team, I was not able to attend CTFs which expect teams.

As I learned, there are two types of CTFs. One type is attacker-defender type CTFs, and the other type is jeopardy-style CTFs. The CTF organized by Kaizen was a jeopardy-style CTF.
The event started by hosting a lunch and networking session at around 1pm, and then after a quick introduction about rules and the platform, the CTF was started at around 3pm.
The time duration for the CTF was from 3pm to around 7pm. At 3pm, the Kaizen platform allowed us to access the CTF challenges. The CTF challenges were categorized under 'coding', 'reverse engineering', 'crypto', 'web', 'networking', and 'forensics'.

As we were instructed not to share the details of the CTF challenges, I will try to give information about the experience without leaking information about the challenges.
I started with the first challenge in the 'coding' category. Although I understood what the expected algorithm was, due to lack of experience in developing the expected kind of scripts, I did not continue to work on creating a script for it. I stopped it there and then started challenges in the 'Web' category. Out of around 6-7 challenges in the 'Web' category, I completed 3. I also almost completed 2 more 'Web' challenges, but I was not able to get past the last step in those two. Then I moved on to complete a challenge from each of the 'Forensics' and 'Networking' categories, and 2 challenges from the 'Crypto' category.

So I completed 7 challenges and almost completed around 3 more challenges. Although my score was not that high, I think it is a good score for a first-time CTF. As I was afraid I would be stuck in rabbit holes, I moved away to other challenges when I felt I was stuck at one challenge for a few minutes. I am not yet sure whether that is a good approach for CTFs, or whether I should try to complete high-value single tasks taking more time. My strategy was to try to complete the basic challenges of each category if I felt I had the basic knowledge, then move on to other advanced challenges in categories familiar to me, and to move to the next one if I was stuck for more than a few minutes.

There were very valuable prizes prepared for the top 5 players on the leaderboard, including a training voucher worth 2000 SGD for a security training such as OSCP/OSCE for the first-place winner. The organizers had organized this event excellently and the only complaint I have is that the room was too cold at the end. It would have been great if there was hot coffee or tea there. Overall it was a worthwhile learning experience and I would like to thank Div0, Booz Allen Hamilton, and ICE71 for their effort in organizing this event.

