This month we’re taking our ‘Big Bugs’ podcast out of hibernation for a special podcast on one of our favorite topics–Capture the Flag Competitions!
In this podcast, I’m joined by a major contributor to the CTF scene, Kevin Chung who wrote the open source CTF framework, CTFd. At Bugcrowd we’re big fans of CTFd; last year we ran our own first internal Bugcrowd CTF with the help of CTFd, and it was a great experience. Later on, in the year, we utilized CTFd for the Car hacking Village CTF.
In this podcast we talk about the CTF scene in general, explore what the motivations are for people to participate in CTFs, discuss interesting ways apply CTF, and more.
For those that aren’t super familiar with CTFs, I wrote up a quick primer to go along with the podcast...
First, how do they work?
Capture the Flag (CTF) competitions are puzzle-based information security challenges that have become a bit of a microculture in the past decade. There are three common types of CTFs: Jeopardy, Attack-Defence and mixed. (Thanks CTFtime for the documentation)
Jeopardy-style CTFs have a couple of questions (tasks) in a range of categories. For example,
Attack-defense CTF is another type of competition. In this type every team has, it’s own network (or only one host) with vulnerable services they must run. The team has to split up to both patch the services (while keeping them up and functional) and develop exploits against other teams services. Behind each service is your team's secret flag, if people capture it and submit to the organizers, they score points! Historically this was the 1st type of CTF, and is the format they play at the DEF CON CTF Finals - the World Cup of all hacking competitions.
Mixed competitions may vary in formats. It may be something like wargame with special time for task-based elements (like UCSB iCTF).
CTF games often touch on many other aspects of information security: cryptography, steno, binary analysis, reverse engineering, mobile security and others. Good teams generally have strong skills and experience in all these domains.
Example: A Very Simple Challenge!
When presented the image you can use google reverse image search on it:
Antonín Dvořák is a famous Czech composer but… doesDvořák ring any bells in the computing world? Yes, it does!
If we take the text at the bottom of the image “unai]ekrpatodmrpat” into a Dvořák to QWERTY converter we get:
Voila, 75 points! flag=dvorakshmorak
The CTF Scene
You may have heard of the DEFCON CTF and wondered how they got started, what the scene is about, and why people love them. In doing this podcast, Kevin and I discuss numerous CTF competitions and their roots and history.
Some of the more popular CTFs can be seen below. If you win any of these competitions they qualify you to play at the DEF CON CTF finals:
Over the past few years, ctftime.org has become the default tracker for these types of competitions, allowing more exposure, more participants, and a single source of truth for write ups and challenge archiving:
CTFd - CTF in a can
CTFd has helped organizations (like Bugcrowd), universities, and workshops run CTFs of all sizes and scopes run CTFs. This is an amazing project that helps make managing scoreboards, hosting challenge questions and running CTFs more accessible and secure. We discuss the future the CTFd, as well as its' edge case, uses in the podcast.
Why do we love CTFs?
As we talk about in this podcast, CTFs are a great way to teach/learn hacking skills, use as training programs for developers, and just bring people together to solve puzzles. Personally, I love hosting CTFs because I love building challenges and see my friends learn. From both sides of the equation, game design, and participant, there’s just nothing quite like a CTF!
I encourage everyone to get involved in a CTF team; for tips on how to get involved, find teams or just learn more about CTFs, listen to the podcast!
You can read our blog write-up to read more about Bugcrowd’s recent CTF experience.