Participants' stories about the recent hack quest

"Ethical hacker", a member of the hack quest



Here is the report from the conference on information security, which came Mitnick. In parallel, there was an offline game - CTF in the corporate network simulator , Symantec Cyber ​​Readiness Challenge. The online stage took place in the summer, and this was the final, its winner goes to the international tournament in Nice to defend the honor of our country.



The speed of flagging by our participants surprised and pleased Symantec technical experts from England.

')

Below are the stories of the participants.

We communicated by mail, so the information is slightly repacked, slightly corrected and collected from the dialogue together.



Phantom confidently proved that the domestic information security specialist or “ethical hacker” is always ready. The fact is that he, like the third place winner, did not play in the online tournament. And there the tasks were in some places similar to offline. That is, without training, Phantom entered the new tournament format and immediately took the top place.

phantom (II place)

Far advanced?

- Honestly, I do not remember. It seems to have stopped at the third level, taking more than 20 flags.



There were some problems with the gaming infrastructure, because of the actions of other players could not capture some flags. In general, everything was simple, unless, of course, you know how to go through them. There were no difficult assignments, but there were such ones, before solving which it was necessary to guess.



For those flags, to which I reached, my skills were enough, but, if I am not mistaken, then there were tasks that required, for example, knowledge of encryption algorithms from “fiction”.



In general, we need all the knowledge that is needed penetration tester. Those. protocols, networks, OS, cryptography, sharpness.



What is the difference from other tournaments?

- The format of tasks - in other tournaments either there is a more clearly constructed technical side of the “storyline”, or it does not exist at all. In this case there was something in between.

I liked the dynamism of the game.



What about other players nearby - distracting their presence?

- Rather motivates. Everyone is so concentrated that others do not notice at all.



What about the organization?

- Everything was on top. From small errors (it is possible not to write on Habré) - small and inconvenient tables.



Where do you work?

- I work in information security, I test the security of systems of other companies.

The gap between the second, third, fourth and fifth place was insignificant - literally in one simple flag, one hint or a few minutes of the game. The last half hour we did not show the standings on the screen - for the places at the top at that time there was a very violent struggle.

Beched (III place)

How long have you been through?

- I got to level 3. Took 23 flags. This is all due to the fact that I didn’t get enough sleep, and my head ached%)



There were a lot of simple tasks from the field of "intelligence". The greatest difficulties were caused by not very logical tasks, where you had to guess something. I took the clue one flag at a time - to the one where I had to find the password from the file encrypted with RC4.



The experience of conducting penetration testing was useful, as well as, of course, participation in CTF competitions, which teach you how to solve many problems in a very tight time.



What would change?

- The format of the game is somewhat different from traditional CTF competitions, but this is not bad. The tasks are simpler, but there are a lot of them, so this creates a drive and movement on the tournament scoreboard, there is a tight struggle, which I liked. Change ... Well, ideally, of course, completely eliminate the questions on a guessing game. And there would be more prizes =).



The organization was also at a height that can not but rejoice.



Was it interesting to see other players?

- Yes, we have known and communicating with many people for a long time.



Where do you work?

- I work in the department of security analysis of the company Informzaschita. I study at the HSE Faculty of Mathematics.

AV1ct0r (IV place)

How is game?

- Took level 2 completely, the third part.

In principle, everything is simple, just not enough time;) I had to make some inquiries on the linux console.



What did you like most?

- DNS and FTP



Distracts or motivates the presence of rivals on the same site?

- Motivates



What about the organization?

- Very good. The atmosphere is working and unstressed, but there is not enough time to understand what people in black are doing. )



What is now a professional activity?

- A postgraduate student and an assistant at the MEPhI, most likely in the future I will work in information security.

Top 10 players (not all)

Heihabarov (V place)

How many happened to take the flags?

- How many flags I collected, I don’t remember. As for the levels, I managed to reach the 3rd. It managed to solve about 30% of the tasks, and as a result I was on the 5th position of the final table.



My laptop let me down: there were problems with the network card, I had to periodically reconnect the network. Also one of the virtual machines prepared by me did not start.



Some tasks are really too simple (by the way, this also applies to online games). For example, the priority value of the MX record or determine the version of the network service issued in the welcome message. The greatest difficulty was caused by a task with an FTP server on which it was necessary to execute the “SITE EXEC” command, as well as a task for cryptography with a cunning graphic cipher. For these tasks I had to take all the available hints.



Knowledge seemed to be enough, but due to the infrequent use of certain utilities, it was necessary to “google” examples of their use. And if in the online game there was more than enough time to search for information, then on an offline game that lasts only four and a half hours, every minute was expensive. Once again, I became convinced that the skills of using certain utilities should be brought to automaticity.



How much harder is the task than online?

- I played online twice. Once in the Russian tournament, and the second in the tournament held by Symantec at the Black Hat 2013 conference. The level of tasks is exactly the same, except that in the Blackhat tournament the tasks were more interesting (not stupid MySQL password brute force, but CVE-2012 authentication bypass bugs -2122, or tasks for Reverse engineering and Forensic).



What did you like in the game and what would you change?

- Liked everything ). What would change? Probably would have made the Internet available with the included VPN game.



What is the difference from other tournaments?

- I can’t answer this question, because before that I had experience of participation only in online hack quests.



What did you like most?

- Most liked the organized trip to the offline game for the top five online tournament. Thank you for this opportunity).



Distracts or motivates the presence of rivals on the same site?

- My presence of rivals only motivates. It is always interesting to see your rivals. A little distracting theatrical performances on the plot, which were played out on the court during the game.



I managed to communicate with someone, but not with someone. I would like to talk more about the organization of the CTF team with vOs, the winner of the game. I have already tried to put together a team in the university where I studied, but without success. I would like to know from the “experienced” CTF-er how their team has gathered, how they train, etc.



What about the organization?

- The organization was on top. Of the minuses - it was very cold in the hall where the event was held.



What are your ideas for the future?

- I connected myself with the information security 7 years ago, when I entered the university for the specialty “Integrated support of information security of automated systems”. And at the moment I work as head of the information protection department at the Krasnoyarsk Hydroelectric Power Station. At the same time I am engaged in scientific work in the graduate school of my native university.

@ v0s (winner)

About the tournament

- This time I managed to take 37 flags out of 40, and pass - 36: I decided to take one of the tasks at the last minute, and it did not take ten seconds to copy the answer into a handout form.



The offline stage was very similar to the previous one, which was conducted online, so there were no surprises during the game. And the organization this time is generally above all praise, and the ball support from Symantec, right on the site was very helpful, so there were no problems at all. But no, I was alone: ​​an hour before the end I wanted to sleep wildly.



The simplest thing is to come to the offline tour, thanks to the fucking organized trip. Respecting The most difficult thing is not to lie, observing how all the participants polls, buried in laptops, ignore the plot of the competition legend that is developing on the stage. Oh, and how Alex Lockwood and Giles Knox speak Russian :-)



It seems google how to query the Responsible Person Record Domain.



Tasks are 100% on the same level as in the online tour.



What would change?

- For an offline tour - would make the atmosphere in the hall less gloomy. Music is lively instead of forcing. I liked, by the way, operational support for the task of the Simantek people.



What is the difference from other tournaments?

- In addition to what I have already said in the online stage - in offline stages, Attack-Defense competitions are usually held: the participants attack each other, and do not solve speed tasks as they did here.



What did you like most?

- Kicked in Quake III a couple of rivals before the start of the competition.



Distracts or motivates the presence of rivals on the same site?

- Distracts :-) Especially in a personal competition: every man for himself, there is no team support nearby. But all in the same conditions, and there is someone to talk to.



What about the organization?

- Everything is cool, without jambs. Missing for 5 minutes, the Internet does not count. There was even an empty glass, in case you don’t want to drink ;-)



Was it interesting to see other players?

- Of course. Besides the fact that I already knew many by sight, there were also people with whom we are familiar in absentia. See you.



Where are you working now?

- I do not work. Offer ;-). Now I'm studying in the last year, of course I plan to work in the field of security.

Some more facts

• In the top ten, only three did not play in the online stage.
• Among the participants of the game were 30 guys and 2 girls.
• The first thing Mitnick asked when he went down to the game hall was where the winner was. It seems he wanted to try to woo Vlad.
• Among the participants of the game there were both students and practicing system administrators, programmers, information security specialists and even heads of information security departments.
• The first 9 participants (27%) took about half of the award points. This is far from the standard distribution - that is, all the participants walked in a fairly dense group.
• All five winners of the online tournament participated in the offline.
• Now Vlad Roskov will go to Nice to perform from Russia for the championship among finalists from Europe, the Middle East and Africa, which will be held on October 8.