Frenzied keystrokes, intense brainstorming, shrieks of eureka and sighs of dismay - were all at display on a chilly night of February 24, 2020. With participants huddled as a tean in their hostel rooms, everyone raced against time to capture 12 flags hidden in 12 problem statements provided by de.ci.phe.red LAB as part of the first ever Capture The Flag (CTF) Contest to be hosted at IIT Bhilai.
For starters, Capture The Flag competitions, widely known as simply CTFs are competitions which require participants to compute a secret flag (usually a
string or an
integer value) which is obfuscated and embedded inside one or more of the following:
HTTP requests etc.
The problem statement includes the above resources containing the secret flag, followed by a paragraph providing context for the flag and some pointers on how to query the above resources as a black box.
In case of a
binary file, canditates might first run the file and notice some outputs. The
binary file might ask for a password. Since the password is secret, the candidates might choose to view the
disassembled code of the binary in order to check for any
hardcoded strings. Maybe they find a human readable string that makes sense, and submit it as a flag. But to their dismay, they might be greeted with a wrong answer on the
CTF Submission Portal. And hence, the cycle repeats of scraping shovels against a wall untill they find a weak spot (an input which crashes the
executable) and are able to find another potential flag.
As one might notice, the domain underlying a CTF problem is very open-ended and that virtually any piece of software can be programmed as a CTF challenge. Hence, a top CTF problem solver would mostly need to know how to
reverse engineer a piece of tech. For the same he would need exposure to myriad tools like debuggers, disassemblers, network-packet analyzers, web-page inspection etc. Furthermore, CTFs are the starting points to Bug Bounties (or White Hat Hacking) in which participants are invited to find
(fatal) bugs in the state-of-the-art software written by tech giants.
At de.ci.phe.red LAB, we are dedicated towards exploring vulnerabilities in the concepts and implementations that support the digital world. Solving CTFs is a great way to orient one’s technical arsenal towards finding out the breaking points of digital systems and subsequently fixing them. Hence, aligning with the spirit of our LAB and leveraging the curiosity of the human mind to peer beyond what visible, we took a step forward to host a CTF competition with the aim of learning as well as spreading awareness about the vibrant CTF community.
The de.ci.phe.red LAB CTF was hosted completely online, on the platform powered by Techtud - an interactive online classroom and teaching portal. The main contest held on February 24 was preceeded by an orientation session for all the participants, briefing them on what to expect and how to prepare.
The CTF contest was held across 24 hours with new questions of increasing difficulty being added up untill 10 hours into the round. The following points summarize the de.ci.phe.red LAB CTF:
reverse engineering gcc/g++ binaries,
For furure reference, we have archived the problem statements and their solutions on
Github. Interested readers are encouraged to go through the resources and share their feedback on the same. The following are the relevant links:
The competition is one of the flagship activities of de.ci.phe.red LAB at IIT Bhilai. Hence, this was an opportunity for us to introduce ourselves to the student community in a more interactive fashion. The reception was overwhelming, with over 60 participants enrolling for the competition, organizing themselves in teams of 3 or 4. The competition offered atleast something to take-away in terms of knowledge for all the batches of study. For many, this contest served as an intitaion into the world of CTFs.
The top 3 teams were chosen as winners of the competition. The prize distribution was to be held in-campus in presence of the LAB lead Dr. Dhiman Saha, but due to he unprecented scenario created by the pandemic, it was decided, in consultation with the winners, to have a
Virtual Prize Distribution ceremony.