Jun 09, 2020

CTF 2020

Written By: Harshvardhan Patel

Frenzied keystrokes, intense brainstorming, shrieks of eureka and sighs of dismay - were all at display on a chilly night of February 24, 2020. With participants huddled as a tean in their hostel rooms, everyone raced against time to capture 12 flags hidden in 12 problem statements provided by de.ci.phe.red LAB as part of the first ever Capture The Flag (CTF) Contest to be hosted at IIT Bhilai.

Capture The Fla…? Wait What?

For starters, Capture The Flag competitions, widely known as simply CTFs are competitions which require participants to compute a secret flag (usually a string or an integer value) which is obfuscated and embedded inside one or more of the following: - object code, - image headers, - HTTP requests etc. The problem statement includes the above resources containing the secret flag, followed by a paragraph providing context for the flag and some pointers on how to query the above resources as a black box. In case of a binary file, canditates might first run the file and notice some outputs. The binary file might ask for a password. Since the password is secret, the candidates might choose to view the disassembled code of the binary in order to check for any hardcoded strings. Maybe they find a human readable string that makes sense, and submit it as a flag. But to their dismay, they might be greeted with a wrong answer on the CTF Submission Portal. And hence, the cycle repeats of scraping shovels against a wall untill they find a weak spot (an input which crashes the executable) and are able to find another potential flag.

Relevance of CTFs?

As one might notice, the domain underlying a CTF problem is very open-ended and that virtually any piece of software can be programmed as a CTF challenge. Hence, a top CTF problem solver would mostly need to know how to reverse engineer a piece of tech. For the same he would need exposure to myriad tools like debuggers, disassemblers, network-packet analyzers, web-page inspection etc. Furthermore, CTFs are the starting points to Bug Bounties (or White Hat Hacking) in which participants are invited to find (fatal) bugs in the state-of-the-art software written by tech giants.

Motivation behind hosting a CTF

At de.ci.phe.red LAB, we are dedicated towards exploring vulnerabilities in the concepts and implementations that support the digital world. Solving CTFs is a great way to orient one’s technical arsenal towards finding out the breaking points of digital systems and subsequently fixing them. Hence, aligning with the spirit of our LAB and leveraging the curiosity of the human mind to peer beyond what visible, we took a step forward to host a CTF competition with the aim of learning as well as spreading awareness about the vibrant CTF community.

de.ci.phe.red LAB CTF

The de.ci.phe.red LAB CTF was hosted completely online, on the platform powered by Techtud - an interactive online classroom and teaching portal. The main contest held on February 24 was preceeded by an orientation session for all the participants, briefing them on what to expect and how to prepare.

The Competition

The CTF contest was held across 24 hours with new questions of increasing difficulty being added up untill 10 hours into the round. The following points summarize the de.ci.phe.red LAB CTF:

• 12 Problem Statements
• Points diminishing with increase in number of correct submissions of a problem statement (The most solved problem statement will be worth lesser points to someone who solves it next)
• More than 20 teams consisting of 60+ students as participants
• Atleast 15 teams solved atleast one question in the contest
• 3 Teams were able to correctly solve 11 questions
• Problem statements spanned domains such as image forensics, reverse engineering gcc/g++ binaries, cryptography, web technologies and pattern predictions

de.ci.phe.red CTF Archived

For furure reference, we have archived the problem statements and their solutions on Github. Interested readers are encouraged to go through the resources and share their feedback on the same. The following are the relevant links:

• Problem Statements
• Solutions
• Reverse Engineering Binary Source Code

Reception and Results

The competition is one of the flagship activities of de.ci.phe.red LAB at IIT Bhilai. Hence, this was an opportunity for us to introduce ourselves to the student community in a more interactive fashion. The reception was overwhelming, with over 60 participants enrolling for the competition, organizing themselves in teams of 3 or 4. The competition offered atleast something to take-away in terms of knowledge for all the batches of study. For many, this contest served as an intitaion into the world of CTFs. The top 3 teams were chosen as winners of the competition. The prize distribution was to be held in-campus in presence of the LAB lead Dr. Dhiman Saha, but due to he unprecented scenario created by the pandemic, it was decided, in consultation with the winners, to have a Virtual Prize Distribution ceremony.