It’s that time of year again folks. The time where we abandon our families and hunker down in the basement for a 48-72 hour hackfest against the rest of the world’s “31337.”
It’s time for some CTF.
This year there are two great CTFs relatively close to each other. First, starting on 4/22, is pCTF, a CTF organized by the continually qualifying Plaid Parliament of Pwning. With a slightly different format (scenario based, including web) it promises to be a great competition. Big money sponsors (Lockheed Martin) have donated prizes and cash for the top 3 teams (209 teams registered as of now).
Next is arguably the biggest and most important CTF, the Defcon CTF qualifiers. Upwards of 400 teams play to get a chance to compete in Las Vegas. The top 3 spots are reserved for the winners of last year’s competition (ACME Pharm) and the winners of UCSB’s iCTF and CODEGATE’s CTF. The rest of the pack have to compete in the qualifiers for a chance at the remaining 9 spots – totaling 12 teams that will be in the finals in Las Vegas.
A while back (sorry I have been slacking) I had a chance to interview some hackers from a few successful teams: Shellphish and ACME Pharmaceuticals.
First up was Sean Ford aka “odo” who plays on Shellphish. Shellphish has won the Defcon CTF and made continual appearances in the Finals over the last few years. They also put on the previously mentioned iCTF for collegiate hackers all over the world. Led by their graduate professors, most notably Giovanni Vigna, these hackers are students of the University of California, Santa Barbara who focus on research in malware analysis, advanced exploitation, advanced IDS and traffic analysis, etc.
> Hi Sean, Thanks for responding, What CTFs have you competed in?
I have competed in UCSB’s iCTF and the Defcon CTF. I also helped
organize a UCSB iCTF after joining UCSB Security Lab as a grad
student.
> How do you manage your teams? Do you have Scheduled practice times? How many hours pre CTF do you spend preparing?
Team management and scheduling, at least for shellphish, is fairly
loose. There is a flurry of activity right before and during the
quals, and then we will spend a couple weeks before the actual
competition making sure “the bomb” (our mini rack) is ready. This
generally involves updating software repositories and ISOs (tough to
find reliable Internet to download tools/ISOs at Defcon), and setting
up a nearly endless number of VMs with obscure operating systems…
because, you never know when the organizers will switch away from
FreeBSD, to like, um, BeOS, or something…
For the most part, shellphish is made up of active academic security
researchers which helps keep everyone’s skills sharp when not
competing.
> Are there different roles people play on the team?
There is a blurred line between defensive and offensive roles. There
are certainly individuals who will focus on keeping the services up
and analyzing the network logs. Others will focus on offense and
writing exploits. After analyzing the binaries for vulnerabilities,
you generally have an idea on how to keep the service up and patched,
which helps on the defensive side.
> How close to real world hacking are most CTF’s you play in?
Depends on what kind of real world hacking you are doing… Defcon CTF
is all about binary analysis… there is no source code and the
binaries only exist to be exploited. You spend almost all your time
looking at assembly trying to figure out how to get the service to do
what you want (read or write a flag).
UCSB iCTF takes more of a “real world” approach. In iCTF 08, there was
a network that contained 4 hosts that you had to infiltrate. You first
had to hack into a public web server and obtain a root shell on the
box. With the shell, you were then able to access the private network
behind the web server which contained higher valued hosts that you had
to break into.
In iCTF 09, you had to write malware to infect the browsers of
simulated users to create a botnet.
> Do you commonly know players on the other teams?
I don’t personally know too many people on other teams. I am familiar
with a lot of the other teams though because you tend to see the same
teams competing in the various competitions.
> What is the most difficult CTF? How about the most fun?
Defcon CTF is certainly the most difficult. Not only are you competing
with some of the most talented hackers in the world, you have to do it
in one of the most distracting locations known to mankind… the
Defcon CTF room. Loud music, tons of people, constant bombardment of
videos projected on the walls. Try analyzing x86 asm in gdb looking
for a specific sequence of bytes while there is a video of a hundred
topless skydiving chicks playing on all four walls in the room (those
who hung out in the CTF room at Defcon 2010 know what I am talking
about…)
Defcon CTF is the most fun too… I mean, what is better than hacking
in Vegas with all your friends??
> When competitively playing at DC do you get to do much else?
Playing CTF at Defcon is a full-time job. The CTF network is
shutdown at night so you can’t score points then; but, we always end
up back in our hotel rooms preparing for the next day… finishing up
exploits, analyzing network traces, and trying to patch services. If
you are not hacking, you are sleeping.
> How do you track your progress and collaborate when doing challenges?
We all meet up together at UCSB to work on the qual challenges
together so collaborating is fairly easy. During the competition, we
try to keep a wiki updated to see what everyone is working on and
their progress.
> How do the quals and actual CTF differ?
Check http://nopsr.us/ for all the past Defcon qual challenges. Pick
one of the binary challenges, make it a few times harder, and then you
will get the CTF.
> What tools and platform do you use most? What kind of test platforms and lab do you have to have rigged up and ready for a serious competition?
Whatever gets the job done. Python is generally my first choice for
exploit writing though. gdb, objdump, and IDA for disassembly and
analyzing binaries. hexedit for binary patching. burp for analyzing
web applications (non-Defcon competitions). Virtualization software
(take your pick) is quite helpful too when you need to test on a
machine that has the same OS/arch as the target host.
> How do you feel about professionals playing against academics?
No problem with it at Defcon… this will probably sound idealistic
but it should not matter if you have an academic or professional
background, just that you have the skillz to qualify at the quals.
I do think it is valuable to have competitions such as UCSB iCTF that
only allow academic teams because it allows people to experience a
hacking competition who might not have the experience necessary for
Defcon. The final project for the UCSB graduate security class is to
participate in UCSB iCTF. The class is open to all computer science
graduate students (i.e., not necessarily focused on security), and there have
been UCSB teams that have done quite well despite their only hacking
experience being from the class.
> What kind of opportunities does winning a CTF afford your school or team?
Bragging rights
