Dec 17, 2011
The ever evolving CTF strategy
On Wednesday I participated in Hurricane Lab's Hack for Hunger event. I was able to come in second place, losing only to my former boss and friend. After talking to a few other participants afterwards, a few things became very clear and I thought I'd share what I learned.
- Unix system administration experience is priceless
My friend's success was largely due to him approaching the challenge not from any penetration testing methodology, but from the angle of "if I ran these services, this is what I would have locked down." This experience played into #2.
- Old school exploits and common misconfigurations are your friend
I think in my case, my work environment being very up to date and always patching has pigeon-holed me into a default assumption that only newer attacks need be tried. It's really hard to flip that switch and start with issues from 10-15 years ago and progress to more recent exploits instead of working my way backwards.
- For binary analysis / reverse engineering challenges, you often only find the key if you don't think too far into it
This one is kind of true to life. Occasionally you get the reward of grinding on something for hours and finally the hard work pays off. Even more often, however, are the head-slapping moments where you spend a few minutes on something and it almost seemed to be too easy. These happen to occur the most in real life, so the only excuse I have is assuming they would be more difficult by default.
- With such a short challenge window, you have to be the vulnerability assessment tool
Usually at least 25-50% of a challenge will be issues a vulnerability assessment tool would catch. The problem is you normally have 3 or fewer hours to complete the challenge, and while in some cases that's enough time to finish the scan, you don't want to be waiting half the challenge for those initial results. The fix for this is to have scripts ready to go to cover the basic issues.
- If you pentest for a living, you need to flip that switch off
I say this because typically when you pentest for work, you have a lot more time to work with, and you likely have your methodology and process pretty well defined. When you have only a couple of hours to find as much as you can, methodology and process kind of have to be redefined or go out the window.
I realize not every Capture the Flag contest will be modeled like this, but I think these points are worth taking into any hack challenge.