A look behind the scenes: Field report on the organization and implementation of a CTF event

As part of an assignment, we were given the opportunity to organize a CTF competition. “CTF” stands for “Capture the Flag” and describes a type of hacking Olympics in IT security. Participants demonstrate their skills in teams or alone by solving challenging tasks. The aim is to find so-called “flags” (hidden keys) in order to collect points. The team with the most points wins the competition at the end. Although some team members already had individual experience with CTFs, it was a new challenge to organize such an event from scratch.

Objective

The task was to develop a hacking event for a client that would raise participants’ awareness of IT security risks and familiarize them with attack methods. The CTF approach offers some clear advantages over conventional training methods: The direct interaction with security problems promotes a deeper understanding of IT security. The participants’ motivation is consistently high, particularly due to the playful aspect, which sets it apart from lectures.

Setting up the infrastructure: The CTF gaming environment

The first question was how the technical infrastructure should be designed to ensure a smooth process for the participants. Each task was given a separate virtual machine to which the teams had access. We opted for AWS and set up several Ubuntu instances that were only accessible via a VPN server in order to seal off the environment. To manage progress and scoring, we used CTFd, an open source framework built specifically for CTF events. It was intuitive to use, and our challenges could easily be embedded together with their stored flags. The platform served as a dashboard and was therefore the first point of contact for the participants.
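One way to verify the "only accessible via a VPN server" property before an event, as an added example that is not part of the original report: the function below walks data in the shape returned by `aws ec2 describe-security-groups` and reports every ingress rule on a challenge instance whose source is neither the VPN server's security group nor the VPN client pool. The group IDs, group names, ports and the 10.8.0.0/24 pool are constructed assumptions.

```python
import ipaddress

# Assumptions for this example: the VPN server has its own security group and
# hands clients addresses from one pool. IDs, names and CIDRs are constructed.
VPN_SG = "sg-vpn-example"
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")

def rule(port, cidrs=(), groups=(), cidrs6=()):
    """Build one IpPermissions entry in the describe-security-groups shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs6],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

SAMPLE = {"SecurityGroups": [
    {"GroupId": VPN_SG, "GroupName": "vpn-server",
     "IpPermissions": [rule(443, cidrs=["0.0.0.0/0"])]},
    {"GroupId": "sg-api-example", "GroupName": "challenge-api",
     "IpPermissions": [rule(8080, groups=[VPN_SG])]},
    {"GroupId": "sg-login-example", "GroupName": "challenge-login",
     "IpPermissions": [rule(80, cidrs=["10.8.0.0/24"])]},
    {"GroupId": "sg-maze-example", "GroupName": "challenge-maze",
     "IpPermissions": [rule(22, cidrs=["0.0.0.0/0"], cidrs6=["::/0"])]},
]}

def exposed_rules(data, vpn_sg=VPN_SG, vpn_pool=VPN_POOL):
    """Return (group name, from-port, source) for each ingress rule that lets
    traffic reach a challenge instance without passing through the VPN."""
    findings = []
    for sg in data["SecurityGroups"]:
        if sg["GroupId"] == vpn_sg:
            continue  # the VPN endpoint itself has to be reachable from outside
        for perm in sg.get("IpPermissions", []):
            port = perm.get("FromPort")  # absent (None) for all-protocol rules
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                # subnet_of() raises on mixed IP versions, so compare those first
                if net.version != vpn_pool.version or not net.subnet_of(vpn_pool):
                    findings.append((sg["GroupName"], port, cidr))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] != vpn_sg:
                    findings.append((sg["GroupName"], port, pair["GroupId"]))
    return findings

if __name__ == "__main__":
    for name, port, source in exposed_rules(SAMPLE):
        print(f"{name}: port {port} reachable from {source}")
```

Rules that reference any security group other than the VPN server's are reported as well, so intentional instance-to-instance access shows up for manual review rather than being silently accepted.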

The challenges: where creativity meets security gaps

The infrastructure was followed by the design of the challenges. We wanted to offer a range of challenges covering different security areas, including web security, network security and configuration errors. Examples included an API challenge that highlighted classic API development mistakes, a login web application and a crawling maze where the file system was a labyrinth designed to mislead the players. It was important to us that the tasks covered different levels of difficulty and exposed participants to a wide range of vulnerabilities, from easier to more challenging ones. Hints could be obtained in exchange for points if required. After an internal test phase, the event was ready for launch.

The event: When developers become hackers

Four teams of three to four developers took part. As studies and training often focus on other topics, the area of IT security is often neglected in application development. As a result, most of the participants had no prior knowledge in this area, but this was no obstacle. Over the course of four hours, the teams worked intensively on cybersecurity, developed solutions and tirelessly searched for the next flag. The feedback from the participants was very positive. Many said that they had gained valuable new insights, which was in line with our goal of raising awareness of security risks. It was also exciting for us to see how the participants came up with innovative solutions that we would not have expected ourselves. As is so often the case, there are several ways to achieve a goal.

Review and outlook

The event was a complete success, and yet: nothing is perfect. We were also able to gain valuable insights. One key lesson was that a large number of challenges can often be overwhelming for newcomers. Many participants had the urge to tackle the challenges one after the other and to keep grinding away at some of them. In principle, this is a good thing, as it shows perseverance and a willingness to solve problems. However, due to the limited time frame, it is worth taking a broader approach and trying out different challenges. This mirrors real-life pentesting, where fixed time frames are also set. In order to effectively identify weaknesses, it is crucial to take a strategic approach and not spend too long on individual challenges so as not to lose sight of the bigger picture. Based on this, we have already developed some ideas for future events and will continue to optimize the task structure. All in all, this first CTF competition was an exciting experiment and was great fun for both us and the participants. We are already looking forward to introducing more people to the security field in a fun way in the future.

A brief summary of the technical set-up:

  • AWS was chosen as the hosting provider
  • CTFd was selected as the CTF platform (as a kind of dashboard for the challenges and the points collected by the participants)
    • Users / teams log in there and can see the challenges from there
  • Everything takes place within a VPN
  • The challenges were specially created by us
  • Each challenge offers a short introductory text in advance, which is intended to provide information on the possible security vulnerability
  • There are challenges in a wide variety of areas (API, web, crawling, etc.) with different levels of difficulty