Work I Completed
This week I competed in Pecan+CTF2022 cyber-security competition and placed second nationally in the beginner division, and 10th overall. I competed in a team of 4 year 11 students from my IT class. The competition ran from 10:00AM - 4:30PM with only one short break. The challenges involved locating a flag in various media. The challenges fell under 6 categories: forensics, web explotation, steganography, reverse engineering, open-source intelligence and cryptography. I will try to cover a brief explanation of each.
Forensics involves finding data after a cyber-security attack has occured. The main challenge I solved in this category was based off the iconic ransomware - WannaBruz. A similar virus was supposedly detected, and the task involved finding a flag within some HTTP request logs. The logs originally opened in wireshark, which was difficult to navigate due the large amount of requests, and I also had no idea what wireshark was, or what I was looking at. I instead decided to open the logs as a text document, which contained the flag. Not using wireshark made the problem significantly easier.
Web exploitation is what it says, you have to exploit vulnerabilities in webpages. The main challenge I solved in this category involved using SQL injection to sign in to a webpage as the ‘superadmin’. The SQL statement is given as a comment in the client-side because the webpage creator was ‘dropped on the head as a child’. The server would not inject the SQL if the password contained OR, or, =, spaces or 1. The SQL statement and my solution is below:
SELECT * FROM creds WHERE username='%s' AND password='%s'; -- The SQL statement
-- A suitable password for the superadmin user is:
-- '/**/|/**/null/**/is/**/null;--
-- This works as an or statement is given, the is statement for null and null is true, and open and closed comments are seen as a space.
-- When the SQL is injected, it looks like this:
SELECT * FROM creds WHERE username='superadmin' AND password='' | null is null;-- ';Steganography involves finding hidden information within a file. Mainly this involved finding hidden information within an image. I did not actually solve anything within this category, however I did need to look at meta tags (exif data) for other challenges.
Reverse Engineering involves manipulating the code within a program without changing it to give access to otherwise inaccessible information. I also did not do any of these challenges, so I have nothing to comment on them, other than that they are my least favorite.
I did all of our teams open-source intelligence questions. These were my favorite. The main questions involved a kidnapping, with picture clues to find the location of the kidnapper. These were fairly easy as google maps made it easy to find the landmarks in the images. The most enjoyable one of these was finding the flight number of the kidnapper. We were given a time frame and a location, then we had to fight number based on their current location. It was rather easy, but was less mind-numbing than scanning streets on Google Earth.
Cryptography involves decrypting encrypted messages to obtain the original message. Honestly, I did not even try to do any of these questions - they were targeted by other team members.
Reflection
Do you think you did your part?
Looking over all the challenges I did, I am realizing that I did all the easy challenges. My main source of points was from open-source intelligence, which were solved by most teams. The other challenges that I did were similarly easy - I generally targeted the challenges with the most solves. I definitely got over 1/4 of the points for the team, but I was doing the easy problems - anyone in the team could have done these. What I added was support for the team, as I was generally the one helping them with their issues and providing suggestions. I think I played my role, however I would have liked to be the person who did all the hardest questions and got all the points.
Did you enjoy PeCan?
The fact that the competition ran for six and a half hours was not overly enjoyable - my mind was numb throughout most of it. However, the CTF format really worked for me. Personally, I enjoy doing self-directed tasky learning like math textbooks, and grok learning. The CTF format is very similar to these - you are given a plethora of task, and there is only one answer to solve each of them. This is much better for me than listening to a presentation, or reading an article. I have continued to do some CTF challenges on picoCTF, which is continuing my learning about cyber-security.