
First Capture-the-Flag


A couple of months ago, I was invited to join a team to compete in a capture-the-flag event. Having only joined the cybersecurity community a year and a half ago, the invitation was both appreciated and a bit intimidating. Would I be able to contribute something of value? What if I didn't know how to do anything? What if it showed everyone how much I didn't understand?

* screech the brakes *
Curiosity is the antidote to imposter syndrome. When you care more about learning what you need to know than about what people think of you, it's a game-changer. So, armed with my tenacity for learning and the goal of finding out where my strengths might lie in such an event, I accepted the invite.

The Prep

I virtually met some of my team (sans video) a couple of weeks beforehand. Folks who had participated the year before shared what it was like, but the team leads indicated that this year, the focus would be different. Generally though, some things remain the same:

  • Know how to assess your environment quickly;
  • Identify what services need to be up and which users need access to what;
  • Have a plan for hardening your server(s); and
  • Identify your teammates' strengths and weaknesses.
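The first two items on that checklist are the kind of thing a short script answers in seconds, and it is worth having one in hand before the clock starts. What follows is an added example, not the author's script or anything used at the event: a POSIX sh triage helper that reports login-capable accounts, members of privileged groups, any non-root UID 0 account (a classic planted backdoor), and listening TCP sockets. The parsers read from stdin so they can be checked against constructed passwd(5), group(5) and `ss -tlnp`-style input; it only touches the live host when run with `--live`, and the list of "cannot log in" shells and privileged group names are assumptions that may need extending for a given image.

```shell
#!/bin/sh
# Quick host triage for a defensive CTF: who can log in, who has sudo,
# what is listening. Each parser reads stdin so it can be exercised on
# constructed sample data as well as on the live host.

# Print "user shell" for every passwd(5) entry whose shell can actually log in.
# The excluded shell names are an assumption; extend for odd images.
login_accounts() {
    awk -F: '$7 != "" && $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1, $7 }'
}

# Print "group member" for every member of a privileged group (group(5) on stdin).
# The group names are an assumption: Debian/Ubuntu use sudo, RHEL-likes use wheel.
privileged_members() {
    awk -F: '$1 ~ /^(sudo|wheel|admin)$/ && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print $1, m[i]
    }'
}

# Print any UID 0 account that is not root (passwd(5) on stdin).
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Reduce `ss -tlnp` output (header included) to unique "port process" lines.
# The process name is pulled from the users:(("name",pid=...)) column when present.
listeners() {
    awk 'NR > 1 {
        port = $4; sub(/.*:/, "", port)
        proc = "?"
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
        print port, proc
    }' | sort -u | sort -n
}

# Live run only on request, so sourcing or testing the file is side-effect free.
if [ "${1:-}" = "--live" ]; then
    echo "== accounts with a login shell ==";  getent passwd | login_accounts
    echo "== privileged group members ==";     getent group  | privileged_members
    echo "== non-root UID 0 accounts ==";      getent passwd | extra_root_accounts
    if command -v ss >/dev/null 2>&1; then
        echo "== listening TCP sockets ==";    ss -tlnp 2>/dev/null | listeners
    fi
fi
```

Run it as `sh triage.sh --live` on each box you are handed, then diff the output against a second run after hardening: anything that reappears in the UID 0 or listening-socket lists is an immediate lead.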

As a newcomer to the team, I realized later how beneficial it would have been to learn a bit about my teammates' backgrounds and experiences beforehand, but alas, this did not happen and there were changes afoot. Just days before the event, several people had to drop out and a team of two was consolidated into just one.

In preparation for the event, I had initially just created the "Hardening a Linux/Windows Servers" posts for reference. But never satisfied with doing the minimum, I decided to try my hand at automating some of the processes so that they would be faster. Having never automated anything and knowing very little about bash scripting, I had several conversations with a generative AI program to create some scripts for grabbing files for password-cracking, configuring SSH to be more restrictive, setting up Fail2Ban, and setting up Ubuntu Firewall.

Side Quest

The act of creating scripts to automate processes turned out to be of particular interest to me for several reasons.

  1. Automation really is faster for specific tedious tasks.
  2. Using AI to quickly generate a script allows someone newer to the field to see quickly the various ways in which a task might be accomplished through scripting; over time, I can more and more readily see how to modify the scripts from what was generated and eventually, generate them on my own with or without the efficiency of AI.
  3. I began to see the different pros and cons of creating simple scripts vs more complex scripts, interactive scripts vs hard-coded scripts, and most importantly, the author's assumptions vs script nimbleness.
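Item 3, the author's assumptions versus a script's nimbleness, is the point that decides whether a hardening script survives contact with an unfamiliar box, and the SSH-restricting script mentioned under The Prep is a good place to show it. The block below is an added example, not the author's generated script and not part of the original post: a POSIX sh helper that sets sshd_config directives idempotently (replacing an active or commented-out line instead of appending a duplicate, and keeping new directives out of any Match block), and a wrapper that checks its assumptions (root, sshd installed, config where expected) and validates the result with `sshd -t` before anything is reloaded. The config path, the specific directives chosen, and the `--apply` flag are assumptions of this example.

```shell
#!/bin/sh
# SSH hardening that checks its assumptions instead of baking them in.
# Nothing is applied to the live host unless the script is run with --apply.

# Set KEY to VALUE in an sshd_config-style FILE, idempotently:
#  - the first active or commented-out line for KEY is replaced in place,
#    later duplicates are dropped;
#  - if KEY is absent, it is inserted before the first Match block (or appended),
#    because anything after "Match" applies only to that conditional block;
#  - lines inside Match blocks are left untouched.
# Usage: set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key) }
        {
            raw = $0; sub(/^[ \t]*/, "", raw)
            if (tolower(raw) ~ /^match([ \t]|$)/) {      # a real (uncommented) Match line
                if (!done) { print key, value; done = 1 }  # global directive must precede it
                in_match = 1
            }
            if (in_match) { print; next }                  # never rewrite conditional blocks
            line = raw; sub(/^#[ \t]*/, "", line)          # look through "#Key value" too
            split(line, f, "[ \t]+")
            if (tolower(f[1]) == lk) {
                if (!done) { print key, value; done = 1 }
                next                                       # drop commented/duplicate copies
            }
            print
        }
        END { if (!done) print key, value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Refuse to run unless the host looks like what this script was written for.
check_assumptions() {
    cfg=${1:-/etc/ssh/sshd_config}
    [ "$(id -u)" -eq 0 ]             || { echo "must run as root" >&2; return 1; }
    command -v sshd >/dev/null 2>&1  || { echo "sshd is not installed here" >&2; return 1; }
    [ -f "$cfg" ]                    || { echo "no sshd_config at $cfg" >&2; return 1; }
    [ -s "$HOME/.ssh/authorized_keys" ] \
        || { echo "no authorized_keys for $USER: disabling passwords would lock you out" >&2; return 1; }
}

# Apply a conservative baseline, keep a rollback copy, and validate before reload.
harden_ssh() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp "$cfg" "$cfg.bak.$(date +%s)"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" MaxAuthTries 3
    set_sshd_option "$cfg" X11Forwarding no
    sshd -t -f "$cfg"   # a config that fails here would leave you locked out on reload
}

if [ "${1:-}" = "--apply" ]; then
    check_assumptions && harden_ssh && echo "ok: now reload sshd in your own terminal, keep this session open"
fi
```

The check on authorized_keys is the assumption most often violated on a fresh scoring box: turning off password authentication before your key is in place is a self-inflicted lockout, which is exactly the kind of hard-coded assumption item 3 is about.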

The First Day

When the day finally came, I arrived with a mix of emotions and focus. Once settled into the platform after some connectivity issues were resolved, our team began tackling the first module of the exercise. Shortly after I began, I realized that I knew enough to help my team make some progress and that each of them knew things that I did not. It was a great opportunity to share knowledge and figure out new challenges together.

Defenestrating "Last Year"

When it came time for the portion of the CTF that was the actual cyber combat exercise, I quickly realized that every single script I'd created would be worthless and that any assumptions the team had made based on "last year's experience" did not hold water. What was great, though, was the quick paradigm shift that happened, coupled with some great communication from the team. By the time this last exercise happened, it was clear who had strengths where, and we were able to support each other throughout.

Key Takeaways

  • Prep, but don't overkill
  • Automate with caution
  • Find out each team member's strengths
  • Learning = Winning