A Fun Security Weekend with null and sCTF
I know it’s quite late to post about the last weekend when another weekend is around the corner, but couldn’t control myself as the last one was so eventful. :)
It was almost 2 weeks back that I got to know about sCTF 2012. I have always wanted to learn about computer security (and the darker side of hacking), but haven’t been able to give time it to it. What followed was a quick search for team members from among my batch via FB - Nithin immediately showed interest, we pulled Jerrin in too. We quickly registered ourselves as Team KaNiJe (sounds Manga-ish right?) after calling Vinod Pathari Sir and convincing him to become our mentor.
We were handed over the first set of questions for Round 1 via email. What I liked most about sCTF and its organizers was that they focused on being newbie friendly and were maintaining a decent level of quality with the contest. This was demonstrated in the Round 1 (christened - Learning Round by them) questions. They ranged from basics like installing VirtualBox, learning basics of PHP and SQL, and going up to buffer overflow exploits and reverse engineering. The sets of tasks were many and very few days with us - June 16 was the deadline. During this period I enjoyed hacking the basic missions at hackthissite.org, learnt a lot about iptables - default linux kernel firewall, buffer overflows, etc. I also went through my study report prepared for my Networks course assignment on common networking tools like ping, ssh, traceroute, ifconfig, netstat, wireshark, etc. to recall useful stuff and then tried to familiarize myself with the ethical hacking parlance using the suggested flashcards.
I also happened to attend null Bangalore’s monthly meetup on Saturday (16th) and, need I mention, this was THE best community meetup I have ever attended! I got to learn basic SQL injection, some JavaScript obfuscation techniques and some memory forensics basics, the last one was arguably the best session in the meetup. Through the meetup I got in touch with an MCA alumnus from my college - Shruti (who apparently knew me by name already) and then enjoyed a buffet at a nearby restaurant with her friends (a gang of 6 white-hat hackers!). I was astonished to discover a whole new (for me) world of security professionals in India and how deeply they enjoy their work. This will definitely keep me interested in security area for a while, more so because I will be taking Vinod Pathari Sir’s elective on Computer Security in the coming sem. Sadly, I was unable to attend BangPypers June Meetup due to approaching deadline of sCTF’s first round.
Earlier, on 15th night, we had divided the tasks among ourselves with 2 sections for each. On 16th afternoon, Jerrin and me met at CIS to finish up our submission for the first round, Nithin was collaborating from his home at Trivandrum. We had about 3 hours remaining for the deadline and I was yet to start on my sections (the lazy procrastinator that I am; and there had been a confusion about extension of deadline to add to my procrastination). My sections were Part 2 (mysql, apache, hardening, log file, php log file etc) and Part 4 (secure coding, attacks). Given my experience sysadmining for about past three years, it didn’t take me more than an hour to finish up the first section (of course, there were new things to learn as well). The other section was more of a problem with the time constraint but I managed to do most of it. Just near the deadline of 7 pm we submitted our partial solutions (the poor reverse engineering section was left blank completely!) and parted for the day.
The next day was the second round (also online), scheduled from 10am to 4pm and which along with round 1 would decide our qualification for the finals. I reached CIS at 10 and logged in to the contest portal, Jerrin joined in soon and Nithin too remotely. There were questions divided into multiple sections - Crypto, Web, Binary, and Trivia. We got a good lead in the beginning when Nithin solved the first two in Binary section. I started with Trivia and found it fairly easy (Google was our assistant for that section ;-) ) in the beginning, but really got stuck at two questions in that section. Jerrin was solving Crypto questions one by one. The fun part was that all the teams and organizers were connected together with irc. We could ask doubts from them and they kept us entertained with their irc bot, live announcements of score board, and poking fun at each other and us. So, after a while I discovered that organizers had done a minor mistake which led to our advantage (I managed to finish those nasty 2 remaining Trivia questions) and put us on top for a while on the rankings. The next 2-3 hours were spent struggling on remaining questions with little progress and we ended up at rank 5 among the total 18 teams that were present.
Two days later, we were informed via mail that we had qualified for the finals! And that we were fully sponsored to attend the first International Conference on Security of Internet of Things to be held from August 16 to 19 at Amritapuri campus. The final round of the contest will be held on Aug 20 after the conference. I was overly excited because I was not aware that we were eligible to attend the conference just by qualifying for the finals. According to Vinod Sir it will be great to listen to Ross Anderson who is speaking at the conference. Looking forward for a great experience at our first academic conference (and lots of learning in the field of security to prepare for the finals). :)