I just had the weirdest game…..Both teams in this CTF match apparently decided to throw the match I was all set to attack as Pharah and I realized everyone was standing around emoting and greeting each other….it ended in a draw bc literally nobody did anything it was
It’s so very satisfying to cap the flag start-to-finish as a tiny Korean girl in a hanbok because you got de-mech’d at the start but your tiny fearless ass gives not one single fuck. At one point I almost did it three times in one game, but the enemy Mercy got so fed up with my shenanigans that she hunted me down and killed me on her own (because Mercy is the only one who’s tied for a de-mech’d D.Va when it comes to being out of fucks to give).
On Wednesday I participated in Hurricane Lab’s Hack for Hunger event. I was able to come in second place, losing only to my former boss and friend. After talking to a few other participants afterwards, a few things became very clear and I thought I’d share what I learned.
Unix system administration experience is priceless
My friends success was largely due to him approaching the challenge not from any penetration testing methodology, but if I ran these services this is what I would have locked down. This experience played into #2
Old school exploits and common misconfigurations are your friend
I think in my case, my work environment being very up to date and always patching has pigeon-holed me into a default assumption that only newer attacks need be tried. Its really hard to flip that switch and start with issues from 10-15 years ago and progress to more recent exploits instead of working my way backwards.
For binary anaylsis / reverse engineering challenges, you often only find the key if you don’t think too far into it
This one is kind of true to life. Occassionally you get the reward of grinding on something for hours and finally the hard work pays off. Even more often however is the head slapping moments where you spend a few minutes on something and it almost seemed to be too easy. These happen to occur the most in real life, so the only excuse I have is assuming they were be more difficult by default.
With such a short challenge window, you have to the vulnerability assessment tool
Usually at least 25-50% of a challenge will be issues a vulnerability assessment tool would catch. The problem is you have 3 or fewer hours normally to complete the challenge, and while in some cases thats enough time to finish the scan, you don’t want to be waiting half the challenge for those initial results. The fix to this is have scripts ready to go to cover the basic issues.
If you pentest for a living, you need to flip that switch off
I say this because typically when you pentest for work, you have a lot more time to work with, and you likely have your methodology and process pretty well defined. When you have only a couple hours to find as much as you can, methodology and process kind have to be redefined or go out the window.
I realize not every Capture the Flag contest will be modeled like this, but I think these points are worth taking into any hack challenge.