I recently finished helping to judge and moderate the CyberDrain CTF challenge, a free capture the flag event organised and written by my good friend Kelvin Tegelaar – and what an event it has been. I thought it would be interesting to blog about some of the things that surprised me when judging, including a few things that happened that I didn’t and did expect. I am hoping to provide some hints and tips as well on how you can approach future ones of these. I’m writing this towards the end of the CTF so I apologise for any inconsistencies with tenses, but I wanted to get this down while it was fresh on my mind!

Rush at your peril

Kelvin planted more traps in this CTF than Kevin did in Home Alone 1. Those of you who jumped into the 10 point questions immediately will have felt this the hardest. More seasoned pros who remembered the trolling in the previous CTF left those questions until last, in order to avoid the web and traps left by the CTF master himself. This gave them an advantage, and in the end could have actually meant the difference between winning and not winning the CTF. All though there were players who hit this CTF hard and immediately (Luke Whitelock I am looking at you), some of you spread this out for a number of days. It’s likely in future CTFs this will be encouraged in some way. Another advantage of doing this is all the inevitable problems and bugs are worked out before you start. There’s only so much you can test as individuals, we had to change a number of flags in the first couple of days to account for people answering questions in ways we hadn’t expected.

Testing before the event starts is critical

Funny story, I’d spooled up a Hyper-V environment in Azure to playtest some of the CTFs the weekend before the event started. I could not for the life of me get the VMs to import. After confirming with Kelvin this was not part of a trap he’d laid, we realised after some prodding that he’d exported them with Hyper-V management tools from Server 2022 preview. Oops! They would only then import on Server 2022. Fortunately, a couple of hours later, Kelvin had working VMs up and we could continue the testing.

 

As a judge, I will always award quality and attention to detail

I purposely didn’t really allude to this publicly because I didn’t want people gaming the system, but certain submissions received additional point awards based on their overall quality. I applied this test against any code I reviewed: Could I take this right now and run it straight in one of my production environments, and was there clear effort put into it? If the answer to this was yes, you received an award for quality. We received some fantastic code for all the scripting challenges. The quality on some of it blew me away. The quality was that good in certain submissions for the Outlook Signature Script that they even made me consider how we could replace Exclaimer in our client environments. I did the same for attention to detail. Those of you who renamed the parameters in the deployment template to match what was asked for in the challenge will have found an award for attention to detail added to them! Those of you who went a step further and enforced validation on those parameters also earned an award called “Validation Matters”.

 

It was really enjoyable to give funny awards

If you submitted VBS in the PowerShell script challenge you found yourself awarded “Stuck in the 2000s”. If you wrote code in the application installation scripting challenge that covered Windows, Mac and Linux you got the Multi-Platform Wizard award. If you impressed us with your Outlook Signature Script, you may well have earned the award “Signed, Sealed, Delivered – I’m yours”. For me at least this bought a light-hearted humour to the CTF, and I took great pleasure in awarding Luke the “I WANT MY MUMMY” Award, given for light-hearted whinging about the CTF in the MSPGeek Slack. If I’m involved in the next one, I am going to define more of these awards and make them a bit more publicly visible too. Because of the nature of these, we may have missed some and for that I am sorry. Awarding these to people is very much a manual affair in CTFd. To make this fair, when the CTF finishes we will be reviewing the top 10 players and where Awards led to a difference in points that affected someone’s position we will be re-reviewing more stringently so any “Joke” awards will be discounted in the final positioning.

Reviewing hundreds of Azure Deployment Templates will give you the ability to verify them on sight

Something I didn’t expect. Towards the end of the CTF, I’d reviewed so many of these that I could tell the duff ones from the good ones simply by glancing at them. I verified every single one in the Azure Template editor, but my initial “glance” check was always right.

Flags are hard

We figured out very early on that some of the flags were difficult for people to get, even when they’d essentially solved a challenge. We hope in the future this can be improved by applying Regex flags that trigger for certain things. People ended up solving some of these challenges in ways that were never expected and it’s difficult to adapt to them on the fly.

Read the challenge, and then read it again. Engage it literally.

Honestly, this is the best advice I can give anyone reading this post who engage in future CTFs. Where you are struggling, you should break down every single piece of information given to you in the challenge, because almost none of it is “throwaway” information. Nowhere was this more true than in the replication question. The inclusion of the sentence “and connect them via an IPSec tunnel” was critical to solving this particular challenge. So many people engaged this from a DNS/AD problem perspective. Here’s another hint, if only a couple of people have solved a particular challenge, it’s unlikely to be a problem that is anything “Simple”.

Community Helps

There was fantastic discussion in the MSPGeek Slack‘s #cyberdrain-ctf channel. Especially in situations where you believe you 100% have solved a challenge, but couldn’t get the flag the judges were always available to help. Unfortunately in CTFd when we are rejecting answers too, there’s no real method for us to tell you why we have rejected it.

 

Being Trolled Back is Equally as Funny

After finishing the CTF so early, Luke Whitelock went reverse Home Alone and put together his own mini CTF, a little ditty called WTCTF (What the CTF) for me and Kelvin to work through. It was absolutely hilarious and thoroughly enjoyable and it had so many traps. What was even funnier was him predicting how we’d solve certain challenges, and then preparing traps for them, including:

  • Prepping Duo Solutions Engineer Jacob Heisey to get him to not answer our questions for a complicated Duo licensing question. I fell for it hook, line and sinker:
  • Planting false flags in the EXE for a service not starting challenge, and putting them at the top of the code, knowing I’d attempt to decompile it for the flag:

  • An API question that had hilarious responses when sending incorrect information

I want to thank Luke for this effort in putting this together. I think it was good for Kelvin to have a taste of his own medicine 😀

Huge amounts of effort go into these events

A big thank you has to go out to Kelvin for putting these challenges together. My role in this event has been to assist him in judging and moderating them, but I know that he puts SO much effort into putting these challenges together. Kelvin is an individual who is driven to improve the MSP world, and I am proud to know him and collaborate with him. If you want to enable these types of events in the future, please consider sponsoring him on Github https://github.com/sponsors/KelvinTegelaar – I am sure for everyone involved this has been a great learning experience, and for me at least this is a fantastic practical way to learn new and existing technology. Thank you to everyone who got involved and I hope to see you in future CTFs.