4 Lessons I Learned from My First Capture the Flag (CTF) Event!
Episode 725th March 2024 • Titan of. Tech • John Barker

Shownotes

Learning the Ropes: My First CTF Experience

In the Titan of Tech podcast episode, host John shares insights from his first participation in a Capture the Flag (CTF) event in March 2024, covering its nature as a cybersecurity game, the challenges encountered, and four key lessons learned. The CTF event featured jeopardy-style puzzles across various domains like digital forensics and cryptography, emphasizing the importance of hands-on skills, teamwork, and familiarity with tools like Kali Linux and Unix commands. John reflects on his unpreparedness, the technical obstacles faced in using unfamiliar equipment and systems, and the ultimate value of the experience in understanding cybersecurity complexities, especially for IT leadership and those in non-technical roles within the field.

https://podcast.titanof.tech/

https://linkedin.com/in/johnbarker78


00:00 Welcome to the Titan of Tech Podcast: My First CTF Experience

00:21 What is Capture the Flag (CTF)? An Introductory Guide

01:04 The Thrill of the Game: My CTF Event Recap

02:20 The Benefits of Participating in CTF Events

03:21 The Essential Tools for CTF Success

03:47 Four Key Lessons from My CTF Journey

09:47 Who Should Try Capture the Flag? Insights for IT Leaders and Enthusiasts

13:08 Closing Thoughts and Encouragement

Transcripts

Speaker:

Hey, what's up, everyone?

Speaker:

John here.

Speaker:

Today on the Titan of Tech podcast, I want to review four lessons that

Speaker:

I learned when I participated in my first Capture the Flag CTF event

Speaker:

just about a week ago, March 2024.

Speaker:

And the first thing off the bat is don't be me.

Speaker:

Definitely don't be me.

Speaker:

So for those of you that clicked on this and you're like, what is a CTF?

Speaker:

What is a capture the flag?

Speaker:

Let me explain capture the flag.

Speaker:

It's a security vulnerabilities game.

Speaker:

That's conducted in a test environment, you are instructed to

Speaker:

find a hidden piece of information that they refer to as a flag.

Speaker:

Maybe it's a specific file.

Speaker:

And there are typically two types of capture the flags when it's called

Speaker:

the jeopardy style where you're just given a series of challenges and the

Speaker:

other is attack and defense where you've got your teams where you

Speaker:

each have your own specific network and you're trying to protect your

Speaker:

network at the same time you're trying to attack another team's network.

Speaker:

Now, in my particular case, we were in jeopardy style.

Speaker:

It was a three hour capture the flag event and there was a total of 16 different

Speaker:

puzzles that they were that we were given that we needed to solve and we and

Speaker:

there was no way nobody solved all 16.

Speaker:

That was part of the part of the drill.

Speaker:

It was just I think they said it was normally made for a six hour

Speaker:

game, but we did it in three.

Speaker:

Now, as far as the types of puzzles, you have digital forensics, which

Speaker:

is the one that I was able to solve as the as time was about to expire.

Speaker:

There's some reverse engineering.

Speaker:

There's cryptography.

Speaker:

You know, files are encrypted.

Speaker:

There's some Web security trying to break into a website.

Speaker:

And in the case of the one that I saw that the last legitimately there was 10

Speaker:

seconds left before the game expired was a digital photograph of a cat by a pool.

Speaker:

And it was, and the instructions were to find out exactly the location

Speaker:

and name of the building that this photo was supposedly taken in.

Speaker:

And I was able to use some tools that were out there, extract the metadata

Speaker:

that had the latitude and longitude,

Speaker:

slap that into a mapping program and bring up the exact location that

Speaker:

the picture was supposedly taken to.

Speaker:

Now some of the benefits of doing these capture the flag games and

Speaker:

environments are it's, it's risk free.

Speaker:

You're not doing this in production.

Speaker:

In our case, there's a company called Cyber Ranges.

Speaker:

They, that's actually what they specialize in.

Speaker:

Larger companies may have their own Cyber Ranges to keep their skill

Speaker:

sets up of their, of their employees.

Speaker:

And there's other, these third party ones that are out there.

Speaker:

That will run events that are similar to these, so it's completely

Speaker:

virtual risk free environment.

Speaker:

You're not in somebody else's production environment.

Speaker:

You get the hands on skills necessary that that with the with the software

Speaker:

and the tools that you would use in a production environment.

Speaker:

In real time.

Speaker:

This is not theoretical.

Speaker:

This is not book knowledge.

Speaker:

This is real hands on experience.

Speaker:

And you also get to learn teamwork, which comes into one of our, my lessons

Speaker:

learned when producing one of these, as everybody has strengths and weaknesses

Speaker:

when it comes to anything that you do.

Speaker:

And most of these are conducted with teams.

Speaker:

I do believe that there may be some capture the flag.

Speaker:

Events that are solo, but in our case, there was teams of two to four.

Speaker:

And I think most of us had four, our team had three and the tools that

Speaker:

you're typically using with these and the ones that we use were Kali Linux.

Speaker:

We attempted to use Wireshark that kind of.

Speaker:

Failed at connecting to the virtual environment with one of our teammates,

Speaker:

as well as just got to understand your Unix prompts, which I'll get into a

Speaker:

little bit of some of the issues that I walked into having never done this

Speaker:

before and having not really used Unix in a, in a really long time.

Speaker:

So what are the four lessons that I learned after going through this?

Speaker:

Gotta practice your Unix commands.

Speaker:

It had been years since I had used Unix environments.

Speaker:

I don't do a ton of hands on keyboard stuff.

Speaker:

I've got a few things like Raspberry Pis.

Speaker:

That I use internally for my own network.

Speaker:

So I, I occasionally get into those, but this is definitely not a regular

Speaker:

basis, you know, maybe once a quarter that I've messed with my own stuff,

Speaker:

performing an update type of thing.

Speaker:

And this specifically, you would need to learn Kali Linux,

Speaker:

which is some of the, the.

Speaker:

The, the, I'm going to use the term cracking tools, but the tools necessary

Speaker:

to help with cybersecurity engineering and vulnerability assessments to go

Speaker:

into there, I had kind of made the assumption that we were going to

Speaker:

be given some sort of cheat sheet.

Speaker:

The, the, the scenarios for, or this capture the flag event was kind

Speaker:

of advertised as beginner level.

Speaker:

Anybody that had any IT experience, please come join us.

Speaker:

It was a free event.

Speaker:

I knew the people that were running it.

Speaker:

was also on my team.

Speaker:

He had not.

Speaker:

He had not done one in years either.

Speaker:

So there was a team of us at least two.

Speaker:

And so I had watched one of these events back in the end of 2023.

Speaker:

And I had swiped a book called breaches and attack simulation for dummies.

Speaker:

I had not flipped through it at all.

Speaker:

I had never went through it.

Speaker:

It had been sitting there for a couple months.

Speaker:

The day before the capture the flag event, I decided I'm gonna sit outside.

Speaker:

It's nice.

Speaker:

I'm gonna read this thing.

Speaker:

I'm gonna At least kind of get myself primed up for what I'm going to

Speaker:

experience for the capture the flag event.

Speaker:

Well, when I started flipping through this, this was more of a managerial

Speaker:

for dummies book, which those concepts I already know already trained and

Speaker:

certified in, in all of those things.

Speaker:

And this was not a refresher or a primer on Unix commands, Kali Linux,

Speaker:

any of the tools or any other tool necessary to be able to participate

Speaker:

in a capture the flag event.

Speaker:

So that didn't help.

Speaker:

So I kind of breezed through that, skimmed it, didn't help.

Speaker:

The next thing after we, so we get into the, the room we were, we could

Speaker:

bring our own laptops, which I had brought mine and I actually do have

Speaker:

some of the tools installed, even though I don't use it for whatever

Speaker:

reason, but I forgot my power cord.

Speaker:

So that didn't work well.

Speaker:

And I had to use one of the provided

Speaker:

Computers that they had, which were essentially fresh Windows 11 install

Speaker:

computers, nothing else was installed, was installed on the machine.

Speaker:

So none Wireshark wasn't installed on the machine.

Speaker:

None of the Kali Linux stuff was installed on the machine to be able

Speaker:

to, we could connect using those computers into the virtual environment.

Speaker:

So that became a little bit of a problem.

Speaker:

An issue with connecting one of our teammates.

Speaker:

We actually had a third teammate walk in the door miles.

Speaker:

I'm gonna tag him into the post.

Speaker:

I appreciate him showing up.

Speaker:

It was great to work with and actually had participated in one of

Speaker:

these recently, but it was having difficulty with the provided equipment

Speaker:

using Wireshark to connect into.

Speaker:

So having equipment already installed with the software already known to be

Speaker:

working within that particular cyber range, I think would have helped out a

Speaker:

little bit and not with me not knowing how to use the commands, but for

Speaker:

others that knew what they were doing.

Speaker:

I think that would have smoothed over a couple things.

Speaker:

Also walking into this, I didn't really understand having never

Speaker:

seen it before, how the clues and the scenarios work together.

Speaker:

So you would be given a puzzle and there'd be maybe a one word or a couple

Speaker:

word clue on the direction that you were supposed to take the challenge.

Speaker:

And this was one of those things that I thought, again, we were going

Speaker:

to get some sort of cheat sheet as this was initially believed to be

Speaker:

an entry level capture the flag.

Speaker:

There really wasn't anything given as far as that it was like,

Speaker:

Hey, here's the environment.

Speaker:

Click it, log in.

Speaker:

There's the 16 puzzles.

Speaker:

You can bounce around them.

Speaker:

You can pick whatever you want.

Speaker:

There you go.

Speaker:

And each of the puzzles are weighted a score.

Speaker:

I think it was 10 points, 15 points, 20, and I think up to 25.

Speaker:

Of course, the, the harder the, the puzzle, the more points you

Speaker:

got for being able to solve that.

Speaker:

The one I solved was a 10.

Speaker:

But I got it.

Speaker:

That's the way I look at it.

Speaker:

So I think and also during this process, I, I, instead of seeing that this was

Speaker:

really entry level, I saw that the scenarios were marked as intermediate.

Speaker:

So that kind of a term I had been using was monkey on the keyboard,

Speaker:

where I was just sitting there just kind of hacking away at this.

Speaker:

Where I would have Kali Linux commands up and trying to break through.

Speaker:

I'd actually found something for one of the scenarios that used an old Perl

Speaker:

script for anybody that is familiar with that to be able to backtrack.

Speaker:

And I made it all the way to the end.

Speaker:

It just wouldn't execute the way it was supposed to, supposed to have executed.

Speaker:

I was able to get that installed and work through.

Speaker:

So it was definitely a understanding, just not being able to execute.

Speaker:

And the last thing for sure is that I think teamwork makes the difference.

Speaker:

The team that won the event in the end of last year that I have

Speaker:

observed, They showed back up again, and they crushed everybody.

Speaker:

They finished first they had quadrupled our score, and I think they doubled

Speaker:

the score of the team in second place.

Speaker:

This is a college team that travels around, and this is what they do.

Speaker:

I think they know exactly, everybody has their role defined, everybody

Speaker:

has the tools they're supposed to be used, everybody knows the strengths

Speaker:

and weaknesses of the others.

Speaker:

Which allows them to function as a unit as no different that you would run the

Speaker:

department that you run, the business that you run have predefined roles.

Speaker:

They probably had great communication.

Speaker:

There were a few tables away from us, so it wasn't like I could eavesdrop on them.

Speaker:

Matter of fact, we were at the end, so I didn't have anybody to eavesdrop off

Speaker:

of as we were going through this As we were going through the exercises, because

Speaker:

that probably would have helped but it, you know, the teamwork definitely made

Speaker:

a difference with what they with what they were doing, and they ran away with

Speaker:

it on top of just having the required skill sets to be successful for this.

Speaker:

So now that I've went through the process of of participating in a collapse, capture

Speaker:

the flag, who do I think should try one?

Speaker:

If you are in I.T. leadership of any sort.

Speaker:

And I'm talking about CIO, CTO, definitely a CISO of course.

Speaker:

I think this is something that you should go participate in, just

Speaker:

to understand the complexity of what goes into these skill sets.

Speaker:

Particularly for those that, like myself, who kind of been away from

Speaker:

the keyboard for a while, and maybe this was never even part of your job.

Speaker:

That if you, Go and participate in one of these.

Speaker:

It's a game.

Speaker:

It's for fun that you'll be able to communicate that complexity back in

Speaker:

a in a more sound way when it comes to determining budgets, determining

Speaker:

other resources that may need to be protected, particularly if you're

Speaker:

someone that works in a large environment that has a very big threat landscape.

Speaker:

You've got lots of employees, lots of equipment.

Speaker:

Maybe you actually produce code.

Speaker:

You store a lot of customer files.

Speaker:

You have a lot of sensitive information that I think just going through this

Speaker:

experience shows that complexity to you for never experienced for those

Speaker:

that have never experienced it.

Speaker:

And I am definitely not one that says for you to be an effective leader.

Speaker:

That you need to go and understand at every granular level, every person's

Speaker:

job underneath you, absolutely not.

Speaker:

It doesn't work that way.

Speaker:

You go and hire those skillsets, but if you're in a situation where you

Speaker:

just can't grasp the reality of what a role brings and what the value brings

Speaker:

to the table, that spending a couple hours in their, in their shoes, what

Speaker:

you're not going to become the expert.

Speaker:

I won't be definitely have no intention of becoming the expert at some of these

Speaker:

things, I would do it again, it helps reframe your mind for those things that

Speaker:

you don't quite understand if you're in say, if you're working in cyber security,

Speaker:

but you're non technical, let's say you're an auditor or you're just you

Speaker:

know, in the governance and risk piece.

Speaker:

This is something I think you should be exposed to as well.

Speaker:

Again, it goes back to.

Speaker:

Understand the complexity, be able to communicate that complexity when you

Speaker:

start evaluating those environments and seeing where maybe somebody is not

Speaker:

checking all the boxes they need to be if they need to, if they need to

Speaker:

comply with a certain framework within their industry that, you can kind

Speaker:

of elaborate on how the complexities of these types of skill sets and

Speaker:

understanding security vulnerabilities.

Speaker:

And of course, If you are a hands on keyboard, absolutely love threat

Speaker:

hunting and things of this nature.

Speaker:

This is, to me, this is a must do. It keeps your skills sharp.

Speaker:

It allows you to be exposed to other people in a safe environment

Speaker:

that may have new tactics that you haven't thought about.

Speaker:

If you get locked in stovepiped within a large organization, this will probably

Speaker:

let you get exposed to new areas of work that you've not seen before, as well

Speaker:

as counting to your own work portfolio.

Speaker:

This is one of those things that I think counts to building up your skill sets.

Speaker:

You can work on things maybe you're weak on with other people that

Speaker:

have those as, as their strengths.

Speaker:

You can also do that in reverse.

Speaker:

The things that your strengths, you can give that to others.

Speaker:

I mean, this is a.

Speaker:

You know, to me, it's a unity thing.

Speaker:

It goes back to that teamwork environment, and you can sit there, figure out

Speaker:

how best the teams work together.

Speaker:

So definitely again, I think I was texting, I was texting my wife

Speaker:

and a buddy of mine who another buddy of mine who wanted to

Speaker:

participate and like, how's it going?

Speaker:

And I said, and I just kept using a term and said, I think

Speaker:

I'm monkey hitting the keyboard.

Speaker:

I had not prepped.

Speaker:

Do not walk into one of these prepped if you are in I.T. leadership or you're in a non technical cyber security role and you would

Speaker:

like to participate in one of these.

Speaker:

Absolutely do it.

Speaker:

But at least spend a little bit of time going over basic Unix

Speaker:

commands going over Kali Linux.

Speaker:

Maybe you're looking at Wireshark and just getting a good frame of reference with

Speaker:

How someone that works at a rudimentary level and make sure you're interested

Speaker:

entering one of the capture the flag events that is based for beginners.

Speaker:

I don't think I would have had nearly as much fun if we were in the, the

Speaker:

attack defend environment with the teams going against each other,

Speaker:

because it's not what I've done.

Speaker:

It's not what I do.

Speaker:

Talk about getting creamed, but I did solve a puzzle.

Speaker:

So until the next one, talk to you later.
