Learning the Ropes: My First CTF Experience

In the Titan of Tech podcast episode, host John shares insights from his first participation in a Capture the Flag (CTF) event in March 2024, covering its nature as a cybersecurity game, the challenges encountered, and four key lessons learned. The CTF event featured jeopardy-style puzzles across various domains like digital forensics and cryptography, emphasizing the importance of hands-on skills, teamwork, and familiarity with tools like Kali Linux and Unix commands. John reflects on his unpreparedness, the technical obstacles faced in using unfamiliar equipment and systems, and the ultimate value of the experience in understanding cybersecurity complexities, especially for IT leadership and those in non-technical roles within the field.

https://podcast.titanof.tech/

https://linkedin.com/in/johnbarker78

00:00 Welcome to the Titan of Tech Podcast: My First CTF Experience

00:21 What is Capture the Flag (CTF)? An Introductory Guide

01:04 The Thrill of the Game: My CTF Event Recap

02:20 The Benefits of Participating in CTF Events

03:21 The Essential Tools for CTF Success

03:47 Four Key Lessons from My CTF Journey

09:47 Who Should Try Capture the Flag? Insights for IT Leaders and Enthusiasts

13:08 Closing Thoughts and Encouragement

Hey, what's up, everyone?

John here.

Today on the Titan of Tech podcast, I want to review four lessons that

I learned when I participated in my first Capture the Flag CTF event

just about a week ago, March 2024.

And the first thing off the bat is don't be me.

Definitely don't be me.

So for those of you that clicked on this and you're like, what is a CTF?

What is a capture the flag?

Let me explain capture the flag.

It's a security vulnerabilities game.

That's conducted in a test environment, you are instructed to

find a hidden piece of information that they refer to as a flag.

Maybe it's a specific file.

And there are typically two types of capture the flags when it's called

the jeopardy style where you're just given a series of challenges and the

other is attack and defense where you've got your teams where you

each have your own specific network and you're trying to protect your

network at the same time you're trying to attack another team's network.

Now, in my particular case, we were in jeopardy style.

It was a three hour capture the flag event and there was a total of 16 different

puzzles that they were that we were given that we needed to solve and we and

there was no way nobody solved all 16.

That was part of the part of the drill.

It was just I think they said it was normally made for a six hour

game, but we did it in three.

Now, as far as the types of puzzles, you have digital forensics, which

is the one that I was able to solve as the as time was about to expire.

There's some reverse engineering.

There's cryptography.

You know, files are encrypted.

There's some Web security trying to break into a website.

And in the case of the one that I saw that the last legitimately there was 10

seconds left before the game expired was a digital photograph of a cat by a pool.

And it was, and the instructions were to find out exactly the location

and name of the building that this photo was supposedly taken in.

And I was able to use some tools that were out there, extract the metadata

that had the latitude and longitude.

slap that into a mapping program and bring up the exact location that

the picture was supposedly taken to.

Now some of the benefits of doing these capture the flag games and

environments are it's, it's risk free.

You're not doing this in production.

In our case, there's a company called Cyber Ranges.

They, that's actually what they specialize in.

Larger companies may have their own Cyber Ranges to keep their skill

sets up of their, of their employees.

And there's other, these third party ones that are out there.

That will run events that are similar to these, so it's completely

virtual risk free environment.

You're not in somebody else's production environment.

You get the hands on skills necessary that that with the with the software

and the tools that you would use in a production environment.

In real time.

This is not theoretical.

This is not book knowledge.

This is real hands on experience.

And you also get to learn teamwork, which comes into one of our, my lessons

learned when producing one of these, as everybody has strengths and weaknesses

when it comes to anything that you do.

And most of these are conducted with teams.

I do believe that there may be some capture the flag.

Events that are solo, but in our case, there was teams of two to four.

And I think most of us had four, our team had three and the tools that

you're typically using with these and the ones that we use were Kali Linux.

We attempted to use wire shark that kind of.

Failed at connecting to the virtual environment with one of our teammates,

as well as just got to understand your Unix prompts, which I'll get into a

little bit of some of the issues that I walked into having never done this

before and having not really used Unix in a, in a really long time.

So what are the four lessons that I learned after going through this?

Gotta practice your Unix commands.

It had been years since I had used Unix environments.

I don't do a ton of hands on keyboard stuff.

I've got a few things like Raspberry Pis.

That I use internally for my own network.

So I, I occasionally get into those, but this is definitely not a regular

basis, you know, maybe once a quarter that I've messed with my own stuff,

performing an update type of thing.

And this specifically, you would need to learn Kali Linux,

which is some of the, the.

The, the, I'm going to use the term cracking tools, but the tools necessary

to help with cybersecurity engineering and vulnerability assessments to go

into there, I had kind of made the assumption that we were going to

be given some sort of cheat sheet.

The, the, the scenarios for, or this capture the flag event was kind

of advertised as beginner level.

Anybody that had any IT experience, please come join us.

It was a free event.

I knew the people that were running it.

was also on my team.

He had not.

He had not done one in years either.

So there was a team of us at least two.

And so I had watched one of these events back in the end of 2023.

And I had swiped a book called breaches and attack simulation for dummies.

I had not flipped through it at all.

I had never went through it.

It had been sitting there for a couple months.

The day before the capture the flag event, I decided I'm gonna sit outside.

It's nice.

I'm gonna read this thing.

I'm gonna At least kind of get myself primed up for what I'm going to

experience for the capture the flag event.

Well, when I started flipping through this, this was more of a managerial

for dummies book, which those concepts I already know already trained and

certified in, in all of those things.

And this was not a refresher or a primer on Unix commands, Kali Linux,

any of the tools or any other tool necessary to be able to participate

in a capture the flag event.

So that didn't help.

So I kind of breezed through that, skimmed it, didn't help.

The next thing after we, so we get into the, the room we were, we could

bring our own laptops, which I had brought mine and I actually do have

some of the tools installed, even though I don't use it for whatever

reason, but I forgot my power cord.

So that didn't work well.

And I had to use one to provided.

Computers that they had, which were essentially fresh Windows 11 install

computers, nothing else was installed, was installed on the machine.

So none Wireshark wasn't installed on the machine.

None of the Kali Linux stuff was installed on the machine to be able

to, we could connect using those computers into the virtual environment.

So that became a little bit of a problem.

An issue with connecting one of our teammates.

We actually had a third teammate walk in the door miles.

I'm gonna tag him into the post.

I appreciate him showing up.

It was great to work with and actually had participated in one of

these recently, but it was having difficulty with the provided equipment

using wire shark to connect into.

So having equipment already installed with the software already known to be

working within that particular cyber range, I think would have helped out a

little bit and not with me not knowing how to use the commands, but for

others that knew what they were doing.

I think that would have smoothed over a couple things.

Also walking into this, I didn't really understand having never

seen it before, how the clues and the scenarios work together.

So you would be given a puzzle and there'd be maybe a one word or a couple

word clue on the direction that you were supposed to take the challenge.

And this was one of those things that I thought, again, we were going

to get some sort of cheat sheet as this was initially believed to be

an entry level capture the flag.

There really wasn't anything given as far as that it was like,

Hey, here's the environment.

Click it, log in.

There's the 16 puzzles.

You can bounce around them.

You can pick whatever you want.

There you go.

And each of the puzzles are weighted a score.

I think it was 10 points, 15 points, 20, and I think up to 25.

Of course, the, the harder the, the puzzle, the more points you

got for being able to solve that.

The one I solved was a 10.

But I got it.

That's the way I look at it.

So I think and also during this process, I, I, instead of seeing that this was

really entry level, I saw that the scenarios were marked as intermediate.

So that kind of a term I had been using was monkey on the keyboard,

where I was just sitting there just kind of hacking away at this.

Where I would have Kali Linux commands up and trying to break through.

I'd actually found something for one of the scenarios that used an old Perl

script for anybody that is familiar with that to be able to backtrack.

And I made it all the way to the end.

It just wouldn't execute the way it was supposed to, supposed to have executed.

I was able to get that installed and work through.

So it was definitely a understanding, just not being able to execute.

And the last thing for sure is that I think teamwork makes the difference.

The team that won the event in the end of last year that I have

observed, They showed back up again, and they crushed everybody.

They finished first they had quadrupled our score, and I think they doubled

the score of the team in second place.

This is a college team that travels around, and this is what they do.

I think they know exactly, everybody has their role defined, everybody

has the tools they're supposed to be used, everybody knows the strengths

and weaknesses of the others.

Which allows them to function as a unit as no different that you would run the

department that you run, the business that you run have predefined roles.

They probably had great communication.

There were a few tables away from us, so it wasn't like I could eavesdrop on them.

Matter of fact, we were at the end, so I didn't have anybody to eavesdrop off

of as we were going through this As we were going through the exercises, because

that probably would have helped but it, you know, the teamwork definitely made

a difference with what they with what they were doing, and they ran away with

it on top of just having the required skill sets to be successful for this.

So now that I've went through the process of of participating in a collapse, capture

the flag, who do I think should try one?

If you are an I.

T.

leadership of any sort.

And I'm talking about CIO, CTO, definitely a CISO of course.

I think this is something that you should go participate in, just

to understand the complexity of what goes into these skill sets.

Particularly for those that, like myself, who kind of been away from

the keyboard for a while, and maybe this was never even part of your job.

That if you, Go and participate in one of these.

It's a game.

It's for fun that you'll be able to communicate that complexity back in

a in a more sound way when it comes to determining budgets, determining

other resources that may need to be protected, particularly if you're

someone that works in a large environment that has a very big threat landscape.

You've got lots of employees, lots of equipment.

Maybe you actually produce code.

You store a lot of customer files.

You have a lot of sensitive information that I think just going through this

experience shows that complexity to you for never experienced for those

that have never experienced it.

And I am definitely not one that says for you to be an effective leader.

That you need to go and understand at every granular level, every person's

job underneath you, absolutely not.

It doesn't work that way.

You go and hire those skillsets, but if you're in a situation where you

just can't grasp the reality of what a role brings and what the value brings

to the table, that spending a couple hours in their, in their shoes, what

you're not going to become the expert.

I won't be definitely have no intention of becoming the expert at some of these

things, I would do it again, it helps reframe your mind for those things that

you don't quite understand if you're in say, if you're working in cyber security,

but you're non technical, let's say you're an auditor or you're just you

know, in the governance and risk piece.

This is something I think you should be exposed to as well.

Again, it goes back to.

Understand the complexity, be able to communicate that complexity when you

start evaluating those environments and seeing where maybe somebody is not

checking all the boxes they need to be if they need to, if they need to

comply with a certain framework within their industry that , you can kind

of elaborate on how the complexities of these types of skill sets and

understanding security vulnerabilities.

And of course, If you are a hands on keyboard, absolutely love threat

hunting and things of this nature.

This is, to me, this is a must do, . It keeps your skills sharp.

It allows you to be exposed to other people in a safe environment

that may have new tactics that you haven't thought about.

If you get locked in stovepiped within a large organization, this will probably

let you get exposed to new areas of work that you've not seen before, as well

as counting to your own work portfolio.

This is one of those things that I think counts to building up your skill sets.

You can work on things maybe you're weak on with other people that

have those as, as their strengths.

You can also do that in reverse.

The things that your strengths, you can give that to others.

I mean, this is a.

You know, to me, it's a unity thing.

It goes back to that teamwork environment, and you can sit there, figure out

how best the teams work together.

So definitely again, I think I was texting, I was texting my wife

and a buddy of mine who another buddy of mine who wanted to

participate and like, how's it going?

And I said, and I just kept using a term and said, I think

I'm monkey hitting the keyboard.

I had not prepped.

Do not walk into one of these prepped if you are in I.

T.

Leadership or you're in a non technical cyber security role and you would

like to participate in one of these.

Absolutely do it.

But at least spend a little bit of time going over basic Unix

commands going over Kali Linux.

Maybe you're looking at Wireshark and just getting a good frame of reference with

How someone that works at a rudimentary level and make sure you're interested

entering, , one of the capture the flag events that is based for beginners.

I don't think I would have had nearly as much fun if we were in the, the

attack defend environment with the teams going against each other,

because it's not what I've done.

It's not what I do.

Talk about getting creamed, but I did solve a puzzle.

So until the next one, talk to you later.