Learning the Ropes: My First CTF Experience
In the Titan of Tech podcast episode, host John shares insights from his first participation in a Capture the Flag (CTF) event in March 2024, covering its nature as a cybersecurity game, the challenges encountered, and four key lessons learned. The CTF event featured jeopardy-style puzzles across various domains like digital forensics and cryptography, emphasizing the importance of hands-on skills, teamwork, and familiarity with tools like Kali Linux and Unix commands. John reflects on his unpreparedness, the technical obstacles faced in using unfamiliar equipment and systems, and the ultimate value of the experience in understanding cybersecurity complexities, especially for IT leadership and those in non-technical roles within the field.
https://podcast.titanof.tech/
https://linkedin.com/in/johnbarker78
00:00 Welcome to the Titan of Tech Podcast: My First CTF Experience
00:21 What is Capture the Flag (CTF)? An Introductory Guide
01:04 The Thrill of the Game: My CTF Event Recap
02:20 The Benefits of Participating in CTF Events
03:21 The Essential Tools for CTF Success
03:47 Four Key Lessons from My CTF Journey
09:47 Who Should Try Capture the Flag? Insights for IT Leaders and Enthusiasts
13:08 Closing Thoughts and Encouragement
Hey, what's up, everyone?
Speaker:John here.
Speaker:Today on the Titan of Tech podcast, I want to review four lessons that
Speaker:I learned when I participated in my first Capture the Flag CTF event
Speaker:just about a week ago, March 2024.
Speaker:And the first thing off the bat is don't be me.
Speaker:Definitely don't be me.
Speaker:So for those of you that clicked on this and you're like, what is a CTF?
Speaker:What is a capture the flag?
Speaker:Let me explain capture the flag.
Speaker:It's a security vulnerabilities game.
Speaker:That's conducted in a test environment, you are instructed to
Speaker:find a hidden piece of information that they refer to as a flag.
Speaker:Maybe it's a specific file.
Speaker:And there are typically two types of capture the flags when it's called
Speaker:the jeopardy style where you're just given a series of challenges and the
Speaker:other is attack and defense where you've got your teams where you
Speaker:each have your own specific network and you're trying to protect your
Speaker:network at the same time you're trying to attack another team's network.
Speaker:Now, in my particular case, we were in jeopardy style.
Speaker:It was a three hour capture the flag event and there was a total of 16 different
Speaker:puzzles that they were that we were given that we needed to solve and we and
Speaker:there was no way nobody solved all 16.
Speaker:That was part of the part of the drill.
Speaker:It was just I think they said it was normally made for a six hour
Speaker:game, but we did it in three.
Speaker:Now, as far as the types of puzzles, you have digital forensics, which
Speaker:is the one that I was able to solve as the as time was about to expire.
Speaker:There's some reverse engineering.
Speaker:There's cryptography.
Speaker:You know, files are encrypted.
Speaker:There's some Web security trying to break into a website.
Speaker:And in the case of the one that I saw that the last legitimately there was 10
Speaker:seconds left before the game expired was a digital photograph of a cat by a pool.
Speaker:And it was, and the instructions were to find out exactly the location
Speaker:and name of the building that this photo was supposedly taken in.
Speaker:And I was able to use some tools that were out there, extract the metadata
Speaker:that had the latitude and longitude.
Speaker:slap that into a mapping program and bring up the exact location that
Speaker:the picture was supposedly taken to.
Speaker:Now some of the benefits of doing these capture the flag games and
Speaker:environments are it's, it's risk free.
Speaker:You're not doing this in production.
Speaker:In our case, there's a company called Cyber Ranges.
Speaker:They, that's actually what they specialize in.
Speaker:Larger companies may have their own Cyber Ranges to keep their skill
Speaker:sets up of their, of their employees.
Speaker:And there's other, these third party ones that are out there.
Speaker:That will run events that are similar to these, so it's completely
Speaker:virtual risk free environment.
Speaker:You're not in somebody else's production environment.
Speaker:You get the hands on skills necessary that that with the with the software
Speaker:and the tools that you would use in a production environment.
Speaker:In real time.
Speaker:This is not theoretical.
Speaker:This is not book knowledge.
Speaker:This is real hands on experience.
Speaker:And you also get to learn teamwork, which comes into one of our, my lessons
Speaker:learned when producing one of these, as everybody has strengths and weaknesses
Speaker:when it comes to anything that you do.
Speaker:And most of these are conducted with teams.
Speaker:I do believe that there may be some capture the flag.
Speaker:Events that are solo, but in our case, there was teams of two to four.
Speaker:And I think most of us had four, our team had three and the tools that
Speaker:you're typically using with these and the ones that we use were Kali Linux.
Speaker:We attempted to use wire shark that kind of.
Speaker:Failed at connecting to the virtual environment with one of our teammates,
Speaker:as well as just got to understand your Unix prompts, which I'll get into a
Speaker:little bit of some of the issues that I walked into having never done this
Speaker:before and having not really used Unix in a, in a really long time.
Speaker:So what are the four lessons that I learned after going through this?
Speaker:Gotta practice your Unix commands.
Speaker:It had been years since I had used Unix environments.
Speaker:I don't do a ton of hands on keyboard stuff.
Speaker:I've got a few things like Raspberry Pis.
Speaker:That I use internally for my own network.
Speaker:So I, I occasionally get into those, but this is definitely not a regular
Speaker:basis, you know, maybe once a quarter that I've messed with my own stuff,
Speaker:performing an update type of thing.
Speaker:And this specifically, you would need to learn Kali Linux,
Speaker:which is some of the, the.
Speaker:The, the, I'm going to use the term cracking tools, but the tools necessary
Speaker:to help with cybersecurity engineering and vulnerability assessments to go
Speaker:into there, I had kind of made the assumption that we were going to
Speaker:be given some sort of cheat sheet.
Speaker:The, the, the scenarios for, or this capture the flag event was kind
Speaker:of advertised as beginner level.
Speaker:Anybody that had any IT experience, please come join us.
Speaker:It was a free event.
Speaker:I knew the people that were running it.
Speaker:was also on my team.
Speaker:He had not.
Speaker:He had not done one in years either.
Speaker:So there was a team of us at least two.
Speaker:And so I had watched one of these events back in the end of 2023.
Speaker:And I had swiped a book called breaches and attack simulation for dummies.
Speaker:I had not flipped through it at all.
Speaker:I had never went through it.
Speaker:It had been sitting there for a couple months.
Speaker:The day before the capture the flag event, I decided I'm gonna sit outside.
Speaker:It's nice.
Speaker:I'm gonna read this thing.
Speaker:I'm gonna At least kind of get myself primed up for what I'm going to
Speaker:experience for the capture the flag event.
Speaker:Well, when I started flipping through this, this was more of a managerial
Speaker:for dummies book, which those concepts I already know already trained and
Speaker:certified in, in all of those things.
Speaker:And this was not a refresher or a primer on Unix commands, Kali Linux,
Speaker:any of the tools or any other tool necessary to be able to participate
Speaker:in a capture the flag event.
Speaker:So that didn't help.
Speaker:So I kind of breezed through that, skimmed it, didn't help.
Speaker:The next thing after we, so we get into the, the room we were, we could
Speaker:bring our own laptops, which I had brought mine and I actually do have
Speaker:some of the tools installed, even though I don't use it for whatever
Speaker:reason, but I forgot my power cord.
Speaker:So that didn't work well.
Speaker:And I had to use one to provided.
Speaker:Computers that they had, which were essentially fresh Windows 11 install
Speaker:computers, nothing else was installed, was installed on the machine.
Speaker:So none Wireshark wasn't installed on the machine.
Speaker:None of the Kali Linux stuff was installed on the machine to be able
Speaker:to, we could connect using those computers into the virtual environment.
Speaker:So that became a little bit of a problem.
Speaker:An issue with connecting one of our teammates.
Speaker:We actually had a third teammate walk in the door miles.
Speaker:I'm gonna tag him into the post.
Speaker:I appreciate him showing up.
Speaker:It was great to work with and actually had participated in one of
Speaker:these recently, but it was having difficulty with the provided equipment
Speaker:using wire shark to connect into.
Speaker:So having equipment already installed with the software already known to be
Speaker:working within that particular cyber range, I think would have helped out a
Speaker:little bit and not with me not knowing how to use the commands, but for
Speaker:others that knew what they were doing.
Speaker:I think that would have smoothed over a couple things.
Speaker:Also walking into this, I didn't really understand having never
Speaker:seen it before, how the clues and the scenarios work together.
Speaker:So you would be given a puzzle and there'd be maybe a one word or a couple
Speaker:word clue on the direction that you were supposed to take the challenge.
Speaker:And this was one of those things that I thought, again, we were going
Speaker:to get some sort of cheat sheet as this was initially believed to be
Speaker:an entry level capture the flag.
Speaker:There really wasn't anything given as far as that it was like,
Speaker:Hey, here's the environment.
Speaker:Click it, log in.
Speaker:There's the 16 puzzles.
Speaker:You can bounce around them.
Speaker:You can pick whatever you want.
Speaker:There you go.
Speaker:And each of the puzzles are weighted a score.
Speaker:I think it was 10 points, 15 points, 20, and I think up to 25.
Speaker:Of course, the, the harder the, the puzzle, the more points you
Speaker:got for being able to solve that.
Speaker:The one I solved was a 10.
Speaker:But I got it.
Speaker:That's the way I look at it.
Speaker:So I think and also during this process, I, I, instead of seeing that this was
Speaker:really entry level, I saw that the scenarios were marked as intermediate.
Speaker:So that kind of a term I had been using was monkey on the keyboard,
Speaker:where I was just sitting there just kind of hacking away at this.
Speaker:Where I would have Kali Linux commands up and trying to break through.
Speaker:I'd actually found something for one of the scenarios that used an old Perl
Speaker:script for anybody that is familiar with that to be able to backtrack.
Speaker:And I made it all the way to the end.
Speaker:It just wouldn't execute the way it was supposed to, supposed to have executed.
Speaker:I was able to get that installed and work through.
Speaker:So it was definitely a understanding, just not being able to execute.
Speaker:And the last thing for sure is that I think teamwork makes the difference.
Speaker:The team that won the event in the end of last year that I have
Speaker:observed, They showed back up again, and they crushed everybody.
Speaker:They finished first they had quadrupled our score, and I think they doubled
Speaker:the score of the team in second place.
Speaker:This is a college team that travels around, and this is what they do.
Speaker:I think they know exactly, everybody has their role defined, everybody
Speaker:has the tools they're supposed to be used, everybody knows the strengths
Speaker:and weaknesses of the others.
Speaker:Which allows them to function as a unit as no different that you would run the
Speaker:department that you run, the business that you run have predefined roles.
Speaker:They probably had great communication.
Speaker:There were a few tables away from us, so it wasn't like I could eavesdrop on them.
Speaker:Matter of fact, we were at the end, so I didn't have anybody to eavesdrop off
Speaker:of as we were going through this As we were going through the exercises, because
Speaker:that probably would have helped but it, you know, the teamwork definitely made
Speaker:a difference with what they with what they were doing, and they ran away with
Speaker:it on top of just having the required skill sets to be successful for this.
Speaker:So now that I've went through the process of of participating in a collapse, capture
Speaker:the flag, who do I think should try one?
Speaker:If you are an I.
Speaker:T.
Speaker:leadership of any sort.
Speaker:And I'm talking about CIO, CTO, definitely a CISO of course.
Speaker:I think this is something that you should go participate in, just
Speaker:to understand the complexity of what goes into these skill sets.
Speaker:Particularly for those that, like myself, who kind of been away from
Speaker:the keyboard for a while, and maybe this was never even part of your job.
Speaker:That if you, Go and participate in one of these.
Speaker:It's a game.
Speaker:It's for fun that you'll be able to communicate that complexity back in
Speaker:a in a more sound way when it comes to determining budgets, determining
Speaker:other resources that may need to be protected, particularly if you're
Speaker:someone that works in a large environment that has a very big threat landscape.
Speaker:You've got lots of employees, lots of equipment.
Speaker:Maybe you actually produce code.
Speaker:You store a lot of customer files.
Speaker:You have a lot of sensitive information that I think just going through this
Speaker:experience shows that complexity to you for never experienced for those
Speaker:that have never experienced it.
Speaker:And I am definitely not one that says for you to be an effective leader.
Speaker:That you need to go and understand at every granular level, every person's
Speaker:job underneath you, absolutely not.
Speaker:It doesn't work that way.
Speaker:You go and hire those skillsets, but if you're in a situation where you
Speaker:just can't grasp the reality of what a role brings and what the value brings
Speaker:to the table, that spending a couple hours in their, in their shoes, what
Speaker:you're not going to become the expert.
Speaker:I won't be definitely have no intention of becoming the expert at some of these
Speaker:things, I would do it again, it helps reframe your mind for those things that
Speaker:you don't quite understand if you're in say, if you're working in cyber security,
Speaker:but you're non technical, let's say you're an auditor or you're just you
Speaker:know, in the governance and risk piece.
Speaker:This is something I think you should be exposed to as well.
Speaker:Again, it goes back to.
Speaker:Understand the complexity, be able to communicate that complexity when you
Speaker:start evaluating those environments and seeing where maybe somebody is not
Speaker:checking all the boxes they need to be if they need to, if they need to
Speaker:comply with a certain framework within their industry that , you can kind
Speaker:of elaborate on how the complexities of these types of skill sets and
Speaker:understanding security vulnerabilities.
Speaker:And of course, If you are a hands on keyboard, absolutely love threat
Speaker:hunting and things of this nature.
Speaker:This is, to me, this is a must do, . It keeps your skills sharp.
Speaker:It allows you to be exposed to other people in a safe environment
Speaker:that may have new tactics that you haven't thought about.
Speaker:If you get locked in stovepiped within a large organization, this will probably
Speaker:let you get exposed to new areas of work that you've not seen before, as well
Speaker:as counting to your own work portfolio.
Speaker:This is one of those things that I think counts to building up your skill sets.
Speaker:You can work on things maybe you're weak on with other people that
Speaker:have those as, as their strengths.
Speaker:You can also do that in reverse.
Speaker:The things that your strengths, you can give that to others.
Speaker:I mean, this is a.
Speaker:You know, to me, it's a unity thing.
Speaker:It goes back to that teamwork environment, and you can sit there, figure out
Speaker:how best the teams work together.
Speaker:So definitely again, I think I was texting, I was texting my wife
Speaker:and a buddy of mine who another buddy of mine who wanted to
Speaker:participate and like, how's it going?
Speaker:And I said, and I just kept using a term and said, I think
Speaker:I'm monkey hitting the keyboard.
Speaker:I had not prepped.
Speaker:Do not walk into one of these prepped if you are in I.
Speaker:T.
Speaker:Leadership or you're in a non technical cyber security role and you would
Speaker:like to participate in one of these.
Speaker:Absolutely do it.
Speaker:But at least spend a little bit of time going over basic Unix
Speaker:commands going over Kali Linux.
Speaker:Maybe you're looking at Wireshark and just getting a good frame of reference with
Speaker:How someone that works at a rudimentary level and make sure you're interested
Speaker:entering, , one of the capture the flag events that is based for beginners.
Speaker:I don't think I would have had nearly as much fun if we were in the, the
Speaker:attack defend environment with the teams going against each other,
Speaker:because it's not what I've done.
Speaker:It's not what I do.
Speaker:Talk about getting creamed, but I did solve a puzzle.
Speaker:So until the next one, talk to you later.