Hacking at InCTF-Part2

This post a continuation of my older post Hacking at InCTF-Part1.

When the organizers of the event called us for announcing the winners, they requested that one person from each team to talk about our experience at InCTF. I was the person who went from my team. Actually I had many thing to say but when I got there I didn’t talk much. Out of 11-13 teams participated we were able to make it to the fifth position. The first thought that came to me when I write this post is that this event had given me a good experience in a totally different field which altogether changed my interests.

Final round of InCTF was conducted at Amrita College, Amritapuri Campus for two days, on June 1, June 2.  First of all it was a great experience reaching there. I took the tickets and was waiting for my friends in front of the train. But they got into the train before calling me and the train started. When the train was at a distance that I could not catch I called them up and said that I didn’t get and made them jump back to the platform :P. Then we had to catch a bus to Kayamkulam and we reached very late, on the last bus to the college.

Next day was a practice session where we were given a vulnerable Ubuntu image. First we had to bypass the login and change the root password. As we were newbies in this area we were only able to bypass this login. But inside we had to start few custom made services and exploit its vulnerabilities. There were three services that we had to start. The source code of the vulnerable services were also provided. It would basically be written in either of Python, C, and C++. We could actually understand what will be the work flow of the program. But even with our basic understanding that we should use a buffer-overflow attack to retrieve whatever data we need, we could not put that into practice. This was when I really felt that our seniors could have helped us a bit more. I don’t want to put blame on them because they were the people who intimated us that there is a competition like this is being conducted. I am really thankful to them for it.

After the first round we three team members did run behind the organizers to give give us some tips on how and what to do. They were very helpful and gave us tips on how to crack this competition. I think we utilized all the chance that we got to talk to the organizers especially Bithin. Seshagiri Prabhu, Aravind S Raj. More than the competition we had a friendly conversation and exchanged our views on various topics not like professionals but as people who want to learn new things.

That night we decided that we read some related materials. But the the situation was against us. No range to get Internet connection… tiredness due to travel… everything came together :(. Even then we sat for some time just talking on what to do the next day. From the inspiration from our seniors and the fact that they were the winners last time, we were looking to forward to doing a good performance at the event.
On the second day when we started there was only one method that was in our mind to get a remote connection, SSH. But the irony was that we could not use it as the password was reset at the beginning. It may be that we did not have knowledge on how bypass it. Initially nobody did get any points. But later one started to score. After sometime we got a different method of attack and we were able to use it effectively. From what my seniors have told, automating the task could fetch us more points. So we automated the task. With this we were in the top three for about half of the event.

But everything reversed within a few minutes…. Some guy used the vulnerability in the service to inject “rm -rf” command to the root directory of the service. By the time we solved this issue by copying files from the backup we had… we lost many points for lagging behind and we came down the scoreboard. Even then we were confident that we could make it to the top by the end of the day. Again problem came in. We could not make the script run correctly. The original one was not backed-up. Solving this issue was like a NP-Hard problem for us at that time. By the time we figured out few new methods time was finished and we had to wind the event. We had to satisfy with fifth position in the event. This was decided on the basis of our performance in both second and the final round.

Even though we could not win the competition, it was a great learning opportunity and a chance to meet many new people. I would like to recommend students or people who are interested in security field to attend this kind of CTF competitions. This could give you a exposure to different kind of techniques and methods that other experts use. And an opportunity to talk to them as well.
Anyway now I am hopping to be a part of future verions of InCTF and many other events of similar kind. 🙂

New link can be found at abijith-kp.github.io

Advertisements

Hacking at InCTF-Part1

Usually I just skim through my NITC mail, and checks only those send by my Class Representative or teachers. One day I read a mail forwarded by one of my seniors Karthik. It was about a hacking competition conducted by Amrutha University called InCTF which had 2 preliminary rounds and a final round. It was a Capture The Flag kind of competition. At that time I wasn’t in the mood of doing anything as I had to complete my lab assignments (which I was in a bad situation) and also if by any chance I got selected, the second round will be at the time of our exams so I ignored it. Later when I was searching for some thing I again came across this competition. This was the first time that this kind of an event comes into my notice(It was pretty interesting one… One that I know I will surely enjoy.. 🙂 ). Then I called one of my friend to tell him about this. I couldn’t make any decision then as I wanted to put my leg on both the boats – do it and not do it. He was very much excited to do the event. So we decided to meet one of seniors Jerin Shaji for getting the details of the event.

Oh….I forgot to tell, last year(2012) for sCTF, a variant of InCTF, the first prize was bagged by our college team consisting of Karthik, Jerin and Nithin.

Jerin told us many things : How they prepared, how they participated in the event, about the event format. He also gave us tips on how to attack the questions and also told us the techniques they used in the final CTF round.  We collected their last year’s question paper also. He was very supportive in all ways.

Till date two round of InCTF is completed. First round was a “learning round”. They gave us something like 2-3 months to learn few concepts and complete a question paper. The second round was a hands-on hacking round. It had different varieties of questions and most of which were of very high quality. Thanks to the support of all my friends our team “dcoder” got selected into the final round. We finished at 24th position out of 158 teams registered and the end of second round.

It was really great experience in participating in the event. The main thing I have to mention is that I learned few methods and techniques during this event. We also had to stay overnight in our lab during the second round, those were great. Those are the points in your life were you start thinking philosophically and talk like a philosopher. The main reason is that at some point we may be half asleep and wanted to answer to all the questions asked to you. These will be few moments that I will forever keep in my memories.

The more interesting part was that the second round was overlapping our exam time. So we had to it in between the exams. For my last exam I couldn’t even prepare much because I was very much involved in this. After I came back to my room I had a mild fewer also. Everything happened was indicating that I shouldn’t write my exams well(Omen kind of, just saying – I don’t believe in those).

Just excited in participating in the final round… 🙂

New link can be found at abijith-kp.github.io