We (Team Probably, at that time CTF Probably) had just come back from Amrita InCTF 2019 which was held in Kerala.
You can read about our experience and some introduction to CTFs here
Spoiler: We won and also had a celebratory ice cream cake 😋.
The Freaking Plan Probably
The first step to planning anything, Google Docs. We created a document and started brainstorming about how we wanted to approach this and came up with The Freaking Plan Probably… yeah that was the name of the document (LOL we just can’t stop including probably in everything)
The plan included starting with an Introduction to CTF and Cybersecurity session and then sessions on each of the fields: Web exploitation, Pwn, Binary exploitation, Forensics and Cryptography. We were thrilled to be conducting these sessions and hosting challenges and scared at the same time as this was the very first time we were doing this in college on our own without the help of our seniors who always took care of official procedures like permissions, labs, etc. Also, Amrita InCTF was our very first CTF ever and apart of that the lack of experience about CTFs and cybersecurity meant we had to work harder exploring the various topics so that we are good enough not only to teach them someone but come up with challenges that would keep the participants interested. Each one of us was better(I won’t say a master as that’s just not possible) at one field like web exploitation or forensics or cryptography than others. So we divided our tasks accordingly such that each one of us would make the challenges and the presentations for sessions in the fields they are good at.
So everything’s planned and we started working. Due to the lack of our experience, it was pretty hard for us to come up with challenges so we thought of referring to the past challenges that we had solved and maybe combine or modify them to our requirements since most of them were open-source. But we had to make sure to keep the challenges easy to understand for beginners and fun to solve, not trying to scare them off as it would be the first time for most of the participants. With this, we released the registration forms for our very first session and hoped for the best. To our surprise, we received an amazing response with more than 150 registrations and now we had to deliver what we had promised, making sure not to screw up our very first impression or else bye-bye to The Freaking Plan Probably.
Until the session we spent most of our college time always sitting in our den working together prepping for the session, making sure all permissions are sorted and we are good to go. Since we had an overwhelming response and it was just the 5 of us, and we knew we just couldn’t handle the crowd so upon asking a few of our friends who had also participated for InCTF they agreed to help us out during the session. FRIENDS to the RESCUE
You could find Challenges along with their write-ups for the first session here: Team-Probably/CTF_Session.
Now we needed a place to upload these challenges for the participants to view and submit while maintaining a leaderboard so that it would be competitive and fun. CTFd was being used by most of the CTFs, which provided the exact same thing we wanted a platform for our CTF. We had already tried setting up this before during the InCTF but after hours of trying, we failed to do so at that time. But now we tried a different way, to set up using docker and ever since that day we fell in love with docker which made us wonder why the heck didn’t we do this the first time. All of us had AWS educate accounts which we used to use on a rolling basis for 6 months on one student’s account since it had limited credits but it was free… who doesn’t like free stuff? We got a domain teamprobably.cf (now expired) which just felt right and then we were good to go.
Finally, with everything set-up, it was the day of the session although pretty nervous we kinda knew that we could pull this off having put so much effort into this. To our surprise, the session was a bigger hit then we thought it would be, there were students from all the years and all of them had fun solving the challenges and they got hands-on experience of exploiting the services which were our goal from the very beginning. It felt amazing looking at them cracking their heads to solve the challenges and see the joy on their faces when they finally solved them and found the flags. With everything just as we imagined, in fact better, now we were much more confident about our next sessions. Thanks to our friends who agreed to help us out otherwise we would have struggled to handle so many students. All classes were over capacity but at the same time, everyone was overjoyed.
Given the response, we thought we could take in some members of our team so that it would help take some stress off us and make it easier for us. But things just didn’t work out and we continued on our own with the 5 of us with help from some of our friends now and then. So the plan was, that session 1 would have fun-filled challenges scrapping the surface of different domains to lure participants into future sessions and by extension into Cyber Security. Now with the introductory session done, it was time for deep dives.
All of us are web developers at some level and have used many web applications and solved web exploitation challenges we had many ideas as to how to make these challenges interesting, also the response from the previous session helped. So we decided that Web will be the first domain we will be deep diving into. Once again we got back to working on the challenges. Due to various reasons we just couldn’t get things done on time. We had about a day for the session, and we didn’t have the challenges ready and this time we had to make sure there were some challenges which were very difficult covering the core concepts that should be considered while developing web applications like storing cookies, sessions, CSRF tokens, etc. As always, we were late but had to make sure to end with a bang.
We were not sure whether we could continue conducting these sessions since we had Smart India Hackathon(Read more about that story here) coming up and some other commitments so this was going to be our last session for a long time or maybe ever. Trying to cover up for the lost time we planned to stay up all night at one of our houses prepping for the contest all night. We worked non-stop for hours with most of us making challenges and the others testing them and making sure they are hosted without any issues. Learning from last time we had to make sure to use ports that are not blocked on our college network and this time we used docker-compose since there was a chance of challenges going down, due to lack of testing. About the time most of our planned challenges were done it was early morning around 5. The challenges were just about perfect; we were delighted with them and were eager to see the reactions of the participants the next day.
To make sure we don’t doze off while conducting the session we slept for around 2 hours and just went to the college without having taken bath or having any breakfast. A few friends attending the workshop had reached before us, so we asked them to grab some juice or something for us.
We made sure to cover the web fundamentals like HTTP requests-responses and sessions before we went on with how to exploit the services so that they are aware of how things work because generally that’s never taught and people tend to skip on those basics. The participants were finding it difficult to solve the challenges but given certain tips and hints, they were able to solve them in the end. After seeing the demo for session hijacking on an actual Microsoft live website, all of them were pretty shocked at how easy it was to grab some cookies of someone’s session and use them to log in as the victim(it was as if they were now part of Fsociety). The session was a huge success and we were blooming with joy although very tired due to lack of sleep.
We were bumped that we couldn’t continue conducting these sessions and set up the CTF lab that we wanted to. But it was an amazing experience, in the end, having learned a lot of stuff and spreading knowledge among our peers and starting the culture of CTFs in our college.
Lastly, I would like to say if you would like to set up a CTF Lab or conduct such sessions and would like to discuss anything about it feel free to reach out to me. Below are some great resources for starting out with CTFs and Cyber Security.
Special thanks to @RusherRG for helping out with this writeup.