Earlier this month Pratum sponsored the ISSA Secure Iowa Conference, and we are proud to announce that Team Pratum (AKA Pratumeers) placed 2nd in the Capture the Flag (CTF) competition hosted by SecDSM!
What is a CTF?
Capture the Flag is an information security competition designed to increase the knowledge and speed of penetration testing workflows. Each “flag” (challenge) is obtained by exploiting vulnerabilities, reconstructing encrypted messages, or by solving cryptographic puzzles. Team members submit flags on a Jeopardy-style board that tracks each team’s overall point count. The goal is simple: solve as many challenges as possible in one day.
Our Experience at Secure Iowa 2018
Following the conference keynote, the teams filed into the CTF conference room and eagerly began solving challenges. The first flag was solved within minutes after the keynote, and Team Pratum promptly responded with 2 flags submitted. Everyone started to get into a rhythm, and the solved challenges began flooding into the scoreboard with Team Pratum in the lead.
Not surprisingly, we were first to pick one of the challenge locks, and shortly after picked another MasterLock. Only two locks were left unpicked, as we began strategizing our time for higher-value flags.
Team Pratum (Pratumeers) competing in 2018 Secure Iowa - Capture the Flag (CTF)
A total of 6 flags were in the Packet Capture (PCAP) category, from which we scored 300 points. We learned a few new Wireshark tricks, specifically carving image files out of HTTP frames. Our brilliant challenge writers hid some cat memes, which brought some much-needed laughter.
After lunch, Pratumeers were able to divide into respective roles and almost complete the entire Misc category. Some Docker images were broken, rebuilt, and then broken again to compromise accounts containing the flags. Pratum’s CTO Steve Healey dove into some PCAP files while our Security Consultant Jason Moulder started to brute force the vulnerable web applications.
From Left: Chad Porter, Steve Healey, and Tanner Klinge
As the conference came to a close, the race was tight and Team Pratum decided to try out some SDR (Software Defined Radio) tools. Pratum’s Security Analyst Tanner Klinge tuned into an unlicensed pager channel to intercept an encrypted Morse Code message, while the rest of the team chased after a mini-bug bounty challenge.
The Pratumeers placed 2nd overall and were awarded some prizes sponsored by SecDSM. We certainly learned a lot, enjoyed the opportunity to compete, and look forward to new challenges next year.
Capture the Flag Key Takeaways
- Constant CTF team communication is vital; use something like Microsoft Teams to keep everyone in sync.
- Test and become comfortable with all tools prior to competing.
- Manage your time based on the point value of the target.
- Debrief with your team afterwards and have them show other people how a particular challenge was solved so everyone can learn new tactics.