Brief CMD+CTRL Cyber Range Review

Secure360 just took place here in Minnesota on May 14th through the 15th. One interesting addition this year I noticed was the Cyber Range Capture The Flag (CTF). It was announced at the bottom of the email I received from Secure360 (below).

[Image: Secure360_Email]

I didn’t think the CTF would amount to much, being that this conference doesn’t draw in many technical hacking talks. Geared up with my laptop, I decided to inquire further about the CTF. After finally getting settled in and registered, I was able to access the vulnerable application (ShadowBank).

[Image: ShadowBank.png]

Now I won’t give away any hints to the flags, but straight off their website: “Shadow Bank includes 48 challenges ranging in difficulty – great for novices and experts alike. It includes vulnerabilities such as cross-site scripting (XSS), password cracking, authorization bypass, business logic abuse, SQL Injection, and others.” As soon as I started testing various areas of the application, I would receive a “Challenge Completed” alert with a number of points that would get added to my username within the “Scoreboard” area.

https://www.securityinnovation.com/wp-content/uploads/2019/02/ShadowBank-002.png

The application was continuously polled to automatically add points to your account. There was even functionality to spend points to purchase hints for other flags within the application.

[Image: Purchase_Hints.png]

The person with the most points by the middle of the second day of the conference would be deemed the winner. By digging into the application functionality and exploiting business logic flaws, I was able to gain enough points to secure 1st place at the end of the CTF.

[Image: CTF_Leaderboard.png]

This CTF was definitely different from other events I’ve participated in. I was very impressed with the automatic scoring engine and the variety of exploits and logic flaws incorporated into the application. I hope to see this CTF style at future conferences here in the Minnesota area.

[Image: He_Wins.jpg]
Brett DeWall