Central InfoSec Capture-The-Flag (CTF) hacking event 2021

The Central InfoSec team decided to build a free, team-based, Capture The Flag (CTF) hacking event to provide the security community with a place to have fun and learn. This included 260 total challenges and a custom vulnerable VM with 130 flags to capture. We also added a scoreboard for participants to track their progress and to compete with others.

Throughout the CTF event, we made a lot of friends and built some great relationships with people in the community. We also learned that many teams invited team members to help others get into cyber security and learn more about cyber security. This was awesome to hear and shoutout to everyone that use this CTF event not only as a learning opportunity for themselves, but as an opportunity to help others learn! This was amazing to hear!

CTF Statistics

• 260 Challenges
• 420 Users
• 170 Teams
• 3 Users/Teams rooted the Central InfoSec Vulnerable Web Server 01

Central InfoSec CTF Winners

Below are the results of the Central InfoSec CTF 2021

1st Place Team

The winning team (and overall winner) of the 2021 Central InfoSec CTF is Kill The Dragon, Get The Girl which consisted of two team members The4rchangel and rez. Congratulations!!!

• Kill The Dragon, Get The Girl (The4rchangel and rez)

1st Place Individual

The winning individual (single-user team) of the 2021 Central InfoSec CTF is BytePen which consisted of one user bamhm182. Congratulations!!!

• BytePen (bamhm182)

Central InfoSec CTF Top 10 Teams/Individuals/Users

We decided to break down the results in multiple ways. The scoreboard platform currently only supports either Team-Mode or Individual-Mode, but not both at the same time. We decided to host the CTF in Team-Mode to promote collaboration through a team-based event. When the scoreboard setup in Team-Mode, if someone wants to challenge the CTF by themself, they still have to create a team. We decided to manually break down the results in to two categories: Team (regardless of size) and Individual (team of one user). We also added a third category for this year: User (regardless of team size).

Top 10 Teams

Below are the Top 10 Teams (Regardless of team size. Team size in parenthesis)

• Kill The Dragon, Get The Girl (2)
• BytePen (1)
• Yeti (9)
• CTFMonStars (9)
• Adorably Persistent Team (4)
• InfoSec (5)
• 1337B01S (7)
• BLU3 M07H3R5H1P (4)
• redsec-1 (4)
• jetosd (1)

Top 10 Individuals

Below are the Top 10 Individuals (Single-user team. User in parenthesis)

• BytePen (bamhm182)
• jetosd (jetosd)
• SYN-bit (SYN-bit)
• santaa (santaa)
• newb#101 (crypto22)
• fzhshzh (fzhshzh)
• TukangKetik (TukangKetik)
• mistadobalina (mistadobalina)
• Fun_starts (Jaga9946)
• r3in3MY (r3in3)

Top 10 Users

Below are the Top 10 Users (Regardless of whether the user is on a multi-user or single-user team. Team in parenthesis)

Note that a user may have been the designated "person to submit flags" for a majority of the team.

• bamhm182 (BytePen)
• bawolff (Yeti)
• The4rchangel (Kill The Dragon, Get The Girl)
• 4n6lee (BLU3 M07H3R5H1P)
• pozer (CTFMonStars)
• jetosd (jetosd)
• sp1icer (redsec-1)
• Lennaert89 (Adorably Persistent Team)
• SYN-bit (SYN-bit)
• santaa (santaa)

Are Write-Ups Allowed?

We allow write-ups for challenges. We ask that you redact the actual flag values and do not write up too many of the challenges.

If you write up a challenge, please include the following three sections about Central InfoSec:

Central InfoSec

Central InfoSec is an award-winning cyber security company that offers professional security services including Red Teaming, Penetration Testing, and Security Training. The Central InfoSec team consists of skilled security professionals bringing a total of 20+ years of red teaming, penetration testing, web application, and exploitation experience. Central InfoSec team members have achieved industry leading professional certifications including OSCP, OSWP, GXPN, GPEN, GWAPT, GMOB, AWS-CSS, AWS-CCP, PenTest+, CEH, CISSP, and more. The Central InfoSec team goes one step further and develops open-source tools including Burp Suite extensions, Cobalt Strike aggressor scripts, scripts tying into tools (including GoPhish, PhishMe, Slack, Lair), other custom-built security tools, and Capture The Flag (CTF) events!

Achieved Awards

Central InfoSec has achieved the following industry awards:

• Best Penetration Testing & Security Consulting Firm — Corporate Excellence Awards, 2021
• 5 Best Cyber Security Companies to Watch — The Silicon Review, 2021
• 10 Best Security Companies — CIO Bulletin, 2021
• 10 Most Promising Cybersecurity Consulting/Service Companies — CIO Review, 2020

Social Media links:

• https://www.facebook.com/centralinfosec/
• https://twitter.com/centralinfosec
• https://www.linkedin.com/company/centralinfosec
• https://twitter.com/JAMESM0RR1S

What!? We Allowed Someone To Post Write-Ups During the Event?

We received questions and critique from multiple people, that we shouldn't have allowed anyone to post a write-up while the CTF event was still going on. We initially thought the same thing but then we changed our minds. Hope the following helps explain our reasoning to everyone.

Day 5 of the event, someone asked if they could work on a write-up of the "Hack the MySQL / MariaDB" challenge. We learned that this individual had never posted a write-up before.

• To see someone so excited about our CTF event that they wanted to write and publish their very first CTF write-up was incredible to see! We couldn't shoot down someone's dreams. This could be a life/career changing moment. What if the person realizes that they like writing/instructing so much, they decide to create additional write-ups, become an instructor, create a local security meetup (DefCon Group/CitySec), etc. This could be a single great blog post or even lead to something much larger.
• Have you posted a CTF write-up yet? In all seriousness, this is a great way to showcase your talent, help others learn, mention in an interview, etc.
• We didn't want to hold back someone's potential by telling them no.
• Even if we said no, the person could have still published it. At least this way they have our support and are motivated to continue doing awesome things!
• The one challenge was 300 points out of 40,200 possible points and 260 total challenges. We felt that 300 points was not going to make or break a team if they were stuck on this challenge. The difficulty of the challenges ramps up to some extremely difficult challenges!
• The goal with the CTF event was to give back to the community, host a free team-based CTF event, and to provide a fun environment to help people learn!
• The write-up supported our goal to help people learn. Who are we to tell someone that they can't help others learn? If the flag value is redacted, it would prevent people from getting a free answer. At least this way they would have to actually solve the challenge, even if it required a little guidance.

Why We Paused the Scoreboard on Day 7 for Point Corrections

We paused the scoreboard on day 7 for point corrections. Many people asked about this and we felt like we owed an answer to all of the participants.

Hints cost points. Some teams created secondary teams to use hints to avoid losing points on their primary teams.

• Day 1: There were many lead changes. Finally a team (Team A) takes the lead. Multiple teams questioned how this team took the lead so quickly.
• Day 2: A new team (Team B) takes the lead. Multiple teams reported that this team had similar usernames as another team and had a perfect score.
  The Central InfoSec team performed analysis and ultimately confirmed that Team B had created another team with similar usernames (bob and b0b), similar emails (bob.smith and smith.bob), and same source IP addresses. Team B used their other team to use hints for advance challenges, then seconds/minute later, submitted the answer from Team B coming from the IP address using the similar username/email.
  Although this is a hacking event, we felt like this violated our rules.
• Day 3: We perform additional analysis, correlating timestamps of used hints and challenge submissions of Teams A.
• Day 4: With Team B still in 1st place, we also noticed that the now 4th place team (Team A) also created a secondary team to use hints.
  We perform even more analysis.
• Day 5: At first we questioned if we should ban these teams for cheating. We had a wide mix of emotions on this.
  While some may agree with this, our goal with the CTF was to offer a fun and free team-based CTF event that would hopefully provide learning opportunities to many people.
  We decided to take additional time out of our evenings and nights to add up all the hints used by these secondary teams, and only deduct the hint points that these teams used through their secondary teams.
• Day 6: We correlate the used hints with timestamps, usernames, source IPs, etc. so build of list of hints that were clearly used from the same IP, similar username, similar email, same time, etc. It didn't make sense that a team which hadn't solved the easy/medium challenges would be requesting the hint for the most advanced challenges.
• Day 7 (Part 1): We consider the easy option of giving Team A and B a manual award of a negative points value. This would look odd on the scoreboard graph being a huge dip in points. This may be noticeable to other teams. We didn't want to draw attention to these teams.
  We decide to go with the harder option that would make the scoreboard look pretty and as if the teams used the hints when their secondary teams did.
  The CTF platform allows the administrators to export/import data. We exported the CTF data, updated the user IDs and team IDs for those exact hints, then imported the data back into the CTF platform.
  CRASH! The CTF scoreboard crashes...
  Still not sure why this happened. The way Team B used hints on their secondary team, made Team B's points go negative at one point early on. It is possible the CTF platform didn't like this. We also customized many of the backend files to provide customized user/team/dashboard/challenge pages with small tweaks from the original pages. It is possible this caused an issue. It is also possible that the amount of data being imported caused an issue. Over 20,000 challenge submissions alone.
  We spent hours troubleshooting. We even build a second server and stood up a brand new CTF scoreboard, tried importing the data here and it crashed again.
  We repeated this process what seemed like 15-20 times.
  Eventually we get it working but running through the same process that we previously ran through multiple times. We felt like we were running in circles with this and almost called the CTF since we had reached the 1-week mark.
  Overall, we dedicated almost our whole weekends to the CTF event. (We are still sorry to our families and friends for the time we had to put aside for this.)
• Day 7 (Part 2): The CTF scoreboard is back up!
  A new team (Team C) takes the lead without using any hints. We perform analysis and see secondary teams were created to use hints. We decide to go with the easier option of manually awarding negative points to the team.
  After point corrections, Teams A/B/C are in places 4/5/6.
• Day 8: Two teams quickly shoot to 8th and 10th place in a matter of minutes of being created. The users of these teams shoot to 1st and 3rd place within minutes of being created. These two teams created vertical lines on the scoreboard right next to each other. Many teams reported this odd activity.
  Guess what? It looked like Team B created a third and fourth team from the same IP addresses. We perform analysis and it is pretty clear.
• Day 9: We are beyond tired of playing whack-a-mole. We decide to wait until the end of the CTF to perform additional analysis and hide those two teams from the scoreboard.
• Days 10-15: People continue challenging the CTF. We received lots of positive feedback and three users/teams were able to root the Central InfoSec Vulnerable Web Server 01 using three different techniques.

Areas for Improvement

Overall we received numerous emails and direct messages thanking us for hosting the CTF event. Many people mentioned that they enjoyed the CTF, thought it was fun, and that they learned a lot while working through the challenges. We appreciate everyone’s' feedback and suggestions. We plan to make improvements and deliver an even better CTF event in the future!

Challenge #7 (Challenge 007)

Possibly the Worst Challenge That We Created?

Many teams used the hint, used all 10 challenge attempts, and still did not get the correct answer. Could we have created multiple correct answers? Yes, but we thought that we gave enough clues to make this one straight forward and fun. Sorry to everyone that said this was the most frustrating challenge.

• Flag 1: Two "a" characters were "@", one "s" character was "$". "Central-InfoSec{X@XX$}"
• Flag 2: Two "s" characters were "$", one "a" character was "@", one "e" character was "3". "Central-InfoSec{X@X3$}"
• Flag 7: The Name's Bond, _____ Bond.
• Use 1337 $P33K and the flag format: "Central-InfoSec{XXXXX}".
• "1337 $P33K" has "3" for "e", "$" for "s", and uppercase letters.
• Flag 7 Hint: Have you caught on to the format of the flags?

When you put all of this together, we thought this would make for an easy/fun challenge while being funny that it was challenge #7 or "007".

"J@M3$" was the intended solution. Why? Capital letters for "j" and "m", "@" for "a", "3" for "e", "$" for "s".

"J4M35" and "J4M3$" were the most common answers submitted. We understand why so many people went with this being that it was simple letter/number substitutions.

We decided to remove any hint points used for Challenge #7 (Challenge 007). We also removed the points used for Hack the VM Config because most teams thought this was a hint on how to long into the VM. We placed a link to download the Central InfoSec Vulnerable Web Server 01 within the first VM-related challenge description. This confused many teams and was intended to be straight forward. Due to the CTF Scoreboard platform not supporting this type of bulk removal, we manually removed any used hint points for the top teams/individuals/users so that the points across the Top 10 categories would be fair. These two hints only cost 50 points each and in the end did not affect the final positions of the CTF winners.

Future CTF Events

Follow Us for Updates on Future CTF Events

Follow us for updates on future CTF events. We appreciate everyone that shares our content with others!

• https://twitter.com/centralinfosec
• https://www.facebook.com/centralinfosec/
• https://www.linkedin.com/company/centralinfosec/

Central InfoSec - Red Teaming & Penetration Testing

"Best Penetration Testing & Security Consulting Firm"
- Corporate Excellence Awards

“Central InfoSec helps organizations by discovering network and web application vulnerabilities before the hackers do!”

Central InfoSec is an award-winning cyber security company that offers professional security services including Red Teaming, Penetration Testing, and Security Training.

The Central InfoSec team consists of skilled security professionals bringing a total of 20+ years of red teaming, penetration testing, web application, and exploitation experience. Central InfoSec team members have achieved industry leading professional certifications including OSCP, OSWP, GXPN, GPEN, GWAPT, GMOB, AWS-CSS, AWS-CCP, PenTest+, CEH, CISSP, and more.

Best Penetration Testing & Security Consulting Firm

Central InfoSec can quickly uncover critical vulnerabilities that have been missed for years. No automated scanning tool can replace high-quality security professionals. Utilizing Central InfoSec’s custom-built tools and manual analysis, Central InfoSec’s security experts have found numerous vulnerabilities within web applications including multiple 0-days allowing direct access to web servers hosting the applications.

Every organization, at a minimum, should receive both network penetration testing and web application penetration testing.

Best Penetration Testing & Security Consulting Firm

Central InfoSec performs a variety of penetration tests including external-networks, internal-networks, web applications, and APIs. The company quickly informs clients of critical vulnerabilities by creating ad-hoc reports and hosting ad-hoc debriefs as necessary.

Central InfoSec strengthens the security posture of businesses by reducing cyber risk through offensive security testing, red teaming, penetration testing, web application assessments, managed phishing services, managed vulnerability scanning, and security training.

Let’s Work Together

If you’d like to see why the Corporate Excellence Awards selected Central InfoSec as the Best Penetration Testing & Security Consulting Firm, let's have a chat to see how you could benefit from Central InfoSec security services. It’s simple and easy. We’ll even include a free customized quote. Let’s get started: Contact Us

Central InfoSec specializes in web application penetration testing and tailored phishing services, to help you reduce risk to your organization. Managed phishing services will test and measure the effectiveness of your security awareness program. By offering managed phishing services, your organization can receive tailored phishing campaigns, historical reporting, and metrics.

Central InfoSec offers a variety of other professional security services to help you test, measure, and improve your overall security posture. Security services offered include red teaming, penetration testing, vulnerability assessments, web application testing, managed phishing, and other tailored security services to help you reduce risk to your organization.