ʕ•ᴥ•ʔ Insights into Tech, Data, and Life ʕᵔᴥᵔʔ

🎮 Mathlete In the Cybergames!

👾 If you'd like to try the challenges, you may do so here.


I've discovered that I learn best when there's a competitive angle attached to the process, like a leaderboard. This appeals to my gamer instincts, tempting me to try just one more challenge to move up the rankings. In the cybersecurity field, there are challenges known as “Capture the Flag,” which include all the elements I find enticing, such as a scoreboard and a variety of broad challenges to choose from.

I had the opportunity to compete in one last week. The event is known as the US Cyber Games Season IV, and since it was my first formal CTF challenge, I didn't have a clear idea of what to expect. That’s ok. The surprises that awaited me were part of the appeal.


Below, I’ll document not only some of the challenges I was able to complete but also an example or two of where I was stumped. The team at the US Cyber Games did an admirable job of assembling challenges that were simultaneously difficult and satisfying. This is a particularly tough balance to achieve because if the challenges were too hard, competitors might have dropped out early. But they did it! Now, on to the challenges:

Challenge 1: Hunt[Web]

The challenge explains: "Agent, it looks like ARIA has spun up a simple website. Is there anything you can find to give more information about its plans?"

The provided link takes us to a plain web page with stock images of robots and seemingly no useful information. I’m no expert web developer, but I know that summoning the web console can usually provide useful information about a site, so that’s exactly what I did.


In the elements tab of the console, I found the following hidden message embedded in the HTML code:

<!-- Don't forget to check in on the bots! -->
<!-- p1: SIVBGR{r1s3_ -->

Don’t forget to check on the bots. What secrets are you trying to hide from me, webpage? I racked my brain for a while, trying to figure out what to do. Eventually, I decided to use the limited time I had to attack other challenges. The very next day, a potential solution struck me like lightning: perhaps the website is using a robots.txt file. I remember learning about this file from either Colt Steele, Angela Yu, or some other web development guru, but it had completely slipped my mind until now because I hadn't found a use for it. Anyway, I visited the following URL: https://uscybercombine-s4-hunt.chals.io/robots.txt

There, I was greeted by the next part of the flag and a path to another web page:

User-agent: Humans
Disallow: /secret-bot-spot
p2: 0f_th3_

I'm greeted with another generic-looking web page. I open up the console again and cycle through a few tabs until I find the final part of the flag hidden as a JavaScript comment:

// p3: r0b0ts!

Great! So the flag for this challenge is SIVBGR{r1s3_0f_th3_r0b0ts!}.
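The three hiding places in this challenge (an HTML comment, robots.txt, and a JavaScript comment) are all readable by any visitor, so the same places are worth checking on your own site before it ships. The sketch below is an added example, not code from the challenge or its authors; the three inputs are constructed samples modelled on the output quoted above, and the function names are made up for illustration.

```javascript
// Added example: pre-publication audit of page sources for leftover comments
// and revealing robots.txt entries. Inputs are constructed samples modelled
// on the challenge output quoted above.
const sampleHtml = `<html><body>
<!-- Don't forget to check in on the bots! -->
<!-- p1: SIVBGR{r1s3_ -->
<img src="robot.png"></body></html>`;
const sampleRobots = `User-agent: Humans
Disallow: /secret-bot-spot
p2: 0f_th3_`;
const sampleScript = `function greet() { return "hi"; }
// p3: r0b0ts!`;

// Text of every HTML comment and JavaScript line comment in a source string.
function extractComments(source) {
  const found = [];
  for (const m of source.matchAll(/<!--([\s\S]*?)-->/g)) found.push(m[1].trim());
  for (const m of source.matchAll(/^[ \t]*\/\/(.*)$/gm)) found.push(m[1].trim());
  return found;
}

// Disallow paths (each one is a public signpost) and lines that are not
// robots.txt directives at all.
function auditRobots(text) {
  const known = /^(user-agent|disallow|allow|sitemap|crawl-delay)\s*:/i;
  const disallowed = [];
  const stray = [];
  for (const line of text.split(/\r?\n/).map(l => l.trim()).filter(Boolean)) {
    const m = line.match(/^disallow\s*:\s*(\S+)/i);
    if (m) disallowed.push(m[1]);
    else if (!known.test(line) && !line.startsWith("#")) stray.push(line);
  }
  return { disallowed, stray };
}

// One finding per item a visitor can read without any special access.
function auditSite(html, robots, script) {
  const findings = [];
  for (const c of extractComments(html)) findings.push({ where: "html comment", text: c });
  for (const c of extractComments(script)) findings.push({ where: "js comment", text: c });
  const r = auditRobots(robots);
  for (const p of r.disallowed) findings.push({ where: "robots.txt Disallow", text: p });
  for (const s of r.stray) findings.push({ where: "robots.txt stray line", text: s });
  return findings;
}

console.table(auditSite(sampleHtml, sampleRobots, sampleScript));
```

Every Disallow path is reported because robots.txt only asks crawlers to stay away; it does not restrict access to the path it names.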


Challenge 2: Secret[Forensics]

This challenge wasn’t as involved as the one above, but it did remind me that you don't always need cutting-edge tools to examine a problem. We were given a .pdf file with the flag redacted, and it was our job to 'unredact' it. I simply converted the .pdf into a .txt file, and the flag appeared: SIVBGR{C0nta1n_Th3_Al13ns}. I wonder if this was included to make some of us competitors overthink things. I can definitely see how someone, instead of converting the file into another format, would seek to find an "unredacter".
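A text conversion recovers a redacted value whenever the redaction only covers the text visually and leaves it in the file. The check below is an added example, not part of the challenge or the original post; it assumes the redaction was a filled rectangle drawn over text still present in the page's content stream (the post does not say how the file was redacted), and it runs on a constructed, uncompressed content stream with a placeholder value.

```javascript
// Added example: check whether a "redacted" PDF page still carries the text
// under the black box. The content stream below is a constructed, uncompressed
// sample; real PDFs usually need their streams inflated first.
const sampleStream = `BT /F1 12 Tf 72 720 Td (Incident report) Tj ET
BT /F1 12 Tf 72 700 Td (Flag: EXAMPLE{not_a_real_flag}) Tj ET
0 0 0 rg
70 696 260 16 re f`;

// Text-showing operations with the position set by the preceding Td.
function textRuns(stream) {
  const runs = [];
  const re = /([\d.]+)\s+([\d.]+)\s+Td\s*\(((?:\\.|[^\\)])*)\)\s*Tj/g;
  for (const m of stream.matchAll(re)) {
    runs.push({ x: Number(m[1]), y: Number(m[2]), text: m[3] });
  }
  return runs;
}

// Filled rectangles, written in a content stream as "x y w h re f".
function filledRects(stream) {
  const rects = [];
  const re = /([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+re\s+f\b/g;
  for (const m of stream.matchAll(re)) {
    rects.push({ x: Number(m[1]), y: Number(m[2]), w: Number(m[3]), h: Number(m[4]) });
  }
  return rects;
}

// Text whose origin lies inside a filled rectangle is hidden on screen but is
// still returned by any text extractor. Only the text origin is tested here,
// which is a simplification of a full bounding-box overlap check.
function coveredText(stream) {
  const rects = filledRects(stream);
  const inside = (t, r) =>
    t.x >= r.x && t.x <= r.x + r.w && t.y >= r.y && t.y <= r.y + r.h;
  return textRuns(stream)
    .filter(t => rects.some(r => inside(t, r)))
    .map(t => t.text);
}

console.log(coveredText(sampleStream));
```

A non-empty result means the box is cosmetic: the text has to be removed from the content stream itself, not drawn over.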

Other Challenges

One challenge that I failed to complete on time was ringing the bell over 9000 times on this web page.


My mouse wouldn’t appreciate being clicked over 9000 times in such a short span, so I deployed a script in the web console to automate the clicking for me:

(async function() {
    const delay = ms => new Promise(resolve => setTimeout(resolve, ms));
    
    for (let i = 0; i < 90001; i++) {
        try {
            window.ding();  // Attempt to call the ding function
            console.log(`Ding ${i + 1}: Success`);  // Log success message
        } catch (error) {
            console.error(`Ding ${i + 1}: Error`, error);  // Log error message
            break;  // Exit the loop if an error occurs
        }

        // Add a delay between dings to avoid rate limiting
        await delay(100);  // 100ms delay; adjust if necessary
    }
})();

I had to adjust the delay to avoid detection of automation. However, after surpassing 9000 clicks, the console mocked me by saying, "You didn’t think it would be that easy, right?" I found it amusing but had to move on.

There were several challenges related to packet analysis that sharpened my skills with tools like Wireshark. I found hints of cryptic messages in these packets, but time was scarce, so I moved on.

Another curious challenge involved inputting runes into the terminal. My only exposure to runes was in Pokémon and Bloodborne, but after some googling, I found some strange characters that I tried to copy into the terminal. To my surprise, the terminal recognized the characters, but they weren’t the correct ones needed to solve the challenge. Oh well.

In Conclusion

Even though the competition is officially over, you're still able to attempt the challenges here. A huge shoutout goes to Jacob Elliott for concocting many of the challenges and for preserving them on his GitHub.

Overall, I’m pleased with my performance. About 3000 people registered for the event, and 1353 made it onto the leaderboard. I scored 1000 points and ranked 486th. I solved a bunch of challenges, ate a bunch of pizza and learned a bunch of tech. It was a great weekend!
