The term “Capture the Flag” can mean a lot of very different things depending on context. In the context of a competition held at a computer security conference like LayerOne 2019 this past weekend, I found a technically oriented online digital scavenger hunt. There is a list of challenges, each of which starts with a clue that will lead the intrepid hunter towards an answer (“flag”) that can be submitted to increase their score.
What does it take to solve a challenge? Well, that’s entirely up to the organizers who can devise problems as simple and as difficult as they wished. I attended LayerOne last year though I did not participate in last year’s CTF. What I found everywhere else at LayerOne was a fun mix of activities that start with very beginner-friendly introductions that then climb steeply to still offer a challenge to longtime veterans.
It turns out their CTF is no different. There was one very beginner-friendly challenge — it was literally a reward for reading the hint and following instructions, no technical knowledge required. [Emily] was initially intimidated but quickly contributed by employing investigation skills from her journalism background. Thanks to her skills, our CTF team did not finish dead last.
To keep things on a friendly basis of competition, the targets of investigation are explicitly listed. A security challenge of “there’s a vulnerable computer somewhere nearby, find it.” might be interesting, but a bad idea to encourage probing every computer online. It would harm other conference attendees not participating in the CTF, it would be bad for hotel infrastructure and even other guests at the hotel.
While it is possible to just have a list of computer skill challenges in a CTF, organizers usually put in a little more effort to build around a theme. This year’s LayerOne CTF was about Star Trek. From the narratives presented as clues in many challenges, down to the LCARS style user interface of the main site. While we didn’t get very far in our CTF attempt, I appreciate the effort of organizers to engage beginners. Perhaps we’ll be better equipped the next time we come across one.