Thrilling Hacking Contests
As we said in a previous blog post,
“for those interested in gaining red team skills”
without engaging in illegal activity,
there are “competitions such as capture the flag (CTF).”
This is perhaps the most common form of ethical hacking competition.
And in this blog post,
we’ll share with you a list of 10 international CTFs
that are popular and thrilling these days.
Let’s start by answering a pivotal question:
What is CTF?
CTF in cybersecurity is a contest
where the participants have to solve different challenges
to catch flags.
Challenges may fall into several categories,
including reverse engineering,
cryptography, web and binary exploitation,
among others.
Flags,
hidden by organizers in purposefully vulnerable software or systems,
are usually files or pieces of code
(it can be something as simple as
flag{this_is_a_sample_flag}).
Applying their knowledge of security,
participants, alone or in teams, online or on-site,
attack systems to discover as many flags as possible
during a specific time,
which can be hours or even days.
In some events,
there are monetary prizes for those who achieve the top places.
The CTFs can fall into three main styles:
Jeopardy, Attack-Defense, and mixed.
In the Jeopardy style,
participants encounter a series of challenges on the systems of the organizer,
who is responsible for presenting certain clues.
The more flags they capture in these challenges in the shortest time,
the more points they can accumulate.
The tasks are also of varying difficulty,
so the more complex ones usually account for more points.
At the end of the total time available,
the individual or team that accumulated the most points wins.
In the Attack-Defense style,
there is more similarity with the original outdoor game
because two or more teams have their own flags.
The objectives of each group are to defend their flags
on the vulnerable system assigned to them
(closing vulnerabilities in a limited time frame)
and to attack,
exploiting vulnerabilities in the opposing teams’ systems
to capture their flags.
Participants receive points for both defense and attack.
Likewise,
the team with the most points at the end of the predetermined time
wins the CTF event.
Recognizing the abundance of these types of competitions
and how they can be forgotten after they are over,
in 2012,
the idea of keeping track of CTFs worldwide began to take effect
on a site called CTFtime.
There we can find a massive list of around 750 names of CTFs,
each containing its corresponding set of events held over the years.
At CTFtime,
they have a record of past events and some tasks used in them,
as well as a list of upcoming events.
There is also a ranking of teams
that have participated in the CTFs over the years,
and there you can even create a team
if you want to start competing.
Top 10 CTFs
To create the top 10 for this post,
we decided to rely on that list of 750 names of CTFs,
which is organized by descending number of events.
We focused on the first 57 names,
with the first one having 18
and the last one having 6 associated events.
Each CTF event receives a “weight,”
a metric that serves to reflect its difficulty
and rank the teams (see details here).
Its values range from 0 to 100,
the latter corresponding to the greatest difficulty.
Thus,
we took for each CTF the weights of its five most recent events
and calculated their average value
(presented below in parentheses next to each CTF’s name).
With these values,
we established the top 10,
also requiring that every CTF in the list have had an event
this year or the previous year.
10. hxp CTF (65.40)
This CTF contest is organized by hxp,
a group of “exceptionally good-looking hackers”
formed about a decade ago in Germany,
initially with the complicated name “H4x0rPsch0rr”.
They have had an annual CTF event since 2015 (here’s
their own archive).
The latest one was in December last year.
This one was Jeopardy-style, online, lasted 48 hours
and its challenges were on cryptography, pwn (binary exploitation),
reverse engineering, web exploitation, “zaj” and miscellaneous.
This hxp CTF 2021 got a weight of 99.41
and was led by the Israeli team called pasten.
(We don’t know if it’s actually Israeli,
but, in all cases,
we will mention the nationality corresponding to the flag
linked to the team name in CTFtime).
9. ASIS CTF (finals; 78.55)
This CTF competition is organized
by the Iranian academic team ASIS.
They have been featured on CTFtime with annual events since 2013.
As stated on their site,
the challenges they propose “are organized in categories
like general security information (Trivia), web hacking,
modern cryptography, exploit, forensics, reverse engineering,
steganography,” among others.
The ASIS CTF Finals 2021 was Jeopardy-style,
online, and lasted 24 hours.
It had a weight of 65.47
and was won by the U.S. team DiceGang,
a group that,
according to CTFtime data,
appears as the leader in its country
and seventh in the “overall rating” today for 2022.
Last year and this year,
they even set up their own CTF contests.
The next ASIS CTF qualifiers
will be held mid-October this year,
for finals on December 30.
8. Dragon CTF (79.58)
This CTF contest is organized
by the Dragon Sector team from Poland,
which was created in February 2013.
They have been holding annual CTF events since 2015;
the most recent one was in November
last year,
with a weight of 99.33.
It was a 24-hour, online, Jeopardy-style event
with web, reverse engineering, pwn, cryptography and miscellaneous challenges.
The winner of this CTF was the Taiwanese team Balsn,
which, as stated on their website,
has members who are mostly enrolled in the Network Security Lab
at the National Taiwan University.
Balsn also has had its own CTF contest
since 2019.
7. RuCTF (80.60)
This “International online challenge
in information security”
is part of one of the largest cybersecurity events in Russia
and is the first on our list in the Attack-Defense style.
RuCTF,
born in 2008,
is organized annually by the HackerDom team,
which is associated with Ural State University.
As explained in its rules,
the process of the game is as follows:
The game starts by issuing the participants identical servers
with a pre-defined set of vulnerable services.
For the first hour after the game image is issued,
the network segments are closed,
and teams should concentrate on administering their game server
and analysing the vulnerabilities.
After this hour,
the network opens and for 8 hours teams can exploit vulnerabilities
to gain flags from other teams.
This year’s RuCTF was held in May
and got a weight of 97.62.
The winner was the Russian team Bushwhackers
from Moscow State University,
which in fact outscored the team that,
as we write this,
is in first place worldwide this year:
C4T BuT S4D,
also from Russia.
6. HITCON CTF (80.71)
This CTF competition is organized
by the Hacks In Taiwan Conference
(HITCON),
an event that has existed since 2005
and is part of the Association of Hackers in Taiwan.
Their CTFs have occurred annually since 2014
(the year from which their own hacking team
registers participation in other CTF events).
The most recent one was in December
last year.
This HITCON CTF 2021 was Jeopardy-style,
online, and 36 hours long.
Among the types of challenges were pwn,
miscellaneous, cryptography, reverse engineering, web, and game,
for a weight of 88.98.
The winner was the U.S. team perfect blue,
which also has members from six other countries.
Finding the prizes for this event was quite easy:
First place took USD 4,096,
second place USD 2,048,
and third place USD 1,024.
The organizers also distributed USD 3,000
to the top five Taiwanese teams in the event.
5. Google CTF (80.89)
Well,
it goes without saying
who is in charge of organizing this CTF contest.
In CTFtime,
they have registered annual events since 2016.
It’s noteworthy that,
in their rules,
they highlight that people from all over the world can participate,
except Crimea, Cuba, Iran, North Korea, Quebec and Sudan.
Like some of the aforementioned,
this CTF has a qualification and a final stage.
Recently,
at the beginning of July,
the first of these stages for 2022 took place.
It was a 48-hour, online, Jeopardy-style CTF
with a weight of 97.84.
The challenge categories were miscellaneous,
web, hardware, pwn, reverse engineering, cryptography and sandbox.
There were prizes for the first three places,
the first-place prize being a juicy USD 13,337.
First place was achieved by the team perfect r00t,
which is a collaboration
between the perfect blue and r00timentary
groups.
The final stage supposedly took place a few days ago,
from September 9 to 11,
in a Google office with 8 of the selected finalists,
who had the option to win more prizes.
4. Hack.lu CTF (83.52)
This CTF competition is organized
by the German academic group FluxFingers,
associated with the Ruhr-University Bochum.
In fact,
this CTF is part of the cybersecurity conference
Hack.lu,
which has been held in Luxembourg since 2005.
It seems that since the inaugural meeting,
there have been Hack.lu CTFs every year,
but the latest one
in October last year was the 11th one
organized by FluxFingers.
This one was Jeopardy-style, online, and 48 hours long.
As in other CTFs,
players could participate alone,
but as they commented on their website,
“we recommend teaming up
because it is more fun
and you can learn from each other.”
The challenges revolved around reverse engineering,
cryptography, web security and binary exploitation.
The weight for this event was 94.48,
and the winner was the Swiss team organizers,
which retains second place in this year’s overall rating
as we write this post.
Hack.lu CTF 2022 is scheduled for October.
3. DEF CON CTF (finals; 85.72)
This CTF contest is part of,
as we said in a previous post
when we gave an overview of this
and other offensive security events,
“one of the oldest and largest hacking conventions,”
which has been held every year in Las Vegas, U.S.,
since 1993.
Nautilus Institute currently organizes this CTF,
but in previous years
it was organized by Order of the Overflow,
Legitimate Business Syndicate,
and Binjitsu by ddtek in different periods.
The qualifier in May,
Jeopardy-style, was attended by 1,282 teams.
The DEF CON CTF 2022,
then in August,
as in previous years,
was Attack-Defense style,
with 16 qualified teams and 72 hours in duration.
The weight for this final stage was 96.33,
and the winner was the team Maple Mallard Magistrates
(aka _MMM_).
The prizes were the coveted DEF CON Uber Badges (aka black badges) which,
as someone once said in a Hackaday blog post,
grant “lifetime free admission” to the event
and open “just about any door when listed on your resume.”
2. PlaidCTF 2022 (94.60)
This CTF competition is organized
by the U.S. academic team Plaid Parliament of Pwning
(aka PPP)
of Carnegie Mellon University,
formed in 2009.
At CTFtime,
there is a record of annual PlaidCTF events since 2011.
The most recent event was in April
of this year
and was named Plaidiverse.
It was a 24-hour, online, Jeopardy-style CTF.
The challenge categories were binary exploitation,
reverse engineering, cryptography, web exploitation,
and miscellaneous,
for a weight of 93.67.
The event was sponsored,
and the prizes were USD 2,048 for first place,
USD 1,024 for second place and USD 512 for third place.
As in the Google CTF 2022,
the victorious team was perfect r00t.
1. 0CTF (96.25)
This CTF contest is mainly organized
by the Chinese academic group 0ops
from Shanghai Jiao Tong University.
They have held an annual CTF event since 2015.
Since 2018 it has been presented under the name 0CTF/TCTF,
perhaps because of the intervention made in its organization
by the “Chinese multinational technology
and entertainment conglomerate
and holding company” Tencent,
specifically with the brand
Tencent Security and associated groups (see here).
The latest event was in September 2021
(months after the qualification stage),
followed the Jeopardy style, was online and lasted 48 hours.
It is known that
there were at least web and binary exploitation challenges,
and the CTF had a weight of 95.00.
As in the Hack.lu CTF 2021,
the winning team was organizers.
And although on CTFtime
the prizes appear presented like this:
“0x20000 CNY”
(that’s also how it looks on the event website
for this year),
we assume the prizes were CNY 20,000 for first place,
CNY 10,000 for second place and CNY 8,000 for third place.
(At that time,
as we see on Google,
CNY 20,000 was about USD 3,100.)
The 0CTF/TCTF 2022,
which will be a single stage,
apparently, will be held soon on September 17
and is open to any team in the world,
with no restriction on the number of participants per team.
Would you be up for it?
This has been our top 10 CTFs.
Surely later,
we’ll open space to talk about alternative competitions
(e.g., Pwn2Own and Tianfu Cup),
in which participants don’t work
on intentionally vulnerable systems or services
but on widely used “real-world” devices and software,
where the goal is to discover zero-day vulnerabilities.
CTFs,
as we have seen,
are often sponsored by universities or other organizations
and undoubtedly work as an incentive
to test skills and knowledge in ethical hacking
and learn even more.
Because of this and the fun they bring,
these hacking competitions become appealing not only for professionals
but also for beginners in the field
and people who are looking for where to direct their future.
As Raman et al. said a few years ago,
“Due to the extreme shortage
of talented security professionals,
there exists a critical need of holding CTFs.”
Are you interested in cybersecurity?
Would you like to be part of a red team
to ethically hack into organizations’ systems
and contribute to their security?
If so, follow this link.
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/top-10-ctf-contests/