Last weekend we’ve organized our very first Howest Capture The Flag competition in cooperation with the university of Skövde in Sweden. Now that the dust has settled and we’ve all got the chance to catch up on some missed sleep it is time to have a look back and try to recap this event.
The Belgian chapter in the NSAHACK story started when some lectors of Howest visited the university of Skövde where for the last four years they had been organizing this competition. Fun fact, in contrary to popular belief the name NSAHACK does not refer to a certain American government Agency. It is the abbreviation of “Nätverks- och systemadministration”, which is the name of the IT department at Skövde university in charge of organizing this competition. Not long after returning from this trip the two bachelor programs TI & MCT bundled their forces and started preparing for a Belgian edition which would run concurrent to the competition in Sweden . For the people involved with the organization this meant that most evenings and weekends for the next few months would be spend making the challenges, setting up all the logistics and trying to get sponsors.
On the day of the competition, having to configure networking, challenge servers, livestreams, monitoring setups,… combined with the fact that one of our reserved rooms was (by mistake) booked for classes until 4 o’clock meant that not only the contestants started the CTF with a good dose of adrenaline in their blood. While the first teams were arriving at the location (carrying unhealthy amounts of energy drinks and snacks) a lot of work still had to be done. Still we were able to make it all happen and at the foreseen time we could start with the introduction.
Following the Swedish example, the rules for this CTF were a bit different compared to your standard Jeopardy style competition. All challenges were made available without any additional information about them, so no categories, difficulty levels or hints whatsoever. The teams had to do their own triage and determine on what to focus. Add to this, the concept of bonus points for first blood (first team to solve the challenge) and you have a competition style where all teams are racing to be the first team to find a solution. It only took 2min and 2 seconds for the first team to put some points on the board and during the first hour of competition a total of 9450 points were earned by the Belgian teams. Talk about starting an endurance race with a sprint…
Over the next 18 caffeine and sugar fueled hours an existing battle unfolded with teams competing for the top spots throughout the night. With only short breaks for dinner and breakfast most teams saw the sun go down and come back up again from behind their computers screens. Those who did take a powernap did it like a true hacker, underneath their desk (and some other places we would unexpectedly find someone sleeping). Throughout the night we did some ‘soft challenges’ like unannounced trivia questions to keep everyone alert and active (the memory of 10 people sprinting towards me to be able to read the conference name on my shirt still frightens me).
With more than 7000 points being scored in the last hour of competition no one was planning on giving up. When our big red doomsday-clock displayed 00:00:00 our final top three emerged, Serverhamsters, Red Deamons & TheNotSoLeetHakkers (in that order). They truly deserved the victory (and the spoils of that victory). Seeing as all teams truly exceeded our expectations, this was a competition with no losers. We would like to congratulate all the contestants on their achievements and we were very glad we could present each and every one of you with a price!
Lastly I would like to thank our sponsors, Fortinet, Deltalink, Intigriti, Detectify, Hackerone, Savaco and PVE security because they really do deserve it. They supported this event without any information on what they could expect from us. We came to them with an idea and good intentions but we didn’t have a clue about the number of participants or even (social) media coverage they could expect. Still they generously donated and we could offer prices and goodies to all our contestants. Thank you so much!
For more pictures of the event, see the MCT facebook page
Some stats about the CTF:
- Number of contestants: 177 ( of which 73 in Belgium)
- Number of challenges: 60 (not counting ‘soft’ challenges like the trivia rounds)
- Max total score without bonus: 14900 (not counting ‘soft’ challenges)
- Number of challenges left unsolved: 8
- First solve time: 17:32:02 by Red Daemons
- Last firstblood on challenge: 09:38:28 by Serverhamsters
Solves per challenge
Belgium vs Sweden
TOP 10 Teams (Mixed) | Members | Points | Flags | Country |
LiUHack | 4 | 12510 | 50 | Sweden |
serverhamsters | 4 | 11870 | 49 | Belgium |
Red Daemons | 4 | 10530 | 45 | Belgium |
IndianTuesday | 4 | 10270 | 44 | Sweden |
TheNotSoLeetHakkers | 3 | 9950 | 43 | Belgium |
Kebabsoffan | 3 | 9570 | 42 | Sweden |
Wazza | 4 | 8370 | 37 | Sweden |
AnythingForMyBoys | 4 | 7860 | 38 | Belgium |
Yaait | 4 | 7450 | 34 | Belgium |
Het Vaticaan | 4 | 7390 | 35 | Belgium |
Stats comparison | Belgium | Sweden |
# Teams | 24 | 31 |
# Students | 73 | 104 |
# Points gathered (total) | 136120 | 123370 |
# Flags solved (from 60) | 51 | 52 |
We would like to thank all the people that helped with or participated in this event. If you have any feedback on how we could do better for future events or just have something you would like to share please get in touch!
See you at the next event!
Hendrik Derre