Warriors of the Web: cyberevolution Capture The Flag 2023

Thank you very much Benwood for this introduction and thanks to the students. I think the applause was for me for sure, or maybe for your teacher first. First of all, we start with a short introduction. My name is Christopher. I would also like to welcome you to the cyber evolution, really new format. I see a lot of people really interesting and I'm here with Sebastian maybe. Hello Again.

Hi, I'm Sebastian. I'm professor of for computer science at Berlin School for economics in law. And so we don't have tech in the name, but we are quite techy. So we have some students for computer science, business computer science. They're also in the master's course where which we offer with a specialization in cybersecurity. Besides that, we are pretty broad and I'm doing research in intersection of machine learning and IT security and embedded systems engineering.

Yeah, it's a pleasure to be here. Thanks. Perfect. And maybe you ask yourself, or that was basically the question, password raised. Why do we do that?

I mean, cybersecurity is really an interesting topic. There are a lot of threat challenges we've seen with the scenarios. How does the future look like? But we think it's also very beneficial for the audience and for sure also for the attendees to share a bit how does real world hacking look like? What is it, how do you, how do attackers work and things like that. And I mean, is there any other or better format than something like competition during the event where we can challenge or where the teams can challenge during the event.

And on the other hand, the audience can get some insights into how to deal with that and that that is basically the idea of the capture the flag event, which is in parallel mainly tomorrow and Sebastian, and I want to introduce that to you. So let's start with the first slight, ah, here we go. There's some delay capture, the flag has different formats and let's start with the first one. Jeopardy.

Sebastian, what is that format about? Yeah, Jeopardy is like solving puzzles, right? That's consider this you, you are trying to capture the flag, which is at the end of string usually in a special format. Like if it's from hack the box, it's htb and then some string encoded with some curly brackets. And you need to find that somehow by solving puzzles for instance, breaking some, some crypto challenge or in in in invading a system and so on. Now we come to the categories later, but maybe next to the next one, what is attack and defense? Christopher?

Yeah, attack and defense is an other possible format for a typical capture of the flag where you have on the one hand, red team on the other hand, the blue team. So really fighting one team against each other, trying to defend to get hacked. And the other team is trying hardly to get into other systems and that is also really interesting format, but it is a little bit difficult for conferences like that. This is more for real big capture the flag events because you need to know the teams, you need to be careful, but we will see this on the next slide.

And then there's also a third format, so no surprise, some kind of mixture, some kind of hybrid. So capturing the flag on the other side after attacking or defensing a defense, the the attackers or the defense team and a little bit forecast that is already, we will do the jeopardy style. So we have multiple single tasks that needs to be solved with a different level of difficulty. And that is what the teams need to solve tomorrow. Some words about the format maybe Ian?

Yeah, we have two groups. Yeah, we have, so that, that's also why we do this together. So Christopher represents basically the, the enterprise teams and I represent the academic teams, but that's how we approached our network. That's the idea. And we also, we have teams that come from colleges, universities and teams are purely from enterprises. And we have, so we have eight challenges and we have a prize for every group.

So every, so each group, so students, both students and enterprise teams will the the other, the winner will be determined and then win a prize. Exactly. And coming back to the attack and defense format, for sure, we had in our mind as a first competition, let the students fight the professionals or the other way around. But at the end one team would cry and this is what we don't want to have. That's why we decided we will two have two winner teams. So one of the student teams and one of the enterprise teams will win the prize. Okay. Talking about the challenges.

So there are multiple formats that can be used for those challenges. And Sebastian and I picked some out and let's phrase or share some thoughts about it. The first one is a web challenge. What's it? What is it about? So web is what you would think of first I I guess is you have the web application running in the container in in some or sub server.

Then you, you have some endpoints and then you try to exploit some vulnerabilities. You find for instance, by doing some injection attack like injection or doing a cross scripting, SSRF and so on. Yeah. And they then by trying, by doing that, extracting the the flag and then presenting this flag as evidence to the system that you have solved this challenge. Next one is forensics. What is that?

Yeah, forensic is, so we will also have two forensic challenges. It's basically from starting to analyze the log files, see what happened, for instance, if you became the victim of a ransomware attack, really trying to investigate what happened, which system are breached, where is anything you need to fix to solve. And that is more or less the category forensic again, two of them and two of the web ones. The next one osint.

Then we have open source intelligence, which means you find some, for instance, there are also, we have white box and black box challenges and, and then you find for instance the white box, which means the, the source code is available. You find some hint which then triggers your action to, to look for this in the open, in the internet.

Yeah, like social media and so on, which gives you internal more information and then you can finally solve this challenge, right? Next one is cloud.

Yeah, cloud. I mean you can do multiple things. Just think about APIs, how to access them, how to manipulate ai, API accesses and things like that. This will be covered and no details about the challenge because honestly we also don't know the challenges. That's why Sebastian by the way, has also two teams we know nothing. I'm surprised as well, right? Maybe we'll we will join in the third category to see.

Okay, next one. Also typical one reverse engineer. Reverse Engineering is like trying to understand the inner mechanic mechanics of, for instance, for instance, yeah, of a system, right? In general, right?

For instance, a file that is stored some information in a structured way and you find need to find out how this is done and then yeah, understand it and use that information to extract the information or more generally you have a web application platform which is you can like following a state machine and you find, try to find out in which sequence are under, which conditions are these states followed. And then you find specifically assumptions that the developers made ex exploit those assumptions and then use that to extract the information.

And crypto, And last but not least are crypto current cryptography. So for instance, you will receive some kind of document and need to decrypt, you need to find the the secret, how to encrypt, how to decrypt. And then you have the flag, the result. And that is, or these are our eight challenges that the teams will have to solve by tomorrow. We have different levels of difficulties. So idio easy, medium high and very difficult. There's only one very difficult and we will not tell which category, but it really depends.

So I think if, if one team will solve everything, then it is really also it should be the winner. So it should be really interesting. So hint to the teams, focus on the things you're good in And nobody should be disappointed because also some easy is in there and nobody should be done in 50 minutes or something. So this is good. Good distribution I guess. Exactly. And maybe a few birds about the platform we use. That's a very common platform. Hack the box with multiple things that basically offer a service to exactly do something like those capture the flag events, they prepare everything.

Also the challenges. This is why we don't know the details and that was for a reason.

And yeah, that will be done by the platform. Let's start with the teams, the enterprise teams. So first of all, all students and enterprises should be now a little bit afraid because I have a microphone and we really try to share a little bit who is there. So I'm not 100% sure whether all teams are already there. Maybe we start with a telecom team. Lucky meteors, can you please stand up if you're here, that would be awesome. Woo. So no worries. I will only ask one question. How did you prepare for this challenge? Anything specific? We didn't really prepare I guess.

Oh, I mean we, we took part on Saturday on ACTF, but we didn't, you know, made some major efforts there. So you know, we're just here having fun I guess. Oh Good man. Perfect. Thank you Ben. The second team, The next one is from Adidas, the Keepers. Are you here? The keepers.

Ah, wow. Okay.

Yeah, don't be shy. I see. Next time we place the people strategically, did you prepare on a specific purpose? Did you do some training before? Well I think that we prepare day-to-Day National, our work because we are trying to solve these kind of challenges every day. Perfect but nothing special. We are just here to have fun and and do some teamwork.

Great, thank you. And then we have the next team. Next one is from Ian Power Rangers.

Ah, Perfect. Thank you. I don't want to ask anyone a question just to be a little bit afraid here. Okay. Then the next team then we Have the next one. Please tell me how to Pronounce.

Yeah, that is the most. Okay. The Bank of Georgia.

Ah, okay cool. That would be the question. Well welcome guys. And the question is basically how to spell your name. It just means like lions in Georgian, but with some twisting letters as you see.

Yeah, yeah. Perfect. Thank you.

Okay, then we have Next and we have from Dutch Bank. Feel fake. Newtons.

Okay, perfect. Now Sebastian is able to run. Okay. Through the audience.

Sure, sure thing. Let's jump into the student teams. We have two pages. So we have five enterprise teams and seven student teams and Sebastian is approaching his students right now. That's why they laugh probably Team number one is no one Way with Lucas, Benjamin, Philip, Johannes and Za. True. Awesome. Hey guys. So any last words? We'll fight to the end. You should have asked, do you know the answers already? No they don't. The next team is Munich, which is the red cube. Dominic Yannick, Edward Marios on Julian. Ah. Alright guys, how do you feel? Well prepared. I hope so.

Let's hope Probably it's going to be a long night. Prepared. No Thank you. Then we have Tom Fhe, it's Mark for team and Tim and Benedict.

Ah, KU what about you? How, how do you feel? Well prepared. Not actually, this is the first time, the first one. I am participating in such an event. So that's first time hack.

Ah, cool. Perfect. Awesome.

Yeah, thank you. Amazing. Then we have Team Noland, which is really a cool name from Te Te. That was Jacob, Dominic, Micha and Jonas.

Hey, great to have you. Anything to share before the competition begins?

Yeah, we tried to brush up on our PA skills and now there's no PA challenge. So good start.

Yeah, said Next team is the senior team from ER field technique on in Berlin. Felix Lucas. Okay.

Norwin, Felix and Patrick Are here, not yet here. So they will have a big disadvantage in not knowing what to do. Yeah. Then we have another team from Sebastian and re in Berlin. Pigeons. Pigeons aren't real with Alexander, Lisa, Aaron, aria and Mele. So philosophical. Any any anything to add? No. Pigeons unreal. So We can't lose. And the last team maybe stand up if you are here. Perfect. And se Sebastian, I guess your question is obvious.

Yeah, again, what about the number? It just Beat number eight. Okay. It's so easy.

Okay, good. No, no deeper meaning. Perfect. Thank you very much. And as you can see, we have a lot of people here and for, for the students and enterprises for sure. They join the conference and for the conference attendees you can see what they will do tomorrow. And that is basically, that's why we have this slide with a plan, the schedule. So all of you participated right now, the introduction, congratulations. And tomorrow starting at nine o nine o'clock in the morning till 5:00 PM we will have the main CTF challenge.

It'll be outside here on the tables for sure with some power supply and all the needed stuff. And not to this tur the, the teams too much. We will have three slots, 20 minutes each where I will do some kind of insight. So really trying to share a bit what are the challenges about how did you approach, for sure not explaining in detail for, for the competitors, what is going on here, but that is more or less the idea a little bit to share how to do something like that. And for the participants of the conference, feel free to look at them, but don't touch them. Yeah.

And the award ceremony will be done on Thursday in the closing keynote as well. That is the plan for the capture the flag during the cyber evolution. I'm really looking forward to this cool format and cool event, which is also a new thing for us. And any famous last words?

Yeah, have fun. So I, I hope you everybody learns that and embraces the challenge. So nothing, nothing can go wrong. I think it's, it'll be cool then. Now look forward to it.