Two teams that include students from the HSE Faculty of Computer Science and the Moscow Institute of Electronics and Mathematics are the best in Russia in practical cybersecurity within the framework of the Capture the Flag (CTF) competitions. The main purpose of this type of competition is the exchange of experience and knowledge in the field of information security, professional growth and the development of programming and system design culture among students and young scientists involved in cybersecurity.
The VI CTF Cup of Russia is one of the largest Russian information security tournaments in the CTF format, in which participants practice methods of protecting digital systems in a game format. The competition tasks involve virtual machines with a set of services issued to teams for deployment and analysis to detect vulnerabilities in them. The participants also need to write patches for their own set of services and sploits (programmes or techniques that exploit a vulnerability in other software) for the services of their opponents.
Team members need broad knowledge in the field of information technology and information security, especially programming languages that are used when writing services, such as C/C++, C#, Go, Haskell, Java, Perl, PHP, Python, Visual Basic, as well as skills in security administration of modern operating systems and networks.
The Ar team (Ivan Kochkarev, Svyatoslav Klimov, Vladislav Smorodov, Ivan Machugovsky, Vyacheslav Luchkin, Andrey Surovykh, Alexey Kosmachev), represented mainly by students from the HSE Faculty of Computer Science, won the competition this year. Team .einabe (Theodor Arseny Larionov-Trishkin, Alisa Kulishenko, Tatiana Kurmasheva, Grigory Kopeliovich, Konstantin Veselov, Maxim Emelianenko and Platon Shcherbinin) from HSE MIEM reached the final, coming 4th overall. In total, more than 400 teams participated in the competition. Students from the .einabe team were the first to complete the task with the great mettender service, which the organisers themselves positioned as unsolvable.
For two days, the students competed in the Attack — Defense format: they found vulnerabilities in services, eliminated them, wrote exploits and maintained the infrastructure. The final task was kept secret until the final day of the competition — in 4 hours it was necessary to find and exploit vulnerabilities in the service on smart contracts by understanding the implementation on the go.
The team members shared their impressions of the competition.
In the semifinals, our team members, Platon Shcherbinin and Konstantin Veselov, jointly managed to find a vulnerability in the most complex service — great mettender (which, as it turned out later, was unintended) and implemented a sploit for it in C. After the vulnerability was successfully exploited, the services of the opposing teams moved to ‘Corrupt’ status. At first we thought that this was an error in the implementation of our sploit and that we were overloading other services with requests, but later it turned out that other teams, seeing the successful operation of our sploit, started to turn their services off intentionally. It was rather funny.
The service itself was a tender system with the ability to submit applications for participation and execute their applications if they won. The protocol of interaction with the service is gRPC over QUIC, which made it difficult to analyse traffic and repeat other people's exploits. The application for participation in the tender is a programme in Brainfuck in a compressed format, and each tender contains private information (flags), which is submitted to the programme during the execution of the application. The output of the programme was shown only to the tender author. This service was rated by the organisers as the most difficult. I remember trying to figure out smart contracts during the finals.
How to prepare your team for CTF? It's really simple: the team should just play. That is, at least once a week or two, a month - for a while, but it should be regular, as in any sport. For example, in rowing, if you practice three times a week you get visible results. The situation in CTF is the same, because a person gets used to it, the team becomes familiar with the format, especially if we talk about Attack — Defense. Participants start to understand how to interact with other team members, there is some kind of mental connection that helps to optimise many processes. In Attack — Defense, victory is mainly based on the fact that you and your team can quickly find and patch bugs, exactly the things you can train for.
First we had an online qualifying round using a task-based format. This offered several tasks in each category (vulnerability search in web applications, binary file analysis, cryptography, etc.), and the teams reaching the top 10 made it to the onsite round which was held in the Attack — Defense format. We received a server running four programmes available to other teams. Our task was to find vulnerabilities in rival services, get the necessary data and protect ourselves from their attacks. Following the results of this round, the top five teams made it to the final. The format was the same, but this time all services were presented in the form of smart contracts on the blockchain, and this greatly changed the available attack vectors.
The attacker's part is the most fun — this is the hacker familiar from the movies who finds vulnerabilities and bypasses security systems. This is true, of course, but both in the competition and in the analysis of the company's security, it is important to find a middle ground between defense and attack. Yes, you can find vulnerabilities, gain access to the internal network, get to users' personal data. But if you do not work together with employees after that, do not help set up a more secure development process, then a year later during re-checking, the same vulnerabilities will be found, and the usefulness of your services for business will be zero.
The success of our team is based on practice-oriented training at MIEM and the high motivation of our students. A free academic atmosphere at the university contributes to team-building among students. A serious level of training provided by our ‘Information Security’ and ‘Cyber Security’ degree programmes gives them the necessary technical skills. Students study operating systems, secure protocols, cryptography, secure development in C/C++, PHP, JS, Python, current web vulnerabilities and many other practical disciplines already during their junior years. This gives them a serious technical basis both for the implementation of projects led by MIEM and for participation in competitions. Students also spend a lot of time self-studying: they participate in competitions and analyse typical cases. This victory is the result of serious work, long preparation, and a professional and focused approach to solving competition tasks.
Today, there is no need to explain how important information security is. But it's also a very exciting activity. A lot of the faculty graduates decide to build their careers in the field of information security. The fundamental training in programming and data analysis that the students get as part of the bachelor's degree programmes at the Faculty of Computer Science gives them all the opportunities to choose this career path. And I think they’ll be in high demand going forwards. The high placing of HSE University teams in this competition clearly demonstrates the high qualifications of our students and graduates; we can consider it an independent expert assessment.
Thanks to Tatiana Kurmasheva (.einabe) for her assistance in preparing this news item.