David Soto, winner of the challenge, collecting the prize together with Humbert Ruiz, from 42 Barcelona, Fundación Telefónica’s programming campus.
We organised activities aimed at the technical audience in the Hacking Village area as part of our participation in the Barcelona Security Congress 2023 event. One of the activities consisted of a Capture the Flag challenge in which 74 hackers registered, including both on-site and online participants.
David Soto, our guest blogger, was the first participant to solve three challenges, winning the competition and the prize. In this post he tells us how he managed to do it using only his mobile phone, and what the keys are to staying ahead in the field of cybersecurity.
* * *
BY DAVID SOTO
CYBER SECURITY SPECIALIST
I am David Soto and I am lucky enough to work as an IT consultant as a cybersecurity and secure development specialist at ERNI Consulting Spain. I have been passionate about this field since I was a child.
In Capture the Flag (CTF) competitions I am known by the alias of JDarkness and I have the honour of having won competitions such as IntelCon, MundoHacker or PwnVerse, among others. And more recently, just a few days ago, the one organised by Telefónica Tech together with campus 42 during the celebration of the Barcelona Cybersecurity Congress.
Capture the Flag competitions are free competitive games that test your knowledge and skills as a hacker.
Participants find themselves in different types of challenges with the objective of getting a “flag”, a code that proves that you have solved the challenge.
On this occasion, since I won the challenge in a somewhat “different” way, using only my mobile phone, I have been invited to write this post telling how the competition went and my experience. So here is my story:
A couple of weeks ago, while looking at the schedule of the Barcelona Cybersecurity Congress, I found out that this year they had prepared a hybrid Capture the Flag challenge, with online and on-site modalities. As I was planning to go to the congress, I signed up with the intention of seeing what challenges they had prepared, sitting down for a while with my laptop and seeing how far I could go.
Once I received the admission tickets, I started to prepare my itinerary: Tour with the DCA, visits to the exhibitors of interest… I set aside 30 minutes to sit in the Hacking Village and watch the challenges without much intention of winning.
When the DCA Tour was over, I headed to the Hacking Village to log on to my laptop and take on the challenges. However, just at that moment, a presentation had started and there was not a single free seat left. As I needed to connect my laptop, I thought: “Well, I’ll take my chances, as I just want to see what the challenges are about, I’ll watch it on my phone”. So, I went to visit the stands.
I have to say that on my phone I carry Termux with a small Kali Linux distribution, which, although uncomfortable, allows me to carry out small tests and tasks in case I need to do so.
How the Capture the Flag challenge went, step-by-step
1. Warm-up challenge
The warm-up challenge was to find a text string within the main page and pass it as a flag. Easy, I moved on to the next one.
2. Steganography challenge
It is a type of challenge based on hiding information inside files or images that do not appear to contain anything hidden. Participants must discover where the information is hidden and extract it.
After the warm-up, the steganography challenge was the first “real” challenge. It consisted of a login screen with a nice Telefónica Tech logo…
3. Forensic challenge
A forensic challenge involves analysing files and systems in order to recover information (such as encrypted or deleted data) or to identify intruders, attackers or the perpetrators of computer crimes.
In this case it was a couple of supposedly dumped memory files or disk images… Having neither a keyboard nor the right applications, I didn’t even consider solving the challenge at the time, but I could always come back later if needed.
4. Web challenge
Given the above, I decided to go for the last one, the web challenge. Web challenges usually include the identification and exploitation of vulnerabilities in websites, the recovery of sensitive information or the analysis of network packets. Perhaps the most accessible without tools.
The web challenge also started with a login screen asking for a username and password. I applied a SQL injection that worked its magic and returned a list of users and encrypted passwords.
The challenge statement mentioned a control panel. I found it, but it had SQLi protection, so I couldn’t do a SQL injection. But as I had the previous credentials, I could log in without any problem. That did it, and the exercise was completed.
The keys: knowledge, methodologies and tools
At this point three challenges already had a solution, so I went to have lunch with my colleagues and forgot about the competition.
To my surprise I received an email inviting me to collect the prize for the highest score in person!
I went to collect the prize and the story of how I had won using my phone made a big impact.
The fact that I solved these challenges on the phone is thanks to having clear methodologies.
In this sense, I had the pleasure of learning from the great Francisco Martín, who always insisted on two things:
- Fat-button tools are only used when you know what they do and you are able to manage without them.
- Fuzzing is your friend: fuzz everything.
Jokes aside, I think understanding what we do, how we do it and why we do it is essential for those of us in IT.
So I would like to take this opportunity to encourage future professionals to learn, to investigate and not to remain on the surface of what we are taught. Because, who knows, maybe that will allow you to achieve things that nobody expects you to achieve.