
CTF Week Meeting 2023-03-02

Glad to have a new student who is interested in CTF; I've talked with him a little bit. Let's start this week's meeting. Don't forget that we will have our training this Sunday as usual.

Work progress tracking

  1. COMPASS CTF 2022 - 85%
  2. Topic: CTF combined with research - 20%
  3. Multi-platform promotion of COMPASS CTF - 20%
  4. New Platform GZCTF - 55%
  5. Wiki page content adjustment - 20%
  6. CTFtime program: play CTF and share - 17%
  7. New Member Recruitment - 20%
  8. Ande Cup CTF game - 13%
  9. Remedial content session - 0%
  10. Xihulunjian reproduction environment - 50%
  11. CTF from Practice to Principle - 3%
  12. National College Student Information Security Contest - 10%

What we discussed this week

  1. Topic: CTF combined with research.
  2. New Platform GZCTF.
  3. New Member Recruitment.
  4. CTF from Practice to Principle.
  5. National College Student Information Security Contest.

0x1. Topic: CTF combined with research

Discuss later after the meeting.

0x2. New Platform GZCTF

The migration and backup of most of the original challenges have been completed, and they are being deployed to the new platform. Discussion item 1: the type of challenges migrated and the positioning of the GZCTF platform.

Positioning of the new platform: used as a reproduction environment for challenges (whose official environment has ended maintenance) and for deployment and distribution of original challenges. It can also be used for internal competition activities, competitions, and new member recruitment.

Challenge migration scope:

  1. Reproduction of challenges whose official platform has been closed.
  2. Deployment of COMPASS CTF self-made challenges and CS315 original challenges.
  3. CTF team for new member recruitment.

The retention of old accounts will be discussed this week: whether to retain the original account data or to set up a new account system. Discussion item 2: Account data migration will be conducted.

  1. The old account and score information will not be retained (due to the reorganization and redesign of the score of the questions).
  2. If you want to archive your account data, we can do it manually.

0x3. New Member Recruitment

A new approach to recruiting new members will be used this semester to address the issue of basic content training taking time away from training for active members. Previously, when we did new member recruitment, we would embark on 2-3 weeks of basic content training, and it was difficult for advanced-level members to learn anything new during that time.

Therefore, this semester's recruitment will be in the form of catechism/materials + offline advanced training. I will migrate the basic content training online, and invite the whole school to attend a 3-week basic content training and lecture, after which a recruitment/in-school competition will be held to decide on new members.

The number of new members recruited this semester will be about 5.

Basic content training will be posted on a wiki and linked to online archiving platforms (e.g. social accounts or catechism sites). Sections on basic content include:

  1. Introduction to CTF basic content and future directions.
  2. The spirit of network security and how to search for information.
  3. How to install and use Linux systems.
  4. Basic program development using Python.
  5. Data forensics and information steganography.
  6. Data encoding and cryptographic security.
  7. Network attack and defense and website penetration testing.
  8. Assembly code basics and reverse engineering.
  9. Binary Security Fundamentals.

Additional information on the foundation content is provided in part as follows.

  1. Introduction to HTML/CSS/JavaScript basics.
  2. PHP code fundamentals.
  3. Program debugging using GDB and plug-ins.
  4. Docker containers and Kubernetes for container management.

0x4. CTF from Practice to Principle

The idea to write the book "CTF: From Practice to Principle" was inspired by my professor Fengwei, Zhang. From all of my personal experience with CTF challenges and events, there's always a huge gap between the beginner-level introduction and the advanced-level expert. When I started to step out of the beginner layer, it was very difficult to understand how and why some advanced knowledge.

With this difficulty in mind, I want to introduce the things you won't know when you first solve some challenges. Each chapter of the book will start with some practical knowledge and end with some difficult advanced principles. The whole book will be divided into two parts: the basic part, which you can learn by simply reading and picking up some limited necessary knowledge, and the hard part, where you need to read more about the principles, the source code, and the details of the techniques.

Being restricted by my skills, some parts of the book will refer to online websites, technical books, and research papers. I will carefully note the references when I use them, and if a reference has violated its terms of usage, please contact me and I will delete those parts immediately. Related apologies and compensation will also be discussed.

**Example reference format:**

One of the common tools for web directory scanning is dirbuster[1]. According to ...

[1] dirbuster: https://www.kali.org/tools/dirbuster/ Kali dirbuster description page, https://gitlab.com/kalilinux/packages/dirbuster GitLab dirbuster source code page

The book is written from my limited experience and knowledge structure, so mistakes and errors are unavoidable. If you find any of them, please feel free to contact me; I would be very glad to have your advice. By the way, I would like to send some presents (stickers, T-shirts, or other little things) in return. Luckily, we have an online page to host the book while I am writing it. It's also fine to use a GitHub pull request to correct any mistake.

Enough about the book writing; now let's talk about the structure of the book in the next chapter.

0x5. National College Student Information Security Contest

The National Student Information Security Competition is a large-scale network security competition recognized by the Ministry of Education and co-organized by the Office of the Leading Group of Network Security and Informatization of the CPC Central Committee, the National Information Security Engineering and Technology Research Center, the China Internet Development Foundation, and the China Information Security Certification Center. It has been held for fifteen years so far. Universities including Peking University, Tsinghua University, Beijing Institute of Electronic Science and Technology, Beijing University of Aeronautics and Astronautics, Renmin University of China, and Fudan University all conduct special training for it and participate in it.

The competition will be held in two tracks: the "Works Competition" and the "Innovation and Practice Competition". I will introduce them separately and use the 15th National Student Information Security Competition as an example to help you plan your schedule.

The 15th National University Student Information Security Competition Information Security Works Competition

Reference link: http://117.78.33.202/competition/securityCompetition?compet_id=35

I. Contents of this competition

  1. Information Security Competition

The information security works competition adopts open-ended and self-designed questions, and participants must complete the works and submit them online before the deadline. The content requirements of the entries are in accordance with the relevant provisions in the Charter of the National University Student Information Security Competition and the Entry Guide of the 2022 National University Student Information Security Competition-Works Competition (which will be published through the official website of the competition at http://www.ciscn.cn/ after the opening of the competition).

  2. Network Security Talent Innovation and Entrepreneurship Development Forum

The Security Forum contains several thematic sections, focusing on current trends and technical hotspots of the network security industry, discussing the cultivation of network security talents and innovation and entrepreneurship of college students, and carrying out colorful keynote speeches and all-around interaction.

II. Target Participants

Participants are full-time college students with official school registration nationwide. Students can form their own teams, and each team should have no more than 4 students (including a team leader). Each team is limited to one designated instructor and each student is limited to one team. The number of teams from each university is not limited and cross-college teams are not allowed.

The Forum on Innovation and Entrepreneurship Development of Network Security Talents held during the final of the Information Security Competition will be open to teachers and students, enterprises, and individuals from universities nationwide.

III. Participation Method

According to the requirements of the Statute of the National University Students' Information Security Competition and the Participation Guide of the 2022 National University Students' Information Security Competition - Works Competition, please refer to the website of the competition for details.

IV. Timetable

| Activities | Activity Phase | Schedule |
| --- | --- | --- |
| Information Security Competition | Registration and pre-tournament counseling | April 25-June 13 |
| Information Security Competition | Online submission of entries | April 30-June 15 |
| Information Security Competition | Preliminary List Announcement | June 18 |
| Information Security Competition | Online preliminary evaluation | June 25 - July 25 |
| Information Security Competition | Finalists announced | July 31 |
| Information Security Competition | Final evaluation meeting | August 19 registration, August 20 - August 21 competition |
| Information Security Competition | Award ceremony | August 22nd |
| Network Security Talent Forum | Call for topics and invitation of experts | April 25 - July 31 |
| Network Security Talent Forum | Main Forum | August 22nd |

V. Registration Instructions

  1. The online registration period for the Information Security Competition runs from April 25, 2022, to June 13, 2022, at 24:00.

  2. After receiving the notification, each university should designate one teacher as the contact person (the contact person must be the university leader) before June 1, responsible for the matters related to the competition of the university, and download the "university contact teacher registration form" (see Annex 1) on the competition website, fill in the teacher's information as required and send it to the secretariat of the organizing committee via email (including the electronic version and the scanned copy of the paper version with seal).

  3. The organizing committee will finish the qualification examination for the information security works competition on June 18 and announce the list of participants of the information security works competition. Before June 25, the contact person of each university shall summarize the "Summary Form of University Teams" (see Annex 2, downloaded from the competition website) and send it to the secretariat of the Organizing Committee via email (including electronic version and scanned copy of the sealed paper version). Teams participating in the Information Security Competition are required to pay the participation fee ($200 per team).

The 15th National Student Information Security Competition Innovation and Practical Ability Competition

I. Competition Organization Form

The competition is organized in four stages: online registration and team formation, online preliminary selection, zonal competition, and national finals. There are eight regions in China, and teams from universities in each region will advance to the national finals through the regional competition.

For more details and specific arrangements, please refer to the "15th National Student Competition on Information Security - Innovation and Practical Ability Competition Regulations", which will be announced through the official website of the competition (http://www.ciscn.cn/) after the competition starts.

II. Target Participants and Requirements

The target participants shall be full-time students (including senior high school, undergraduate and postgraduate students) with regular school registration in higher education institutions (undergraduate and senior high school institutions) nationwide, and the specific requirements are as follows:

(1) The maximum number of participants in each team shall not exceed 4, the number of teams in each university shall not be limited, and no cross-college teams shall be allowed.

(2) Each person can only participate in one team (i.e. no team can be formed with others after individual participation, and no other team can be joined after participating in one team), and one instructor is allowed.

(3) The campuses of universities distributed in different cities are regarded as different universities, and each campus can form teams to participate and be shortlisted for the divisional finals of their divisions, as well as the finals stage.

(4) Instructors must be teachers in service at the universities where the teams are located.

(5) Instructors can guide students in team formation and knowledge and skill training, but on-site participation must be done independently by participating students.

(6) The instructors are responsible for managing and guiding the participating student teams throughout the whole process, and the participation process must not violate the competition rules, attack the competition platform, system, and third-party services, or violate national laws, regulations, and public order and morals (such as team names, etc.); the organizing committee will select excellent instructors (instructors of the teams that won the national first prize and innovation single award) and give them recognition.

III. Competition schedule

| Activities | Activity Phase | Schedule |
| --- | --- | --- |
| Innovation Practice Competency Competition | Registration and coaching | April 29-May 20 |
| Innovation Practice Competency Competition | Announcement of the preliminary competition list | Around May 24th |
| Innovation Practice Competency Competition | Online preliminary rounds | May 28-29 |
| Innovation Practice Competency Competition | Divisional list announced | June 3 |
| Innovation Practice Competency Competition | Divisional competition time | June 6-20 |
| Innovation Practice Competency Competition | Finals list announced | July 1 |
| Innovation Practice Competency Competition | The Finals | August 6-7 |

IV. Other matters

  1. Important notices and instructions about this competition will be announced and notified by the organizing committee through the competition's official website and official QQ group.

  2. The organizing committee will conscientiously implement the important speeches and instructions of General Secretary Xi Jinping on epidemic prevention and control, and if the COVID-19 epidemic prevention and control situation changes, the competition format, competition time, or content of the competition activities will be adjusted in a timely manner in accordance with national and higher-level requirements. The details will be announced and notified through the competition website and official QQ group in a timely manner.

Wrap-up

We've talked about the AEG research idea about CTF this week. About the GZCTF, we've decided on the challenge categories and the data transmission rule. The new member recruiting project is ongoing; thanks for the advice on our poster. A book named "CTF From Practice to Principle" is now being written in order to give a brief idea to beginners in CTF. Lastly, be sure you are prepared for the "National College Information Security Competition" as a COMPASS team.

Looking forward to seeing you on Sunday.