Security Chipmunks

Cyber CTF Adventures: Black Badge and Priceless Lessons

Edna Season 4 Episode 15


Welcome to the Security Chipmunks podcast, where we talk about the development of cybersecurity skills. To stay up to date in today's world you need to be resilient. That's why, as Advanced Persistent Chipmunks, we keep chipping away at it.

Step into the exhilarating world of cybersecurity competitions with our latest episode as we dive into the highs and lows of Capture The Flag (CTF) challenges at Wild West Hackin' Fest. Our team scored the coveted first-place title, but it wasn’t just about winning; it was an adventure filled with learning moments that every aspiring hacker should experience. From unforgettable team camaraderie to the rapid pace of competition, we share firsthand stories that showcase the thrills of testing skills against some of the best minds in the field. 

We discuss the diverse types of challenges encountered, reflect on the importance of preparation, and emphasize how automation can streamline the competitive process. Whether you’re a seasoned pro or a novice intrigued by cybersecurity, our conversations serve as valuable insights into the CTF landscape. One key takeaway is the power of teamwork and collaboration, helping us troubleshoot and innovate amidst the pressure. 

Join us as we not only celebrate our achievements but also provide valuable advice on how to get started in the world of CTFs. Don't let hesitation hold you back—embrace the excitement and dive into this immersive learning experience. Join us on this journey and expand your cybersecurity skills today! Remember to subscribe, rate, and share the episode with fellow cybersecurity enthusiasts!


Audio track:

is from a cooperative project for acquiring skills essential to learning.

Edna Jonsson:

Welcome everyone to the Security Chipmunks podcast. Today we're going to be talking about getting started with cyber CTFs in 2025. And we have our hosts, Edna Jonsson, Neil Smalley and Patrick, and our guest today is Wheat Aaron Fillmore.

Aaron Fillmore:

All right, glad to be here.

Edna Jonsson:

Yeah, absolutely, thank you for joining. So three of us went to Wild West Hackin' Fest earlier this month, right?

Aaron Fillmore:

Oh yeah, it was way too much fun.

Edna Jonsson:

Oh my gosh, it was wild. I had so much fun. We did compete in a CTF. I just want to start off with that, right off the top, and we were amazing. Our team, Shall We Play a Game?, placed first. We had double the points of the team behind us and we went home with this beautiful black badge from Wild West Hackin' Fest. So our team got first place and won that.

Aaron Fillmore:

Oh, we also got the... I'm so glad I have this in arm's reach. The trophy that is anatomically correct, might I add. Was not expecting that. I won't show it, but I looked at it, I looked behind. I was like, okay, someone had fun with that.

Edna Jonsson:

I did not look that closely.

Aaron Fillmore:

They're hidden a little bit. I'll just send you a picture later.

Edna Jonsson:

Yeah, thanks. Oh, that's funny. Yeah, so we competed in a CTF. So what were some things that were lessons learned?

Aaron Fillmore:

Oh, man, a lot. I learned that there's a lot that, uh, I don't know. I mean, obviously, you know, there's always that aspect, but, um, it was kind of nuts, listen. Um, you know, some of the, uh, other guys, you know, Derek, him talking, I'm just like, holy crap, I can't keep up with this, like this guy's next level talking about some stuff, and I'm just like, yeah, I think I can do that sort of thing.

Edna Jonsson:

But yeah, it was an amazing opportunity.

Edna Jonsson:

Yeah, it was an amazing opportunity. I'm really grateful that we had such an amazing team. Like, Derek and Jose and others are incredible CTF players and I just felt so honored that, like, they would include me on a team. And then you and Patrick joined. I was like, this is like the dream team, and I was like riding this high the entire time, like, oh my God, I'm surrounded by incredible people. I'm learning so much. Yeah, and they were just, you know, all these challenges and, like, what do I do next? And, um, for me, like, the dopamine just kept going, so that was fun. Oh yeah, yeah, it was amazing.

Aaron Fillmore:

The, uh, um, just like that kind of high tick rate, just like boom, boom, boom, boom, boom, like, okay, there's this, there's that, and it's, oh crap, I see this in the logs. Like, there's a lot of flags coming out, and then, especially with the Nginx, it's like, do we implement this? It's like, let's do the math. It can't mathematically win if we just don't roll dice with taking down the entire infrastructure. Yeah, but it was, it was a lot of fun, like the experience of trying to figure out how are we going to do this with, like, nfx and filtering things out and trying to, you know, work it down. Um, yeah, it was.

Aaron Fillmore:

It was a lot of, uh, my brain was a little mush after that, but, uh, well worth it for sure. Really, it's funny, like, what I really realized about the CTF, because I will admit I am really kind of like a newbie at the attack-defend style of CTFs, right? Um, I was really starting to see how the power of automation can be applied to the red team side of the house, right, with some of the code and the infrastructure that was put up by our team to automatically go out and grab flags and then submit them and things like that. And I was just sitting here thinking in my mind, like, now imagine doing that with, like, known bad vulnerabilities against people's infrastructure, and, like, this is just crazy how you can do this, you know. Oh yeah, that was nuts.

Aaron Fillmore:

How like we were sitting there. It felt like it was 10 minutes in and someone's just like cool, so I automated this exploit here. I'm just like you what? They're just already sitting there ready to submit flags and the Discord channel starts and flags start flying in left and right and we're like whoa, that's nuts, yeah.

Edna Jonsson:

So the entire day before Thursday the five of them were just like huddled together over computers. I was trying to pay attention to what was going on but it was kind of going over my head a lot of it against those services and how they can jump in and start fixing things and patching right away and examining what scripts they could pre-prepare. They had stuff ready that they didn't use because it didn't apply, but there was so much preparation that went into that.

Aaron Fillmore:

Like there was so much preparation that went into that. Yeah, it was. I felt bad 'cause I wanted to be engaged more on that day before, but I was so focused on, uh, um, what was it? The, uh, I think it was the extra flags or whatever. Um, on the website I was like, I have to, or it was the, uh, other, um, it was the other, the MAC address captures. Like, I have to figure out the last couple or whatever, walking around with the Pineapple sniffing MAC addresses. Yeah, it was that little badge CTF stuff. The first time I'd ever done a hardware hacking badge challenge like that. It was a lot of fun. I learned a lot.

Aaron Fillmore:

Yeah, that's kind of like the great thing about, um, like, the Wild West Hackin' Fest competitions. Uh, there's always like multiple, uh, CTFs. So, um, Jason from, uh, Red Siege, he was doing, uh, a vishing, uh, CTF. I'm not sure if you guys took part in that or not, uh, but it was really interesting. Did you?

Edna Jonsson:

It was really fun.

Aaron Fillmore:

It was so fun. Yeah, and then, um, there was also like the Jeopardy-style, uh, CTF that took place, right? And didn't you do pretty good in that, Aaron?

Aaron Fillmore:

Yeah, yeah, I managed to take, uh, take second place and, oh man, I was sitting in, uh, I felt bad so I wasn't paying attention in a couple of workshops, because as soon as that thing opened up I was like boom, knocking things out, and I was sitting in first, and then suddenly bad wolf just comes in halfway through, goes straight up, and I was like, who, where, what? I don't know if he's flag hoarding or what, but he passed me and I'm like, oh, I'm not getting that back, like the best I could do is fight for second. Yeah, it was a lot of fun too. Yeah, that was amazing to see that.

Edna Jonsson:

Uh, I think that was a high school student, that one. Oh, for the badge one, yeah. Oh yeah, no, I'm sorry, I meant the Jeopardy. Was it, um, bad wolf?

Aaron Fillmore:

I don't know if he's a high school student. I mean, if he is... I know I'm getting the CTFs confused. I'm talking about the Jeopardy one. Yeah, I know, um, the guy who took first, um, ladder logics I think is what he goes by. Yeah, he was saying that he basically took a week off of high school to attend.

Edna Jonsson:

And.

Aaron Fillmore:

I was like, that is freaking amazing. I love that for him, that he's able to not just take time out of high school to go compete but to kick ass. Like, him and I were sitting there battling and they got pissed off at us because we were doing some of the challenges before the actual conference started, and they reset our scores and said chill the hell out. Apparently they sent him an angry DM, and when I went and asked about it they were like, you can do the badge ones, the infrastructure stuff that you've fricking done, stop.

Edna Jonsson:

Yeah, yeah, nice. So, other than like showing up and doing awesome at multiple CTFs in one conference, how have you? What has your learning journey with CTFs been like? How did you get started?

Aaron Fillmore:

So I, one of my favorite things I like to tell people is that I was kind of engaged in a multi-year CTF with my father. For context, he was the program director for the Marine Corps PKI infrastructure implementation for data centers. So he was aware of the dangers of the internet and what was out there. Granted, my threat profile as a four-year-old, um, was not that of the United States Marine Corps. However, you can imagine there's probably a little bit of overlap there. Um, so when we got our first computer, um, you know, Dell, the gray Dell, dark gray Dell, the massive CRT monitor, um, uh, from then on, he spent a lot of time, you know, putting technical and administrative controls, if you will, in place to protect me from stuff, and I was like, how about no? There we go, okay.

Edna Jonsson:

So you had an interesting way of learning, yeah.

Aaron Fillmore:

Yeah, yeah, it was definitely, um, uh, trial by fire or, I guess, um, a lot of trial and error.

Aaron Fillmore:

I should say. Um, but, uh, I think one of the things that, uh, really helped a lot too, and one of the things that I like to tell people to do is, um, you know, get involved with, like, communities and whatnot, uh, with other people. Uh, 'cause there's so much that can be learned from others. Everyone has different backgrounds and experiences. So, especially a team game like that attack-defense CTF or like NCL or whatnot, especially like NCL, you get a good team of different perspectives and experiences. Oh my gosh, you could do really well, and we almost got so close to that. Um, that top five, uh, well, top, yeah, had I not... I was missing four letters. Had I got those four letters, then I think we would have been top four or five for the NCL team game last fall.

Aaron Fillmore:

But we're coming back to reclaim that position, hopefully.

Edna Jonsson:

Yeah, well, I'm hopefully going to be on a team with you, oh yeah.

Aaron Fillmore:

I'm going to cry. I'm pretty sure you will be. I would be shocked if you weren't.

Edna Jonsson:

Yeah, last year we did really well when we were on a team together.

Aaron Fillmore:

Oh, yeah, yeah, because I think I was in Denver again, ironically during the team game and I felt bad because I was like I can't participate. But I was really thankful that you guys let me hop on. I was glad I was able to get that last web challenge. I don't think we had a lot of time left and I was like what if? And it just happened to be it.

Edna Jonsson:

I was like oh my gosh yeah that was amazing, great time. That was fun. So what is your favorite CTF type of challenge?

Aaron Fillmore:

Ooh, I'd probably have... It's a toss between, I'd say, OSINT and forensics. I like the challenges with OSINT, especially the CISA Update 1 challenge that they had in NCL. Man, that was rough, but it was so satisfying when you got it. The tree, they had a picture of a tree in a building. They're like, what's the ID for this tree? And everyone's like, has PTSD still from that. Um, but it's something about that, like that end goal sort of thing and just navigating through the maze until you get it, and it's really addicting, um, especially with forensic challenges.

Aaron Fillmore:

Uh, like memory dumps and all that. Um, I know a lot of people don't like them, which I I get, because it can be kind of cumbersome to work with, especially like multi-gig memory dumps. And thank God they're not giving out like 16 gigabyte memory dumps because those are really painful. But they're just, they're a lot of fun and admittedly, I'm sure part of that is because that forensics is kind of my background, so I've got experience doing it. But yeah, it's just, they're a blast. I love those ones. What about you guys? What are y'all's favorite categories? Everyone's got to have a favorite, I'm sure.

Edna Jonsson:

I like crypto. Those are fun. Getting to figure out, what is the cipher, what are we deciphering here? Those can be really challenging too. Oh yeah. I also love OSINT. That is so fun to find things. I like going down the rabbit holes and all the pivots until you're like, oh, there it is, there's the thing that I've been looking for. I found it. Oh yeah.

Edna Jonsson:

How about you, Neil or Patrick?

Aaron Fillmore:

I'm a fan of a lot of the ones that I guess, like, they're the exploit category, right? So, you know, some CTFs will give you like a buffer overflow to do, or here's the source code, you know, figure out how to do this type of thing. So that's always to me pretty rewarding once you're able to do that and then get the flags from it. So, uh, that'd probably be my, like, number one favorite thing to do. Nice, that's.

Aaron Fillmore:

Those things are tough. I I hate those ones. I'll be honest, mainly because I'm bad at them.

Aaron Fillmore:

Well, I'm not great at them either, but I love the challenge, right? It's like a secondary one will be crypto, right, because it's the puzzle to it that I love.

Edna Jonsson:

Nice. All right, Neil, what's yours?

Neil Smalley:

Miscellaneous just because you never know what you're going to get. Half the time, people don't know what category to put challenges in, and so they end up under miscellaneous, and so you can get all sorts of different ones under there.

Neil Smalley:

I would have to say that and just stuff I haven't come across before, so probably a lot of, like, the pwn stuff or whatnot. I haven't necessarily done as much, but anything that forces me to learn, right? So if I haven't done something, it forces me to learn something, and that's all to the good in my book.

Neil Smalley:

Very cool. I just love seeing the different creative and interesting things people come up with, or different, uh, things. Oh, I will say, one of the... I guess it would fall under crypto categories, but some of my favorites have been the ones where it's like a whitespace encoding or something like that, or like just spaces or whitespace or various, like, Unicode stuff wrapped around everything else. Yeah, definitely has been interesting, like those od level challenges where he comes up with something and you're like, what?

Neil Smalley:

That's a little bit different than what I was talking about. That's more... Oh, gotcha. od is in his own category. I felt bad.

Aaron Fillmore:

He sent me some challenges and he was like, what do you think about these? I'm like, I'm gonna be honest, dude, I don't know what I'm looking at. Like, I genuinely just had no freaking clue.

Neil Smalley:

I honestly felt like he would do better, like, if those challenges were, like, in one of the more serious ones that prep you for DEF CON or something. Honestly, oh yeah, the difference between going to, no offense, like the cyber info CTF, and then going to, like, I don't know, like the Plaid Parliament of Pwning, uh, CTF is going to be a world of difference, and you just kind of set your expectations differently.

Aaron Fillmore:

So, oh yeah, yeah, his challenge was like a... I'm pretty sure I rated it like very hard or insane or something like that, and tacked a lot of points onto it, because I was like, I don't even know how to solve this one, man, so somebody with way more experience in CTFs than I have. So, oh yeah. And I mean, like, if you look at some of those, it's pretty insane.

Neil Smalley:

Probably one of my favorite ones I've seen, um, I think it's like from an old one, from a CTF, where they had like a robot arm writing with, like, the laser pointer that wrote the flag out or something like that. So to decode the flag, you had to, like, decode the movements of the robot arm, but that was a fun one to read out. That is so cool.

Aaron Fillmore:

Oh man, I got to find that now.

Edna Jonsson:

Nice. All right. So for the final question: if you were to start again today and you knew nothing about CTFs and you were starting fresh, where would you start learning to prepare for CTFs?

Aaron Fillmore:

Oh, I think for me personally, and I know a lot of people learn differently. However, I'd say it, probably, I feel like the vast majority of people that are in this industry probably learn in a similar fashion, by doing. I think that that's probably where I would start, is just dive in, and I've seen a lot of people be kind of averse to that, where they say, um, like, I don't think I'm there yet, or I need to learn more, or this, that or the other, and I'm like, well, how, what is... There's never going to be the right time, there's never going to be a light switch that trips in your head where you're like, I'm now at a point where I can, you know, do a CTF. Um, you just have to go do it, just hop in, try it. Even if you don't complete the challenge, if you learn something new, um, that's ultimately what matters. Like, you know, there's obviously the competitive aspect, which is fun, um, but the benefit is really learning something new and taking something away, especially if you can apply that practically, which there are plenty of challenges where you can't. You're not going to be decoding SSTV signals in a SOC, and if you are, maybe you're working for NASA or something like that, I don't know, but just the process of figuring that out and learning something new, that's beneficial.

Aaron Fillmore:

So I would, I think, if it was, I would try to, you know, like, get on picoCTF or just whatever the case may be. Ask, like, can I join someone? And even, I think it was either yesterday or today, someone was talking about how, um, uh, they were messaging me about something and, uh, they had seen our posts on LinkedIn about Wild West Hackin' Fest. And I'm like, yeah, I, it's fun, you know, living vicariously through year or whatever. And I was like, what do you mean? And, uh, he's like, well, I don't remember specifically what he said, but the general sentiment was that he's just not there yet with CTFs. And I was like, I think you're wrong. If you can learn how to Google, you can do a CTF, um, and contribute on some level. Like, you don't have to be sitting here swinging hammers around and knocking out challenges left and right. Um, even just being there and having a different perspective, uh, on something can be the thing that completely changes a challenge. Like, uh.

Aaron Fillmore:

In a specific example with NCL, I was, uh, Odie and I were sitting there banging our head against the wall trying to extract, um, something out of a memory dump, and then someone was like, well, someone else said something about a keylogger, and we went, okay, hold on, and dumped out the memory of a Python process and, sure enough, there were the key presses and whatnot.

Aaron Fillmore:

And had they not said that, and they're not a forensics person, but it's just another thought, and had they not said that, we probably would have still been trying to dump that crap out to this day and not figured it out. So I think that's a big thing, is just, don't be afraid to, um, to ask or to, uh, you know, involve yourself, um, which I know is a lot easier said than done. Uh, I think there's probably plenty of us in this industry who find it hard to put yourself out there, and I'm definitely one of them, and go talk to people and, like, hey, can I join you, because I'm like, I don't want to impose, but, uh, I think there's a lot of benefit if you do, and the right people, who you do want to be around with, uh, who you do want to be around, will have no problem helping you out and involving you in some way.

Edna Jonsson:

Very nice, that's good advice. Thank you, I try. All right, this has been an episode of Security Chipmunks. Remember, as you're learning, just keep chipping away at it. Thanks for listening in. Make sure you like and subscribe and we'll see you next time.