Security Chipmunks

CTF Chronicles: Unpacking Our Wild West Hackin' Fest Experience

Edna Season 4 Episode 16

Dive into our exhilarating adventure at Wild West Hackin' Fest, where our casual visit transformed into a thrilling Capture the Flag (CTF) competition! Join us as we share our journey from team formation to victory, highlighting the unique dynamics of working as a group in high-pressure scenarios. In this episode, we discuss the preparation that went into strategizing and setting up our technical environments, showcasing the importance of diverse skill sets among team members.

Capture the Flag events challenge participants not only to excel in their technical abilities but also to think critically and adapt quickly. Our discussion reveals the real lessons learned from both successes and setbacks, where communication played a critical role in navigating the challenges faced during the competition. You’ll hear stories of camaraderie and shared knowledge as we engaged with our peers and competitors, making connections that extend beyond the event.

As cybersecurity continues to challenge professionals in innovative ways, our experiences at the Wild West Hackin' Fest provide valuable insights into the blend of fun, teamwork, and learning that defines CTF competitions. Whether you're a seasoned competitor or just starting in cybersecurity, there’s something to learn from our adventure. Be sure to subscribe and share your thoughts with us!

We are joined today by our guest, Derek Rook.

LinkedIn - https://www.linkedin.com/in/derekrook/ 

YouTube - https://youtube.com/@derekrook

Twitter - https://twitter.com/_r00k_


Speaker 1:

is from a cooperative project for acquiring skills essential to learning.

Speaker 2:

Welcome to the Security Chipmunks podcast. I'm Edna Johnson, I'm here with my co-host, Neil Smalley, and today we have a very special day. Special guest today, Rick. Rick is here joining us.

Speaker 1:

Hello.

Speaker 2:

Hey Rick, how are you?

Speaker 1:

I'm good. How are you?

Speaker 2:

I'm doing great. Thank you for joining us.

Speaker 1:

Well, thanks for having me.

Speaker 2:

Yeah, absolutely. So we had a really fun experience when we went to Wild West Hackin' Fest. We competed together on a team. Do you want to talk a little bit about that?

Speaker 1:

Yeah, well, I mean, first of all, I got to meet you, which I think was super fun, and we had yeah, we had a pretty good team. I believe you started the team. If I remember correctly, it was announced and I was there with some of my friends, some of our mutual friends. How I met you and we had not intended on playing the CTF that weekend, how I know them is actually through CTFs. We used to compete CTFs together quite a bit, so we were just kind of planning on hanging out and enjoying the conference and instead we hung out and enjoyed the conference in a very different way, through the CTF, which was a good time. Yeah, we had a blast. I forget, did you say we won Spoilers? We won, yes, we did Sorry.

Speaker 2:

Yeah, we did great.

Speaker 1:

Yeah, we did super well. I think we played well as a team. One of the things I really like about that format of CTF is that it's not just hacking all the time it gives. I think CTFs I think this is changing a bit, but I think CTFs are largely focused on offensive skills, and attack and defense really gives an opportunity for more skill sets to participate and have a good time. So, yeah, I think we did a fantastic job yeah, yeah, no, that was really interesting.

Speaker 2:

This is my first, like, attack and defend CTF competition. It was my first of this kind and, uh, that was a bit of a learning curve in itself, like what do I do? And I was really glad that I had you and Jose and others on the team that kind of knew what needed to get done. Um, I remember on Thursday, like, we found this table behind the fireplace and, like, we're just like trying to stay out of the way but, like, trying to work all together at this big table, um, getting things lit. Yeah, yeah, yeah, no, I, I think, I think one of the things, one of the reasons we weren't going to compete, is because we don't really have a, a casual competition mode.

Speaker 1:

We kind of, we either go all in or we don't.

Speaker 1:

And if your objective is to do well in a CTF, um, and in a competition, the main thing you need to understand about CTFs is that, while the CTF itself is time bound, there is ample opportunity to do work and get a head start and gain advantages outside of that time.

Speaker 1:

And so that's what we were trying to do the day before is just prep as much as we could, knowing full well that most of it was going to be thrown away. But prepping scripts, uh, debbing against the APIs, making sure that we had, um, you know, good templates set up and kind of strategy around, like how we want to handle certain things. And you know, do we want to, um, collect and replay attacks or do we just not want to care about what the other team is doing? Like having all those decisions ahead of time, sort of like incident response. You don't want to be deciding all that complicated nuance stuff, like, while an incident's happening. You want to solve as much of that as upfront as possible so you're not having to think as much, and that's kind of the way we handle CTFs as well.

Speaker 2:

Yeah, it was really good to see because this is my first time being on such a competitive team and so it was great to see how y'all work and it was quite the learning experience. And everybody had their computers all like you had everything set up for a lot of things, even like you weren't planning to compete, but you already brought your computers with the environments ready to go and everything like that, so it was a lot of fun to watch and be a part of.

Speaker 1:

I think that's a testament to how Roman and the Meta CTF team run CTFs. I've played a lot of CTFs that are very much a CTF versus a skills event. I don't know how to describe this. I didn't bring a CTF computer and I didn't have, like, CTF-specific VMs. I just had, like, my, the stuff that I do work with, um, and sometimes you have to download, like, a bunch of esoteric, like, nuanced niche tools to solve challenges, because they're very kind of on the edge of, of reality, uh, which is fun because it lets you explore skills that you don't touch a lot. But I do enjoy CTFs that are very much like.

Speaker 1:

Here is a kind of hyper aggressive version of kind of a real world sort of a thing. Like you wouldn't deal with this number of bugs in this short amount of time in real life. But none of the bugs and none of the things we were working on was this. You know out there sort of a concept. It was. You know we were in VS Code, we were in Terminal, we were, you know, writing Python and Go and you know just doing stuff, we normally do.

Speaker 2:

Yeah, I think our team. We were lucky that we had so many people that knew different languages like C and Go and Python, because some of the challenges involved those languages and I think that gave us a competitive edge having such a diverse team with a lot of experience with different technologies.

Speaker 1:

I agree, I think you know, back when Jose and Ethan and I and Sean wasn't present but Sean was part of the original group and I met Coop later. Coop was kind of part of a more recent iteration of that group. But one of the reasons we worked so well together is because of that diverse set of skills that we had. Like, I come from systems administration and systems engineering, so I know a lot about Linux and firewalls and I'm kind of a serial generalist. I got started as a web developer and then got into help desk and all kinds of stuff, so I've got a really broad background but less dev. And Jose and Ethan and Sean all come from dev backgrounds of various languages and so kind of that's the, that's the.

Speaker 1:

That is a very well put together CTF team is when you have all those diverse skills and then an attack and defense. We added people like you and we who had more of a blue teamer background incident response, soc kind of security engineering stuff which in attack and defense is just as important, if not more important, than just having pure offensive skills. Right, yeah, I mean we had. I mean obviously we had the best team of the day. There were other very talented groups as well, so that could have been very different a different weekend, but we had a very good team. We had a solid, well put together team and it's all because of that. You don't want eight people who all know the same thing, no matter how well they know that thing. You really want that kind of diverse background and experience, uh, as part of the team.

Speaker 2:

Right, yeah, so I was really glad to see us, uh, do so well and, um, and then we had our points were just off the charts, um, but it was great and, uh, uh, so it was my first CTF win and, uh. Oh, congratulations, that's exciting.

Speaker 1:

I didn't realize that. Oh yeah, thank you.

Speaker 2:

I love playing CTFs, but, like, I've never, um, been in the top, so I was like yay, yay.

Speaker 1:

It's a, it's a good feeling. It's addictive, for sure.

Speaker 2:

Yeah, I've been doing CTFs for a few years, but first time winning, so it was fun. So, yeah, and we got, we got some cool prizes, like the training that we got for 12 months and we got, one of us got the black badge.

Speaker 1:

Yeah, yeah, showed off. Do you have it?

Speaker 2:

I do have it. It's right here.

Speaker 1:

Heck, yeah, that thing's awesome, yeah, so it's always nice, it's always nice to have, you know, kind of a black badge, cause if you wear it around the conference, people, um, you know, people notice and they're like, oh, who is that? Like why, why don't, why don't? I know that person, that person must be cool. And the whole time you're thinking like, oh, they don't know, I'm just me like yeah but, yeah, no, that's awesome, that's really cool.

Speaker 2:

Yeah, it was really nice of, uh, Cooper to, once we got off the stage, he, he just had his laptop ready and he plugged it in like here's your firmware update. And I was like yes.

Speaker 1:

I was sitting next to him while the closing ceremonies were happening and he, before the, basically when the CTF announcement started. So ours was announced last because it was the main event. But as the CTF announcement started he pulled out his laptop and started working on it, so he had it like ready instantly. Yeah, yeah, Coop's a good guy. I haven't known him very long, but I'm glad I know him. He's rad.

Speaker 2:

Yeah, he's really nice. Yeah, so you know, wild West is where I met you, but I've heard you go to other conferences too. So what are some of your conference recommendations?

Speaker 1:

I think Wild West, in any of its iterations, is probably the top right now. I haven't been, unfortunately, the last couple of years since the pandemic I haven't really been traveling as much as I used to pre-pandemic, but Wild West even since the very beginning. The talent and the community that Black Hills drives and I usually credit John for this, but I mean Black Hills is much bigger than John these days and so it's one of the few places where I can go and my partner was with me for this one and she even noticed she's just like we showed up early the conference that was there before I don't even know what it was, but it was very different vibe and my partner took off to visit a friend for a couple of days and when she came back the Black Hills conference had started. And she's just remarking on, you know, everybody's happy, everybody's excited to see each other, the, the excitement levels are very high, um, you know, and the speakers are all top-notch.

Speaker 1:

There's a huge breadth of labs that you can try and skills that you can enjoy. So, uh, Wild West, any of the ones you can get to, even online, I think, are great. Uh, they keep the price pretty low, which is, I think, a boon. Um, yeah, I, you know, local B-Sides. Uh, I hear Orlando is spectacular.

Speaker 1:

One of these days I'm going to make it out to Orlando. I'd love that. Yeah, yeah, I'd really like to make it out there because I think, um, you know, outside of Vegas, for obvious reasons, uh, for Vegas, but outside of Vegas, I think it's probably the second most well-known nationally. I mean, I'm on the other side of the country, so I think Orlando is really well-known.

Speaker 2:

But any of the B-Sides.

Speaker 1:

Yeah, yeah, I mean we were talking pre-show that I'm really bad at my local community and I need to take more of an effort to participate, but your local community is what matters to you the most as far as support and professional opportunities and networking and all that stuff. So you know, if you have a local B-Sides, get involved, go. But, but yeah, I like the, I like the smaller conferences. I kind of came out of SANS so I was taking SANS classes and then I taught for them for a couple of years. But, like you know, those are much more, I think, education focused kind of events rather than conferences. So yeah, I think Wild West and B-Sides are kind of where it's at. DEF CON is just a big, you know, everybody's going to be there kind of thing, so it's good to network, but I think for sheer concentration of good events, Wild West is where it's at.

Speaker 2:

Yeah, I agree, Wild West is just. It's the kindest conference and that's the best way I can put it. If you talk to any of these people, they just become like your best friends immediately. Pretty much, they're so nice.

Speaker 1:

I think one of the ways I describe DEF CON is that it's the cliquiest conference and so it's not necessarily a bad thing. It's not like most of those cliques are exclusionary. But I've talked to several first time DEF CON attendees and they hear about how great DEF CON is but they're struggling to see it. They're like I just don't see it. It's not. I don't get the same vibes that everybody else is getting and I, one person specifically I saw, not last year but the year before. I saw them like three hours later and they had found kind of their tribe. You know, like they ran into them and once you do that, I think DEF CON can be that way.

Speaker 1:

I think individual groups are very accepting. But Wild West, like there is no clique, it's just kind of everybody is your tribe at a Wild West event. Yeah, yeah, it's a stellar environment and honestly, I've attended Wild West a couple times remotely, just in their Discord, and I think you don't get the same level of 3 am hallway conversations that you might get at the event, but it's still very active and very inclusive and you still get a lot out of it, which is, which is nice to see. It's not everybody can travel.

Speaker 2:

Yeah, yeah, no, that's for sure. And their online is great. They will send you swag and a whole badge and it feels like a great value for what you pay as a virtual attendee, because you get so much and they are very good about including you online. Yeah, John is, John is on record that he doesn't want to make money through Wild West.

Speaker 1:

Uh, so like basically all money that goes into that conference from you know, uh, attendees and everything kind of goes back into the conference which is why the prices are low and you get such good value out of it. And you know it's, it's fantastic yeah.

Speaker 2:

Yeah, all right, so you used to teach for cybersecurity. Do you want to tell us a little bit about that?

Speaker 1:

Yeah, so I started. How did that start? I spoke at a lightning talk at a SANS conference one year like blurb about how, um, how I was trying to implement like offensive stuff into my security engineering role. Uh, back before I ran offensive teams, um, and a couple of the instructors at the time afterwards asked me if I had thought about teaching and I hadn't, um, and nothing really came of it for a while.

Speaker 1:

Uh, sans is notoriously hard to teach for they. They have a very long funnel of instructor development, um, and so what I ended up doing instead was I started making videos, um, I think as a CTF write-up one time, and what I realized is that, even though I'd been in tech for 15 something years by that point 20 years something everything I knew I kind of knew how to do, but I didn't really know why those things were the way they were or what series of implications led to things being this way, which is kind of something you need to be able to do to teach, especially the way my brain works Like it's hard for me to follow along with somebody if I can't kind of derive what's happening and making those videos really pushed me, um, really pushed me to kind of learn things more in depth and I made those videos. Then I started a YouTube channel and from the YouTube channel is I got back into SANS and kind of followed through their instructor dev. But I love teaching, I enjoy pushing myself to know more, but I really love especially like as I had trouble in school growing up because either it was hard for me to latch on to things or really understand what the teacher was trying to describe. I really love it when I'm describing or trying to teach somebody a really complex topic and people are like okay, I understand, like I get it now, like I, I understand why this is the way it is, um, and that's, that's stellar. That's something I don't see enough of.

Speaker 1:

When I interview people, uh, for jobs is is, I get a lot of people that were kind of like me earlier in my career where they just kind of know if I type this in, this happens and and I know to type that in because it's doing this thing sort of knowledge which is fine through a lot of your career. But as I interview for like red team and offensive roles, like you really have to have a deeper understanding of how things are kind of built and put together so that you can be very deliberate and precise in how you apply pressure to an environment to to make it do what you want it to do. So I, I like, I like, I like promoting that sort of understanding inside of tech. So so yeah, yeah.

Speaker 2:

That's very nice, very neat.

Speaker 1:

Yeah, I'm actually writing right now. I'm writing two classes. I'm writing a Linux class, um, that's basically just foundational Linux, because I don't think enough people know it, um, but applied to security and, and things like that. And then I'm, I'm writing a, um, kind of a full stack. I call it full stack hacking, which is just buzzwordy nonsense, but basically it's, you know, if you're going to attack a web application, you should know how web servers work. If you're going to do SQL injection, you should know how to write SQL. If you're going to, you know, do command injection into a web or app like mobile app, you should understand what Linux is doing with that command that you're injecting and basically teaching penetration testing from a developer and system administrator perspective of, once you understand how this infrastructure is put together, you can make more intelligent decisions about what attacks you want to apply. You can do better at your write-ups on how to fix things, stuff like that. Very nice, that sounds exciting. I hope so.

Speaker 2:

We'll see yeah, um, all right. So I know you've told me that you are running teams and doing management things. So what are some things that like, once you got into that role of running teams that really like you're, like this is something people should know about.

Speaker 1:

Huh, I think, I think it's a lot of just what I was talking about. I think I'll, I'll be interviewing people and I'll ask questions about, I don't know, like. So SQL injection is like, let's say, the canonical example. If you've got this website, it's got a login prompt. Sometimes when we do interviews, like in-person interviews, I don't do take home stuff, but in person interviews we'll kind of do like kind of a live hacking thing where it's like hey, here's a, here's kind of a CTF that I wrote. You know, let's walk through it and you know, tell me how you're thinking about these problems. And a lot of times I'll just see people throw in like a, you know, the canonical, or one equals one SQL injection into the login field. And I'll ask them like why they did that or like what, you know, like what do, what does that? I call them incantations, because they're basically casting spells. At that point, if they don't know SQL, then they're just saying the magic words and hope that the thing falls out. But I'll ask them, like what does that do? How would you change it? Things like that. And I'll just kind of get back well, it's a login page, you put in this string and then it lets you log in. And I think people, when you're first learning, I think that's acceptable just to kind of go oh, SQL injection exists. You can do malformed SQL to make the database do weird stuff. Well, the next level of that isn't you're putting in malformed SQL, you're actually just writing SQL statements. And the more you know SQL, the more advanced SQL injection you can do.

Speaker 1:

And I think when you're learning, when people are learning, especially when people are trying to get into offensive security, you need to push past that surface level. Oh, this is how I make the thing break and push into the how does this thing work? Because a lot of times, especially internal teams, we're not testing test environments. We're in the corp environment, we're in prod, we're in these environments that you can't just throw a, you know, an automated scanner at and if it knocks something over, like okay, well, that's a problem. You know, like here's a denial of service finding that we found it's well, you knock something over and now we're losing like a million dollars a minute until that thing comes back up, right. So you have to kind of consider what you're doing and why. Also, you're doing your customers, whether they're internal or external, a disservice if you can only break the thing and you can't help them fix it.

Speaker 1:

The whole reason offensive security exists is to make things better and to improve things, not to just kick over somebody's sandcastle and laugh at them. That's not what we're here for. So I want to see more people in tech. This is not just Red Team specific, but I want to see more people in tech really drive past this. Like I'm a cybersecurity professional, I learned cybersecurity and all I do is cybersecurity.

Speaker 1:

Cybersecurity is really just kind of advanced IT and advanced development. If you're really good at IT, you're really good at software development. You don't need security because you don't have any bugs. You have all of your resiliency in place, like nothing falls over. Now that's an unattainable goal.

Speaker 1:

I'm not saying that we never need cybersecurity, but I want there to be more of a blurred line between people who do IT and people who do security, and I think that security has been held up as this like easy, high paying industry that people can just get into, where there's like jobs everywhere and we're just like throwing you know jobs out of a plane for anybody who can grab them and I think anybody who's an entry level can clearly see that's not true. You know there's a lot of competition at the, at the entry level areas, because of this this huge influx of people taking, you know, getting cybersecurity degrees and things. So I think the way that you can really stand out is don't just be a cybersecurity person like understand what you're, what you're protecting, why you're protecting it. You know what, what. What outcomes are you trying Like? Why? Why is the company paying you the money? They're paying you Like they? They're doing it for a reason.

Speaker 1:

They're not doing it because cyber security is cool. Yeah. Um, I also think, oh, red team is like over hyped, like, and obviously I do it, I enjoy it, I think it's a great job. I, I love it. But I, I see a lot of people kind of like getting into college or coming out of college and it's like, oh, I want to be a pen tester and it's like, well, I mean, great, that's good, we need great pen testers always. But I think that there's this really good PR about how cool pen testing is and I think that there is less of that PR for other areas of security and I want other people to see how interesting security operations is.

Speaker 1:

Incident response is fascinating. That's actually what I taught for SANS. I didn't teach hacking, I taught IR and incident handling, which is fascinating. It's super important. It is more high pressure and more badass than red teaming. When you get into it, it's a lot of the same skillsets. Like I want, I would, yeah, I just I want people to see the reality of security and really enjoy doing it and learning about it. Um, more than just this, you know like, oh, I saw Mr Robot and I want to do that. Like I want, I want people to care about it. I guess is what I want to see in that I interview.

Speaker 2:

Yeah, that's great. Yeah, there's definitely a huge number of people that go into you know school for cybersecurity and their goal is I'm going to become that great pen tester and I'm going to become like the next John Hammond or something like that. Because that's what they see when they go on YouTube and, you know, looking on InfoSec, twitter and all of that, it's like they see a lot of that offensive side and think that's so cool, but there's just not enough jobs for all of the people that want to do the red team. But there's still a lot of like great jobs out there, like IAM and GRC and SOC. That has a lot of demand for you know people, but it's not as um, as shiny as the red team.

Speaker 1:

Sure, but it, but it can be. I think, I think it can be. It's just like the PR for those fields aren't, aren't quite there yet. Yeah, but you know, threat hunting is super exciting, IR is super exciting. IR is literally just like facing off with adversaries, like, that's, that's incredible, incredibly exciting, you know, it's just I don't think it's marketed very well, is the problem.

Speaker 2:

yeah, yeah, no, I, no, I do, I are, I definitely agree. It is so fun.

Speaker 1:

Yeah.

Speaker 2:

It's fun when you get to kick somebody off a box.

Speaker 1:

Yeah, or when you like, when, when I mean, I've experienced this from the other side. But you know, you, you kick somebody off the box and we're like, oh okay, I guess we'll get in and through our you know back doors or whatever, and like, as we're starting to log in, those get slammed shut too. And you're like whoa, like yeah, it's, it's gotta be satisfying to to execute that kind of IR program.

Speaker 1:

So you know as long as, as long as you know, we aren't burning out our incident handlers, which I think is you know. Another big industry problem is is you know we burn out a lot of our people because, frankly, from a business perspective, there's more people lining up to take those jobs. So, like, I don't agree with the business practice, but it's definitely something we do in the industry yeah, yep, all right.

Speaker 2:

Well, thank you so much. We're glad to have had you on the episode.

Speaker 1:

Yeah, thanks for inviting me. I'm always happy to ramble at people.

Speaker 2:

Yeah Well, I wasn't rambling. You're telling us great things here.

Speaker 1:

Great, I'm glad you enjoyed it.

Speaker 2:

Yeah, appreciate you having me on.

Speaker 1:

Yeah Well, thanks so much for the invite.

Speaker 2:

Yeah, all right, this has been an episode of Security Chipmunks. Remember as you're learning, keep chipping away at it.