Yes But No's inaugural CTF!
Organizing and Hosting a Capture the Flag competition.
On the 18th of November, Yes But No (YBN) organised its very first Capture-the-Flag (CTF) competition. This 2-day event saw teams from various academic institutions in Singapore, such as Nanyang Junior College (NYJC) and Singapore Polytechnic (SP), signing up to take part.
YBN spent several months planning the event, including the challenges and the infrastructure hosting the CTF itself.
YBNCTF was a 24-hour CTF, lasting from 18 Nov, 1200h to 19 Nov, 1200h. The CTF had 45 teams who signed up, with a total of 112 participants.
The infrastructure was hosted on a Kubernetes cluster on Oracle Cloud Infrastructure and Amazon Web Services. For more information about the infrastructure used for this event, please refer to the dedicated blog post.
The top 5 teams for this event were:
blåhaj (from NUSH)
KKWindowsWarriors (from SP)
Graifons (from SP)
ze womanz (from NP & ASRJC)
joelt.io
YBNCTF featured a variety of challenges of varying difficulty levels across multiple cybersecurity domains:
ELF binary reverse engineering
Python obfuscation
Includes the infamous Flag Server challenge
Lua obfuscation (using Roblox Studio)
Travelling Intern challenge series (Japan)
Extreme Location challenge series (India)
Public Transport challenge series (Singapore)
Misc. challenges
JWT manipulation/exploitation
Curl (command-line utility)
HTML code analysis (looking through the HTML code to find flag/flag fragments)
Base65536 - A custom encoding format adapted from Base64
Fermat's Attack on RSA
Buffer Overflow
Ret2Win
LLM (Large Language Model) prompt injection
Verilog
Netcat
Excel
To promote this event, YBN members sent out advertisements to the Discord channels of various cybersecurity interest groups several weeks in advance, to inform others of the upcoming CTF and encourage them to participate.
In addition, we advertised on several channels including:
BuildingBloCS
NullSec
NYJC's Computing Discord
This mostly worked out well: a large number of participants learned about the CTF through our advertisements, some of which were in schools (such as NP (NullSec) and NYJC), and through word of mouth.
Since this was our first time hosting a CTF, we mainly targeted students. We had 45 teams and 114 users registered, which is not too bad seeing that we only spent about a month getting the word out.
From the form responses, our participants were mostly Poly/JC students, which corresponds to the channels we had publicized in (aimed at Poly/JC students).
Teams were in groups of 3 or fewer, and of the 45 teams that signed up (some after the form was closed), 32 teams were active (solved at least 1 challenge).
Infrastructure planning started in September, and work on challenges and social media started in October, so we had to move quickly to spread the word while creating challenges. By the start of the CTF, we had about 43 challenges ready, and we added 8 more during the CTF.
After the CTF, we received some feedback from participants.
The feedback was generally positive, and participants seemed to enjoy the CTF. The CTF also gave participants quite a challenge.
Participants enjoyed the OSINT challenges the most, which included the Travelling Intern and Extreme Location series.
Looking at the feedback, we saw some issues participants had, and we would like to address some of them.
3-person team
We will consider increasing the team size for the next YBN CTF.
Quality of challenges
We will vet the challenges more thoroughly and include challenges of appropriate difficulty in the next YBN CTF.
YBN would like to thank NullSec and NYJC's Computing Department for posting about the CTF in an official announcement.
A shoutout to those who shared about YBNCTF on LinkedIn!
Lastly, thank you to all participants, challenge creators and infrastructure managers for making YBNCTF possible. We hope to see you next year at YBNCTF 2.0!