# Yes But No's inaugural CTF! On the 18th of November, Yes But No (YBN) organised its very first Capture-the-Flag (CTF) competition. This 2-day event saw teams from various academic institutions in Singapore, such as Nanyang Junior College (NYJC) and Singapore Polytechnic (SP), signing up to take part. YBN spent several months planning out the event, such as the challenges included as well as the infrastructure hosting the CTF itself. [We wrote about our infrastructure in a seperate blog post.](https://blog.yes-but-no.org/ybn-ctf-2023/infra) ### About the CTF YBNCTF was a 24-hour CTF, lasting from 18 Nov, 1200h to 19 Nov, 1200h. The CTF had 45 teams who signed up, with a total of 112 participants. The infrastructure was hosted on a Kubernetes cluster on Oracle Cloud Infrastructure and Amazon Web Services. For more information about the infrastructure used for this event, please refer to the dedicated blog post. The top 5 teams for this event were: 1. blÄhaj (from NUSH) 2. KKWindowsWarriors (from SP) 3. Graifons (from SP) 4. ze womanz (from NP & ASRJC) 5. joelt.io

Final Scoreboard of Top 10 teams

### ### Challenges YBNCTF featured a variety of challenges of varying difficulty levels across multiple cybersecurity domains: #### Reverse Engineering * ELF binary reverse engineering * Python obfuscation * Includes the infamous Flag Server challenge * Lua obfuscation (using Roblox Studio) #### Open Source Intelligence (OSINT) * Travelling Intern challenge series (Japan) * Extreme Location challenge series (India) * Public Transport challenge series (Singapore) * Misc. challenges #### Web Security * JWT manipulation/exploitation * Curl (command-line utility) * HTML code analysis (looking through the HTML code to find flag/flag fragments) #### Cryptography * Base65536 - A custom encoding format adapted from Base64 * Fermat's Attack on RSA #### Remote Binary Exploitation (pwn) * Buffer Overflow * Ret2Win #### Miscellaneous * LLM (Large Language Model) prompt injection * Verilog * Netcat * Excel ### Publicity

The banner that we sent out

To promote this event, YBN members sent out advertisements to the Discord channels of various cybersecurity interest groups several weeks in advance to inform others of the upcoming CTF, to encourage them to participate. In addition, we advertised on several channels including: * BuildingBloCS * NullSec * NYJC's Computing Discord
We can see that this mostly worked out well, as a large number of participants knew about the CTFs via our advertisements, some of which were in schools (such as NP (NullSec) and NYJC), and word of mouth. ## Statistics Since this is our first time hosting a CTF, we mainly targeted students.\ We had 45 teams and 114 users registered, which is not too bad seeing that we only spent about a month getting the word out. From the form responses, our participants were mostly Poly/JC students, which corresponds to the channels we had publicized in (to Poly/JC students)

Demographics of our participants

Teams were in groups of 3 or less, and of the 45 teams that signed up (some after the form was closed), 32 teams were active (solved at least 1 challenge).

Statistics for challenges and scores (with 1 hidden admin team)

Infrastructure planning had started in September, and challenges and social Media in October, we had to move quickly to spread the word while creating challenges. By the start of the CTF, we had about 43 challenges ready and had added 8 more during the duration of the CTF.
### Feedback After the CTF, we received some feedback with regards to the CTF. The feedback we received was generally positive, and participants do seem to enjoy the CTF. The CTF also gave participants quite a challenge.

Feedback on the event

Difficulty of CTF

Participants also enjoyed OSINT challenges the most, which included the Travelling Intern and Extreme Location series.
### Areas of improvement Looking at the feedback, we see some issues participants had and would like to address some of them. * 3 person team * We will consider increasing the team size for the next YBN CTF. * Quality of challenges * We will vet the challenges more thoroughly and include challenges of appropriate difficulty in the next YBN CTF. ## Acknowledgements * YBN would like to thank NullSec and NYJC's Computing Department for posting about the CTF in an official announcement. * A shoutout to those who shared about YBNCTF on LinkedIn! * [Sora ](https://www.linkedin.com/posts/sorahehe_got-top-3-in-ybnctf-2023-with-zavier-lee-activity-7131879000469098497-FtDa?utm_source=share\&utm_medium=member_desktop) * [Jun Jie (minty)](https://www.linkedin.com/posts/ongjun-jie_spent-the-weekend-playing-in-yes-but-nos-activity-7132170689050005504-t628?utm_source=share\&utm_medium=member_desktop) * Lastly, thank you to all participants, challenge creators and infrastructure managers for making YBNCTF possible. We hope to see you next year at YBNCTF 2.0! --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://blog.yes-but-no.org/ybn-ctf-2023/ctf.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.