
Uh, thank you and welcome all, and thank you for choosing to be here, especially on such a nice sunny afternoon, which is not too common in the area, so I truly appreciate you guys and girls being here. Uh, just a quick introduction: my name is Andres. I've been considering myself to be a cyber fossil; I've been doing it for about 20-odd years by now. I've done everything from blue teaming to red. I'm currently working as a solutions architect at Mandiant, and I'm also a CTF player slash challenge creator. Uh, I volunteer with the Biohacking Village with DEF CON, trying to help run their CTFs and running some new challenges for the competitions they're doing
in the summer. I'm essentially here just to talk about what capture the flags are and why I encourage people getting involved with them, and also highlighting the main reasons I see lots of people don't want to get engaged in CTFs, lots of the reasons I had myself as a mental block as well before I started, and just to supply some resources to anybody who would like to get themselves involved in the fun and immersive world of CTF games. I don't know if anybody here has played CTFs before or is actively playing. Uh, if you did, then some of this may not be too beneficial at this stage, but, uh, hopefully it can be some information for all parties
involved in the room. So why I personally recommend getting engaged in CTFs: the biggest side is I do find them a great experience to learn new skills and new talent, especially if you want to get engaged in a certain part of the hacking or red teaming part of the world. But it's also great if you're working as a blue teamer to actually understand how some of these attacks work in real life, because it's easier to defend if you know what you are trying to protect against, and I find CTFs to be able to give you the opportunity to start learning about these. I also do find them awesome for building persistence as a skill,
by which I mean I remember multiple times banging my head against the wall at 2 a.m. in the morning, trying to go down yet one more rabbit hole, and I also had situations when, after possibly a week of trying to solve a challenge, I eventually thought I found the solution when I found the flag, which ended up just being, uh, a redirect to a Rick Astley YouTube video, which again resulted in me trying to bang my head against the wall a few more times. But, uh, never give up, and it's a great way to learn that skill and to keep going regardless of what the outcome is. Um, I do find the social side being beneficial. Uh, you may not tell, I have quite a bit
of social anxiety, so I'm not great with meeting new people or standing in front of people. I'm trying to work on it, so it's also a good way for me to find new like-minded people. In the CTF world I met lots of new friends and lots of new people through just playing challenges and working through some of the experiences. And essentially I find them fun, to be fair, and that's the main thing: it's a good way to have fun and learn something new, and again it just gives it an extra buzz at the end of it. Again, what CTFs are: I think most of you in the room know, but essentially they are competitions where you are
trying to either solve a puzzle, uh, or break a system and trying to get the flag at the end, which proves that you managed to achieve the set requirement. Or there's also a different type, when you are actively doing an attack-defense type, but that's when you've got two teams trying to fight against each other, trying to take over each other's machines and keep against. So what were my main reasons why I didn't want to get into CTFs at the beginning, which stopped me for years from playing, and which I also found lots of people I speak with who are new to the environment struggle with the same? And again, apologies for the X-Men, ah,
while I was a comic and I wanted to have the chance to finally use Comic Sans as a lettering in a professional environment, which gave me a chance to do so. One of the main reasons I found is people have an issue of being worried: if they try CTFs, they try to enroll on one, and it's like, okay, what if I won't be able to solve any of these challenges? Which is a possibility, but there's lots of beginner-friendly ones out there which help teach you, and being afraid of failing should not stop you trying it, so it's one thing which you can easily get away with. Again, people normally believe that
everybody else who is playing CTFs must be more experienced than me, so I don't wanna fall out of line, I don't wanna look stupid. But again, everybody has to start somewhere, and the community is absolutely encouraging, and you never have the issue that people will try to look down on you in either way. Again: oh, all the people who play, they know how to hack, I don't, I don't really want to be there, it's not for me. Which is, again, most of the CTFs that you can find will try to build the challenges in a way to help you learn, and if you get stuck you can always engage with the community, you can work together in groups, and
you always find help from people who are trying to play the same game. So again, being afraid of not knowing how to hack or being afraid of people being more experienced should never stop you from starting, because it's a friendly world and people just want to make sure people are successful overall. And as a last one: even if I wanted to play the games, I possibly don't have time, which is a standard excuse I heard from lots of places. I had the same excuse myself plenty of times. And even if I have the time, I don't know where to start, because there's just so much information out there; it's hard to find where to start because there's millions
of different pages and resources and videos. So again, hopefully for anybody who wants to get engaged in this world, I'm trying to give a couple of useful resources where you can start, which can give you a good chance just to get engaged, really. So back to that question: where do you start? Uh, one of the biggest issues I had: I was afraid, being in cyber for 15, 20 years, I didn't want to look stupid in front of people by enrolling myself on one, so I made up a fake persona, uh, Charlie Fearful. You possibly wouldn't know him unless you watch late-70s Italian comedies. So again, if you're afraid of being
exposed, then, I don't think I was making fake personas, I use them for OSINT collection for different projects, but if that's the issue, just make one and enroll under absolute name. I recommend having a virtual machine or some method to play through, because I just don't like exposing my host machine. So there's lots of great tools out there which are pre-built with dozens of tools which you can use for some of these activities. You've got Kali or Parrot for the Linux side, or if you prefer to go with Windows you can use Commando VM as well, which is a great selection of tools which you can use as a base system to start your
experience without the need to build something new. And again, the best way to start: just pick one and crack on, really. Like, there's no better way than just to try to get your hands dirty and fail and fail and keep going; eventually you will succeed and you will enjoy it. But essentially stop putting it off, stop blaming it on time as I did for a long time, and just get in. Uh, some resources, especially if you're a starter in this environment, to go with: uh, overthewire.org is an awesome web page where you've got lots of different challenges from beginner to advanced, with explanations and with guides for running through. So if you want to get immersed, if you've got
no, even with no red teaming experience, no hacking experience required, basic knowledge of OS would be sufficient, which I expect most people who are here would have way more than that, but you should be able to easily learn more skills. CTF Hacker101, again, I found as the second great resource. Those were the two I used when I started, and I can certainly recommend them for anybody who wants to get engaged in this. And Discord: again, I would assume lots of people in the room have Discord access and Discord accounts, but most of the community can be found, in most of the CTFs, on different Discord servers, so it's a great place to try to find people who are like-minded,
trying to find new teams and trying to build new connections and trying to engage with like-minded people. And some additional resources you can potentially use as well, which can be beneficial once you've started, which can give you a great set of additional skills in my mind: uh, PortSwigger, the company behind Burp Suite, has a great online academy which is again free. Again, most of the resources listed here are either free or have a free version, but PortSwigger is a great one to learn all the different web exploits and try them in a safe environment without having to worry about any legal complications of trying and hacking. I also find TryHackMe and Hack The
Box equally as beneficial. TryHackMe is aimed slightly more at the more beginner-type users, so if you're trying to get engaged on it, they've got three different sections, different rooms you can learn from. They've got the free tier, but they also have an option to, uh, have a subscription-based method where you get access to a few more features, but again, I'm not here to encourage you to buy anything, so I'm not going into details on those. Uh, Hack The Box I do find a bit more advanced than TryHackMe and the rest, so once you feel comfortable enough, once you've played a few, uh, CTFs, uh, and you want to engage in a bit more depth, you want to have a
bit more serious challenges, then Hack The Box EU is again an awesome resource to use, which I use, most of these, as of today as well in most of my activities. Most of these CTFs are online; they're accessible 24/7. You don't need to, uh, wait for a certain time of the year, uh, but some of these CTFs which may be running could be time-based. They do different CTF competitions for Black Hat, DEF CON and any major conferences. If you want to find any online attacks and attacks CTFs, ctf.org is a great place to go, which lists all the available upcoming CTF challenges globally, so again you can find your local, find your remote fun, and, uh, find one to play with.
Uh, again, I recommend to start with the Jeopardy-style ones, which are more puzzle-based, more giving a single attack scenario, but once you've built your network, once you've got your social side and you've got some teams to work with and you want to get on a more challenging part of it, it's always fun to engage in the attack-defense type scenarios. Uh, I put GCHQ CyberChef, which again some of you may be aware of, especially GCHQ being local to the area. Uh, their CyberChef is an absolutely awesome tool in my mind, and it's great especially for CTF challenges, to reverse anything and work on any encryption or
other type of challenges which could have, uh, solutions. As the last one, I included, uh, KringleCon from SANS, purely because it was the one I started with about a couple of years ago. It's a Christmas-based CTF; uh, it's normally on in December, so if you want to play that one you have to wait, uh, but it's an absolutely awesome challenge, I find, which has almost accompanying videos for some levels, starts with beginner-level challenges to expert level, so you can find equal challenges for all levels based on what you want or what you want to achieve. And as for what's next, a couple of closing words from my side: if you haven't played yet, please, if you
can take away one action, go play. I love the community, I love CTFs, and that's the reason why I decided to promote and try to get more people in the industry to get engaged, because I think this is absolutely awesome. If you do play, engage with the community; don't just try to solve everything on your own, try to work as a team, try to work and try to find new friends, I would say, which I was lucky enough to. And just respect as well with the community: if you do work with CTFs, don't try to post flag solutions, don't try to search or Google for the flag itself, but try to find the way. Uh, it's the journey you want to enjoy,
and the journey is the learning curve you want to enjoy, not just having the solution. Again, as I said, persistence is required, and persistence will be built during these challenges, so just don't give in, keep going. Even if you think that it's not gonna work, even if you think you've been doing it for a while, just walk away, have a coffee, but then come back and try again; have a sleep, try again. Go until you find a solution, or at least try, and, uh, yeah, try to have fun in the process, because in my mind that's the biggest part. Especially finding the flag at the end of two, three hours, two, three days, it's just a massive
buzz for me, and it's just an absolutely awesome experience. As I mentioned Discord, feel free to reach out to me as well; you will find me as Charlie Here Pro, with the lovely gentleman's picture from the movie. Uh, almost the same, just a bit more beard required. But it's really just, uh, go and play and have fun, hopefully. That's all from my side. If you want to reach out, feel free on LinkedIn, Twitter or Discord. I would be available if you want to have your first game, you want some help; again, feel free to reach out. You will have a team; reach out, happy to join up and happy to play together, really, and just, uh,
trying to be helping people any way possible to, yeah, just get more immersively engaged in it. Uh, that's all from me. Any questions, let me know, but otherwise thank you for the attention and thank you for joining this afternoon.
[Applause] Okay, so the question, just to repeat, I assume we possibly heard, but being asked to repeat, is what potential encouraging things could have been said to me to engage earlier than that. Uh, I think one of the biggest ones for me was not to care about the results, not to care if you fail, because nobody will laugh at you, nobody will start pointing fingers, and that's, I think, that's what I find is a big block for lots of people: that they don't want their reputation to be badly affected by, people would expect, okay, I've got these classes, I've got this knowledge, I should be able to just respond to everything like
this, and when you get there and you can't get the, just to be scared in my mind, and I was scared. So on those levels, if I would have understood it earlier, I would have enrolled earlier, or in my case eventually came up with my fake persona, which again I'm not going to encourage people doing so, but you're not doing it for catfishing people, so you may as well. And I think it's more as well to try to concentrate on the social part of it, and trying to concentrate to maybe encourage them to join as teams. Like the CTFs we do sometimes help supporting with universities, we normally try to encourage them from the
organizers' point of view as well by setting a challenge, almost, to try to, if you're coming from a uni, try to join at least with two-people or three-people teams, in which case, once you've got somebody else in a team with you, you are more likely to actually do it, because if you just enroll yourself as a single person you will be like, I can't be bothered, I'm hanging out at the pub or whatnot. When you've got people relying on you, or when you've got more visibility, you are more likely to stand up and to be there for a team. So I do find highlighting the team aspect of it,
especially at unis, is beneficial for encouraging people to actually engage in it. No? Thank you. Yes?
or
Now again, the question was the resources for beginners to start with, because there's just too many out there. Uh, yes, I would say the ones I would go back to from the first slide on that. Like, there are, as you mentioned, millions of them out there. If you want to try at least one from the ones listed, I would personally go with overthewire.org as the one to start with, because I think they have a good bunch of different challenges and have a good way of going from an easy option, from a complete beginner, to almost a more advanced, so it's catering for all parties, so you've got like almost a full
learning curve. The only other one, maybe, which can be beneficial for a starter for CTFs is the PortSwigger academy, which I found equally as useful, because they concentrate mainly on web-based attacks, uh, with cross-site scripting and injections and such, but a large chunk of CTFs are based on those kinds of activities at the beginning. So again, going through the academy, which has a fairly organized way based on attack types and attack scenarios: you have a description of what the vulnerability is, you've got a demo platform where you can try it, and you also have a step-by-step way to explain how that works. So I would say the combination of Over The
Wire and PortSwigger would be my recommendation personally for somebody who is an absolute beginner in the area. Thank you.
If there are no more questions, then again thank you for the attention, and have a great afternoon and enjoy the rest of the sessions.