i-HACK 2022 [BLOG]

So, I participated my first Attack & Defense CTF competition in Malaysia.

🥇 Credits

Before starting the iHACK journey, firstly, huge kudos to two of my solid teammates @WesleyWong420 and @redeeF for their contributions throughtout this competition. Secondly, I would also like to appreciate Asia Pacific University of Technology and Innovation (APU) for supporting our students’ financial aids. Thirdly, as an iHACK Player, let me give a special thanks to Malaysia Armed Forces (MAF), Velum Labs Sdn. Bhd., and Sapura Secured Technologies for sponsoring this competition and making this event possible.

👍 Let’s GO!

Let us start with a quick intro regarding the flow of the event. In this event, two separate rounds were involved which are the qualification round and the final round.

Qualification Round

It is a 7-hour Jeopardy-Style Capture-the-Flag (CTF) baseline which started at 10 a.m. and ended at 5 p.m. on 10th December 2022, held online where each team need to compete the top 20 by solving a variety of challenges in order to proceed to the final round.

Final Round

It is another 24-hour CTF competition based on Attack & Defense Style, and it was held on the 19th & 20th December 2022 at Ministry of Defense (MinDef), features a diverse set of mixed challenges from various security categories such as forensics, web exploitation, offensive and defensive strategies with the number of points awarded for submitting a valid flag varying according to the challenge difficulty. Players who proceed to the finals need to head to the stated location to compete physically.

🚩 Obliterate the Quals

As more and more online CTF competitions were joined by us over the past 2 years, we have enough experiences to secure the top 20 easily. However, only 2-3 teams in the same university are able to join the finals according to the rules which creates an additional challenge for us. Due to our ambition and determination, we basically give our all out and we are lucky enough to be the 2nd team which represented APU to compete the next round.

Figure 1: Partial screenshot of scoreboard taken where we managed to secure the 3rd place in the qualification round

Congratulations to other teams that also managed to secure the top 20.

Figure 2: The top 20 teams that are going to proceed to the finals (Alphabetical Order)

🙂 Finals - Day 1

Figure 3: Team x0rry with me, Alvin, and Wesley (from left to right)

Figure 4: Malaysia VIPs randomly visit young talents in cybersecurity

😪 Finals - Day 2

Figure 5: Screenshot where we are trying to solve and patch challenges during 2 a.m.

Figure 6: Exchange solving strategies with Team Cyb3rWarrior (APU) after the competition had ended

Figure 7: Result of final round where we get the 7th place among 22 teams

Figure 8: Team x0rry with Alvin, Wesley, and me (from left to right)

Figure 9: Photo taken with Forensic & Security Research Centre (FSEC) from left to right: Mrs. Nor Azlina, Shiau Huei, Wesley, Alvin, me, Ryan, Jia Qi, William, Lik Ken, Mohin

🗣️ Final Words

Everything happened just a blink of an eye. It was a really fun and unforgettable experience for us not only just the first attack & defense CTF we had joined, but also gain valuable knowledge in terms of hacking and defence in real-world cyber security practices that are not covered in educational modules. The core knowledge that I learnt is the importance of utilizing automated scripts to harvest other teams’ flags, how to patch (but not overpatched) the vulnerabilities to prevent other teams from stealing our flags, and source code reviews that covered majority of the challenges.

Even though we are not able to win the competition, the experience we had gained can be used in the next similar style competitions. Additionally, this provides an inspiration for us to launch a mini hacking box, contains similar scenarios in iHACK challenges for future workshops to provide more interactive and hands-on session to the audience instead of slides and explanations.