Author: Sebastian Guimaraens
“I am (hopefully) soon to be an Honours Computer Science student with a love for all sorts of problem-solving and good competition. I might’ve been Seb’s third choice for a teammate (Seb’s note: Hey!) but in the end, I think we turned out to have great team chemistry and I am extremely grateful for the experience we had.”
“Hi, I’m Caelan Hill. Recently, I’ve delved deep into the world of cybersecurity, particularly exploring how hackers exploit vulnerabilities and devise countermeasures. This competition only fuelled my passion further (hopefully it rubbed off on the rest of the team too!). We had an absolute blast competing with the other teams and can’t wait to tackle more challenges like this in the future!”
“I am the guy the last two will say I owe Porsches to. Additionally, I had taken the initial interest in the CSC challenge. Cybersecurity has been on my career radar since high school, so this was my inflexion point. And despite their vexing comments, I couldn’t have asked for a better team with which to go into this challenge. Being an avid writer, I am also the elected author of the masterpiece you are about to read, so please do enjoy!”
In one of our COS 330 (Computer Security) lectures, Dr Heloise Meyer of SANReN (a guest lecturer), gave us an overview of the Cyber Security Challenge (CSC) and what it would entail. One of the key points was that participation would eventually lead to the finals being held at a conference, more specifically the CHPC Conference in Port Elizabeth, Gqeberha. The competition would be teams of three to four members. I asked my fellow students, Caelan & Michael, if they would like to form a team. I need to mention that when Michael agreed to join, it wasn’t with specific enthusiasm. It was more a case of “Eh, sure, why not.” I think it’s amazing what can come from spontaneous decisions, as little did we know how successful our team would be, based on a spur-of-the-moment agreement to participate!
Fast forward many weeks and exams and we had placed high enough during the preliminary rounds that we had made it into the group of top 10 teams (out of 183). We were then selected to attend the finals in Gqeberha, and assigned our mentor, Mr Mark Makura. Mr Makura would be our support and would make sure that we didn’t go too far off the rails. We thank him for his kindness and positivity throughout the competition. And so, on the 30th of November, we met at OR Tambo International Airport and it is here that our story begins.
The flight to Gqeberha wasn’t eventful, but the sight of the beautiful coastline was certainly motivating. We were admittedly anxious as the very recent exam season left us with little to no practice time for the Capture the Flag (CTF) rounds to come, and even less to plan for the Live Attack & Defend round.
After a brief shuttle ride to our accommodation, the Roadside Lodge, we found it to be a great location garnished with a fantastic view of the sea, right on our doorstep. More importantly, there was a bar right across the road. Things were looking good! But jokes aside, we made our way to the conference centre to explore the venue. We discovered that our hackathon would be taking place in a fully equipped basement lined with booths for the various other student competitions taking place. After decorating our booth with banners we had a buffet dinner, also inside the basement (most meals would end up taking this format, except for breakfasts at the lodge). We then retreated to our accommodation to recover for Day 1.
After scoffing down a breakfast of scrambled egg and orange-flavoured juice, we made our way to the conference centre. We were given the second most important thing: information on prizes. Dendrite Cyber had sponsored a staggering R190 000 in prizes for first, second, and third place overall. That equated to R100 000, R60 000 and R30 000 respectively. Holy moly! Now we were excited! And decidedly miffed that we’d had such little preparation, but we were all the more motivated. After this revelation, we strolled over to our booths downstairs and received some merchandise (love a free shirt) followed by the first and most important thing: free coffee.
Finally, at 13h30, the gates were opened. There was a frenzy as everyone was out to get the “first-blood” bonus points earned from completing challenges before anyone else. We ended up getting a few and were off to a decent start, placing initially at about 5th. We grinded through to about 23h15 and ended up taking 2nd place.
We adopted a strategy of trying to go to bed earlier in hopes we could make up for lost time with sharper minds the next day. As far as we could tell, most teams were already settling in for a long night. With hindsight, we are confident our strategy did end up helping us on days to come.
It’s a conference, so there’s always a keynote or two to attend. We started off with some introductory presentations, but I was interested to observe some of the teams were fighting to keep their eyes open. The early night seemed to have been a good idea. Observations aside, some very interesting keynote addresses, but my favourite would happen on the following day.
With the formalities behind us, we made our way back to our battle stations below and proceeded with day two of the CTF round. We had only dropped a few places from 2nd to about 5th. Brilliant. By midday we had already caught up to 2nd and after a major series of breakthroughs with a particularly tough challenge, we pulled through into 1st place. This would be the start of many long and tiring back-and-forths until the CTF round finished.
On the side, there was a lock-picking tutorial in preparation for an individual challenge the next day. Michael would go on to win this, inciting Caelan and I to consider upgrading the locks on our bags at the Roadside Lodge. After an action-packed day, we left the venue still in 1st and with high spirits, but the following day, that would all change.
Day 3 equated to all work. We effectively spent all day in the booth, from 07h00 to 00h00, taking short breaks for meals and going on brief walks to delay our mental degradation. That’s not to say we didn’t enjoy doing the challenges, tiredness only really settled in around 21h00 and we started the day only having dropped to 2nd. Then it went crazy.
Hackathons boil down to how fast you can find needles in haystacks, but we were running out of haystacks. Due to the dwindling number of challenges left unsolved, the lead we had once owned had diminished from a dominant 300+ points to a barely holding 10-point difference as other teams caught up.
For the last half of the day, the scores were on a rollercoaster and after cracking what we thought was the last challenge in the Orange Cyberdefense API category, we found a staggering 750 points worth of previously hidden challenges waiting for us. At this point, my soul left my body. I knew our competitors would be gunning for it overnight, so to stand a chance, we’d have to try as well, seeing as the CTF round would close early the next morning at 08h00. Additionally, the scoreboard would be hidden at 20h00, so we had to assume the worst thereafter in terms of the other teams’ progress.
As mentioned earlier, we actually headed off to bed at around midnight (avoiding an all-nighter), but the damage had been done. We’d been stuck on the discovered API challenges for a while, mindlessly exhausted, and we would have to make our last stand the next day before the deadline closed.
To keep a long story short, we awoke early and sacrificed breakfast to do as much as we could before the deadline. We narrowly missed obtaining another flag, having just run out of time. We made peace and estimated that at the very least we were still in the running for top three.
Later in the day, we held the defence and then the attack round of the Live Attack & Defend challenge. These were great fun, but sadly the attack round suffered some technical difficulties, reducing the time we could spend attacking to about an hour as opposed to the intended three. This meant that we would not be able to exploit all the vulnerabilities we had discovered on our virtual machine (what we were tasked with defending, and what other teams would be attacking) on other teams’ machines. I will append a better explanation of how this challenge worked at the end.
From our team’s perspective, it seemed that our biggest rival for the Live Attack & Defend challenge was the team from UCT (who would end up winning this specific challenge). We played cat and mouse, fighting over ownership of most of the other eight teams’ user management services, for which we had discovered the same vulnerability. They eventually were quick enough to automate the exploit that we were initially applying manually. Credits to them for this, it was both a hilarious and horrifying realisation when we figured out what they had done. When the time ran out, we were able to have a good laugh about it and ended up chatting with the wits (engineering) Team as well as the UCT team later.
Day 4 was the same day that the Awards Dinner took place. Following a final keynote by Thomas Sterling on the state of high-performance computing, and some food, the awards were announced. Now, remember, we did not know the scores and we had just been outmatched in the Live Attack & Defend challenge, so our expectations were low. We had managed to win the API Challenge award so far, sponsored by Orange Cyberdefense, but everyone was worried about the top three placements. So, imagine our shock when Dr Meyer announced:
“And in 1st place… I LAK LINUX from UP.”
Our minds were blown. Talk about a Denial-of-Service attack, try a Denial-of-Thought! We went up to grab our medals, trophy and cheque (we had a fun time fitting that on the aeroplane). It was surreal to think of how we got there, but we relished the moment and will continue to. We owe a lot of thanks to SANReN for setting up this event, it was life-changing. We are also grateful to Dendrite Cyber and Orange Cyberdefense for sponsoring such generous awards. It shows great dedication to supporting future generations of ethical hackers.
And so, we retired to our rooms later that evening, trying to find the difference between the dreams in our sleep and the dreams we had just lived.
Besides the fun of walking through the airport with a billboard-sized cheque with six digits on it, attracting way too much attention, there was nothing much else to it. We got back to OR Tambo, where it had all begun, and parted ways. It was time to catch up on sleep and hide away our laptops whilst we recovered from what had to be at least seven distinct RSI’s.
For anyone wanting to try out the SANReN CSC challenge in the future, would I recommend it? Yes, yes and yes. It is an amazing experience with awesome people. Also, now we need people to continue the winning streak…