Learning by Capturing Flags at the CrySyS Security Challenge

April 7, 2022

The CrySyS Security Challenge is an annual Capture-The-Flag (CTF) competition held by the CrySyS Student Core and c0r3dump. It is a solo competition mainly for students of the Budapest University of Technology and Economics (BME).

Nevertheless, it attracts many competitors from outside the university, including alumni and hackers honing their skills through various competitions.

The CrySys Security Challenge

The competition itself is a Jeopardy-style CTF, meaning there are independent tasks, usually sorted into categories, and each participant scores points based on the tasks solved.

CTFs Are a Great Place to Learn

The first time I participated in the competition was during my bachelor’s studies at the CrySyS Lab of BME in 2019. It was my first CTF, and I could barely solve some of the challenges. Nevertheless, I got hooked: it was interesting, challenging and made me want to improve. I’ve participated in every Security Challenge since then, improving every year.

The first time I solved a decent number of challenges was last year, and it was the first time I felt that solving the easier challenges didn’t take that long. Even after a few years of playing CTFs, finding a challenge that stops me in my tracks is not hard. However, I see it as an opportunity for learning and improving my problem-solving skills.

Getting the Most out of a CTF

A great habit that helps me learn is reading/writing write-ups after a competition. It is a good way to learn how other people approach a particular challenge or to find the solution to the one you had struggled with during the competition.

A year ago, I started my blog to help other people and keep a memo of the solutions for previous challenges. I don’t include solutions in this post. However, you can read about the challenges I managed to solve on my blog.

CrySyS Security Challenge 2022

This year, there were six categories, each containing five tasks: Crypto, Pwn, Reverse, Hardware, Web, and Misc. There was a wide variety of tasks in each category: from breaking the Enigma to MD5 collision in Crypto, and from basic SQLi to Java Deserialization to RCE in Web, to name a few.

The Challenge ran between February 25 and March 16. A total of 30 + 1 challenges were available for the 150+ registered participants. I managed to solve 13 + 1 challenges, which placed me 4th overall. All the challenges I solved were excellent in quality, without too many red herrings and cryptic solutions. My favorite categories were Web and Misc, which had a good amount of rickrolls and memes, such as this one:

ctf meme saying the flag is at another castle

If you want to check out some of the challenges, you can do so until summer by visiting the competition’s site. At last, a big thanks goes to the CrySyS Student Core and c0r3dump CTF Team for organizing such a great event.