The Hacktober 2020 CTF is by far the most fun and educational CTF I have ever participated in.
Players have to take on a group of notorious hackers:
Hacktober CTF differs from your normal CTF in that it considers a cohesive story that ties challenges together to be essential, letting players know why they need to find a flag.
DEADFACE is a notorious hacker group who increase their activity particularly in October. They're all about theatrics and inciting fear. They employ a variety of different hackers, each with their own unique skillsets. One of the calling cards of DEADFACE is that they use a Halloween-themed naming convention for their attacks and artifacts left on their victim's machines.
The challenges are broken down into various categories, and many of them require knowledge acquired throughout the CTF, as part of that previously mentioned cohesive storyline. The challenges mainly revolve around members of DEADFACE leaving information, files, and hints on a public forum for us to find. We can then start forming a picture of the various members, what they do, what kind of person they are, the techniques they use, and so on and so forth.
The main challenge categories are:
- traffic analysis
- web exploitation
My writeups for the solved challenges will be linked at the end of this article.
My favourite categories were mostly well represented in this CTF. There were a lot of forensics and OSINT related challenges. Web exploitation was definitely the least represented one, but often the most guessy, or the easiest challenges in these competitions.
As per usual, I participated alone and managed to climb my way to 151st out of 1062 participants. 🥇
The biggest take-away from this competition though is the amount of newly acquired knowledge. From new steganography techniques I had never heard of, to learning how to read and evaluate memory dumps, prefetch informatio, and the likes.
Cash prizes are provided for US residents. The top three US based teams are awarded $400, $200, and $100 respectively.
Non-US residents participated for bragging rights, and some digital badges to be redeemed at badgr.io.
I'm posting all my writeups as separate blog posts, minus the challenges that are split into multiple parts, those have all been merged into one.
Updated as all writeups are published ⏰