Heng Ye's Logs


# Team Tournament 2020

Security Innovation hosted a team event on their DigiExchange cyber range, one of their hardest. It was a really nice free learning experience with a large variety of challenges, including RE, injection, OSINT, and XSS. Unlike their easier CTFs such as Shadow Bank, the challenges had filters that had to be bypassed.

Unlike most CTFs, it is auto-scored: when a vulnerability is exploited you get points automatically for most challenges, so you don't have to enter flags (there were a few flags, though). It also differs from both Jeopardy-style and Attack/Defense-style CTFs in that you are hacking a single website that contains all the vulnerabilities. It is somewhat more realistic than other CTFs because it simulates a real website with full functionality, which was a great learning experience for me as a developer.

The event organizers discourage sharing answers because they re-use their CTFs across multiple events. DigiExchange in particular has been run multiple times at major security conferences in the past, such as OWASP AppSecDays.

When attacking, it was very helpful to map out the attack surface, as in any pentest, since the cyber range is a relatively large website with lots of functionality. Because I was on a team, this stage was completed quickly. Bypassing the filters took more time, as frequent trial and error was required.

Before this event, I practiced on their free on-demand CTF to hone my web app hacking skills. However, DigiExchange was much harder, as it is more of an "advanced" CTF. I had also attended the CMD+CTRL event at DEF CON and multiple previous Security Innovation events, which concentrated on easier and more often reused ranges such as Shadow Bank and Shred.

In the end, my team (Exquisite Execution) took second place!