Since last year, my university has orchestrated a yearly Capture-the-Flag, and this time, I am one of the organizers of the event.

In a CTF, we simulate a deliberately vulnerable network like one we might find in a company or at home.
The players have to search and go as deep as possible to find pieces of text called flags, which all give points. The team with the most points at the end wins.

I participated in the previous edition, which was pretty nice but suffered from some issues: the path was very linear, so being stuck at any moment would mean a total stop in progression until solved. We started the event strong and were in the lead, but we stayed stuck on a flag about nested base64. We understood what to do with base64, but we didn’t understand that one of the steps was the flag itself. All the other teams were given hints to catch up with us, and we lost our advantage in a very frustrating way.

So in the next edition, we wanted to make the best version possible: no weird random flag like the nested base64, no free hint, no linear path that would make you totally stuck.

I thought about possible flags from that day and noted them somewhere. When I had an idea, I appended it to the list. At the end of our first semester, we ended up with a list of around 90 ideas, all more or less twisted. With the whole class, we decided to make a “tierlist” of all our ideas, ranking them from “we absolutely need this” to “how are they even supposed to think of this in their whole life.”

We had flags for different platforms: Windows, Linux and Android. We knew that it was not very common for this kind of CTF to have Windows or Android, so we thought it would let us test the players’ research capabilities, rather than have them spam prepared scripts, and help them acquire new knowledge.

Some flags were about booting up a computer remotely through Wake-on-LAN, others were about simple privilege escalation through a DirtyCow, a Log4Shell on a Minecraft server, an AI that would challenge you in order to tell you a flag, sticking a fake “recycle” sticker on their screen with a flag on it… We had so many diverse ideas, and we weren’t able to implement all of them since the event would only last 7 hours.

We decided to split the flags into two categories: the main ones, and the bonus ones. The main ones cost more, can be seen from the flag validation website, and hints can be bought for them. The bonus ones are invisible and so cannot have hints, and give additional points. They are very easy to miss.

At the event, the teams would start with a USB stick to give them all a different copy of a VPN that would give them access to a different copy of the network they would play on. We also added a short introduction to finding a Tor URL and accessing an HTTP, IRC and FTP server over Tor. I didn’t even know Tor did something other than HTTP before, but it does support all TCP protocols (and I even consider deploying a Tor website way easier than a normal one). Also, we hid a corrupted second partition on the USB stick with a bonus flag. A team almost found it, but thought “eh, nobody would hide that here.” If only you knew…

The flags were going to be implemented on virtual machines on our CyberRange, our virtualization machine. Since we didn’t have access to it at the beginning of the year, we instead trained a bit on the open-source equivalent: GNS3. It is a pretty good tool, more specialized for networking. Importing QEMU VMs into it was not that easy, but it was a perfect substitute.

Once we had access to the real virtualization machine, we realized that while the UI might be easier to use for our event, the machine had some serious issues, like the impossibility of using “gates” to connect to the internet due to expired certificates, or the creation of a VM that would lock the whole machine. The online documentation barely exists since this is a niche device. We tried reaching the support, but communication was not always easy, and it often required using the machine’s CLI, which was broken and couldn’t connect to the machine.

Instead, I decided to reverse engineer it. It was a bit stressful since it happened just before the event, but it may have been the experience that made me learn the most in the whole university: virtualization, routing, VLAN, certificates, postgres, everything a system administrator would love. This ended up working, and we were able to fix the machine quicker and quicker every time.

We wanted a visual identity too, and a story that would give a big advantage to people who tried to understand it. We made a logo looking like the San Francisco golden bridge, and decided that the story would be about a growing San Francisco mafia trying to sell its cryptocurrency. The police would then sponsor the players to track them. Being in France, the event would take place at around 01h00 in San Francisco, when the organization members would be sleeping.

We had the idea to stream the event on Twitch at some point, but this would have required too many authorizations from everybody, and one refusal would mean multiple feeds of about 7 hours of event footage to censor live.

The idea was abandoned, but we were still able to get some players’ screens to look at how they were doing through ffmpeg and an OSSRS server.
I bought some high-end cables to be able to withstand the traffic, and I was thrilled about the result.

One of us was given the task of preparing the music and orchestrating it with OBS. We used a lot of video game music because it often doesn’t contain lyrics and often keeps an average rhythm, without being too strong or too low at some points. Some people thought the volume was a bit too high at the event, but he did a really good job, and the OBS scenes he prepared with countdowns and a slight glitched effect were absolutely perfect.

In the last few days before the event, we prepared the room: we poorly taped some cameras to the wall, set up some Wi-Fi routers and Ethernet cables so that everybody could play, preinstalled Kali computers with the required software already available, arranged the tables for all the registered teams, and prepared the monitor with our OBS scenes. It was not easy with the little time we were given, but we ended up with something perfect.

The CyberRange broke a few days prior to the event. We accidentally selected a reserved cable on the UI to access our template network, but it changed its internal VLAN, and this port was virtually used to connect the internal virtualization software. (Reserved cables should not be selectable for this usage; that would avoid this kind of incident.) We were very stressed and went back to reverse engineering it, and a friend came up with a solution to fix the VLAN that saved the whole event.

Reassured and prepared, we were able to start the event on time. People were supposed to enter the room a few minutes before the end of our start countdown, but they stayed outside to speak with old friends they had just met again, while we were supposed to introduce the lore. We almost forgot to explain the story, but everything went fine. (Please send mails saying that the event starts at least 30 minutes prior to the real time for the next iteration.)

Everything worked almost flawlessly for the whole event. There were just very minor issues, like one of the Android machines that broke and refused any connection to ADB, and the Windows machine that didn’t have its brute-force protection disabled, which got a team locked out of it.

In the end, everyone was happy and learned new things thanks to this event, even the most experienced players who often participate in CTFs.