At 11 a.m. on April 9, 2022, NJIT’s second annual Capture the Flag competition, JerseyCTF, began. Capture the Flag here is not referring to the popular playground game, but instead to a common type of cybersecurity competition.
Participants are provided with a series of challenges based in various areas of computer exploitation and information security. They are expected to puzzle their way through these problems using an array of different techniques in order to find hidden strings of text — known as flags — which will give them credit for completing the problem.
Challenges are usually given varying point values based on their complexity and the obscurity of the techniques used to solve them. The goal is to accumulate the most points before the competition deadline.
In the case of JerseyCTF, participants formed teams that competed over the course of 24 hours. They faced a wide array of challenges, from having to geolocate a specific statue to find the three-word representation of its location in “Photo-Op Spot,” to decrypting a string of text where the key is the solution to a half-finished Wordle in “Would You Wordle.”
These teams were divided into two divisions: the open division, which accepted all participants, and the student division, which accepted only university-affiliated teams. In both divisions, top-placing teams were entitled to cash prizes up to $1000 as well as additional benefits for each teammate such as tickets to cybersecurity conferences, free professional certifications, or McAfee antivirus, depending on the team’s place.
Winners of the student division in this year’s competition are, in ascending order, “carl g evans’ week 3 discussion” of the University of Illinois at Urbana-Champaign, “KnightSec” of the University of Central Florida, and “fierceBadRabbits” of Duke University. The team names become even more creative in the open division where the winners are “🐻❄️,” “View Source,” and “idek.”
The competition, a year in the making, represented a larger organizational undertaking. It was primarily a joint initiative between NJIT’s Association for Computing Machinery, a student-run computer science organization, and the NJIT Secure Computing Initiative, an organization which delivers U.S. government-sponsored CyberCorp scholarships to NJIT students.
Additional support in planning the challenges and event was given by engineers/interns at the New Jersey Cybersecurity and Communications Integration Cell, members of the Rutgers Security Club, and engineers at FRSecure.
The attitude among the event organizers seemed quite confident. Participation in this year’s CTF was more than double last year’s. Registrations increased from around 600 in 2021 to 1470 in 2022, with 668 teams competing this year for the top prizes.
Registrants participated from as far away as Brazil and Indonesia, with a Japanese team even placing third in the open division. The competition also included several “Tech Talks,” which participants could earn points by attending, given by industry specialists including Brian Herron, Supervisory Special Agent of the Federal Bureau of Investigation, and Max Saltonstall, IT Technical Director for Google.
Additionally, participants could join ancillary events throughout the 24-hour time frame, including a Pokémon Showdown tournament, a game of heist/security-themed Scribbl.io, and a catered in-person team-building event at GITC for heist participants on campus.
According to ACM president and third-year information technology major David Garcia, though there were technical problems that required the team’s attention throughout the night, such as improperly formatted flags and Google Drive download quotas, the turnout to the CTF and the quality of the events was quite exciting. “For having this be our second year running the event, this went much better than we could have expected,” Garcia said.
Participants likewise seemed to have an overall positive outlook on the competition. Marc Tullier, a junior computer engineering major at NJIT, noted that while the competition posed “one heck of a challenge,” he found the overall format of the competition to be intuitive and easy to use and the staff to be helpful.
First-time CTF participants Patrick Krawczyk and Dustin La were likewise supportive of the CTF staff, but pointed to some hurdles the competition posed for those who were less experienced with the CTF format, noting that it would be “nice to have introductory level with a couple problems for absolute beginners to learn the tools and how to use them.”
Ultimately, this year’s CTF seems to have been a success by the metrics of its organizers: high enrollment, a wide array of events, and little in the way of controversy. Though, as with anything, there can be room for improvement. Hopefully, the organizers of NJIT’s next Capture the Flag event will be just as excited about the product as this year’s staff.