DKHOS CTF - General Review

I got a text message on 10.01.2018 from one of the few people I enjoy working together on CTF competitions.

Basically, he informed me about one of the biggest CTF events in Turkey and added 2 important things:

• This time we have a great team named KHORNE
• The goal is securing the first place and all members already agreed on donating prizes to The Foundation for Children with Leukemia in Turkey

Big day came and tasks were split. Everyone was so motivated and skillful in their field. Hours started to pass and we could see the scoreboard was changing already…

After solving the first tasks we started to slow down with the harder ones. There is a time of desperation on every CTF that you are actually about to finish the task but just cant go through the last step! Just after this, I heard someone yelling on the second night of the event :

Guys, do not forget why we are doing this. We are so close to make those children happy!

After 4 sleepless nights, 2 workdays in between, couple of disputes among members, we actually made it to the top between 478 teams !

This is the brief story of my first triumph on securing the first place in a big CTF event.

From here, I’ll talk about DKHOS CTF in details.

DKHOS is the sequel of DKH and DKHO (Dunyayi Kurtaran Hacker & Dunyayi Kurtaran Hackerin Oglu), held by Invictus/Prodaft. It’s by far the biggest and most innovative CTF events in Turkey. (In here I should also mention the Siberyildiz failure). They actually put a flag on top of Bosphorus Bridge!

(from https://twitter.com/ctfturkey)

Scenarios were taken from real-life situations and put together such in a way that solver actually learns by solving it. There was even a Twitch ‘hacking royale’ in where 3 people choosen amongst the best in Web category and were given a machine with 7 flags.

Of course there were things I also didn’t like and can consider these as great downsides.

• Group challenges were meaningless. Especially the last one with potential 700 points. There were groups who couldnt even get this much points. Yes, its innovative. Yes we did enjoy it. But potential 700 points was too much. NERF THIS!
• Naming conventions were absolutely odd-awkward. If the solution is understanding ‘whatsapp service’ from task’s name ’naber’ (whats up!? in TR) then this is not a hacking question. Period.
• There were quite a number of cheating attempts we heard of. DKHOS team was successful on monitoring and finding these but in the end even we were accused of minor cheating. We were expecting to at least getting some congratulations.
• And the thing I disliked the most is the actual problem in Turkey. Security, CybSec is just seen as red teaming. There were not even 1 hint of how these tasks should have been secured in the first place. As an Application Security Engineer with interest on blue teaming, next year I’m expecting an Attack and Defence style rather than Jeopardy.

All in all, we are the official winners now and learnt a lot in the way. I’ll be publishing some writeups when I have more time.