Skip to main content

DKHOS CTF: General Review

··460 words·3 mins
Kaan S. Karadag
Author
Kaan S. Karadag
Founder & Lead Cyber Security Consultant | CISSP | CEH | ECIH
Table of Contents

Introduction
#

In January 2018, I received an invitation to participate in DKHOS, one of Turkey’s most prominent Capture The Flag (CTF) competitions. Our team, KHORNE, entered with dual objectives: to secure first place and to donate all prizes to The Foundation for Children with Leukemia in Turkey.

Competition invitation

Competition Overview
#

DKHOS is the successor to previous competitions DKH and DKHO (Dunyayi Kurtaran Hacker & Dunyayi Kurtaran Hackerin Oglu), organized by Invictus/Prodaft. The competition has established itself as Turkey’s most innovative CTF event, incorporating unique physical elements—including placing an actual flag on the Bosphorus Bridge.

Flag on Bosphorus Bridge
Image source: Twitter @ctfturkey

Team Strategy and Execution
#

Our approach emphasized specialization and clear task allocation. Each team member focused on their area of expertise, allowing us to tackle challenges efficiently. The competition structure required:

  1. Initial momentum - Rapid solving of easier challenges to build confidence
  2. Specialized focus - Distributing complex problems to subject matter experts
  3. Perseverance - Working through multiple nights with minimal sleep
  4. Motivation maintenance - Regular reminders of our charitable objective

A critical moment occurred during the second night when team morale temporarily faltered:

"Remember why we're doing this. We're so close to making those children happy!"

After four days of intense competition, including working through regular business days and overcoming inter-team disputes, we achieved victory among 478 competing teams.

Victory screenshot

Technical Challenge Design
#

The competition incorporated several innovative elements:

  1. Real-world scenarios - Challenges derived from authentic security situations
  2. Educational progression - Tasks structured to build and reinforce knowledge
  3. Live competition - A Twitch “hacking royale” where selected competitors tackled a machine with seven flags

Critical Analysis
#

While the competition was well-executed overall, several aspects warrant critical examination:

Competition Design Issues
#

  1. Point distribution imbalance - Group challenges awarded disproportionate points (up to 700) relative to individual challenges, creating scoring inequities
  2. Non-technical challenge elements - Some challenges relied on cultural knowledge rather than technical skill (e.g., inferring “WhatsApp service” from the Turkish phrase “naber”)
  3. Anti-cheating measures - Despite effective monitoring, legitimate teams faced unwarranted accusations

Security Industry Implications
#

A significant observation concerns Turkey’s cybersecurity landscape, which emphasizes offensive security (red teaming) while neglecting defensive measures. As an Application Security Engineer with defensive security interests, I would recommend evolving the competition format toward Attack and Defense rather than purely Jeopardy-style challenges.

Conclusion
#

Our victory in DKHOS CTF represents both a personal achievement and a contribution to a worthy cause. The competition provided valuable learning opportunities while highlighting areas for improvement in CTF design and broader security education.

I will be publishing detailed technical write-ups of specific challenges in subsequent posts, focusing on methodologies and security principles that can be applied in enterprise environments.

Note: This post reflects experiences from 2018 and the security landscape has evolved significantly since then.