This past weekend (13th April 2019) we attended Pentest Cyprus 4.0, a hacking event that included various talks and culminated as usual with an on-site, jeopardy style Capture-the-Flag (CTF) event. Overall, the event was a good chance to see familiar faces and meet new people in a more casual environment that would appeal more to security enthusiasts rather than your typical corporate conference (yes, you know who you are).
Regarding the CTF competition, it was split into two events this year: an entry-level CTF for beginners and the regular CTF for people who compete in CTFs more frequently. I participated in the regular CTF along with my team-mate styx00 and we managed to finish in the top 2, earning some prizes in the process (which is always a small, added incentive).
Shoutouts to all the organizers involved, but an extra warm thank you to the technical team who arranged the CTFs. As things currently stand in the local CY community, these guys are a breed apart when it comes to organizing CTFs; as a security / hacking / CTF enthusiast it’s just a pleasure to be around them.
General Feedback / Thoughts going forward
Like I said, as an enthusiast, attending the event was very enjoyable, however the total participation (especially for the two CTFs) was lower than other years, and in general, lower than other more formal events. I personally find this both disappointing and irritating, so I will offer my personal opinion on some minor suggestions that could perhaps increase participation (already shared with the organizers):
There is a glaring contradiction in the overall tone and culture of the event. On the one hand, the event is called Pentest Cyprus, which attempts to denote something more specific and technical, while on the other hand parts of the event are chained by formalities: case in point, every year the opening speeches are delivered by individuals from organizations that don’t really have anything to do with computer security, at least at a technical level, nor do the individuals themselves share this technical enthusiasm. I’m not attacking any individuals specifically, but as an enthusiast (yes, I am using the word repeatedly, on purpose) I would rather have someone who shares some technical passion delivering the opening speech of such an event.
This can be extended to the actual “training” talks themselves; although this year’s talks might have been informative, I feel their place should not be at an event that does its best to be both technical and playful (CTF is a game after all). This problem is difficult to address, but to start with, an effort could be made to source local speakers who could either discuss a specific topic related to computer security in a technical fashion, or actually conduct a short training session about something specific. In either case, it might be a good idea to require at least one demo to be shown (this was partially done in previous years, however time was more limited).
Capture the Flag
I will speak mostly about the regular CTF since that’s the one I participated in; it was difficult. I’m not being modest. 3 hours was a very short time to attempt to solve some of the challenges, at least at my current skill level (I only solved 4 challenges). I also believe that only having 3 hours for the competition is a disservice to the challenge creators, since they put a lot of effort into creating the challenges (something that is much more difficult than people think). Every year the same group of people who create the challenges seem to push the boundaries further, which helps motivate true enthusiasts in improving themselves; this is ultimately the goal of any CTF.
I truly believe that if all challenges were merged into one CTF, this would comprise a solid intermediate-level CTF when compared to other bigger, older, global CTFs, which is quite an impressive feat. That’s why I would urge the organizers to consider making future Pentest Cyprus CTFs online (this could have easily been a 24 hour online CTF); they could keep prize eligibility reserved only for local teams, much like other online CTFs do.
A note about CTFs
It caught our attention that although the event is called Pentest Cyprus, very few pentesters actually participated in any of the CTFs. My personal opinion regarding this is that some pentesters avoid such “competitions” for fear it might damage their reputation either in the eyes of others or their employers. Having said this, although I managed to finish 1st, I will happily admit that I was lucky to do so, since I managed to solve a high-value challenge in an unintended way that was easier than what the challenge creator had anticipated (this has also happened to me multiple times when I have created challenges in the past). If it were not for this fact, I would have very easily ended up finishing in a very “bad” (notice the quotes) position. This is irrelevant. The reason I participate in CTFs is to learn and improve; earning some “glory” and prizes is and always will be extra. I thus implore those who are hesitant or “afraid” of participating in CTFs to do so anyway. Everyone starts from somewhere and we are all beginners in front of someone else. Also, CTFs have very little to do with competency in performing penetration tests; however, they do serve as a tool (perhaps the most important one, in my opinion) for improving one’s hacking skills. And if you think they are unrealistic compared to real-world stuff, feel free to hit me up so I can convince you otherwise.
I consider Pentest Cyprus to be the most fun security event that takes place in Cyprus, and since this year’s rendition was more community-focused, I would like this to continue in future iterations. However, every year attendance seems to be getting lower, partly because the main attraction of the event is the CTF.
I would like the organizers to consider separating the CTF from the training talks, so that more people who are shy / hesitant to compete in an on-site CTF are incentivized to attend. This could also prove valuable to beginners who want to learn something technical by attending, instead of diving straight into the deep end (although this is always recommended as well). Having a full one-day conference with interesting technical talks from local speakers (Cyprus definitely has the personnel to pull this off) and then a 24-hour online CTF would be pretty cool and would, in my opinion, bolster both event attendance and CTF participation, whilst also allowing more time to solve the more difficult challenges.
Talk is cheap, so I’m volunteering right here to help out with future Pentest Cyprus events. Last shoutout to Constantinos Constantinou for very nearly finishing 1st, but more importantly for the huge improvement he has made in the 18 months that I’ve known him. I’ll leave you with this: Always be Learning.