It’s that time of year again! RVAsec is right around the corner, and the MetaCTF Team as well as a small army of volunteers are hard at work preparing some exciting challenges for this year’s competition. In keeping with the format of the past several years, we’ll be running a practice CTF on the first day of the conference (Wednesday, May 22nd). This will be a great opportunity to get familiar with the platform, and if you’ve never done a CTF before, a perfect time to try one out with plenty of people on hand to help!

On Day 2 (Thursday, May 23rd), we’ll be running the actual competition. Even though it will contain some hard challenges, this is a learning CTF – not a stump-the-chump competition. As such, there will be plenty of challenges including lockpicking, recon, web & binary exploitation, forensics/IR, and more designed for people of all levels and backgrounds. Additionally, you may choose to compete as an individual or form teams of up to 4 people – there are separate prize categories for both.

You will need an updated Kali machine, but we will provide everything else. In addition, we’re excited to announce that Capital One will be sponsoring the CTF this year!

Below is a list of some of the skills/topics that have been covered in previous years:

Entry Level: Primarily aimed at beginners and those with a less technical background, focusing on basic infosec skills and concepts.

  • Rot N encoding
  • Google Fu / OSINT
  • Examining website source code
  • Basic file analysis (eg. file, strings)
  • Trivia

Intermediate: Expect to begin taking a deep dive into the core categories by finding and exploiting vulnerabilities, cracking passwords, etc.

  • Extracting objects from Wireshark dump
  • SQL Injection
  • Recovering and analyzing forensic artifacts
  • Cracking password hashes (using john, Hashcat, etc)
  • Reverse Engineering and Disassembly

Hard: For our battle-hardened, seasoned CTF players which will challenge competitors to truly think outside the box, crack encryption, exploit binaries, and more.

  • Blacklist filter evasion for SQL Injection
  • Binary Exploitation (buffer overflows and ROP chains!)
  • Cracking RSA Encryption
  • Multi-step OSINT investigation
  • Hardware / Wireless 🙂

Finally, good luck to everyone, and we’ll see you in Richmond soon!

CapitalOne