We are a group of computer security enthusiasts and CTF players. Most of us are students at Karlsruhe Institute of Technology, where we meet every week. We teach each other about cryptography, reverse engineering, binary exploitation and web hacking, to advance our knowledge and climb the CTFTime scoreboard.
KITCTF is part of the German Team of Teams Sauercloud competing in the world's most prestigious CTFs, such as DEFCON CTF and Real World CTF. We also host our own CTF events.
You are probably here because you want to hack with us.
Sure, come by our weekly in-person meetings or join us for a CTF on the weekend. We meet every Thursday in the computer science main building 50.34 in room -120 (sometimes alternatively in room -118). Details on upcoming meetings and CTFs are communicated in our Slack. You can join by introducing yourself at firstname.lastname@example.org.
Why play CTFs?
- It is really fun to find vulnerabilities in code that most people would miss, and to get a shell on the challenge server.
- You learn a lot about all kinds of technologies and corners of maths. This is helpful whether you become a full-time hacker at some point or not.
- Companies (not only in security) will hire you (proof, proof). Past and present KITCTF members have very impactful and interesting jobs.
- You work in a team with one common goal: Getting as many flags as possible.
- You travel the world and meet interesting people.
Who are we looking for?
We do not require prior knowledge and welcome everyone. All you need is to be interested in the topic, to be a self-motivated learner and to be willing to spend some time hacking. To follow along in our meetings, it helps to be able to read code and to know Linux fundamentals. Also be warned, CTFs can be frustrating. It is not uncommon to spend multiple hours solving a challenge. That being said, solving a challenge is also very rewarding.
Kinds of Challenges
Every challenge is different. However, they usually fit in at least one of the following categories.
You get a binary (sometimes with source code, sometimes with symbols) that is also running on a challenge server. Put simply, the goal is to interact with the running binary and make it dance, by finding a vulnerability and exploiting it. Often you will end up with a shell on the challenge server. The binaries range from toy programs to modern web browsers with all security mitigations enabled. If you want to learn binary exploitation, check out pwn.college.
Cryptography is not just done on slides full of formulas in a KIT lecture, but can also lead to real bugs. You will find subtle edge cases in the implementation of cryptographic algorithms or combine cutting-edge ideas from research papers to decrypt encrypted flag files. To learn about how to break cryptography, check out CryptoHack.
Also, always present in CTFs are web security challenges. These challenges have the same kinds of bugs that real websites have, only that you are allowed to fully take advantage of them. To learn what these bugs are, check out the Web Security Academy.
Between "what the hell is this binary doing" and realizing that it is a virtual machine for a custom architecture implemented in C++ lie only a few hours of collaboratively looking into a decompiler. Generally, reverse engineering is a very broad category with all kinds of interesting learning opportunities.
CTF challenge authors are creative people. The weirdest of their ideas end up in the misc category. These challenges make you learn a new thing in record time, like how to completely change the prediction of an image recognition network by only changing one pixel, how to beat a video game faster than the fastest speed runner, or how to drain all the money from a smart contract.