# A Netrunner's Guide to CyberSci ###### By Robert Babaev --- # whoami <!-- .slide: data-transition="slide" -->  ---- <!-- .slide: data-transition="slide" --> - Robert Babaev - 3rd year standing CS, Computer and Internet Security - CyberSci Team Canada player (Jul. 2021 - Dec. 2021) - CyberSci Team Canada captain (Jan. 2022? - Jun. 2022) - Penetration Tester @SoftwareSecured (May. 2022 - Aug. 2022) --- # Stories ---- ## ./hatch <!-- .slide: data-transition="zoom" -->  ---- ## python3 first_pwns.py <!-- .slide: data-transition="zoom" --> - Cybersecurity workshop, basic web hacking - H4TT, first real CTF - First time cracking password-protected file (unsuccessfully) - How precious googling stuff was ---- ## NorthSec <!-- .slide: data-transition="zoom-in slide-out" -->  ---- ## java NorthSec2020 <!-- .slide: data-transition="slide" --> - First major conference CTF - I was practically useless - Communications were terrible - “Okay that didn't work” *What didn't work*? - Lot of stress from the challenge difficulty - Wasn't really able to keep myself calm ---- ## node NorthSec2021.js <!-- .slide: data-transition="slide" --> - Much better than NSEC 2020 - Had acquired some more skills by this point - Was able to submit at least 2 flags entirely on my own - Got a writeup! - Still had a long way to go ---- ## curl “http://cybersci.nationals.2021” <!-- .slide: data-transition="slide" -->  ---- <!-- .slide: data-transition="fade" --> - “Hey, I need a substitute” - Took the shot - International competitions? - Next to no flags of my own - Supporting info helped score points - Team Rocket came 2nd! ---- ## nmap —location=prague ecsc2021.cz <!-- .slide: data-transition="zoom-in slide-out" -->  ---- <!-- .slide: data-transition="slide" --> - Did not practice much - Severely underestimated difficulty - How hard could it be? - I was coming in as a junior - Result? Canada came 18th out of 19 countries - We beat Malta tho - Upside? - Got to visit Europe, see Prague - Drank some beer - Met some new friends ---- ## sqlmap https://icc2022.eu/leadup?id=1 <!-- .slide: data-transition="zoom-in slide-out" -->  ---- <!-- .slide: data-transition="slide" --> - Training was more on the forefront - Attended some CTFs in the months before the event - First taste of attack/defense - SaarCTF 2022 - Working on tooling and knowledge base - Writeups - NSEC 2022 - Working as Team Canada - Used some info from a challenge creator’s video to get a flag ---- ## feroxbuster -u https://icc2022.eu/athens <!-- .slide: data-transition="slide" -->  ---- <!-- .slide: data-transition="slide" --> - First ICC ever - Got to meet the VP of EU Commission - Got to meet players from around the world - 15 players - Big challenge was team comms - Jeopardy and Attack/Defense - Came 5th out of 7 teams - Realized CTFs weren’t for me --- # Takeaways ---- ## Struggling - You WILL struggle at some point - New field - New knowledge - New skills - Programming only gets you so far ---- ## Persistence - Persistence is key - Progression from NSEC 2020 to NSEC 2022 - The solution to a challenge could be one command away - Short term and long term persistence ---- ## Humility - Never underestimate the difficulty of a CTF - If someone can complete every single challenge of a CTF, it was too easy - CTFs are meant to be difficult for the level that they’re in - Never assume you can do a CTF solo - These are team games ---- ## Recon - If you know who made a challenge… - Stalk them (OSINT) - Watch their videos - Read their tweets - Disclaimer: Don’t like actually stalk them and go try to visit them IRL ---- ## Teamwork - COMMUNICATE! - Attack/defense in particular, but Jeopardy too! - If you have something interesting, LET YOUR TEAM KNOW! - Communication goes beyond game day - Coordinate training - Coordinate teambuilding - Work on learning and making tools --- # Other Tips ---- ## Fundamentals - Lock down your fundamentals - If you don’t know those at higher levels, you’re gonna have a rough time - Regionals it’s okay, everyone’s learning - Nationals and beyond, get that stuff *down* ---- ## Googling - Search engines are your friend that will do literally anything and everything for you - Use them - Use them well - Google Dorking - Known recon method - Boolean search ---- ## Pressing Buttons - Just try things - If you think something is impossible - try it anyway - If you think something is possible - probably is - If you’re stuck with no other options, the time cost is probably worth it ---- ## Stepping Back - All else fails? - Take a walk - Clear your head - Think about literally anything but the challenge - Psychology - Brain can “background” thoughts - Ever solved a problem in the shower? ---- ## Writeups - Read writeups - Every good hacker makes and reads writeups - Figure out how they did a challenge - Try it yourself if you can! - Another advantage - Making writeups grants visibility - Put writeup links on your personal website ---- ## Learning - Labs - Home lab with VMs and Raspberry Pis - HacktheBox, HTB Academy, TryHackMe - Learn by Playing - The only real way to get better at CTFs is playing CTFs --- # Ask some questions!