Trace Labs Judge Writeup: SANS and Global Missing Persons CTF September 2020

Opening

I applied to be a Trace Labs Judge for the SANS Student and Alumni event. I'm not a past or present SANS student, so the only avenue to participate was judging. I was interested in judging to see what it was like.

For the SANS event I was given 1 team. They weren't active the entire time. I multi-tasked during the event. I cleaned my house, hacked away at my OSCP labs, and checked the submissions every 20 minutes.

Coming into the Global September CTF I thought it would be a bit more busy, but I could still clean and hack away. Oh boy, was I wrong. At the worst I had 30 different submissions in the queue.

I was given two teams. One of the teams I recognized. I'm glad I got them because I knew they would keep me busy. They are one of those teams that keeps fighting until the last minute. My 2nd team I didn't recognize, but they also submitted every hour until the last minute.

The first and second hour were intense. Mid-day (hours 3-4) were the worst. I walked away for 10 minutes to do my laundry and when I got back I had 30 submissions.

I'm really impressed with how some judges had three, four, or five teams. All the judges had 2 teams and then there was overfill, and then more overfill. You want to check for duplicate submissions, and I'm sure that gets confusing when you're juggling multiple teams. I was using the history tab just for two teams.

The cool thing about the Global September 2020 event was the Australia timezone. The event was held from 5pm CST to 1am CST. Not bad. I got things done during the day.

Submissions

I accepted 77 submissions. I can't go back and see the rejected ones. I know it was at least 10+ I rejected. It's important to have a good evidence writeup. Even a simple "profile picture is the same as the missing photo", "they look like the missing person, see the ears and nose match", "same username as twitter account" helps. Law Enforcement is going to see it so there has to be a traceable path to the thought process.

There were some interesting and unique submissions. Someone took a professional paper PDF and got a phone number out of it. Another person used Google Maps to trace public transit routes and match pictures. I submitted them for MVO award (Most Valuable OSINT). They lost to someone who found the same thing, but wrote a better submission and made a custom screenshot. Lesson: If you think it's MVO worthy, spend some time on the writeup! I'll warn future teams to write better submissions if it's MVO worthy and I'm going to throw them in the hat.

MVO - Most Valuable OSINT Award

I like this new award! As a judge you can nominate your team for a unique, creative, and hard-to-find submission. It awards people for sifting through hours of YouTube videos to find a location, license plate, or other unique information. Or people who are Google Mapping "walking around" to find a location/picture match. If you do these time-intensive activities, you're sacrificing your CTF placement on the board. An MVO award recognizes these activities.

Closing

Good job Trace Labs team on a smooth sailing event! Cya next CTF.
