Working in collaboration with the internal security team – ISRM (Information Security and Risk Management), I, along with a few other colleagues (all fresh hires), started CTF for Microsoft employees in 2012. With just 3 iterations, the architecture of the CTF has evolved a lot, but the model adopted is still the same – Attack-and-Defense.
Every participating team is given a server (VM) of their own, which has a set of applications, written by us, running on it. Some of these applications are server monitors that watch specific applications and specific user activities; the rest are the actual applications which the team has to safeguard and exploit. Basic play in the game involves finding these applications, figuring out the bugs in them and then fixing them without altering their functionality. Moreover, as all participants get a VM made from the same image, the bugs, if not fixed, should exist on the opponents' systems as well. So, they can exploit these vulnerabilities on others' systems and in turn win flags which are convertible to ’winning points’.
The hacks which could be found in the systems vary from the basic ones like SQL injection, HTTP parameter injection, XSS and CSRF to reverse engineering of code which can have escape sequence or buffer overflow issues or might allow shellcode injection. There are also some cryptography-based questions which might be mathematically modeled, may have some steganography-based attack, or maybe even a mixture of both. Since the VMs basically belong to the participants during the game time, users can explore other hacks like phishing or denial-of-service as well.
The internal CTF received participation from teams like Azure, Windows, WP, Skype, XBOX Red Security, Office, O365 and Trustworthy Computing, with overwhelming feedback. BTS (earlier called HackCon), which started in 2014, received participation from around 1k college students from IITs, IIITs and other top colleges in India and would be conducted annually. Starting this year, CTF would also be conducted in universities in the US (starting with universities of Washington).
Teammates – Vijay Chekravarthy (PM), Vijay Shankar, Rohit Gurunath, Aakansha Nagwani, Ajay KN, Smarth Behl, GK Aswin Kumar, Rafi Alam