Capture the Flag: Meet the team bossing one of the toughest hacking competitions around

Polish team Dragon Sector clinched last year's competition, and they're now looking for their next challenge.
Written by Michiel van Blommestein, Contributor
The winning Dragon Sector team.
Image: Katarzyna Zakrawacz-Święcki
Nobody doubts that Poland has substantial tech talent at its disposal, and a team of security specialists' triumph in the recent Capture the Flag series of hacking contests seems to confirm that it is not short of ability, even if some parts of the country's own cybersecurity could use some improvement.

Poland's winning team was Dragon Sector, a group which currently consists of 13 active members from organisations including Google and the Polish CERT, as well as students.

In a whole series of events, Dragon Sector competed in various tasks to show their hacking prowess and cyberdefence skills. Among the challenges were solving a number of problems within a set time period, and gaining access to opposing servers while trying to keep their own network safe.

Out of the total 33 on-site and online events they attended, Dragon Sector won seven and took runner-up or third place in a further 11. Other recent high-profile wins for Dragon Sector include last year's Positive Hack Days Capture the Flag (CTF) in Moscow and Hack.lu CTF in Luxembourg.

"For me, the best victory was the competition in Geneva," Tomasz Bukowski, a Dragon Sector member who works at CERT Polska, told ZDNet. "It wasn't the most valuable in terms of points, but it was my first on-site event where I got to meet everyone. It really is a diverse group. We have data experts, network security specialists, mobile applications, and other areas covered. Myself, I am mostly involved in mobile, web applications, and computer forensics."

It's the diversity that sets the CTF competition apart from other hacking contests, according to Bukowski. "It's really hard to win every single event," he says.

"The competition is very broad and covers many areas, from mobile applications to reverse engineering. It really is the best way to test your skills, since you learn them by actually using them.

"One of the most uncommon things we had to do was to probe, or blackbox, an actual circuit. We fed a certain amount of voltage at various points to a circuit board, in an effort to get any response back. From there, we needed to take the next step and get a desired answer back, and so forth."

An additional motivation for Dragon Sector to aim high is that there is actual money at stake in the competition. The prize money doesn't make them rich, but it helps fund travel to foreign events when costs are high and support sporadic.

And online battles like these hardly make for thrilling viewing, consigning Dragon Sector to something of a niche.

"Sometimes our employers pay expenses if there is a conference attached to the CTF, but that is always limited to that particular employee and not the whole team. In most cases, we pay it out of our own pockets, or get it covered with the prize money. Sometimes, the organiser pays for the hotel if we are a top qualified team, so that usually helps. We're looking for more sponsors, so winning the overall competition definitely helps."

According to Google security engineer and team captain Gynvael Coldwind (who prefers to go by his nickname rather than his real name), the thing that has set Dragon Sector apart is dedication. "We try to appear in as many Capture The Flag events as we can," he says. "There are about 40 [separate events] held over the course of the year, usually during weekends, and each CTF takes 48 hours, so it is quite hard." With the team attending all these events, mostly online, there is no time or need for training in between, Coldwind says.

Programmer Coldwind is especially proud of an achievement in one challenge called dosfun4you, which got a Golden Flag award for being the most difficult challenge of the year.

Like most challenges, it centres on an application or network built specifically for the contest. "It was a virtual machine image running on the organiser's servers. It turned out to be a police force management application running on FreeDOS, where the idea was to hack it to get access to their server," he recalls. "We spent about 20 man-hours to reverse engineer it - me and a colleague who is great at reverse engineering."

Coldwind looked at the application from the top level, the general way an application behaves, while his partner kept an eye on specific functions.

"Normally, one person tackles one task, but in this case, we worked together, with me feeding him top-level information and him checking the bottom-level details."

In the end, they found a vulnerability in the memory manager. "The funny part was that the author of the challenge didn't know about this particular vulnerability. Normally, those designing the challenges have one or two vulnerabilities in mind when creating it, but sometimes they introduce another one by accident."

This year, Coldwind's aim is to focus more on winning the DEF CON Capture the Flag finals in Las Vegas, the most prestigious single tournament of the year. Specifically, the team plans to work on the attack-defence format, where each team has a server running services and has to hack into the servers of all the other teams while simultaneously defending its own.

"We learn a lot during those contests," he says. For example, in order to monitor whether someone has planted a backdoor on your server, you look at crontab, a Linux task scheduler. "We looked at crontab, and it was empty, which is good as it indicates nothing is wrong. However, our opponents indeed changed our crontab list and managed to put in a command followed by a carriage return character and a large number of spaces, making it appear empty. It was great to learn a trick like that, which exploits human weaknesses and the way terminals work rather than typical technical issues."
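A defender's check for the trick Coldwind describes, as an added example that is not from the article or from Dragon Sector: it inspects the raw bytes of a crontab instead of trusting what the terminal draws, and simulates the row a terminal would show. The sample crontab, the placeholder job path, the function names and the 20-blank threshold are assumptions made for illustration.

```python
import re

# Control bytes that can move the cursor or restyle text; tab is allowed.
CONTROL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")
PAD_RUN = 20  # assumed threshold for a suspicious run of trailing blanks


def as_terminal_shows(line: bytes) -> str:
    """Simulate one terminal row: CR returns to column 0 and later
    bytes overwrite what was there (wrapping and tabs are ignored)."""
    row, col = [], 0
    for ch in line.decode("latin-1"):
        if ch == "\r":
            col = 0
            continue
        if col < len(row):
            row[col] = ch
        else:
            row.append(ch)
        col += 1
    return "".join(row).rstrip()


def audit_crontab(data: bytes):
    """Return (line_no, reasons, text_as_displayed, escaped_raw) per suspect line."""
    findings = []
    for line_no, line in enumerate(data.split(b"\n"), start=1):
        body = line[:-1] if line.endswith(b"\r") else line  # tolerate CRLF files
        reasons = []
        if CONTROL.search(body):
            reasons.append("control byte inside line")
        if len(body) - len(body.rstrip(b" \t")) >= PAD_RUN:
            reasons.append("long run of trailing blanks")
        if reasons:
            findings.append((line_no, reasons, as_terminal_shows(body), repr(body)))
    return findings


# Constructed sample: line 2 is a normal CRLF-terminated job, line 3 is a
# placeholder job followed by CR and padding, as in the anecdote above.
SAMPLE = (
    b"# m h dom mon dow command\n"
    b"0 3 * * * /usr/local/bin/backup.sh\r\n"
    b"* * * * * /tmp/placeholder-job\r" + b" " * 120 + b"\n"
)

if __name__ == "__main__":
    for line_no, reasons, shown, raw in audit_crontab(SAMPLE):
        print(f"line {line_no}: {', '.join(reasons)}")
        print(f"  terminal shows: {shown!r}")
        print(f"  raw bytes:      {raw}")
```

Feed it the output of `crontab -l` captured as bytes, or a crontab file opened in binary mode, so that no terminal interprets the control characters first.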

Dragon Sector's success is yet another example of the robustness of Poland's IT talent pool. Even though much attention is paid to cybersecurity, especially with the country's relationship with Russia at a low, there are still areas that could use some work.

"Overall, I think most Polish institutions have organised their cybersecurity pretty well," Bukowski says. "From my personal experience most institutions have employed really good people in that field. There is still a lot of work to be done on education, especially in general law enforcement. They do have experts, but there are too few of them in my opinion. Regular officers know how people steal cars, for example, but don't fully understand how digital theft is committed."
