Alrighty, hello everyone. This video that's gonna follow this sort of intro here is a talk and presentation that I gave at the DEF CON group 911, which is Delhi. And it's a presentation and talk on the title, the concept, capture the flag, you mean change your life. And I don't know, I really hope you enjoy it. I hope you take a few minutes to kind of take a gander, listen in on what it's all about. It was a lot of fun for me to put together and I hope it was well received. I think it's prevalent, at least in my life right now, looking back on the last week and everything else that has kind of been going on, I think it does kind of ring true. Like, hey, so many other new incredible opportunities have kind of been opened up for me because of this stuff, because of this scene, because of this thing that we do, right? Cybersecurity, capture the flag, pen testing, hacking, red teaming, bug bounty, whatever you want. So I hope you enjoy it. And I also wanted to put this out, if anything, like truth be told, so I have a little bit more time and kind of a buffer to record some more of the real stuff and normal things that I offer you between, okay, programming tutorials or capture the flag video write-ups or war game playthroughs, like TryHackMe or Hack The Box or other things. Plenty of other war games and practice sites I wanna give some love to, but I need to get back on the saddle. In the meantime, I wanna give you something, I wanna feed the algorithm and I also want you, hopefully, hopefully, please, to do the same thing, YouTube stuff, like, comment and subscribe, I'm super duper grateful, but I sure, sure do hope that you enjoy this talk and this presentation. I'd love to hear your insight, hear your thoughts, get your feedback, so please do leave that comment, like button, subscribe, I'm grateful, I'm grateful. So please do tune in to, wow, I ruined the outro already.
Please do tune in, listen in for a little bit and enjoy the talk and presentation on capture the flag, you mean change your life. See you soon, guys.

Alrighty, hello, welcome everyone. Thank you, thank you, thank you so much for tuning in, coming to hang out and listening to my talk. This is a presentation. It's titled, capture the flag, you mean change your life. So this is a talk all about cybersecurity, information security, sharpening your skills, getting better, learning, educating yourself, all centered around capture the flag and how honestly it changed my life and I think it can do the same for you. So you might be asking, who the heck is this guy? Hello, my name is John Hammond. During the day, for my day job, for the actual work that I do that pays the bills, I am a cyber training developer over in the United States doing some cool stuff with kind of their government and military side that helps create training material and learning material for our personnel. In my free time at night, I love to play capture the flag. I like to develop capture the flag problems and challenges and training sets and exercises to make people better at cybersecurity and learn new things. I also like to do a little bit of YouTube that's kind of just a side project, a passion that I have. It's a wonderful hobby that I really, really enjoy going ahead and creating content all about capture the flag or cybersecurity or information security and stuff like that. Hopefully, maybe you might have seen me before. Some recent events that I've helped put together and create were VirSecCon 2020. This year in April, we hosted VirSecCon, or Virtual Security Conference, and I ran that capture the flag competition. We also had NahamCon or the NahamCon CTF that was also seemingly a great success.
I helped develop some challenges for picoCTF or DEF CON, the United States DEF CON, and I also built some rooms within TryHackMe, one of the training exercises and online war games that you can practice and sharpen your skills on there.

Okay, so this is a talk, right? But what are we even gonna talk about? This is a quick kind of roadmap agenda, outline and schedule of what we're gonna be discussing in this little show presentation. So what is a capture the flag? I keep saying those words, but what do they really mean? Who cares? Why do we even bother with this sort of thing? Maybe hopefully at that point you're a little bit interested in what capture the flag is if you haven't heard of it before and you might be asking the questions like, well, how do I get better at capture the flag? What do I study? Where do I learn? And what else is out there and what do we do after we're done with capture the flag or kind of that scene? So let's dive into it. Let's go ahead and jump in to the real presentation here. Let's get started.

What is capture the flag? What is a CTF? So a lot of people come to me or they might, who knows? They might come to anyone and they just say, I wanna get better at cybersecurity. I wanna learn cybersecurity. I want that cool job that pays X amount of dollars. It seems to do really, really well. That person is loving their life. They're having a great time. They wanna be a part of that scene. They want to learn cybersecurity. So my common response to them is play capture the flag. But you might still be wondering, okay, what is a capture the flag? That doesn't answer the question. So I'm gonna tell you, a capture the flag is a cybersecurity competition. It's a gamified way that you can learn cybersecurity skills and each player or the participant, they're challenged to solve security problems by hacking into or defending computer systems and technology. The whole point is that it's a game. It's a sport. It's for fun.
So you enjoy yourself, but it's really, really cool because it highlights and emphasizes real cybersecurity concepts, real vulnerabilities, real tricks and techniques and exploits, et cetera. It's just so cool because you want to play a game, right? It's fun to play a game. Maybe you're competitive with all your friends, the people in the other room, and you want to climb the scoreboard. Maybe you see yourself in that leaderboard and you say, hey, I know I can score more points and I know I can beat that person that's just above me or maybe I wanna get 500 points no matter what that is or what that looks like. So you can solve problems, solve challenges or these tasks that are laid in front of you, accomplish all the stuff all while having fun. That's the whole point. It's a game and you're enjoying yourself learning new things and that's super duper cool. So capture the flag comes in a lot of different kinds or a different flavor of the game, right? So there isn't like a strict definition or a proper term for each of these things. So I might get them wrong. Again, disclaimer, the name of these might be a little subjective. I think we can all agree that there is a jeopardy style capture the flag and that's kind of the most classic commonly found all around the internet or happening all the time during the CTF season, right? The time of the year where a lot of schools, a lot of universities and colleges are getting together so they can host their own capture the flag competition or an event or in a game. So in a jeopardy style game, the challenges are laid out in front of you in different categories, right? Like a jeopardy game. Maybe there's a specific category for binary exploitation or reverse engineering or web or programming or crypto, forensics, stego, OSINT, mobile. There are tons and tons of categories and this list can go on. 
I'm just kind of enumerating some of the very, very common ones but you'll see often maybe the game board that's displaying them which is, it almost looks like a jeopardy game board, right? There are different boxes for the challenges or the tasks within that category. And then in sort of like an Olympic style game with all these different events or these categories to work in, you will solve challenges or the tasks that might be worth a different amount of points and that point value is usually mapped to how difficult the challenge is. Oftentimes with this style of game, you might find static scoring where the point values for the challenges don't change. If you see a challenge that's worth 200 points, it's going to be worth 200 points throughout the entire duration of the competition. On the other hand, there's dynamic scoring where maybe the first team to solve a challenge would gain all of those 200 points but then the point value of that challenge would go down because someone else has already solved it. They got first blood or they were able to solve that challenge before anyone else did and that helps them in the scoreboard. That way the more people that solve one challenge, that point value will slowly decrease or devalue or decay because maybe those challenges will be easy and a lot of people will solve them. So that point value would shrink. That means that the harder, more difficult and complex and advanced challenges, well, those will be really high value targets, right? Because then less people have solved them and they're worth more points in a dynamic scoring competition. Some people kind of have their own different opinions on what scoring style they like. Personally, I really like static challenges because if the point value goes down on a challenge, well, I'm kind of bummed that I'm losing points for that challenge that I solved. 
So totally up to you what you like but you can often see that in a Jeopardy style competition and Jeopardy just means, hey, we've got challenges ready and laid out for you within these different kinds of categories. Along with that, you have an attack and defense competition. Now this is a different kind of game. This one might be a little bit more fun for some people because it's very, very active. There are different teams, there's different players but each of those players, that team, they're given a bunch of network services. They're given a bunch of programs that are running and live and have to be maintained. They have to be accessible and available for the game to operate, for them to actually maintain their points on the scoreboard. The gimmick is that each of these network services they have are vulnerable. So they have to go ahead and patch and protect and make sure that their systems and their services are secure so that their challenges, their services aren't exploited or taken advantage of and abused by the other teams. So that way they can retain all of that uptime and service availability and what will give them points in this game. At the same time, those vulnerabilities and weaknesses and flaws that are in their software, all the other teams, all the other players, they're gonna have those exact same services, the same software. So the bugs and the flaws, the vulnerabilities that you might find that you're trying to patch and protect and defend across your services, once you know that technique or that exploit, you can go fire it off and go attack the other players. So you might gain points for, hey, keeping your services alive, defending your turf and your terrain but also going out and attacking other players. And that's where the game kind of gets its name, attack and defense. So Jeopardy style and attack and defense competitions, those names and the terminology there is pretty well solidified. 
I think the community has kind of got a good articulate and precise name for those kinds of competitions. For other events, sometimes I've heard this referred to as like a hack quest or a boot to root event style, game and competition. These are a lot of fun. Boot to root or a hack quest style games are much more penetration test oriented. They're all about kind of being a red teamer or an adversary doing some aggression on maybe a full network or one specific machine or a box where there's something vulnerable, some computer, some system, some network, something has flaws and weaknesses and you can exploit it, take advantage of it, abuse it and collect flags from that system. And that is the competition going through and collecting flags from that. And it's often a race to collect the most flags from that. That one is a ton of fun because it's very, very real world. You see a lot more stuff that is often used in penetration testing and red teaming. And if you aren't familiar with those words, totally fine. We'll touch on that in just a second. But some question you might come to me with is, okay, John, who cares if it's just a game? Well, that's not real world at all. It's not, that's not realistic. It's a game. So I counter that, that capture the flags are useful. They're fantastic. They're super instrumental to learning because they provide such a great way to learn. It's a game and that's what makes it so much fun because we're doing actual hands on practical stuff. You're actively working on the keyboard like an operator, right? You're doing the real things, exploiting the real vulnerabilities, finding flaws in crypto systems or uncovering secrets and techniques used for steganography. It's not just us talking about security, right? Maybe some of the higher roles or positions you might kind of see within some job. They're a big manager. And I'm not meaning to throw shade or point fingers at them. 
It's just that a lot of times you might see security where it's maybe a slide on a PowerPoint presentation or you're just pointing at numbers on a graph. You're talking about cybersecurity. I think capture the flag gives you real stuff to work on that's hands on applicable on the keyboard. You're doing it. You're not just talking about it. And that's awesome. The fact that it's a competition that motivates you. If you're a beginner to cybersecurity, you've got so much to learn. You're like drinking from a fire hose because there's so much out there. If you're a professional, if you've seen this kind of stuff over and over and over again, you're an expert, you're a master, you know what you're up against. Well, you're still gonna find really interesting, complex and intricate challenges that will stretch you and help you learn different things. One of my favorite things about capture the flag is that these challenges, they're gonna be alive forever. Not maybe open and accessible, but the fact that, okay, we've just encapsulated one problem. We've distilled down a vulnerability. We've captured and packaged up one mental process and idea to work through in a challenge, right? This conceptual thing that now exists and is part of one capture the flag competition. And soon from that, maybe hundreds or thousands of people have played that capture the flag and they've written blog posts or articles on what they did to go explore and attack that challenge. So that is a bundled up, packaged and encapsulated problem and task. And that's super duper cool because maybe that bug in a real world scenario is gonna be patched or gone away, but the mental idea behind a capture the flag challenge, that's its own standalone thing now. And that's going to be able to be referenced and look back on and read about and studied and that's super duper cool. 
The challenges in a capture the flag are eternal and they're forcing you to do hands-on, practical, applicable stuff that motivates you to learn. They're awesome. I love capture the flag. I hope you guys do too. On top of that, it's real stuff. You're gonna find real vulnerabilities. You might see some of the events, some of the competitions like the Real World CTF that's really bringing in actual products or systems or hardware or real things that are sold out in the real world. And you're gonna be finding and abusing vulnerabilities and throwing exploits at that. Another common thing is the Pwn2Own competition where you've got something in front of you or a tangible actual thing, real world, that if you break it, if you can pwn or take advantage of that, if you can exploit it, hey man, that's yours. That prize, you get whatever you just broke into, whatever you hacked. Maybe it's a new fancy Tesla car or some crazy airplane, who knows? While there are still some of the kind of classic, well-known techniques and tactics, in the capture the flag scene, you're gonna run into some crazy cool stuff, stuff that might be potentially new, complex and advanced zero-day attacks, right? Zero-day as in the world, researchers and blue teamers, defenders have had zero days to prepare for that. They've never had any chance because it's so new. You're on groundbreaking, like you've just made history and that this bug, this vulnerability, this flaw was never found before or you've exploited this in a zero-day attack. Finding that in capture the flag, that's so cool. That's just so cool. And there is just so much out there. You're only one person, right? I'm only one person. Let's say you are just one fellow, one human being and there's a capture the flag going on and there's another capture the flag maybe later this week or over the weekend and there's another one the next weekend.
Those CTFs, those events, those games are being created and put together by not you, right? Different people. So while you might have your own interests, you might find the things, find the technologies and the languages and the computer systems that you are really interested in and that you work with on a day-to-day basis but all those other people that are hosting these other capture the flag events, they're gonna have their own interests and their own passions and the stuff that they think is really, really cool and really interesting. So they're gonna stretch you because you're gonna get to see some of the technology that they wanna showcase and because there's just so much out there, you're gonna be introduced to new things. You're gonna gain exposure to all the stuff that's out there slowly, right? Maybe one event after another and your skills start to stockpile and accumulate and you grow but capture the flag because they're just so frequent and because there's just so much out there, it's awesome. You're gonna be pushed out of the comfort zone. You're gonna learn new things that you hadn't seen before and you wouldn't normally work with those software or those hardware or those systems in any other environment. So capture the flag is great for that. So some common question that might come from that if someone is a little bit more seasoned, they'd say, okay, sure, whatever, CTFs are cool and all, why not do bug bounty? Well, the answer to that is like, you should do bug bounty. You wanna learn as much as you can, right? You wanna be a sponge. You wanna gain exposure to all these technologies. You wanna think about new, creative and innovative problem solving. So why not do both capture the flag and bug bounty? Practice your skills and keep stretching yourself so you can keep growing. So for those of you that might not know, hey, what even is bug bounty? Bug bounty takes the capture the flag concept, that whole scene, and it takes away the game aspect. 
It's no longer just for fun or as like a competition or a sport with prizes. If you find a real vulnerability in a real corporate application or some actual maybe endpoint business software thing that's out there in the world, well then you can get paid for that. They'll give you money because hey, you just helped us protect our environment. You helped us protect our systems because this is a real actual application that we use to provide services to real people in the real world. A lot of times that means it's gonna be a lot more front end oriented, right? So a lot more websites, web security, and maybe mobile hacking between an Android app or an iPhone app, but it's real. So that means it's gonna take some advanced maybe complicated filter evasions or bypass techniques or obfuscating your payload in different ways. But to answer the real question, why should I do this instead of bug bounty or why should I do bug bounty instead of CTF? There's no real answer because that's no real question. Do both, do as much as you can. You're all wanting to learn, right?

So if you're learning and you wanna know, man, how do I get better? My first advice is to read write-ups. So after a capture the flag competition, the players will typically write blog posts or articles on how they solved specific challenges. This is awesome. This is like the best part after a capture the flag competition because now your learning ramps up even more. While you're not banging your head against the wall, struggling, trying to just figure out this problem in the moment, after the fact, you can see how other people solved the challenges that you didn't. That way you learn, right? And it's totally okay. It's totally fine to go read and look up, hey, I wanna know the solution to this because it just fascinated me.
Look up the solution to the challenges that you did not solve and even look up the solutions to the challenges that you did solve because maybe someone else solved it in a really interesting or unique way. Maybe they found some unintentional solutions or they're using new tricks or techniques or a different tool that you haven't heard of before. That's awesome. Because now, as I said, you're just one person. You are one human being and there are tons of CTFs out there. There are tons of technologies and software and hardware and things to learn. You're just one person but all these other people are also learning and playing and getting better and smarter and sharper. So if they're gonna share how they solve these challenges, you should go read up on how they do that. Learn all those new tricks. Learn that vulnerability or that exploit. While you're reading these, why don't you try and write your own? If you solved some challenges in a capture the flag, you should totally put out your own blog post or your article or even a video. However it's done, however you want to express it, showcase what you learned and how you solved that challenge. That's super cool. Now I mentioned, yeah, make a video. It doesn't have to just be a wall of text, right? Sometimes if you're reading a book, you've got some giant textbook you have to work through for school. If you're reading and there's a lot there, I know your eyes just glaze over, right? It's putting you to sleep because it's just hard to work through sometimes. If that's not your way of learning, totally fine. You don't have to read all those write-ups because right now there's a lot of video resources. Now we've got other forms of media to showcase all this stuff. Personally, I really like YouTube. You might find tons of others on different platforms, but I think YouTube is a great place for learning.
There are a ton of content creators that will showcase different capture the flag challenges or different aspects of cybersecurity or vulnerabilities or exploits, walkthroughs, et cetera, et cetera. There's The Cyber Mentor, Heath Adams. I know he's a big guy in the scene. IppSec, he does fantastic stuff with the Hack The Box platform. Kindred Security, LiveOverflow. I guess myself a little bit in there. It's awesome. It's so cool because it's just a giant, it's growing, I guess. Maybe it's not giant, but it's a wonderful community. It's kind of a family for these content creators that are showcasing what they're learning, how they're learning and how we're growing. Not just the person at the other end of the screen, maybe not just you that's watching the videos, but even the content creators. We want to learn and that's why we try and teach and showcase. That's one of the best ways to learn is to try and teach it yourself. And this isn't specific to capture the flag, right? We talk about penetration testing. We talk about bug bounty. We talk about internet of things or industrial control systems. There's so much out there and the internet. All of it's free open source because we just love that mindset and mentality, right? You can go find it online. YouTube is a great place to learn. Not just read write-ups, but you can watch video guides.

Okay, so that's sort of a passive intake, right? You're consuming another person's content or maybe you're reading their write-up or you're watching their video, but how do you actively study? How do you actively learn? What are the options that you can get better there? And to that I say, practice with war games. All those online, maybe cyber ranges that you can go and attack and break into, maybe defend and patch, who knows?
There are tons of war games out there that will help you learn new technologies, new systems, new vulnerabilities, exploits, techniques, maybe a different category, binary exploitation, reverse engineering, or specifically crypto. There's a lot. This is just a small list. I've kind of showcased this around between OverTheWire, the Cryptopals challenges. CryptoHack is kind of new on the scene. Hack The Box, obviously tried and true. TryHackMe is turning out to be incredible in my opinion. I really love the stuff that they do there. The SANS Holiday Hack challenges, SANS puts out incredible stuff. Nightmare, I've been really learning that. I've been leaning into that more because it's pretty great for showcasing some binary exploitation and reverse engineering techniques because it's presented through the lens of capture the flag competitions. So that's super duper cool. Obviously, VulnHub, picoCTF for beginners that are trying to learn. There's just so, so much out there. There's always a new war game you can pick up, try and work through. And just as before, write your own write-ups. Create your own content with that. There's so much out there. You can study tons and tons of war games. If you aren't satisfied with just this list, there is an awesome CTF list that's on GitHub. If you simply Google awesome CTF, you should be able to find a good list of other resources that might help you learn and get better and practice.

Okay. So what else is out there, right? We talked a little bit about penetration testing. We talked a little bit about bug bounty. Pen testing, that's going to be more real stuff for corporate networks, for an entire environment that might have potentially vulnerable machines or vulnerable boxes and things that you will need to take advantage of or you could take advantage of. That's very real world, right? There's an outline scope that maybe the client or the customer that is asking you to perform a red team adversarial penetration test.
Find out all of the security holes in our real network. That's something that you should absolutely do. Maybe that's your end goal. Maybe you want your job to be a professional penetration tester. You can do that. And I think capture the flag might be a great stepping stone to get into some of that stuff. Bug bounty just as much. If you want to get paid for, hey, bug hunting or finding the bounty, incredible thing you can do with actual real world applications. Obviously, there are tons of other similar but different fields than capture the flag. My advice, it's you, man. You get to choose. What are you interested in? What do you like? What fires you up? What makes you get out of bed in the morning and what do you really love and enjoy? You should explore all those different fields if you enjoy them. If you like capture the flag, play capture the flag. If you're more interested in pen testing, you can still find some of those boot to root or hack quest capture the flags that you might be interested in. Or maybe check out bug bounty or focus more on the web category and capture the flag. All of these different fields blend into each other. They blur and start to bleed into each other and overlap in different ways. So find the stuff that you really love because that's where the learning's gonna come from. That's where you're gonna get the most out of it. You're gonna help yourself grow and get better. And that's awesome.

Okay. Here are my lasting thoughts, right? Maybe you've played some capture the flag. Maybe you've done some bug bounty or you performed some penetration tests. Maybe you are in the midst of that. Maybe you're still playing. You're active. You wanna keep learning more. You've got that hunger and that thirst for more knowledge. Maybe you're an expert. Who knows? Maybe you're a master and you know everything there is to know. I don't think that matters.
I don't think that you need to, I don't know, scale yourself or measure yourself or benchmark yourself on whether or not you're a pro or a beginner or a noob or a guru. I don't care. It doesn't matter. Honestly, in my opinion, and I've said this I think before, I could be doing this sort of thing for 50 years. I could do this my entire lifetime. And I would feel like I'm still a beginner because there's just so much to learn. There's so much out there. I think one way that you can really find success or you can find a lot of fulfillment and just really love and pour the passion of this sort of thing is to share what you learn. Write those write-ups. Make those videos. It doesn't matter what media format you have it in. It doesn't matter if it's your blog post. It doesn't matter if it's on, I don't care, Instagram. It doesn't, I don't care. Share, create, produce. Everything that you learn, every new trick or tool or technique, give it to the rest of the world. Stream it on Twitch, like post it on Reddit. No matter how you do it, I want you to share and help the community grow, not just yourself, but everyone. And that's gonna help you grow even more so.

This is how Capture the Flag changed my life. I don't think it's because, like it's not because of skill, like I'm not great or incredible at any of the stuff. I'm not the best, I don't think I ever will be, but I think if you become an active, prolific, content creator is not the right word, but a community contributor, right? All of a sudden, I don't know, doors open up for you. People ask me for these talks, right? Hey, can you come hang out with us over at this DEF CON group? Hey, would you like to make some challenges for picoCTF, one of the biggest like beginner worldwide Capture the Flag? Would you like to host these CTFs for us for VirSecCon or NahamCon? Would you like to come to the Google Capture the Flag finals over in London? I don't even have to play the competition.
I was invited to London just to be there, just to hang out, just to kind of record and interview and hang out with all these people that are doing the information security things that are playing the Capture the Flag. And that is just unreal to me. I think it's all because I wanna learn, we all wanna learn, we're all trying to grow. So if I share the story, right? If I gift and give all the resources that I'm using to learn and I give back, I guess, I don't know, give back isn't the right word either. It's just share everything that you do, document it. And that's how Capture the Flag changed my life. And I honestly think if you do the same thing, they can change your life too. You're gonna learn so much, you're gonna grow, and it's gonna be incredible. So if you haven't, go over to CTFtime.org, find a Capture the Flag that might be running this weekend, sign up, register, go play Capture the Flag, solve a few challenges, learn some new things, write about it, make some videos, produce, and create, and just repeat that cycle. And soon it'll change your life. Okay, man, thank you so, so much. I can't say it enough. You've heard me probably time and time again just say thank you, but I am so, so grateful for you listening, tuning in to listen to this talk. I hope you gained maybe a little bit of nuggets, something new out of it. I know a lot of this stuff might be kind of surface level for a lot of people that are already in the scene playing the Capture the Flag, but I wanna reach out to the newcomers. I wanna reach out to that person that's kind of wide-eyed, adventurous, eager and excited to jump in. I'm excited for you, because I want you to learn, I want you to grow, and I want this whole thing, information security, cyber security, I want it to change your life. Thanks so much for listening. Take care, everyone.