With the holiday season behind us so are the yearly holiday themed CTF challenges. I participated in 2 of them , TryHackMe’s Advent of Cyber and SANS Holiday Hack Challenge.
Going into TryHackMe’s Advent of Cyber I was not sure what to expect. I had been using TryHackMe off and on for learning. I had found them a bit easier to navigate and honestly more my speed right now compared to Hack The Box. The first thing about it was the format had not really changed from their normal learning paths except for one thing. They supplied a browser connected attack box if you chose to go that route. If you were not a paying member of TryHackMe you had to use that browser based box, otherwise you could use your OpenVPN connection and use your own VM/System for doing the challenges. The browser attack box I found a bit painful to use due to lag. Booting it up you were warned would take a bit, but once up it was slow responding for me. Also it split my browser in half, and no real good way of resizing. The minimum to help out with this would have been being able to open the attack box in a new tab. This would have minimized scrolling and not having the desktop real-estate that many would be use to having. It also would have stopped the constant side scrolling back and forth which causes redraws of the desktop and slows the process down.
The challenges on the other hand were a great tool, and fun. There was a whole Santa’s been hacked theme going on. The idea was one topic to learn (multiple questions) per day. So one day you would be using nmap, one day burp, one day something else. 25 days, 25 direct topics. The Advent style of this meant you do not have to spend hours upon hours on the CTF. Most days took me no more than 45 minutes to go through. Also, a top level topic would span days. so you would get multiple days of web attacks, with each day covering a different thing (command injection, burp, slqi etc…), and it would follow that top level topic day to day. Each topic could build upon the prior ones at times, or be stand alone. The accompanying video for each day was a nice added touch for people that learn better that way, and while they did get into the topic a little bit more, and occasionally give the thought process of the person doing the video, the basically amounted to reading the actual written instructions/explanations of the topic written before you get to the actual CTF questions. At the end of the video though they did do a walkthrough. This was nice if you got stuck, but since it gave the answers in most instances it could be use to bypass actually doing the challenge itself. Rating Advent of Cyber on a scale of 1-10 I would give it a solid 8.
Kringlecon, otherwise known has SANS Holiday Hack Challenge is a different creature. Yes it is a story driven type CTF, with a web based interface. It also has mini terminals for you to use to solve the challenges so you do not need a VPN setup at all. There are challenges for every skill level and this year they added a Discord server where there was rooms for each individual challenge so you could get help if needed. Most challenges had multiple ways to figure them out, and there was a wide variety of challenges included. The intro to Linux challenge was a good mini-version of what I got when doing my SANS504 class last year. The intro to scapy again is a great base tool learning challenge. There were 12 main objectives and a number of side ones. Overall I solved 7 of the main Objectives and a number of the side ones. I had unlocked 4 of 7 parts of the narrative. This was better than I had done the prior year, so while not finishing everything, I was very satisfied. The talks that lined up with objectives worked well. As it was free flowing and everything there at once, it was also easy to get lost for hours on end. I spent 2 hours one the scapy intro only to run into a problem where I accidently deleted the file I needed on the final question and had to start again. Moving around was tough at times, and even tougher if you did not use the option to make other players disappear from your screen. The other advantage is while the competition is over, you can still go and do the challenges(and all the past Holiday Hack versions also). One thing missing is a way of saving your progress when in a challenge, as going out to get hints or look at hints you got from the elves meant restarting the whole challenge. Rating Kringlecon on a scale of 1 to 10 again it gets a solid 8.
One last thing is prizes for these. With the Holiday Hack Challenge they choose from write ups of the event that are sent in by a specific date, which has passed at the time of this post. Advent of Cyber, for each day you completed you got your name entered into a drawing for prizes, this also has passed. The write up method is nice since part of security is being able to write what you have done and how you accomplished it, especially on the red team side of things. Just getting entered into a drawing on the other hand makes the prizes available to a wider range of people, including those who are not good at write ups.
I do recommend both, although it looks like Advent of Cyber is not available anymore, but there are other leaning paths, all are in their CTF style, at TryHackMe (they just added a Blue Team based path). I do look forward to seeing what they come up with for the 2021 challenges.
Leave a Reply