{"id":19010,"date":"2022-11-11T13:52:57","date_gmt":"2022-11-11T12:52:57","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=19010"},"modified":"2022-11-11T13:52:58","modified_gmt":"2022-11-11T12:52:58","slug":"defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/","title":{"rendered":"Defcamp finals 2022: Feedback on our first Attack\/Defense CTF"},"content":{"rendered":"\n<p>Yesterday, the team <strong>YoloSw4g<\/strong> from <strong>Wavestone&#8217;s Cybersecurity practice<\/strong> took part in the <strong>2022 Defcamp CTF finals<\/strong>. Defcamp is one of the <strong>top cybersecurity conferences in Europe<\/strong> and every edition is hosted in Bucharest, Romania. Wavestone had the opportunity to play the CTF and finals for the two previous editions, and the format and quality of challenges have always been appreciated. Unlike previous editions where the format was <strong>Jeopardy<\/strong> (a list of challenges to solve that each bring points), this year was <strong>Attack\/Defense<\/strong>.<\/p>\n<p>\u00a0<\/p>\n<h2>The attack\/defense (A\/D) format<\/h2>\n<p>During the A\/D exercise, teams literally competed against each other in the <strong>10AM &#8211; 7PM slot<\/strong>, with the 10AM-11AM slot dedicated to hardening rather than attack. 
Each team had two virtual machines that were running a variety of services:<\/p>\n<ul>\n<li>The first VM hosted services in <strong>Docker containers<\/strong>: songs\/singers management webapp, auction website, binary application to emulate a business service, etc.<\/li>\n<li>The second VM offered <strong>services directly on the host<\/strong>, through services and workers run by <strong>dedicated users<\/strong>: CVE search website, remote control webapp, etc.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19022\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/2022-11-11-13_49_09-Clipboard.png\" alt=\"\" width=\"1440\" height=\"684\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/2022-11-11-13_49_09-Clipboard.png 1440w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/2022-11-11-13_49_09-Clipboard-402x191.png 402w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/2022-11-11-13_49_09-Clipboard-71x34.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/2022-11-11-13_49_09-Clipboard-768x365.png 768w\" sizes=\"auto, (max-width: 1440px) 100vw, 1440px\" \/><\/p>\n<p>The services had been <strong>intentionally modified to include vulnerabilities<\/strong>, misconfigurations and backdoors that could be exploited. Upon exploitation, for each service there was a <em>flag<\/em> file that could be stolen to bring points to the exploiting teams, and remove points from the victim. 
Flags were renewed every two minutes by the organizer&#8217;s bot, so <strong>teams were gaining and losing points as long as the services remained vulnerable<\/strong>.<\/p>\n<p>There were also misconfigurations in the Docker containers and on the host that allowed for <strong>lateral movement between the services<\/strong>, escape from the containers and even <strong>privilege escalation to root<\/strong> for complete takeover and persistence.<\/p>\n<p>Finally, to provide a kind of realism for the exercise, <strong>the teams had to keep the services operating or they would lose SLA points<\/strong>. Preventing the organizers from renewing or reading the flags also resulted in point loss.<\/p>\n<p>Given the nature of the exercise, the teams were <strong>encouraged to patch their services<\/strong> during the CTF to remove the vulnerabilities. However, in doing so it was easy to damage a feature of the service and to lose points in the process: since the SLA checks were not documented, there was no way at first to know if we could remove the vulnerable part of the application or if we had to spend time to keep it running.<\/p>\n<p>\u00a0<\/p>\n<h2>Let&#8217;s talk strategy!<\/h2>\n<p>In this CTF format, there are a few valid strategies to try to win 1st place:<\/p>\n<ul>\n<li><strong>Focus on attack:<\/strong> there are many other teams, so while they remain vulnerable, a single exploit could provide access to many flags and points<\/li>\n<li><strong>Focus on defense:<\/strong> if the services are correctly patched and no persistence is established, it is easier to later focus on how to exploit while preventing point loss<\/li>\n<li>Split the team to do a little bit of both<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<h3>The attack strategy<\/h3>\n<p>The teams had <strong>one hour before the opening of the network links between each other<\/strong>, so this time had to be spent analyzing their own services. 
The goal at this point is to <strong>quickly identify vulnerabilities<\/strong> that can be exploited in a few lines of code, so configuration and code review is key:<\/p>\n<ul>\n<li>The little-known <em>grep<\/em> tool that allows for identification of unsafe function use (for example <em>shell_exec<\/em> and <em>system<\/em> in PHP, <em>execSync<\/em> in NodeJS, etc.)<\/li>\n<li>The <a href=\"https:\/\/github.com\/carlospolop\/PEASS-ng\/tree\/master\/linPEAS\">LinPEAS<\/a> \/ <a href=\"https:\/\/github.com\/diego-treitos\/linux-smart-enumeration\">Linux-Smart-Enumeration<\/a> open-source tools to find misconfigurations on the hosts<\/li>\n<\/ul>\n<p>Because the security issues had mainly been deliberately introduced in the applications rather than embedded within the codebase in a complex way, this strategy is efficient: calls to vulnerable functions can easily be traced back to URL and API endpoints with few prerequisites for exploitation.<\/p>\n<p>However, the downside is that <strong>exhaustiveness is hard<\/strong>: the codebase is large enough and the misconfigurations numerous enough that they cannot all be found in one hour. And with webshells appearing everywhere once the exercise starts, searching for code execution functions or public keys is not always representative.<\/p>\n<p>\u00a0<\/p>\n<h3>The defense strategy<\/h3>\n<p>This strategy is really all about <strong>preventing point loss rather than making points<\/strong>. In the long term, teams gain more points by exploiting the services than they lose by not patching them, so it is <strong>not a viable strategy for the whole CTF<\/strong>.<\/p>\n<p>The teams had been informed a couple of weeks earlier by the organizers about the nature of the exercise and about some details of the infrastructure. 
Therefore, <strong>teams had some time to prepare defense mechanisms<\/strong>, although the exact nature of challenges was not really known.<\/p>\n<p>We also figured that <span style=\"text-decoration: underline;\"><strong>visibility was key<\/strong><\/span>, for a lot of reasons: finding the nature of SLA checks, detecting exploit attempts, detecting flag leaks or communication with other teams&#8217; infrastructure. In this effort, the following tools can be used to observe what&#8217;s happening in the infrastructure:<\/p>\n<ul>\n<li><strong>At the system level:<\/strong> <em>auditd<\/em>, and if motivated, forwarding logs to a SIEM instance to automatically detect strange behavior<\/li>\n<li><strong>At the application level:<\/strong> Apache logs and <em>mod_security<\/em> to find execution errors and malicious payloads, and also to block some of the attempts<\/li>\n<li><strong>At the network level:<\/strong> <em>tcpdump<\/em>, <em>tshark<\/em> and <em>Wireshark<\/em>, which give the most insight into the other teams&#8217; activity towards our own infrastructure, but are limited by encrypted protocols and traffic volume<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<h3>The &#8220;why not both&#8221; strategy<\/h3>\n<p>Teams were limited to 5 people onsite, so although this strategy may be the most efficient, it is not really optimal given the conditions of this exercise. However, it is still what most teams do because it is hard to properly organize on-the-fly. 
However, it can be optimized by assigning each player to both attack and defense on a single service rather than specializing them in attack or defense.<\/p>\n<p>\u00a0<\/p>\n<h2>What we did in practice<\/h2>\n<p>During the pre-exercise phase, we thought that the ratio between binaries and web applications would be quite balanced, so we had to come up with protections for both:<\/p>\n<ul>\n<li><strong>For binaries<\/strong>, most of the exploits use vulnerabilities to launch a shell to read the flag, or they chain open-read-write operations to print the flag contents on the standard output. We tried to rely on the <strong>SECCOMP kernel feature<\/strong> that mimics a firewall logic (based on the BPF technology) to allow or prevent some system calls and apply constraints on their arguments: the goal here was to learn the normal behavior, and block all deviations, either <em>execve<\/em> system calls to launch a shell or <em>open<\/em> system calls on the flag file.<\/li>\n<li><strong>For web applications<\/strong>, we thought that deploying Apache <em>mod_security<\/em> was a good compromise in terms of setup complexity, gain in visibility and basic exploit prevention. We also came up with a list of functions that could be used in a malicious way, such as <em>system<\/em>, <em>shell_exec<\/em>, <em>eval<\/em> and so on.<\/li>\n<li>Finally, since we knew there would be <strong>Docker containers<\/strong>, we thought about ensuring that none of them were too privileged to allow for container escape and host compromise.<\/li>\n<\/ul>\n<p>Finally, we knew about the flag system and the frequency of flag change, so we designed a <strong>Python orchestrator<\/strong> to run exploit scripts, collect flags, and submit them to the validation platform.<\/p>\n<p>On D-Day, during configuration review on the hosts, we noticed that <strong>SECCOMP had been disabled at the kernel level<\/strong>, so our winning strategy took its first hit. 
However, there was only 1 binary for 6 web applications, so its efficiency would have been limited.<\/p>\n<p>We spent the first hour trying to <strong>identify the quick win vulnerabilities<\/strong> and found some of them. We swiftly developed <strong>scripts to exploit them<\/strong> with our orchestrator and thought that we were ready for the opening of communication between teams. <strong>We were not<\/strong>. Almost half of the teams had patched the vulnerabilities we had found, and many of them were stealing flags we thought we had patched vulnerabilities for. We realized at this point that for each flag there would be many more vulnerabilities leading to their theft.<\/p>\n<p>We quickly decided to <strong>increase our visibility<\/strong> on the situation by running <em>tcpdump<\/em> and analyzing the traces with <em>Wireshark<\/em>, and what we observed was a lot of different exploits. Patching the issues was not as easy as initially thought due to the potential number of entry points and the impact of the patches on the services. However, by <strong>looking at other people&#8217;s exploits<\/strong>, we were able to <strong>replicate them<\/strong> and launch them at other teams to compensate for the points that we were losing.<\/p>\n<p>At one point, we noticed that one of our exploits, which should have been working, did not. We had code execution on a server, but it was impossible to read the flag files: the team had found a way (which was borderline anti-game in our mind, but still) to make the flag unreadable by the vulnerable services and readable only by the organizers. 
This led us to <strong>tighten the host security<\/strong> by focusing on a <strong>least privilege strategy<\/strong>:<\/p>\n<ul>\n<li>The flags should in theory not be read by more than the user launching the service and the organizer&#8217;s account<\/li>\n<li>Teams were actively exploiting one service to dump all flags at once<\/li>\n<li>Therefore, we decided to create new groups on the host restricted to these users, and make the flags unavailable to other service accounts<\/li>\n<\/ul>\n<p>This became quite efficient, and the visibility we gained gave us much insight into what could be exploited and what needed to be patched. Due to our hardening actions, <strong>we had finally reduced the number of points lost<\/strong> due to flag stealing, so we had time to <strong>focus on creating exploits<\/strong>, some of them quite basic, but which worked on almost half of the teams until the end!<\/p>\n<p>Two or three hours before the end, a few teams managed to break out of the containers and services to get root permissions on other teams&#8217; boxes. They quickly began to <strong>install persistence,<\/strong> create flag stealing scheduled tasks, and perform binary backdooring. At this point, at every tick of the exercise, they were stealing all four flags from each VM effortlessly, which gave them lots of points, locking the podium away. 
As in real life, it becomes very complex to eliminate the persistence due to the simplicity of reinstalling it in opposition to the number of entry points to patch.<\/p>\n<p>Our strategy, designed on the fly, still <strong>granted us the 4th place<\/strong>, which was a nice surprise for us:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-19014  aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/photo_6012721676736903843_y-e1668166077816.jpg\" alt=\"\" width=\"679\" height=\"422\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/photo_6012721676736903843_y-e1668166077816.jpg 1225w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/photo_6012721676736903843_y-e1668166077816-307x191.jpg 307w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/photo_6012721676736903843_y-e1668166077816-63x39.jpg 63w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/photo_6012721676736903843_y-e1668166077816-768x477.jpg 768w\" sizes=\"auto, (max-width: 679px) 100vw, 679px\" \/><\/p>\n<p>\u00a0<\/p>\n<h2>Takeaways<\/h2>\n<p>We really did appreciate the <strong>format of the exercise<\/strong> and its <strong>quality<\/strong>. It was a welcome change from the standard jeopardy format we had been playing for years and it forced us to think differently. 
In some ways it was much closer to our pentester \/ incident responder daily jobs:<\/p>\n<ul>\n<li>Sometimes we have to focus on impactful vulnerabilities rather than exhaustiveness, for example during red team assignments from the Internet<\/li>\n<li>It gave us insight into the complexity of patching vulnerable applications in a limited timeframe with limited to no impact on their business features<\/li>\n<li>It highlights the effect of stress during situations such as a cyber crisis, where organization between actors is the key factor, but too often neglected in favor of other seemingly important actions\u00a0<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<p>However, if we take a step back, we also noticed that:<\/p>\n<ul>\n<li>The complexity of organizing such an event is really high: the system and network infrastructure would need to be perfect in every way for it to work as intended. But there are always unplanned issues and bugs which allow for bypassing some of the game&#8217;s rules, and the limit between fairness and antigaming is often blurry.<\/li>\n<li>Due to the limited time of the exercise, we almost never had the time to implement recommendations that we would communicate to our clients after a pentest. 
There were too many hotfixes with limited efficiency and even more limited clarity.<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<p>I would like to conclude this article by really <strong>thanking all the actors involved in this event<\/strong>:<\/p>\n<ul>\n<li>The <strong>organizers<\/strong> Defcamp team and CyberEdu for setting up this exercise<\/li>\n<li>The <strong>other teams<\/strong>, for letting us exploit their vulnerabilities and for coming up with always inventive exploits, patches and backdoors<\/li>\n<li>My colleagues from <strong>YoloSw4g<\/strong> team: Maxime MEIGNAN, Gauthier SEBAUX, Thomas DIOT, Yoann DEQUEKER<\/li>\n<li>All CTF players from Wavestone who keep the team alive and allow us to participate in these competitions<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-19017 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/31d27270-4c47-4769-88c9-edb53549b712-e1668167165995.jpeg\" alt=\"\" width=\"1280\" height=\"662\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/31d27270-4c47-4769-88c9-edb53549b712-e1668167165995.jpeg 1280w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/31d27270-4c47-4769-88c9-edb53549b712-e1668167165995-369x191.jpeg 369w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/31d27270-4c47-4769-88c9-edb53549b712-e1668167165995-71x37.jpeg 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/31d27270-4c47-4769-88c9-edb53549b712-e1668167165995-768x397.jpeg 768w\" sizes=\"auto, (max-width: 1280px) 100vw, 1280px\" \/><\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: right;\"><strong>Jean MARSAULT<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>\u00a0<\/p>\n<p>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday, the team YoloSw4g from Wavestone&#8217;s Cybersecurity practice took part in the 2022 Defcamp CTF finals. 
Defcamp is one of the top cybersecurity conference in Europe and every edition is hosted in Bucharest, Romania. Wavestone had the opportunity to play&#8230;<\/p>\n","protected":false},"author":1421,"featured_media":19019,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3975,2777,3273],"tags":[4178,4179,3921],"coauthors":[3475],"class_list":["post-19010","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-challenges-en","category-cybersecurity-digital-trust","category-ethical-hacking-indicent-response-en","tag-ctf-2","tag-defcamp","tag-pentest-en"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Defcamp finals 2022: Feedback on our first Attack\/Defense CTF - RiskInsight<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Defcamp finals 2022: Feedback on our first Attack\/Defense CTF - RiskInsight\" \/>\n<meta property=\"og:description\" content=\"Yesterday, the team YoloSw4g from Wavestone&#8217;s Cybersecurity practice took part in the 2022 Defcamp CTF finals. Defcamp is one of the top cybersecurity conference in Europe and every edition is hosted in Bucharest, Romania. 
Wavestone had the opportunity to play...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-11T12:52:57+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-11-11T12:52:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/21dae488-36f4-4f47-82c1-feda36586502-e1668167066360.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"636\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jean Marsault\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jean Marsault\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/\"},\"author\":{\"name\":\"Jean Marsault\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/b91c655837841792e8ad612de7c9cced\"},\"headline\":\"Defcamp finals 2022: Feedback on our first Attack\/Defense CTF\",\"datePublished\":\"2022-11-11T12:52:57+00:00\",\"dateModified\":\"2022-11-11T12:52:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/\"},\"wordCount\":2036,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/21dae488-36f4-4f47-82c1-feda36586502-e1668167066360.jpeg\",\"keywords\":[\"ctf\",\"defcamp\",\"pentest\"],\"articleSection\":[\"Challenges\",\"Cybersecurity &amp; Digital Trust\",\"Ethical Hacking &amp; Incident 
Response\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/\",\"name\":\"Defcamp finals 2022: Feedback on our first Attack\/Defense CTF - RiskInsight\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/21dae488-36f4-4f47-82c1-feda36586502-e1668167066360.jpeg\",\"datePublished\":\"2022-11-11T12:52:57+00:00\",\"dateModified\":\"2022-11-11T12:52:58+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#primaryimage\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/21dae488-36f4-4f47-82c1-feda36586502-e1668167066360.jpeg\",\"contentUrl\":\"htt
ps:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/21dae488-36f4-4f47-82c1-feda36586502-e1668167066360.jpeg\",\"width\":1280,\"height\":636},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Defcamp finals 2022: Feedback on our first Attack\/Defense CTF\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}}
,{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/b91c655837841792e8ad612de7c9cced\",\"name\":\"Jean Marsault\",\"sameAs\":[\"https:\/\/x.com\/iansus\"],\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/jean-marsault\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Defcamp finals 2022: Feedback on our first Attack\/Defense CTF - RiskInsight","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/","og_locale":"en_US","og_type":"article","og_title":"Defcamp finals 2022: Feedback on our first Attack\/Defense CTF - RiskInsight","og_description":"Yesterday, the team YoloSw4g from Wavestone&#8217;s Cybersecurity practice took part in the 2022 Defcamp CTF finals. Defcamp is one of the top cybersecurity conference in Europe and every edition is hosted in Bucharest, Romania. Wavestone had the opportunity to play...","og_url":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/","og_site_name":"RiskInsight","article_published_time":"2022-11-11T12:52:57+00:00","article_modified_time":"2022-11-11T12:52:58+00:00","og_image":[{"width":1280,"height":636,"url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/21dae488-36f4-4f47-82c1-feda36586502-e1668167066360.jpeg","type":"image\/jpeg"}],"author":"Jean Marsault","twitter_misc":{"Written by":"Jean Marsault","Est. 
reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#article","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/"},"author":{"name":"Jean Marsault","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/b91c655837841792e8ad612de7c9cced"},"headline":"Defcamp finals 2022: Feedback on our first Attack\/Defense CTF","datePublished":"2022-11-11T12:52:57+00:00","dateModified":"2022-11-11T12:52:58+00:00","mainEntityOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/"},"wordCount":2036,"commentCount":0,"publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/21dae488-36f4-4f47-82c1-feda36586502-e1668167066360.jpeg","keywords":["ctf","defcamp","pentest"],"articleSection":["Challenges","Cybersecurity &amp; Digital Trust","Ethical Hacking &amp; Incident Response"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/","url":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/","name":"Defcamp finals 2022: Feedback on our first Attack\/Defense CTF - 
RiskInsight","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#primaryimage"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/21dae488-36f4-4f47-82c1-feda36586502-e1668167066360.jpeg","datePublished":"2022-11-11T12:52:57+00:00","dateModified":"2022-11-11T12:52:58+00:00","breadcrumb":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#primaryimage","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/21dae488-36f4-4f47-82c1-feda36586502-e1668167066360.jpeg","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/21dae488-36f4-4f47-82c1-feda36586502-e1668167066360.jpeg","width":1280,"height":636},{"@type":"BreadcrumbList","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/defcamp-finals-2022-feedback-on-our-first-attack-defense-ctf\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.riskinsight-wavestone.com\/en\/"},{"@type":"ListItem","position":2,"name":"Defcamp finals 2022: Feedback on our first Attack\/Defense 
CTF"}]},{"@type":"WebSite","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","name":"RiskInsight","description":"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants","publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization","name":"Wavestone","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","width":50,"height":50,"caption":"Wavestone"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/b91c655837841792e8ad612de7c9cced","name":"Jean 
Marsault","sameAs":["https:\/\/x.com\/iansus"],"url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/jean-marsault\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/19010","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/1421"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=19010"}],"version-history":[{"count":9,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/19010\/revisions"}],"predecessor-version":[{"id":19027,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/19010\/revisions\/19027"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/19019"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=19010"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=19010"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=19010"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=19010"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}