Microsoft Build the Shield National Qualifiers ’15
a 24 hours long jeopardy-style Capture the Flag competition based on information security was organised by Microsoft on January 30-31 ’15 for Undergraduate students on a National level.
the competition started at 7 PM IST on 30th January and consisted of 15 questions initially. All of the questions produced a flag which was supposed to be submitted as the answer to that question.
The questions were based on basic information security, network security and cryptography.
- Starting with the first question, we had a nested zip file and had to retrieve a file containing the flag, which was supposed to be done by a basic script which recursively unzips the file. (50 points)
- The following questions were in an increasing level of complexity. The second question we had, was based on stenography. We were supposed to recover data from a jpg file. On closer inspection of the jpg file, it consisted of merged protected files which after retrieval was supposed to be opened after cracking the password. (100 points)
- Further ahead was a question related to web security in which we had to manipulate a system by gaining its administrator rights and then further gaining the flag. (100 points)
- a basic question based SQL injection was there which expected the tester to penetrate into authentication layer of a poorly designed web application based on loose SQL queries. (100 points)
- next ahead was a question based on steganography again in which information was hidden in an audio file and we were supposed to analyse the file in order to obtain the information/ flag. (100 points)
- then there was a question which had a combination of both SQL injection attack and XSS attack which expected the user to calculate the administrator’s password, which was the flag according to the hint which tester got after the first SQL injection. (400 points)
- then the final question we attempted, was a very interesting one, it had some data hidden in a jpg image (embedded on a separate web page) but it was very unclear. on a closer inspection of image name and page source we noticed, there could be another image on that server, which hosted the image, and we found one. after some attempts we created another file with the help of both images which contained an image which looked something like a morse code but the lines and dots weren’t uniform and it didn’t make any sense after decoding. after thinking a lot we finally concluded that it might be a binary code. after converting the image into a binary stream, we successfully captured the flag. (400 points)
the overall experience was thrilling and very interesting.
The competition was supposed to shortlist a total of 50 teams on a National level, and we ended up being on a National Rank 59.
The National finale were scheduled to be held in March ’15 in Microsoft India’s office and we all wanted to be a part of it.
We were little upset about the final result but it gives us motivation to learn a lot of other things related to security and do better next time.