My participation in France Cyber Security Challenge 2020
On June 27th 2020, I participated in the finals of the French Cyber Security Challenge, a capture the flag brought by the ANSSI (France’s National Cybersecurity Agency).
Qualifications happened in April, where 15 “Seniors” (born 95-99) and 15 “Juniors” (born 2000+) were to be selected, in order to compete for a spot in the national team for the ECSC (European Cyber Security Challenge), gathering young talents from several countries across Europe. This year’s ECSC was meant to take place in Vienna, Austria, in November. I ended up 14th in the Senior category (if I were born just a few months later I would have fallen in the Junior category, which had a much weaker score threshold, but I guess I didn’t need that…!).
So I barely got in and got qualified for the finals, that were to take place this June 27th in Paris. Of course, the event was kind of shut down by the sanitary crisis, but they thanksfully still let it happen online instead of onsite (looking at you, Wavestone). What is heartbreaking, though, is the cancellation of the European finals in Vienna, which means the french finals were only maintained for fun.
I had literally no expectation whatsoever with these finals; as stated, I was relatively hanging by a thread and most other Senior contestants seemed quite intimidatingly skilled to me. I thought I had zero chance and would literally get stomped. It turns out I actually performed well!
The competition ran from 10am to 10pm. Like the qualifiers, the finals consisted of a jeopardy-style CTF, featuring reverse engineering, cryptography, forensics, web, pwn and hardware. I started with the very first blood, 20 minutes in, on a web task. I did quite good, very surprisingly to me managing to keep the first place up until around 2pm. However, I wasn’t able to flag anything the whole afternoon; I reached some kind of slump. I guess most contestants experienced this slackening too, because somehow, in some way, I managed to stay 3rd place, until the fateful hour. And by this locution, I do not mean the end of the competition. At 8pm, the organizers decided to cut off the scoreboards and freeze all the points, to maintain the suspense until the very end.
It shouldn’t come off as a surprise that the two last hours were brimming with tension, and even more so after realizing that two Seniors still hadn’t submitted a single flag yet! Were they keeping those to themselves to make an unexpected comeback at the end?
Luckily, I found two more flags in the middle of this hazy phase. At this point I was somewhat confident that I had a chance to make it to the top 5. 30 minutes before the end, I discovered what could potentially secure my spot in the top 5: a vulnerability in the last and most difficult web challenge (some sort of pièce montée with HTTP response splitting sprinkled on top) and spent all my efforts in trying to exploit it, without success. The event was over.
They made us wait for two days before publicly releasing the actual final rankings. And eventually…
I ended up 2nd!
I am largely satisfied with my performance, which clearly exceeded my expectations. How did I do better than all these guys who made it so hard during the qualifiers? I still feel like they’re more skilled than me in a lot of categories. The main difference between the qualifiers and the finals being the duration, speed might be a clue, but even then I don’t consider myself as especially fast at solving these challenges. Anyways, I made it up there, though I guess hexabeast is like Airman: you can’t defeat him.
Overall, I thoroughly enjoyed the competition. Both qualifications and finals were crazy fun and high quality. The challenges were well-rounded and creative, with a balanced difficulty. The organizers were great; the staff was really kind and professional.
I am not going to do write-ups for the finals' challenges, because I feel like I don’t have anything special to bring to the table (except maybe for a certain web challenge which I was the only one to solve in time, but which was more about making fudging PhantomJS behave rather than anything else lol). However, you can still check out my write-ups for several of the qualifiers' challenges (in french):
Heartfelt thanks to the ANSSI guys and shoutout to the other players that made it tough (even though I ranked high, I’m still impressed by people who can do pwn… I have a lot of things to learn!). I hope to reiterate next year and perhaps be part of the ECSC 2021 in Prague!