The 7th edition of the European Cyber Week took place between November 15 and 17, 2022, in Rennes. Matthieu Daumas, a third-year student at Epitech Brussels, went there to participate in the final of the Capture the Flag challenge. Traditionally dedicated to students, during this edition, the challenge was also open to professionals of the cybersecurity sector and the military. Enthused by the experience, Matthieu answered our questions.
How did you find out about European Cyber Week and what made you go to Rennes and take part in the event?
Matthieu Daumas: I heard about this event on a Discord server created on the theme of cybersecurity. A member had sent the link during the selection phase and I thought it would be fun to participate. The selection process lasted around two weeks during which we carried out challenges that were listed by category: cryptography, web, hardware, etc. I did the challenges and I started to get good results. This encouraged me a lot, so I went further and further and finally I qualified. Only the first 48 of the ranking were selected to participate in the final of the Capture the Flag challenge and go to Rennes.
Have you been involved in this kind of cybersecurity activity in the past?
MD: This was my first CTF challenge, at least the first one I qualified for and that also required traveling. Otherwise, it’s true that it’s something that interests me. I used to like watching people do it because I didn’t think I was good enough to do it myself. But thanks to everything that has been put in place around cybersecurity on the Epitech Brussels campus, I have progressed enough to take things into my own hands and to participate in this year’s edition of the European Cyber Week, which has been a very good source of experience for me.
Apart from the CTF Challenge, did you participate in other activities and conferences during European Cyber Week?
MD: ECW is a trade show dedicated to cybersecurity and new technologies in this field. Being busy with the CTF challenge, I couldn’t attend everything. But I was still able to spend a whole day there, I visited the booths and discovered many technologies and companies related to cybersecurity.
What did the CTF challenge consist of?
MD: The CTF challenge was very different from what we dealt with during the selection event. We worked in teams of four constituted beforehand. People from the same school were automatically put together unless there was a shortage in a team. In that case, the schools were mixed. That was my case. I was the only student from Epitech and I was mixed with other students who were also the only representatives of their school.
As for the challenge itself, everyone was connected to an individual machine. Everyone had access to a network that represented a company. It was a logistics company and we had to find out for ourselves what was underneath that network – all the different services, all the websites, etc. There were vulnerabilities in most of the services and it was up to us to figure out where they hid in the network, recognize what challenge they represented and solve them. Sometimes some of the challenges impacted others and some were progressive. For example, in the Forensics category there were five stages. During one of them, you had to physically go explore the ECW booths. The organizers had created a “mock booth” that contained the information we needed to progress in our search. It was almost like a scavenger hunt.
What were the results of your efforts?
MD: For the qualifications, I finished second in the overall ranking. In the final ranking, my team finished seventh with 3000 points, very close to second place which had obtained 3200 points. The competition was very close in the rankings. Only the first place really stood out with 5000 points, which is huge. Otherwise, we fought a lot with the others. At the beginning, we were 3rd, then we were ranked very low, in 12th place. We managed to make our comeback at the last minute by solving several challenges. We had a pretty balanced team and we did our best despite the fact that most of us were beginners.
Do you have any anecdotes to tell?
MD: Yes. I had just found a piece of code and was about to complete a challenge, but just as I wanted to send the flag, the organizers announced that it could no longer be submitted. That’s part of the game. Others were faster. If we had gotten those points, we would have at least tied for the top three, maybe even the top two.
Some of the challenges were far-reaching and others were very subtle. For example, each team had a mug in the center of the table. We thought it was a simple goodie like all the others, except that we found it strange that there was only one mug for every 4 participants. The organizers had told us to pay attention to details! It turns out that all around the logo printed on the mug, there were little inscriptions that were a cryptography challenge. It took me a while, but I finally figured out what it was and I think I was the first to solve it. So I was able to take the cup home.
What did you learn from this experience?
MD: The final was quite different from the gamified version of the qualifiers where each challenge was well separated, clearly identifiable, etc. During the final, I basically learned how a real CTF worked. We were in a black box, facing the unknown. You can literally call what we did a “real-life application”. We practically infiltrated a company to find all the information we could in less than 10 hours and solve the security breaches.
So we suppose you’re looking forward to attending the next edition?
MD: Indeed, I really want to participate in this challenge next year too. Now that I have some experience, I feel like I will do better or at least as well. Cybersecurity is both a fun and exciting field. Sometimes you get caught up in it because you’re pretty sure you’re there but there’s a piece of the puzzle missing. You want to get to the bottom of it, and that pushes you to go further and further.
What was the most memorable thing about this event?
MD: I was surprised by the extent to which the military was invested in this area. I met a lot of generals and very high-ranking people in the military who had come to see potential candidates and recruit in cybersecurity. It’s something that’s very popular at the moment with the explosion of the internet, etc. However, I didn’t imagine that there would be so much military presence, or even companies presenting different solutions. I must admit I was quite impressed by the size of the event. Cybersecurity is something important that should not be neglected. In this field, it is generally useful to go towards the youngest generations to get inspired, look for renewal and let them bring their vision of cybersecurity.