Ethical Hacking at Mason

Allie Thompson/Fourth Estate

Mason Competitive Cyber hosts CTF event


Fourth Estate sat down with Mason Competitive Cyber (Mason CC) president Michael Bailey, a senior information technology major, to discuss recent developments in the world of ethical hacking at Mason.

This interview came at the same time that Mason CC hosted a a Capture the Flag (CTF) event, patriotCTF, after finding victory at a competition that the University of Virginia (UVA) held Saturday, Oct. 20.

Bailey spoke first about the recent win they had at the UVA competition, MetaCTF. While Mason students gained 11,458 points, UVA’s own team, E-Gvng, came only 25 points behind.

Bailey explained that the team’s success came largely as a result of a set of unconventional short-answer questions, which each team submitted for points. Before these points were counted, Mason CC trailed behind several teams, only becoming the first-place team in the final hour. The victory was especially tense because of MetaCTF turning on the scoreboards before the competition was over to increase the anticipation of the results.

Clarifying the content of CTFs in general, Bailey said, “CTF generally will cover something like forensics, reverse engineering, different cybersecurity topics. Web exploitation is one of the flashier ones. You are literally hacking a website [in] those kinds of categories. UVA’s was unique because it had a section on policy and law.”

Information security competitions like patriotCTF and MetaCTF are important because they help students learn the rules of professional computer security work through solving the challenges presented.  

Bailey’s preferred form of hacking is forensics, when the challenge is to find a piece of coded information that is hidden and process it from the environment that competitors are using for the event.

“Forensics takes a couple forms at a cybersecurity competition,” said Bailey. “They usually give you a number of artifacts: logs, a copy of an Android phone. … CTFs get creative so it’s not usually ‘what IP address [address assigned to a device on a network] attacked you?’”

Bailey continued, “[It is] hey, I think someone did something wonky on our network, and they pulled out a picture through a suspicious way across the network.’ You look into that, you investigate that, you bring up the picture and the picture has the answer in the picture.”

Generally, a flag takes the form of a string of text, which is then entered into a field on a website to check for correctness. If the answer is right, the team gets both the flag and the points associated with it.

Categories for the flags are formatted similarly. In general, competitors comb a webpage, web server or other set of code for exploits, which allow them to discover the flags they need to obtain.

Bailey then spoke about the way that the Mason competition specifically worked. Held on Saturday, Nov. 3, patriotCTF was run on a separate Wi-Fi network from Mason’s regular networks to prevent any possible issues. The temporary server was accessible only from the Hub.

The competition had its quirks. “We are taking a weird approach to it,” said Bailey. “Generally, you don’t want to have vulnerabilities that can be used to just wipe out the page. Ours (sic) leans towards vulnerabilities that you could use to wipe out the page if you wanted to. … In our case, we are offering our competitors a button to reset the server, so if somebody breaks it, they press the button and it will reset.”