Nixu’s summer trainee Mattias Grenfeldt participated in the Midnight Sun CTF in the team KTHCTF0x1. We got a chance to interview Mattias and two of his team members, Mattias and Hannes.
The Midnight Summer Capture the Flag finals was held for the second time in Stockholm during June 2019. The event is organized by Saab and Nixu in cooperation with MSB – Swedish Civil Contingencies Agency. In 2019, 763 teams from 93 countries competed in the qualifier, capturing a total of 1134 flags. The purpose of the tournament is to create an opportunity for teams, from all over the world, to challenge and develop their knowledge within cybersecurity.
What made you interested in hacking? How did it start?
Mattias: I’ve always played with computers and liked problem-solving. But it took a while before I found computer security. I looked at it from the outside and it seemed interesting, but I didn’t know how to get into it. Then I found a CTF a few years ago, and that’s how I got started basically.
Hannes: I’ve always been playing with computers, and maybe about six years ago I got interested in security. I started learning things and getting into places I shouldn’t. I like to experiment.
Viktor: I have a similar background. I started programming somewhat young and then began to do some web stuff. After a while I specialized in IT security. It’s been an interesting process.
Mattias: Hacking and cybersecurity often involves a lot of creative problem-solving. It’s creative in a way that programming or other computing things are not. In security testing, you must look at things in unconventional ways. That is very stimulating and fun to investigate.
Hannes: It’s always interesting to break something into parts and see how it works.
Mattias: From a security perspective, you must look at what a software or device actually does, not what it’s intended to do. Observation tells the real story of the case.
Tell us about your team.
Mattias: Our team KTHCTF0x1 was created last year for the previous Midnight Sun CTF. We wanted to compete, and we needed a team of Swedish students. So, we found a couple of friends and made a team. Since the first CTF, we’ve attended plenty of other CTF contests and have been playing together since that.
Hannes: We have a diverse set of skills: some of us are good at cryptography, others are good at reverse engineering and so on. Everyone is quite familiar with their role in the team. Half of the team already knew each other when the team was founded, but we’ve also become good friends. That helps when you must work together in a competition, and most importantly, it makes it really fun.
How was the CTF this year?
Mattias: It was fun and exhausting, but definitely worth it. We were the best team in Sweden, which was nice. We really wanted to beat an international team, and we were very close this year. The level was high, as you’d expect from the finals.
Hannes: I think we have more experience than last year, even though we still didn’t do as well as we wanted to. We were really close to solve the toughest challenges. Last year, we didn’t have much of an idea of what to solve next.
Viktor: On the other hand, our experience didn’t help that much, because the organizers showed us challenges from unconventional categories and made it harder that way.
Mattias: In general, The Midnight Sun CTF is a nice event, because it’s close by and we know the organizers. It’s the only on-site CTF where we’ve been to. On-site challenges are more interesting and competitive. When you see other teams getting excited or reacting to something, it brings pressure to your own doing.
What was the biggest surprise?
Hannes: I’d say the hardware challenges. We had to plug a little microcontroller into an oscilloscope to try to do a side-channel attack on it. Basically, like taking a small circuit board and trying to figure out what it is doing by just looking at its power consumption. I’d say that was the strangest one this year. We didn’t manage to solve it, and in fact, no other team couldn’t either.
Mattias: There were more hardware challenges this year. They aren’t that common in CTF’s, because most CTF’s are held online. Especially the GameBoy challenge was new.
Viktor: Yeah, they had a physical GameBoy, which was running a homemade application. The task was to find a vulnerability and make this Gameboy run any code you want. The GameBoy stuff was a good example of how the challenges can be unconventional. Usually, you just get a program and the task is simply to hack the program that’s running on the internet.
Hannes: These sort of hardware or physical device challenges will probably become more popular, as the IoT devices become more common target for hackers.
What was your top moment in the 24-hour challenge?
Mattias: In the middle of the night, me and another team member had been solving this one challenge called pytte1337en. We were half asleep and just slowly worked along with the task. We were exhausted, but at some point, the task transformed to a whole new challenge. We discovered more depth, a new layer. It was like a chain and we followed the links in it. Finally, we solved it! There weren’t a lot of teams that had figured that one out.
How do you see your future in CTF’s or cybersecurity?
Mattias: Right now, we’re all studying computer science at the KTH Royal Institute of Technology in Stockholm (that’s where our team name comes from). CTF’s help us in school, but, at least currently, not the other way around. To be honest, CTF’s has taught us more about computers than school.
Viktor: This industry is quite equal in a way, because your success doesn’t depend that much on age or anything other than your skills. If you are dedicated and want to learn a lot of this, you can simply sit down and do it. If you have the patience to spend time trying different stuff, you’ll learn a lot.
We have a very own challenge as well: go to https://thenixuchallenge.com/c/ to capture some Nixu flags!