WHYcast transcript episode 27

From WHY2025 wiki
Jump to navigation Jump to search

Disclaimer

This is the full transcript generated using AI tools and some human oversight. It may contain errors. Please review and correct obvious mistakes before publishing.

Remark: Nancy and Chantal made a little mistake, they talk about episode to 28, when they are actually recording episode 27.

Transcript 27

Nancy: And welcome to the WHYcast episode 28. I’m Nancy.

Chantal: And I’m Chantal.

Nancy: And we are the hosts of the only podcast about a hacker camp in the universe. This volunteer-run event will take place this year in the Netherlands, approximately 42 kilometers north of Amsterdam, from August 8 to 12, 2025. So, Chantal, what are you about today?

Chantal: Well, we have a packed episode today with the news, of course, but we also have an interview with Thijs from the WHY2025 CTF. We already talked to him before, but they just ended the CTF teaser round, so we’re talking about that and we’re also talking to the winner of the teaser round. We also have a vacancy of the week and, of course, a Where to Hack segment.

Nancy: And I’m so happy that you could help out in filling in for Ad for now. Of course, you were there at episode zero and now you’re back for episode 28—so good to have you. Very, very cool to do this together. Thanks. So let’s talk about some news.

Nancy: I think it’s very cool that sometimes when you create something, someone else takes it and makes it even more awesome. That’s what Robert did: he transcribed our podcast and created some tooling around it to turn it into blogs. I hope to have him in a future episode to explain how he did it. If you go to the website now—why2025.org—select Whycast in the menu, and there you can read our podcast. So if you don’t want to take the time to listen, you can always read us now.

Chantal: Yeah, you can read what was in the episode, which is definitely very cool because some people don’t like podcasts and prefer reading.

Nancy: I think it’s a great addition. So thanks, Robert, and hopefully you’ll be available soon to give an explanation on how you did it.

Nancy: When we look at the ticket sales, there are less than 800 tickets left.

Chantal: Oh my goodness.

Nancy: So if you’re still lacking one, please—well, don’t let us know, just go to tickets.why2025.org and get them.

Chantal: Yeah.

Nancy: I think it’s also worth mentioning we had our last online org meet last Wednesday, and next weekend—not tomorrow, but the weekend after—that will be the field day org meet. That’s a live organ meet on the field where the actual event is going to happen.

Chantal: So that’s a live organ meet on the field where the actual event is happening.

Nancy: We have availability of a canteen at the Manege—Manasia, I think it’s called? It’s a horse stable, but we’ll be in the canteen. We’ll start around lunchtime, and there will be lunch and dinner. Please sign up on the Wiki—the link is in the show notes—if you want to be there and want to be fed.

Chantal: Don’t forget to sign up or else you won’t get any food. So go to the Wiki, put your name down, and let us know what kind of food you want or need.

Nancy: You can take the time to talk to other teams, walk around on the terrain, and we’ll have some short presentations on where things are standing. You can find the program on the Wiki for that afternoon. Please be there. There will probably be cake because it’s Simon’s birthday—no big surprise since we’ve dolted a couple of times. I hope to see you there, and if you want to be on the WHYcast, find us and we can record an interview with you.

Chantal: Yeah, or send us an email up front and we’ll schedule something with you.

Nancy: Awesome. So I guess we can go to the interview. Can you tell a little bit about it because we recorded it, of course?

Chantal: Yeah, so we talked to Thijs. He is the team lead of the WHY 2025 CTF, and the winner of the teaser rounds happened actually last weekend. We did quite an extensive interview and they told us a lot about how it went and what went wrong but also what went well. It’s a very cool interview, and it’s useful if you’re planning to play the CTF in August—hint, hint.

Nancy: Let’s listen to them. Here today with us are Thijs and Peter. Thijs, you promised to come back to the show to explain a little bit about how the teaser went. Can you tell us something about it?

Thijs: Yeah. The teaser took place this weekend from Friday eight o’clock till Sunday eight o’clock. We had no idea how many teams would join when we set this all up, but in the end more than 200 teams—223 teams—joined and played. They took a look at the CTF, and 81 of those teams actually managed to solve at least one challenge. We saw a lot of new players, also some people from WHY, so we were really happy with that. People played until the very end. We even had to take a new screenshot of the scoreboard for socials because in the last minutes the top 10 changed. Team Plain Text got seventh place, and the 81st solve happened right at the end, so that was really cool to see. We got a lot of great feedback and were very happy with the turnout, especially a lot of first-time players.

Chantal: Thijs, did you get a lot of reactions on the CTF?

Thijs: Yes, we have a Discord channel where people can discuss anything with us, and I want to thank everyone. There were so many people joining, and if anything went wrong we could fix it quickly. We got a lot of great feedback in the Discord channel. Nothing major went wrong; all systems go. The first 15 minutes were a bit stressful, but once it ran everything worked.

Chantal: Did you see any people doing weird stuff to solve challenges?

Thijs: Well, doing weird stuff is part of hacking, of course. Most of the stuff we see isn’t that weird. What we do see is a lot of people using automated scanners. In the CTFs we create, you don’t need them. They only waste resources and bandwidth.

Chantal: No, that’s good to know: for WHY 2025, you don’t need automated scanners.

Thijs: No, you’re just wasting your time.

Nancy: And the winners—five teams solved all the challenges.

Thijs: Yes, five teams solved everything. We were really happy that at least one person or team solved it. When you build something, you hope people can solve it, and they did.

Chantal: What do you think, Nancy? You also joined in a very special team together with Ad and Paul.

Chantal: I was the only one with some CTF experience, so I had to explain that you need to think outside the box. We solved two challenges on Friday night, and the rest of the weekend we didn’t really have time or experience to solve the rest. But it was really fun and we had a lot of fun doing it.

Thijs: I actually had a discussion with Ed—he was really close.

Chantal: It’s a shame he didn’t finish it.

Thijs: Yeah! He can try again at WHY, because we’ll bring back all the challenges. Of course, we’ll change the flags, but everyone who wants to try them again can do so.

Nancy: Very cool. I thought it was great fun.

Chantal: Yeah, we had a lot of fun and a lot of frustration—but that’s part of the fun.

Thijs: Yes, frustration is part of CTFing.

Chantal: A lot of swear words.

Nancy: Well, let’s talk with someone who actually solved all of the challenges—all of them—and was the first one to solve everything. Peter, welcome.

Peter: Yeah. So maybe it makes sense to give a bit of backstory here. Thijs and I have known each other for probably more than 20 years—close to 25 years or something. I first ran into him at an event called Outer Brains in 2002, which was 23 years ago. He was part of the organizing crew. That was more of a long party event where everyone brought tower PCs and huge CRT screens. Very few laptops back then. Fast forward, we met again at R in 2009; he was working for Verizon then. We started playing CTF—this was when CTF was still in its early days, with a few online competitions maybe once a month. We formed a Dutch team called the Eindbasen (“final bosses”), a group from various universities, high school dropouts, professionals like Thijs. We got pretty good, qualified for in-person finals around the world: Russia, Korea, Canada. From around 2011 to 2013 we were grinding these competitions every weekend for 48 hours. Then somebody made CTFtime, a platform with a calendar of upcoming CTFs. Competitive element grew, more teams joined. Over time, life happened—real jobs, families—and the team disbanded a bit. At our peak in 2013, we came third worldwide, which was huge at the time.

Peter: I stopped making challenges and mostly played casually. When I heard last week about the teaser CTF for the WHY camp, I thought, “Okay, sounds cool, I might just have a look.” It was Friday evening; I have kids, a dog, work, so I set an alarm to show up on time. I started looking at the challenges. Knowing how the designers think helped a bit. There were two beginner challenges worth 50 points—entry-level stuff, good for people new to CTFs. I solved those in five minutes, even though I was on a new Mac Mini with no tools installed.

Peter: The second task was a network capture (pcap) with ransomware traffic. You had to extract an encrypted file from the capture and reverse the encryption. I opened ChatGPT, pasted the script, asked it to write the reverse in Python, and it gave me exactly what I needed. That’s why I solved it quickly. With all this AI stuff, I see potential—if you know how to prompt AI, it’s powerful.

Peter: Then there were some harder tasks—two web challenges and a miscellaneous one. The miscellaneous was another pcap, this time Bluetooth traffic. I shelved it initially because it looked intimidating. My technique is: if I don’t understand something right away, I move on to the next thing. Later, I came back. One of the web tasks was a flyer generator: you input text, it renders a PNG. They provided the source code. I looked at it, tried AI suggestions, but they were partly wrong. I did deeper analysis, isolated parts of the code in a harness, fed random data until I triggered the intended route and got arbitrary command execution.

Peter: The Bluetooth task turned out to be a Brother label printer; you had traffic from it. I found GitHub code that reverse-engineers the printer protocol. I needed to reverse the printer output, so I wrote a dissector, extracted an encoded bitmap, compressed it, and used an image editor to adjust dimensions until something looked familiar. It ended up being an upside-down flag; I flipped it and typed it in.

Peter: The final festival web challenge used GraphQL but was actually an XPath injection. You reconstruct the XML document of all hacker festivals starting from HIP 97, then derive characters one by one via boolean queries. It took me about five or six hours of grinding. It was intense but a good balance between entry-level tasks and more seasoned-player tasks. Five challenges total—enough for a full weekend for many.

Thijs: We heard quite some seasoned players had never done XPath injection before, so that was fun. The flyer task was hard to spot; it was inspired by a real code snippet I wrote once. We made it vulnerable this time. It’s chilling because you don’t even have to know where the “book” is to exploit it.

Nancy: Peter, you mentioned tiny wins help motivate you, and if you get stuck, move on and come back. Any other tips for beginners like me?

Peter: Practice, practice, practice. Read write-ups after a CTF to see how others solved things—often there are multiple solutions. Outside competitions, there are websites where you can play CTF challenges all the time. Programming background helps, but you can also learn programming by doing CTFs. It’s just syntax and rules. For beginner learning, force yourself to learn a technology or methodology during a CTF.

Thijs: I’d add: don’t focus too much on solving challenges—if you don’t solve them, you still learn. Some of the most interesting things I learned during CTF weren’t directly about the challenge but about new tools and techniques. Also, play with a team; you learn from each other and share solves.

Chantal: And at an event like WHY, it’s great to play with more people—you’re in a tent on the field, you can have a drink together afterward and connect.

Thijs: Plus we have on-site challenges like lockpicking, something completely different from online CTFs. Some hackers are great at hacking but bad at lockpicking.

Chantal: Too bad we missed that one this time.

Nancy: We’ll see you in August!

Chantal: There will be many picking challenges in August—Chantal, will you be on my team then?

Nancy: Sure, cool. Are there other things you’d like to add or share?

Thijs: I’d like to do a shout-out to the whole CTF team—especially Bus Esp, who worked his ass off to get everything working. Because of him, everything went smoothly.

Nancy: Good job, boss—we’re really happy with that.

Chantal: Well then, for the final thing… oh yes, Peter has won the CTF, and we promised a special prize. Your calendar is free for August 8 to 12, right?

Peter: Definitely.

Nancy: I’m happy to announce that, by winning the CTF, you have won tickets to WHY!

Peter: Oh, that saves me a couple hundred euros. How much is a regular ticket these days?

Thijs: Regular is €362.42.

Peter: Is there still tickets available for purchase at that price?

Nancy: We have approximately 800 tickets left. We now have the late-nerd price and a procrastinator tax for last-minute nerds—so they pay more.

Peter: Makes sense—sorry for the ADHD tax. Thanks a lot, you’re very welcome.

Thijs: We also have a second-place winner, Morbion, but we haven’t been able to reach him. Morbion, if you’re listening, please contact us on Discord. Third place is Bah. Second place will get a WHY sweater; third place, a bucket hat. Because we don’t collect email addresses at sign-up, we have no way to find Morbion. We didn’t want to gather private data—that’s a privacy win. We tried OSINT, but he remains a mystery. Please come forward to claim your prize.

Nancy: Thank you very much for all the time and effort you put in creating with the team, playing, and winning this CTF. Thank you for being on the show and explaining what went on.

Peter: Thanks for having me.

Nancy: If you’re gonna help Team:CTF with some OSINT to find winners, that would be lovely. Or if you are the winner, please reach out to Thijs to claim your prize. Then I think there is a vacancy of the week, and that is a vacancy from Team:Content—can you explain a bit about what type of volunteers you’re looking for?

Chantal: Yes. Team:Content—you know us from the CFP process where we collect info on speakers and talks. We want people to review those submissions blind. We’re calling for blind reviewers: people to go through submissions and rate them so we have a good feel for their quality. If you’re interested, contact us via the Wiki—info and an email address are there. You don’t have to attend all meetings; you can do this from home. We want you to review multiple submissions so we get a broad view.

Nancy: I think it’s a cool volunteer job—no heavy lifting: just read and give your opinion. Very helpful.

Chantal: Then let’s go to Where to Hack. Each week we share where you can find WHY-minded people. This weekend—tomorrow, actually—is Hope and Hackerspaces Day, when hackerspaces open their doors for people who want to look inside. There are usually activities, too. Check out your local hackerspace and visit them tomorrow—it’s an international event. We’ll put a link in the show notes so you can see which spaces participate.

Nancy: And from what I recall, most Dutch hackerspaces are open for all ages, so you can bring your kids. It’s a nice way to spend your weekend or at least a Saturday.

Nancy: I don’t see any listener messages in the mailbox this week, but if you’d like to leave feedback, do so in the comment section of your listening platform or send us an email at whycast@why2025.org.

Chantal: Thank you so much for listening, and we hope to see you next Friday.

Retrieved from "https://wiki.why2025.org/index.php?title=WHYcast_transcript_episode_27&oldid=9622"