2025 was the first year we had a CTF that included some common challenges hackers are familiar with in these types of events. The goal of the challenges were to test participants overall knowledge not only to create a fun game, but to understand where we are as a group in the Eastern Washington community in terms of interest and skill. What a ride it was building this out, the amount of knowledge gained in the process was massive, we had great team collaboration, and everyone got to do something they loved (I hope!). While it was fun, it wasn’t easy. I had no idea the technical and administrative stuff this would involve, but everything that we did paved the way for next years CTF and more.
Having tackled the prior CTF setup, I knew we needed more help to create an event that was well-rounded and enjoyable. I reached out to the DC509 community via Discord and immediately had xmasterxquiltx volunteer for assistance. We started a new channel and began the planning process…
The vulnerable VM’s were built with randomness in mind. We hoped to challenge everyone to utilize different skill sets and learn new things that weren’t too cumbersome. The VM’s developed by the group are available in Google Drive publicly, which I will post at the bottom of this page.
Building a CTF was new to all of us, so we looked around at what other CTF’s were doing for challenges, hosting, and their backup plans in case things didn’t go smoothly. TryHackMe was a promising choice that we explored, but soon discovered the kernel in some of the VM’s already developed by xmasterxquiltx were not supported. This was important for his exploit to work, so we looked elsewhere. After considering local VM’s distributed via thumbdrives, Google Drive, S3 Buckets, or hosting them all locally, we decided the easiest way was to host these in AWS minus one VM that didn’t play nice with any cloud provider we looked at.
We built the VM’s locally (I used Virtualbox) and then packaged them up via VboxManage to a RAW format. This allowed me to send the image up to S3. It would be imported into EC2 which then would sit dormant until we needed to build them out. S3 prices weren’t worrying for this portion and saved a lot of heartache staging them before hand.
Keep in mind, this was my introduction to basically all of these tools so it took me a while to figure out how everything worked in AWS. My goal was to build something that was very simple to connect to, was stable, and not drastically expensive. The final tool to tie all of this together was Terraform, which is just amazing. Once I had a working config that provisioned the VM’s, built all the VPS’s, security groups, etc, it took less 5 minutes to build 18 virtual machines with their own LAN’s. Even better, it can reverse all the things it did, so we don’t go over AWS Free Tier limits. Cloud hosting providers, do better at your pricing, it’s plain evil. Having to “enable” services to keep track of costs is obviously a cash-grab.
Once we got a cheap soho router running and the projector, it was time to start the event. I’ll post the slideshow we started with at the bottom of this article too, but it was basically an introduction to the group that developed the CTF and a small tutorial on how to access the scoreboard and challenges.
Event turnout was awesome, we ended up having 6 different hackers in the CTF: 0xdstn, red4kted, J3ffyBo1, dsiddy, Arcadian, and Helaman_99. CruXSS showed up with his card game Cyber Realm, but he was also the developer behind almost all of our OSINT challenges. It was really cool that he came and provided support on the OSINT challenges he came up with for the CTF. AdaZebra went out and brought in pizza for everyone. It was an awesome experience to see everyone interested in in-person CTF’s.
A few lessons were learned from this experience: First off, we have a super convenient way of rapidly deploying virtual machines. AWS proved to be the most effective way of providing victim machines to our participants. Second, our community is just awesome, seeing everyone come out and enjoy the challenges felt good and I can’t wait for next year where it’s going to be bigger and better than ever. Finally, we learned who is willing to help the group out of the kindness of their hearts. They built challenges, used their own money, and spent their own time to build something the group can enjoy. I can’t thank the DC509 group enough for all you do!
Until next time!
-