B34R5HELL(Bearshell), a student organization at the McKelvey School of Engineering, is one of the first capture-the-flag (CTF) competitive hacking teams at Washington University in St. Louis. The organization, founded in 2019 by graduate students from the lab of Ning Zhang, assistant professor of computer science & engineering, has been active in cybersecurity competitions throughout the country and is preparing for its next event in October. The team’s current roster is comprised of 15 students who meet on a weekly basis to prepare for upcoming events.
In celebration of National Cybersecurity Awareness Month, Will Rosenberg, a junior majoring in computer science and co-captain of Bearshell, shared more about the team and how CTF competitions work.
How did you get involved with Bearshell?
I first got involved with Bearshell after seeing one of their posters in Urbauer Hall. At the time, I had just enrolled in “Capture the Flag Studio” with Professor Steve Cole (senior lecturer in computer science & engineering) and had little clue what a CTF challenge was.
After attending my first meeting, I left with the impression that I could learn a lot from the club and its members. I appreciated its relaxed nature, as well as everyone’s passion, which came from a genuine desire to learn and a sense of humor derived from hacking. All of these things made me excited to keep attending and learning about the club.
How does a capture-the-flag hacking competition work?
Capture-the-flag (CTF) competitions come in two forms: jeopardy style and attack-defense. We primarily focus on jeopardy-style competitions but plan to begin competing in attack-defense competitions as well.
Each varies in format and approach, but the overall style of a CTF challenge is a simple title, a one- to two-sentence description and some files or a server address. With this vague starting point, teams must explore the information given and use their security knowledge to exploit a system’s vulnerability to extract a string, known as a "flag," in order to solve the challenge.
The jeopardy-style competition presents teams with a large number of challenges — 15 to 30 depending on the competition — that cover many topics and styles including web, pwn (hacking binaries), reverse engineering, open-source intelligence, cryptography and forensics.
What skills does a student need to join the club?
We focus on teaching the skills necessary to succeed in these competitions, so students of all skill levels are welcome. The ultimate goal of CTF competitions is to develop a deep knowledge of security practices, tools and skills, and to learn how to apply this knowledge. However, computer security boils down to a fundamental understanding of computer science concepts, so CTFs are a great way to learn even for those not interested in computer security.
What accomplishments has the team earned so far?
In past years, we have won first place at the 2019 Gateway Higher Education Cybersecurity Consortium CyberCup Hackathon and 2019 STLCyberCon CTF event. Recently, we placed ninth out of nearly 450 teams at the 2023 DeadSec CTF event and tied for 75th out of more than 2,400 teams at picoCTF, which is the largest student cybersecurity competition in the nation.
What events or activities do you all have planned for the coming year?
Aside from our weekly general body meetings on Fridays, we’ve already competed in our first CTF Sept. 16, and plan to compete in one competition a month. We will also attend multiple in-person cybersecurity conferences and CTF events over the course of the semester, including one at St. Charles Community College Saturday, Oct. 14.
If anyone wants to join us, they can join our Slack channel, which we use for all our club communications. We also have a website where people can read more about us.