Q&A Session with Snyk & John Hammond: Your Fetch the Flag Questions, Answered

Taylor Macomber
April 1, 2025
Following Snyk’s Fetch the Flag CTF event on February 27 and 28, the Snyk team sat down with cybersecurity educator and developer influencer John Hammond—along with challenge designer Matt Kiely (aka huskyhacks), and developer advocates Micah Silverman, Sonya Moisset, Vandana Verma, and Elliot Ward—for a live Q&A session.
From beginner advice to deep-dive tooling tips, here are five standout questions and answers from the session.
1. What advice would you give to someone new to CTFs and cybersecurity?
John Hammond: Keep it fun. Whether it's your first CTF or you're diving into a new security domain, burnout happens when the process stops being enjoyable. Focus on challenges you're genuinely curious about, and let that interest fuel your progress.
Matt Kiely: Community is everything. Collaborate, even if it’s just asking questions in a Discord thread. And don't be afraid to step outside your comfort zone—maybe you're great at web challenges but struggle with binary. That’s where teammates and community come in.
Sonya Moisset: Read write-ups and watch walkthroughs to see different problem-solving approaches. And always think like an attacker: question how systems can fail, and you'll start spotting misconfigurations others miss.
Elliot Ward: Resources like PortSwigger Academy and PentesterLab are fantastic to build foundational skills. And if you want to go deeper, check out YouTube channels like LiveOverflow and John Hammond’s own content.
2. How do you approach challenges that involve Netcat?
Matt Kiely: Netcat is like a minimal interface to interact with a challenge over an open socket. It’s great for binary exploitation or interactive games (like our Fallout-style terminal challenge). But because it’s so limited, use tools like pwntools to script and automate your interaction—especially if timing is critical.
John Hammond: Exactly. Automating with pwntools—or even Python’s built-in socket library—gives you flexibility and saves you from typing everything manually. And don't overlook Telnet or Paramiko, depending on the protocol you're targeting. The key is to automate what you can.
3. How can someone exploit Math.random()?
Matt Kiely: Great question—and one inspired by our “D0nut Shop” challenge. JavaScript’s Math.random() uses a predictable algorithm (Xorshift128+ in V8), which makes it unsuitable for secure contexts. In this challenge, it was used to generate OTPs.
Once you collect enough OTPs, you can reverse the PRNG and predict future ones—including those for an admin account. It's a reminder that cryptographic security depends not just on using randomness but on using secure randomness.
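To make the PRNG reversal concrete, here is an added example in Python (not the session's or the D0nut Shop challenge's code). It models V8's generator from its public source (xorshift128+, `ToDouble` taking the top 52 bits of state0, a 64-entry cache refilled in bulk and handed out from the end) as the victim, then recovers the state from four consecutive `Math.random()` values: each value exposes 52 of the 64 bits of a state word, and because the generator is nothing but XOR and shift, the 24 missing bits fall out of a linear system over GF(2). The OTP derivation `floor(r * 1e6)`, the seeds, and the assumption that the observed and predicted values sit in the same cache block are constructed for the demo.

```python
# Added example, not code from the session or from the D0nut Shop challenge.  It models
# V8's Math.random() (xorshift128+ feeding a 64-entry cache handed out from the end)
# as the victim, then recovers its state from four observed values.  The OTP format
# floor(r * 1e6), the seeds and "all values in one cache block" are demo assumptions.
import struct

MASK = (1 << 64) - 1

def xorshift128(s0, s1):
    """One V8 XorShift128 step; returns the new (state0, state1)."""
    x, y = s0, s1
    x ^= (x << 23) & MASK
    x ^= x >> 17
    x ^= y ^ (y >> 26)
    return y, x

def xorshift128_back(s0, s1):                 # exact inverse: the step is a bijection
    y = s0                                   # the new state0 was the old state1
    t = s1 ^ y ^ (y >> 26)                   # old state0 after both shift steps
    t ^= (t >> 17) ^ (t >> 34) ^ (t >> 51)   # undo x ^= x >> 17
    t ^= ((t << 23) ^ (t << 46)) & MASK      # undo x ^= x << 23
    return t, y

def to_double(state0):
    """V8's ToDouble: top 52 bits of state0 become the mantissa of a double in [1, 2), minus 1."""
    return struct.unpack("<d", struct.pack("<Q", (state0 >> 12) | 0x3FF0000000000000))[0] - 1.0

def from_double(r):
    """What one observed output reveals: the top 52 bits of the state0 behind it."""
    return struct.unpack("<Q", struct.pack("<d", r + 1.0))[0] & ((1 << 52) - 1)

class V8MathRandom:
    """Victim model: refill 64 values with xorshift128, then serve them as cache[--index]."""
    def __init__(self, s0, s1):
        self.s0, self.s1, self.cache, self.index = s0 & MASK, s1 & MASK, [], 0

    def random(self):
        if self.index == 0:
            self.cache = []
            for _ in range(64):                  # V8's kCacheSize
                self.s0, self.s1 = xorshift128(self.s0, self.s1)
                self.cache.append(to_double(self.s0))
            self.index = 64
        self.index -= 1
        return self.cache[self.index]

def solve_gf2(rows, nvars):
    """Gaussian elimination over GF(2); each row is [coefficient bitmask, rhs bit]."""
    rows, pivot = [r[:] for r in rows], {}
    for var in range(nvars):
        p = next((i for i, r in enumerate(rows)
                  if i not in pivot.values() and (r[0] >> var) & 1), None)
        if p is None:
            raise ValueError("unknown bit %d is not determined by the observations" % var)
        pivot[var] = p
        for i, r in enumerate(rows):
            if i != p and (r[0] >> var) & 1:
                r[0], r[1] = r[0] ^ rows[p][0], r[1] ^ rows[p][1]
    if any(r[0] == 0 and r[1] for r in rows):
        raise ValueError("observations are inconsistent")
    return sum(rows[p][1] << var for var, p in pivot.items())

def recover_state(observed):
    """Four consecutive Math.random() values from one cache block -> the (state0, state1)
    held right after the earliest-generated one.  Only 12 low bits of each of two state
    words are unknown, and the generator is linear over GF(2), so they can be solved for."""
    gen = [from_double(r) for r in reversed(observed[:4])]   # generation order
    a_hi, b_hi = gen[0] << 12, gen[1] << 12                   # the known bits

    def forward(low):   # fill in candidate low bits, step 3 times, return the 3x52 visible bits
        s0, s1, out = a_hi | (low & 0xFFF), b_hi | (low >> 12), 0
        for _ in range(3):
            s0, s1 = xorshift128(s0, s1)
            out = (out << 52) | (s0 >> 12)
        return out

    base, target = forward(0), (gen[1] << 104) | (gen[2] << 52) | gen[3]
    effect = [forward(1 << k) ^ base for k in range(24)]     # footprint of each unknown bit
    rows = [[sum(((effect[k] >> bit) & 1) << k for k in range(24)), ((target ^ base) >> bit) & 1]
            for bit in range(156)]
    low = solve_gf2(rows, 24)
    return a_hi | (low & 0xFFF), b_hi | (low >> 12)

def predict_next(observed, count):
    """Predict the `count` values that follow `observed`.  The cache is served from its end,
    so 'next' means stepping the generator backwards (all values in one block assumed)."""
    s0, s1 = recover_state(observed)
    for r in observed[4:]:                   # surplus observations cross-check the recovery
        s0, s1 = xorshift128_back(s0, s1)
        if to_double(s0) != r:
            raise ValueError("observations do not fit one cache block")
    out = []
    for _ in range(count):
        s0, s1 = xorshift128_back(s0, s1)
        out.append(to_double(s0))
    return out

def demo(seed0=0x123456789ABCDEF0, seed1=0x0FEDCBA987654321):   # seeds: arbitrary demo values
    """Attacker requests five OTPs, then predicts the next three (say, the admin's)."""
    otp = lambda r: "%06d" % int(r * 1_000_000)   # assumed format: Math.floor(Math.random() * 1e6)
    victim = V8MathRandom(seed0, seed1)
    seen = [victim.random() for _ in range(5)]
    predicted = [otp(r) for r in predict_next(seen, 3)]
    actual = [otp(victim.random()) for _ in range(3)]
    return predicted, actual
```

Public tooling usually hands the same equations to an SMT solver such as Z3, which is what lets it cope with partial information (only the six OTP digits rather than the raw double, which costs more observations); the linear algebra above is the same attack with full doubles. On the fixing side, Node's `crypto.randomInt()` and the Web Crypto `crypto.getRandomValues()` draw from the OS CSPRNG and are the right tool for OTPs and tokens.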
4. What tools do you recommend for CTF beginners?
The team played a rapid-fire round of “name two tools,” and here’s what they said:
Matt: Python and Google (yes, Googling is a skill).
Elliot: A browser and Burp Suite.
Sonya: Metasploit and Snyk Open Source.
Vandana: nmap and Kali Linux.
Micah: Telnet and protocol documentation.
John: VirtualBox (or any VM setup) and AI tools like ChatGPT—especially for speeding up boilerplate scripting.
The key takeaway? You don’t need an elite hacking rig. Start simple and focus on tools that help you explore, iterate, and learn.
5. How was the "Padding Gambit" challenge solved?
Elliot Ward (creator of the challenge): It was a crypto challenge involving padding oracle attacks. Players encountered a CSRF-style token and had to tamper with it. With tools like Burp Suite’s bit flipper, players noticed differing error responses—classic signs of a padding oracle vulnerability.
Once decrypted, the plaintext revealed a FEN (Forsyth-Edwards Notation) string representing a chessboard. If a square had a piece, it was a 1; empty squares were 0. The resulting binary string formed the code needed to solve the challenge.
Pro tip? Even ChatGPT can help you decode that FEN string (and recognize it in the first place).
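An added example (not the challenge's code, which is not reproduced here) of the two steps Elliot describes, in Python: a token endpoint whose "invalid padding" reply is distinguishable from its other failures, the byte-by-byte padding-oracle decryption that those differing responses enable, and the FEN-to-bits conversion. The block cipher is a 4-round SHA-256 Feistel network standing in for AES so the script runs with only the standard library; the attack never looks inside the cipher, so it works unchanged against AES-CBC. Token format, replies, the sample FEN and the square order (plain FEN order: rank 8 down to rank 1, a-file to h-file) are assumptions.

```python
# Added example, not the challenge's code: a CBC padding-oracle attack on a token check
# whose "invalid padding" reply differs from its other failures, then the FEN -> bits step.
# The cipher is a SHA-256 Feistel network standing in for AES so the demo runs offline; the
# attack never looks inside it.  Token format, replies and sample FEN are made up.
import hashlib
import os

BLOCK = 16
START_FEN = "rnbqkbnr/pppppppp/8/8/8/8/PPPPPPPP/RNBQKBNR w KQkq - 0 1"   # sample position

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):                        # Feistel round function
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def encrypt_block(key, block):               # 4-round Feistel permutation on 16 bytes
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right

def decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right

def pad(data):                               # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, plaintext):
    prev = iv = os.urandom(BLOCK)
    out, data = b"", pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return iv + out                          # token = IV || ciphertext

def cbc_decrypt(key, token):
    prev, out = token[:BLOCK], b""
    for i in range(BLOCK, len(token), BLOCK):
        out += _xor(decrypt_block(key, token[i:i + BLOCK]), prev)
        prev = token[i:i + BLOCK]
    return unpad(out)

def make_server():
    """The vulnerable side: a fresh key, a token issuer, and a checker that leaks padding errors."""
    key = os.urandom(16)
    def check_token(token):
        try:
            secret = cbc_decrypt(key, token)
        except ValueError:
            return "invalid padding"         # the oracle: distinguishable from the reply below
        return "ok" if b"/" in secret else "invalid token"
    return (lambda secret: cbc_encrypt(key, secret)), check_token

def padding_oracle_decrypt(oracle, token):
    """Recover the plaintext block by block using only the oracle's verdict on padding."""
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    plaintext = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)             # decrypt_block(target), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            for guess in range(256):
                forged = bytearray(BLOCK)
                forged[pos] = guess
                for j in range(pos + 1, BLOCK):
                    forged[j] = inter[j] ^ padval    # known tail must decrypt to padval
                if oracle(bytes(forged) + target) == "invalid padding":
                    continue
                if pos == BLOCK - 1:             # rule out an accidental 0x02 0x02 (etc.) match
                    forged[pos - 1] ^= 1
                    if oracle(bytes(forged) + target) == "invalid padding":
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                raise RuntimeError("oracle never accepted position %d" % pos)
        plaintext += _xor(inter, prev)
    return unpad(plaintext)

def fen_to_bits(fen):
    """Board field of a FEN, rank 8 down to rank 1: '1' per occupied square, '0' per empty one."""
    return "".join("0" * int(ch) if ch.isdigit() else "1"
                   for rank in fen.split()[0].split("/") for ch in rank)

def demo(fen=START_FEN):
    issue_token, check_token = make_server()
    token = issue_token(fen.encode())
    recovered = padding_oracle_decrypt(check_token, token).decode()
    return recovered, fen_to_bits(recovered)
```

The attack costs at most 256 oracle queries per plaintext byte, so a 64-byte token falls in a few thousand requests, which is why Intruder's bit flipper finds the tell so quickly. The fix is not a uniform error message (timing usually leaks the same bit) but an authenticated mode such as AES-GCM, or encrypt-then-MAC with the tag verified before any decryption is attempted.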
Thanks for playing!
We appreciate everyone who took part in Fetch the Flag CTF 2025. Your enthusiasm, problem-solving skills, and dedication were truly impressive. Whether you were solving CTFs for the first time or are a seasoned participant sharing challenge write-ups in our Discord, we hope the experience was both educational and rewarding.
Continue your learning journey by joining our AI Live Hack on April 3. In the meantime, check out this Snyk blog and Discord community for more write-ups, tips, and events.