← Back to Recruiter Hub
NCL OSINT Cryptography CTF

NCL Spring 2024
First CTF Tournament

Eduardo competed in the National Cyber League Spring 2024 individual tournament against 457 teams, placing 56th. His first competitive CTF. Nine challenge categories, limited tooling knowledge, and hardware not yet pushed to its limits. What he lacked in preparation he made up for in effort, and what he walked away with changed the trajectory of how he studies cybersecurity.

Event National Cyber League · Spring 2024
Placement 56th / 457 Teams
Format Individual · 9 Categories · Multi-Difficulty
Strong Categories OSINT · Cryptography

Skills Applied

What This Tournament Touched

OSINT
Google Dorking
Cryptography
Hash Identification
CyberChef
Metadata Analysis
Cipher Decoding
Research Under Pressure
Problem Decomposition
Resource Constraints

Tournament Format

The Arena

NCL challenges span nine categories. Each category has its own challenge set with Easy, Medium, and Hard tiers. You compete across all nine simultaneously.

Intelligence Gathering

OSINT

Using publicly available sources, including search engines, social media, and public repositories, to gather intelligence and answer challenge questions. One of my strongest categories. Knowing how to find information that was not meant to be found is a foundational security skill.

Encoding & Ciphers

Cryptography

Identifying encryption techniques, solving ciphers, and decrypting encoded messages. Challenges ranged from classic substitution ciphers to modern encoding schemes. This was the category where I spent the most time and had the most success. CyberChef was my primary tool throughout.

Hash Recovery

Password Cracking

Identifying hash types and recovering the original plaintext. This category exposed a hardware limitation I had not anticipated. Password cracking at scale requires GPU acceleration, and at the time I was running everything on CPU. I fell back to online hash databases, which worked for some challenges but was far from the right approach.

Detection

Log Analysis

Analyzing system, web, and firewall logs to detect malicious activity and reconstruct events. This category was harder than expected without prior structured exposure to log formats. A category that went onto my study list immediately after the tournament.

Reconnaissance

Scanning & Enumeration

Using tools like Nmap to discover services, identify open ports, and surface vulnerabilities. I had limited hands-on experience with enumeration workflows at this point. I understood the concept but lacked the speed and confidence that comes from repetition.

Packet Analysis

Network Traffic Analysis

Analyzing PCAP files in Wireshark to detect malicious traffic patterns. Another category that was beyond my current tooling fluency at the time. I could open the files but did not yet have the filter knowledge to work efficiently under a time constraint.

Methodology

How He Approached It

01

Triage the Categories

When the tournament opened, Eduardo reviewed all nine categories before committing time to any single one. The goal was to identify where he had the highest chance of success and allocate time accordingly. OSINT and Cryptography were the obvious starting points. The categories he had no framework for, like Exploitation and Network Traffic Analysis, he moved to the bottom of the queue rather than burning time on walls he could not climb yet.

02

OSINT: Following the Trail

OSINT challenges provided data and asked for something to be found. That might mean tracking down a location from image metadata, tracing a username across platforms, or pulling information from public records. Eduardo used Google search operators and image metadata tools. At the time he had not yet learned reverse image lookup workflows, which cost him on some challenges that should have been straightforward. He found flags here, but left points on the table.

03

Cryptography: CyberChef as Home Base

Cryptography challenges typically provided an encrypted or encoded string and asked for the plaintext. Eduardo used CyberChef to test encoding types, work through cipher chains, and identify patterns. This was the category where he felt most in control. Being able to recognize encoding formats, stack transformations in CyberChef, and test hypotheses quickly made this the most productive category in the tournament.

04

Password Cracking: The Hardware Wall

Password cracking challenges provided hash values and asked for the original passwords. Eduardo identified hash types and turned to online hash databases, entering values and hoping for a match. This worked on some simple hashes. What he did not know yet was that the correct approach was Hashcat with a wordlist like rockyou.txt, run locally with GPU acceleration. His hardware at the time could not support that at speed. Running Hashcat on CPU alone made even basic wordlist attacks impractically slow. This category demonstrated that tooling and hardware are part of the skill set, not separate from it.

05

Knowing When to Move On

One of the harder lessons from this tournament was recognizing when a challenge was outside current capability and cutting losses rather than sinking an hour into something that could not be solved yet. That judgment, knowing when to stay and when to redirect, matters as much in a real SOC environment as it does in a timed competition. Eduardo did not do this well at first, but got better at it as the tournament progressed.

Honest Reflection

What He Got Wrong

A writeup that only covers wins is not useful. Here is what Eduardo did inefficiently and what changed because of it.

01

Using Databases Instead of Cracking

Submitting hash values to online lookup databases is not the same skill as cracking them. The databases only contain pre-computed common passwords. Anything with a strong or unique plaintext returns nothing. Eduardo was working around the problem instead of solving it. After the tournament he set up Hashcat properly and practiced running wordlist and rule-based attacks locally. That gap is closed.

02

Not Knowing Google Dorking Operators

Eduardo was searching in plain text during OSINT challenges. Knowing operators like site:, filetype:, inurl:, and intitle: narrows results from thousands of pages to exactly what you need. He was spending five minutes finding what a well-formed dork could surface in seconds. Precision searching is now part of his standard OSINT toolkit.

03

Skipping Reverse Image Lookup

Several OSINT challenges involved images with embedded context clues. Eduardo was reading metadata but not running the images through reverse lookup tools to find their origin, associated accounts, or location data. This is a standard OSINT technique he simply had not practiced yet. That changed immediately after this tournament.

Lessons Learned

Key Takeaways

Confidence is not competence. This tournament made the gap between the two very clear, and that clarity was the most valuable result.
Hardware is part of the skill set. GPU limitations are a real constraint in password cracking. Knowing your environment's ceiling is part of operational planning.
Workarounds are not skills. Using hash lookup databases is not the same as cracking. Knowing the difference matters when the databases come up empty.
Search precision is a weapon. Unstructured searching wastes time that timed competitions do not give back. Dorking operators belong in every OSINT workflow.
CTF collaboration accelerates learning faster than solo study. Watching how others approached problems I could not solve compressed months of learning into hours.
Placing 56th out of 457 teams in his first CTF, without knowing most of the tooling, confirmed that Eduardo's fundamentals were solid. The rest is buildable.

Want to talk through the details?

Eduardo can walk through his methodology, what he has built on since, and how these skills apply to your open roles.

Book a 30-Min Call Back to Recruiter Hub