Hello reader, in this reading, you will find the story of a team who won a competition in the last 5 minutes. You will be reading the story of the best regional team in the whole country. This is Goktug Ekinci. I wanted to write about my experience at NCAE Cyber Games.
Broadly, what is NCAE Cyber Games
NCAE Cyber Games is an ethical hacking competition with three teams: red, black, and blue. The red team is the attacker team that attacks the servers and machines the blue team needs to defend. The black team manages the required services, machines, and servers. They neither attack nor defend. Competitors are the blue team. You are given an environment with various servers and a network topology, and you are asked to bring everything up and maintain it as much as you can. The catch is, the environment is initially zero setup, constantly under attack, and some of the machines in your space are already compromised. The competition takes a whole day, from 10:30 AM to 6 PM. Everything is free to use including LLMs, search engines, scripts, and much more, except paid tools. Bringing servers up earns you points at each score check. The team with the most points wins.
Cyber Games 2025
To understand what we did differently this year, I need to tell a little bit about the past year's experience.
In 2025, our advisor recommended that we enter this competition. We barely formed a team, and nobody knew what we were up against. We barely studied and didn't have any preparation for the competition. Preparation and scripts are important for the competition because you need to automate a lot of things. We met up only once or twice, only after seeing the network topology we were up against at midnight before the competition.
On competition day, we split up for capture the flags (CTF) and infrastructure. I have yet to mention CTFs, but these are challenges given by the competition that you need to complete to get points. They can be related to coding, reverse engineering, or even the infrastructure side. We had a lot of fun, we solved 20-22 CTFs out of 30, and we were able to keep certain infrastructure components up for a while. I learned a lot, I set up the router from ground zero, connected the gateway, internal network and external network. I also tried to help with the web server, but our efforts were not enough. We ended up in 4th place by a close margin. We were happy with the result, and we were ironically also happy we didn't get invited to the invitationals, because everyone's schedule was already packed. After having so much fun and learning a lot of things, I personally decided to attend the competition again, and I wanted to win it.
2026
Our team
I am a member of a research lab, as I am a doctoral student. There are other master's or Ph.D. students in the lab. We attended this competition last year, forming a team of 6 people from the lab, where a maximum of 10 people is allowed on each team. Knowing from last year, we needed more people. After talking to my advisor, I formed a team of 10 with 4 second-year cyber games attendees. This makes a team of half PhDs, half masters, and one undergrad student. The team was ready, but the people weren't.
Competition in detail, and how did we prepare
After the 2025 experience, I knew we needed to prepare a lot more. More important than anything else, we needed to take this competition seriously. Once it's taken seriously, studying and preparation are just details. I started talking to people from the previous semester. Forming the team was a cumbersome process, let's just skip it, but I was able to find people who were interested in the competition and had the time to prepare.
Experience sharing, and what to expect
From the previous competition, we had a lot to share with the new members. We talked about what things we did wrong, and how we could do better.
For example, in last year's competition, we focused too much on the passwords of the machines. On competition day, you are given machines with default usernames and passwords, along with all the other users, either benign or malicious, in the systems. We created a shared sheet to document the passwords we were going to use for the machines. Since we didn't know what kind of attacks to expect, we assumed that the attackers might try to crack the passwords, and wanted to use strong passwords. This created two problems. First, we had a hard time remembering and entering those passwords, and second, we locked ourselves out of a machine that was worth a lot of points. We had to ask the black team to reset the machine. (Yes, you can ask for help from the black or red team, but they might try to bargain with you :)) Another problem was that we didn't realize they had changed the "change password command" linkage in Linux (passwd) to a different one; this script was actually changing the password, but also sending the passwords to the red team. We realized that towards noon, when they shared all of our passwords in Discord. This single compromise was a huge lesson in what kind of attacks to expect.
This and a few other things we could remember were shared with the new members. Even though the information is valuable, people still don't exactly know what they will face until competition day. Another note taken from the previous year was to bring the machines up as soon as possible with a healthy configuration with BACKUPS, because no matter what you do, especially towards the end of the day, you will be compromised one way or another. So, you need to be able to bring the machines up as soon as possible, and have a backup plan for when you get compromised.
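A check for the kind of `passwd` substitution described above, as an added example that is not part of the original post: it resolves a command along `PATH` and reports when the first hit is a symlink, a script rather than an ELF binary, writable by others, or shadowing a different file later on `PATH`. The directory names and the wrapper contents in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"


def audit_command(name, path_dirs):
    """Resolve `name` along path_dirs and list reasons to distrust the hit."""
    hits = []
    for d in path_dirs:
        p = os.path.join(d, name)
        if os.path.isfile(p) and os.access(p, os.X_OK):
            hits.append(p)
    if not hits:
        return None, ["not found on PATH"]
    first, findings = hits[0], []
    # A different file later on PATH means the first hit shadows it.
    # Comparing realpaths avoids false alarms when /bin is a link to /usr/bin.
    for other in hits[1:]:
        if os.path.realpath(other) != os.path.realpath(first):
            findings.append(f"shadows {other}")
    if os.path.islink(first):
        findings.append(f"symlink to {os.path.realpath(first)}")
    with open(first, "rb") as fh:
        if fh.read(4) != ELF_MAGIC:
            findings.append("not an ELF binary (script or wrapper)")
    if os.stat(first).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return first, findings


def demo():
    """Constructed layout: a wrapper script placed ahead of the real binary."""
    root = tempfile.mkdtemp()
    early, late = os.path.join(root, "local_bin"), os.path.join(root, "usr_bin")
    os.makedirs(early)
    os.makedirs(late)
    with open(os.path.join(late, "passwd"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)  # fake ELF header
    with open(os.path.join(early, "passwd"), "w") as fh:
        fh.write('#!/bin/sh\n# constructed stand-in\nexec /usr/bin/passwd "$@"\n')
    os.chmod(os.path.join(late, "passwd"), 0o755)
    os.chmod(os.path.join(early, "passwd"), 0o775)
    return audit_command("passwd", [early, late]), audit_command("passwd", [late])


if __name__ == "__main__":
    for path, findings in demo():
        print(path, findings or ["looks like a plain binary"])
    print(audit_command("passwd", os.environ.get("PATH", "").split(os.pathsep)))
```

This only covers `PATH` resolution: a shell alias or function named `passwd` needs `type passwd` in the shell itself, and a binary overwritten in place needs package verification such as `dpkg --verify` or `rpm -V`.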
Studying and preparation
On the Wednesday before the competition, the network topology and scoring criteria are announced.
Looking at the topology, there are 5 services that need configuration and setup. These are the router, Shell/SMB server, web server, database, and DNS server. It was decided that we needed at least one person for each of these machines. In addition, 4 of these machines are already compromised even before the start. I got the router. Its setup is important because the machines need internet and an internal connection between machines to do many things. The other servers are worth huge points that we definitely needed in order to win. We also distributed them to people and left some people for CTFs. People's schedules are important because infrastructure work needs studying prior to the competition. CTFs are a little bit more flexible. They are directed puzzles and problems. Experience is more important than studying, and earning experience in a couple of weeks is unrealistic. Thus, we tried to give CTFs to people who would have a cramped schedule. At that point, everyone knew what they were going to do.
After the division of tasks, the first plan was to come up with a plan for backup and quick recovery. Some of the machines need a sequence of commands to be up and running. Thus, you know what to do when you need to bring the machines up, and there are constant, non-changing parts as well. What does this mean? This means you need either scripts, or a way to write all of the commands fast, but the system doesn't let you copy and paste. It is available on some machines through Spice, but not on all. Plus, it is not guaranteed to work on competition day. The machines you see in the tutorial environments are not the same as the ones in the competition. The second way is to build scripts, but how you are going to transfer those scripts onto the machines you have is a good question.
While the other people worked on the backup and scripts, I focused on solving copy and pasting. There must've been a way to do it because we can write to the machines manually through our keyboard, but cannot paste. Then I thought of using libraries that can simulate keyboard input, such as pyautogui's typewrite. Using the library, I was able to create a generic script that quickly typewrites whatever you put inside to the window you clicked. This enabled us to configure any machine within seconds. For example, the router. The router needs to have IP addresses assigned to its interfaces, and several other settings adjusted. Also, this works as a backup as well. If you lose all the configuration, you can basically run the script again to get the configuration you want in around 30 seconds.
I shared the script with other team members so that they could create their own scripts for their services. The DNS server, database, and SMB server might have needed constant configurations. Copy and paste also worked with this script. The script writes the commands or text you give it to the machines very fast. We could use it to copy and paste large texts to the machines. It can also be used to transfer files to the machines because you cannot ssh into the machines from your local machine in the competition. The scripts can be found here.
For the CTFs, at first we assigned 4 people to them. In last year's competition, CTFs were worth around 40% of the points available. Then, the points were announced along with the topology, and we saw that the CTFs were worth a lot less than in the past year. This meant we needed to shift more people to the infrastructure side rather than having 4-5 people working on the CTFs.
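A sketch of file transfer over simulated keystrokes as described above, written for this page and not the author's script: the file is base64-encoded into short `echo` lines, rebuilt on the target, and checked with `sha256sum` so that dropped or mistyped keys are noticed. The function names, the sample payload and `/tmp/router.conf` are assumptions, and `type_lines` needs the third-party `pyautogui` package plus a focused console window.

```python
import base64
import hashlib
import time


def build_transfer_lines(data, remote_path, width=64):
    """Return (shell lines that rebuild `data` at remote_path, expected SHA-256)."""
    b64 = base64.b64encode(data).decode("ascii")
    tmp = remote_path + ".b64"
    lines = [f": > '{tmp}'"]  # start from an empty staging file
    for i in range(0, len(b64), width):
        # base64 output has no shell metacharacters, so echo needs no quoting
        lines.append(f"echo {b64[i:i + width]} >> '{tmp}'")
    lines.append(f"base64 -d '{tmp}' > '{remote_path}' && rm '{tmp}'")
    lines.append(f"sha256sum '{remote_path}'")  # compare with the local digest
    return lines, hashlib.sha256(data).hexdigest()


def decode_lines(lines):
    """Local self-check: undo build_transfer_lines without touching a console."""
    chunks = [ln.split()[1] for ln in lines if ln.startswith("echo ")]
    return base64.b64decode("".join(chunks))


def type_lines(lines, start_delay=5.0, key_interval=0.01, line_pause=0.2):
    """Type each line followed by Enter into whichever window has focus."""
    import pyautogui  # third-party; imported lazily so the rest runs headless
    time.sleep(start_delay)  # time to click into the console window
    for line in lines:
        pyautogui.typewrite(line, interval=key_interval)
        pyautogui.press("enter")
        time.sleep(line_pause)  # let a laggy console catch up


# Constructed sample payload, not a configuration from the competition.
SAMPLE = (b"interface eth0\n  address 192.0.2.1/24\n"
          b"interface eth1\n  address 198.51.100.1/24\n")

if __name__ == "__main__":
    lines, digest = build_transfer_lines(SAMPLE, "/tmp/router.conf")
    assert decode_lines(lines) == SAMPLE
    print("expect sha256:", digest)
    type_lines(lines)
```

If the digest printed on the target differs from the local one, raise `key_interval` and `line_pause` and type the file again; the paths are assumed to contain no single quotes.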
Competition Day
On competition day, we showed up in our research lab. Communication is important and being together face to face is advantageous. It was 10:30 AM, and the competition started.
Morning
In the first hour, we did better than I expected. The router was up, the database was up, SMB was mostly up, and the web server was also mostly up. We had some latency in DNS, but that was because my teammate Will was working on a more robust solution that would save us a lot of points at the end. Around 12-1, we were first in infrastructure points, but we were a bit behind on the CTF side. The best teams had solved 2-3 questions more than us, which is approximately 300-400 points. This many points are very hard to gain through infrastructure. Then we got behind because we lost SMB and DNS. Plus, the website certificate was not ready yet either. This immediately put us at a disadvantage compared to the top teams in the competition. Once we had almost fixed everything, the lunch break came.
The Turning Point
The lunch break helped us a lot by letting us rest mentally and physically, but not all of us. Our CTF people were working on the problems even during lunch, and one of the infrastructure support people decided to help the CTF team, and the only thing he did was try a different LLM for help, which worked out perfectly. Suddenly, they were able to solve 2-3 more questions and we were in the lead.
Once the afternoon started, we knew a lot more attacks were yet to come. The general approach is to increase the load of attacks towards the end of the day. We needed to harden the systems. Then, William changed the whole fate of the games for us. He was having too much trouble with the DNS server, so he decided to move the DNS server to one of the internal machines. Normally, those internal machines are there to test your internal network, solve a few CTFs, or do any other task you might need. He copied the needed files to internal machine 2 and changed the IP address of the internal machine to the DNS server's, so that when the scoring server pings the DNS server, it reaches the internal Kali machine instead of the DNS server itself. On top of all of this, he containerized the whole system. This changed the whole thing.
The red team wasn't able to understand what was going on until 4:12 PM. Once they did, the black team congratulated us for making them add a new rule for next year. I think this is the biggest compliment in an ethical hacking competition. Still, it didn't matter that they realized it. You can see it from the topology: the DNS server is compromised, but the internal Kali machines are not. This meant that even though they had a lot of ways to get into the compromised machines, they only had SSH to reach the internal machines, which didn't work well for them thanks to our undisclosed solutions. Containerizing and moving the server suddenly made Will completely free, and he started helping Andrew do the same thing for the SMB server as well. While they were working on those, we were restarting or rebooting some of the compromised machines, and reconfiguring them. Our services were shutting down; as a temporary solution we were just quickly reconfiguring them.
Meanwhile, our CTF team earned 100% of the points that can be earned from CTFs. The black team gave teams a new type of challenge called the inject challenge. They moved to that, while we were containerizing everything. The web server wasn't able to work because our certificate had expired and there was no more time left for that. Something bad happened following that. We lost our router. Losing the router means you lose the web server as well, and external DNS as well. We were locked out; we weren't able to log into the machine. It was clear that they had changed our password. We had only one chance. Bargaining with the black team.
During the competition you can bargain with the organizers for something such as a server or a solution. What they want in return is a dancing video. You literally post dancing videos in the public channel in the Discord server and they give you what you want. We tried to use the video we took in the past year's competition. I forgot to delete the metadata of the video file; they realized it and didn't give us the router back. We were not ashamed to take a video, but we didn't have time to take one. We would gladly dance, and we did after that. We took the dancing video twice because in the first one, the whiteboard was in the video. Yes, that whiteboard where all of our passwords were written. Luckily, I realized it before I sent the video, and we shot a clean one. After the video, 30 minutes before the end, they gave us the new password. I logged in and found the backup I took. I restored the router, and the router rebooted. After the reboot, I was again not able to log in to the router. I suddenly felt disappointment because we had lost it again. I didn't even know if the restore had worked. Then I checked the scoreboard; there was a green upward arrow instead of a red downward arrow in the router column. I checked our closest competitor; almost all of their servers were down, as were everyone's but ours. Thanks to moving the servers and containerizing them.
Final Push
20 minutes left, we are in second position by more than 60-70 points. The CTF team's job is done. Every point is taken. We can only earn more points from infrastructure. Everyone's servers are down. Ours are up, we are getting there, but I am not happy yet because some other teams can still get more points from CTF challenges, which is a sudden gain in points. They can get far away. That's why we still worked on the database, to bring it up and get a few more points at the last second, in case it made a difference. We couldn't bring it up, but we were almost 200 points away from the second team when the time was up.
Everyone was so thrilled. Little happy shouts in the lab (at least nobody was in the department that day, spring break). In the closing ceremony, we were announced as the winners; the organizers congratulated us for the nearly 7000 points (6997) and asked us what made the difference. We told the container and service moving story. After the ceremony ended, we discussed what happened in the competition for about 1 more hour to burn off the adrenaline in our bodies. Everybody headed home, waiting for the invitation to the invitationals at the end.
Invitationals (or hope of invitationals)
This competition we won was the regional competition. Northeast 2, to be specific. There are 11 more competitions like this. The NCAE organization selects 12 teams from these 12 events and invites them for a final round, the invitationals. This time, the competition is held face to face, in Tampa, Florida. The teams there are the best of the best, and they compete in a similar environment.
Winning a regional doesn't guarantee your invitation to the final round. It definitely is the most important factor, but they also check other factors such as room for development, interesting solutions during the regionals, and several more. Everybody in our team was sure that we were going to get invited, which wasn't an absurd expectation. We won our event, and we used a lot of different approaches, a few interesting ones as well. They even told us they are going to add new rules because of us. Our regional was competitive; 4-5 teams were at the top competing until the last minute. Thus we can eliminate the possibility that we coincidentally ended up in a less competitive regional.
After the announcement, we learned that we didn't get invited. General factors were repeated as an explanation for not getting the invitation. After hearing that, we were curious about the other teams and how they performed. I went to the scoreboard site we used in the competition, and I saw an id for our competition. I thought of reaching the other competition results by querying the backend the website was using. After roaming in the developer console and network logs of the site, I found out they were using GraphQL. Discovering the structure with a few queries, I was able to retrieve all the competitions that had been held in history. I checked the events of our year, and I found out that: We scored the HIGHEST points among all the universities and organizations that attended the games. I mean, number 1. Not a single team scored higher than us.
Knowing that hurt us even more, but it was what it was. We weren't invited, and getting stuck on questions and reasons was not helping us. I was always hoping this team would be the pioneer of an ethical hacking club/organization/group in our university. A person can join NCAE Cyber Games only twice, but there are other competitions as well. Plus, this year's students can teach other people and we might have an NCAE or ethical hacking culture. I don't know what happens in the future, but I know that we took a huge step in that direction.










