How a Single Zero Wrecked My First Cybersecurity CTF (and What It Taught Me About Threat Hunting)
Have you ever spent two days losing your mind over a single flag in a CTF, only to realize the problem was… an extra zero?
Yeah... that was me.
This is the story of how I almost completed my first Threat Hunt Capture the Flag, how I made a (completely) noob mistake that cost me the win, and what I learned (the hard way) about chasing perfection in cybersecurity.
The CTF: High Stakes, High Pressure
This wasn’t just a random playground challenge. This was a serious, community-driven Threat Hunt CTF in the Cyber Range Skool community, put together by some extremely competent people like Joshua Balondo, Trevino Parker, and especially Josh Madakor. Huge thanks to all of them!
The challenge simulated a full real-world cyber attack, with multiple flags representing stages of the attack chain, from initial compromise to persistence.
The tools were solid:
- 🛡️ Microsoft Defender for Endpoint
- 📡 Microsoft Sentinel
- 🔎 Log Analytics
- Or whatever else you could bring, as long as you backed it with data.
And the prizes? Not bad at all:
- 🥇 1st Place: $250
- 🥈 2nd Place: $125
- 🥉 3rd Place: $75
- Plus 3x $50 random draw prizes for accurate submissions.
The challenge ran for one week. One shot. No resets.
Meanwhile, I was:
- Working a dead-end full-time job
- Grinding for the CompTIA Network+
- Trying to get my driver’s license
And I thought:
"Why not? Let’s give it a shot, it will be fun!"
The Challenge: Flag 8, The Timestamp From Hell
This was the coolest I’ve felt in a long time. If you don’t know, there’s a really big difference between platforms like TryHackMe or even HTB, and something like this.
Almost everything in those platforms is a closed system exercise—it’s planned, contained, and a completely linear experience.
This? This was far from it.
It was a live environment with live malware and real logs.
Imagine spending your life doing airsoft, and then someone hands you a real firearm and says:
"Hey! Go there, do this, and don’t mess it up!"
It’s a special mix of adrenaline and anxiety.
The flags were challenging, but not impossible. The tools were there, and anyone with the right approach could figure it out.
Everything was fine… until I hit Flag 8.
The task?
Submit a timestamp.
That’s it. A timestamp.
Should have been easy, right?
WRONG.
I tried every format under the sun:
- yyyy-mm-ddThh:mm:ss.fffffffZ
- yyyy-mm-dd hh:mm:ss UTC
- YYYY-MM-DDTHH:MM:SSZ
- YYYY-MM-DD HH:MM:SS
- MM/DD/YYYY HH:MM:SS AM/PM
- UNIX_TIMESTAMP
- Day, DD Mon YYYY HH:MM:SS +0000
Nothing worked.
Rabbit Hole: The Two Days of Madness
In my incredible ignorance, I thought maybe I was hunting the wrong event.
Maybe there was a malware compilation?
A credential-stealing attack?
A brute force attempt?
I didn’t know. So I dove deep. Really deep.
I checked all the logs from:
- DeviceProcessEvents
- DeviceNetworkEvents
- DeviceFileEvents
- DeviceLogonEvents
- Even DeviceImageLoadEvents (yes, I read a day’s worth of every single ******* DLL loading log. vaultcli.dll, I hate you with all my heart).
I have a 678-line KQL query named “Threat Hunt Madness by shoganaich.”
(If you want to see what a CTF-induced breakdown looks like, check it out at the end of the page.)
Two days. Staring at logs and tables. I was starting to give up.
Me, 10 minutes into staring at DLL loading logs: "I have made a huge mistake."
Ah Yes... The Punchline: A Single Zero
After two days of reading logs in my free time, the CTF competition ended, and the answers were revealed…
I finally saw it.
The correct flag?
2025-05-07T02:00:36.794406Z
One of my main submissions and top suspects?
2025-05-07T02:00:36.7944060Z
That’s right. You are seeing it right. One extra zero. That was it.
All that stress, all that effort, all those lost hours, all because I was too precise for my own good.
I had added an extend command in my query to always include a TimestampFormatted field, like this:
DeviceProcessEvents
| where DeviceName == "anthony-001"
| where Timestamp >= datetime(2025-05-07T00:59:07.8881755Z)
// 'fffffff' asks format_datetime for seven fractional digits (100 ns ticks);
// 'ffffff' would give the six digits the answer key used. strcat is needed
// because 'T' is not a delimiter format_datetime accepts inside a format string.
| extend TimestampFormatted = strcat(format_datetime(Timestamp, 'yyyy-MM-dd'), "T", format_datetime(Timestamp, 'HH:mm:ss.fffffff'), "Z")
| order by Timestamp asc
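Since the whole failure came down to six versus seven fractional digits, here is an added example (written for this page, not the author's query and not anything from the CTF organizers) of the check I would want before submitting or comparing a timestamp: parse both strings into 100 ns ticks so that a seven-digit KQL 'fffffff' value and a six-digit value compare as the same instant, then re-emit a canonical six-digit form. The two sample strings are the ones quoted above; the function names and the regex (which accepts only UTC spellings) are my own assumptions.

```python
import re
from datetime import datetime, timezone

# ISO 8601 UTC timestamp, 'T' or space separator, 0..n fractional digits,
# and an optional UTC designator ('Z', '+0000', '+00:00' or ' UTC').
_ISO_UTC_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]00:?00| UTC)?$"
)

TICKS_PER_SECOND = 10_000_000  # 100 ns ticks, the resolution Kusto stores


def parse_ticks(ts: str) -> int:
    """Return ts as 100 ns ticks since the Unix epoch.

    Python's datetime only keeps microseconds, so the seventh digit is kept
    separately; this is what makes '...7944060Z' and '...794406Z' equal.
    """
    m = _ISO_UTC_RE.match(ts.strip())
    if not m:
        raise ValueError(f"unrecognised UTC timestamp: {ts!r}")
    date_part, time_part, frac, _tz = m.groups()
    frac = frac or ""
    if len(frac) > 7:
        raise ValueError("finer than 100 ns is not representable in ticks")
    frac = frac.ljust(7, "0")  # right-pad to seven digits, e.g. '794406' -> '7944060'
    base = datetime.strptime(f"{date_part}T{time_part}", "%Y-%m-%dT%H:%M:%S")
    base = base.replace(tzinfo=timezone.utc)
    return int(base.timestamp()) * TICKS_PER_SECOND + int(frac)


def same_instant(a: str, b: str) -> bool:
    """True when two differently formatted strings name the same moment."""
    return parse_ticks(a) == parse_ticks(b)


def to_iso_micro(ts: str) -> str:
    """Canonical form with exactly six fractional digits and a trailing 'Z'.

    The seventh (100 ns) digit is truncated, not rounded; if it is non-zero the
    caller loses precision, so seventh_digit() lets you check first.
    """
    seconds, rem = divmod(parse_ticks(ts), TICKS_PER_SECOND)
    dt = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{rem // 10:06d}Z"


def seventh_digit(ts: str) -> int:
    """The 100 ns digit that a six-digit rendering would drop."""
    return parse_ticks(ts) % 10


if __name__ == "__main__":
    # Constructed sample: the answer key value and the rejected submission.
    expected = "2025-05-07T02:00:36.794406Z"
    submitted = "2025-05-07T02:00:36.7944060Z"
    print(same_instant(expected, submitted))   # same moment, different strings
    print(to_iso_micro(submitted))             # what should have been submitted
    print(seventh_digit("2025-05-07T00:59:07.8881755Z"))  # 5: would be lost
```

The point is to never compare timestamps as strings when they come from different tools: normalise to ticks (or to a datetime at a stated precision) first, and only then render at the precision the consumer expects.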
The Lessons Learned the Hard Way
Here’s what I learned:
- Don’t overthink it. If the tool gives you an answer, use it and move on.
- Perfectionism can wreck you in cybersecurity. Get the data, confirm it, and move on.
- Capture the Flag competitions can (and will) humble you fast. That’s a feature, not a bug.
- The Cyber Range community is 🔥. Huge thanks to Josh, Trevino, Joshua, and everyone who helped along the way.
- Oh, and if you ever see a vaultcli.dll log… run.
My Notes
If you want to see the notes I made during the CTF, here they are:
👉 Victor’s CTF Notes
If you’re curious (or feeling masochistic), here’s the KQL Madness: https://github.com/shoganaich/th-kqlmadness
Thanks for reading, and remember: there’s always a dino in the logs.
What do you think about it? Have something to share? All comments are welcome!