Friday, August 15, 2014

Defcon 22 CTF - Badger

Teams were given special CTF badges in the middle of the first day of the CTF.


The badges communicate through an RF link and can send messages to each other. Each message consists of a text (limited to 113, then 200 characters) and an image.

Two serial ports over USB are available: the upper one, which is undocumented, and the lower one, which is used to load the program.

The main components on the badge are:
  • FPGA: Xilinx Spartan 6 XC6SLX9
  • RF IC: likely a Semtech SX1272 @ 868 MHz (inscriptions read 1272 1342 W2H617 00)
  • Flash: 4 Mbits ST 25PE40
  • SRAM: 1(?) Mbits Microchip 23LCV
  • Serial: 2x RS232 over USB Prolific PL2303
  • A color LCD screen

Inspecting the badge


When connecting to the upper serial port, we are greeted with:
  Application Core v1.0
  openMSP430 core by Oliver Girard
  p.s. I modded the core to make data executable -sirgoon

Friday, May 30, 2014

Defcon 22 QUALS - Dosfun4u

The challenge's abstract is succinct but quite accurate:
  dosfun4u
  Welcome to DOS, this is going to suck.
We are given a tar.gz archive containing a bochs configuration file, bochsrc, and a raw disk image, dosfun4u.img.

Monday, August 12, 2013

Defcon 21 CTF - Binaries and environment

Vulnerable boxes were LXC containers with Ubuntu and a Linux 3.8 kernel on ODROID-U2 boards (ARMv7 CPU). ARMv7 means you can't debug on your SheevaPlug (ARMv5) or Raspberry Pi (ARMv6), so either you have an ARMv7 device handy (e.g. a Chromebook) or you need to use QEMU.

We were given 6 binaries (4 on the first day, 2 on the second day) so it's doable by a team of 8 people (the limit) and hopefully doesn't benefit larger teams. We didn't have root, but a user ctf with sudo access to users running the binaries, which were run by xinetd, so the teams didn't have to keep a server running. Binaries had one or multiple vulnerabilities, and some of them had bugs which were patched during the CTF.

The nice part is that the OS had ASLR and NX enabled, and some binaries were PIE. Finally stepping up the game!

Defcon 21 CTF

And here we are again in Vegas this year for Defcon 21 CTF!

New organizers this year: LegitBS, 8 people including members of Samurai (last year's winners).

In short, they did really well. Great game, good challenges, always on time and most things working.

Tuesday, September 4, 2012

Defcon 20 CTF - CTF Inside



Well, that was a hell of a game.

Lollers would have bet that DDTEK would screw this up but guess what... After herding all year long, they invoked their sheep for rescue to save their bad ass' smelly screwing power reputation.

They ruled it! Special kudos for running a game of 20 teams x 8 individuals so smoothly. This was a big "first time ever" for the "Capture the Flag" exercise. Not to say there weren't some fuck-ups, but DDTEK were back with good-quality binaries, much harder and pretty well thought out compared to last year. Almost no problems all game long except the traditional "We R in Late..."

Monday, August 6, 2012

Defcon 20 CTF - Semem

semem: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), 
statically linked, for FreeBSD 9.0 (900044), stripped

This service listens on port 6941 on interface em1, on the first IPv6 address found. For every connection, a child is forked, privileges are dropped to the semem user, and this user's home directory is used for the chroot.

Monday, June 4, 2012

Defcon 20 QUALS - urandom 300


Connect to the given host and port, with the provided password.

The problem is as follows:
  Here come 100000 uint16_t, please tell me how to sort them into
  ascending order by sending me pairs of indicies to exchange, one
  per line, in the format: <index1>:<index2>
  For example to exchange elements 123 and 9821 you should send:
  123:9821
  Valid indicies are in the range 0..99999 inclusive. Send a blank
  line when you are done. If you correctly sort the array in
  sufficiently few moves I will give you a key!
  You have about 10 seconds to finish, and a 5 minute wait between
  successive connections.