Vulnerable boxes were LXC containers with Ubuntu and Linux 3.8 kernel on ODROID-U2 boards (ARMv7 CPU). ARMv7 means you can't debug on your SheevaPlug (ARMv5) or RaspberryPi (ARMv6) so either you have an ARMv7 handy (e.g. Chromebook) or you need to use QEMU.
We were given 6 binaries (4 on the first day, 2 on the second day) so it's doable by a team of 8 people (the limit) and hopefully doesn't benefit larger teams. We didn't have root, but a user ctf with sudo access to users running the binaries, which were run by xinetd, so the teams didn't have to keep a server running. Binaries had one or multiple vulnerabilities, and some of them had bugs which were patched during the CTF.
The nice part is that the OS had ASLR and NX enabled, and some binaries were PIE. Finally stepping up the game!
Monday, August 12, 2013
New organizers this year: LegitBS, 8 people including members of Samurai (last year's winners).
In short, they did really good. Great game, good challenges, always on time and most of the things working.
Tuesday, September 4, 2012
Well, that was hell of a game.
Lollers would have bet that DDTEK would screw this up but guess what... After herding all year long, they invoked their sheep for rescue to save their bad ass' smelly screwing power reputation.
They ruled it! Special Kudos for running a game of 20 teams x 8 individuals so smoothly. This was a big "first time ever" for the "Capture the Flag" exercise. Not to tell that there wasn't some fuck up but DDTEK were back with good binaries quality, much harder and pretty well thought compared to last year. Almost no problem all game long except the traditional "We R in Late..."
Monday, August 6, 2012
semem: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, for FreeBSD 9.0 (900044), stripped
This service listens on port 6941 on interface em1 on the first ipv6 address found. For every connection, a child is forked, privileges are dropped to the semem user and this user home is used for the chroot.
Monday, June 4, 2012
Connect to the given host and port, with the provided password.
The problem is as follow:
Here come 100000 uint16_t, please tell me how to sort them into
ascending order by sending me pairs of indicies to exchange, one
per line, in the format: <index1>:<index2>
For example to exchange elements 123 and 9821 you should send:
Valid indicies are in the range 0..99999 inclusive. Send a blank
line when you are done. If you correctly sort the array in
sufficiently few moves I will give you a key!
You have about 10 seconds to finish, and a 5 minute wait between
We have a jpeg file and its __MACOSX AppleDouble encoded Macintosh friend:
The second file tells us that the jpeg comes from http://ircimages.com/ircimages/1/1/115e0ba3c3d72647fcb9a53ae90e47a6.jpg
Execute photorec on the memory dump:
$ photorec for400/memory.dmp
Scan for Intel/Whole Disk/Other
During the recovery, notice some gpg files recovered:
$ find . -name "*.gpg"
$ file ./recup_dir.5/f1459128.gpg
./recup_dir.5/f1459128.gpg: PGP key security ring
This seems very good!