Wednesday, August 10, 2011

Defcon 19 CTF - CTF Inside

ddtek ran their third contest since they took over the CTF's organization: "Binjitsu III" (or as the scoreboard had it "binjutsu" ;)

This edition was held at the Rio for the first time, and ddtek teased us with an authentication passphrase related to the change of casino.

Organizing such an event represents a heavy workload, as there are in fact two separate contests to run: the quals, online, and the CTF itself, in Vegas. Although not perfect in every aspect, ddtek is doing quite a good job of making this happen. Thanks to them.

We have been involved in the CTF for five years and, as such, have followed its overall evolution over the years.
The good news is that the teams are becoming more international and the skill level is rising:
  • the Danes (well, mostly): European Nopsled - who rocked the contest: congratz guys!
  • the Spaniards: int3pids (formerly known as Sexy Pandas with Gambas) - a much-feared reversing powerhouse and one of the very few teams that passes the quals every year.
  • the Japanese: sutegoma2 - joining the contest for the first time. Welcome Ninjas!
  • the Russians: IV - also here for the first time and finished 4th, a very good result. Oh, and nicely played on the defense, you're lucky the polling sucked ;)
  • the Koreans: PLUS@Postech - GON are out this year, so are WOWHACKER. Alliances show their limits ;-)
  • and the all-over-the-world team lollersk8ers, who did a good job with only 5 players. Did you really have no services running from the beginning?

Many US teams were there as usual, some of them including ex-members of the previous winners 1@stplace/vedagodz:
  • ACME Pharm: too busy contemplating your black badge?
  • Hates Irony: less sex doll^Wsheep, t-shirts and stickers and more reversing ;)
  • velociROPtors: you should be ashamed of using the word ROP.
  • Plaid Parliament of Pwning: you know how to win challenge-based CTFs, but now you're crying for your mommies! j/k, well done guys for a first edition, we expect a lot from you next year ;)
  • shellphish: Defcon 13 winners and still strong in the finals!

As usual, the game was slow to start. Long after being seated, we were handed the binaries, the VM image (really?) and credentials for our VM and scoring.

A few hours later... We had access to our VM and traces of our first opponents. It wasn't long before the first exploits were ready: we pwned, stole keys, submitted them... & NOoo... THE !@#$ SUBMISSION SERVER IS DOWN. And keys were expiring :( We were told "don't worry Routards, it is the same thing for all teams, don't be too fast!" lolz.
Many teams, not just us, had 0days/breakthroughs and could have scored first blood during this period, but were unable to.

A few hours later... We could actually score.

A few more hours later... There was a scoreboard for all to see! Well, not strictly all, only for the teams that weren't sitting behind it... Moreover, it was annoying: it slowly cycled through many charts (interesting, though) while all you want right now is the current score. Why not display a box with every team's score on every slide? Or better, set up a web interface where everyone can see all of this information. Also, hiding the names of the services does not add any value to the game. Finally, please leave the scoreboard up for the entire competition: as Roman said, "non-blind game supports fair-play & helps to detect errors".

No really, this time it felt like things took *way* too long to kick off. Figuring out our subnet isn't actually all that fun. Figuring out how to start a given service, and whether it drops its privileges or not. Figuring out if a typo in the Unix account "tomato" is intentional or not. Figuring out why forgetu had to run under the "fu" account while the binary was using "forgetu". Figuring out why sandy was in bin/ instead of sbin/ and why the patched binary was periodically overwritten by the original, vulnerable one... That's not really part of a CTF or in any way "fun".

The submission server was often down. Because of that, we lost a large number of keys: the server replied "key expired" once it was back online. Knowing the SLA of the submission server would be of interest :) And having to stand up and walk to the help desk to explain the same problem again and again is rather tiring... Doesn't ddtek monitor its own services?
It also seems we were penalized by being denied access to the submission server for some weird reason (we were working too fast for the ddtek architecture...).

Also, it's been 3 years now and the system displaying the availability of the services is still not working: all services are shown as down when they are not (as far as we remember, only 2 services were shown as up this year). Totally useless! Even more useless given that some teams managed to host their services on another machine without breaking their SLA... isn't that supposed to be detected?!

Now about the binaries: last year's CTF was rather chaotic (hardly playable) but the overall quality of the binaries was very good. This year, too many of the binaries came down to format string exploitation: taking shortcuts, ddtek? :P However, IPv6 was a nice surprise and brought all the spice the contest needed to make it enjoyable.

Special greetings to lollerSkaters, who got root on several jails (if not all). They nicely kickbanned us from our jail, but we quickly regained access thanks to root's authorized_keys being automagically re-written. Kudos to ddtek for that! Unfortunately, that root access didn't let them win the contest, due to a catastrophic SLA. It's kinda hard to believe that they failed to configure IPv6... so wtf happened guys?

Routards will not comment on matters such as 0days and breaking out of the jail, as this is serious business.

Compared to the Kenshoto years, the CTF lacks showmanship. The original breakthrough concept was great: being fast was rewarded, it put pressure on the other teams, and applause was a tradition. Killing the show in the name of a supposedly better scoring system sucks. By the way, not taking breakthroughs into account definitely sux too. Also, ddtek should have more of a presence. Yes, that includes helping people during the game: guessing games are no fun and pointless.

(Image: the aforementioned better scoring system in action)

What about the end of the CTF? Well, which end? A few words while pulling the cables without warning (and without having restored the submission server, which had been down for over an hour...) and announcing the winner's name at the ceremony are not enough. This is totally disrespectful to all the other teams: no anecdotes or details about the 3 intense days; lollersk8ters' pwnage was barely mentioned, as were Routards' "eternal seconds" (4 years in a row... dammit!). Bring back Invisigoth!

For a lot of people, the CTF is supposed to be the hacking world championship; far more attention should be paid to the closing ceremony. Kenshoto did it really well in the past.

Finally, where are the in-game graphs? The logs of the points earned? The most owned service? The most owned team? Rank changes? Breakthroughs? And pcaps! Everybody is expecting more data.

Enjoy the write ups.

Routards / Eternal Seconds


  1. adc here from the lollerskaterz dropping from roflcopters! This is a really nice blog post! I hope other teams get a chance to see this and post their thoughts.

    I'd like to mention my views, which may differ from those of my team mates.

    To start off, many greets and thanx to ddtek for all their hard work and volunteer time.

    DDTEK: Part of your fun factor has always been the Columbo maneuvers. You're experimenting with us. Can't tell if you're slacking or working really hard, aware or unaware, playing or not playing :-). This might work better if you had a storyline.

    RE SLA: this blog post summed it up. Shipped broken services, service binary overwrites, and no reliable way to get service status. I believe we had pretty poor SLA. It was somewhere above 0 though :-D. We'd need some feedback to figure it all out. Some game logs would be ideal.

    There are two additional things that were left out. First, some of the SLA checks coming from the server were broken, and binaries had to be patched to match the incoming requests.

    Second, the SLA checks failed to incorporate the actual keys for the 3rd year in a row. This means that for a team, the most rational thing is to copy all of their services out into a VM, or a VM for each service. With no keys.

    The only gotcha is you need to hash your real game server and constantly monitor for secret ddtek updates.

    shout outz to

  2. Oh, P.S.

    At least 2 teams turned in flags for cleaner? Anyone else :P?
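Both the post's complaint that the patched sandy binary kept being overwritten by the original and adc's advice above to hash the real game server and watch for silent ddtek updates come down to the same small tool: a file integrity monitor that baselines the files you care about after you have patched them, detects changes on every pass, and puts your copy back. The script below is an added example by the editor, not code from Routards, lollersk8ers or ddtek; the paths (bin/sandy, root/.ssh/authorized_keys), the file contents and the "rival" key line are constructed stand-ins created in a temporary directory, and the layout of the real game VMs is an assumption.

```python
#!/usr/bin/env python3
"""File integrity monitor for a CTF game box (added example, constructed data)."""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _vault_path(vault: Path, watched: Path) -> Path:
    """Deterministic vault name per watched path (two files named 'sandy' must not collide)."""
    tag = hashlib.sha256(str(watched).encode()).hexdigest()[:8]
    return vault / f"{watched.name}.{tag}"


def take_baseline(watched: list[Path], vault: Path) -> dict[Path, str]:
    """Record each file's hash and stash a copy in the vault.
    Call this AFTER deploying your patches: the vault is the state you want to keep."""
    vault.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for p in watched:
        baseline[p] = sha256_file(p)
        shutil.copy2(p, _vault_path(vault, p))  # copy2 keeps mode bits (exec/setuid)
    return baseline


def check(baseline: dict[Path, str]) -> dict[Path, str]:
    """Compare every watched file with its baseline: 'ok', 'modified' or 'missing'."""
    status = {}
    for p, expected in baseline.items():
        if not p.exists():
            status[p] = "missing"
        elif sha256_file(p) != expected:
            status[p] = "modified"
        else:
            status[p] = "ok"
    return status


def restore(baseline: dict[Path, str], vault: Path, changed: dict[Path, str]) -> list[Path]:
    """Put the vault copy back over every file that was overwritten or deleted."""
    restored = []
    for p in changed:
        p.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(_vault_path(vault, p), p)
        if sha256_file(p) != baseline[p]:  # the vault itself may have been tampered with
            raise RuntimeError(f"restore of {p} does not match baseline hash")
        restored.append(p)
    return restored


def monitor_once(baseline, vault, restore_on_change=True):
    """One pass: return what changed and what was restored."""
    changed = {p: st for p, st in check(baseline).items() if st != "ok"}
    restored = restore(baseline, vault, changed) if (restore_on_change and changed) else []
    return changed, restored


def monitor_loop(baseline, vault, interval=5.0):
    """Run forever on the game box; report and revert any overwrite it sees."""
    while True:
        changed, restored = monitor_once(baseline, vault)
        for p, st in changed.items():
            print(f"[{time.strftime('%H:%M:%S')}] {p}: {st}, restored={p in restored}")
        time.sleep(interval)


def demo() -> dict:
    """Constructed scenario: patched binary and authorized_keys silently overwritten."""
    root = Path(tempfile.mkdtemp(prefix="ctf-integrity-"))
    sandy = root / "bin" / "sandy"                       # stand-in for the patched binary
    keys = root / "root" / ".ssh" / "authorized_keys"
    sandy.parent.mkdir(parents=True)
    keys.parent.mkdir(parents=True)
    sandy.write_bytes(b"\x7fELF patched-sandy")          # not a real ELF, just bytes to hash
    os.chmod(sandy, 0o755)
    keys.write_text("ssh-rsa AAAA... team@example\n")   # constructed key line

    vault = root / ".vault"
    baseline = take_baseline([sandy, keys], vault)
    first_changed, _ = monitor_once(baseline, vault)      # quiet pass, nothing touched yet

    # Simulate the organisers' job dropping the stock binary back and a rival
    # who got root appending their own key.
    sandy.write_bytes(b"\x7fELF stock-vulnerable-sandy")
    keys.write_text(keys.read_text() + "ssh-rsa BBBB... rival@example\n")

    second_changed, restored = monitor_once(baseline, vault)
    result = {
        "first_changed": sorted(str(p.relative_to(root)) for p in first_changed),
        "second_changed": sorted(str(p.relative_to(root)) for p in second_changed),
        "restored": sorted(str(p.relative_to(root)) for p in restored),
        "all_ok_after": all(st == "ok" for st in check(baseline).values()),
        "mode_kept": (sandy.stat().st_mode & 0o777) == 0o755,
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

In the game you would run monitor_loop against the real service paths with a vault of your patched binaries kept somewhere a root compromise of the jail cannot reach (or hashed as well), otherwise whoever kickbans you can poison the restore source. Reverting blindly is also a choice: a change you did not make may be a legitimate organiser update, so at minimum log the overwrite and keep the new copy aside to diff against yours.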

  3. good post. greets to you guys on your efforts.

  4. Great post guys! This type of post-CTF summary has been missing ever since Kenshoto left... Maybe a group effort between ddtek and others for the big 20-year anniversary?

  5. GTF defcon logo looks just awesome!
