A TAMUctf event.
Official URL: https://tamuctf.com/
This event's weight is subject of public voting!
Thursday March 19th 7:30 PM CST to Sunday March 29th 7:30 PM CST.
Texas A&M University CTF event.
This CTF is geared more towards university and high school students.
With two challenges submitted by TwoSix labs!
TBA - TAMU Students Only
tamuctf website's not opening up
Website down?
Check out the naughty list
Unfortunately, there were a lot of issues with this CTF:
* The challenges leaked before the CTF (lol). See https://tamuctf.com/naughty-list. AFAIK the challenges *were not* replaced, so some teams had an unfair advantage.
* TOC_TO_WHO challenge: Hardcore pwn, which turned out to be just the wrong binary accidentally uploaded by orgas (the description linked to a totally different version of the challenge than the hosted one). This fail decided about at least top1-2 in the CTF. The challenge was fixed after "only" a few days of asking orgas (by multiple teams) whether they are sure they hosted the correct binary...
* People on Discord say that there was also another challenge with the wrong binary uploaded (but I haven't looked at this task myself).
* Crypto category was mostly guessing (e.g. challenges containing just one number and no description).
* 652ahs (crypto): "simulated" timing attack, which was total nonsense. No hint that this is a timing attack + a TCP server which just asks questions and you need to answer correctly. There was really no reason to expect a timing attack to work there, this server just checked yes/no answers. Why would it process correct ones 0.5s slower? I guess the orgas just put `time.sleep(0.5)` in the code artificially to have a "side channel" challenge.
* "geography" task: The flag was the answer to a question "what do you see there" + GPS coords and there was no specification how to format the answer (casing, spaces, dashes, etc.). Guessing/bruteforcing this was annoying.
* The challenges I solved were pretty standard and not too original/interesting. That's probably ok for an entry-level CTF, but definitely not worth 41.50 CTFtime weight (as it has this year).
I agree 100% with Redford and theKidOfArcrania.
Good points:
The network/pentest category was uncommon and enjoyable. Only one person could
connect to the VPN at a time though. We solved this with a bit of socat magic.
The organisers were quite reactive: we killed our VM twice, and they rebooted
it in the blink of an eye.
Bad points:
Some challenges leaked before the start of the CTF.
TOC_TO_WHO was released with a wrong binary. They fixed it after a few days.
A handful of teams quickly solved it. They changed their mind and removed it.
I'm extra sore because we lost 2 places. Huge respects to spotless for
Talking about that, giving away a different binary is not fun. Calling the
challenge "TROLL" does not make it okay. If you give a binary, it has to be the
2 cryptos were just big numbers. No description, no indication. Just a title and
a big number.
Some challenges were quite guessy. Nothing insurmountable.
In conclusion this is a high-school/university students level CTF. And it's
okay. Every CTF does not have to be super hardcore, I would feel insecure.
As for the score, I think this CTF deserves a solid 25-30. Rating this CTF 41.5
or 62.25 is crazy.
CTFtime voters being what they are, I'm voting 1. I will upgrade my vote later
I agree with Redford, theKidOfArcrania and XeR on all of the points they made. From my side, I might add that we enjoyed pentest challenges and that admins were responsive and helpful which is really nice. Despite the helpfulness of admins, we were misled that the binary was exploitable so we focused on exploiting something that had no chance to work, and because of that, we lost the 1st place that we potentially could have otherwise. I also don't believe that the resolution of the obvious mistake by admins was fair to all the teams, not even closely fair. Basically 1st team got one bonus point for guessing the solution before it was fixed to make them keep the 1st spot, which favored the guessing as a winning factor. My team was not even asked by the admins what we feel is an optimal solution, only the other team had a chance to have their voice. No offense to the winning team since they are victims of the situation as others, maybe not in the resulting score though ;) Their victory is legitimate and there is no doubt about it.
I would rate the pentest challenges at 30-40, maybe more, but other challenges are rather 15. I understand that the CTF is not designed for the top teams but rather for beginners and high school teams in particular, but the question I ask myself is: What is the value in the guessy challenges, what did people learn from these kinds of challenges that didn't even have a description? I expect from CTFs like this to not be the hardest CTFs out there but to at least have a decent learning factor which previous editions definitely seemed to have and the current didn't.
Why does this CTF have any points at all?
First, on 17 March the description was:
`This event participation is restricted to academic teams only! No global rating points.`
so my team rejected playing this contest. Surprisingly shortly before CTF start (or shortly after, I'm not sure), it changed.
Second, this contest lasted longer than 5 days and according to rules here https://ctftime.org/for-organizers/
it should have 0 points.
Third, this CTF was somehow hidden, you could not find it on the main ctftime page when it was active - I guess due to a bug with the format change.
Great event for teams that are starting in the CTF world. Some challenges were great, but some others were terribly badly done. A lot of guesswork; the Geography chall, for example, was a boring and meaningless challenge. The event is ten days long, and I think it's an exaggeration for the level of challenges, where 3 days would be more than enough, even for beginner teams. The feeling we have is that they made more than 40 challenges to meet the 10 days, but several of these challenges were developed without much care in a hurry.