Fri, 11 Dec. 2020, 15:00 UTC — Sun, 13 Dec. 2020, 15:00 UTC
An ASIS CTF Finals event.
Official URL: https://asisctf.com/
This event's future weight is subject of public voting!
349 teams total
| Place | Team | CTF points | Rating points |
|---|---|---|---|
| 2 | More Smoked Leet Chicken | 3641.000 | 116.109 |
| 3 | The Flat Network Society | 3493.000 | 98.832 |
| 12 | Epic Leet Team | 1468.000 | 36.666 |
| 34 | (l00p3r1n0;cat) > fs0c13ty | 653.000 | 15.653 |
| 50 | Yellow Lotus Attackers | 370.000 | 9.155 |
| 62 | Plaid Parliament of Pwning | 255.000 | 6.511 |
| 106 | Porg Pwn Platoon | 91.000 | 2.639 |
| 148 | The Few Chosen | 20.000 | 0.982 |
| 197 | RPCA Cyber Club | 20.000 | 0.838 |
| 198 | JONPIZZA IS COOL | 20.000 | 0.835 |
| 252 | The Pighty Mangolins | 20.000 | 0.743 |
| 275 | Very Nice Sir | 20.000 | 0.714 |
guys where to join for discussion and updates?
I'd rate it 30, but I'm giving -10 bonus for not listening at all to the last year's feedback (e.g. the annoying PoW). Some challenges were nice, but most of them were incredibly guessy, annoying or broken.
* Coffeehouse: It's clear that no one tested this challenge before release. They first shipped the flag instead of the challenge data, then fixed it, but it turned out that the challenge encrypted and printed only half of the flag (sic!) and only the third version was solvable.
* Crusoe: Pure guessing in "RE" category, the first version wasn't even solvable.
* baby reverse: Weird binary with a lot of fake cues, without even a clear point of what we are supposed to do with it + a server with a different binary hosted, with some guessing game. To make things more PITA, the server was behind an annoying PoW, for which I'll just copy my last year's feedback comment: "What's the goal in randomizing between 6 different hashing functions? Making players angry? Also, despite its PITA-ness it didn't work as intended - it was possible to cache results (hash input wasn't required to have a given prefix) and solve it almost instantly."
* גל התקפה: Totally guessy image stego.
* Hardest challenges were released in the second half of the CTF, the easiest at the beginning, so, the first half was boring and the latter was too packed with challs.
And some nice exceptions:
* Abbott: reversing a simple custom compression, easy but nice challenge (doing it blackbox way was fun :) )
* Some pwns were nice
I have to heavily disagree with Redford's rating. There were exactly 25 challenges on the CTF. I haven't had the opportunity to look at 'Coffeehouse', 'Crusoe' and 'התקפה', but had a look at the 'baby reverse', which seemed bad indeed. We scored the first two, but I don't know the opinion about these two.
Nevertheless, I don't remember a CTF that would not have a few bad/guessy/boring challenges, and yet they still get a good score. This CTF I looked at:
* Less secure secrets - a nice medium challenge, with an unexpected solution
* More secure secrets - a very nice continuation of the previous challenge that combined a few really neat techniques
* The Real Server - this was a little bit guessy and could be presented better, but once you got past that, it was a nice challenge too
* Mask Store - an awesome challenge with three unintended solutions, which were not bad too, but two of them could be annoying, because of leaking byte-by-byte
* Amazing notes - a truly awesome challenge that introduced a very new concept (at least to CTFs) of bypassing the CSP with service workers. Surprisingly no unintended solutions that I am aware of, which for that kind of challenge is incredibly hard to achieve.
* abbott - a reverse challenge which we solved as a misc, and probably would fit better to misc than reverse, but still, you had a choice how you wanted to approach it, so it was nice
So, not only "some pwns were nice" but every single web challenge was very good, at the level of the top CTF.
> * Hardest challenges were released in the second half of the CTF, the easiest at the beginning, so, the first half was boring and the latter was too packed with challs.
I might be hallucinating, but this started to be a new trend that CTFs seem to follow the pattern of starting with easier challenges, and Dragon Sector recent CTF was no different in that matter, at least that's what our logs say about the time it took us to solve certain challenges. And I understand why one would want to do this, so teams don't get scared off early on, perhaps. But I find this comment unfair because it's how most of the recent CTFs worked.
But for the ASIS advantage, they at least released exactly one challenge per category which entertained everyone on the team that waited for the start of the CTF, in comparison to other CTFs such as HITCON or Dragon CTF, that haven't followed the path, and I was personally bored at the start, and I know some other people too.
The CTF of course wasn't perfect and there are things that they could have improved on, e.g.:
* Admins seemed unresponsive on IRC, or always AFK when I joined
* PoWs were indeed annoying
* Some challenges were indeed bad from what I heard, but I personally haven't experienced that
I believe that rating 20 is unfair and is based on questionable arguments. 4 bad challenges out of 25, shouldn't denote such a low rating.
> Some examples:
> 4 bad challenges out of 25, shouldn't denote such a low rating.
Those were just examples, as I noted in my response. I didn't go over all existing challenges there. Almost everything we looked at was broken, so a few good webs/pwns don't make it a good CTF in my opinion. The overall quality was terrible, so was our experience playing it.
> Dragon Sector recent CTF was no different in that matter, at least that's what our logs say about the time it took us to solve certain challenges
We try to release hard challenges early, at least that's what we aim for. Looking at the logs, 4 hardest challs (<10 solves) were: BitmapManager, no-eeeeeeeeeeeemoji, Home Office 2, AppArmor2. BitmapManager and no-eeeeeeeeeeeemoji were available from the beginning of the CTF, and Home Office 2 and AppArmor2 after 18 hours (out of 48h duration), so I don't think it's as bad as you described it (but we intended to release Home Office 2 earlier, problems with deployment delayed it).
@terjanq I don't think the service workers bypass using CSP is a new approach to CTF at all. You might want to check out https://ctftime.org/writeup/15351, one of the Balsn CTF 2019 challenges, and also in many Chinese CTFs.
I'm disappointed with almost every challenge I looked at, including the entire crypto category.
- Coffeehouse: write a straightforward decryption function corresponding to a block cipher, then brute force the key.
- Chloe: likewise, except you also need to know how XOR works, and writing the decryption routine is more laborious.
- Crusoe: re challenge that can be blackboxed as a substitution cipher. Most of the work was in handling the 2D ASCII-art output format. The base64 result was the flag, apparently, but the author somehow didn't realize that the first step is .tolower().
- Vote: stripped C++ pwn with heavy STL usage. Most of the work is in actually reversing the thing.
- Trio Couleurs: the crux of the challenge was implementing a DES cryptanalysis paper. That's quite time-consuming, so I would've preferred if the challenge was released earlier. As should be expected by now, a separate component of the challenge required lots of bruteforce. Considering the rest of the challenge, this did not add any difficulty whatsoever. As I've later learned, the attack in question has also appeared on 0CTF, giving an advantage to teams who happened to have a script lying around for that.
- Congruence: at first, this challenge was enticing with its mathematical purity. I was hoping for learning of an interesting solution once the CTF was over. However, the author did not share their solving script. Considering the lack of testing seen in earlier challenges, I am not sure the challenge is at all solvable anymore. As usual, an element of brute force was involved, but I'm not sure how justified it was in the context of the solution.
- Galiver: a highly nontrivial challenge, released just 6 hours before the end of the competition. The point of releasing challenges so late is beyond me.
One challenge doesn't fit this theme - Abbott was a pleasant compression reverse engineering challenge. Doable as black-box, but the binary was still there when you got stuck.