A Pwn2Win CTF event.
Official URL: https://www.pwn2win.party/?lang=en
This event's weight is subject of public voting!
Brazilian Thematic CTF, organized by ELT members. Jeopardy, involving subjects like physics, eletronics and math, in addition to the traditional categories.
1º Place - 1100.00 BRL converted to BTC (*) + Max. 10 t-shirts + Certificates
2º Place - 700.00 BRL converted to BTC (*) + Max. 10 t-shirts + Certificates
3º Place - 400.00 BRL converted to BTC (*) + Max. 10 t-shirts + Certificates
Special Prize: 200.00 BRL converted to BTC for the first one to conclude the Attack Step.
(*) Converted to BTC by MercadoBitcoin rates at the working day just before the CTF opens.
The personalized certificates are just like "medals" from the event.
521 teams total
|Place||Team||CTF points||Rating points|
|10||Capture the Swag||780.000||9.367|
|18||Bits For Everyone||545.000||6.253|
|19||Just Hit the Core||535.000||6.100|
|22||Pão de Batãta||495.000||5.578|
|33||La Compagnie Créole||370.000||4.094|
|47||Snatch The Root||300.000||3.253|
|53||smoke leet everyday||260.000||2.828|
|85||Kung Pao Chicken||160.000||1.743|
|100||BigBang Hack Team||130.000||1.425|
|105||Plaid Parliament of Pwning||130.000||1.416|
|109||I'm not Freddie Mercury||130.000||1.409|
|117||Errei o botãp||105.000||1.161|
|127||Jimmy Jam and the Hoagies||85.000||0.959|
|130||The DHARMA Initiative||85.000||0.955|
|137||Shikata ga nai||80.000||0.901|
|143||Northport C0d3 Br34k3rs||65.000||0.753|
|145||11-Digit Prime Number||65.000||0.751|
|190||Up the Second||40.000||0.483|
|199||At Least We're Pretty||40.000||0.478|
|209||it's only smells||30.000||0.379|
|213||Hello Team Name||30.000||0.378|
|222||Valley of the Lone Wolves||30.000||0.374|
|231||L337 Script Kiddies||20.000||0.276|
|237||Hybrids of Steel||20.000||0.274|
|247||Azure Assassin Alliance||20.000||0.270|
|294||Own the World||10.000||0.163|
|303||we are the 1%||10.000||0.161|
|395||Kole and Associates||0.000||0.000|
|409||3squ4dr40 cl4ss3 β||0.000||0.000|
|419||Internet Cafe Legends||0.000||0.000|
|427||Pereira Security Team||0.000||0.000|
|438||Baile de Favela||0.000||0.000|
|448||Delusions of Grandeur||0.000||0.000|
|472||French Toast Mafia||0.000||0.000|
|494||Bring On The Fyre||0.000||0.000|
The countdown on your site does not handle different TZ very well :)
I though that this whole CTF thing is to have fun and learn something but apparently some people (like @solarwind from dcua) take this a bit too seriously, and try to help their team by abusing the new score voting system. They won Volga so Volga score to max, they didn't do so well on Pwn2Win? Score to min. Great logic guys, very mature of you! It seems some people need to grow up a bit to be given that kind of "power".
I guess the idea of voting was there to help fixing appropriate score for the CTF using post-ctf feedback, but some teams apparently need to abuse this to help their team get better position in ctftime ranking. My advice: "try harder" during the CTF, and you won't need to cheat by downvoting CTFs you didn't win.
Pharisaeus, if you think anyone should vote in the way you want it -- you are wrong. Current voting system is made for everyone have a voice, and all voices are equal. Why I voted that way I clearly stated in comment.
You can vote in a way you want. If you don't agree with me -- vote different score.
To everyone who think that can shut up others or force them to obey by insulting or assaulting them -- that is not working here. We have rights for free speech and equality, and will use them anytime we want.
Dear Pwn2Win organizers and other newly registered users on the voting page: your votes worth nothing, because only last year's TOP50 teams' vote count.
Your CTF was not good at all. I am saying this after we finished #5 on your CTF and we were #5 on CTFtime last year. I also personally played on ~70-80 CTFs (and on multiple prestigious finals) so I think I can say I / we have some CTF experience.
What you are doing here is a disgrace to the CTF scene. I mean: smearing dcua's name? Really? Please go and do a reality check. You are talking about the current leader team on CTFtime... Also you are upvoting your own CTF on the voting. That looks legit to you?
Your challenges were boring, no innovation whatsoever and almost every challenge were stego-like "Find out what we thought". The crypto challenge did not even responded if I send in a newline character (and you said it was intentional). A lot of challenge had nothing to do with real security.
Next time please make less challenges (nobody wants to solve ~80 of them) but make them better. Play on other CTFs and learn how a good challenge look like. Quality before quantity please.
@KT read the rules -> "Team members of last years top 50 and teams scored > 0 points can vote". This means any votes from the participating teams count, not only from the "top teams". I don't think teams who can't vote can even enter the "poll", so any votes there count. I guess the organisers exaggerated there and went out of place attacking dcua, but at the same time they must have invested a lot of effort into this (with good results!) so it's understandable to get angry when someone votes you to 1 (because they didn't win, since they focused on a different CTFs at the same time...)
@solarwind I understand that everyone has a vote, and I'm ok with that. I just naively thought that we're all adults here and will use the votes to set proper score for mis-graded competitions. And you voted this CTF at 5 and then 1 point, which means lower than HackIM or BreakIn which were 5, while it was on entirely different level. So now I'm not sure if we played a different CTF, or maybe you simply want to lower the points awarded to the teams that were higher than you... Anyway, it's your vote, you can do whatever you want with it.
As for the accusation that the CTF had some non-security oriented tasks -> it was clearly written from the beginning. There were 2 more CTFs going on at the same time so anyone could have picked another one (I doubt you can fully man 3 CTFs at the same time) if the theme of this one was not to your taste.
Pharisaeus, about Breakin and Hackim -- if you review my comments in that topics, I was voting for 0 in first and 5 in second. Breakin this year had tasks of very low quality, anyone interested can check orgs writeups for all tasks on github. Hackim had pwnables and web of higher level than Pwn2Win, has a good progress in fixing cheating (~25 teams from TOP-30 banned), and orgs there not allowed themselfs to insult players.
I understand your desire to manipulate rating weight in more favorable way for you, that is exactly why voting system was created. Voting system is preventing any single biased team to occupy it. Other teams have the same rights as you have.
I lead dcua right from the creation in 2012 year, played in ~300 competitions, and some people here were playing long before that -- have 10+ years experience of international CTFs. It is possible we may have an idea what good CTFs are too.
@solarwind judging by the votes (excluding of course votes from organisers themselves) it seems as if you're the only one trying to "manipulate rating weight in more favourable way for you" ;)
I might not have played as much as you did, but I can also spot a good and a bad CTF. While this one was neither perfect nor the level of Insomnia or 0CTF, it was still not a 1-point CTF.
And since you voted 10p for Securinets one can only wonder if you really think it was that much better, or maybe it's just that there were no top teams above you... :)
@solarwind Just to remind you, you or someone on your team gave a very positive feedback from the event on the form. But in voting time, do it? Really unfortunate, only gives us reason to suspect of their intentions.
@Pharisaues Thank you for the support! <3 Poland (true hackers!!!)
@solarwind HackIM had web of higher level than Pwn2Win? hahahahahah
Bathing and Grooming: https://github.com/epicleet/write-ups-2016/tree/pwn2win-ctf-2016/pwn2win-ctf-2016/web/bathing-and-grooming-400
Free Web Access: https://github.com/p4-team/ctf/tree/master/2016-03-26-pwn2win/free_web_access
Facebug, Command and Control Server, etc etc
Pwn2Win have an Attack Step involving Kernel Exploit Development.
Try Harder guy, don't cry!
2 Pharisaeus -- I will vote in a way I feel apropriate. This thing is called democracy. I have the same rights to vote as anyone else, and will use it in a way I think is right. If you dont agree with me -- you can try to influence me or others by arguments, but please do not try to limit my right to vote.
2 Álisson Bertochi -- we don't usually do feedback in any forms, if it doesn't give additional points for ctf. I can ensure you it was not me filling any of your forms. I'm representing official team position -- your CTF is worth what it was openly voted here.
About quality of your tasks -- see above message from KT, and try also looking on tasks from HackIm. I was aware of writeups you mentioned. Forcing ppl to code MD5 in SQL is stupid, this tests coding skills, not infosec. Kernel exploit development is not that innovative as you may think -- CSAW finals are doing it regularly, on recent chinese CTFs were tasks about it, I also know CTF (eCSI 2015) where windows kernel exploitation was used.
Really, people -- stop trying to challenge basic priniciples of democracy, deny the right to vote for someone you don't like or who have different opinion. Democracy is a bad system for sure, but others are worse.
The bad example of democracy is mentioned Securinets CTF scoring. The situation with cheating there is the same as was on HackIm 2016, but orgs are actively supporting locals and almost no foreign teams participated there to do objective voting. Any vote will be overvoted by that local teams, and I don't see any way how it can be fixed there without limiting the vote rights I'm standing for. My vote and comment there are sarcasm, ofcourse Securinets don't deserve 10 points if any at all.
@solarwind - "Forcing ppl to code MD5 in SQL is stupid, this tests coding skills, not infosec". A team solved the task by a different way, you could have done too, "thinking outside the box" (hackers do that!!). It was a challenge that involves cryptography.
Our Kernel Exploitation was ARM-based.
My request is: do not try to belittle the work of others teams.
The day you do a better event, we turn to talk.
To conclude, as you said, your voting criterion is based on sarcasm, and not real quality.
I saw SQL MD5 implementation 'Bathing and Grooming' in your intended solution -- so you seems was thinking that coding MD5 in SQL is good challenge. How others solved it is different question, it is not related to quality of your tasks -- that who found innovative way for otherwise stupid task is good and deserves respect, not your work.
ARM based kernel exploitation -- pwnable.kr towelroot challenge exists for like a year.
I'm not trying to belittle your work, I'm showing you that there are alot of other good work exists, better ctfs and good teams are available. I looked into profiles and past CTF results of all teams involved into Pwn2Win organization ("CTF-BR"), and think that your and your team opinion about own coolness may be exaggerated. But you can continue to think that you are "true hackers" and others are "jokers" if you wish.
We are not bloodsuckers, while you are trying to win ALL CTFs from the Earth (but never created one), we are creating challenges that you can not solve (and we have no time to play). Sorry, "Top 1". =D
Hi there ;)
Well, the discussion seems to be getting pretty personal. Is there any reason to continue it btw?
IMO it's worth looking at the public voting as an experiment. My guess is that kyprizel, at some point, will do some math and check what kind of correlation is between how teams vote and how good did they do on a CTF, and decide whether to keep this system, or go back to the old way, or try something else. Afair when this whole idea was discussed back in 2014, the gaming-the-system* problem was already considered. Also, it's only natural for humans to feel more positive about CTFs they did well in, and more pessimistic about the ones they didn't do well in - this isn't deliberate gaming-a-system, but it's there.
* <wink> also, hackers gaming a system?! how could that be! http://giphy.com/gifs/PFwKHjOcIoVUc </wink>
Maybe a solution lies elsewhere? Maybe instead of voting on score each team could fill a survey saying whether they encountered problems with tasks, whether the CTF website was working and admins were responsive. Maybe prizes should be taken into consideration as well, and whether it's a "major CTF" (i.e. DEF CON CTF qualifier). Maybe based on such surveys it kyprizel could decide on the score?
Or maybe there is another, better solution :)
Anyway, all I'm saying that it's probably worth more to discuss the system, than each others votes ;)
2 Álisson Bertochi -- creating challenges that no one can solve is easy,
$ openssl rand -base64 33 | tee flag.txt | sha256sum
If you have no time to play, or otherwise suck on ctfs -- show respect to those who suck less. You tried to create CTF -- thats great, and we showed you respect by spending our time playing it. It was strange to see that org team members are insulting us on voting page.
Thank you Gynvael (<3 Poland), I will end the discussion here.
@Mykola I think Alisson already made clear why he got angry about your vote (good feedback -- of course, not yours -- in the form received from dcua versus your vote), so you can have a idea on what he had in mind when he offended you. But of course there was no reason for us to take your opinion personally, and I sincerely apologize for this. I'm also not implying that was your fault nor trying to make excuses: of course it was *our fault*. I'm just humbly asking for empathy. I always admired dcua because you had the effort to participate in Pwn2Win 2 years ago, when it was Portuguese-only. You took the effort to use Google Translate and play the CTF even when it was at its very early stages and didn't figure in ctftime. I hope that you may be able to forgive this episode and take part in future editions of the event.
Now taking a stand in defense of our CTF, *of course* we are not saying it was the best CTF in the world. Please, we are not even close to that. There are lots of things we can improve in the CTF, and we are very grateful for every single feedback we had. Even though we are new in the scene, we put our best effort on the CTF and tried to innovate at least a little. Our Kernel Exploitation task may not be a big deal, but we tried to make it fun by making it resemble a device driver in an embedded ARM architecture. With Timekeeper's Lock we tried to bring one of the first FPGA-based reverse engineering tasks in a complex but solvable problem (Dragon Sector almost solved it, but had some bad luck with members getting ill during the CTF). Bathing and Grooming was more about coding than infosec, but for hacking sometimes you need to code fast some very complex payload.
The CTF had its infrastructure deficiencies, challenges which required guessing, lack of more binary exploitation problems, and many other issues, but we tried to minimize this by being responsive in the IRC channel and by publishing hints. Wouldn't it be worse if we published no hints? I'm not asking anyone to change their vote, but I believe that for a CTF which is going international for the first time, we did pretty well.
Finally, I would like to thank all teams who played our CTF and for all comments criticizing us and giving feedback. I hope to see you again in the next edition.
I would also like to say that we had no intention to manipulate our own score by voting in our own CTF. We only did so because it is said that only votes from top50 teams and from participants with score>0 are computed. Our team is not listed as participant, and is not top50. "Tecland Core" is listed as a player, but we are not registered as members of this team in ctftime, and also it had negative score (we used it for testing purposes during the CTF). Therefore we used the voting comments only as "right of reply" to comments criticizing the competition.
Hey , just a tiny addendum here :
About the complaint of too many PPC and Phys challenges . In Brazil CTF culture isn't disseminated , but the Programming marathons are the main College event of the courses of Computer Science and Engineering . So we wanted to bring more people that were not familiar nor known about the existence of CTFs , thus fomenting the CTF scene in Brazil . With that in mind , we've added PPC and Phys challenges in order to make the people coming from Programing events not feel so lost .
Sorry about all the mess and
thanks for all the feed back , we hope we can improve in the future (:
We are glad to announce Dragon Sector was the first team to solve the Attack Step (which stayed available post-CTF)