A SSCTF event.
Official URL: http://lab.seclover.com/
This event's weight is subject of public voting!
SSCTF 2016 in Xi’an China and the second XCTF League , is organized by the Cloversec Lab of Xi'an Clover Information Technology Co.,Ltd. Our event format includes online contest and onsite contest. The online contest is in jeopardy format. The onsite contest will take the attack-defence format.
In October of 2014, Cloversec Company held its own information security contest, SSCTF 2014. With more than 500 teams participating. One year later, the company successfully hosted the Huashan Cup Network Security Contest of 2015 with more than 800 teams and 2000 competitors participating. Based on our practical experience in dealing with various abstruse security problems and the experience we learned in holding the contests, we are confident to present competitors with a fantastic contest which can stimulate all their potentials. In 2016, we will hold the second SSCTF Contest, which serves as the XCTF League, to improve the international influence of SSCTF.
Top 14 (Top 10 local Teams and Top 4 International Teams from the Silk Road Countries/Regions, including Central Asian, Middle East, East Europe and Western Europe) of the SSCTF 2016 Quals automatically qualify for the SSCTF 2016 Finals, will be hosted in Xi'an, China(The start city of the Silk Road) on April 2nd to 3rd, 2016.
Top 3 teams of the SSCTF 2016 Quals will win prize.
1st: 2000 CNY
2nd: 1000 CNY
3rd: 500 CNY
We will randomly choose 15 teams among the rest ones and award a RMB100 bonus for them respectively
517 teams total
|Place||Team||CTF points||Rating points|
|10||Never Stop Exploiting||3210.000||6.620|
|11||Plaid Parliament of Pwning||3110.000||6.363|
|30||oo at xx||1910.000||3.717|
|91||Snatch The Root||510.000||1.010|
|95||Capture the Swag||510.000||1.006|
|104||smoke leet everyday||410.000||0.819|
|133||Team Action Kaktus||400.000||0.783|
|135||Future Of Europe||400.000||0.782|
|153||No Internet Access||310.000||0.613|
|154||Give Me Fiv3||310.000||0.612|
|192||PENSIUN | DFCI | SUKSMA||210.000||0.422|
|252||The Bebop17 Squad||110.000||0.231|
|365||we are laji||10.000||0.041|
|405||To be number 0||10.000||0.039|
|494||Azure Assassin Alliance||10.000||0.035|
|510||Tower of Hanoi||10.000||0.035|
Next time PLEASE, don't use Chinese language in online CTF.
Is there an option to choose English? I don't understand Chinese language.
@B V @Minh Kute Our website is bilingual (English and Chinese)
We are new to SSCTF. Do we have to register our team (Create the same team) in the SSCTF site to participate this CTF.
Wow. Displaying both languages at the same time is a little ridiculous.
Non stop Code verification errors. Use a captcha like google's that people can actually read, and maybe provide a refresh option to skip the current captcha if it's not readable?
I'm SSCTF Adminitrator,Before the end of the game time, you are Has been SSCTF website can be registered, If you have any problem, please concact email@example.com,thx :)
about language problem It has been unable to change，I'm so sorry,
about captcha problem ,We changed captcha font and font size，now recognizable should be no problem
If you have any problem, please concact firstname.lastname@example.org,thx :)
If you will open a CTF to everybody then please do so with support for English (proper full support not mixing both). Also I don't think non-Chinese speaking people can use Tentent QQ for support or putting challenges on a Chinese website such as weibo is good. Not fun at all..
Files not downloadable from here (Germany), getting network errors. Please decrease rating for this contest, it's not really internationally accessible.
Do I am only person which has problem with registering? I'm finishing with: Register Faile, Invite Code Or Email Error!
Same error, again and again... "Register Faile，The Team Name Is Already In Use Or Input Email Is Error！"
Maybe next time when you guys decide to create a CTF
1.) Translate the english better can't understand half of it
2.) Registration shouldn't take 10+ minutes I can't even register because it is saying team already created ?? How .....
3.) the layout is a bit confusing.
i dont understand chinese, please use english
CTF for the Chinese team :)))
@Steve Urk3L You can try again,if the user's infomation or teamname are same the other team,Please use the different,Good Luck!
I'm not an admin but if you want to chat about this ctf please join #ssctf on freenode, thanks!
Can't get the Welcome flag unless you're a Weibo member? Oh dear.
And I can't register to weibo because my country is not in the list for the SMS check XD
Dat ... CTF ... !
Dont waste your time everybody, boycott that CTF.
I can't even download challenges. First it shows me two hours to download 0.5MB and 5 min later in interrupts. Is it only for Chinese teams? It's quite poorly organized and unfriendly for non-Chinese.
Quite disappointed with this CTF.
invitation code stopped work.
I cannot register. I am getting error messages. This CTF is not internationally friendly.
worst CTF ever.
Really worst :3
ugly ctf :S :S :S :S
Fuck a lot your language
I decided to go ahead and spend an hour of contest time expressing my opinion of this CTF
*Not the worst CTF ever. I question the motive behind comments to the contrary. I seem to remember a recent Iranian CTF that entirely lacked English or a functioning login.
*There were some good challenges. I liked the XSS and the python challenges. I actually used existing tools I had written for real life engagements on them.
*The site's user interface was the most beautiful and informative of 2016. I like the graphs and how you individually separated team member points. The layout would be obvious if the translation was much better. Pagification might be better at 25 or 50(instead of 10 teams per page). Other than that, great job.
*The challenges were alright. I felt that some were even very practical.
*You had unified flag formats. You seemed to keep cheating to a minimum(judging by the team results).
*The language was confusing, but not impossible. I only speak English and I could barely understand the site.
*some challenges didn't seem to handle the inevitable brute forcing skiddy. I would suggest black listing IPs that hammer your server.
*Your translation was... much worse than I would expect from the average skilled citizen of your nation; it is as bad as some of the clumsiest people on this comments section.
*Registration was horrible. I had trouble with registration and password recovery. I still can't change my country, but I suppose that's not a big problem. It's correct on CTFtime
*A CDN might have helped other members to participate. They should know how to use VPNs, but they shouldn't have to use them if everyone else doesn't. I doubled my normal ranking and I didn't do it through hard work and determination.
Your challenge, over all, was not a waste of time. I had fun and it was challenging. Hacking isn't meant to be easy. It was moderated fairly and communications were maintained through the notices. It's obvious that a good deal of work was put into the interface and the challenges(for the most part) were okay. It seems like you may benefit from having someone internationalize it for you. I feel like I did better in this CTF mostly because other's(Germany for one) weren't given a fair chance. I was only able to spend 5 hours on this CTF and I managed top 10%. I normally place top 20% by myself with 15 hours of work or 10% with 35+hours of work. You could also get rid of some of the challenges(Weibo). I agree with half of the comments, but people on here can be unfairly harsh. This would be 4 stars if it was entirely internationally friendly and it didn't have the Weibo challenge. There is serious room for improvement, but I feel that it would be comparatively easy to fix. Overall, it was okay. :)
the layout is unreasonable...
My detailed feedback is as follows. First, I can say I only looked at Misc10, Crypto100, Crypto200, Web100. After that, I gave up on the event. So I might have missed some good other content. My overall impression was that this CTF required a lot of guessing in general.
- The website was barely usable. I had problems reaching it at times (not unusual for CTFs I guess). The dual language setting was confusing, and the English translation was not well done. Of course you can guess what the core functionality is, but that should not be required. I don't see multiple user accounts per team as necessary. I was not able to change my account's country to something else than China, and I was not able to change the profile pic. There was no usable error message.
- The graphs of team points looked fancy, but splines are really not appropriate for this (academic nitpocking). In addition, only the top teams were listed (or I missed how to display more teams)
- Misc10 was apparently only solveable by Chinese, so the organizers gave the flag to everyone in the end. It was only 10 points, so that hardly mattered much.
- I started with Crypto 100, which looked like a solid basic crypto challenge. Python code for a byte-wise symmetric substitution/rotation algorithm was provided, together with something that might have been the plaintext, and something that might be the ciphertext (called "out"), and something that seemed to be ciphertext of the flag. In the end, this challenge was decent, the only problem was that it was unclear that a) key would have to be printable characters, and b) the plaintext provided was truncated.
- In Crypto 200, it was easy to get to almost solving the challenge (which was unrelated to cryptography and involved scripting and unzip'ing a lot of files). I did not manage to solve the challenge, because I did not find unprintable characters in the comments of one of the 5k .zip files! I would count this as stego challenge at best, and more likely as guessing.
- Web100 apparently required to trick some regex-based blacklisting of file extensions in a POST-handling server-side script. The actual content of upload did not matter. In the end, this looked a lot like guessing to me as well (trick was to use double spaces in file extension?)
The technical difficulty of the challenges seemed to be higher than, for example, HackIM --- which is good. There were severe problems with English in the challenges and on the website, which left you wondering whether you were possibly missing easy things all the time. But on top of that, there was so much guessing required in the challenges that even if you knew what you were doing technically, you (at least I) could not finish it quickly. Together with infrastructure-related problems for an international audience, my overall conclusion is probably to not participate again in 2017.
I actually thought the CTF was pretty good apart from a couple of hiccups. Here's my breakdown:
1. I live in Singapore so I might have had a slight advantage in terms of connectivity.
2. I cannot read Chinese. I actually relied a lot on Google Translate so despite being from a country that does include Chinese as one of the official languages, I do not have an advantage on that front.
My team has solved:
1. Web 200 (Can You Hit Me?)
2. Re 100
3. Crypto/Pwn 100 (HeHeDa)
4. Crypto/Pwn 200 (Chain Rule)
5. Crypto/Pwn 300 (Nonogram)
6. Crypto/Pwn 400 (Pwn1)
7. Misc 10 (Welcome) <-- A member of my team signed up for Weibo (they send to Singapore mobile numbers) and actually got it before they released the flag
8. Misc 300 (Hungry Game)
1. Most of the challenges were very technically difficult
2. The challenges were also very intellectually interesting. I learnt a lot about QR codes and Nonograms from 'Crypto 300'. Pwn1 has a very interesting premise.
3. The organisers did respond to issues very quickly. For example, it became pretty apparent early on that International players (including me) had problems with joining in the QQ chat group. The IRC channel on Freenode that was setup was very well moderated with pretty quick response times and good admin rotations.
4. Flag formats were strictly adhered to.
5. The 'guessing' comments might be not entirely deserved. Yes, there are challenges like Web 1 that requires a lot of assumptions about the underlying technology, but in contrast to a previous poster, Crypto 200 wasn't guessing at all. The challenge included very transparent clues as you progress. You weren't supposed to look for a comment within a single file in a zip, but comments for all the files within the zip. Now, I do agree that this was categorised badly though. The choice of placing it in Crypto/Pwn might have been why people were not expecting it to be a stego challenge.
1. The infrastructure did get very slow once the competition progressed. The wav file from Puzzle was a pain to download.
2. The translated English wasn't exactly very understandable. Still a lot better than HackIM's English though.
3. Some challenges in the Crypto/Pwn category might have been misclassfied. Nonogram and Chain Rule might have been better classified as MISC.
4. The web challenges would probably be better if there was an info leak vector to obtain the source code or simply provide it as part of the challenge to reduce having to make assumptions about exactly what the vulnerability is. Web 1 is a good example of something that should be simple but didn't get many solutions because it is not easy to reason about it.
5. I did not experience problems with Registration or the site but it seems like there are too many people who experienced it to ignore this point. Perhaps it has load issues?.
The CTF is far from perfect but I feel that it is still a valuable to play. I'm definitely looking forward to the solutions for everything because the challenges are interesting. I do hope the organisers make their next CTF more international friendly and provision for heavier loads. My rating for the CTF in the current state is 3.5 but I also concur that it's easily a 4-4.5 if it was a little smoother to play and reduced the need for assumptions.
Far from the worst (HackIM set the bar really high) but also not particularly good. One problem was unintelligible language and poor task description which required stegano-like stills to figure out what the authors had in mind. Confusing categories for the tasks made it even more difficult. Some tasks required psychic abilities...
For example decoding single Nonogram task gives you "b2403b96?8924408|->:id|salt:5" and you have to figure out that "id" is the command you need to send to the server to get next task and that this hash is in fact a substring of md5 hash of a single letter of the flag concatenated with the salt value. And as much as the task itself was fine (solving nonogram, decoding qrcode, bruting md5 hash) the biggest challenge was to guess what were you even supposed to do and how to communicate with the server. I know admins were trying to salvage this by posting multiple hints, but it only proves that no-one has actually tested the task before the CTF.
There were also other tasks which required a lot of guessing (like Web) before you could proceed with some actual technical work. I understand that finding the attack vector is often part of the task, but it's nice if you can somehow figure it out / predict based on some info-leak rather than just have a lucky guess. I'm not mentioning some RE tasks pretty much unsolvable for people without (surely legal) latest IDA, because this is a very common thing.
Overall, rating weight should be set to 0 or 5, I think.
Let's not exaggerate with 0, even BreakIn got 5 points ;)
Rating 5 is maximum imo. Web category was a joke
web200 == recon200. And sendemail with payload.
Web100? Check ip, and if chineese send flag?
Web400 no comment, and this challange name FlagMAN. MAN - like Man in the middle, which exist for OAuth.
Web300 partially totally guessing for url_encode needed, might weel was rot-25
Only Web500 was normally
What was Web100 ?
Web100 was http://www.wooyun.org/bugs/wooyun-2015-0125982. My 2cents:
Web100, 300 and 400 were completely blind and guessing only. I believe web300 or 400 randomly url_decoded your Github username in order to create an injection point. For web100 you had to "inject" a PHP file by bypassing a filename filter, but it would store the file as .jpg. Later admins in IRC told us that it is just a "simulation" and you simply get the flag if you bypass the filter (of course without giving out a formal notice about this on the website). The bug itself was apparently described on a famous Chinese security bug website: http://www.wooyun.org/bugs/wooyun-2015-0125982 If you don't know the bug, it's pretty much guessing only and random tampering with HTTP headers.
Crypto200 had nothing to do with crypto. Crypto100 was almost good, except they truncated the plaintext for some reason, just so it would still involve at least *some* guessing I suppose. It still ended up being kind of fun.
Misc100 was stego in a PDF document, apparently you just had to Google for PDF stego and try some of the tools until you find the right one. Misc300 was kind of fun.
I didn't end up looking into RE and pwn in detail, but I think those were OK, although people in IRC tell me that there was a *lot* of guessing involved as well.
Admins in IRC gave out significant hints in public, without adding them to the website. E.g. they mentioned that web300/400 is a MongoDB injection.
"Rating weight: 20.00" the joke...
As a Chinese, I just cant stop laughing here. Their English is ..... OK lets say it could be defined as English, perhaps Ssnglish is more appropriate. i have no reason to comment a negative word for it. After all SSCTF is the first CTF game in China for the whole world(as far as i know). i really enjoy it, though it's full of "Chinese Culture". I love misc 300 which is a really interesting game and i learned a lot from it. Frankly i was in QQ group i know because of the limited number of staff they had worked for the whole 48 hours, they dooo their best. I suppose we should give them applause and support instead of that worst or worst ever. ps : I'm not sure whether you can get my points, actually i think Chinese if much easier than your English. have a good one :)
@Z33R0 it's nothing personal against China, but people expected something more for a CTF that was scored 20. Just look at tasks from Insomnia teaser (https://ctftime.org/event/258/tasks/) which was also scored 20, or for example from last year's DefCamp Quals (https://ctftime.org/event/239/tasks/) which was worth 10. It's not hard to notice that the quality here was not the same. It would be different if the initial score was 0 or 5, then people would have different expectations.
It's so terriable. Waste time.....
@Pharisaeus Exactly ! you say it
@Pharisaeus Even Break in and HackIM received 5 weighting points....this one is definitely better than any of them...Although I do admit 20 is an overkill. As for network issues...I don't know what to say about it, since it's most likely the GFW's fault and yeah I agreed the translation was really bad. Frankly, I don't know why they decided to release it to the world, since it is a part of XCTF event, I think there are some rules they have to stick with being a part of the huge event? Having played lot of Chinese CTFs...I would say this one is a normal Chinese CTF...
@Pharisaeus Whatever I do believe they will do better next time:)
The rating weight poll disappeared despite the votes given there.
Keep up the good job, ctftime admins.