A Break In event.
Official URL: https://felicity.iiit.ac.in/threads/breakin/
Event Details are on the event page.
Event Details are on the event page.
147 teams total
|Place||Team||CTF points||Rating points|
|1||Snatch The Root||1491.000||10.000|
|57||Tower of Hanoi||220.000||0.825|
|70||At Least We're Pretty||200.000||0.742|
|79||The DHARMA Initiative||120.000||0.466|
This is a 12 hour event, starting from 23 Jan. 2016, 1830 hours UTC — 24 Jan. 2016, 0630 hours UTC.
The timing here is wrong.
The contest has ended.
Bad designed tasks! and poor quality challenges.
Very poorly designed steganography-only tasks.
tasks tagged with reverse engineering have nothing to do with software reverse engineering
I liked 'knock knock' task, but most challenges could be described as Yet Another "Guess-Me" Stegano
This year organisation level was pretty similar to the 2015 one. There were some really annoying and guessing challenges (the same as year ago), but we noticed also some valuable tasks, which provide a lot of fun while solving them.
I think, that BreakIn 2016 deserves the same number of rating-points as its last year edition: 5, or maybe 10 - yeah, 10 is the max., which I'd give. Anyway, 0 points it's definitely unfair to Orgs, who put a lot of effort in preparing this CTF.
As a part of the organizing force, I would like to thank all the participants who came for Break In '16. This is the third ever Break In. We are still improving. We would do more to improve upon the question quality for Break In '17, and hope to impress you with better quality questions the next time.
Once again, thank you for coming, and we are sorry if we could not meet your expectations.
@msm, I am the author of "Knock Knock". I am glad you liked it. :)
@Ahmed Abd El-Mawgood, The questions were tagged #reverse. We had no binary reverse engineering questions in Break In '16. The distinction was very vague, I agree. Break In '17 will try to be better.
We were able to solve all the tasks during CTF, so I guess our opinion will be pretty objective. Yes, there was guessing involved, however not all tasks were designed in guess-what-to-do style. Some security-related skills (not only stegano) were required. What was perfect (and what other, smaller CTFs are missing quite often) was support - available all the time (it was 12h CTF, but still). Tasks were also up and running all the time, or (like "Bots are awesome") were rebooted pretty quickly in case of fuckup. The only weak point I see, was the scoreboard, that they managed to fully fix somewhere close to the end.
I enjoyed few challenges, like "Bots...", "Ethernet...", or mentioned by @msm "Knock, knock". Last year, there were some smaller CTFs with similar guess-fun ratio and usually they got 5 rating points, so I would do the same here.
Tasks and organization is very different from what it was previous years. Previously 'reversing' was actually about RE of ELF binaries, and guessing amount was controllable. But now all tasks were about guessing, no RE/pwn/web, just stego and recon. Something wrong happened after BreakIn 2015. They did not send prize to the winning team in 2015, and task level become worse. Rating weight 0 is more than enough for it, Saturday night wasted without any gain.
Can't relate to prizes from 2015, but: as I mentioned, we went over all the tasks and by "went over", I mean solved them. Yes, there was guessing and luck needed, but for me there was some sort of forensic, networking, IRC/misc, one web was also released during the game (the one with <style></style>). Not all CTFs cover all main categories. For example I can understand why organizers avoid pwn, or more complicated web tasks, as they're expensive (in terms of infrastructure) and more prone to fuckups. For this kind of tasks you have bigger CTFs with more seasoned organizers and >20 points. If you say 0, then you discourage new people from creating CTFs, that's why I say 5 (which afaik is the minimum here).
This CTF featured almost only the most hated categories of tasks -> Stegano, Recon and Guessing, but I think we should not judge it by the categories featured but rather by the "content".
While there were some really bad tasks (like the one with flag being some gibberish string, which we actually tried to "decode" for quite a while, since it looked nothing like a reasonable flag) there were also a couple of "normal" tasks which could appear on any CTF:
- knock knock was definitely a real net-sec type of task
- the stegano with reversed, flipped and sped-up audio was quite standard, so was the stegano with message hidden in low bits of colours
- esoteric languages with Piet and Malbolge was a doable Recon, so was the one with IRC-Bot
Oh come on, post/look writeups of these "content-full" and "real net-sec" tasks. The level of this CTF is much lower than US high-school CTFs like PicoCTF/sCTF/TJCTF/HSCTF/EasyCTF, which don't even have entries on ctftime not saying rating weight. This time BreakIn is complete bullsh*t, 0 is a right rating weight for it.
I only played for 10 minutes because my team didn't notice the corrections to the time in the comments to the CTF.
Anyway, I tried find_the_idiot and got the cracked password (dragon1) from the /etc/shadow within minutes but it was not apparent that that was a flag. I mean they dropped an entire linux filesystem structure so it would make sense if the user owned a file or something and it reused the password to encrypt some other file or something. That would definitely seem in line with a decent forensics challenge. But nope. dragon1 was the flag. Seriously?
Judging from the comments it seems like the other challenges were more or less in the same calibre.
PPP's guidelines to running a CTF should be mandatory reading for any CTF organiser (https://github.com/pwning/docs/blob/master/suggestions-for-running-a-ctf.markdown). I'd advise the organisers to make their challenge writers read it and familiarise themselves with high quality CTFs before jumping headfirst into their own.
It would be nice to see a scoreboard from the organizers and ranking changed to 5 points for taking effort to play it and organize it. Otherwise it looks that it would be discouraging for the organizers and the participating teams.
Personally I found it quite niche and perfect for puzzle lovers, but that's also why I wouldn't rank it higher than 5.
What a shitstorm it is, yay! Lemme put a few cents in.
Being listed on the ctftime.org is kind of a 'prize' for CTFs' Organizers.
They put some effort in creating a contest and sacrificed their time while running a CTF. They put some valuable (or less valuable - but still measuarable worthy) input into CTF scene. Rating-weight, which is assigned to their event allows to estimate how good/bad CTF was.
From the organization perspective - the CTF was really well prepared. I wish other events looked like that one. Admins were available on their IRC all the time. Moreover, even other ways of contact were easily accesible (e-mails' responses were extremely fast). There were no blackouts, all the challenges were up the whole time.
The second thing - challenges complexity. Yeah - I agree, there was some guessing required. But these were just a few challenges. There were also some easy challenges indeed. But guys, it's not Defcon, to have all sophisticated challenges. If it was, it would be given 90 rating points. This was less sophisticated, but still entertaining CTF, which deserves 5-10 rating points. Definitely not 0.
Mykola - please, stop acting like a child, who didn't win this time and keep yelling, that this CTF should have 0 rating-weight. Your team (dcua), solved just 2-3 challenges, how the hell can you even speak about challenges level, if you hadn't solved even 1/4 of them.
Speaking of "US high-school" CTFs, nah - they ain't listed here 'cos they are usually for individual players/got restrictions (like you must be in highschool, to take part in). That's the reason - not their difficulty/compexity of challenges' level.
Btw, you found some writeups for their challenges - nice!. 'cos it means, that people enjoyed their CTF. What would be a point of making CTF writeups for not-entertaining challenges?
The same Amon - you "only played for 10 minutes" and keep talking how bad this CTF was?
Michał and I solved all the challenges. Pharisaeus and msm solved almost all the challenges. Looks like we both have better insights in compexity level, then most shit-storming users here, who hadn't solved even 25% of all challenges.
To sum it up - if ctftime.org really wants to have some non-negligible contribution, to the CTF scene - they should definitely encourage new teams to create more and more CTFs. And by encouraging, I mean, estimate CTFs to more than 0 points. Giving 0 points to this CTF, would be just insulting - especially, that there were some really good challenges + organization level was pretty close to being perfect.
str str, I understand your desire to get max rating weight to ctf your team won, and I personally would like to give you 90.0 rating weight and CTFtime world TOP-10 place if I could.
But lets return to the facts -- this ctf is bullshit. Almost all solutions are available in writeups or were discussed in IRC channel. Some of them are available here https://ctftime.org/event/288/tasks/ . If you know any other tasks that have better level than mentioned, please share.
US high-school ctfs above allow participation of all teams, not only high-schools. There are separate scoreboards, for HS and non-HS teams. Team limits are not the reason -- see CSAW Finals and iCTF also have them (first is for USA and Canada, second for univ. only), but they have entries and rating weight here.
I think anyone -- both teams and orgs -- should earn rating weight, not to beg for it. Example of 5.0 points CTFs -- https://ctftime.org/event/176, https://ctftime.org/event/200 . This one is too far from them, and not deserve rating weight.
str str, I did look at the write ups. Hence my recommendation for the authors to read the PPP guidelines.
@Amon Narwhal, @Mykola Ilin,
I speak on behalf of the organizing team. I do in fact believe that we have sufficient, and sufficiently qualified questions to earn this contest 5.0 points. We are still a growing team, and we had no support nor relation from the team which conducted break in last year (as evidenced by the change in the team from "BreakIn" to "learners"). This was in effect our first CTF event. We are still in the process of improving and the feedback here will be used to make the contest next year better.
I would appeal to you to consider score of 5.0.
@Amon Narwhal, the writeups for the the questions were not complete at the time. Please review based on the completed writups which are provided now. A few questions, in particular "Knock Knock" and "Ethernet Patched Transmission", I believe, are fairly decent questions. We would also read the PPP guidelines before BreakIn '17.