Sat, 24 Sept. 2016, 07:00 UTC — Sun, 25 Sept. 2016, 07:00 UTC 

On-line

Defcamp CTF Qualification event.

Format: Jeopardy Jeopardy

Official URL: http://dctf.def.camp/

This event's future weight is subject of public voting!

Future weight: 14.25 

Rating weight: 14.25 

Event organizers 

D-CTF is the traditional Capture the Flag Jeopardy style competition organised during DefCamp international cyber security & hacking conference happening in Bucharest, Romania between 10th and 11th of November. The competition has two phases:
- September 24th - 25th, Online Qualification
- November 10th - 11th, The Final in Bucharest, Romania with best teams from Online Qualifications

Because challenges are inspired by real life scenarios from day-to-day challenges of industry experts and other CTF players, you have to prove the ability to develop skills and under stress. It will be fun, I promise! :-)

Prizes

Qualification Round:
- 10-15 teams will be invited to fight for supremacy in Bucharest, Romania at the D-CTF 2016 Final - free tickets for DefCamp 2016 to the finalists
- full or partial accommodation reimbursement tbc

The Final:
- 3.000 EUR cold cash
- gadgets, wearables & hardware
- trophies & more surprises to come

Scoreboard

116 teams total

PlaceTeamCTF pointsRating points
1 p4 3162.00028.500
2 LosFuzzys 1956.00015.940
3 khack40 1954.00013.556
4 dcua 1953.00012.364
5 THE 1907.00011.444
6 scryptos 1706.00010.063
7 NUSGreyhats 1652.0009.481
8 Alone 1602.0009.001
9 OpenToAll 1551.0008.573
10 magnum 1550.0008.410
11 Shellphish 1505.0008.078
12 HackingForSoju 1500.0007.947
13 Dragon Sector 1453.0007.644
14 217 1404.0007.345
15 Balsn 1400.0007.259
16 TokyoWesterns 1304.0006.767
17 depipi 1200.0006.246
18 Fourchette Bombe 1150.0005.974
19 CodiSec 1150.0005.933
20 Bits For Everyone 1150.0005.895
21 TeamAardvark 1003.0005.199
22 KITCTF 1001.0005.159
23 Bushwhackers 1000.0005.126
24 WE_0WN_Y0U 1000.0005.100
25 pdgn 1000.0005.077
26 ASIS 1000.0005.055
27 pwn.ro 950.0004.809
28 greunion 900.0004.565
29 PKTeam 900.0004.547
30 0x90r00t 800.0004.080
31 REST 754.0003.858
32 LC↯BC 701.0003.604
33 MV9rwGOf08 603.0003.149
34 Samurai 601.0003.128
35 InfoSecIITR 600.0003.111
36 distcc 600.0003.100
37 flack3r 600.0003.089
38 StraightOuttaPhila 600.0003.079
39 #NugLyf 600.0003.069
40 Sw1ssFr13nds 600.0003.060
41 _HEX_MEX 600.0003.052
42 Shielder 600.0003.043
43 p00p2016 600.0003.035
44 noraneco 600.0003.028
45 hackability 500.0002.570
46 0xb453b411 500.0002.563
47 It4l14n00b5 500.0002.557
48 dust 500.0002.550
49 RATF{Rage Against The Flag} 500.0002.544
50 x44 500.0002.538
51 yonghwi 403.0002.096
52 0xc0ffee 400.0002.077
53 Snatch The Root 400.0002.072
54 NIS 400.0002.067
55 TheGoonies 400.0002.062
56 2nit 400.0002.057
57 xSTF 302.0001.611
58 PDKT 300.0001.598
59 Ais3_NewHands 300.0001.594
60 Jang Seon Ung 300.0001.589
61 Security First 300.0001.586
62 data_expunged 300.0001.582
63 [TechnoPandas] 300.0001.578
64 jfhs 300.0001.575
65 igorPyan 300.0001.571
66 shakalCTF 300.0001.568
67 jackdaw 300.0001.565
68 Xatnys 300.0001.562
69 Raccoons 300.0001.559
70 Lupii băăăăăăăăăăă 300.0001.556
71 zork 300.0001.553
72 HackXore 300.0001.550
73 CTF-infinit 300.0001.547
74 invader 300.0001.545
75 UCCU 300.0001.542
76 pwn93 300.0001.539
77 RPISEC 300.0001.537
78 bi0s 300.0001.535
79 Cumbancha 300.0001.532
80 471804 203.0001.093
81 Critical Section 200.0001.077
82 Bitnuts 200.0001.075
83 Antichat 200.0001.073
84 TJUNSA 200.0001.071
85 SpyDer7 200.0001.069
86 Pandemic 200.0001.067
87 Epic Leet Team 200.0001.065
88 BHG 200.0001.063
89 objEEdump 200.0001.061
90 SystemOfAPwn 200.0001.060
91 DC21321 200.0001.058
92 dodododo 200.0001.056
93 r00ters 200.0001.055
94 WhiteCat 200.0001.053
95 b01lers 200.0001.051
96 ingsec 200.0001.050
97 c00kies@venice 200.0001.048
98 g3ol4d0 200.0001.047
99 hanto 200.0001.045
100 smoke leet everyday 200.0001.044
101 Swampers 103.0000.605
102 kakkak 103.0000.604
103 b 101.0000.594
104 pseud0randomness 100.0000.588
105 moostache 100.0000.586
106 BambooFox 100.0000.585
107 No Internet Access 100.0000.584
108 #STAG 100.0000.583
109 w0pr 100.0000.581
110 ACTU 100.0000.580
111 Beers4Flags 100.0000.579
112 joe 100.0000.578
113 Plaid Parliament of Pwning 100.0000.577
114 pwndevils 100.0000.576
115 interr0bang 100.0000.575
116 MrAdmin 100.0000.287
Sin__Sept. 26, 2016, 8:41 a.m.

Bad CTF. Some challenges were modified after we started working on them, then they announced that they were recompiled, we restarted the work, then they quietly changed them AGAIN, no announcement at all. For a reversing challenge, after 12 hours they released a hint saying "you need this: [some_url]"; well is it a hint or something required to solve? As you can imagine, after some time they gave out more of the "hint", then they changed the "hint" with something completely new. Actually this was a challenge that also appeared in Defcamp CTF in 2013 and 2015 finals (exact same task), but this time they changed something and made it unsolvable (the second hint was that they forgot to add the ciphertext to the task, the third hint was to undo the change that made it unsolvable)
Misc150 was purely guessing, until the "hint" was added no one achieved the necessary mind-reading skills to figure it out. Hint added=> instant solves. Good job... And to top it all off, exp400 was released just a few hours before the ctf ended, and the so-called "author" went to sleep. Yep, it wasn't solvable. This is a recurring theme for Defcamp CTF, "one of the most shattering and rebellious security CTF competition in the Central Eastern Europe. ". So rebellious that they don't even have working solutions for their tasks. We participated in the finals last year and it was the same story: unsolvable tasks, countless recompilations with the promise that "now i think it should work", but they didn't have exploits written and tested (why bother when you are rebellious?). I really would have liked to enjoy this CTF being Romanian myself but the quality is just horrible.


PharisaeusSept. 26, 2016, 1:17 p.m.

@Sin__ while there were some technical issues, I wouldn't be that harsh.
For Rev400 if you could reach the stage 2 you would instantly realise that the ciphertext was missing (as we did) and the admins instantly added the missing data. Since no-one contacted them before we did I presume no-one got even that far (which was not an easy thing to do). The fix was marked as [UPDATE] and not as hint, and was announced. It's true the task was broken, but again it was quite obvious to spot and admin posted another update when we contacted him to clarify this. While the last part of the task was similar to the one from previous editions, the first 2 stages were new, and rather hard on their own. So while there were issues with the task (fixed by admins) the level of this task was really nice.
Misc150 was just broken, hints had nothing to do with it. Once it got fixed people got instant solves because it was that easy to solve.
As for Exp400 I don't know if it was solvable or not. We didn't manage, neither did any other team, but that doesn't mean it was impossible.

It's true, however, that admins should have solvers/exploits ready and prepared to be run against deployed tasks to confirm they are working and can be solved. At the very least there were always some admins in the IRC channel and they fixed the reported issues right away.


Sin__Sept. 26, 2016, 2:48 p.m.

@Pharisaeus. Ok, you are correct, it was posted as UPDATE not hint, I just rechecked. But that doesn't explain the "234" to "128" change. As I said, this task was also used in 2015 finals and 2013 quals (when some other tasks were taken from wechall sites). So i suspect the "author" just modified the number without checking for an actual solution (had he tested the task beforehand and knew for sure it is solvable he wouldn't have reverted the change right?). As for the exploit challenges, last year in the finals do you really not remember the challenges that were not solvable and were recompiled a dozen times? We asked them if they have working exploit scripts and they said they don't need any. Ok, you're talking about exp400 which may or may not be solvable (i tried even symbolically and it didn't yield anything), but what about exp100 and exp200? The initial versions were not solvable (exp100 had fortify source enable), moreover, exp200 was a task intended to be solved using ssh (it took parameters from argv) and they just dropped it into socat. For me at least, this is clearly the work of someone who doesn't know what he's doing.


PharisaeusSept. 26, 2016, 3:27 p.m.

@Sin__ as I said for Re400 the last step was re-used (we even pointed this in our writeup, just linking to the previous solution), but then again we played most of CTFs this year and a lot of tasks are very similar / have identical "core" part. Also technically this was solvable even with 234, however we would require much more ciphertext for the attack, few MB at least ;)
I remember what was happening at the finals last year. In comparison this year's quals were actually a huge improvement, binaries were recompiled only once or twice! ;)
As for Exp100 and 200 as I agree with you that they should have had exploits ready and check if it still works before releasing the challenges.

I guess the biggest issue with "broken" challenges is always that you simply don't know if it's broken or you're just not good enough, and you waste time trying to find a solution, which is simply not there.


andreiSept. 27, 2016, 10:26 a.m.

Dear @Sin__,

I'll do my best to answer your "constructive" feedback:
- "Exp100 & Exp200 were recompiled and different" - Actually the binaries were mixed up, so you basically didn't have to start all over again. Updates were online on all the communication channels.

- "For a reversing challenge, after 12 hours they released a hint" - As Pharisaeus said previously, we haven't realised this until a team notified us. That's why we had irc & telegram support - to fix if something is broken/or crashes during competition. And we did all our best to do that.

- "this was a challenge that also appeared in Defcamp CTF in 2013 and 2015 finals" -> this was similar, agree, but why reusing/changing challenges ?

- Misc150 was guessing until at some point, totally agree

- "exp400 was released just a few hours before the ctf ended [...] it wasn't solvable" - i can tell you that you don't know how unfair is to launch a competition on the opposite timezone of the teams - this was one of the reasons we've launched the problem so late; if it's unsolvable or not, we will see, but that is just a challenge

- Summing up, Exp100+Exp200+Misc150+Exp400 were "incredibly worse" from your perspective. 4 out of 16. Moreover, 2 of 4 were "unsolvable" only in the first 2-3 hours of the competition when all shitty things are happening. What about the rest of the challenges?

- "I really would have liked to enjoy this CTF being Romanian myself but the quality is just horrible." - I'm totally agree that you are a 100% Romanian with your previous attitude. We always had better support and constructive feedback from foreign teams, comparing to local "experts" and we did literally all our best to make it better, even with limited human resources we have.

- you should know that DCTF is done because it's challenging, it's fun and usually we come up with cool challenges that overall give a great experience even though sometimes it happens to fail some of them. It would be cool to see people like you who come up and tell us that we are doing a really bad job but also offer their help to do improve next time. But is easier to throw with shit without doing anything to make it better.

To sum up, I'm totally agree with you that we shouldn't have untested challenges in the production environment and we don't have any excuses for those challenges which didn't worked as expected from the beggining, but I'm totally against this kind of "feedback" and I strongly recommend you one of the following:
1. come and help us to do it better next time
2. do not play at d-ctf if you know it's bad, you are the owner of your decisions; moreover, there are some guys behind this shitty ctf which each year voluntarily come and build everything as better as they can with their limited time & resources and is very depressing when they see this kind of feedback
3. build your own better ctf and I promise will learn from you and even support your contest


HertzSept. 27, 2016, 10:46 a.m.

Mr. @Sin__,

I, personally, am very grateful for your feedback and I'm looking to find some more time and effort to invest into improving the quality of this CTF so that you will be pleased next time. You must understand that we are offering you a CTF for free and besides that, the chance to win some good cash (as you almost did in last year's final) so be grateful for what's given to you or please pick something of better quality to train and/or earn money. So, Mr. Radu (CA)ragea [hint: 10/3 = ?], I hope to see you in the final round where I can personally assure you there will be no such minor problems as the ones from the qualifying round where our resources were extremely limitated so we had to do our best as we were able to, like reusing challenges who's decryption key was just like "we love players that read writeups or have a good memory" ... so guess what, nobody was trying to hide the fact it was a slightly modified and reused problem.

Yours sincerly,
Daniel


Sin__Sept. 27, 2016, 12:18 p.m.

@andrei, you seem to have misunderstood me. "But is easier to throw with shit without doing anything to make it better. " throwing with shit would have been to rate this 1 and to say "it's shit, the organizers are stupid, don't ever play!". It wasn't my intention to do this, nor did I transmit this message through my comments. My frustration comes from the fact that you do not seem to learn from mistakes and feedback. As I told you last year in the finals in person: you need to have working exploit scripts PRIOR to releasing challenges (actually, multiple teams came to you and told you the same thing); and reusing challenges does not make a CTF good: it only favours the people that have had lots of experience :it discriminates against the new people in the community who get discouraged by the fact that teams already have full solutions lying around while they have to waste time and build them from zero. I will say it again: I would have liked to enjoy this CTF (Defcamp CTF 2012 was my first CTF and what got me into this community) but it doesn't seem to improve and rise to its potential. If you use the same people you will only get the same results, you should know this by now.


Sin__Sept. 27, 2016, 12:18 p.m.


@andrei
Now to answer your comments regarding challenges.

- "Actually the binaries were mixed up, so you basically didn't have to start all over again. Updates were online on all the communication channels." . The LAST update on exp100 and exp200 was at " Sep 24 2016 08:12:01 UTC". I redownloaded them at 08:15. After this, there was no further announcement on these tasks. Flags started pouring in when you modified them again later (for example exp100 around 10:00, you can check the first blood scores, I just did! ) So your explanation is simply not true here. Moreover, task2 was completely replaced, not just recompiled, mixed up.

- "As Pharisaeus said previously, we haven't realised this until a team notified us." Fair enough

- " this was similar, agree, but why reusing/changing challenges ? " I explained this already. I assume you as a promoter for the security scene, want more (new) people to get into this. If you give the same challenges, new people don't stand a chance.

- " this was one of the reasons we've launched the problem so late; if it's unsolvable or not, we will see, but that is just a challenge" . When I asked him regarding another challenge (Misc 100 to be exact) he said that he was still working on exp400, so your reason does not count. Whether it's unsolvable YOU should be the one to know this. Releasing a challenge that you have no solution to is an insult to the players. Seriously, you can't be of a different opinion here! If you really want to see whether it's solvable or not label as such (solution unknown) or similar.

- "What about the rest of the challenges? " I played mostly alone in this CTF, so as for the Web tasks I have no idea. I only touched the Reversing and the Exploit challenges and Misc100. (regarding Misc150 I only judged from outside, seeing the announcements and flag submissions increasing drastically from a moment on). Rev100 200 and 300 were ok. Exploit 300 was really good. On the others you already know my opinion.

- "We always had better support and constructive feedback from foreign teams". Yep, but the feedback I saw them giving you (like having working exploit scripts) you have not integrated it. So is it actually useful to spend time to give you feedback?

- "is very depressing when they see this kind of feedback" . Trust me, it is depressing for me too to see this local CTF not taking off and making it into the top CTFs.


Sin__Sept. 27, 2016, 12:21 p.m.

@hertz, I'm not sure what you're trying to prove by posting my full name online. Also, sending me threats as private messages will not work as well. It's just digusting. If you want to continue this childish behaviour you know where to find me.


Sin__Sept. 27, 2016, 12:26 p.m.

@andrei, I forgot to add: for the Web tasks the team mate who worked on them (I am fairly certain that he) has already given the author his feedback.


xrustSept. 27, 2016, 2:54 p.m.

always good CTF


sudhackarSept. 29, 2016, 7:22 p.m.

Well that escalated quickly!


msmSept. 30, 2016, 12:17 p.m.

http://imgur.com/gallery/8T2VUv8