Sat, 24 Sept. 2016, 07:00 UTC — Sun, 25 Sept. 2016, 07:00 UTC 

On-line

Defcamp CTF Qualification event.

Format: Jeopardy Jeopardy

Official URL: http://dctf.def.camp/

This event's weight is subject of public voting!

Future weight: 14.12 

Rating weight: 14.12 

Event organizers 


D-CTF is the traditional Capture the Flag Jeopardy style competition organised during DefCamp international cyber security & hacking conference happening in Bucharest, Romania between 10th and 11th of November. The competition has two phases:
- September 24th - 25th, Online Qualification
- November 10th - 11th, The Final in Bucharest, Romania with best teams from Online Qualifications

Because challenges are inspired by real life scenarios from day-to-day challenges of industry experts and other CTF players, you have to prove the ability to develop skills and under stress. It will be fun, I promise! :-)

Prizes

Qualification Round:
- 10-15 teams will be invited to fight for supremacy in Bucharest, Romania at the D-CTF 2016 Final - free tickets for DefCamp 2016 to the finalists
- full or partial accommodation reimbursement tbc

The Final:
- 3.000 EUR cold cash
- gadgets, wearables & hardware
- trophies & more surprises to come

Scoreboard

116 teams total

PlaceTeamCTF pointsRating points
1 p4 3162.00028.240
2 LosFuzzys 1956.00015.795
3 khack40 1954.00013.432
4 dcua 1953.00012.251
5 THE 1907.00011.340
6 scryptos 1706.0009.972
7 NUSGreyhats 1652.0009.394
8 Alone 1602.0008.919
9 OpenToAll 1551.0008.495
10 magnum 1550.0008.334
11 Shellphish 1505.0008.004
12 HackingForSoju 1500.0007.875
13 Dragon Sector 1453.0007.575
14 217 1404.0007.278
15 Balsn 1400.0007.193
16 TokyoWesterns 1304.0006.706
17 depipi 1200.0006.189
18 Fourchette Bombe 1150.0005.920
19 CodiSec 1150.0005.879
20 Bits For Everyone 1150.0005.841
21 TeamAardvark 1003.0005.151
22 KITCTF 1001.0005.112
23 Bushwhackers 1000.0005.079
24 WE_0WN_Y0U 1000.0005.054
25 pdgn 1000.0005.030
26 ASIS 1000.0005.009
27 pwn.ro 950.0004.765
28 greunion 900.0004.523
29 PKTeam 900.0004.506
30 0x90r00t 800.0004.043
31 REST 754.0003.822
32 LC↯BC 701.0003.572
33 MV9rwGOf08 603.0003.121
34 Samurai 601.0003.099
35 InfoSecIITR 600.0003.083
36 distcc 600.0003.072
37 flack3r 600.0003.061
38 StraightOuttaPhila 600.0003.051
39 #NugLyf 600.0003.041
40 Sw1ssFr13nds 600.0003.032
41 _HEX_MEX 600.0003.024
42 Shielder 600.0003.016
43 p00p2016 600.0003.008
44 noraneco 600.0003.000
45 hackability 500.0002.547
46 0xb453b411 500.0002.540
47 It4l14n00b5 500.0002.533
48 dust 500.0002.527
49 RATF{Rage Against The Flag} 500.0002.521
50 x44 500.0002.515
51 yonghwi 403.0002.076
52 0xc0ffee 400.0002.058
53 Snatch The Root 400.0002.053
54 NIS 400.0002.048
55 TheGoonies 400.0002.043
56 2nit 400.0002.038
57 xSTF 302.0001.596
58 MAVISANG 300.0001.583
59 Ais3_NewHands 300.0001.579
60 Jang Seon Ung 300.0001.575
61 Security First 300.0001.571
62 data_expunged 300.0001.567
63 [TechnoPandas] 300.0001.564
64 jfhs 300.0001.560
65 igorPyan 300.0001.557
66 shakalCTF 300.0001.554
67 jackdaw 300.0001.550
68 Xatnys 300.0001.547
69 Raccoons 300.0001.544
70 Lupii băăăăăăăăăăă 300.0001.541
71 zork 300.0001.539
72 HackXore 300.0001.536
73 CTF-infinit 300.0001.533
74 invader 300.0001.530
75 UCCU 300.0001.528
76 pwn93 300.0001.525
77 RPISEC 300.0001.523
78 bi0s 300.0001.521
79 Cumbancha 300.0001.518
80 471804 203.0001.083
81 Critical Section 200.0001.067
82 Bitnuts 200.0001.065
83 Antichat 200.0001.063
84 TJUNSA 200.0001.061
85 SpyDer7 200.0001.059
86 Pandemic 200.0001.057
87 Epic Leet Team 200.0001.055
88 BHG 200.0001.054
89 objEEdump 200.0001.052
90 SystemOfAPwn 200.0001.050
91 DC21321 200.0001.048
92 dodododo 200.0001.047
93 r00ters 200.0001.045
94 WhiteCat 200.0001.043
95 b01lers 200.0001.042
96 ingsec 200.0001.040
97 c00kies@venice 200.0001.039
98 g3ol4d0 200.0001.037
99 hanto 200.0001.036
100 smoke leet everyday 200.0001.034
101 Swampers 103.0000.600
102 kakkak 103.0000.598
103 b 101.0000.588
104 pseud0randomness 100.0000.582
105 moostache 100.0000.581
106 BambooFox 100.0000.580
107 No Internet Access 100.0000.579
108 #STAG 100.0000.577
109 w0pr 100.0000.576
110 actu 100.0000.575
111 Beers4Flags 100.0000.574
112 joe 100.0000.573
113 Plaid Parliament of Pwning 100.0000.572
114 pwndevils 100.0000.570
115 interr0bang 100.0000.569
116 MrAdmin 100.0000.284
Sin__ – Sept. 26, 2016, 8:41 a.m.

Bad CTF. Some challenges were modified after we started working on them, then they announced that they were recompiled, we restarted the work, then they quietly changed them AGAIN, no announcement at all. For a reversing challenge, after 12 hours they released a hint saying "you need this: [some_url]"; well is it a hint or something required to solve? As you can imagine, after some time they gave out more of the "hint", then they changed the "hint" with something completely new. Actually this was a challenge that also appeared in Defcamp CTF in 2013 and 2015 finals (exact same task), but this time they changed something and made it unsolvable (the second hint was that they forgot to add the ciphertext to the task, the third hint was to undo the change that made it unsolvable)
Misc150 was purely guessing, until the "hint" was added no one achieved the necessary mind-reading skills to figure it out. Hint added=> instant solves. Good job... And to top it all off, exp400 was released just a few hours before the ctf ended, and the so-called "author" went to sleep. Yep, it wasn't solvable. This is a recurring theme for Defcamp CTF, "one of the most shattering and rebellious security CTF competition in the Central Eastern Europe. ". So rebellious that they don't even have working solutions for their tasks. We participated in the finals last year and it was the same story: unsolvable tasks, countless recompilations with the promise that "now i think it should work", but they didn't have exploits written and tested (why bother when you are rebellious?). I really would have liked to enjoy this CTF being Romanian myself but the quality is just horrible.


Pharisaeus – Sept. 26, 2016, 1:17 p.m.

@Sin__ while there were some technical issues, I wouldn't be that harsh.
For Rev400 if you could reach the stage 2 you would instantly realise that the ciphertext was missing (as we did) and the admins instantly added the missing data. Since no-one contacted them before we did I presume no-one got even that far (which was not an easy thing to do). The fix was marked as [UPDATE] and not as hint, and was announced. It's true the task was broken, but again it was quite obvious to spot and admin posted another update when we contacted him to clarify this. While the last part of the task was similar to the one from previous editions, the first 2 stages were new, and rather hard on their own. So while there were issues with the task (fixed by admins) the level of this task was really nice.
Misc150 was just broken, hints had nothing to do with it. Once it got fixed people got instant solves because it was that easy to solve.
As for Exp400 I don't know if it was solvable or not. We didn't manage, neither did any other team, but that doesn't mean it was impossible.

It's true, however, that admins should have solvers/exploits ready and prepared to be run against deployed tasks to confirm they are working and can be solved. At the very least there were always some admins in the IRC channel and they fixed the reported issues right away.


Sin__ – Sept. 26, 2016, 2:48 p.m.

@Pharisaeus. Ok, you are correct, it was posted as UPDATE not hint, I just rechecked. But that doesn't explain the "234" to "128" change. As I said, this task was also used in 2015 finals and 2013 quals (when some other tasks were taken from wechall sites). So i suspect the "author" just modified the number without checking for an actual solution (had he tested the task beforehand and knew for sure it is solvable he wouldn't have reverted the change right?). As for the exploit challenges, last year in the finals do you really not remember the challenges that were not solvable and were recompiled a dozen times? We asked them if they have working exploit scripts and they said they don't need any. Ok, you're talking about exp400 which may or may not be solvable (i tried even symbolically and it didn't yield anything), but what about exp100 and exp200? The initial versions were not solvable (exp100 had fortify source enable), moreover, exp200 was a task intended to be solved using ssh (it took parameters from argv) and they just dropped it into socat. For me at least, this is clearly the work of someone who doesn't know what he's doing.


Pharisaeus – Sept. 26, 2016, 3:27 p.m.

@Sin__ as I said for Re400 the last step was re-used (we even pointed this in our writeup, just linking to the previous solution), but then again we played most of CTFs this year and a lot of tasks are very similar / have identical "core" part. Also technically this was solvable even with 234, however we would require much more ciphertext for the attack, few MB at least ;)
I remember what was happening at the finals last year. In comparison this year's quals were actually a huge improvement, binaries were recompiled only once or twice! ;)
As for Exp100 and 200 as I agree with you that they should have had exploits ready and check if it still works before releasing the challenges.

I guess the biggest issue with "broken" challenges is always that you simply don't know if it's broken or you're just not good enough, and you waste time trying to find a solution, which is simply not there.


andrei – Sept. 27, 2016, 10:26 a.m.

Dear @Sin__,

I'll do my best to answer your "constructive" feedback:
- "Exp100 & Exp200 were recompiled and different" - Actually the binaries were mixed up, so you basically didn't have to start all over again. Updates were online on all the communication channels.

- "For a reversing challenge, after 12 hours they released a hint" - As Pharisaeus said previously, we haven't realised this until a team notified us. That's why we had irc & telegram support - to fix if something is broken/or crashes during competition. And we did all our best to do that.

- "this was a challenge that also appeared in Defcamp CTF in 2013 and 2015 finals" -> this was similar, agree, but why reusing/changing challenges ?

- Misc150 was guessing until at some point, totally agree

- "exp400 was released just a few hours before the ctf ended [...] it wasn't solvable" - i can tell you that you don't know how unfair is to launch a competition on the opposite timezone of the teams - this was one of the reasons we've launched the problem so late; if it's unsolvable or not, we will see, but that is just a challenge

- Summing up, Exp100+Exp200+Misc150+Exp400 were "incredibly worse" from your perspective. 4 out of 16. Moreover, 2 of 4 were "unsolvable" only in the first 2-3 hours of the competition when all shitty things are happening. What about the rest of the challenges?

- "I really would have liked to enjoy this CTF being Romanian myself but the quality is just horrible." - I'm totally agree that you are a 100% Romanian with your previous attitude. We always had better support and constructive feedback from foreign teams, comparing to local "experts" and we did literally all our best to make it better, even with limited human resources we have.

- you should know that DCTF is done because it's challenging, it's fun and usually we come up with cool challenges that overall give a great experience even though sometimes it happens to fail some of them. It would be cool to see people like you who come up and tell us that we are doing a really bad job but also offer their help to do improve next time. But is easier to throw with shit without doing anything to make it better.

To sum up, I'm totally agree with you that we shouldn't have untested challenges in the production environment and we don't have any excuses for those challenges which didn't worked as expected from the beggining, but I'm totally against this kind of "feedback" and I strongly recommend you one of the following:
1. come and help us to do it better next time
2. do not play at d-ctf if you know it's bad, you are the owner of your decisions; moreover, there are some guys behind this shitty ctf which each year voluntarily come and build everything as better as they can with their limited time & resources and is very depressing when they see this kind of feedback
3. build your own better ctf and I promise will learn from you and even support your contest


Hertz – Sept. 27, 2016, 10:46 a.m.

Mr. @Sin__,

I, personally, am very grateful for your feedback and I'm looking to find some more time and effort to invest into improving the quality of this CTF so that you will be pleased next time. You must understand that we are offering you a CTF for free and besides that, the chance to win some good cash (as you almost did in last year's final) so be grateful for what's given to you or please pick something of better quality to train and/or earn money. So, Mr. Radu (CA)ragea [hint: 10/3 = ?], I hope to see you in the final round where I can personally assure you there will be no such minor problems as the ones from the qualifying round where our resources were extremely limitated so we had to do our best as we were able to, like reusing challenges who's decryption key was just like "we love players that read writeups or have a good memory" ... so guess what, nobody was trying to hide the fact it was a slightly modified and reused problem.

Yours sincerly,
Daniel


Sin__ – Sept. 27, 2016, 12:18 p.m.

@andrei, you seem to have misunderstood me. "But is easier to throw with shit without doing anything to make it better. " throwing with shit would have been to rate this 1 and to say "it's shit, the organizers are stupid, don't ever play!". It wasn't my intention to do this, nor did I transmit this message through my comments. My frustration comes from the fact that you do not seem to learn from mistakes and feedback. As I told you last year in the finals in person: you need to have working exploit scripts PRIOR to releasing challenges (actually, multiple teams came to you and told you the same thing); and reusing challenges does not make a CTF good: it only favours the people that have had lots of experience :it discriminates against the new people in the community who get discouraged by the fact that teams already have full solutions lying around while they have to waste time and build them from zero. I will say it again: I would have liked to enjoy this CTF (Defcamp CTF 2012 was my first CTF and what got me into this community) but it doesn't seem to improve and rise to its potential. If you use the same people you will only get the same results, you should know this by now.


Sin__ – Sept. 27, 2016, 12:18 p.m.

@andrei
Now to answer your comments regarding challenges.

- "Actually the binaries were mixed up, so you basically didn't have to start all over again. Updates were online on all the communication channels." . The LAST update on exp100 and exp200 was at " Sep 24 2016 08:12:01 UTC". I redownloaded them at 08:15. After this, there was no further announcement on these tasks. Flags started pouring in when you modified them again later (for example exp100 around 10:00, you can check the first blood scores, I just did! ) So your explanation is simply not true here. Moreover, task2 was completely replaced, not just recompiled, mixed up.

- "As Pharisaeus said previously, we haven't realised this until a team notified us." Fair enough

- " this was similar, agree, but why reusing/changing challenges ? " I explained this already. I assume you as a promoter for the security scene, want more (new) people to get into this. If you give the same challenges, new people don't stand a chance.

- " this was one of the reasons we've launched the problem so late; if it's unsolvable or not, we will see, but that is just a challenge" . When I asked him regarding another challenge (Misc 100 to be exact) he said that he was still working on exp400, so your reason does not count. Whether it's unsolvable YOU should be the one to know this. Releasing a challenge that you have no solution to is an insult to the players. Seriously, you can't be of a different opinion here! If you really want to see whether it's solvable or not label as such (solution unknown) or similar.

- "What about the rest of the challenges? " I played mostly alone in this CTF, so as for the Web tasks I have no idea. I only touched the Reversing and the Exploit challenges and Misc100. (regarding Misc150 I only judged from outside, seeing the announcements and flag submissions increasing drastically from a moment on). Rev100 200 and 300 were ok. Exploit 300 was really good. On the others you already know my opinion.

- "We always had better support and constructive feedback from foreign teams". Yep, but the feedback I saw them giving you (like having working exploit scripts) you have not integrated it. So is it actually useful to spend time to give you feedback?

- "is very depressing when they see this kind of feedback" . Trust me, it is depressing for me too to see this local CTF not taking off and making it into the top CTFs.


Sin__ – Sept. 27, 2016, 12:21 p.m.

@hertz, I'm not sure what you're trying to prove by posting my full name online. Also, sending me threats as private messages will not work as well. It's just digusting. If you want to continue this childish behaviour you know where to find me.


Sin__ – Sept. 27, 2016, 12:26 p.m.

@andrei, I forgot to add: for the Web tasks the team mate who worked on them (I am fairly certain that he) has already given the author his feedback.


xrust – Sept. 27, 2016, 2:54 p.m.

always good CTF


sudhackar – Sept. 29, 2016, 7:22 p.m.

Well that escalated quickly!


msm – Sept. 30, 2016, 12:17 p.m.

http://imgur.com/gallery/8T2VUv8