A DEF CON CTF Qualifier event.
Official URL: http://oooverflow.io/
This event's weight is subject of public voting!
all dressed up and nowhere to go
unprofessional organization, there is no menu on the registration form that allows you to log in and save your password right away. they can not reset the password. bottomless communication - they got the message "Note: Please only register a single account per team." while there is a blockage and it is impossible to register more than one account, and the communication itself suggests as if it were possible. crowell dug me out of irc when I asked if he was kidding that I should register under a different team name. never again.
and two more things, I'm just starting the game, but it was the first registration form that forced me to modify KeePass's rules just because someone frivolous invented super-secure passwords up to 72 characters in ctf. Providing in a clear way the address of the irc server also outgrew the organizers, but you must necessarily try to translate through the next useless pages. I hope that although creating tasks comes out much better than communicating. have a good time.
Status: timestamp is too recent?????
cancerous proofs of work everywhere
food was good
A good event - enough entry-level challenges that I didn't feel completely stumped, and some really cool challenges that I'm interested to see the writeups for!
In their "philosophy" they write about "Intellectually Rewarding Challenges" and "State-of-the-art Challenges" and then you get tasks like "bruteforce million user agents to get a flag"...
Entry-level challenge does not mean to copy challenges of other CTFs! The `easy pisy` challenge was so lame for DEFCON! We'd already seen a couple of times in previous CTFs. In your philosophy you'd promised to design novel challenges!
I would leave a review, but your timestamp is too recent.
where are you legitbs
too many guessing, terrible challenges. Was it really "DEF CON"?
super duper kimchi oriental salad ;)
terrible challenges, the defcon has gone....
IMHO several challenges involved too much guessing, which are extremely frustrating and time-wasting, should not have appeared in a "DEFCON CTF".
wasn't really fair, i had to think about things other than intel ISA pwnables. often i had to guess because i didn't understand what the challenge was hinting at.
also they reused other CTF challenges OBVIOUSLY for example in several challenges you had to exploit memory corruption (booooring)
too much blind / guessing
We liked that there were noob-friendly challenges, so even noob teams hadn't felt completely stomped.
Even if user-agent brute-force wasn't really that rewarding, (Mozilla 10 - 50). In the end, answer was obvious tho:),
80/100 (complaints about guessing are right)
sbva => guessing paroxysm ?
I was confused when I see the kimchi guessing problems...
geckome) Even kimchi hackers use mstsc instead of that webapp haha
I have mixed feelings about this CTF. Some challenges were really great, but a lot of others required guessing or were really unrewarding. The whole CTF seemed like the organizers enjoyed bullying players...
Some examples of things which were IMO especially bad:
- Proofs of work *everywhere*, even for not-resource-heavy tasks. Broken scoreboard PoW ("timestamp is too recent").
- The deadline for write-ups was 24h from the CTF end. This was announced only on IRC and Twitter, without mailing it to teams, so you might have missed this if you went to sleep right after the end. This wasn't mentioned before the CTF, it's not even in the rules!
- The challenges descriptions were removed right after the CTF end (the 24h deadline for write-ups was not enough to make our lives hard?).
- Some hints were published *only* on Twitter, which was spammed with tons of less interesting posts, so it was easy to miss them.
- "PHP Eval White-List" was totally broken (the organizers deployed wrong code to the chall server) and they have never fixed it (nor acknowledged the issue AFAIK).
- Guessing challs:
- BitFlipper - that coredump sending was totally illogical. We saw the message about sending coredumps, but how could anyone expect that it scans all files in the directory and parses ELF headers looking for e_type==ET_CORE?
- ghettohackers - do we really need such challenges...?
- geckome - 100% pain, 0% fun
- "surprise, your flag is in another castle" challs:
- BitFlipper - after spending 15h to dump the flag file, instead of the flag you received a message that there's a filter in between which looks for it and removes it from your output, so you had to start from the beginning.
- babypwn1805 - the server loaded a random libc on every run, which you could learn about only after writing the exploit which didn't take this into account.
- Inconsistent flag prefixes.
- Scoreboard with very bad UX. Hard to see which challs you've already solved, the whole challs page occupies 4 screens, no way to reset you password and many more of such little annoyances.
Ok, enough ranting for today :)
It looks like was not the only one who did not like the PoWs...
When we asked organizers why there is too much binary exploitation challenges they answered that it is time to learn pwn. Finally seems that they have also to learn Web, Crypto and For stuffs based on the quality of challenges we saw in those categories.
challenges variety was the big mess...
Gosh!! Please, drop web next time or make it more challenging. The webs like gecko* were not related to anything security, and were unrealistic to real world scenario. They should have been brute-guessing along with BitFlipper and Ghetto Hackers -- non-realistic, non-security related stuff. It feels to me that not enough testing /review for the challenge has been done. Nobody can let this 4 challenges pass through and make it for DEF CON CTF Quals. Even, Webs are better in the worst rated CTF on ctftime. Anyways, many challenges were good.
Mixed feelings :
Shitload of great binary foo in many places and generally good CTF!
Getting everything right when running a CTF is really hard.
The organizers did a very good job and we don't agree with the hate in the comments.
But lots unnecessary guessing in challenges: ghettohackers, geckome, www (handing out wrong hashes instead of the binary).
php eval offered the wrong binary as a download, but it was anyhow totally broken.
I found sbva really unrewarding.
babypwn1805 finding the flag after exploitation was really uncool.
Maybe a better quality control instead of publishing philosophies would help.
Please stick with one flag format!
PoW was not a problem for us, but could be removed on the scoreboard if you check timestamps anyhow?
Totally awesome scoreboard design otherwise.
Announcements via Twitter only could easily be missed.
The infrastructure was very stable and worked well for us.
We enjoyed it a huge lot! :)
Am I the only one who had a problem with entering the correct password on the registration form? Have you seen any guidance regarding password requirements, except the strange length for the password up to 72 chars?
Have you seen any comment on why password reset is turned off? Any comment regarding the lack of a login menu? is it intuitive for you that the control panel and menu can be found on scoreboard subdomain?
Is it intuitive to look at the scoreboard few days before the competition starts?