An informal review of CTF abuse (opens in new tab)

(gynvael.coldwind.pl)

53 pointstybulewicz3y ago43 comments

43 comments

25 comments · 11 top-level

Supermancho3y ago· 4 in thread

Would be nice if there was the briefest description about what CTF means here, since I expected it to be about gaming (ie Team Fortress)

https://www.enisa.europa.eu/news/enisa-news/capture-the-flag...

tester7563y ago

As far as I understand it's competitive hacking/security

which requires really solid theoretical knowledge and hands-on experience from various computer related topics like:

cryptography, reverse engineering, web, low lvl programming, operating systems, networks, protocols, etc, etc.

Top competitors tend to work at e.g Google for Project Zero or other big institutions like CERT (https://en.wikipedia.org/wiki/Computer_emergency_response_te...) or Banks

saagarjha3y ago

CTF is kind of like the security equivalent to what a cooking drama show (think Gordon Ramsey and a bunch of contestants) might be to being an actual chef.

gynvael3y ago

Sorry about that. I added a paragraph after the first one in the blog post. I didn't expect the blog post to travel beyond the CTF community.

Snetry3y ago

Its Capture the Flag but instead of gunning down enemies you have to hack a system that is vulnerable in some way

tester7563y ago· 3 in thread

What happened to author's team (Dragon Sector)?

Until 2020 they were almost always around top3 and a few times top1 teams in the world according to https://ctftime.org/

but in 2021/2022 I don't see them

Retr0id3y ago

This is a relatively common pattern in CTF (and probably, other competitive activities). Being a top-level CTF competitor takes a big time investment, both in terms of maintaining your skills, and actually competing.

It's hard for an individual to maintain that level of commitment over time, especially if their personal responsibilities increase (getting a full-time job, starting a family, etc.). Responsibilities aside, people also just get bored and/or burnt out (after a point, most challenges are just variations on something you've seen before).

For a team to stay competitive over time, they either need enough members to fill the gaps, or a sustainable influx of new members.

gynvael3y ago

Also the pandemic happened. In the later years we were playing mostly to go to offline finals. And the pandemic meant no offline finals.

2 more replies

robocat3y ago

The first comment explains why they didn’t win one competition in 2014:

  2022-07-23 18:58:31 = -ENOCHEAT

  > I also saw once a player trying to swipe a piece of paper with configuration (user/password) details of another team on an Attack&Defense style CTF. They were caught in the act and their team got some penalty for it.

  We did exactly that at the Nuit du Hack CTF finals in 2014 to snatch the win against you folks (Dragon Sector). Since there was a flag specifically designed around shoulder surfing (taped to the network switch on each team's table) we asked organizers whether swiping the config credentials was fair game, and they said it was completely fine. Absurd, but hey, I don't make the rules :)

prvit3y ago· 3 in thread

>(or rather: fun factor after a couple of years passed and folks stopped being annoyed or down right furious at the perpetrators)

Poor sports, I’ve always struggled to understand people who’d partake in hacking competitions and then get upset because someone got onto their computer and took all the flags.

PragmaticPulp3y ago

> Poor sports, I’ve always struggled to understand people who’d partake in hacking competitions and then get upset because someone got onto their computer and took all the flags.

The sport is about everyone racing to solve the same puzzles. If one team is sabotaging the puzzles in the process, it's a different kind of competition than the players expected. Frustration is warranted.

It would be like signing up for the 100m dash but then having your competitors throw obstacles into your lane. That wasn't the intent of the competition.

prvit3y ago

>it's a different kind of competition than the players expected

CTFs are (usually) hacking competitions for hackers, what else would you expect?

2 more replies

thornewolf3y ago

"Poor sports, I've always struggled to understand people who'd partake in a foot race and then get upset because someone walked out of bounds to skip part of the race"

Simply because the context is hacking does not mean that performing additional hacking outside of the context of the competition is in the same spirit. Breaking the rules isn't hacking better than another team, it's breaking the rules.

oblak3y ago· 2 in thread

I've been playing shooters for almost 30 years now, and that includes a lot of CTF on top of tons of duel and TDM. Quake, UT, TF2 (just got back to it after a decade).

That said, I have no idea what this guy is talking about. I thought he was talking about gaming but the more I read, the more confused I get. Especially the facebook part. What is going on here?

edit: thanks, Retr0id

ajolly3y ago

If you like that, HackFortress is a CTF that combined both sides, the video game playing and the hack style CTF. Looks like they're going to be back this year for defcon, I ran a team for several years.

I found it to be some of the most fun ctfs I played, partially because it was extremely time-bound. Rounds were 20 to 30 minutes each. It meant that you still had the rest of your conference time for other activities, rather than taking over your entire weekend.

Retr0id3y ago

https://ctftime.org/ctf-wtf/

znpy3y ago· 1 in thread

Dunno, many of those things are occasions for learning.

Back in like 2014 we were competing in RuCTF and some other team hacked our vulnbox and just shut down the rng, making the box effectively inaccessible via ssh and slow as molasses on tls-enabled services (besides capturing all of our flags).

It was an enlightening experience.

Now granted, ructf was pf a particularly spectacular violence… but still, it’s been an experience that has taught me a lot.

saagarjha3y ago

They’re usually occasions for the organizers to learn :)

charcircuit3y ago· 1 in thread

>However there are stories of teams going a step further and hacking home routers from random IPs located in various countries. I guess that's trading in ethics and legality for CTF points.

Is finding a single proxy in a country that hard that you need to do that? I would assume proxy lists including each country would already exist.

gynvael3y ago

Basically the first 50 countries were easy using whatever methods. The next 50 were doable. But then the struggle really began and some teams started getting desperate/creative I guess.

Note that I'm using 50 as a random example number here, not an actual measurement.

ajolly3y ago

There's been a number of in person ctfs where hacking infrastructure was fair game... And did not have static arp entries set, and I ended up mitming all the traffic to the score server.

jrockway3y ago

> There were probably multiple common logic bugs. However one that sticks out in my memory was when the submission system would first check if the team already submitted that flag (fast check in session) and if not, it would check the flag in the database (slow), award points (slow), and finally add the flag to the session (fast). Yup, that's a race condition.

How is "insert into found_flag (team_id, flag_id, found_at) values ($1, $2, now()) on conflict do nothing" slower than this 4 step race-condition-prone operation? (To get the score, "select count(1) from found_flag where team_id=$1".) You don't even need transactions for this, as long as you can't transition from found to not found somehow ("delete from found_flag where team_id=$1 and flag_id=$2").

The only problem I see with this is where validating the correct answer is expensive; without another piece of data to show that validation has started, you can overload the checker by submitting your answer before the first validation routine succeeds. But that is also easy to track, with a timeout even, and you still don't need transactions.

gwern3y ago

> The score is just a number in the database

The enemy's gate is down!

_8j503y ago

I recently learned .bashrc/history abuse is common and learned to do things locally or tunneled when possible.

xeromal3y ago

Flag taken. Flag dropped. Flag taken. Flag dropped.

j / k navigate · click thread line to collapse

43 comments

25 comments · 11 top-level

Supermancho3y ago· 4 in thread

Would be nice if there was the briefest description about what CTF means here, since I expected it to be about gaming (ie Team Fortress)

https://www.enisa.europa.eu/news/enisa-news/capture-the-flag...

tester7563y ago

As far as I understand it's competitive hacking/security

which requires really solid theoretical knowledge and hands-on experience from various computer related topics like:

cryptography, reverse engineering, web, low lvl programming, operating systems, networks, protocols, etc, etc.

Top competitors tend to work at e.g Google for Project Zero or other big institutions like CERT (https://en.wikipedia.org/wiki/Computer_emergency_response_te...) or Banks

saagarjha3y ago

CTF is kind of like the security equivalent to what a cooking drama show (think Gordon Ramsey and a bunch of contestants) might be to being an actual chef.

gynvael3y ago

Sorry about that. I added a paragraph after the first one in the blog post. I didn't expect the blog post to travel beyond the CTF community.

Snetry3y ago

Its Capture the Flag but instead of gunning down enemies you have to hack a system that is vulnerable in some way

tester7563y ago· 3 in thread

What happened to author's team (Dragon Sector)?

Until 2020 they were almost always around top3 and a few times top1 teams in the world according to https://ctftime.org/

but in 2021/2022 I don't see them

Retr0id3y ago

For a team to stay competitive over time, they either need enough members to fill the gaps, or a sustainable influx of new members.

gynvael3y ago

Also the pandemic happened. In the later years we were playing mostly to go to offline finals. And the pandemic meant no offline finals.

2 more replies

robocat3y ago

The first comment explains why they didn’t win one competition in 2014:

  2022-07-23 18:58:31 = -ENOCHEAT

  > I also saw once a player trying to swipe a piece of paper with configuration (user/password) details of another team on an Attack&Defense style CTF. They were caught in the act and their team got some penalty for it.

  We did exactly that at the Nuit du Hack CTF finals in 2014 to snatch the win against you folks (Dragon Sector). Since there was a flag specifically designed around shoulder surfing (taped to the network switch on each team's table) we asked organizers whether swiping the config credentials was fair game, and they said it was completely fine. Absurd, but hey, I don't make the rules :)

prvit3y ago· 3 in thread

>(or rather: fun factor after a couple of years passed and folks stopped being annoyed or down right furious at the perpetrators)

Poor sports, I’ve always struggled to understand people who’d partake in hacking competitions and then get upset because someone got onto their computer and took all the flags.

PragmaticPulp3y ago

> Poor sports, I’ve always struggled to understand people who’d partake in hacking competitions and then get upset because someone got onto their computer and took all the flags.

It would be like signing up for the 100m dash but then having your competitors throw obstacles into your lane. That wasn't the intent of the competition.

prvit3y ago

>it's a different kind of competition than the players expected

CTFs are (usually) hacking competitions for hackers, what else would you expect?

2 more replies

thornewolf3y ago

"Poor sports, I've always struggled to understand people who'd partake in a foot race and then get upset because someone walked out of bounds to skip part of the race"

oblak3y ago· 2 in thread

I've been playing shooters for almost 30 years now, and that includes a lot of CTF on top of tons of duel and TDM. Quake, UT, TF2 (just got back to it after a decade).

That said, I have no idea what this guy is talking about. I thought he was talking about gaming but the more I read, the more confused I get. Especially the facebook part. What is going on here?

edit: thanks, Retr0id

ajolly3y ago

Retr0id3y ago

https://ctftime.org/ctf-wtf/

znpy3y ago· 1 in thread

Dunno, many of those things are occasions for learning.

It was an enlightening experience.

Now granted, ructf was pf a particularly spectacular violence… but still, it’s been an experience that has taught me a lot.

saagarjha3y ago

They’re usually occasions for the organizers to learn :)

charcircuit3y ago· 1 in thread

>However there are stories of teams going a step further and hacking home routers from random IPs located in various countries. I guess that's trading in ethics and legality for CTF points.

Is finding a single proxy in a country that hard that you need to do that? I would assume proxy lists including each country would already exist.

gynvael3y ago

Basically the first 50 countries were easy using whatever methods. The next 50 were doable. But then the struggle really began and some teams started getting desperate/creative I guess.

Note that I'm using 50 as a random example number here, not an actual measurement.

ajolly3y ago

There's been a number of in person ctfs where hacking infrastructure was fair game... And did not have static arp entries set, and I ended up mitming all the traffic to the score server.

jrockway3y ago

gwern3y ago

> The score is just a number in the database

The enemy's gate is down!

_8j503y ago

I recently learned .bashrc/history abuse is common and learned to do things locally or tunneled when possible.

xeromal3y ago

Flag taken. Flag dropped. Flag taken. Flag dropped.

j / k navigate · click thread line to collapse