DEF CON 22 CTF Final
From 7 to 10 August, Las Vegas (USA) hosted the largest information security conference, DEF CON. The event has been held for 22 years. We took part in the final stage of the DEF CON CTF. There were a lot of people at the conference: first I heard something about 6 thousand people, then about 15. The corridors to the talks resembled the passages of the Moscow metro. But first things first.

Article based on information from habrahabr.ru

The corridor an hour before the start of the conference
DEF CON CTF
Traditionally, the DEF CON CTF, a team competition in information security, is held at the conference. In general, the CTF consists of 2 stages: the finals in Las Vegas, preceded by an online qualifying round that selects the 12 best teams. Last year's winner automatically gets a place in the finals, and you can also reach the finals by winning one of 7 other prestigious CTFs during the year. Our team got to the finals by finishing third at Positive Hack Days CTF in May this year (the PHDays CTF winner had already qualified for the final through another CTF, and the runner-up, team int3pids, declined the invitation).
The team that runs the DEF CON CTF changes every 3 years. This year was the second DEF CON run by the Legitimate Business Syndicate team.
Here are the badges given to all conference visitors and to CTF participants:

About the conference itself I can only say that it had:
- talks
- a lot of workshops
- Social Engineering Village
- Lockpick Village
- Hardware Hacking Village
- Wireless Village
- Packet Hacking Village (with its traditional Wall of Sheep)
- much more
In the vendor hall stood a Tesla electric car that you could even try to hack:

Photo: d0znpp, taken from SadieSv
But we, unfortunately, missed both the talks and the Tesla, because...
Capture The Flag
The DEF CON CTF final is held in the Attack/Defense format (also called service-based). The teams receive identical servers with a preinstalled set of services. Each service implements certain functionality, which the organizers' bots check constantly. The services also contain built-in vulnerabilities, which you need to find and preferably fix. By exploiting the vulnerabilities in the services on other teams' servers you obtain so-called "flags". A flag is usually some secret piece of information in the context of the service. For example, suppose the service is a mail server: the flags sit in mailboxes created by the organizers' bots. If you have learned to read other people's mail, you can look for the flags and take them.
The flags are updated every round. A round lasts 5 minutes. Flags have a limited lifetime (usually 1-2 rounds). That is, if at the end of the game you read all the flags from an opponent's server, the scoring system will accept only 1-2 of them; no points are credited for the rest.
When a flag is taken from a vulnerable service, the team that submits the flag gets 19 points, which are distributed equally depending on the number of teams. The victim correspondingly loses 19 points. At the start all teams have 2500 points.
If your service is turned off or its basic functionality is broken, the service is in Offline status and the team's SLA indicator falls. SLA is the percentage of game time during which the services operate correctly. Usually this figure is multiplied by the number of points to form the final score. To be honest, we never understood how the final rating at the DEF CON CTF finals was calculated. The organizers did not give the teams a clear set of rules with formulas. I think that is one of DEF CON's quirks, because at the PHDays CTF finals, for example, all the rules were clearly spelled out and provided to the teams a few days before the competition. There was even an Excel spreadsheet illustrating the calculation for different scenarios.
Team
Our team is called BalalaikaCr3w. Most of our members are students and graduates of MEPhI, some are from MGTU im. Bauman, one is a graduate of MIPT and one a graduate of the Baltic State Technical University (Bryansk). The photo shows only those members who went to DEF CON, not the whole team. The team was formed just over a year and a half ago. How it formed and how it developed is another story; someday I will write a separate article about it, if such information is of interest.
At the DEF CON CTF finals the maximum number of participants per team is 8. In the final we had only 7, because a few people were unable to travel due to financial problems or problems with obtaining a visa.
Visa
Having accepted the invitation to the finals, the first problem was getting a US visa. For people in our profession, obtaining a US visa is not straightforward, especially on a short timeline. We received the invitation to the DEF CON CTF finals at the end of June, had to fly to the US at the beginning of August, and still had a trip to Korea for the SECUINSIDE CTF finals in July. The visa outcome: out of 10 applications, 6 visas were obtained. One person received a visa on the second attempt, another only after additional review. One of our members got caught in additional verification on the second attempt and did not have time to complete it, and some were simply refused. One team member already had a valid visa, but he too had obtained it only after additional verification.
What's the catch? As soon as the officer at the embassy understands that your work (or education) is connected with information security (just as with some other fields of science and technology that are critical for the state), he sends you for additional checks. The check may take up to a year. And besides the checks, the officer may simply say "denied" at the end of the interview, hand you some explanatory paper and say goodbye without any explanation.
The organizers of the DEF CON CTF provide the participants with 2 rooms for 3 nights at the Rio All-Suite Hotel & Casino, where DEF CON takes place. Each room has 2 large beds and a sofa. For 30 bucks a day you can order an extra folding bed (although the couch is far more comfortable). All other expenses are borne by the team: flights, travel, meals (even during the CTF), equipment, etc.
Here is the CTF area
It turns out that participation in the DEF CON CTF final is the most expensive of all the finals for Russian teams. For example, the budgets for trips to the Facebook CTF finals in Barcelona or the SECUINSIDE CTF finals in Seoul range from 100 to 200 thousand rubles. For the trip to DEF CON the tickets alone cost about 450-500 thousand. So the question of raising funds became quite acute for our team, since there are a lot of trips in a year and most of us have only just finished college.
Sponsorship
We approached a few of the biggest Russian information security companies, asking them in one way or another to support our team and offering cooperation that would benefit both sides. But, alas, some refused, some showed interest and then backed out a little more politely, and some started very positively and then refused anyway. It turned out that supporting a small team of Russian hackers is of no interest to anyone. Well, we are not a Formula 1 team, although some of us could be of use to security companies.
It's funny that in Germany it's the opposite. Volkswagen allocated the German CTF team StratumAuhuur 20 thousand dollars for the trip to the DEF CON CTF final. Truly, what is good for the Russian is death for the German.
That said, we are grateful to the employers of some of our team members for their support: "Aktiv" and FSUE "Glavnivc". Thank you!
Basic process
The DEF CON CTF final is spread over 3 days. Each team was allotted:
- a single Ethernet cable with access to the game network (each team has its own subnet 10.5.N.0/24) and to the Internet
- one mains socket (adapters for European plugs and extension cords had to be brought along)
- a few tables pushed together into a rectangle to sit around. Honestly, it was a bit crowded. We saw how teams that came in full strength had to shove the tables around so everyone could sit without getting in each other's way
Schedule:
- 9:00: teams arrive in the CTF zone, setup begins
- 9:30: teams get access to their servers
- 10:00: the network segments between the teams open. You can connect to other servers and attack them
- 20:00: the network is closed. Teams must pack up and leave the CTF area. On the third day the network closed at 14:00 and there was no need to leave the CTF zone, since the afterparty was held there
Each new day the teams were seated at different tables in different parts of the CTF area.
On the first day a scoreboard with the absolute number of points was available. However, overnight the organizers recalculated it, because two teams (ours among them) had burned out the memory card in their server, and until the server was replaced it was of course unavailable. On the second day the scoreboard was available, but the number of points was not displayed, only the teams' positions in the ranking.
In general, the organizers had a lot of screw-ups. On the second day, for example, one eccentric guy with red hair stupidly knocked our server offline. Or maybe not stupidly. But when we complained that the server had been unavailable for 15 minutes, the fellow apologized and said it was his fault, he had done it accidentally. All in all, over 3 days I heard 10 times that the SLA would be corrected and the rating recalculated.
Some teams ran DoS attacks, which is prohibited by the rules, and were punished with a lowered SLA figure. In the end, for almost a week after the finals the organizers had not posted the final results, because they were still recalculating everything.
Tasks
The servers used were ODROID-U3+. Although after the competition we saw that our server apparently differed from the others (because it was replaced on the first day after the memory card burned out), so it is possible that other teams had a different piece of hardware.
The servers were set up by the organizers. The team received ssh access. There was no root access; that is another DEF CON quirk. So you could not sniff traffic on the server yourself. Every 5 minutes the organizers published on sftp, for each team, a traffic dump from that team's server. The delay between the start of the game and the first dump becoming available was 15 minutes. All IP addresses in the dump are randomized except the addresses of the team's own subnet, which makes it impossible to tell with whom exactly a connection was established (one of the teams or the organizers' bot).
Another feature: all the services are provided in binary form. No sources, no scripts. Only binaries, only hardcore. Maybe there have been exceptions before, but not this time.
The processor architecture was not announced in advance. From last year one could guess it would be ARM (that year it appeared at DEF CON for the first time), but it only became known for certain at 9:30 on the first day.
Seven services were announced, but during the competition the organizers released only 5.
At the beginning of the first day there were 2 services on the teams' servers:
- eliza: originally ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped. It was run on the ARM machine using qemu-i386-aslr. Then the organizers decided to rebuild it and published: ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, not stripped.
- wdub: originally ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, for GNU/Linux 2.6.32, stripped. Later ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped. The service is a web server.
A few hours later, a third:
- imap: ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped. The service is an IMAP mail server.
- justify: ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped.
CTF area at the end of the first day
The initial vulnerabilities were quite simple. For example, in the wdub service the flag could be read with a request like this:
GET /../../../home/wdub/flag HTTP/1.0\r\n\r\n
And for imap it was enough to overflow the parameter of the SELECT command by at least one byte. After that the LIST command operated on the directory one level above where it should, so you could see all the mailboxes (LIST "" *) and messages (LIST "" */*) and then read them with FETCH.
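As an added illustration (this is not code from the page or from the wdub service, whose sources were never published), here is the root-confinement check a web server needs in order to reject the request above: it normalises "." and ".." segments lexically before touching the filesystem, and the document root /var/www and the function names are assumptions. The same confinement applies to mailbox names like the ones the imap service passed to LIST.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64

/* Lexically normalise a request path against a fixed document root.
 * On success writes "<root>/<normalised path>" into out and returns true.
 * Returns false when a ".." segment would climb above the root, which is
 * exactly what "/../../../home/wdub/flag" tries to do. The input must
 * already be percent-decoded. */
static bool resolve_under_root(const char *root, const char *req,
                               char *out, size_t outlen)
{
    const char *segs[MAX_SEGS];  /* start of each kept segment */
    size_t lens[MAX_SEGS];       /* length of each kept segment */
    int depth = 0;
    const char *p = req;

    while (*p == '/')
        p++;                     /* request paths are root-relative */

    while (*p) {
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        while (*p == '/')
            p++;                 /* collapse runs of slashes */

        if (len == 1 && start[0] == '.')
            continue;            /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return false;    /* would escape the document root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS)
            return false;        /* refuse rather than silently truncate */
        segs[depth] = start;
        lens[depth] = len;
        depth++;
    }

    /* Rebuild the confined path: root + "/" + seg for every kept segment. */
    size_t used = strlen(root);
    if (used >= outlen)
        return false;
    memcpy(out, root, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] >= outlen)
            return false;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return true;
}

/* Verdict-only wrapper for a server whose document root is /var/www
 * (an assumed root; wdub's real layout is not known). */
static bool wdub_request_allowed(const char *req)
{
    char resolved[512];
    return resolve_under_root("/var/www", req, resolved, sizeof resolved);
}

int main(void)
{
    const char *reqs[] = { "/../../../home/wdub/flag", "/docs/../index.html" };
    for (size_t i = 0; i < 2; i++)
        printf("%-28s -> %s\n", reqs[i],
               wdub_request_allowed(reqs[i]) ? "served" : "rejected");
    return 0;
}
```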
Then each team got this badge:

along with firmware for it and a script to flash the firmware onto the badge. All badges in the CTF area communicate with each other over radio and relay messages, including flags, sent by the organizers (as it turned out, messages were sent in the clear).
The goal, as with all the other services: find the vulnerability, close it, exploit it on other people's badges to read the flags, and submit them. If the badge is switched off or in debug mode, the service is considered down and the SLA falls. By the end of the second day/beginning of the third, most teams had given up on the badge, but the Routards worked on it to the end. It is a pity that they only learned to pull flags in the last round. That is really cool.
upd: team PPP wrote an exploit for the badge on the second day, but because of an error by the organizers they failed to score points with it:
We would like to apologize to the two-year champions, PPP. An off-by-one error in our badger backend code made it impossible for team id 0 (PPP) to score correctly. They had a working exploit before the end of day 2, but were unable to score any points because of this.
On the second day one more service appeared.
The organizers promised to publish all the services and the rest of the stuff, I think including the checking system, in September. For those who are interested, I am posting the original versions of the binaries.
Atmosphere
The atmosphere was just right. The lights were dimmed, there were few outsiders in the room, and journalists were let in a couple of times a day for 15-minute sessions, with all teams notified in advance. On the big screen the organizers kept playing all sorts of trashy clips like:
- DJ Snake & Lil Jon: Turn Down for What
- Major Lazer: Bubble Butt
- a lot of Lonely Island
- a lot of Die Antwoord
- other weird videos and songs and even rap from geohot, while he was carrying PPP!
On the central screen they first showed the scoreboard and then a simple visualization of the teams' attacks on each other.
All in all, the time flew by.
A short video shot in the last minutes of the CTF:
Results
Place | Team | Score
---|---|---
1 | Plaid Parliament of Pwning | 11263
2 | HITCON | 7833
3 | Dragon Sector | 4421
4 | Reckless Abandon | 4020
5 | blue lotus | 3233
6 | (Mostly) Men in Black Hats | 2594
7 | raon_ASRT | 2281
8 | StratumAuhuur | 1529
9 | [CBA]9447 | 1519
10 | KAIST GoN | 1334
11 | Routards | 1262
12 | More Smoked Leet Chicken | 1248
13 | Binja | 1153
14 | CodeRed | 997
15 | w3stormz | 987
16 | [SEWorks]penthackon | 979
17 | BalalaikaCr3w | 937
18 | Gallopsled | 921
19 | shellphish | 899
20 | HackingForChiMac |
We finished in 17th place. This is, of course, a weak result, but it will be the starting point for our next DEF CON CTF finals. We drew a lot of conclusions: some of our internal tools need to be finished, and we know which tools we are missing.
Our more experienced compatriots More Smoked Leet Chicken (MSLC) took 12th place. I believe the guys are also not very happy, because last year they finished fourth.
For the second year in a row the winners are the Americans from Plaid Parliament of Pwning (PPP), who traditionally compete at DEF CON together with the famous hacker George Hotz (geohot), known for hacking the iPhone (author of the first jailbreaks and unlocks) and for his lawsuit with Sony over jailbreaking the PlayStation. Who better than him to pull flags at a CTF where all the tasks except one are ARM binaries. Although in July his own team tomcr00se won the SECUINSIDE CTF finals in Seoul. In fairness it should be noted that the tomcr00se team consists of one person.
Experience
Exclusively positive. Next year we will definitely try for the finals and will definitely go if we get through. DEF CON CTF is unique. It is the longest, most prestigious and perhaps the most difficult of all existing CTFs. I would compare it to the Olympic Games for athletes. This is the level to strive for, and winning DEF CON CTF is the highest of all possible achievements.

It was nice to see old friends and meet new ones.
For information about the next DEF CON CTF I recommend following LegitBS.
Information about upcoming CTFs and in general all events in the CTF world is on the main resource for all CTF teams, CTF TIME.