Title: The Boston Key Party 2017
Date: 2017-02-27 23:00

[![my splendid css-fu for the blk]({static}/images/bkp_2017_landscape.png)](
https://bostonkey.party )

This year, like the two previous ones, I had the pleasure of giving a hand with the
organisation of the [Boston Key Party]( https://bostonkey.party ), a
(hopefully) fun 48-hour-long [capture the flag](https://en.wikipedia.org/wiki/Capture_the_flag#Computer_security) event,
serving as a qualifier for the [Defcon one](https://legitbs.net/).

Last year, [crowell](https://twitter.com/jeffreycrowell) and
[Amat](http://acez.re/) wrote a really
[good-looking scoreboard]({static}/images/BKP2015/challenges.png), but it had
some performance issues (protip: don't use ncurses on a forking server with
several thousand simultaneous users). This is why (and also because we wanted
more people to be able to easily administer the scoreboard) this year
we went with [CTFd](https://github.com/isislab/CTFd), with a (super-ghetto)
custom theme (that I wrote in a hurry, mostly based on tears and stress).

The whole infrastructure was hosted on [AWS](
https://en.wikipedia.org/wiki/Amazon_Web_Services ):
it's cheap (the whole CTF cost us [73USD](https://twitter.com/jeffreycrowell/status/836716886943375362)), comes with a
[CDN](https://en.wikipedia.org/wiki/Amazon_CloudFront) (to palliate CTFd's
asthmatic behaviour), a [WAF](https://aws.amazon.com/waf/) to
block the *DDoS* attack (proudly powered by [Wordpress
`xmlrpc.php`](https://hackerone.com/reports/96294))
that hit the scoreboard around 02am (Paris time) on Saturday, and it's dead simple
to spawn new machines and to wire them together.

Since I'm not an über-proficient sysadmin, it was a fun opportunity to learn
stuff like "How to manage fork bombs done by a single Linux user, used by
several hundred people at the same time?" Having a nice `limits.conf` will
prevent your machine from burning to the ground, but it won't prevent people
from maxing out the number of processes, preventing others from logging in.
Fortunately, one just has to do something like `echo '1 * * * *   root killall
-u ctfuser -s SIGKILL --older-than 5m' >> /etc/crontab` to kill processes older
than 5 minutes (`killall` wants a unit on `--older-than`). Someone mumbled
something about using `cgroups`, but failed to go any further with it.
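For the record, here is the whole shared-account setup the paragraph describes, written as an added example (not the post's own configuration): the per-user limits, a reaper cron entry that actually runs every minute, and the `cgroups` route via a systemd slice drop-in. The user name `ctfuser` is the post's; the UID 1001, the limit values and the `$root` staging prefix are assumptions so the script can be tried without touching the real `/etc`.

```shell
#!/bin/sh
# Added example: stage the three config files under "$root" (use "/" on a
# real box). UID 1001 and every numeric limit below are assumed values.
set -eu

install_ctfuser_limits() {
    root="$1"
    mkdir -p "$root/etc/security/limits.d" "$root/etc/cron.d" \
             "$root/etc/systemd/system/user-1001.slice.d"

    # 1. pam_limits: RLIMIT_NPROC counts *all* processes of the UID, so with
    #    one shared account a single fork bomb burns everybody's budget and
    #    new logins fail. This caps the damage to the host, nothing more.
    cat > "$root/etc/security/limits.d/ctfuser.conf" <<'EOF'
# domain  type  item   value
ctfuser   hard  nproc  1000
ctfuser   hard  core   0
EOF

    # 2. Reaper, which is what frees the budget again: "* * * * *" runs
    #    every minute ("1 * * * *" would only run at minute 1 of each hour),
    #    and killall needs a unit on --older-than, hence "5m".
    cat > "$root/etc/cron.d/ctfuser-reaper" <<'EOF'
* * * * *  root  killall -u ctfuser -s SIGKILL --older-than 5m
EOF

    # 3. cgroup variant: systemd places every session of UID 1001 under
    #    user-1001.slice, so these limits bound the account as a whole
    #    (tasks, memory, CPU) independently of per-process rlimits.
    cat > "$root/etc/systemd/system/user-1001.slice.d/limits.conf" <<'EOF'
[Slice]
TasksMax=1000
MemoryMax=1G
CPUQuota=200%
EOF
}

# Read back the nproc limit that was staged, so the result can be checked.
ctfuser_nproc_limit() {
    awk '$1 == "ctfuser" && $3 == "nproc" { print $4 }' \
        "$1/etc/security/limits.d/ctfuser.conf"
}
```

After staging under `/`, `systemctl daemon-reload` picks up the slice drop-in and the limits apply to the next login session.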

Thanks to Amazon, we have some random/mildly interesting numbers about the CTF
and the players:

- 43% of the requests to our infrastructure were from the USA, 6% from Korea,
  6% from France, 4% from Japan and 4% from the Netherlands.
- We suffered from several [DDoS attempts]({static}/images/bkp_2017_dos.png).
- We served around **335**GB of data in 48h, split into 2.5M http requests and 65K https ones.
- A lot of people tried a fake flag for vimjail, found in `/tmp/flag.txt`.
- A bit less than 1300 teams registered, and something like 1000 of them scored
  at least one point.
- A bit more than 3000 wrong flags were submitted, and 2000 good ones, for our 23
  challenges. We should throttle the number of flag submissions next year,
  and agree on a flag format (some challs were using `BKP{}`, others `bkp{}` or `FLAG{}`).
- Congratulations to [HITCON](http://hitcon.org/),
  [b1o0p](https://ctftime.org/team/23279/) and [PPP](http://pwning.net/)
  for ranking respectively first, second and third.

Along with ensuring that every single task was up, running correctly, and could
be managed by anyone in the team (mostly by yelling on Slack at people to get
them to document their challenges) and <del>telling random jokes in broken
English</del> doing support on irc, I also wrote 3 different challenges:

## Solitary Confinement

A couple of weeks ago, I was discussing with [nurfed](https://twitter.com/Nurfed1)
how we could improve the <a
href="https://websec.fr/level26/index.php">26<sup>th</sup> level of
websec.fr</a> a bit, and he mentioned
[`rbash`](https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html),
but thought that everyone was already sitting on private escapes, since he
personally had several.

I wanted to check if this was true, so I did a simple challenge based on this:
escape `rbash`! In total, 30 teams managed, in 48h, to find various 0days to
escape from a `rbash` shell, in a chroot containing only `rbash` and a
`/flag/showFlag` binary (along with the required libraries to make those run, of
course). The fact that the challenge was in a super-small chroot killed a lot
of exploits that would have worked otherwise. So it seems that nurfed
was wrong: not everyone had (or was willing to use) `rbash` escapes.

I was also wondering if people would be willing to *burn* their 0days in
writeups or on irc, or would be wise enough to stack them. On the other hand,
since no one cares about `rbash` escapes, things would likely have been a bit
different with more interesting/widely used sandboxes.

The intended solution was `BASH_CMDS[a]=/flag/showFlag;a`
(`PATH` isn't writeable, but `BASH_CMDS` is), but a team
[found another one](https://losfuzzys.github.io/writeup/2017/02/27/bkpctf2017-solitary-confinement/)
based on `declare -n`. Someone [told me](https://twitter.com/BkPctf/status/836186790742622208)
that at least one
team ([HITCON](https://david942j.blogspot.com/2017/03/write-up-boston-key-party-2017-pwn99.html))
went completely overkill and wrote a working exploit of a [use after
free](https://twitter.com/BkPctf/status/836186790742622208) in `popd` to escape
the sandbox.

Sorry nurfed about people finding your escapes, but I'm sure that you still
got working ones ;)

## Beat in a box

[![Sansa e200v2 running the challenge]({static}/images/bkp_2017_sansa.png
)]({static}/images/bkp_2017_sansa.png)

A bit more than 10 years ago (damn.) I bought a [Sansa
e200v2](https://en.wikipedia.org/wiki/Sansa_e200_series) and slapped
[Rockbox](https://www.rockbox.org/) on it; it was amazing! Now that I know some
C, I thought that it would make a great challenge to write a *crackme* plugin
for it! You can find its source code [here]({static}/files/bkp_2017_beat_in_a_box.c),
and the whole archive [here]({static}/files/bkp_2017_rockbox.tar.xz).

## Wackusensor

This one was a modified <a href="https://www.acunetix.com/vulnerability-scanner/acusensor-technology/">AcuSensor</a>,
worth a [complete article]((unknown)/web/acusensor.md) on its own ;)

# Conclusion

We ran a [small survey](https://docs.google.com/forms/d/11NI-FCD3ZX17VfYVkoLEepYQ09su0y174o5BfRMiuvs/edit#responses)
(powered by Google Forms, sorry), and this is what I take away from it:

- `~60%` of the surveyed found the difficulty just right, `~40%` found it too
  hard, and `0%` too easy.
- Solitary Confinement was the most hated challenge ♥
- `~75%` of the surveyed thought that 48h is the right duration.
- `~25%` of the surveyed didn't join the [irc](irc://irc.freenode.net/bkpctf)
  channel, and `~80%` of them wanted to have updates via the website. We should
  address this point next year.

I have a dump of some of the challenges,
feel free to [hit me](https://dustri.org) if you forgot to download your
favourite one.

I hope that everyone enjoyed playing it as much as we enjoyed holding the
Boston Key Party, see you next year!

<!--
## Various testimonials:

> FUCK YOUR TOUGH CTF. I WONT PLAY NEXT TIME. VERY SAD

> My favorite CTF of the year, always a good time. Keep up the good work.

> I'm enjoying BKP since 2015 and it's one of my favorite CTF during the whole
> season.

> thanks for the nice CTF! BkP has always been good, looking forward to next
> year.

> Did we need an rbash 0day for Solitary Confinement?

> I enjoyed the horizontal integration that synergized the blogosphere.

> rbash is lame, if you had to make a 0day that's not a good chal
-->
