DEF CON CTF 22 Final

    From 7 to 10 August, Las Vegas (USA) hosted DEF CON, the largest information security conference, now in its 22nd year. We took part in the final stage of the DEF CON CTF. The conference itself draws a crowd: at first I heard something about 6 thousand people, then about 15. Moving between the halls for the afternoon talks felt like changing lines in the Moscow metro. But first things first.

    Corridor an hour before the conference


    Traditionally, the DEF CON CTF team competition is held during the conference. The CTF has 2 stages: an online qualifying round, which selects the 12 best teams, and the final, held in Las Vegas. Last year's winner automatically gets a place in the final, and you can also qualify by winning one of 7 other prestigious CTFs during the year. Our team made it to the final by taking third place at Positive Hack Days CTF in May of this year (the PHDays CTF winner had already qualified through another CTF, and the int3pids team, which took second place, declined the invitation).

    The team that runs the DEF CON CTF changes every 3 years. This year was the second DEF CON run by Legitimate Business Syndicate.

    These are the badges that all conference visitors and CTF participants get:

    All I can say about the conference is that it had:
    • many talks
    • many workshops
    • Social engineering village
    • Lockpick village
    • Hardware Hacking Village
    • Wireless village
    • Packet Hacking Village (with traditional Wall Of Sheep)
    • much more

    In the vendor room there was a Tesla electric car, which you could even try to hack:

    Pictured: d0znpp (photo by SadieSv)

    Unfortunately, we got neither the talks nor the Tesla, because…

    Capture the flag

    The DEF CON CTF final is held in Attack/Defense format (aka service-based). Every team gets an identical server with a set of pre-installed services. Each service has some functionality that the organizers' bots check constantly. The services also contain vulnerabilities, which you need to find and preferably patch. By exploiting the vulnerabilities in the services on other teams' servers you obtain so-called "flags". A flag is, as a rule, some piece of secret information in the context of a service. Suppose the service is a mail server. The flags are in mailboxes created by the organizers' bots. If you have learned to read other people's mail, you can look for flags there and submit them.

    Flags are updated every round. A round lasts 5 minutes. Flags have a limited lifetime (usually 1-2 rounds). That is, if at the end of the game you read all the flags from an opponent's server, only 1-2 of them will be accepted; no points are awarded for the rest.

    When a flag is captured from a vulnerable service, the teams that submit it share 19 points, split evenly among however many teams submitted it. The victim team, accordingly, loses 19 points. At the start of the game every team has 2500 points.

    If your service is turned off or the functionality built into it is broken, the service is in Offline status and the team's SLA indicator drops. SLA is the share of game time during which the service worked correctly. Usually this indicator is multiplied by the number of points to form the final score. Honestly, we did not understand exactly how the final rating at the DEF CON CTF final was calculated. The organizers did not give the teams a clear set of rules with formulas. I believe this is one of the DEF CON peculiarities; at the PHDays CTF final, for example, all the rules were spelled out clearly and given to the teams a few days before the competition. There was even an Excel spreadsheet showing the scoring for different scenarios.


    Our team is called BalalaikaCr3w. Most of our members are students and graduates of MEPhI (Moscow Engineering Physics Institute); some are from Bauman MSTU, one graduated from MIPT and one from BSTU (Bryansk). The photo shows not all the members, only those who went to DEF CON. The team formed a little over a year and a half ago. How it formed and how it developed is a separate story; someday I will write a separate article about it, if that is of interest.

    At the DEF CON CTF final, a team may have at most 8 members. There were only 7 of us at the final, because several people were unable to travel due to financial problems or problems obtaining a visa.


    Having accepted the invitation to the final, the first problem was obtaining a US visa. It's not easy for people in our profession to get an American visa, especially on a tight schedule. We received the invitation to the DEF CON CTF final in late June, we had to fly to the USA in early August, and we also had a trip to Korea for the SECUINSIDE CTF final in July. The visa tally was as follows: out of 10 attempts, 6 visas were obtained. Of those, one visa was obtained on the second attempt, and another only after additional screening. One participant was sent for additional screening on the second attempt and did not clear it in time; others were simply refused. One team member already had a valid visa, but it too had been obtained earlier only after additional screening.

    What's the catch? As soon as an officer at the embassy realizes that your work (and/or education) is related to information security (like certain other areas of science and technology the state considers critical), he will send you for additional screening. Screening can last up to a year. And apart from the screening, the officer can simply say "refused" at the end of the interview, hand you some explanatory leaflet and say goodbye without explanation.


    The DEF CON CTF organizers provide participants with 2 rooms for 3 nights at the Rio All-Suite Hotel & Casino, where DEF CON is held. Each room has 2 large beds and a sofa. For 30 bucks a day you can order an extra cot-style bed (which, by the way, is more comfortable than the sofa). The team pays all other expenses itself: flights, local travel, meals (even during the CTF), equipment, etc.

    This is what the CTF zone looks like

    It turns out that the DEF CON CTF final is the most expensive of all the finals for Russian teams. For example, the budget for a trip to the Facebook CTF final in Barcelona or SECUINSIDE CTF in Seoul is 100 to 200 thousand rubles. For a trip to DEF CON, the tickets alone cost about 450-500 thousand. So the question of raising funds was quite pressing for our team; after all, there are a lot of trips in a year, and most of us have only just graduated from university.


    We contacted several of the largest Russian information security companies asking them to support our team in one way or another, and offered cooperation so that the arrangement would benefit both sides. But, alas, some refused immediately, some showed interest and then refused a little more politely, and some started out very positively and then refused anyway. It turned out that giving a little support to a team of Russian hackers was of no interest to anyone. Well, yes, we are not a Formula 1 team; what use are we to information security companies.

    Funnily enough, in Germany it is the other way round. Volkswagen allocated $20 thousand to the German CTF team StratumAuhuur for their trip to the DEF CON CTF final. Indeed, what is good for the Russian is death for the German.

    That said, some of our members' employers, the Active company and FSUE GlavNIVTS, did support us as far as they could. Thanks!
    If anyone has the desire and opportunity to cooperate with our team, you are welcome to write to info (at); we will return the favor.

    Main process

    The DEF CON CTF final runs over 3 days. Each team is allocated:
    • several tables arranged in a rectangle so that everyone can sit side by side. Honestly, it was a bit cramped. We saw teams that came at full strength having to push tables apart so they could sit without bumping into each other
    • one Ethernet cable with access to the game network (each team has its own subnet 10.5.N.0/24) and to the Internet
    • one power outlet (adapters for European plugs and extension cords had to be brought along)


    • 9:00 - teams are let into the CTF zone, setup begins
    • 9:30 - teams get access to their servers
    • 10:00 - the network between the team segments opens. You can connect to other teams' servers and attack them
    • 20:00 - the network closes. Teams must pack up and leave the CTF zone. On the third day the network closed at 14:00, and nobody had to leave the CTF zone, because the afterparty was held there

    Each new day, teams are seated at different tables in different parts of the CTF zone.

    On the first day, a scoreboard with absolute point totals was available. Admittedly, the organizers recounted it overnight, because two teams (ours among them) had a memory card burn out in the server, and while the server was being replaced it was, of course, unavailable. On the second day the scoreboard was available, but it showed only the teams' ranks, not their points.

    In general, the organizers had a lot of screw-ups. On the second day, for example, one guy with an eccentric red haircut simply took our server down. Or maybe not so simply. But when we complained that the server had been unavailable for 15 minutes, the guy apologized and said it was his fault, he had done it by accident. Over the 3 days I heard about 10 times that the SLA would be fixed and the rating recounted.

    Some teams organized a DoS, which is prohibited by the rules, and were penalized with a lowered SLA. As a result, the organizers did not post the final results for almost a week after the final, while they recounted everything.


    The servers were ODROID-U3+ boards. Although after the competition we noticed that our server looked different from the others on the outside (it had been swapped on the first day after the memory card burned out), so it is possible that other teams had different hardware.

    The servers were set up by the organizers. Teams accessed them over ssh. There was no root access, which is another DEF CON peculiarity. That is, there is no way to sniff traffic yourself. Instead, once every 5 minutes the organizers upload a traffic dump from each team's server to sftp. The delay between the start of the game and the first dump becoming available is 15 minutes. All IP addresses in the dump are randomized, except for addresses in the team's own subnet, so you cannot tell from the addresses whom a given connection was with (one of the teams or the organizers' bot).

    Another feature: all services are given in binary form. No source, no scripts. Only binaries, only hardcore. Maybe there were exceptions once, but not this time.

    The processor architecture is not announced in advance. One could guess from last year that it would be ARM (that year was ARM's first appearance at DEF CON), but it only became known for certain at 9:30 on the first day.

    A total of 7 services were announced, but the organizers posted only 5 during the competition.
    At the beginning of the first day, there were 2 services on the team servers:
    • eliza: originally ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped. It was run on the ARM box in a hacky way through qemu-i386-aslr. Then the organizers finally decided to rebuild it and uploaded: ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, not stripped.
    • wdub: originally ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, for GNU/Linux 2.6.32, stripped. Later ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped. The service was a web server.

    A few hours later a third appeared:
    • imap: ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped. The service was an IMAP mail server.

    CTF zone at the end of the first day.

    The initial vulnerabilities were quite simple. For example, in the wdub service you could read the flag with a path-traversal request like this:
    GET /../../../home/wdub/flag HTTP/1.0\r\n\r\n

    And in imap, it was enough to overflow the SELECT command parameter by at least one byte. After that, the LIST command operated one directory higher than it should, so you could see all the mailboxes (LIST "" *) and messages (LIST "" */*), and then read them with FETCH.
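    The wdub bug above is a classic path traversal: the server glued the request path onto its document root without checking where the result ended up. The following Python block is an added example (not code from the write-up or from the wdub binary) that reproduces the vulnerable resolver, shows a hardened one that percent-decodes the path and verifies the resolved file is still under the document root, and builds the request line from the write-up. The directory layout and file names in demo() are constructed for the example; the real service's layout is not known beyond the /home/wdub/flag path mentioned above.

```python
"""Path-traversal check for a tiny static file server (added example).

Demonstrates the wdub-style bug: a naive resolver that concatenates the URL
path onto the document root, versus a hardened resolver that confines the
result to the document root. Layout and file names are constructed here.
"""
import os
import tempfile
from urllib.parse import unquote


def naive_resolve(docroot: str, url_path: str) -> str:
    # Vulnerable: plain concatenation, no normalisation or containment check.
    # "/../../../home/wdub/flag" simply walks out of docroot.
    return docroot + url_path


def safe_resolve(docroot: str, url_path: str):
    """Return the on-disk path for url_path, or None if it escapes docroot.

    Percent-decoding happens before resolution so that %2e%2e cannot sneak
    past a textual "../" filter; realpath() also collapses symlinks, so a
    link inside docroot pointing outside it is rejected as well.
    """
    root = os.path.realpath(docroot)
    rel = unquote(url_path.split("?", 1)[0]).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def build_request(path: str) -> bytes:
    # The request shape used against wdub in the write-up.
    return f"GET {path} HTTP/1.0\r\n\r\n".encode()


def parse_request_path(raw: bytes) -> str:
    """Extract the request-target from a minimal HTTP/1.0 request line."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    method, path, _version = line.split(" ", 2)
    if method != "GET":
        raise ValueError("only GET is handled in this example")
    return path


def demo() -> dict:
    """Constructed layout: <base>/www/index.html inside, <base>/flag outside."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "www")
    os.makedirs(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("hello\n")
    with open(os.path.join(base, "flag"), "w") as f:
        f.write("FLAG{constructed-sample}\n")  # constructed, not a real flag

    evil = parse_request_path(build_request("/../flag"))
    good = parse_request_path(build_request("/index.html"))

    naive_target = naive_resolve(docroot, evil)
    return {
        # The vulnerable resolver happily lands on the file outside docroot.
        "naive_leaks_flag": os.path.isfile(naive_target),
        # The hardened resolver refuses the same request.
        "safe_blocks_traversal": safe_resolve(docroot, evil) is None,
        # Legitimate requests still resolve inside docroot.
        "safe_allows_index": safe_resolve(docroot, good)
        == os.path.realpath(os.path.join(docroot, "index.html")),
    }


if __name__ == "__main__":
    print(demo())
```

    The same containment check is what you would bolt onto the service at home: resolve first, compare against the real document root, and only then open the file. Filtering the literal string "../" is not enough, because the decoded form and symlinks both slip past it.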

    Then each team received a badge like this:

    along with its firmware and a script for flashing the firmware onto the badge. All badges in the CTF zone talk to each other over the air and exchange messages, including flags planted by the organizers (as it turned out later, the messages were sent in clear text).

    The goal, as with all the other services: find the vulnerability, patch it at home, exploit it on other teams' badges, read the flags and submit them. If the badge is switched off or in debug mode, the service counts as down and the SLA drops. By the end of the second day or the start of the third, most teams had given up on the badge, but the Routards team saw it through to the end. A pity they only managed to pull flags in the last round. That was really cool.
    upd: on the second day the PPP team wrote an exploit for the badge, but because of an organizers' mistake they could not score points with it:
    We would like to apologize to the two-year champions, PPP. An off-by-one error in our badger backend code made it impossible for team id 0 (PPP) to score correctly. They had a working exploit before the end of day 2, but were unable to score any points because of this.

    On the second day another service appeared:
    • justify: ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped.

    The organizers promised to publish all the services and the rest of the infrastructure, such as the checker system, in September. For those interested, we are posting the original versions of the binaries.


    The atmosphere is just right. The lights are dim, there are few outsiders in the room, and journalists are let in a couple of times a day for 15-minute sessions, with all the teams notified in advance. On the big screens the organizers constantly play all sorts of trashy clips like:

    The central screen first showed the scoreboard, and later a simple visualization of the teams' attacks on each other.
    All in all, time flew by.

    Short video shot in the last minutes of CTF:


    Place  Team                          Points
    1      Plaid Parliament of Pwning    11263
    3      Dragon Sector                 4421
    4      Reckless Abandon              4020
    5      blue lotus                    3233
    6      (Mostly) Men in Black Hats    2594
    9      [CBA] 9447                    1519
    10     KAIST GoN                     1334
    12     More Smoked Leet Chicken      1248
    16     [SEWorks] penthackon          979
    17     BalalaikaCr3w                 937

    We finished in 17th place. This is, of course, a weak result, but let it be the starting point for our next DEF CON CTF finals. We drew many conclusions about which of our internal tools need finishing and which tools we are missing altogether.

    Our more experienced compatriots More Smoked Leet Chicken (MSLC) took 12th place. I believe the guys are not too happy with themselves either, because the year before they finished fourth.

    For the second year in a row the final was won by the Americans from Plaid Parliament of Pwning (PPP), who, as is traditional for DEF CON, play together with the well-known hacker George Hotz (geohot), famous for hacking the iPhone (author of the first jailbreaks and unlocks) and for his litigation with Sony over the PlayStation jailbreak. Who better than him to carry a CTF where every task but one is binary exploitation on ARM. He had also won the SECUINSIDE CTF final in Seoul in July as part of his team tomcr00se. In fairness, it is worth emphasizing that the tomcr00se team consists of one person.


    Extremely positive. Next year we will definitely try to reach the final, and if we make it, we will definitely go. DEF CON CTF is unique. It is the longest, the most prestigious and perhaps the most difficult CTF of all. I would compare it to the Olympic Games for athletes. This is the level to strive for, and winning DEF CON CTF is the highest possible achievement.

    It was nice to see old friends and chat with new ones.

    I recommend following the LegitBS website for information on the next DEF CON CTF.
    Information about upcoming CTFs, and about everything happening in the CTF world generally, is on CTFtime, the main resource for all CTF teams.
