Security/Hacking Team @ CMU

After winning iCTF and Codegate, PPP had already prequalified for Defcon19. Of course, we couldn’t be lamers so we also qualified through the normal prequal round (which makes us the first team to ever triple qualify for Defcon).

Our team slowly flew into Vegas from around the country to compete in the final round against many other awesome teams and friends.

Most of team PPP before the competition

Of course, we were in Vegas for a reason, so we didn’t have too much time to spend on the strip. We needed to be well rested for the CTF, after all.

Like most teams, we had two groups of people during the competition, one working downstairs on defense, and another goup holed up in a hotel room working on reversing/exploits.

Early morning preparations

When the competition began, we were given an image of our server, as well as login details for it. As a new twist this year, the competition was all based over IPv6, making it exceptionally challenging to get some of our network tools working properly on the server.

Of course, in ddtek tradition, the scoreboard and submission servers were not available until near the end of the first day, which gave everyone time to write a few exploits and get defenses up and running.

By the end of the first day, PPP was exploiting quite a few challenges and had a decent score.

Score after Day 1, PPP in a sad 4th place

After a long night of working on fixing networking tools with IPv6 and finishing exploiting a few more problems, we all got a bit of sleep to get ready for day 2.

Breakfast - the most imporant meal of the day

Despite having more exploits written and keeping our services up throughout day 2, we dropped in position quite a bit. We were told the scoreboard was inaccurately displaying data such as SLA (how well we keep our services up/defend them) wrong, and having many outages of access to servers, but there was little we could do about that. Overall it was very difficult to tell how we were doing score wise, as the only scoreboard to which we had access was the one presented by ddtek, which rarely updated and did not display any information such as for which services we were correctly getting points.

Before the second day ended, another team rooted our CTF server. To be a bit more accurate, lollersk8ters rooted ddtek’s, and therefore all contest player’s servers. Although other teams complained about the same issue, it took ddtek almost an hour to realize the problem was on their side, despite our evidence that a team must have been outside the jail. Of course the entire time, all teams were locked out of their servers. Doh!

adc from lollersk8ters, after rooting everyone's box

We later found out one to three other teams had also rooted ddtek’s servers, and therefore the servers for all other contestants.

After the second day, we had dropped all the way down into 7th place. That night we finished up exploits for all but one service, ready to go for the next day of the competition, though we weren’t sure what would happen after lollersk8ters had control over everyone’s boxes already.

The third day of the competition no scoreboard was displayed. Rumor has it that this is traditional to make the results of the CTF more suspenseful, though we never actually told why there was no scoreboard on the last day.

Although we were submitting keys for challenges, after the final placement of teams was released, it seemed scores didn’t change much if at all on the third day.

After the competition ended, PPP put its time in Vegas to good use. We hung out with a few of the other awesome teams and, of course, did other Vegas specific activities.

Definitely not hacking slot machines

Sadly, PPP came in 7th place overall. Not horrible, but certainly not as well as we would have hoped. The final list of teams is available at ddtek’s website, though it is very unfortunately lacking both raw scores as well as packet captures.

Congratulations to European Nopsled Team, who won first place, Routards in second, Hates Irony in third, and all other contestants! We had a great time competing with you and hope to do it again soon.

For those interested, Routards also had a great post on how the competition unfolded.

As you all know by now, PPP recently hosted its own CTF competition called PlaidCTF. This was a great chance for our team to take all the problems we wished we found in other competitions and force other people to solve them. We had an awesome time putting problems together for people to solve, and we’d like to think it turned out pretty well.

The competition started a little behind schedule, and we had a few hiccups during the competition. In the end, however, all but one problem (which was removed due to oversights on our part) had been pwned by at least one team, and over 400 teams had signed up to play. We tried to make our problems different from what we’ve seen in past CTF’s, and we hope that everyone who took the time to solve them learned a lot in the process.

pCTF Command and Control Center

During the 48 hour competition, we were saddened to find ourselves just as busy as when we participate in competitions ourselves. Most of the 48 hour competition was spent keeping our servers running and answering questions on IRC, with perhaps an hour here and there for sleep.

Although running our own competition was incredibly stressful, it was also a lot of fun. We ended up learning a few new techniques as players solved problems differently than we planned and we also had many stressful moments watching as teams submitted keys they had mistyped by just a few characters.

Of course, the most important part of any competition is the winners! Although all the teams did a great job, especially considering our scheduling conflict with a major holiday, Hacking for Soju, C.o.P, and SSH came out on top, winning first, second, and third place, respectively. Final scores for all teams are available here.

More information, including writeups from the top teams, can be found at http://www.plaidctf.com .

We would also appreciate feedback and ways to improve pCTF. We plan to hold the competition again next year, and we want to make it as awesome as possible, which means we need suggestions from you on how we could make it better.

Thanks for playing, and we hope to see you next year!

In case you haven’t heard, we’re hosting our own CTF competition in about one month. We’re going to have prizes sponsored by Lockheed Martin, so you should definitely sign up if you haven’t already.

Read more about it and sign up here!

You can also follow us at @pctf2011 to get the most recent news about Plaid CTF 2011.

This weekend we participated in the qualification round for one of the largest international computer security competitions, Codegate.

Hosted in Korea, Codegate 2011 attracted hundreds of teams from all around the world. The problems consisted of web vulnerabilities, forensics, cryptography, binary reversing, and some problems related to security topics that had been in the news. Sadly this meant there were almost no problems featuring binary exploitation, which is one of our strongest areas of expertise. Regardless, there were some really interesting and challenging problems for us to work on.

Sadly, as this was an international competition, it started at a really obnoxious time for those teams from America, at lovely 7am.

1337 h4x0rs (not actually taken at 7am because we were too tired to be thinking about pictures then)

We had some incredibly tough competition this year. Sutegoma, Hates Irony, Disekt, GoN, Plus, int3pids, Playtronics, and Leetmore were all beating us at one point or another over the 48 hour game. While of course it would be nice to be in first the entire time, it’s also good to have other teams around to keep us on our feet! Overall, we did not do too great in solving challenges quickly, amassing only a few breakthrough points, though Sutegoma and Leetmore were both incredibly quick at solving challenges immediately.

Damnit Leetmore, slow down so we can try solving the problems!

It was also a bit frustrating that challenges were released very slowly, which left us with no choice but to keep scratching our heads on the same problems for hours. Luckily we got a short break from the monotony of problem solving for a while to enjoy some fun moments in IRC. As the competition came to an end and the sun started to rise, our problem solving abilities unfortunately diminished greatly.

It's 1am. In 6 hours the competition ends, but those of us awake will be too busy trying to solve crypto 500 to take pictures.

With the help of caffeine and loud music, we were able to scrape a few more points through, finishing up a few more problems in the wee hours of the morning. While we managed to narrowly beat out Disekt, we still ended up in third place behind Sutegoma and Hates Irony. I guess that just means we’ll need to beat them in the final round!

All in all, we had a good time at Codegate, and we’re looking forward to meeting our new challengers, and seeing teams coming back from last year. Although having lots of diversity in the teams last year was nice as a cultural experience, having three teams form the USA in the top eight teams world wide is pretty awesome.

For what you all came here for: our write up can be found here.

I strongly recommend reading some of Leetmore’s writeups (who solved a lot of problems in ways we didn’t think about), as well as Hates Irony’s writeups.

wgsbd + Padocon

This weekend PPP decided to do something different and participate in two competitions at the same time. As our school semester just started, our team was missing a few people which hurt us a bit, but those who participated in Padocon and wgsbd had a great time!

Padocon started early, and we had a rough time with challenges for a while. There were lots of great challenges, including many deceptively simple looking binaries similar to last year. We also learned a lot when solving some of the forensic challenges.

Thinking very hard

Of course, 13 hours into Padocon, we began working on wgsbd (CTF hosted by the Spanish group Security by Default). With only 15 challenges, it seemed this competition would be fast, but that was not true at all! Many of the challenges took us quite some time to solve. The web03 problem was incredibly interesting. The page allowed command execution on the server, but limited what could be run severely. Getting around the restrictions so we could read the token involved quite a few especially convoluted web queries, such as:

cmd=eval%09read%09a%09$(set%09$(id%09$(printf%09%c%09$((9223372036854775807*2)))

$(printf%09%c%09$((9223372036854775807*2)))help);printf%09%c%09${123})%09$(printf%09

%c%09$PATH)var$(printf%09%c%09$PATH)tmp$(printf%09%c%09$PATH)a;echo%09$a

which took quite a lot of brain power and time to figure out.

Of course we were still working on Padocon challenges as well! And for a few hours we pulled ahead to the top team.

Almost half way into Padocon, sadly the scores did not stay like this

By the time we went to sleep, we were doing pretty well in both competitions. Of course, while we were dozing off, other hackers were rushing to take out place, dropping us down a few places in each competition.

After waking up and solving a few more problems, though, we were back in the running. After the 48 hour Padocon ended, we were exhausted, so we all decided to go home and get some rest. A couple days after the competition was over, we were finally awarded a few hundred points because we found and reported numerous accidental vulnerabilities in the Padocon services (we rooted a few of their machines which we weren’t supposed to… oops!). This was enough to bump us up to a final ranking of third.

Must... solve... more... karma binaries!

After a bit of rest followed by some debugging, we were able to get back to work on wgsbd shortly before it ended, coming in a comfortable third place.

All the participants in both competitions did very well, especially GoN, disekt, sur3x5f, int3pids, and painsec.

While doing more than one competition at a time seemed to hurt our scores a little bit, it was a whole lot of fun!