Offensive Thinking

Internet Thoughtcrime

HAR 2009 CTF

Posted: 2009-08-15

Hacking At Random 2009 is happening right now and yesterday was the CTF. We played remotely from Aachen and I must say, well, I’ve seen better. Independently of the fact that our team could’ve done better, I found the whole CTF to be more confusing than anything else. To be fair, part of my confusion may have come from sleep deprivation, as I had a full (although slow) work day behind me and we played from 10:00pm to 06:00am…

The CTF was in the classic “get a VMware image with vulnerable services, patch your own image as well as you can to defend yourself and exploit all the other teams” style. First of all, the vulnerable services on the image gave the impression of having been mixed together at random without any structure. It’s fine to obscure things in a CTF to make it harder for the teams to figure out the vulnerabilities, but this was just plain confusing. I spent most of the time trying to understand what the hell I was supposed to defend and exploit.

Then, there’s the thing with the GoVM. Never heard of that one before, but apparently it’s a Virtual Machine to run services on, written by one of the organisers especially for CTFs. Which meant that in many places you had some basic code structures (written e.g. in Python) which put stuff in a magic blackbox and out came some more stuff. This added at least to my confusion because it was absolutely impossible to figure out how exactly the services worked. It’s fine to give me a binary challenge where all I get is the compiled code for something and I have to figure out what it does, but this whole GoVM thing just added a layer of obscurity you can’t break through in the limited time you have in a CTF.

In addition, some of the services weren’t activated from the beginning, but went online during the game (which was announced in the IRC channel). With some services, this meant you didn’t know if something was broken on your side or just not active at the moment. And speaking of broken: you were supposed to fix some non-working services during the game. There’s nothing more exciting than figuring out in a CTF why the PHP version on the image and the MySQL database do not work together. Yay. Another thing that I saw in previous CTFs is this newfangled idea that people have fun writing advisories, so you get points for writing those up and sending them to the organisers. Nothing more exciting than writing fake advisories for fake services. As far as I remember, we got 0 points in the advisory category because no one bothered :).

The organisers also had numerous problems with their setup, ranging from teams not being able to connect to services which needed to be patched during the game so they functioned properly, up to the point where the CTF was aborted at 06:00am and a winner was announced because they had some heavy issues with the scoreboard and their VPN server not working properly anymore.

Ok, this was a lot of ranting and I feel slightly better now (sleeping also helps ;)), but regardless of my ramblings above I want to make one point clear: I know that setting up a CTF is a lot of work and getting everything to work is a major PITA. I never organised one myself, but I know people who did and it’s far from easy to do this properly. I didn’t pay for anything and had fun for free, because some enthusiastic people set these CTFs up in their spare time. I really respect and appreciate the time and work that is put into this. My rantings should therefore be seen as constructive criticism for the next time. And I still had fun, if only for the comments in IRC and the yelling going on in our team ;).