[HN Gopher] An informal review of CTF abuse
___________________________________________________________________
 
An informal review of CTF abuse
 
Author : tybulewicz
Score  : 33 points
Date   : 2022-07-23 17:37 UTC (5 hours ago)
 
(HTM) web link (gynvael.coldwind.pl)
(TXT) w3m dump (gynvael.coldwind.pl)
 
| oblak wrote:
| I've been playing shooters for almost 30 years now, and that
| includes a lot of CTF on top of tons of duel and TDM. Quake, UT,
| TF2 (just got back to it after a decade).
| 
| That said, I have no idea what this guy is talking about. I
| thought he was talking about gaming but the more I read, the more
| confused I get. Especially the facebook part. What is going on
| here?
| 
| edit: thanks, Retr0id
  | Retr0id wrote:
  | https://ctftime.org/ctf-wtf/
    | ajolly wrote:
    | If you like that, HackFortress is a CTF that combined both
    | sides, the video game playing and the hack style CTF. Looks
    | like they're going to be back this year for defcon, I ran a
    | team for several years.
    | 
    | I found it to be some of the most fun ctfs I played, partially
    | because it was extremely time-bound. Rounds were 20 to 30
    | minutes each. It meant that you still had the rest of your
    | conference time for other activities, rather than taking over
    | your entire weekend.
| gwern wrote:
| > The score is just a number in the database
| 
| The enemy's gate is down!
| tester756 wrote:
| What happened to author's team (Dragon Sector)?
| 
| Until 2020 they were almost always around top3 and a few times
| top1 teams in the world according to https://ctftime.org/
| 
| but in 2021/2022 I don't see them
  | Retr0id wrote:
  | This is a relatively common pattern in CTF (and probably, other
  | competitive activities). Being a top-level CTF competitor takes
  | a big time investment, both in terms of maintaining your
  | skills, and actually competing.
  | 
  | It's hard for an individual to maintain that level of
  | commitment over time, especially if their personal
  | responsibilities increase (getting a full-time job, starting a
  | family, etc.). Responsibilities aside, people also just get
  | bored and/or burnt out (after a point, most challenges are just
  | variations on something you've seen before).
  | 
  | For a team to stay competitive over time, they either need
  | enough members to fill the gaps, or a sustainable influx of new
  | members.
    | gynvael wrote:
    | Also the pandemic happened. In the later years we were
    | playing mostly to go to offline finals. And the pandemic
    | meant no offline finals.
      | tester756 wrote:
      | Imma use that opportunity and ask
      | 
      | Are skills of military/state-level actors comparable with
      | CTF people?
      | 
      | Or they're mostly focused on different things, so it's
      | tricky to compare those things?
      | 
      | I'm asking because it feels like at the end of the day all
      | of those groups search for 0days
        | ajolly wrote:
        | Also a lot of the time they can be the same people. Just
        | one set of targets for your day job, one set of targets
        | for fun at the CTF. (and the ctf challenges are probably
        | easier)!
        | gynvael wrote:
        | There is some overlap, but only some.
        | 
        | In general CTF problems are limited in the sense that
        | they need to be solvable within the tournament time
        | frame (usually 48h), and also the process is simpler -
        | you don't have to be quiet, you grab the flag and that's
        | it; no need to think beyond that point (i.e. no need to
        | worry about backdooring, C2, hiding the traffic, lateral
        | movement, detection, etc).
        | 
        | Also CTF problems might be super specific, to the extent
        | of being unlikely to be encountered in the real world. The
        | real world is a bit different - a lot of systems have
        | same old boring issues. On the flip side when dealing
        | with 0-days in stuff like modern browsers you are likely
        | to exceed the level of complexity of even top CTF pwn
        | challenges - mostly due to the aforementioned time
        | constraint in CTFs.
        | 
        | That said, a lot of technical skills would be
        | transferable between both areas. Regardless which way one
        | would switch, there would still be a decent amount of
        | learning (e.g. learning the CTF metagame, learning to
        | think beyond getting a shell).
          | tester756 wrote:
          | Thank you
| robocat wrote:
| The first comment explains why they didn't win one competition
| in 2014: 2022-07-23 18:58:31 = -ENOCHEAT
| 
| > I also saw once a player trying to swipe a piece of paper
| > with configuration (user/password) details of another team on
| > an Attack&Defense style CTF. They were caught in the act and
| > their team got some penalty for it.
| 
| We did exactly that at the Nuit du Hack CTF finals in 2014 to
| snatch the win against you folks (Dragon Sector). Since there
| was a flag specifically designed around shoulder surfing (taped
| to the network switch on each team's table) we asked organizers
| whether swiping the config credentials was fair game, and they
| said it was completely fine. Absurd, but hey, I don't make the
| rules :)
| charcircuit wrote:
| > However there are stories of teams going a step further and
| > hacking home routers from random IPs located in various
| > countries. I guess that's trading in ethics and legality for CTF
| > points.
| 
| Is finding a single proxy in a country that hard that you need to
| do that? I would assume proxy lists including each country would
| already exist.
  | gynvael wrote:
  | Basically the first 50 countries were easy using whatever
  | methods. The next 50 were doable. But then the struggle really
  | began and some teams started getting desperate/creative I
  | guess.
  | 
  | Note that I'm using 50 as a random example number here, not an
  | actual measurement.
| ajolly wrote:
| There's been a number of in-person ctfs where hacking
| infrastructure was fair game... And did not have static arp
| entries set, and I ended up mitming all the traffic to the score
| server.
| Supermancho wrote:
| Would be nice if there was the briefest description about what
| CTF means here, since I expected it to be about gaming (ie Team
| Fortress)
| 
| https://www.enisa.europa.eu/news/enisa-news/capture-the-flag...
  | tester756 wrote:
  | As far as I understand it's competitive hacking/security
  | 
  | which requires really solid theoretical knowledge and hands-on
  | experience from various computer related topics like:
  | 
  | cryptography, reverse engineering, web, low lvl programming,
  | operating systems, networks, protocols, etc, etc.
  | 
  | Top competitors tend to work at e.g. Google for Project Zero or
  | other big institutions like CERT (https://en.wikipedia.org/wiki
  | /Computer_emergency_response_te...) or Banks
  | Snetry wrote:
  | It's Capture the Flag but instead of gunning down enemies you
  | have to hack a system that is vulnerable in some way
  | gynvael wrote:
  | Sorry about that. I added a paragraph after the first one in
  | the blog post. I didn't expect the blog post to travel beyond
  | the CTF community.
| mrcartmeneses wrote:
  | Retr0id wrote:
  | https://ctftime.org/ctf-wtf/
| znpy wrote:
| Dunno, many of those things are occasions for learning.
| 
| Back in like 2014 we were competing in RuCTF and some other team
| hacked our vulnbox and just shut down the rng, making the box
| effectively inaccessible via ssh and slow as molasses on
| tls-enabled services (besides capturing all of our flags).
| 
| It was an enlightening experience.
| 
| Now granted, ructf was of a particularly spectacular violence...
| but still, it's been an experience that has taught me a lot.
| jrockway wrote:
| > There were probably multiple common logic bugs.
| > However one that sticks out in my memory was when the
| > submission system would first check if the team already
| > submitted that flag (fast check in session) and if not, it
| > would check the flag in the database (slow), award points
| > (slow), and finally add the flag to the session (fast). Yup,
| > that's a race condition.
| 
| How is "insert into found_flag (team_id, flag_id, found_at)
| values ($1, $2, now()) on conflict do nothing" slower than this 4
| step race-condition-prone operation? (To get the score, "select
| count(1) from found_flag where team_id=$1".) You don't even need
| transactions for this, as long as you can't transition from found
| to not found somehow ("delete from found_flag where team_id=$1
| and flag_id=$2").
| 
| The only problem I see with this is where validating the correct
| answer is expensive; without another piece of data to show that
| validation has started, you can overload the checker by
| submitting your answer before the first validation routine
| succeeds. But that is also easy to track, with a timeout even,
| and you still don't need transactions.
| prvit wrote:
| > (or rather: fun factor after a couple of years passed and folks
| > stopped being annoyed or downright furious at the perpetrators)
| 
| Poor sports, I've always struggled to understand people who'd
| partake in hacking competitions and then get upset because
| someone got onto their computer and took all the flags.
  | thornewolf wrote:
  | "Poor sports, I've always struggled to understand people who'd
  | partake in a foot race and then get upset because someone
  | walked out of bounds to skip part of the race"
  | 
  | Simply because the context is hacking does not mean that
  | performing additional hacking outside of the context of the
  | competition is in the same spirit. Breaking the rules isn't
  | hacking better than another team, it's breaking the rules.
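As an added illustration of jrockway's point above (example code, not from the blog post or from anyone in the thread), this Python sketch runs the check-then-act order quoted from the blog against the single guarded INSERT on an in-memory SQLite scoreboard. The schema, the flag values and the `during_slow_step` hook that stands in for the slow window are constructed for this example; the upsert syntax needs SQLite 3.24 or newer.

```python
import sqlite3

# Constructed scoreboard schema for this example; not the organisers' real one.
SCHEMA = """
CREATE TABLE team (team_id INTEGER PRIMARY KEY, score INTEGER NOT NULL DEFAULT 0);
CREATE TABLE valid_flag (flag_id INTEGER PRIMARY KEY, flag TEXT UNIQUE NOT NULL);
CREATE TABLE found_flag (team_id INTEGER, flag_id INTEGER,
    found_at TEXT NOT NULL DEFAULT (datetime('now')), PRIMARY KEY (team_id, flag_id));
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO team (team_id) VALUES (1)")
    conn.executemany("INSERT INTO valid_flag VALUES (?, ?)", [(1, "CTF{alpha}"), (2, "CTF{beta}")])
    return conn

def submit_racy(conn, session, team_id, flag, during_slow_step=lambda: None):
    """Order from the quoted post: fast session check, slow lookup, slow award, fast
    session update. `during_slow_step` models the window in which a second request runs."""
    if flag in session:                                                         # 1. fast
        return False
    row = conn.execute("SELECT flag_id FROM valid_flag WHERE flag = ?", (flag,)).fetchone()  # 2. slow
    if row is None:
        return False
    during_slow_step()                                  # a duplicate request sneaks in here
    conn.execute("UPDATE team SET score = score + 1 WHERE team_id = ?", (team_id,))         # 3. slow
    session.add(flag)                                                           # 4. fast
    return True

def submit_atomic(conn, team_id, flag):
    """jrockway's alternative: one INSERT guarded by the (team_id, flag_id) primary
    key. rowcount says whether points were newly awarded; no session state needed."""
    cur = conn.execute("INSERT INTO found_flag (team_id, flag_id) "
                       "SELECT ?, flag_id FROM valid_flag WHERE flag = ? "
                       "ON CONFLICT DO NOTHING", (team_id, flag))
    return cur.rowcount == 1

def score_atomic(conn, team_id):
    return conn.execute("SELECT count(1) FROM found_flag WHERE team_id = ?", (team_id,)).fetchone()[0]

def demo_double_award():
    """Same flag submitted twice at once by one team. Returns (racy score, atomic score)."""
    conn, session = make_db(), set()
    submit_racy(conn, session, 1, "CTF{alpha}",
                during_slow_step=lambda: submit_racy(conn, session, 1, "CTF{alpha}"))
    submit_atomic(conn, 1, "CTF{alpha}")
    submit_atomic(conn, 1, "CTF{alpha}")
    racy = conn.execute("SELECT score FROM team WHERE team_id = 1").fetchone()[0]
    return racy, score_atomic(conn, 1)
```

The racy path credits the team twice for one flag, while the primary key turns the second INSERT into a no-op, which is the whole of jrockway's argument.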
  | PragmaticPulp wrote:
  | > Poor sports, I've always struggled to understand people who'd
  | > partake in hacking competitions and then get upset because
  | > someone got onto their computer and took all the flags.
  | 
  | The sport is about everyone racing to solve the same puzzles.
  | If one team is sabotaging the puzzles in the process, it's a
  | different kind of competition than the players expected.
  | Frustration is warranted.
  | 
  | It would be like signing up for the 100m dash but then having
  | your competitors throw obstacles into your lane. That wasn't
  | the intent of the competition.
    | prvit wrote:
    | > it's a different kind of competition than the players
    | > expected
    | 
    | CTFs are (usually) hacking competitions for hackers, what
    | else would you expect?
      | PeterisP wrote:
      | It's like saying in biathlon (skiing+shooting) how can you
      | arrive at the finish second if you have a working gun?
      | 
      | Rules are rules, there's a clearly defined scope of where
      | the fighting happens and where it does not.
___________________________________________________________________
(page generated 2022-07-23 23:00 UTC)