[HN Gopher] An informal review of CTF abuse
___________________________________________________________________
An informal review of CTF abuse
Author : tybulewicz
Score : 33 points
Date : 2022-07-23 17:37 UTC (5 hours ago)
(HTM) web link (gynvael.coldwind.pl)
(TXT) w3m dump (gynvael.coldwind.pl)
| oblak wrote:
| I've been playing shooters for almost 30 years now, and that
| includes a lot of CTF on top of tons of duel and TDM. Quake, UT,
| TF2 (just got back to it after a decade).
|
| That said, I have no idea what this guy is talking about. I
| thought he was talking about gaming but the more I read, the more
| confused I get. Especially the facebook part. What is going on
| here?
|
| edit: thanks, Retr0id
| Retr0id wrote:
| https://ctftime.org/ctf-wtf/
| ajolly wrote:
| If you like that, HackFortress is a CTF that combined both
| sides, the video game playing and the hack style CTF. Looks
| like they're going to be back this year for defcon, I ran a
| team for several years.
|
| I found it to be some of the most fun ctfs I played, partially
| because it was extremely time-bound. Rounds were 20 to 30
| minutes each. It meant that you still had the rest of your
| conference time for other activities, rather than taking over
| your entire weekend.
| gwern wrote:
| > The score is just a number in the database
|
| The enemy's gate is down!
| tester756 wrote:
| What happened to author's team (Dragon Sector)?
|
| Until 2020 they were almost always around top3 and a few times
| top1 teams in the world according to https://ctftime.org/
|
| but in 2021/2022 I don't see them
| Retr0id wrote:
| This is a relatively common pattern in CTF (and probably, other
| competitive activities). Being a top-level CTF competitor takes
| a big time investment, both in terms of maintaining your
| skills, and actually competing.
|
| It's hard for an individual to maintain that level of
| commitment over time, especially if their personal
| responsibilities increase (getting a full-time job, starting a
| family, etc.). Responsibilities aside, people also just get
| bored and/or burnt out (after a point, most challenges are just
| variations on something you've seen before).
|
| For a team to stay competitive over time, they either need
| enough members to fill the gaps, or a sustainable influx of new
| members.
| gynvael wrote:
| Also the pandemic happened. In the later years we were
| playing mostly to go to offline finals. And the pandemic
| meant no offline finals.
| tester756 wrote:
| Imma use that opportunity and ask
|
| Are skills of military/state-level actors comparable with
| CTF people?
|
| Or they're mostly focused on different things, so it's
| tricky to compare those things?
|
| I'm asking because it feels like at the end of the day all
| of those groups search for 0days
| ajolly wrote:
| Also, a lot of the time they can be the same people. Just
| one set of targets for your day job, one set of targets for
| fun at the CTF. (and the CTF challenges are probably
| easier)!
| gynvael wrote:
| There is some overlap, but only some.
|
| In general CTF problems are limited in the sense that
| they need to be solvable within the tournament time
| frame (usually 48h), and also the process is simpler -
| you don't have to be quiet, you grab the flag and that's
| it; no need to think beyond that point (i.e. no need to
| worry about backdooring, C2, hiding the traffic, lateral
| movement, detection, etc).
|
| Also CTF problems might be super specific, to the extent
| of being unlikely to be encountered in the real world. The
| real world is a bit different - a lot of systems have the
| same old boring issues. On the flip side, when dealing
| with 0-days in stuff like modern browsers you are likely
| to exceed the level of complexity of even top CTF pwn
| challenges - mostly due to the aforementioned time
| constraint in CTFs.
|
| That said, a lot of technical skills would be
| transferable between both areas. Regardless which way one
| would switch, there would still be a decent amount of
| learning (e.g. learning the CTF metagame, learning to
| think beyond getting a shell).
| tester756 wrote:
| Thank you
| robocat wrote:
| The first comment explains why they didn't win one competition
| in 2014: 2022-07-23 18:58:31 = -ENOCHEAT
| > I also saw once a player trying to swipe a piece of paper
| with configuration (user/password) details of another team on
| an Attack&Defense style CTF. They were caught in the act and
| their team got some penalty for it. We did exactly
| that at the Nuit du Hack CTF finals in 2014 to snatch the win
| against you folks (Dragon Sector). Since there was a flag
| specifically designed around shoulder surfing (taped to the
| network switch on each team's table) we asked organizers
| whether swiping the config credentials was fair game, and they
| said it was completely fine. Absurd, but hey, I don't make the
| rules :)
| charcircuit wrote:
| >However there are stories of teams going a step further and
| hacking home routers from random IPs located in various
| countries. I guess that's trading in ethics and legality for CTF
| points.
|
| Is finding a single proxy in a country that hard that you need to
| do that? I would assume proxy lists including each country would
| already exist.
| gynvael wrote:
| Basically the first 50 countries were easy using whatever
| methods. The next 50 were doable. But then the struggle really
| began and some teams started getting desperate/creative I
| guess.
|
| Note that I'm using 50 as a random example number here, not an
| actual measurement.
| ajolly wrote:
| There have been a number of in-person CTFs where hacking
| infrastructure was fair game... and they did not have static ARP
| entries set, so I ended up MITMing all the traffic to the score
| server.
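A detector for the situation ajolly describes: a team box learns the score server's IP-to-MAC binding from whatever answers its ARP request, so a host on the same segment that answers for that IP with its own MAC receives the traffic. This is an added example, not code from the thread or from any CTF organiser; the addresses, the three frames and the `ip neigh` command in the docstring are assumptions, and the parser handles only Ethernet/IPv4 ARP.

```python
"""ARP-poisoning detector: a host starts answering for the score server's
IP with a different MAC. Added example; addresses and frames are constructed."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def _ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP (RFC 826) frame: constructed sample input."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = _mac_bytes(dst) + _mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # hw=Ethernet, proto=IPv4
           + _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
           + _mac_bytes(target_mac) + _ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "eth_src": _mac_str(frame[6:12]),
            "sender_mac": _mac_str(frame[22:28]), "sender_ip": _ip_str(frame[28:32]),
            "target_mac": _mac_str(frame[32:38]), "target_ip": _ip_str(frame[38:42])}


def detect_poisoning(frames, pinned=None):
    """Flag ARP frames whose sender binding contradicts a pinned (static) entry,
    or else the first binding seen on the wire. Without pinning the detector can
    only notice a *change*, so a poisoner that speaks first looks legitimate;
    that is what a static entry on each box fixes (on Linux, assumed here:
    `ip neigh replace <ip> lladdr <mac> dev eth0 nud permanent`)."""
    pinned = dict(pinned or {})
    learned = {}
    alerts = []
    for idx, frame in enumerate(frames):
        pkt = parse_arp(frame)
        if pkt is None:
            continue
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        expected = pinned.get(ip, learned.get(ip))
        if expected is not None and expected != mac:
            alerts.append({"frame": idx, "ip": ip, "expected_mac": expected,
                           "claimed_mac": mac,
                           "op": "reply" if pkt["op"] == ARP_REPLY else "request"})
        learned.setdefault(ip, mac)   # remember the first binding only
    return alerts


# Constructed addresses: team box asks for the score server, the server answers,
# then a third host answers for the server's IP with its own MAC.
SCORE_SERVER_IP, SCORE_SERVER_MAC = "10.0.0.1", "02:00:00:00:00:01"
TEAM_BOX_IP, TEAM_BOX_MAC = "10.0.0.7", "02:00:00:00:00:07"
POISONER_MAC = "02:00:00:00:00:66"

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, TEAM_BOX_MAC, TEAM_BOX_IP, "00:00:00:00:00:00", SCORE_SERVER_IP),
    build_arp(ARP_REPLY, SCORE_SERVER_MAC, SCORE_SERVER_IP, TEAM_BOX_MAC, TEAM_BOX_IP),
    build_arp(ARP_REPLY, POISONER_MAC, SCORE_SERVER_IP, TEAM_BOX_MAC, TEAM_BOX_IP),
]
PINNED = {SCORE_SERVER_IP: SCORE_SERVER_MAC}

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_FRAMES, PINNED):
        print(alert)
    # Poisoner speaks first: only the pinned table catches it.
    print(detect_poisoning(SAMPLE_FRAMES[2:]))          # []
    print(detect_poisoning(SAMPLE_FRAMES[2:], PINNED))  # one alert
```

Feeding it real traffic means replacing `SAMPLE_FRAMES` with frames read from a raw socket or a pcap; the detector itself only needs the sender fields, so it works on both requests and replies, and the `pinned` table is what turns "the binding changed" into "the binding is wrong".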
| Supermancho wrote:
| Would be nice if there was the briefest description about what
| CTF means here, since I expected it to be about gaming (ie Team
| Fortress)
|
| https://www.enisa.europa.eu/news/enisa-news/capture-the-flag...
| tester756 wrote:
| As far as I understand it's competitive hacking/security
|
| which requires really solid theoretical knowledge and hands-on
| experience from various computer related topics like:
|
| cryptography, reverse engineering, web, low lvl programming,
| operating systems, networks, protocols, etc, etc.
|
| Top competitors tend to work at e.g. Google for Project Zero or
| other big institutions like CERT (https://en.wikipedia.org/wiki
| /Computer_emergency_response_te...) or banks
| Snetry wrote:
| It's Capture the Flag, but instead of gunning down enemies you
| have to hack a system that is vulnerable in some way
| gynvael wrote:
| Sorry about that. I added a paragraph after the first one in
| the blog post. I didn't expect the blog post to travel beyond
| the CTF community.
| mrcartmeneses wrote:
| Retr0id wrote:
| https://ctftime.org/ctf-wtf/
| znpy wrote:
| Dunno, many of those things are occasions for learning.
|
| Back in like 2014 we were competing in RuCTF and some other team
| hacked our vulnbox and just shut down the rng, making the box
| effectively inaccessible via ssh and slow as molasses on tls-
| enabled services (besides capturing all of our flags).
|
| It was an enlightening experience.
|
| Now granted, RuCTF was of a particularly spectacular violence...
| but still, it's been an experience that has taught me a lot.
| jrockway wrote:
| > There were probably multiple common logic bugs. However one
| that sticks out in my memory was when the submission system would
| first check if the team already submitted that flag (fast check
| in session) and if not, it would check the flag in the database
| (slow), award points (slow), and finally add the flag to the
| session (fast). Yup, that's a race condition.
|
| How is "insert into found_flag (team_id, flag_id, found_at)
| values ($1, $2, now()) on conflict do nothing" slower than this 4
| step race-condition-prone operation? (To get the score, "select
| count(1) from found_flag where team_id=$1".) You don't even need
| transactions for this, as long as you can't transition from found
| to not found somehow ("delete from found_flag where team_id=$1
| and flag_id=$2").
|
| The only problem I see with this is where validating the correct
| answer is expensive; without another piece of data to show that
| validation has started, you can overload the checker by
| submitting your answer before the first validation routine
| succeeds. But that is also easy to track, with a timeout even,
| and you still don't need transactions.
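The four-step pattern quoted above and the single-statement alternative jrockway proposes, run under a deterministic race. This is an added example, not code from the blog post, the comment or any CTF platform; it uses SQLite in place of Postgres (so `on conflict do nothing` is written `INSERT OR IGNORE`), and the table names, the flag value and the use of a barrier to stand in for the slow steps are all constructed.

```python
"""Flag submission: session check-then-award vs. an atomic INSERT keyed on
(team_id, flag_id). Added example; the fixture is constructed."""
import sqlite3
import threading

FLAG_VALUE = "CTF{r4c3_m3}"   # constructed sample flag
TEAM_ID = 1


class Db:
    """One in-memory SQLite connection shared by all request threads. Each
    statement runs under a lock (a real DB serialises statements the same way);
    the handler's multi-step sequence is deliberately NOT locked."""

    def __init__(self):
        self.con = sqlite3.connect(":memory:", check_same_thread=False)
        self.lock = threading.Lock()
        self.con.executescript("""
            CREATE TABLE flags (flag_id INTEGER PRIMARY KEY, value TEXT UNIQUE);
            CREATE TABLE scores (team_id INTEGER PRIMARY KEY, points INTEGER NOT NULL);
            CREATE TABLE found_flag (
                team_id INTEGER NOT NULL, flag_id INTEGER NOT NULL,
                found_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
                PRIMARY KEY (team_id, flag_id));  -- a resubmission conflicts here
        """)
        self.run("INSERT INTO flags (value) VALUES (?)", (FLAG_VALUE,))
        self.run("INSERT INTO scores VALUES (?, 0)", (TEAM_ID,))

    def run(self, sql, params=()):
        """Execute one statement; return (rows, number of rows changed)."""
        with self.lock:
            cur = self.con.execute(sql, params)
            rows = cur.fetchall()
            self.con.commit()
            return rows, cur.rowcount


def submit_racy(db, session, value, gate):
    """The quoted pattern: (1) fast session check, (2) slow DB lookup,
    (3) award points, (4) record in session. `gate` stands in for the slow
    window between (2) and (3) during which duplicates are already in flight."""
    if value in session:                                                     # (1)
        return False
    rows, _ = db.run("SELECT flag_id FROM flags WHERE value = ?", (value,))  # (2)
    if not rows:
        return False
    gate.wait()   # every duplicate request has passed step (1) by now
    db.run("UPDATE scores SET points = points + 1 WHERE team_id = ?", (TEAM_ID,))  # (3)
    session.add(value)                                                       # (4)
    return True


def submit_atomic(db, session, value, gate):
    """Dedup and award in one statement. INSERT OR IGNORE is SQLite's spelling
    of Postgres' ON CONFLICT DO NOTHING: the primary key turns a duplicate into
    a no-op, and the score is derived from found_flag, never incremented."""
    rows, _ = db.run("SELECT flag_id FROM flags WHERE value = ?", (value,))
    if not rows:
        return False
    gate.wait()   # same adversarial timing as above
    _, changed = db.run(
        "INSERT OR IGNORE INTO found_flag (team_id, flag_id) VALUES (?, ?)",
        (TEAM_ID, rows[0][0]))
    return changed == 1   # exactly one concurrent submitter gets True


def score_racy(db):
    return db.run("SELECT points FROM scores WHERE team_id = ?", (TEAM_ID,))[0][0][0]


def score_atomic(db):
    return db.run("SELECT COUNT(*) FROM found_flag WHERE team_id = ?",
                  (TEAM_ID,))[0][0][0]


def run_race(handler, scorer, n=5):
    """Fire n identical submissions of the same flag concurrently.
    Returns (number of submissions accepted, resulting score)."""
    db, session, gate, results = Db(), set(), threading.Barrier(n), []

    def worker():
        results.append(handler(db, session, FLAG_VALUE, gate))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), scorer(db)


if __name__ == "__main__":
    print("racy  :", run_race(submit_racy, score_racy))      # (5, 5): paid five times
    print("atomic:", run_race(submit_atomic, score_atomic))  # (1, 1)
```

The barrier makes the interleaving reproducible rather than probabilistic: every duplicate passes the session check before any of them reaches the award step, which is exactly what happens under load when the DB steps are slow. The atomic version needs no transaction for the reason jrockway gives; as long as nothing deletes from `found_flag`, the row either exists or it does not, and the count is the score.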
| prvit wrote:
| >(or rather: fun factor after a couple of years passed and folks
| stopped being annoyed or down right furious at the perpetrators)
|
| Poor sports, I've always struggled to understand people who'd
| partake in hacking competitions and then get upset because
| someone got onto their computer and took all the flags.
| thornewolf wrote:
| "Poor sports, I've always struggled to understand people who'd
| partake in a foot race and then get upset because someone
| walked out of bounds to skip part of the race"
|
| Simply because the context is hacking does not mean that
| performing additional hacking outside of the context of the
| competition is in the same spirit. Breaking the rules isn't
| hacking better than another team, it's breaking the rules.
| PragmaticPulp wrote:
| > Poor sports, I've always struggled to understand people who'd
| partake in hacking competitions and then get upset because
| someone got onto their computer and took all the flags.
|
| The sport is about everyone racing to solve the same puzzles.
| If one team is sabotaging the puzzles in the process, it's a
| different kind of competition than the players expected.
| Frustration is warranted.
|
| It would be like signing up for the 100m dash but then having
| your competitors throw obstacles into your lane. That wasn't
| the intent of the competition.
| prvit wrote:
| >it's a different kind of competition than the players
| expected
|
| CTFs are (usually) hacking competitions for hackers, what
| else would you expect?
| PeterisP wrote:
| It's like saying in biathlon (skiing+shooting) how can you
| arrive at the finish second if you have a working gun?
|
| Rules are rules, there's a clearly defined scope of where
| the fighting happens and where it does not.
___________________________________________________________________
(page generated 2022-07-23 23:00 UTC)