No time to sleep for the hacker teams that enrolled in the latest edition of DefCamp Capture the Flag! Over the past weekend, from 5th to 7th of December, one of the most shattering and rebellious security CTF competitions in Central Eastern Europe took place on the educational platform CyberEDU.ro.
Almost 400 teams from 70 countries embraced the challenge and registered for the competition. The hacking activity started from the first minute of the competition as all hackers were eager for some action and to get their place on the leaderboard.
Let’s see how things look on the leaderboard!
Yes, we definitely see some familiar team names on the leaderboard and we are happy to see teams who develop over the years and worked hard to overcome their own results.
First of all, congrats for the 0x90r00t team participating from France, they played at D-CTF last year as well and they managed to score the 5th place in the Finals. Now, they secured first place! Well done, guys!
WreckTheLine from Romania is also a team who played D-CTF last year and the year before last aaaaand this year too. They walked to the top quite steadily, one place per year and it’s amazing! Great job, team! Don’t forget to train hard on CyberEDU.ro and make sure you will reach the first place in 2021.
2018 – 4th place
2019 – 3rd place
2020 – 2nd place 💯
Kudos to @DefCampRO @cyberedu_ro and Congrats to @0x90r00t for taking first place. pic.twitter.com/iNEgt3fAZp
— WreckTheLine (@WreckTheLine) December 7, 2020
In third place, we have NOAR team from Korea, also loyal players of D-CTF over the years. They scored 6th place last year but now, they managed to secure 3rd place. Nicely played, team!
noxFort team from Israel is another team who fought hard for a place in the top and they reached the 4th place. They are born winners and they don’t give up easily, that’s for sure. Once they saw the 3rd place secured by another team, they send us a great write-up to make sure they will definitely score one of the Best Write-up prizes. That’s a pretty good strategy, team!
And let’s see the final winners!
Top 10 winners:
First 10 teams based on the total number of points that submitted write-ups in time.
- 0x90r00t (France)
- WreckTheLine (Romania)
- NOAR (Korea)
- noxFort (Israel)
- bootplug (Norway)
- MadrHacks (Italy)
- skateboarding dog (Australia)
- RootMeUpBeforeYouGoGo (France)
- CodWer (Romania)
- PwnHub (Romania)
Teams that wrote best write-ups, taking one of top 50 positions at the end of the event.
1. noxFort (Israel)
2. WreckTheLine (Romania)
3. bootplug (Norway)
Below are 3 lucky teams that solved only warm-up/entry level challenges.
1. L10n5 (India)
2. FER (Croatia)
3. CNTV Squad (Romania)
Lucky next stars:
Below are 3 lucky next stars that solved at least 2 challenges that are not warm-up/entry level, each solve is counted as 1 chance, more solves means more chances in the raffle.
Other interesting facts & figures from the D-CTF 2020.
- Almost 400 teams, from 70 countries
- The first flag was sent after only 02:36 minutes from since the competition kick-off by Team Aardvark (Romania)
- Over 7.7k wrong attempts for submitting flags
- Total correct flags submitted – over 1.5k
- The organisers proposed 26 challenges, of various difficulties, starting from challenges easy to be solved by newcomers but also exercises proposed for experts.
How can each challenge from #DCTF20 be solved?
Almost all challenges are now available for free in the CyberEDU.ro Educational Archive. Below you can see what players had to do in this 48-hours hacking marathon.
syntax-check: level – medium; category – web
The teams had to abuse a vulnerability called XML External Entities (XXE) injection and use PHP filters to exfiltrate files. Moreover, they had to bypass some restrictions and find a good filter to extract the flag file.
bro64: level – Easy; category – Cryptography
Teams had to connect to the server and decrypt the encoded message with a cypher called ChaCha20.
darkmagic: level – Medium; category – Pwn
Teams received a binary file that contained a format string vulnerability which could be exploited to leak information. Moreover, the binary had another vulnerability called stack based buffer overflow, allowing players to control the flow of the program. They had to leak the stack canary and overwrite the value of stack canary (in order to bypass __stack_chk_fail). Since the loop runs only one time, they also need to overwrite the stack variable that counts how many times the loop runs. Finally, players could align the stack and then jump into the getshell() command which spawned a shell.
bazooka: level – Easy; category – Pwn
Teams received a binary file that contained a vulnerability in the function called vuln() which could be abused by sending at least 112 bytes. Moreover, the binary had a helper gadget in order to perform stack manipulation which could be used craft a payload that enabled players to spawn a shell.
am-I-crazy: level – Medium; category – Web
Teams received the source code of a web application that contained an input limited to 15 characters which could be used to run a payload.
http-for-pros: level – Hard; category – Web
Teams received access to a web application that contained a vulnerability called Server Side Template Injection (SSTI). Moreover, the application performed various checks in order to filter potential injections. The goal was to bypass blacklist using other GET request arguments and string concatenation in order to execute shell commands.
secret-reverse: level – Medium; category – Reverse, Cryptography
Players received a binary file that opens up a file message.txt and prints out the encoded version of it.
The goal was to find some input that once encoded, it becomes the predefined value provided by the organisers.
strippedGO: level – Medium; category – Reverse, Cryptography
Players received a binary written in Go and the goal was to find the flag by opening the file in a Static/Dynamic Code Analyser, recover symbols and search for strings.
inorder: level – Hard; category – Side Channel Attack, Programming
Players received access to the source code of an application that had several functions which allowed teams to add values in Binary Search Tree (BST). The application was searching in the tree for the flag and the goal was to find a way to leak the flag.
The flag could be leaked by abusing a side channel attack controlling the input of the BST. You could craft the inputs in such a way that searches would become slow. By performing a binary search using this time-based vulnerability, the players could recover character-by-character the flag.
Another approach was to abuse a segmentation fault (which works only on linux), that prevents the recursion depth to go over ~15,000 recursive calls. The binary search can be used to retrieve the flag but instead of following the time it takes for the application to close, we follow if the application throws a segmentation fault at the end. When this happens, it means that the actual flag character is smaller than the character tested and when it doesn’t throw segfault, it’s either the correct character or we need to look for a higher char.
cross-me: level – Medium; category – Web
Teams received access to a web application that contained a cross site scripting vulnerability which could be exploited by bypassing 4 regex filters.
spy-agency: level – Medium; category – Forensics, Reverse, Mobile, Misc
Teams received a windows memory dump that can be opened with Volatility and the goal was to find an Android Package (APK) file that was downloaded by the user, find the coordinates of the picture and apply some basic steganography in order to recover the flag.
kalf-game: level – Medium; category – Reverse
Players received a snake binary game written in Rust that contained the flag hidden inside. Their goal was to find the registry which must be patched in order to exfiltrate the flag.
t3am_vi3w3r: level – Medium; category – Forensics, Networking
Players received a packet capture (pcap) that could be opened with Wireshark. The dump contained a Virtual Network Computing (VNC) stream. The flag was in the conversation.
dumb-discord: level – Medium; category – Web, Reverse, Misc
Players received the .pyc file of a Discord bot written in Python which could be invited in private channels. The goal was to trick the bot to print the command /getflag.
pirate-crawler: level – Hard; category – Web
Players received access to a web application that contained several vulnerabilities, including Arbitrary File Read which could be discovered after applying fuzzing and enumeration techniques. This allowed teams to leak the source code which leaked a Samba (SMB) API. Players had to find the username and brute force the password of this service and finally leak the flag.
notor: level – Hard; category – Web, Network, Forensics, Misc
Teams were presented a packet capture (pcap) which contained records about activity of a user including a link to a webshell on a public server. This could be obtained after performing an enumeration tehnique.
Once on the server, the webshell could be used to enumerate local network assets. Players had to find another server with some network tools and execute a port knocking sequence to open the communication on the HTTP server. This HTTP server gave the attacker access to valuable data including the flag.
qr-mania: level – Medium; category – Network, Misc, Programming, Image Manipulation
Players were presented with a packet capture (pcap) that contained 69 images with malformed QR codes, each image containing a letter from the flag. Players had to write a script in order to recover the flag.
broken-login: level – Easy; category – Misc, Programming, Brute Force
Players had to find weak authentication vulnerabilities such as user enumeration and then bypass the authentication by finding the user’s password.
environ: level – Hard; category – Web
Players received a link to a laravel web application that had a /backup folder with the actual git repository freely available.
They had to recover the files, leak the .env file which contains AES IV/KEY, create a php chain payload for Laravel using a disclosed custom middleware as a gadget, cipher the payload with the leaked IV/KEY and encode it in base64, send the payload to /decode/[PAYLOAD] and obtain a Remote Code Execution vulnerability.
hunting-into-the-wild: level – Medium; category – Forensics, Networking, Malware, ELK
Players received access to an Elastic Stack (ELK & Kibana) database that contained various logs from several systems that was supposedly infected with an Advanced Persistent Threat (APT). In order to answer the questions, players had to know about various concepts such as: elastic search, kibana, mimikatz, winlogbeats, mitre attack framework, windows native tools used by APTs to leverage access while staying stealth, how to filter logs etc.
alien-inclusion: level – Entry Level; category – Web
Players received a basic web application that had a parameter which could be abused by an attacker in order to perform an Arbitrary File Read vulnerability. They could include the file of their choice via POST[‘start’] parameter.
stug-reference: level – Entry Level; category – Steganography
Players received an image containing a flag.txt file hidden which could be recovered using steghide.
basic-coms: level – Entry Level; category – Forensics
Players received a Packet Capture (pcap) file. They could find the HTTP exchange and read the flag in the HTTP request important parameter.
yopass-go: level – Entry level; category – Reverse
Players received a binary file that leaked the flag when a function like “strings” was applied.
why-xor: level – Entry Level; category – Cryptography
Players received the source code for a web application has an obfuscated code with xor encoding.
You can take your pick and try solving these challenges here.
Last but not least, we take this opportunity to thank our partners Orange, Bit Sentinel and Cegeka for supporting us to keep organizing DefCamp Capture the Flag for you every year. We hope you enjoyed the competition and we will meet again for future editions. In the meantime, keep your skills sharp on CyberEDU.