Defcon 2015 CTF finals

Following the Blackhat conference, I participated in the Defcon CTF finals as part of the 0daysober team, which had qualified in 10th position last June. This event has been organized by Legit BS for the last 2 years.

Principle

In order to participate in the finals you have to either win a qualifying event (PlaidCTF, Boston Key Party, GitS, …) or finish in the top 10 teams of the Defcon CTF qualifier, which was 0daysober's case this year. Unlike the official qualifier, which is in jeopardy style with challenges in categories such as pwnables, reverse, misc, babys-first and coding, the finals are in true Capture The Flag mode with only pwnables.

Each team is given access to an identical set of hosts running challenges, opened gradually over the 3 days of the CTF. Those hosts are only accessible during the day (10am – 7pm), meaning that teams have to continue working on the challenges offline at night (after a beer break :)). This last point can however be more complicated when challenges require connectivity to a server, like irkd or hackermud this year.

As this is a CTF, teams have to find vulnerabilities in the services both to attack other teams and to patch them so their own flags cannot be stolen by others. Teams can score points on services every 5 minutes by submitting stolen flags to the organisers' system: for each flag per service per team successfully exploited, a team wins points. Scoring is also impacted when a team is successfully attacked or when its services are not available. As such, it is not possible to “patch” services by simply blocking connections.

Every 15 minutes the organisers released the network traffic directed at each team's network in the form of PCAP files.

Challenges

Traditionally, Defcon CTF finals challenges were 32-bit binaries running on FreeBSD. This has since evolved and services now run on multiple architectures and OSes. The first one available was running on Linux x64, which is quite standard. Then came Linux services on MIPS (running on a Ci20 board) and AArch64. After joking about releasing a challenge running on Sparc, the organisers finally opened a challenge on Windows…IoT. That was quite a surprise, and although we were more or less prepared to handle Windows challenges, the ARM one was not at all expected. Also, this challenge required a Raspberry Pi 2 if you wanted to debug your exploit on the side.

Each service had various types of vulnerabilities (buffer overflow, integer overflow, format string bug, …) and sometimes required exploiting other vulnerabilities, like a memory leak or an off-by-one, to be fully exploited and to bypass protections such as ASLR and DEP. Some challenges also required first reverse engineering the encrypted protocol the service was using in order to understand how to reach the vulnerable code.

One of the challenges was quite different, as it was limited to the first 4 teams that solved the AArch64 one and was in sudden-death mode (only the first player to solve it gets the points). As we were part of those 4, one of our team members participated in a livectf which consisted in exploiting another AArch64 binary, this time requiring a ROP exploit. Although it was quite close, PPP went for the win and gained 1000 points. This special event was filmed and should soon be available online on Youtube/Twitch.

Team

During these Defcon finals we were 8 on-site, each focussing on a specific task such as reverse engineering, exploit writing, binary patching, monitoring and PCAP analysis to reverse other teams' exploits. We were also helped by a remote elite reverser/pwner during those 3 days.

For me it was a first at the Defcon CTF, but some team members had already played the finals last year under the w3stormz name.

0daysober

Conclusion

For a first experience at the Defcon finals it was quite a success, since we ended up in third place, right behind PPP (second) and DEFKOR (first). The winning team, DEFKOR, is really ahead in the game and looked untouchable during the event, as well as during other CTFs this year.

Having created challenges for CTF events before, I can imagine the work Legit BS had to do so that everything went smoothly during these finals. Big thanks to them for organising it!
