by Wenlei Zhu (zTrix@blue-lotus)
Last week, we represented team blue-lotus, consisting of me (zTrix), cbmixx, Aluex, Adrian, fqj and our beautiful photographer as well as translator, at Codegate CTF Finals 2014 in Seoul, South Korea. It was a really wonderful experience.
Since we are close to Seoul, we took off on April 1st, just one day before the game.
The good part of participating in offline CTF final events in South Korea is that we are familiar with the culture, and a time zone difference of only 1 hour causes no jet lag at all. Besides, some of us took part in Secuinside Finals 2013, which was also in Seoul. So basically, things went very smoothly.
But we still had some problems; the biggest one was language. We knew no Korean, and our translator and photographer always told us to communicate by ourselves; unless it was necessary, she wouldn't help us. So we tried as hard as we could, using simple English words, gestures, even a little Japanese, and amazingly, Korean people could understand us!
The CTF game started at 2 PM on April 2nd and lasted 20 hours, until 10 AM the next morning. All 14 teams (CLGT didn't manage to be present) were in a large hall, with the organizers located in a corner.
Most of the top CTF teams, such as PPP, More Smoked Leet Chicken and Dragon Sector, were in the competition. PPP sent their most powerful members, including the famous geohot. So even before the game, we could bet on PPP winning the championship without hesitation.
A total of 15 problems were released one after another. Here is the problem list.
- RPG, web, 300
- wsh, pwnable, 400
- akkka, reversing, 300
- running_danbi, mixed, 750
- graynode, reversing, 800
- TK, web, 200
- pentester, logical + pwnable, 450
- login page, web, 350
- securepack, mixed, 350
- trueman, web, 600
- fortune teller, crypto + pwnable, 650
- hexagrams, reversing, 600
- virtual terminal, pwnable, 500
- drupbox, pwnable, 400
- webboard, web, 350
So the problems can actually be categorized into web (lots of SQL injection) and binary analysis (with piggybacked crypto, logical and pwnable elements).
From our point of view, the problems were hard and tricky, but not for PPP. At 14:55, less than one hour from the beginning, the organizer announced first blood from PPP. After that, I can still remember they announced several first bloods for PPP, especially for graynode, the problem with the highest score. Actually, only PPP solved that problem throughout the game. As for us, we didn't even get time to open it.
We solved several web problems, and only one binary, the pentester, by me. The bug is a tricky logic error which could be called "use before init". A buffer malloced from the heap is created each time to store the password, but without initialization, which allowed us to dump the admin password byte by byte. Although the problem was marked as "Logical + Pwnable", it turned out there was nothing "pwnable" here; just exploiting the logic error was enough to score. I used my own io library, zio, which was very handy, and it took me less than 10 minutes to write the exploitation code after identifying the bug.
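The "use before init" bug class described above, as an added example that is not part of the original post and is not the challenge's code: a deterministic C model showing why a recycled, uninitialized buffer still holds a previous secret, next to the zero-on-allocate fix. The single-chunk allocator, function names and sample password are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SLOT 16

/* Constructed stand-in for the heap: a single chunk that is handed out
 * again after release with its old contents intact, as malloc/free may do. */
static unsigned char chunk[SLOT];

static unsigned char *chunk_alloc(void) { return chunk; }   /* like malloc */
static unsigned char *chunk_alloc_zeroed(void) {            /* like calloc */
    memset(chunk, 0, SLOT);
    return chunk;
}
static void chunk_free(unsigned char *p) { (void)p; }       /* like free: no wipe */

/* Writes only strlen(pw) bytes; the rest of the buffer is left untouched. */
static size_t store_password(unsigned char *buf, const char *pw) {
    size_t n = strlen(pw);
    if (n > SLOT) n = SLOT;
    memcpy(buf, pw, n);
    return n;
}

/* Stores `secret`, releases the chunk, then stores the shorter `next` in a
 * fresh allocation. Returns how many bytes of `secret` are still readable
 * past the newly written prefix. */
static size_t residue_after_reuse(int zero_on_alloc, const char *secret,
                                  const char *next) {
    unsigned char *a = chunk_alloc_zeroed();
    size_t slen = store_password(a, secret);
    chunk_free(a);

    unsigned char *b = zero_on_alloc ? chunk_alloc_zeroed() : chunk_alloc();
    size_t written = store_password(b, next);

    size_t stale = 0;
    for (size_t i = written; i < slen; i++)
        if (b[i] == (unsigned char)secret[i]) stale++;
    chunk_free(b);
    return stale;
}

int main(void) {
    const char *secret = "s3cretAdminPw";   /* constructed sample value */
    printf("no init:  %zu stale bytes\n", residue_after_reuse(0, secret, "ab"));
    printf("zeroed:   %zu stale bytes\n", residue_after_reuse(1, secret, "ab"));
    return 0;
}
```

In real code the equivalent fixes are allocating with `calloc` (or clearing the buffer right after `malloc`) and wiping secrets before `free`.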
Note that PPP scored more than the 2nd and 3rd places combined.
There was an interesting networking session after the CTF. We met a lot of interesting people. We met some members from pwnies; they were very friendly, and their pwntools is one of our favorite tools. Thanks for such a great tool! We talked with the awesome PPP members and got some clues on how they solved those hard problems. It was really great to meet those cool guys.
To conclude, I really appreciate this trip to South Korea to participate in such a great CTF. The problems were well prepared with very few defects, and the organizer provided a network router, cables, a switch, power sockets, and even food, so we could focus on solving problems. Thank you for hosting. Looking forward to Codegate CTFs in the future.