This came on my radar when a TinyCTF challenge from 2014 showed up and I ended up looking at the other challenges to see what was done. The ones that were not borrowed from TinyCTF were mostly documentation- or forensics-related, which I assume were created by the CTF organizers.
| Challenge Name | Type | Points | Flag | Details |
|---|---|---|---|---|
| Choo Choo! | Puzzle | 50 | snc 52 | Link |
| Fore! | Web | 250 | it's_a_h0le_in_0ne | Link |
| Undocumented Instruction in x86 | Puzzle | 75 | LOADALL | Link |
| BFF..or P? | Puzzle | 100 | esolangs_for_fun_and_profit | Link |
| It's OK to be a CISsy! | Puzzle | 250 | 3,8,7,4,9,5,6,1,2 | N/A |
| Hail Caesar | Crypto | 50 | ITSHAPPENING | N/A |
| Crypto for you sir! | Crypto | 100 | no_this_is_not_crypto_my_dear | Link |
| First time flag test | Crypto | 100 | hello_world | Link |
| János the Ripper | Crypto | 250 | ev3n::y0u::bru7us?! | Link |
| Movie Time! | RE | 100 | poppopret | Link |
| Ooooh! What does this button do Dexter? | RE | 250 | w4nn4_j4r_my_d3x | Link |
| Gandalf! | RE | 500 | s0me7hing_S0me7hinG_t0lki3n | Link |
| Sound Bites! | Misc | 250 | infosec_flagis_sound | Link |
The annoying aspect of this is that with 'Crypto for you sir!' the flag ends up being wrong when you solve it. Here is the ciphertext:
XMVZGC RGC AMG RVMG HGFGMQYCD VT VWM BYNO, NSVWDS NSGO RAO XG UWFN AF HACDGMVWF. AIRVFN AII AMG JVRRVC-XVMC, FYRBIG TVIZ ESV SAH CGQGM XGGC RVMG NSAC A RYIG TMVR NSG SVWFG ESGMG NSGO EGMG XVMC WCNYI NSG HAO FVRG IVMH JARG MVWCH NV NAZG NSGR VTT NV EAM. OVWM TIAD YF "CV NSYF YF CVN JMOBNV RO HGAM", YC IVEGMJAFG, EYNS WCHGMFJVMGF YCFNGAH VT FBAJGF, FWMMVWCHGH XO NSG WFWAI "TIAD" NAD ACH JWMIO XMAJGF. GCUVO.
When decoded it comes out as this:
BROKEN MEN ARE MORE DESERVING OF OUR PITY, THOUGH THEY MAY BE JUST AS DANGEROUS. ALMOST ALL ARE COMMON-BORN, SIMPLE FOLK WHO HAD NEVER BEEN MORE THAN A MILE FROM THE HOUSE WHERE THEY WERE BORN UNTIL THE DAY SOME LORD CAME ROUND TO TAKE THEM OFF TO WAR. YOUR FLAG IS "NO THIS IS NOT CRYPTO MY DEAR", IN LOWERCASE, WITH UNDERSCORES INSTEAD OF SPACES, SURROUNDED BY THE USUAL "FLAG" TAG AND CURLY BRACES. ENJOY.
Based on that, you'd assume you'd want to submit flag{no_this_is_not_crypto_my_dear} as your flag, but nope: you have to get rid of the "flag" and curly braces as well. This lack of consistent flag formatting repeated itself across all of the other answers that were borrowed from TinyCTF.
Now in their defence, they did say in the challenge that you are to submit it without the braces, but why not just write your own Caesar cipher? Automated deciphering was used here, so why not just use a generator to create something original?
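A known ciphertext/plaintext pair like the one above gives away the entire substitution table, so the only real work left in this challenge is the flag formatting. The script below is an added example (my code, not part of the original write-up or the CTF's own materials): it learns the cipher-to-plain mapping from the two strings quoted above, rejects the pair if it is not a consistent one-to-one substitution, reports whether the mapping is a single Caesar shift (for this pair it is not; it is a general monoalphabetic substitution, with three letters never exercised by the text), and applies the formatting rules the challenge text states. The function names and the `wrap` parameter are my own.

```python
# Added example: recover and sanity-check the substitution key behind the
# 'Crypto for you sir!' ciphertext from its known plaintext. The two strings
# are the ones quoted in the write-up; everything else here is mine.
import string

CIPHERTEXT = (
    'XMVZGC RGC AMG RVMG HGFGMQYCD VT VWM BYNO, NSVWDS NSGO RAO XG UWFN AF '
    'HACDGMVWF. AIRVFN AII AMG JVRRVC-XVMC, FYRBIG TVIZ ESV SAH CGQGM XGGC '
    'RVMG NSAC A RYIG TMVR NSG SVWFG ESGMG NSGO EGMG XVMC WCNYI NSG HAO FVRG '
    'IVMH JARG MVWCH NV NAZG NSGR VTT NV EAM. OVWM TIAD YF "CV NSYF YF CVN '
    'JMOBNV RO HGAM", YC IVEGMJAFG, EYNS WCHGMFJVMGF YCFNGAH VT FBAJGF, '
    'FWMMVWCHGH XO NSG WFWAI "TIAD" NAD ACH JWMIO XMAJGF. GCUVO.'
)
PLAINTEXT = (
    'BROKEN MEN ARE MORE DESERVING OF OUR PITY, THOUGH THEY MAY BE JUST AS '
    'DANGEROUS. ALMOST ALL ARE COMMON-BORN, SIMPLE FOLK WHO HAD NEVER BEEN '
    'MORE THAN A MILE FROM THE HOUSE WHERE THEY WERE BORN UNTIL THE DAY SOME '
    'LORD CAME ROUND TO TAKE THEM OFF TO WAR. YOUR FLAG IS "NO THIS IS NOT '
    'CRYPTO MY DEAR", IN LOWERCASE, WITH UNDERSCORES INSTEAD OF SPACES, '
    'SURROUNDED BY THE USUAL "FLAG" TAG AND CURLY BRACES. ENJOY.'
)


def derive_key(ciphertext, plaintext):
    """Return a cipher->plain letter map learned from a known pair.

    Raises ValueError if the pair is not a consistent one-to-one
    (monoalphabetic) substitution: a cipher letter standing for two plain
    letters, a plain letter coming from two cipher letters, or punctuation
    that does not line up position for position.
    """
    if len(ciphertext) != len(plaintext):
        raise ValueError("ciphertext and plaintext differ in length")
    forward, inverse = {}, {}
    for c, p in zip(ciphertext, plaintext):
        if c not in string.ascii_uppercase:
            if c != p:
                raise ValueError(f"non-letter mismatch: {c!r} vs {p!r}")
            continue
        if forward.setdefault(c, p) != p:
            raise ValueError(f"{c} maps to both {forward[c]} and {p}")
        if inverse.setdefault(p, c) != c:
            raise ValueError(f"{p} comes from both {inverse[p]} and {c}")
    return forward


def caesar_shift(key):
    """Return the shift if every mapping is the same rotation, else None."""
    shifts = {(ord(p) - ord(c)) % 26 for c, p in key.items()}
    return shifts.pop() if len(shifts) == 1 else None


def cipher_alphabet(key):
    """Cipher letter for each plain letter A..Z, with '?' where the known
    text never exercised that letter (a known-plaintext pair only recovers
    the letters it actually contains)."""
    inverse = {p: c for c, p in key.items()}
    return "".join(inverse.get(p, "?") for p in string.ascii_uppercase)


def decrypt(ciphertext, key):
    """Apply the recovered key; letters outside the key come out as '?'."""
    return "".join(key.get(ch, "?") if ch.isalpha() else ch for ch in ciphertext)


def flag_from_plaintext(plaintext, wrap=True):
    """Format the first quoted phrase the way the challenge text says to:
    lowercase, underscores for spaces, and (when wrap=True) inside flag{...}.
    wrap=False gives the bare form the write-up says was actually accepted."""
    start = plaintext.index('"') + 1
    end = plaintext.index('"', start)
    phrase = plaintext[start:end].lower().replace(" ", "_")
    return f"flag{{{phrase}}}" if wrap else phrase


if __name__ == "__main__":
    key = derive_key(CIPHERTEXT, PLAINTEXT)
    print("letters recovered: ", len(key), "of 26")
    print("cipher alphabet:   ", cipher_alphabet(key))
    print("Caesar shift:      ", caesar_shift(key))
    print("flag as described: ", flag_from_plaintext(PLAINTEXT))
    print("flag as accepted:  ", flag_from_plaintext(PLAINTEXT, wrap=False))
```

Running it shows 23 of 26 letters recovered, no single shift (so `caesar_shift` returns `None`), and the two flag spellings the post describes; the one-to-one check in `derive_key` is what tells you the quoted pair really is a plain substitution and not something with homophones or a transposition layered on top.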
Of the 2,325 points I list above, 350 were solutions that they likely created themselves--I did not bother attempting the rest of the challenges. In the case of Choo Choo, it was literally watching a YouTube video and looking at the markings on the second train to come up with an answer. Of course, since there were inconsistencies across the flags where you either used underscores or you didn't, and since there were at least three markings on the train, you pretty much stood a good chance of getting it wrong because they only gave you four chances to get it right.
Actually, take away 50 more points because as I was writing this I decided to just look into Choo Choo further and it turns out to have been used for Ghost in the Shellcode. Really, could they not have just looked for some other railfan video? This explains the further flag inconsistencies going on here.
In fairness, there were challenges put in place to allow people from all backgrounds in information security to partake, which explains why you'd get questions like the PCI-DSS ones about whether VoIP is in play in an assessment (which is asked twice) or how to order CIS controls (CISsy), but then why turn around and ask about undocumented Intel instructions to access extended memory?
Reading documentation for a CTF is not unusual but this just reeks of laziness.
At this point I would like to say that I am done covering the problems here, but then it gets worse: even the list of tools they suggest in the CTF are borrowed from AwesomeCTF without any attribution. Granted, the list is licensed in a manner where zero attribution is required, but it just goes to show the level of originality put into how things were being done by the CTF organizers. At least the rules appear to have been written by them.
But since one of the rules is to not share the flags, doesn't that mean that the CTF organizers themselves are breaking their own rules?
Also, how long did they take to put this together? The hints are baffling me.
Almost a year? Surely they could have at least changed the flags or come up with better content than whatever this was. Did they use these challenges for another event? It is my understanding that the same team ran something similar for BSides Calgary.
In full disclosure here, I was previously a conference organizer for BSides Vancouver and in 2015 I helped coordinate the first proper CTF using challenges we actually wrote ourselves with anticipated solutions for each of them. I know for a fact that the conference organizers were again not the ones who oversaw the event (I did speak with them about the matter), so blame for the reuse of these challenges should not fall on them.
However, for the CTF organizers, why did you do this? Was this a mistake? How? If you're going to offer up a prize, put some thought and originality into your work.