Capture The Fun: Cyber Jawara 2017
This post is part 1 of the "Capture The Fun" series:
After a long time of wanting to write a (not-so-random) story on my blog, I finally had the time to actually write some things. For my debut on my own blog, the first thing that comes to mind is my Capture the Flag (CTF) story. We start right when I was done with competitive programming and started focusing on CTF (and struggling to graduate from my university). Let's start with a bit of introduction to my history in CTF events.
Introduction
My team and I have had quite a long history in CTF events. One of my friends, V, just happened to ask me to form a new CTF team with N (who is my friend too). At the time, I was still excited about learning Linux because I had just recently learned to use it. I thought I could learn things about Linux there, so why not? I accepted, and we formed a new CTF team. Neat.
It was hard for us to learn things because there was no established CTF team in my university. Luckily for me, my two friends were pretty knowledgeable right off the bat. Apparently, V had already been doing reverse engineering since middle/high school and N had done system administrator thingies. So I tried to learn things from them to catch up.
I won't talk much about things that happened around this time, mainly because I was focused much more on competitive programming than on CTF. I was also struggling to graduate and couldn't give too much focus to CTF. So it wasn't until my next CTF competition that I learned I really needed to catch up with people.
The Dawn Age
At some point in July, my team participated in a CTF event called Computer Festival. It was a (supposed-to-be) nationwide free-for-all CTF event. That means this event does not restrict participants by maximum age or academic status (I think there's still a restriction on minimum age). This was also the first event with my new teammate, J, who replaced N.
It was at this event that I realized things could not stay like this if I wanted to go on with these people. I needed to be able to contribute. At that time, my only merit was that I could write shell scripts quite fast to automate exploitation, which is quite useful for attack-and-defense style. But you can't get more points without the ability to exploit things. We ended up in 2nd place for this event, mostly because V is very skilled. I knew I should increase the intensity of my learning, especially because the winning team (let's call it Team US) had beaten us more times than I could count.
The 1st through 3rd place of the event were invited to participate in Cyber Jawara, an annual nationwide CTF event. I decided that I would learn more about cryptography and binary exploitation so I could contribute there. With cryptography usually not included in on-site problems, I should pump up my binary exploitation skill. Searching for resources to learn binary exploitation, I stumbled upon pwnable.kr. I spent my time until right before Cyber Jawara preparing for my graduation and doing some pwnable.kr problems.
Then, the day had come.
Cyber Jawara 2017
The contest was split into 2 phases. The first phase was reverse engineering and forensics, and the second phase was web and binary exploitation. The first phase had 30% weight with jeopardy style, so we only needed to solve the problems given to us. The second phase had 70% weight and we needed to defend ourselves from other teams' attacks by patching the services. No cryptography, I knew it. So the only chance for me to contribute was binary exploitation problems. I was also quite lucky because the higher-weight phase requires some automation that I could contribute to at the very least.
For the first phase, no one in my team really understood forensics and its tools, so we tried to rack up points from reverse engineering. Apparently, one of the problems required us to solve a constraint satisfiability problem. This can be done with Z3, but none of us knew how to use it. So we were behind in terms of points at this phase. I think we were behind by ~300 points.
For the second phase, V was racking up points from web problems. J and I attempted the binary exploitation problems. J attempted the 300-point pwn, while I just tried to lessen the burden by doing the 50- and 150-point pwns. The 50-point pwn is just a backdoor triggered by putting some weird bytes before the payload, so it's quite easy. I still took my time though, because I'm slow when it comes to reading application logic. I patched the binary by nop-ing out the backdoor check, then moved on to the 150-point pwn. The 150-point pwn is pwning a Python service + shell. Great, it's NOT a BINARY exploitation. Well, at least I could solve it. It's kind of upsetting that the result of me practicing for hours at pwnable.kr wouldn't be seen here, but I'm quite happy to contribute. I patched the 150-point pwn by making sure the Python service is not pwnable and moved on to help J with the 300-point one.
At this point, V started asking for my help with automation and finding exploits. He ended up finding them all by himself and I just helped with the automation though. There was a weird 100-point web problem that perplexed me and V. Apparently, it used a framework whose debugging console you can access by requesting /console. Great, I missed reading the console part when I was looking through the framework source code. Meanwhile, J had solved the problem and needed a bit of time to patch it. We didn't know if he would make it in time. We were only winning the second phase by 90 points. Yes, if we calculate it right, we were still behind in terms of total points (90x0.7 - 300x0.3). The good news is, J just finished patching the binary that he solved 3 minutes before the end of the contest. V and J were already hoping that we would at least get 2nd place. I was still hoping for an X factor like binary patching and writeups. Maybe there would be a miracle...
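The /console lesson above is the classic "debug console left on in production" exposure. As an added defender-side example (not code from the post or from the CTF services it describes), here is a small Python check that scans web access logs for requests to that path: the path /console is the one the post names, while the Common Log Format layout, the sample lines and the Hit/summarize helpers are assumptions constructed for this example. A 200 response to the console path is treated as an exposed console; a 404 is recorded as a probe.

```python
"""Flag requests for a framework debugging console in web access logs.

Added example, not code from the original post. Assumes the console is
served at /console (as the post states) and that logs are in Common Log
Format; the sample lines below are constructed, not real traffic.
"""
import re
from typing import Dict, List, NamedTuple
from urllib.parse import urlsplit

# Common Log Format: client ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

CONSOLE_PATH = "/console"  # assumption: the path named in the post

# Constructed sample log lines (not from the event).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2017:10:01:02 +0700] "GET /index HTTP/1.1" 200 512
10.0.0.9 - - [12/Nov/2017:10:01:07 +0700] "GET /console HTTP/1.1" 200 4096
10.0.0.9 - - [12/Nov/2017:10:01:09 +0700] "GET /console/?lang=en HTTP/1.1" 200 1200
10.0.0.7 - - [12/Nov/2017:10:02:15 +0700] "GET /console HTTP/1.1" 404 209
10.0.0.5 - - [12/Nov/2017:10:03:00 +0700] "POST /login HTTP/1.1" 302 0
"""


class Hit(NamedTuple):
    ip: str
    timestamp: str
    target: str      # raw request target exactly as logged
    status: int
    exposed: bool    # True when the server actually served the console


def normalize_path(target: str) -> str:
    """Drop the query string, lower-case, and strip a trailing slash so
    variants such as /console/?lang=en still match the console path."""
    path = urlsplit(target).path.lower()
    return path.rstrip("/") or "/"


def find_console_hits(lines: List[str]) -> List[Hit]:
    """Return one Hit per request whose normalized path is the console path."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if normalize_path(m["target"]) != CONSOLE_PATH:
            continue
        status = int(m["status"])
        hits.append(Hit(m["ip"], m["ts"], m["target"], status, exposed=(status == 200)))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Split hits into served consoles (an exposure) and rejected probes."""
    exposed = sum(1 for h in hits if h.exposed)
    return {"exposed": exposed, "probed": len(hits) - exposed}


if __name__ == "__main__":
    found = find_console_hits(SAMPLE_LOG.splitlines())
    for h in found:
        label = "EXPOSED" if h.exposed else "probe"
        print(f"{label:8} {h.ip} {h.timestamp} {h.target} -> {h.status}")
    print(summarize(found))
```

Any "exposed" hit means the console was reachable and the fix is to turn the framework's debug mode off for the deployed service, not to block the path; "probe" hits are still worth keeping as a signal that someone is looking for it.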
And it did happen.
We actually won by a measly 50 or so points. Mind you, the total is 3030 points, so it's a pretty slim difference. I don't know what the cause was, but I'm happy anyway. I learned just how a small contribution could bring big impact to the table. We suspect it's because J had the time to patch it and we got more points for it. If J hadn't started doing the 300-point pwn right away, I'm pretty sure the result would have been different.
In the end, I'm a bit upset that my contribution was still low, but at least I made an impact there. At this point I had the momentum to keep learning for CTF events and would ride on it to keep contributing. Still, it was a great pleasure to finally beat Team US after all this time.
Notes
This post was written 2 months after the event, so I didn't recall some minutiae like phase weights and problem points. I tried to write it as accurately as possible to make the reader aware of what I felt and why I felt that way.
We wrote the writeups, but haven't published them yet. Since it's a hassle to convert between Google Docs and Markdown, I'm not gonna do it. If you want to read the writeup you can contact me and maybe I can just dump the PDF version for you.