Capture The Fun: Cyber Sea Game 2017

After Cyber Jawara

Me and my team are fortunate enough to be selected to represent Indonesia in Cyber Sea Game 2017 as part of the 1st place prize. It's a CTF event held by partnership between Japan and ASEAN countries (I think, I'm not sure). The winner of the event will be sent to SECCON 2017 as guest team. To be honest, the competition is a bit shady to me. There's no official website nor place to get information and the prize is too good to be true (it's very hard to pass SECCON quals). We only know that the event will be held in Thailand from Indonesian officials. As a good guy, I believe what the official said to me and practice for the game.

Call me skeptical, but I really thought that we will not win. Part of it because my teammates, V, says that Singapore and Vietnam team are pretty strong. Since he's our best member, I'm scared af to the point that I thought I'll just practice to make sure I'm not regretting it later without thinking the possibilities of winning.

Preparing for Cyber Sea Game 2017

As I was recently graduated, I had a ton of time to practice. But, even after graduating, I'm none of the wiser. Instead, I put half of my time playing some MMO game. Well, it's still half a ton of time to practice. Neato! I wasn't sure to ask my other teammates to practice together because I'm so bad and I'm afraid the intelligence among us is distributed (i.e. they become more stupid) because of me. So instead, I did what the loners do when they do things. Practicing alone.

I've always liked cryptography (mathematically, not technically) and binary exploitation. So that's what I practiced most of the time. Cryptography is quite hard to practice because usually cryptography exploitation in CTF events involves edge cases in the formula or has some gimmicky usage. So I just read some cool ctf writeups for cryptography to get the sense of what a cryptosystem could do, which part of the system are the weak links, etc. In constrat, binary exploitation is easier to practice because there are many wargames to practice on. I decide to just continue working through pwnable.kr challenges. The problems are unique for their own category so I won't be too familiar with the techniques, but it also means I could catch up (in term of knowledge) my teammate which specialize in binary exploitation.

Some days before the competition, suddenly there was an email from Japan side regarding registered participants. It appeared that they don't accommodate coaches, but the maximum of participants in a team is actually 4 persons. So after some short period of shocks, we need to search one more member. So we asked the only person that we know we could-ask-to-fill-in-without-causing-too-much-drama. The problem-setter for Cyber Jawara. He accepted. We informed the officials. Yay.

Then, we went to Thailand (and skip to the contest right away)!

The Cyber Sea Game 2017

The contest was held in a meeting room (I think, I forgot) in Swissôtel Le Concorde. They created a local network platform which requires you to connect through an ethernet cable they provided and you can use Wi-Fi to browse the internet. I wonder why they limit local connection from the internet though. Maybe to prevent DOS? I'm not sure. They gave us time to setup the network and see if we had any problem, which unfortunately I had.

I learned that my network manager by default don't let me use both ethernet and Wi-Fi. I think there's a way to do it but I got no time so I just disconnect the ethernet when I want to browse the internet and connect to the ethernet when I want to submit flag.

Then, the contest begin. They give some problems. I don't remember the others, but they only give 2 crypto problems with 200 and 250 points, and 1 pwn problems with 300 points. Of course they'll give high point pwn problems first. So I decide to tackle the lowest crypto problems first. Seems like lady luck still hates me even after the network problem, and now I got a technical crypto problem involving digital certificate. Great. V solved a reverse engineering problem which give us 50 points. But then, Vietnam team got 160~ points. Cool. After two hours, I only able to extract some garbage message (which I think will be decrypted by some means) and extract the upper-level certificate. I don't actually understand what they do. Meanwhile, the Thailand team that already solve it, which give them 250~ points. Fortunately, on the brink of my despair, it was lunch time! After having so much fun munching tasty food, we go back to contest site. The first two hour, with only 50 points.

The second part of the contest begin, and then they released many problems altogether. In total, there were 30 problems available to solve. They actually released a 50 point crypto. An original cryptosystem. With only math logic. Finally! That problem is actually my savior because it gives me the momentum that I need to solve other challenges. After solving other crypto problems, my teammates start to ask for help so we start working together on some weird challenges. One of the weird problems is a binary data file with a picture showing the hexdump result of the binary. The problem name is called md5, which is quite weird. We only realized that we need to take each line of the hexdump as md5 hexes and look it up in md5 databases. Sadly, we recovered the flag about 10 seconds (!!!) after the contest is over.

Now the moment of truth is, the winner annoucement. While we managed to rack good amount of points, we were pretty nervous about the result as the scoreboard is frozen and we were on 3rd place on last update. To make it worse, Singapore team, who were at 2nd place, also yelling "Yesss" quite loudly near the end of the contest with a 400 point problem update to have 1 team solve. That means they got 400 points + 80 bonus points. Sigh. My teammates already lose hope because the only way for us to winning this is to have the other teams not getting too much points and Singapore team not getting any other points beside the 400 points problem. I still hoped to win because it's still probable point-wise. Maybe another miracle will happen to us.

And it did happen. Again.

We won by 20 points difference from Singapore team.

All of a sudden, all the weight from my shoulders disappeared and I see my teammates shocked and smiling happily. We actually won our first international CTF event. Winning also make us the guest team that will be sent to SECCON 2017. THE SECCON. After the event, we went to our room and rest. The next day, we took the flight home while being proud of our achievement (well, at least I did).

Overall, I'm very happy and thankful for my very skilled teammates, my friend (whom always remind me to practice), and Indonesian officials that made all of this possible.

Notes

For (successfully recovered) writeups, you can find it here. Some problems that I solved are not here because either it wasn't purely my work or some of the problem files cannot be found in my laptop.