Security Ripcord


DefCon 15 CTF – WarGamez

One of the best parts of wandering around DefCon was periodically sliding through the Capture the Flag room. As I stated in my original Defcon 15 post, Invisigoth of Kenshoto was kind enough to field a few questions and shed a little light on what was happening.

When I first walked into the room it was a bustle of activity. Teams were setting up their systems and their networks. Their equipment hosted a wide variety of computer systems. As I looked around at the different systems the teams were running I could see Windows, Linux, OS X (and possibly BSD but I couldn’t be certain) running on all different types of hardware: Dell, Apple, Alienware, IBM (Lenovo), HP, Sony, and more. It was already late in the morning so I had wandered in right at the end of their allotted setup time. Invisigoth made an announcement that the teams would be limited to eight team members working at one time and then, a few minutes later, announced the commencement.

Although the scoreboard was running at this point there had not been a lot of noise in the room up until the beginning. With the announcement of the start of the contest I was looking up at a projection of the scoreboard on one of the walls of the room. It showed each team, the number of overwrites, steals, and breakthroughs, and the level of service operation. This screen also flashed through several other statistic screens that compared the teams according to each category. A scrolling text area across the bottom of the screen also provided update information, in this case, the beginning of the competition. What happened next, however, got me to laugh out loud. With the start of the competition the technomusic started and two additional video screens lighted up. Comics, music videos, and other very distracting videos began to entertain the crowd as it filtered through the room and added its own noise contributed via talking, laughing, and applause.

After the start of the competition I asked Invisigoth a little bit about the teams. He was very proud of the fact that approximately 160 teams participated in the pre-qualification round and from that field the eight teams that came out on top provided representation from around the world. Although I did not get a complete breakdown I do know that team “Song of Freedom” were from Korea and team “Osu, Tatakae, Sexy Pandas!” were from Spain. It was about this time, 20 to 25 minutes in, that “Osu, Tatakae, Sexy Pandas!” drew first blood. They scored the first breakthrough and quickly followed it with several steals and overwrites. When this happened I looked over at the area where last year’s winners “l@stplace” were located to see their reaction. I don’t even think that any of them looked up at the scoreboard. Looking around the room I was very impressed to see that no more than one or two of the other teams’ members were looking up at the board either. In a room full of noise and disruption these teams were hard at work attempting to crush the other teams while keeping their services up and running.

April Dudash of The Independent Florida Alligator described the team objectives in her article “the H@cker Elite: UF engineers compete in Vegas”.

Teams were awarded points for service level, steals, overwrites and breakthroughs, or being one of the first three teams to exploit a particular service. Penalties were given if teams tried anything inappropriate, like illegal-hacking moves or real-life physical violence.

Basically, Kenshoto gave each team a server with twenty services running on them. They used the information they had from these servers to compromise the servers owned by their opponents while at the same time protected the availability of their own services. Uptime played a critical role in the outcome of the game. To better understand the objective, however, here is some of the information provided in a competition flier distributed by Kenshoto.

STEAL – Breaking into a service and getting read access to a secret token. Submit your steal for a point.
OVERWRITE – Breaking in with write access and overwriting the target’s key with yours. Each overwrite will trigger a point.
BREAKTHRU – First team to exploit a new vuln gets mad bonus (auto-scored and scaled for difficulty). Later teams get points, but the value drops exponentially.
SLA – Percentage of time that your services have been up (we have a polling monkey that checks every few minutes). This scales your final score.
PENALTIES – Seriously? You’re reading the definition for ‘penalty’?!?! While you’re at it: there is no Santa Claus.

One of the times that I spoke with Invisigoth I asked him about the services. At first he just smiled at me. The sort of, “Well, kid, get a team and get to the finals and you’ll find out” kind of smile. Relenting only a little, he told me that there were three levels of services: Easy, Hard, and (of course) Kenshoto. The pinnacle process, meaning the one they deemed the most difficult, was named “Manshetwa.” As he described it to me I was quickly confused. So, if I completely botch this description I hope that they forgive me or, at least, correct me in the comments. Manshetwa was a binary program within a program. Actually it was three programs running inside of a parent program that acted like a custom virtual machine. (BTW, all of the services are custom for this contest.) The parent program monitored the three processes and also attached to each of them as a debugger so that no team could attach another debugger to any of the programs. The programs acted, in conjunction, as a service. One of the programs accepted input from the network on a specific port. After accepting the information this program decrypted the input and sent the information to the second program. The second program used this input to generate some custom assembly code which it passed to the third process. After accepting the assembly code the third process ran the code. A little fuzzy? It is to me as well. I don’t have any more answers than that because Invisigoth had other duties as required and to this point I had taken enough of his time. I can only assume that if the third program runs the correct code the team sending the information accomplished a Breakthru. Of course, this service was designed to be almost impossible to exploit. In fact, Invisigoth looked at this service as a time killer. Any team who assigned an individual to work on this service in order to benefit from the massive amounts of points associated with it was merely wasting manpower. He mentioned how @tlas, the team leader for l@stplace, had specifically forbidden his binary analysis expert from even looking at the service for this very reason.
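What the "parent attaches as a debugger" step described above achieves, as an added example that is not from the original post or from Kenshoto's service: assuming a Linux host, a process can have only one tracer, so a worker already traced by its supervisor refuses a second `PTRACE_ATTACH` with `EPERM`. The function names and the use of `PTRACE_TRACEME` (the worker volunteering to be traced, rather than the parent attaching) are assumptions made for illustration.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Supervisor (the "parent program"): start one worker that is traced from
 * birth, report its pid to the caller, then hold the trace until killed. */
static void supervisor(int report_fd)
{
    pid_t worker = fork();
    if (worker == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL); /* supervisor becomes the tracer */
        raise(SIGSTOP);                        /* park under the tracer */
        _exit(0);
    }
    if (worker > 0)
        waitpid(worker, NULL, WUNTRACED);      /* worker is now stopped and traced */
    if (write(report_fd, &worker, sizeof worker) < 0)
        _exit(1);
    for (;;) pause();                          /* keep the tracer slot occupied */
}

/* Plays the second debugger. Returns 0 if PTRACE_ATTACH succeeded, the errno
 * it failed with otherwise, or -1 if the setup itself failed. */
int second_attach_errno(void)
{
    int fds[2], result = -1;
    pid_t sup, worker = -1;
    if (pipe(fds) < 0 || (sup = fork()) < 0)
        return -1;
    if (sup == 0) supervisor(fds[1]);          /* never returns */
    close(fds[1]);
    if (read(fds[0], &worker, sizeof worker) == (ssize_t)sizeof worker && worker > 0) {
        result = ptrace(PTRACE_ATTACH, worker, NULL, NULL) == 0 ? 0 : errno;
        kill(worker, SIGKILL);                 /* tear the worker down */
    }
    close(fds[0]);
    kill(sup, SIGKILL);
    waitpid(sup, NULL, 0);
    return result;
}

int main(void)
{
    printf("second attach errno: %d (EPERM is %d)\n", second_attach_errno(), EPERM);
    return 0;
}
```

The caller is an ancestor of the worker, so the refusal comes from the occupied tracer slot and not from a Yama `ptrace_scope` restriction on unrelated processes.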

In the end, out of eight teams from around the world, team l@stplace repeated their victory. The whole team was awarded another DefCon Black Badge and Leather Jacket. You can read what @tlas had to say about it in his post “Play it again, Sam.” He also links to several of his team member sites so you should check out their comments as well.

When it was all said and done I was very happy I spent a little extra time in the CTF area. Invisigoth was more than helpful basically because the competition ran fairly smoothly and because he appeared to be having a great time. I also enjoyed watching the professionalism and drive of all of the teams involved and it made me long for working with a team of elite and dedicated individuals again. I am hoping that I can get a few of the Security Catalyst Community interested in the CTF next year. After our success with the Mystery Box challenge I don’t think that will be very hard. The hardest part will be getting them to pick between the two.

Go forth and do good things,
Cutaway


3 Responses to “DefCon 15 CTF – WarGamez”

  1. The most difficult service was named menageatrois.

    With the proper spelling, the description of it makes more sense. ;)

  2. Rockin’. The room was loud and I knew I probably didn’t get it written down right.

    Thanks for the update,
    Cutaway

  3. [...] interested and I was very keen on getting an interview to augment my post on last year’s DefCon CTF, DefCon 15 CTF – WarGamez, but time quickly passed and I went ahead with the post without the interview as I was not aware at [...]
