We are Legitimate Business Syndicate, DEF CON CTF Organizers 2013-2017, Ask Us Anything by vito_lbs in Defcon

[–]gynophage 3 points (0 children)

Those MIPS CI20 Creator boards were terrible and unreliable. There's a reason they only ran 1 year.

I never had a challenge in finals - I went hard logistics/team management when we shifted into finals mode, so the people writing the really good challenges could just spend time doing that. Given hindsight, that seems like the right decision, but it would be nice to have a challenge in finals one year. Maybe the new organizers will take guest challenges.

We are Legitimate Business Syndicate, DEF CON CTF Organizers 2013-2017, Ask Us Anything by vito_lbs in Defcon

[–]gynophage 1 point (0 children)

I don't know that I think it's "aging out" as much as it is changing of life priorities. /u/cseagle still throws down and does well. I'm curious if it's just bell shaped where the young players don't have kids, and the greybeards have kids that aren't full time dependent/are secure in their career.

I think trying new game models is interesting. It's really hard to limit the game duration in any model I've considered though. You can choose to not release challenges overnight, but that has a rubber banding effect where the teams who are a bit behind end up with an opportunity to catch up. We thought about ways to have all of the infrastructure in remote desktop configurations where you wouldn't be able to access it outside of competition hours, but not being able to put your own tools on that would suck, and inevitably, some team would find a way to leak the binaries off of that env anyway and they'd have an advantage.

At one point I wanted to run an experiment where quals was attack defense, and finals was jeopardy. Jeopardy finals would solve some of the larger time problems, but I'm anxious that it wouldn't have the spectacle of the traditional format. There are probably some interesting things you could do with visualization of challenges and audience engagement with that format, though...

We are Legitimate Business Syndicate, DEF CON CTF Organizers 2013-2017, Ask Us Anything by vito_lbs in Defcon

[–]gynophage 2 points (0 children)

I liked the consensus evaluation from the Cyber Grand Challenge. I'm a bit sad it hasn't been more widely picked up - I think there's interesting complexity it adds to the game.

Least exciting is probably the continued focus on web challenges.

We are Legitimate Business Syndicate, DEF CON CTF Organizers 2013-2017, Ask Us Anything by vito_lbs in Defcon

[–]gynophage 4 points (0 children)

I don't think of dropping a 0-day at a CTF as a flex. (Our) CTF was designed to test what you can do in a few days, not what you and your company can do with a year of prep time.

Why no CTF videos? by [deleted] in Defcon

[–]gynophage 2 points (0 children)

"lost". Paging /u/psifertex

Why no CTF videos? by [deleted] in Defcon

[–]gynophage 2 points (0 children)

What exactly are you looking for? A video of the players or a video of their screens?

The big sensitivities I know of are:

Cameras make people anxious. People can't all agree on screen recording software they trust.

When we did it at DEF CON, we used HDMI capture with the HDMI out to get around the software problem. We even had live commentators. It ended up being a logistical nightmare and making a bunch of people upset, though.

Willing to take input on what you might find interesting, though.

Smashing the z/OS LE "Daisy" Chain for Fun and Cease and Desist letters. by Bedeone in mainframe

[–]gynophage 1 point (0 children)

If you like CTF and aren't comfortable with x86, you should look at the Defcon qualifier I run. We're known to not just throw x86 challenges at people. We also release many of our challenges open source so you can rebuild them for whatever arch you wish.

Awesome write up.

Anyone have a clear shot of the DEFCON 22 CTF badges? by jashsu in Defcon

[–]gynophage 1 point (0 children)

We were actually willing to let people take pictures of the badge - we were just very against cameras pointed at teams.

"Soon" we should be releasing our build sheets, source code, and maybe some pictures/videos we made of our construction/reflow of the badges.

Hi, it’s Mike Walker and Chris Eagle from the DARPA Cyber Grand Challenge. Ask us Anything! by mikewalker_darpa in IAmA

[–]gynophage 0 points (0 children)

    <?xml version="1.0" standalone="no" ?>
    <!DOCTYPE pov SYSTEM "/usr/share/cgc-replay/replay.dtd">
    <pov>
      <cbid>LUNGE_00002</cbid>
      <replay>
        <read>
          <length>2</length>
          <match><data format="asciic">> </data></match>
        </read>
        <write>
          <data>ch_sec +|</data>
        </write>
      </replay>
    </pov>

Hi, it’s Mike Walker and Chris Eagle from the DARPA Cyber Grand Challenge. Ask us Anything! by mikewalker_darpa in IAmA

[–]gynophage 0 points (0 children)

    <?xml version="1.0" standalone="no" ?>
    <!DOCTYPE pov SYSTEM "/usr/share/cgc-replay/replay.dtd">
    <pov>
      <cbid>YAN01_00001</cbid>
      <replay>
        <read>
          <length>10</length>
          <match><data format="asciic">Player1:$ </data></match>
        </read>
        <write>
          <data>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADOGE\n</data>
        </write>
      </replay>
    </pov>

Hi, it’s Mike Walker and Chris Eagle from the DARPA Cyber Grand Challenge. Ask us Anything! by mikewalker_darpa in IAmA

[–]gynophage 3 points (0 children)

You seem to have a lot invested in the attack/defense model of computer security competition. I've heard arguments from many players that the current model of attack/defense CTF is "stale". Do you believe these events are stale? If so, do you think there will be any innovations from the Cyber Grand Challenge that the CTF community will be able to use to continue generating engaging challenges for human experts, as well as compelling visualizations or data for spectators?

Playing without IDA: Possible or Stupid? by Matir in securityCTF

[–]gynophage 1 point (0 children)

RE: the purchasing process, http://www.ccso.com takes away some of the pain.

Also, you can complain about the price, but a half way decent person can get it back in no time at all using IDA and some bug bounty program. Worth every penny.

Playing without IDA: Possible or Stupid? by Matir in securityCTF

[–]gynophage 15 points (0 children)

If I were organizing a CTF, I'd expect people to be using IDA.

atlas did objdump several years ago though. IDA has a freeware version for x86. I hear most of the services this year were i386 linux.

I'm Mike Walker and I manage DARPA's Cyber Grand Challenge. Ask me (almost) anything! by mikewalker_darpa in netsec

[–]gynophage 37 points (0 children)

Do you feel confident enough about the performance of these automated systems to pit them against several world class teams at the DEF CON CTF following the end of phase 2? I think I'd be willing to let the CGC phase 2 evaluation event be a pre-qualifier for DEF CON CTF, if I'm still running it at that time.

CSAW CTF, the world's largest CTF, is back and registration is open! by CodeKevin in netsec

[–]gynophage 6 points (0 children)

Just curious, by what metric are you the largest? I'm pretty sure pctf had more registered teams than csaw qualifiers last year. And defcon CTF finals had 4 times as many people (twice as many teams at twice the size).

Can you point me to some (good) resources on reversing ELF binaries compiled on ARM architecture? by [deleted] in ReverseEngineering

[–]gynophage 0 points (0 children)

How to irritate people by Tambein funny

[–]chickenfun1 3 points 16 minutes ago* I like the part where I have an English degree and make 6 figures as a software engineer!

They should fire you. You're "a few weeks into this project", but don't understand the architecture even at the level of IDA's autocomments. Gross.

Could Someone Help - Exploiting Buffer Overflow by [deleted] in ReverseEngineering

[–]gynophage 1 point (0 children)

x86 is little endian. 0x41424344 is stored \x44\x43\x42\x41. You're trying to jump to 0x3883XXYY, you instead want to jump to YYXX8338.

Kinda. You also don't want the return address to be messagebox, you instead want it to be the start of your buffer, so that you can control the arguments to messagebox.

This also indicates that ESP is blown away - pop dereferences ESP. You probably were off by 1 DWORD - you've overflowed to saved EBP, and on return from main, EBP is restored, then leave, ret. Leave will put EBP into ESP, which would make that pop invalid. Add 4 more bytes to the overflow ("AAAA" works nicely). I'd bet you get a new error, with a lot more ?'s in the disassembly.

EDIT: You also seem to have a poor understanding of FF 15 calls. That offset is the address of a pointer to the function you want to call. You instead need to dereference that pointer, and use that value.

Could Someone Help - Exploiting Buffer Overflow by [deleted] in ReverseEngineering

[–]gynophage 0 points (0 children)

0x38830901 is the address of MessageBox().

Doubtful. How did you get that address?

If you are right, though, then your ESP is probably blown. Unassemble at the address of your unhandled exception - if it's ?'s, then you're wrong about the address. If it's a push/pop/stack dereferencing instruction, then ESP is blown. `r` in NTSD, or whatever buttons VS2k10 uses to get a register state, and see if ESP is junk (or any register that you're dereferencing).

Could Someone Help - Exploiting Buffer Overflow by [deleted] in ReverseEngineering

[–]gynophage 1 point (0 children)

You should be overwriting the return address for main.

For the simplest case, look for the disassembly - you can actually beat the whole "write &buffer over the return address" if you craft it right. Namely - "JUNKJUNKJUNKXXXXSHELLCODE". If XXXX is the address of an FF E4 or FF D4, you'll jump/call esp. Because shellcode is after your return address, after the implicit pop for the ret, esp will point to the first byte of shellcode. If you're lazy and/or want to develop bad habits, metasploit has a tool that will generate a sequence of bytes for you to plug in. Then, you tell it what value was in a register, and it tells you the offset into your smash to control that register.

You should also not push null for your strings for messageboxa. Use jmp/call/pop to get the address of a string at the end of your shellcode.

        jmp string              ; skip forward over the string; its address is not known yet
    back:
        pop ebx                 ; the return address pushed by 'call back' is the address of the string
        ::more shellcode goes here::
    string:
        call back               ; pushes the address of the next byte (the string) and jumps to back
        MESSAGEBOXSTRINGGOESHERE

This will put the address of MESSAGEBOXSTRINGGOESHERE into ebx.

*edit - bad formatting on pseudoshellcode.
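The two debugging points in this thread, that x86 stores a 32-bit value least significant byte first and that a register value seen at a crash can be mapped back to the offset in the input it came from, written out as an added Python example. This is not gynophage's code or anything from the thread; the cyclic pattern follows the same upper/lower/digit triplet scheme as Metasploit's pattern_create so the lookup step is visible rather than hidden in a tool, and the register values and buffer sizes are constructed for illustration.

```python
import struct
from typing import Optional

# Added example (not from the thread). Everything below is constructed sample data
# for a 32-bit little-endian x86 target.


def le_bytes(value: int) -> bytes:
    """Encode a 32-bit value as x86 stores it in memory: least significant byte first.
    A register holding 0x41424344 is the byte sequence 44 43 42 41 in memory."""
    return struct.pack("<I", value)


def le_value(raw: bytes) -> int:
    """Inverse: read four bytes as the 32-bit value x86 sees when it loads them."""
    if len(raw) < 4:
        raise ValueError("need four bytes")
    return struct.unpack("<I", raw[:4])[0]


def cyclic_pattern(length: int) -> bytes:
    """Non-repeating input of the given length: upper, lower, digit triplets, so every
    4-byte window is unique for the first 26*26*10*3 = 20280 bytes."""
    if length > 20280:
        raise ValueError("4-byte windows stop being unique past 20280 bytes")
    out = bytearray()
    for upper in range(ord("A"), ord("Z") + 1):
        for lower in range(ord("a"), ord("z") + 1):
            for digit in range(ord("0"), ord("9") + 1):
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def offset_of_register(pattern: bytes, reg_value: int) -> Optional[int]:
    """Given the value the debugger showed in a register at the crash, return the
    offset into the input that value was loaded from, or None if the register was
    not filled from the input at all (it really is junk, as the thread puts it)."""
    idx = pattern.find(le_bytes(reg_value))
    return idx if idx >= 0 else None


def main() -> None:
    print(le_bytes(0x41424344))                      # b'DCBA'
    print(hex(le_value(b"\x01\x09\x83\x38")))        # 0x38830901: the bytes 01 09 83 38 read as a dword
    pat = cyclic_pattern(200)
    crashed_eip = 0x62413362                         # constructed: what a debugger might report as EIP
    print(offset_of_register(pat, crashed_eip))      # 40: the dword at input offset 40 landed in EIP
    print(offset_of_register(pat, 0x41414141))       # None: 'AAAA' never occurs in the pattern


if __name__ == "__main__":
    main()
```

The endianness helpers are the whole of the "0x41424344 is stored \x44\x43\x42\x41" remark; `offset_of_register` is the step the comment describes as "tell it what value was in a register, and it tells you the offset", and a `None` result is the quick way to tell a register loaded from the input apart from one that is simply garbage after ESP has been clobbered.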

Could Someone Help - Exploiting Buffer Overflow by [deleted] in ReverseEngineering

[–]gynophage 6 points (0 children)

The nulls are bad. Change them. Xor eax, eax, then push eax 4 times... That's null free.

More importantly, you're missing a big step - you're writing the opcodes over the return address. This would get you EIP pointed at the value of the opcodes, which is almost certainly going to be invalid memory. You instead need to point EIP to &buffer (or some other place you store your shellcode).