Last week was the hacker con palooza in Chicago with both THOTCON and BSidesChicago (or is it SecureChicago now?). I won’t go on too long with my list of issues from the weekend (there were quite a few, but obviously I’m a bit biased and have more visibility than others), but there was one major BSidesChicago event that made a lot of us Chicago technical folk double facepalm in shame at it being a representation of the Chicago crews.
You guessed right. The CTF.
Don’t get me wrong, I appreciate the effort by individuals who donate their time and resources to provide an experience for people. It takes a HUGE amount of effort to build one out (developing the challenges, creating the environment, and protecting it from certain attacks while allowing others). I also get that there’s really no single right way to do a CTF. They’re all different, with different formats, targets, and goals. But there are some definite wrong ways to do one.
Why this lengthy public post instead of a private email? Frankly, a large part of the hacker “community” is giving gold stars and trophies to everyone as participation awards. I’ll rant more about this in a later post, but if we don’t start holding each other to a higher standard, we’ll soon end up with mediocrity all around.
So the WTF!?! Moments…
I took an interest in the CTF before the day of BSidesChicago as I haven’t had much free time to do any reversing or crypto for fun and wanted to see what was being displayed as a representation of the Chicago community. A few weeks before the conference, I noticed this as the only paragraph describing their CTF:
Hacker Drama. It has nuclear potential to destroy an entire afternoon for everyone. From tweet insult battles, to blog posts, to podcasts, hacker drama can DDoS productivity for all security people. You are being recruited into the BSides Joint Task Force to stop a rogue agent who is bent on creating an immense amount of Hacker Drama…….
…….The BSides Joint Task Force needs your help! Don’t let this rogue agent destroy the emotional happiness of the security community! Your community needs you!
I can’t even make this shit up. On the day of BSidesChicago, it continued on their registration portal…
WE HAVE RECEIVED INFORMATION THAT A ROGUE AGENT HAS BEEN UTILIZING RESOURCES FROM BSIDES CHICAGO AND BSIDES DETROIT IN AN EFFORT TO CREATE AN IMMENSE AMOUNT OF HACKER DRAMA FOR THE INFORMATION SECURITY COMMUNITY. WE BELIEVE THAT THIS ROGUE AGENT MAY BE A HIGH RANKING OFFICIAL WITHIN THE ORGANIZATION. IT IS POSSIBLE THAT THERE IS MORE THAN ONE ROGUE AGENT, BUT OUR INFORMATION SO FAR IS POINTING TO A SINGLE AGENT WORKING ALONE.
For those of us who have been in the community / scene / industry for some time, we’ve seen our fair share of unnecessary “Hacker Drama” bullshit. With that said, our community is no more plagued by this than any other group of like-minded individuals who are passionate about what they do. But seriously, we’re making this the theme of a CTF? That doesn’t shine greatly on the Chicago hacker community as a whole. In fact, it makes us look like a bunch of pussies.
I’m going to work on the assumption that they were serious with their theme, based on the wording. If you think it’s benign and a stupid point to bring up, feel free to skip this rant.
I’m extremely curious as to what their definition of “Hacker Drama” is. I honestly can’t tell if the organizers are serious or joking with this theme. From the wording, it really seems like they’re serious. If it’s a joke, I honestly don’t get what’s funny or satirical about it.
Making the theme a “rogue agent” among a group of like-minded individuals, with “hacker drama” as the offense, makes the definition appear to be “someone who doesn’t agree with us”, “you’re either with us or against us”, and “you shouldn’t speak your mind for fear of causing drama”. This is compounded by the CTF’s stated goal of preventing the destruction of “the emotional happiness of the security community”. Really!?!? The security community is happy feel-good fun time? And “DDoS productivity for all security people”. Really!??! Productivity is what we’re concerned about now??? And we’re not going to reference what this rogue agent has actually done, and instead speak in overgeneralities so people can draw their own conclusions. REALLY. Is it just me, or is this the biggest form of creating drama?
But let me guess. It’s a fictional theme designed to hit close to home to the community to spark discussion and thought, right? It’s the same bullshit as the cop out of posting some crazy ass shit and at the end trying to justify it by saying “I appreciate everyone’s input and value the fact that this started a discussion”. No. You were wrong and everyone called you out. That’s what happened.
Sure, there’s such a thing as going overboard with criticism and trolling, but if someone’s not super warm, fuzzy, and super positive, they’re causing drama?
If being critical of someone or something, in an attempt to push them to the standard we hold each other to in this community, destroys their emotional happiness, then (a) grow up, and (b) I will proudly declare myself a Rogue Agent and announce it from the rooftop. Again, I’ll have a post later about the “give everyone a gold star for mediocrity” pattern we’re starting to slip into.
Again, I could be overanalyzing the theme, but a large number of people I’ve talked to have looked at it and gone “wat?”.
A Required Non-Disclosure Agreement
Register an account for the competition, and you’re presented with the following:
By completing the registration process, you agree to not disclose any information about the challenges or information contained in this site to any public forum, mailing list, phone tree, bulletin board, semaphore competition or any other public forum nor to any person not registered with this site. Consider this an NDA on all content contained within.
Yeah… good luck having *any* enforceability with that statement. Legal or even on a warm-fuzzy level…
So the BSidesChicago and Detroit crew doesn’t want anyone talking about their small, free, public, open-registration CTF. So if someone wanted to share their experience with others (i.e. walkthroughs) and the skills or tools they needed? Nope! Verboten. Talk about your experience with it? Sure, as long as you don’t reference ANY details regarding the challenges (type, points, results, anything). Better speak in vague generalities that provide no valuable detail whatsoever.
Thanks BSidesChicago/Detroit CTF – there goes the hacker spirit of making knowledge open and free.
Honestly, I can’t think of a single credible CTF that tries to enforce the NDA “keep this secret” bullshit. The only reason the weak ones seem to do this is that they don’t feel confident in coming up with enough unique challenges to keep their sponsor-funded projects moving forward. Example: National Cyber League, a college defensive competition (spun off of various CCDC regions) that posted this b.s. in its agreement for colleges AND RED TEAM MEMBERS:
Whether feedback is positive or negative, participants are forbidden from publishing, posting on the internet, or publicly communicating details of the competition other than what is available at www.nationalcyberleague.org. They are also forbidden from publishing, posting on the internet, or publicly communicating assessments of the NCL Pilot, nor assessments of the performance of any team, nor speculations concerning different possible outcomes. Institutions that fail to adhere to this rule may be refused participation in future competitions.
Someone’s afraid of review and criticism.
But I digress – the point is, one of the key points of the hacker ethic is freedom of information. Seems BSidesChicago and BSidesDetroit don’t believe in this as much as they say they do…
What’s the goal of any hacking competition? That’s right: to break or bypass the rules that were put in place. Whether it’s the rules of access control, crypto, or binary obfuscation, the goal is to break rules. So piling a large number of rules on the competition makes it seem you didn’t consider its security at all, and they’re going to be broken. Plus, if you’re going to put rules in place to govern a competition, they’d better be realistic.
Let’s look at these rules that raised major WTF moments.
MUST NOT ATTEMPT TO HACK CTF SERVER OR APPLICATION! You will be penalized and/or disqualified!
Let’s look at the webapp challenge:
Notice some key things here. The scoreboard and list of challenges are located at ctf.securechicago.org. Let’s follow the “here” link to the URL we’re supposed to hack:
Still ctf.securechicago.org…. And I’m supposed to attempt to hack this, or addendum.php? Any attempt to solve this challenge would be a direct violation of the rules! Oh no! Looks like I can’t complete this challenge, as I “will be penalized and/or disqualified!”. And seriously: if people are tinkering with the scoreboard and find issues, you should be rewarding them with bonus points, not penalizing them! Don’t you want to improve the system? Haven’t you ever heard about the successes of bug bounty programs? The only time I’d recommend someone being drop-kicked is if their fucking with the CTF system was causing any kind of DoS. That’s just a dick move.
And to add to that:
Physical attacks are NOT in scope. DO NOT attempt them or you will be removed from event!
Looking at the score board, there were a few lock picking challenges. A quick screenshot of the scoreboard shows:
So the category is physical, and lock picking would be considered an attack under pretty much anyone’s definition. Another rule violation for following their challenges! *facepalm*
If you were worried about people physically going after your on-site hardware (i.e. walking over to the server and screwing with it), maybe you need to better physically secure your server.
Any attempt at cheating of ANY form will not be tolerated
Isn’t hacking cheating system controls, designs, and crypto algorithms? What’s the definition of cheating? But let’s go beyond that and see how they actually penalized people for “cheating”. Look at one of the first challenges in the screenshot below:
Again, I quote it: “Take risks. Throw caution and wisdom out the window. Just start answering these things.” The file attached to the challenge was a pcap of an FTP transfer containing a PDF. Being easy, I reconstructed the PDF, and it contained basically 15 words. Nothing in the metadata. Tried the various words, nothing. So I threw caution to the wind like I was advised and looked at the source code of the challenge page. In the HTML source was:
<div style="visibility: hidden">Look_What_I_Found</div>
So hey, why not throw caution to the wind and submit that as a flag. I kid you not. The response I got back was:
Did you read the rulez? No cheatz for u! -100 points!
Um, WAT!?!?. I just lost 100 points for looking at the HTML source of the challenge and submitting what I found, and THAT’S CLASSIFIED AS CHEATING?!???!?! The flags followed no single format (some were hex, some were alpha/num/sym, some were case sensitive, some lowercase), and yet I’m cheating for trying something from the HTML source?
I had to double check to make sure I wasn’t insane. I created another account from a different source IP and session to see if it was a rate issue from the previous submissions. NOPE. First submission and voilà: -100 points. Cheater. You looked at the HTML source and tried a flag when there was no flag format!
To make matters worse, it marked the challenge as complete and hid the submission form (granted, you could hack it to resubmit the right one, but ermergerd rule violation).
To put things in perspective, first place got 180 points and second place had 110 points. Yup. Zero way you can win if you tried that once. Dicks.
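For the pcap step above, here is how the PDF actually gets pulled out of an FTP capture without leaning on Wireshark's "Follow TCP Stream". This is an added example written for this post, not the CTF's pcap or the author's script: the capture is constructed inline (a tiny PDF-shaped payload on an assumed passive-mode data port 50000, delivered out of order with an overlapping retransmission), which is exactly the case where naively concatenating packet payloads gives you a corrupt file.

```python
"""Recover a file transferred over FTP from a libpcap capture, standard library only.

Added example for this post (not the CTF's own material, and not the challenge's
pcap): the capture below is constructed inline so the script runs offline.  It
carries one FTP-DATA stream delivered out of order with an overlapping
retransmission, to show why concatenating packet payloads is not enough.
"""
import struct

# Constructed sample payload standing in for the challenge's PDF.
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample, not a real document\n%%EOF\n"
DATA_PORT = 50000  # assumed passive-mode data port (the one a 227 reply would announce)


def parse_pcap(data: bytes):
    """Yield raw link-layer frames from a classic libpcap file (microsecond magic)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap capture")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes):
    """Return (sport, dport, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return sport, dport, seq, tcp[data_off:]


def reassemble(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.

    Segments are ordered by sequence number and bytes already seen (from
    retransmissions) are dropped.  Sequence wraparound is not handled, which is
    fine for a short capture such as a single file download.
    """
    out = bytearray()
    expected = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if not payload:               # SYN/ACK/FIN carry no data
            continue
        if expected is None:
            expected = seq
        if seq < expected:            # retransmission or overlap: keep only the new tail
            payload = payload[expected - seq:]
            seq = expected
            if not payload:
                continue
        if seq > expected:
            raise ValueError(f"hole in stream before seq {seq}; capture is incomplete")
        out += payload
        expected = seq + len(payload)
    return bytes(out)


def extract_flow(pcap: bytes, sport: int) -> bytes:
    """Reassemble everything sent *from* TCP port `sport`.

    For an FTP download that is the server's data port: 20 in active mode, or
    the port from the 227 reply to PASV.  For an upload (STOR) pass the
    client's ephemeral port instead.
    """
    segs = [(t[2], t[3]) for t in map(parse_tcp, parse_pcap(pcap)) if t and t[0] == sport]
    return reassemble(segs)


# --- constructed capture, used only so the example runs offline -----------------
def _tcp_frame(sport, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # zeroed MACs, EtherType IPv4


def _pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


def build_sample_pcap() -> bytes:
    isn = 1000
    return _pcap([
        _tcp_frame(21, 49151, 5000, b"150 Opening BINARY mode data connection\r\n"),  # control channel
        _tcp_frame(DATA_PORT, 49152, isn + 20, SAMPLE_PDF[20:]),     # second segment arrives first
        _tcp_frame(DATA_PORT, 49152, isn, SAMPLE_PDF[:20]),
        _tcp_frame(DATA_PORT, 49152, isn + 10, SAMPLE_PDF[10:30]),   # overlapping retransmission
        _tcp_frame(DATA_PORT, 49152, isn + len(SAMPLE_PDF), b""),    # FIN, no data
    ])


if __name__ == "__main__":
    recovered = extract_flow(build_sample_pcap(), DATA_PORT)
    with open("recovered.pdf", "wb") as fh:
        fh.write(recovered)
    print(f"wrote {len(recovered)} bytes, starts with {recovered[:8]!r}")
```

On a real capture you would find the data port from the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` line on the port-21 stream (port = p1*256 + p2), then call `extract_flow` with it and check the first bytes for `%PDF` before opening the result.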
DO NOT sniff wireless traffic period
…Really? You’re going to tell people “don’t sniff the wifi”? Here’s a protip: don’t make it sniffable! If someone uses cleartext to search for stuff or submit their entries when SSL is provided, then it’s their own damn fault. And how are you going to police this? Shoulder surf everyone in the CTF?
So as much as I rant, it wasn’t all bad, but the majority of people won’t see the challenges… since again… we’re not allowed to talk about them.
You know what. Fuck it. Enjoy kids.
Here are the details on the challenges. I dare them to try to issue a takedown for this info, as they’ll become the laughing stock of the security community. Sorry they aren’t in HTML and are just PNGs. I was only able to stick around BSidesChicago for a few minutes and pulled the downloads and screenshots as fast as I could. Missing is the “Lost Keys” challenge, which I accidentally didn’t pull.
Diverse Set of Challenges
While I wish they had more active exploitation challenges, there was a sufficient spread: crypto, reversing, pcap analysis, and forensics gave people a good range to look at. However, they didn’t list the point values for any of the challenges, so it was impossible to actually game it like a game.
Quick to Respond to Scoreboard Vulns
So the scoreboard was riddled with vulnerabilities, including the ability to pull the source from the web-accessible .git folder (props to @thekos for that one), CSRF on submissions (including the “cheat” one, to cause other teams to get negative points), SSL but without the Secure flag on cookies, PHPSESSID not regenerating at login, and numerous logic flaws (including the ability to resubmit results numerous times to increase points and to submit after the competition closed). Any time someone *cough* took advantage of these, they were quick to detect and respond, and patched the ones that were being exploited.
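Most of that list is fixable in the submission handler itself. The model below is an added example for this post, not the scoreboard's PHP code: it shows a flag-submission endpoint with a fresh session id at login (against the PHPSESSID fixation issue), a CSRF token bound to the session (against the cross-site “cheat” submission), one credit per team per challenge (against resubmission farming), a hard close time, constant-time flag comparison, and a session cookie that won't ride the plaintext wifi. The challenge table and deadline are constructed, and `submit()` takes `now` as a parameter so the deadline check can be exercised deterministically. The exposed .git folder is a deployment mistake and is not modelled here.

```python
"""Model of a CTF flag-submission endpoint with the controls the BSidesChicago
scoreboard was missing.  Added example written for this post; not the
scoreboard's PHP code.  Challenge data and deadline are constructed.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed challenge data: id -> (flag, points).
CHALLENGES = {
    "pcap-1": ("flag{constructed_example}", 100),
    "web-1": ("0d1e5a9c4b7f3e8a", 150),
}
CLOSES_AT = datetime(2000, 1, 1, 17, 0, tzinfo=timezone.utc)  # constructed deadline
BEFORE_CLOSE = CLOSES_AT - timedelta(hours=1)


class Scoreboard:
    def __init__(self, closes_at, challenges):
        self.closes_at = closes_at
        self.challenges = challenges
        self.csrf_key = secrets.token_bytes(32)  # per-deployment secret
        self.sessions = {}                       # session id -> team
        self.solved = set()                      # (team, challenge id)
        self.points = {}                         # team -> score

    def login(self, team, pre_login_sid=None):
        """Issue a new session id at authentication.  Keeping the pre-login id
        (the PHPSESSID behaviour seen on the board) lets whoever planted that id
        ride the victim's authenticated session."""
        self.sessions.pop(pre_login_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = team
        return sid

    def session_cookie(self, sid):
        """Secure keeps it off the plaintext wifi, HttpOnly keeps it from script,
        SameSite=Strict stops browsers attaching it to cross-site form posts."""
        return f"PHPSESSID={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def csrf_token(self, sid):
        """Token derived from the session id with a server secret, so a form on
        another site cannot produce it without already holding the session."""
        return hmac.new(self.csrf_key, sid.encode(), hashlib.sha256).hexdigest()

    def submit(self, sid, csrf, challenge_id, flag, now):
        team = self.sessions.get(sid)
        if team is None:
            return "not logged in"
        if not hmac.compare_digest(csrf.encode(), self.csrf_token(sid).encode()):
            return "bad csrf token"          # blocks the cross-site "cheat" submission
        if now >= self.closes_at:
            return "competition closed"      # no submissions after the board closes
        if challenge_id not in self.challenges:
            return "unknown challenge"
        if (team, challenge_id) in self.solved:
            return "already solved"          # no farming points by resubmitting
        real_flag, points = self.challenges[challenge_id]
        if not hmac.compare_digest(flag.strip().encode(), real_flag.encode()):
            return "wrong flag"              # no penalty: guessing is part of the game
        self.solved.add((team, challenge_id))
        self.points[team] = self.points.get(team, 0) + points
        return "correct"


if __name__ == "__main__":
    board = Scoreboard(CLOSES_AT, CHALLENGES)
    sid = board.login("team_a", pre_login_sid="id-handed-out-before-login")
    token = board.csrf_token(sid)
    print(board.session_cookie(sid))
    print(board.submit(sid, token, "pcap-1", "flag{constructed_example}", BEFORE_CLOSE))  # correct
    print(board.submit(sid, token, "pcap-1", "flag{constructed_example}", BEFORE_CLOSE))  # already solved
    print(board.submit(sid, "forged", "web-1", "0d1e5a9c4b7f3e8a", BEFORE_CLOSE))         # bad csrf token
    print(board.submit(sid, token, "web-1", "0d1e5a9c4b7f3e8a", CLOSES_AT))               # competition closed
    print(board.points)
```

The order of the checks matters: session and CSRF are verified before anything else so an unauthenticated or cross-site request can never reach the scoring code, and the “already solved” check happens before the flag compare so a correct flag replayed a hundred times still adds nothing.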
Wrapping it Up
Like I said at the start, I fully understand the amount of work required to create a CTF. My issue hasn’t been with the challenges I had time to look at, but with everything around them. And all those surrounding issues give the Chicago hacker community a shitty image. Derp.