- There were strange flag submits at the end of the CTF. It is unusual when a team which, according to the CTFtime archives https://ctftime.org/team/1787, never placed in the top 10 of any CTF wins by mass flag submits in the last 5 minutes, in a competition where known good teams like p4, ASIS or Bushwhackers play.
- After several rounds of debate with the orgs that it may not be 100% legit, we managed to receive the flag submission logs to analyse ourselves. We found several signs of flag sharing by analysing the time correlation and structure of the flag submits.
- Submits in the last 10 minutes:
- 1102 [2017-08-27 16:50:53] badfirmware Foren100
- 1103 [2017-08-27 16:51:44] hackthissite Joy30
- 1104 [2017-08-27 16:54:05] khack40 Stego200
- 1105 [2017-08-27 16:55:03] \u706b\u8f66\u8dd1\u5f97\u5feb\uff0c\u5168\u9760\u6885\u795e\u5e26 Joy10
- 1106 [2017-08-27 16:56:16] sec0d Misc150
- 1107 [2017-08-27 16:56:16] Legion of Dumb Reverse250
- 1108 [2017-08-27 16:56:27] sec0d Crypt200
- 1109 [2017-08-27 16:56:32] \u706b\u8f66\u8dd1\u5f97\u5feb\uff0c\u5168\u9760\u6885\u795e\u5e26 Foren150
- 1110 [2017-08-27 16:57:27] ASIS Joy10
- where '\u706b...' is https://ctftime.org/team/19216. A group of teams submits flags within a 1 minute interval. It is usually normal to keep a flag until the end of the CTF and submit it in the last minute to distract others. But to do this, you need to be sure that the flag is correct -- you will not have time to fix it. This is not the case for the Misc150 task: its flag doesn't have the usual h4ck1t{} form and is not cleanly readable (a stego-like task with a labyrinth). It is OK to submit such a flag in the last minutes if you are sure that it is correct, like already verified by another team.
- Let's look at the Misc150 task more:
- 660 [2017-08-26 14:26:34] 1064CBread Misc150
- 678 [2017-08-26 15:39:05] kybguru Misc150
- 865 [2017-08-27 00:15:11] p4 Misc150
- 1006 [2017-08-27 13:03:13] InSecurity Misc150
- 1106 [2017-08-27 16:56:16] sec0d Misc150
- there are not many solutions of it, because of a buggy implementation and bad uptime. The first two teams did not play on the 2nd day, but the last two teams combined with the previous 1 minute interval:
- 974 [2017-08-27 09:44:34] khack40 Foren100
- 975 [2017-08-27 09:45:14] khack40 Web100
- 976 [2017-08-27 09:46:50] khack40 Joy50
- 977 [2017-08-27 09:47:49] khack40 Foren150
- 1005 [2017-08-27 12:57:58] InSecurity Crypt300
- 1006 [2017-08-27 13:03:13] InSecurity Misc150
- 1038 [2017-08-27 14:37:14] sec0d Crypt300
- 1043 [2017-08-27 14:53:19] sec0d Crypt150
- 1059 [2017-08-27 15:30:34] sec0d Stego200
- 1063 [2017-08-27 15:34:10] sec0d Foren200
- 1069 [2017-08-27 15:50:10] InSecurity Crypt200
- 1099 [2017-08-27 16:43:42] InSecurity Joy30
- 1104 [2017-08-27 16:54:05] khack40 Stego200
- 1106 [2017-08-27 16:56:16] sec0d Misc150
- 1108 [2017-08-27 16:56:27] sec0d Crypt200
- we have a problem not only in the last 5 minutes -- 4 flags in 3 minutes (974-977), groups of 2 flags in 5 minutes (1005-1006, 1059-1063). You cannot solve these by yourself in such an interval (Crypt300, for example, requires an implementation of modified playfair256-pcbc and heavy guessing), and there are 7 hours until the CTF end (so it is not flag holding).
- There are also other ridiculous examples -- the WildWest team, not previously registered on CTFtime:
- 1025 [2017-08-27 14:16:03] WildWest PWN250
- 1026 [2017-08-27 14:16:46] WildWest Crypt200
- 1027 [2017-08-27 14:17:40] WildWest Crypt150
- 1028 [2017-08-27 14:17:59] WildWest Reverse300
- 1029 [2017-08-27 14:18:16] WildWest Reverse250
- 1030 [2017-08-27 14:19:30] WildWest Reverse150
- 1031 [2017-08-27 14:19:52] WildWest Reverse200
- 1032 [2017-08-27 14:20:44] WildWest PWN200
- 1033 [2017-08-27 14:23:51] WildWest PWN150
- 9 flag submits (all they "solved") in 7 minutes, 3 hours before the CTF end; they got #10 and qualified for the onsite.
- This information was sent to the orgs before publishing, with suggestions to do more investigation on web server logs and wrong flag submissions. We received a reply that everything is fine, and no future analysis is needed.
- After all, you can do anything with your event as an organizer. But if you accept cheating in such ridiculous forms, don't pretend that your event is a respectable CTF.
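The time-correlation check described above can be automated for organizers reviewing a scoreboard. This is an added example, not part of the original paste: it parses the log format shown here and reports each team's longest run of accepted flags inside a sliding window. The thresholds (`min_flags=3`, a 10 minute window) and the function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Submission lines copied from the paste above (id, timestamp, team, task).
LOG = """\
974 [2017-08-27 09:44:34] khack40 Foren100
975 [2017-08-27 09:45:14] khack40 Web100
976 [2017-08-27 09:46:50] khack40 Joy50
977 [2017-08-27 09:47:49] khack40 Foren150
1005 [2017-08-27 12:57:58] InSecurity Crypt300
1006 [2017-08-27 13:03:13] InSecurity Misc150
1025 [2017-08-27 14:16:03] WildWest PWN250
1026 [2017-08-27 14:16:46] WildWest Crypt200
1027 [2017-08-27 14:17:40] WildWest Crypt150
1028 [2017-08-27 14:17:59] WildWest Reverse300
1029 [2017-08-27 14:18:16] WildWest Reverse250
1030 [2017-08-27 14:19:30] WildWest Reverse150
1031 [2017-08-27 14:19:52] WildWest Reverse200
1032 [2017-08-27 14:20:44] WildWest PWN200
1033 [2017-08-27 14:23:51] WildWest PWN150
1107 [2017-08-27 16:56:16] Legion of Dumb Reverse250
"""

LINE = re.compile(r"^(\d+) \[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] (.+) (\S+)$")

def parse(text):
    """Yield (id, time, team, task); the last token is the task, so team names may contain spaces."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield (int(m[1]), datetime.strptime(m[2], "%Y-%m-%d %H:%M:%S"), m[3], m[4])

def bursts(text, min_flags=3, window=timedelta(minutes=10)):
    """Return {team: [ids]}: each team's longest run of >= min_flags submits within `window`."""
    by_team = defaultdict(list)
    for sid, ts, team, _task in parse(text):
        by_team[team].append((ts, sid))
    found = {}
    for team, subs in by_team.items():
        subs.sort()
        start = 0
        for end in range(len(subs)):
            while subs[end][0] - subs[start][0] > window:  # shrink window from the left
                start += 1
            run = [sid for _, sid in subs[start:end + 1]]
            if len(run) >= min_flags and len(run) > len(found.get(team, [])):
                found[team] = run
    return found
```

A burst on its own is only a lead: late flag holding produces the same pattern, so flagged runs still need the manual checks the paste applies (time left until the end, task difficulty, wrong-flag and web server logs).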