Untitled

a guest
Aug 29th, 2017
  1. There were strange flag submits at the end of the CTF. It is unusual when a team which, according to the CTFtime archives (https://ctftime.org/team/1787), never placed in the top 10 of any CTF wins by mass flag submits in the last 5 minutes, in a competition where known good teams like p4, ASIS or Bushwhackers play.
  2. After several rounds of debate with the orgs that it may not be 100% legit, we managed to receive the flag submission logs to analyse ourselves. We found several signs of flag sharing by analysing the time correlation and structure of flag submits.
  3. Submits in the last 10 minutes:
  4.  
  5. 1102 [2017-08-27 16:50:53] badfirmware Foren100
  6. 1103 [2017-08-27 16:51:44] hackthissite Joy30
  7. 1104 [2017-08-27 16:54:05] khack40 Stego200
  8. 1105 [2017-08-27 16:55:03] \u706b\u8f66\u8dd1\u5f97\u5feb\uff0c\u5168\u9760\u6885\u795e\u5e26 Joy10
  9. 1106 [2017-08-27 16:56:16] sec0d Misc150
  10. 1107 [2017-08-27 16:56:16] Legion of Dumb Reverse250
  11. 1108 [2017-08-27 16:56:27] sec0d Crypt200
  12. 1109 [2017-08-27 16:56:32] \u706b\u8f66\u8dd1\u5f97\u5feb\uff0c\u5168\u9760\u6885\u795e\u5e26 Foren150
  13. 1110 [2017-08-27 16:57:27] ASIS Joy10
  14.  
  15. where '\u706b...' is https://ctftime.org/team/19216. A group of teams submits flags within a 1-minute interval. It is usually normal to keep a flag till the end of the CTF and submit it in the last minute to distract others. But to do this, you need to be sure that the flag is correct -- you will not have time to fix it. This is not the case for the Misc150 task: its flag doesn't have the usual h4ck1t{} form and is not cleanly readable (a stego-like task with a labyrinth). It is OK to submit such a flag in the last minutes if you are sure that it is correct, e.g. already verified by another team.
  16. Let's look at the Misc150 task more closely:
  17.  
  18. 660 [2017-08-26 14:26:34] 1064CBread Misc150
  19. 678 [2017-08-26 15:39:05] kybguru Misc150
  20. 865 [2017-08-27 00:15:11] p4 Misc150
  21. 1006 [2017-08-27 13:03:13] InSecurity Misc150
  22. 1106 [2017-08-27 16:56:16] sec0d Misc150
  23.  
  24. There are not many solutions to it, because of a buggy implementation and bad uptime. The first two teams did not play on the 2nd day, but the last two teams, combined with the previous 1-minute interval:
  25.  
  26. 974 [2017-08-27 09:44:34] khack40 Foren100
  27. 975 [2017-08-27 09:45:14] khack40 Web100
  28. 976 [2017-08-27 09:46:50] khack40 Joy50
  29. 977 [2017-08-27 09:47:49] khack40 Foren150
  30.  
  31. 1005 [2017-08-27 12:57:58] InSecurity Crypt300
  32. 1006 [2017-08-27 13:03:13] InSecurity Misc150
  33.  
  34. 1038 [2017-08-27 14:37:14] sec0d Crypt300
  35. 1043 [2017-08-27 14:53:19] sec0d Crypt150
  36.  
  37. 1059 [2017-08-27 15:30:34] sec0d Stego200
  38. 1063 [2017-08-27 15:34:10] sec0d Foren200
  39.  
  40. 1069 [2017-08-27 15:50:10] InSecurity Crypt200
  41. 1099 [2017-08-27 16:43:42] InSecurity Joy30
  42.  
  43. 1104 [2017-08-27 16:54:05] khack40 Stego200
  44. 1106 [2017-08-27 16:56:16] sec0d Misc150
  45. 1108 [2017-08-27 16:56:27] sec0d Crypt200
  46.  
  47. We have a problem not only with the last 5 minutes -- 4 flags in 3 minutes (974-977), groups of 2 flags in 5 minutes (1005-1006, 1059-1063). You cannot solve them by yourself in such an interval (Crypt300, for example, requires an implementation of modified playfair256-pcbc and heavy guessing), and there are 7 hours to the CTF end (so it is not flag holding).
  48.  
  49. There are also other ridiculous examples -- the WildWest team, not previously registered on CTFtime:
  50.  
  51. 1025 [2017-08-27 14:16:03] WildWest PWN250
  52. 1026 [2017-08-27 14:16:46] WildWest Crypt200
  53. 1027 [2017-08-27 14:17:40] WildWest Crypt150
  54. 1028 [2017-08-27 14:17:59] WildWest Reverse300
  55. 1029 [2017-08-27 14:18:16] WildWest Reverse250
  56. 1030 [2017-08-27 14:19:30] WildWest Reverse150
  57. 1031 [2017-08-27 14:19:52] WildWest Reverse200
  58. 1032 [2017-08-27 14:20:44] WildWest PWN200
  59. 1033 [2017-08-27 14:23:51] WildWest PWN150
  60.  
  61. 9 flag submits (all they "solved") in 7 minutes, 3 hours before the CTF end, gets #10 and qualifies for the onsite.
  62.  
  63. This information was sent to the orgs before publishing, with suggestions to do more investigation of the web server logs and wrong flag submissions. We received a reply that everything is fine, and no further analysis is needed.
  64. After all, you can do anything with your event as an organizer. But if you accept cheating in such ridiculous forms, don't pretend that your event is a respectable CTF.
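The time-correlation check described in the paste can be automated over the same log format. The following is an added example, not the paste author's tooling: it parses lines of the form `<id> [<timestamp>] <team> <task>` (copied from the paste) and reports per-team runs of solves with short gaps. The `max_gap` and `min_flags` thresholds are assumptions, and a reported run is a lead for further review (it can also be flag hoarding), not proof of sharing.

```python
import re
from datetime import datetime, timedelta
from itertools import groupby
# Submission-log lines copied from the paste: "<id> [<timestamp>] <team> <task>".
LOG = """\
974 [2017-08-27 09:44:34] khack40 Foren100
975 [2017-08-27 09:45:14] khack40 Web100
976 [2017-08-27 09:46:50] khack40 Joy50
977 [2017-08-27 09:47:49] khack40 Foren150
1025 [2017-08-27 14:16:03] WildWest PWN250
1026 [2017-08-27 14:16:46] WildWest Crypt200
1027 [2017-08-27 14:17:40] WildWest Crypt150
1028 [2017-08-27 14:17:59] WildWest Reverse300
1029 [2017-08-27 14:18:16] WildWest Reverse250
1030 [2017-08-27 14:19:30] WildWest Reverse150
1031 [2017-08-27 14:19:52] WildWest Reverse200
1032 [2017-08-27 14:20:44] WildWest PWN200
1033 [2017-08-27 14:23:51] WildWest PWN150
1038 [2017-08-27 14:37:14] sec0d Crypt300
1043 [2017-08-27 14:53:19] sec0d Crypt150
1107 [2017-08-27 16:56:16] Legion of Dumb Reverse250
"""
LINE = re.compile(r"(\d+) \[([\d\-: ]+)\] (.+) (\S+)$")

def parse(log):
    """Yield (id, time, team, task); the team name may contain spaces."""
    for m in filter(None, map(LINE.match, log.splitlines())):
        ts = datetime.strptime(m[2], "%Y-%m-%d %H:%M:%S")
        yield int(m[1]), ts, m[3], m[4]

def bursts(rows, max_gap=timedelta(minutes=5), min_flags=3):
    """Per team, runs of >= min_flags solves with gaps <= max_gap (assumed thresholds)."""
    found = []
    rows = sorted(rows, key=lambda r: (r[2], r[1]))
    for team, subs in groupby(rows, key=lambda r: r[2]):
        run = []
        for sub in list(subs) + [None]:  # trailing None flushes the final run
            if run and (sub is None or sub[1] - run[-1][1] > max_gap):
                if len(run) >= min_flags:
                    span = int((run[-1][1] - run[0][1]).total_seconds())
                    found.append((team, len(run), span, run[0][0], run[-1][0]))
                run = []
            if sub is not None:
                run.append(sub)
    return sorted(found, key=lambda b: b[3])  # order by first submit id

if __name__ == "__main__":
    for team, n, span, first, last in bursts(parse(LOG)):
        print(f"{team}: {n} flags in {span}s (submits {first}-{last})")
```

Wrong-flag submissions and web server logs, which the paste suggests the organizers review, would be natural additional inputs if available.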