InetSec 2 - Capture The Flag/08

Introduction

The UCSB Capture The Flag is a distributed, wide-area security exercise organized by our sister lab in Santa Barbara, whose goal is to test the security skills of students from both the attack and defense viewpoints.

As in the previous years, the UCSB iCTF contest took place on the first Friday of December (Dec 5th this year) from 08:00 to 16:00 PST (that's 17:00 to 01:00 CET) and this year saw the biggest contest to date, with 39 (!) teams from 9 countries spread across 5 continents. Kudos to the UCSB team for organizing such an epic event and making sure that everything runs smoothly and doesn't keep people from doing what they came to do, and that is have fun and HACK HACK HACK!!! :-)

This year, we participated with two separate teams, one at the Technical University of Vienna, and one for the first time at the Institute Eurecom.

The Vienna team secured a respectable fifth place, continuing its tradition of great performances from years past. The Institute Eurecom team was not as glorious as Vienna, but hey, it was a small team and 17th place out of 39 is not too bad and is above average ;-)

In Vienna, these were the people who made it happen:

"The Vienna iSecLab Team"

Team Name: We_0wn_Y0u

Team Members (sorted by last name):

In the d'Azur, these were the people who made it happen:

"The d'Azur iSecLab Team"

Team Name: La petite bourgeoisie

Team Members (sorted by last name):

  • MARCO 'Hyper Enigma' BALDUZZI
  • ULRICH 'The Dynamic' BAYER
  • LEYLA 'bobnet' BILGE
  • MANUEL 'The Pizzaman' EGELE
  • ALI 'Daemon Vampire' FAWAZ
  • IMAM 'Leet Warlord' HABIBI
  • ANIL 'Dark Nikon' KURMUS
  • PETER 'tres bon' WURZINGER

The Vienna Report

This year marked our first competition without Chris and Engin at the helm. Luckily, they trained us well before they left ;). We (the "organization triumvirate" Andy, Clemens and Martin) were able to recruit a great team composed of SecLab guys and InetSec2 students. Everybody was really motivated and people even started some advanced preparations to have the right scripts handy for the tasks we expected to face. On Friday noon, we sent out an expeditionary force to Billa to acquire provisions for the army of hackers we would have to sustain. Finally, around 15:00 we gathered in the TI Lab (again big thanks to Heinz Deinhart for letting us use the room) and started setting up the infrastructure. This time around we had sufficient equipment and there was no last-minute emergency hardware acquisition (TM) necessary. We even had our own WiFi AP for people who preferred to be mobile while hacking. A short panicky moment occurred nevertheless, when around 16:00 our main box (acting as router for all machines) got blocked from accessing the outside network for no apparent reason. A few frantic phone calls with TU's tech staff (who were not easy to reach on a Friday afternoon ;-)) did not clear up the matter (and a later investigation was also inconclusive), but luckily network connectivity returned by itself in time for the contest.

As always, the vulnerable image was distributed a few hours before (with the decryption key to be announced at contest begin) and we were stumped by its small size, leading to wild speculations about the content. When visiting Vienna a few months earlier, Giovanni Vigna, the mastermind behind the iCTF, had promised to deliver something completely different for this year's contest. That further increased our confusion and uncertainty, although some thought that was just part of a FUD campaign to keep people on edge. Then, around 16:30, a member of our team found the decryption key ("ucsb") by googling the image's MD5 sum. The first reaction was "Hooray, we have an advantage now," soon followed by "Damn, why did nobody think of that earlier." But after booting the image for the first time we went back to dazed and confused. The image was FreeDOS, simply displaying (in a Hollywood-typical character-by-character manner) a confusing story including Jack Bauer, some terrorist and a bomb, and then destroying itself. Of course, people started dissecting the image to find out what the @%&$ was going on. Soon we realized that the image must be a hoax, and at the same time we received the e-mail from Giovanni outlining the real goal of the contest.

As promised, the contest was completely unlike any other one before. Instead of having your own server to protect, each team got a whole network to attack, hosted on UCSB machines. There were no flags to be captured and submitted; instead, the task was to penetrate the network and to reach the machine controlling the bomb. Initially, the teams only had access to the terrorist organization's web portal ("Softerror.com"). Our team was pretty quick in finding a way to upload and execute PHP code through the web site, but it took us a while to completely 0wn the machine. By then the structure of the network had become apparent to us: the other machines were only reachable through the web server, and we had to own each machine in turn to get to the next one.

That's where the trouble started. A quick nmap revealed that there were two more machines, one hosting another web site and one with a binary service. Of course everyone opened remote shells on the first web server to get to the other ones, and that almost killed it. And since, with the different infrastructure, a new rule had come into effect ("if you screw up your target, your target STAYS SCREWED"), we almost flew out of the competition. Luckily, we managed to recover and set up forwards and proxies for everyone to keep the load at a reasonable level.

Besides the main task of finding the bomb, there was also a series of challenges to solve, to receive points that could be redeemed for hints on how to own the vulnerable services on the network. There were four categories (Trivia, Binary, Forensics and Reverse Engineering) plus a Functional Programming bonus challenge. We managed to solve almost all challenges, save for Forensics 500, RevEng 500 and the bonus challenge.

Since we were stuck on both fronts (i.e. servers) for a while, we invested some of the points to get hints on how to get the level one password on the "financial" web server. This proved to be a sound investment, since after that we were able to hack the remaining three levels rather quickly. Around 12:15 we finally had root access on that server and started scanning for the bomb server. The binary service, on the other hand, was "one step from completion (TM)" all the time. Later we learned, to our dismay, that the format string exploit we had was just one character off from the real thing. Damn!

The bomb server (and service) was found pretty quickly. There was a control interface accessible through the network, and it even had a "disarm" command, but of course that didn't work. As the clock was ticking away towards 01:00, when the bomb was set to explode, we figured out that we needed to obtain the "firmware" for the bomb and patch it. We set our L337 binary H4X0R5 to the task, but time was running out and the task was not easy. In the end, after three attempts with the patched firmware which didn't yield the desired result, we watched the lovely ASCII-art mushroom cloud as the bomb detonated.

So, in the end, we failed Jack Bauer (and whatever city was obliterated by that bomb :-)) but still had a lot of fun competing. The score we earned pinned us at the fifth position, but since we did not defuse the bomb (a requirement for winning the game) we were not sure what our actual position was (any team managing that would be ahead of us). Later we learned that only one team (Kudos ENOFLAG, also for pwning absolutely everything and having the high score) managed to prevent a nuclear disaster, hence our fifth place stands and we are happy about it. Check out the scoreboard (PDF) for more details. The complete description, the vulnerable server images and all the challenges and solutions can be found at the CTF main site.

Like every year, incredible amounts of pizza and soft & energy drinks were consumed, and after we cleaned up the mess the party was far from over. We decided to celebrate at Pointers, but they were closing down and didn't let us in. So we went to 4 Bells and when they closed to Kiosk where the waiter brought us beer even before we had a chance to sit down :-). And even after that place closed, some guys kept partying at Clemens' place (Kudos Manu for not killing them ;-)). Yes, that's how we CTF here in Vienna!

The d'Azur Report

For the d'Azur folks, it was the first time that they participated. Participation for the class was optional, so we had about three Eurecom students taking part. The rest were iSecLab Ph.D. people and visiting students from Vienna (old faces that we all know). We were lucky that Chris was visiting Eurecom by chance and joined in the fun. So, in a way, it was like the old times... only a little smaller and with the weather being a little better :-)

This time, we had Davide on board. He had been at UCSB before and was always on the iCTF organization side. This time, he had a chance to join in the fun and work on the hacking part ;-)

We were completely taken by surprise by the new form of the CTF. We knew that our team was going to be small, so this time we had made some preparations that would probably have helped us to get a decent position. The "treasure hunt" type of CTF was fun, but did not work in our favor. Also, we made some strategic mistakes in using our points to buy hints that did not really help ;-)

Considering the size of the team, we managed to hack quite a few services and solve a number of challenges. If the points system had been a little different, we would have made it among the top 10 teams. Oh well, it was fun, it was different. We shall see what will happen next year ;-)

Summary

In the end, the only thing left to say is: thank you, UCSB, for a great contest. We had a great time and we are looking forward to iCTF '09.


Last Modified: Tue Mar 2 15:50:43 CET 2010


International Secure Systems Lab www.iseclab.org