Capture The Root 2009
As you, friends, have probably already seen at DDTEK, we finished in 5th place in this year’s Defcon CTF. Let us explain why.
This year’s contest has been interesting but weird, really really weird. The contest started after a long delay, and the teams had a USB key with the binaries almost two hours before the system started to work (later we discovered some of those bins were not the same as the ones running on the servers). Once the whole thing started, the teams were scoring without knowing the real points scored by any of the teams and with a limited view of the services’ SLA (only a reduced number of the complete set of services were reported, and that caused some teams to close any service not listed in the SLA status information).
This first day we had another good start, scoring a nice amount of points and reaching the first position (at least when we finally had a scoring table), but soon Routards and VedaGodz showed up with their great potential. Because some teams closed their services that were not listed in the SLA table, we stopped scoring some vital points, and other teams finally made up the distance we had earned at the beginning.
This is what happened on the first day and most of the second one too. We were comfortable in the top 3 with Routards and VedaGodz, and Song of Freedom was also on top during part of the second day. The surprise was to see that Sk3wl was scoring only a few points, and they were in last place at the end of the second day. But before that, at some point on Saturday evening, first Routards and later VedaGodz got 0days/breakthroughs, so they left us behind in third position. The distance was only about 400-600 points so there was no reason to worry… or was there??
The third day…… The last four hours of competition were completely crazy. It seems that on Saturday evening (second day), some teams found a way to get root on the servers due to a permission misconfiguration, and it seems they used it to score a few points to stay on top. The DDTEK staff was aware of the problem and was trying to solve it, but during this last part of the competition some other teams realized what was happening and started to steal flags from all services without needing to exploit them. As far as we know (because they told us ;D), some of the top scoring teams were doing it, and in the middle of all this chaos, the Korean team PLUS got another breakthrough and we were pushed down to the 6th position. We tried to recover but it was too late and the contest was out of (our) control.
And that’s how the contest finished, without a clear result (DDTEK staff wanted to thrill us so the score was not public during the last 2 hours) and leading to a surprising award ceremony where some Sk3wl members showed up as part of DDTEK.
In short, it was quite an interesting contest with some things to improve (we believe that with more time they will do it better), and our team offered a nice and quick start but a not so good end, similar to how psifertex described us in his Defcon talk. Despite the 5th place we’re happy with our performance. Why? Because we chose to use a new management system and it worked quite well, the new captain was far more involved than the old one xDD, and remember that we were the smallest team in the final round.
And of course, congratulations to Team Awesome/VedaGodz. Well done guys, well done ^_^

I love you~~ Sexy Pandas !!
as you said on last sentence
the younger is the better +_+
good job parki,
but I’m always fan of TORA ♡
Remember, little frog is “cheerleader” for Lovely Pandas whatever you did.
Comment by woos — August 7, 2009 @ 03:48
good job, tora.
You are very handsome!
See you later
Goodbye
-Secret-
Comment by Secret-Wowhacker — August 7, 2009 @ 04:56
sexy pandas are so so sexy.
re; the root privilege escalation bug,
Almost all of the binaries were self responsible for dropping privileges. That combined with service-uid owned home directories allowed an attacker to remove the binary and replace it with a patched version that would spawn a root shell.
many lols, wish we had caught this classic mistake.
<3
loller von skater
Comment by adc — August 7, 2009 @ 05:35
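A defender-side check for the misconfiguration adc describes, as an added example that is not part of the original post or of DDTEK's setup: it walks from a service binary up to `/` and reports every path component that would let the service uid swap the binary out. The function names and the temporary layout are assumptions made for illustration.

```python
import os
import stat

def _can_write(st, uid, gids):
    """True if `uid` can modify the inode; an owner can always chmod itself in."""
    if uid == 0 or st.st_uid == uid:
        return True
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def replaceable_by(binary, uid, gids=()):
    """List (path, reason) pairs that let `uid` swap out `binary`.

    Checks the file itself and every ancestor directory: write access to a
    directory is enough to unlink or rename an entry the uid cannot open.
    """
    findings = []
    child = os.path.realpath(binary)
    child_st = os.stat(child)
    if _can_write(child_st, uid, gids):
        findings.append((child, "file is owned or writable by the service uid"))
    while child != os.path.dirname(child):
        parent = os.path.dirname(child)
        parent_st = os.stat(parent)
        if _can_write(parent_st, uid, gids):
            # Sticky directories (/tmp style) only let the owner of the
            # directory or of the entry remove or rename that entry.
            sticky = parent_st.st_mode & stat.S_ISVTX
            if not sticky or uid in (parent_st.st_uid, child_st.st_uid):
                findings.append((parent, "service uid can replace " + os.path.basename(child)))
        child, child_st = parent, parent_st
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed layout: a home directory owned by the account running this
    # script, standing in for a service-uid-owned home directory.
    home = tempfile.mkdtemp()
    binary = os.path.join(home, "service")
    open(binary, "w").close()
    for path, reason in replaceable_by(binary, os.getuid()):
        print(path, "-", reason)
```

An empty result for the uid a service drops to means neither the binary nor any directory above it can be replaced by that account.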
Hello! (hi! ^-^)
I miss an attractive man, TORA!
Comment by Chloe — August 7, 2009 @ 09:13
give my kiss to the sexiest ero’s leg.
I hope you have a good surgery, good luck to you.
even if I’m fan of tora, but my mind forward to you. XDDDDD
Comment by sexy woos — August 7, 2009 @ 10:19
hey ero ~~ kill the woos xDDDDD
unfair competition
Comment by force — August 7, 2009 @ 16:55
The VedaGodz didn’t know about the perms issue. Shellphish told us about it in the last ten mins but we were never able to take advantage of it. That was probably how Routards caught up to us so quickly.
As an aside, I can’t remember who it was, but awesome work on mymqld, you got further than I did. I should be publishing some write-ups soon for those interested.
Comment by Hj — August 7, 2009 @ 17:49
Hello!
This post is very clear to explain last Defcon CTF.
Well done sexys!
Comment by Acuros — August 7, 2009 @ 19:36
Hahaha, thanks friends for such kind words ^_^
@adc: we also wish we had realized it a couple of hours before we did xDD
@Hj: Shellphish told us they were the first to notice, I remember that. But we included VedaGodz in the list because a couple of teams told us Vedaz rooted them. Maybe it was any other team, but it’s hard to prove it now ;D Anyways if they want to be out of that list (is that really a problem?) we’ll delete them.
@Chloe: xDDDD i love u too :*
Thanks again, it’s been nice to see you all in Vegas!
Comment by Tora — August 7, 2009 @ 22:19
It should be pretty easy to show who did and who didn’t have root once DDTEK releases the raw score data. Anybody who gets a whole cluster of keys across multiple services all of a sudden had root. Veda definitely didn’t have it, but if somebody else did, more power to them for finding it. (You can be sure ddtek will get that right next year!)
I hope I didn’t jinx you guys with that bio! You have a great team, I think that’s very obvious. Maybe more sleep and ration out energy drinks next time?
Best of luck next year. I’m hoping to see Kenshoto back as participants, 1@stplace, and maybe even some of the ex-sk3wl folks not on ddtek. We’ll see…
Comment by psifertex — August 8, 2009 @ 07:10
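The heuristic psifertex describes, sketched as an added example that is not part of the original comments: flag any team whose first captures on several different services all land inside one short window. The event format `(unix_time, team, service)`, the thresholds and the sample rows are constructed assumptions, not DDTEK's score data.

```python
from collections import defaultdict, deque

# Constructed sample: teamA gains one new service per hour, teamB gains four
# new services within 90 seconds after hours of scoring on a single service.
SAMPLE_EVENTS = [
    (0, "teamA", "svc1"), (3600, "teamA", "svc2"),
    (7200, "teamA", "svc3"), (10800, "teamA", "svc4"),
    (100, "teamB", "svc1"), (200, "teamB", "svc1"),
    (10000, "teamB", "svc2"), (10030, "teamB", "svc3"),
    (10060, "teamB", "svc4"), (10090, "teamB", "svc5"),
]

def sudden_clusters(events, window=300, min_new_services=4):
    """Return {team: (cluster_start, services)} for suspicious bursts.

    Only the first capture per (team, service) counts, so a team that keeps
    scoring on services it already exploits is not flagged.
    """
    first_seen = defaultdict(dict)
    for ts, team, service in sorted(events):
        first_seen[team].setdefault(service, ts)

    flagged = {}
    for team, services in first_seen.items():
        recent = deque()
        for ts, service in sorted((t, s) for s, t in services.items()):
            recent.append((ts, service))
            # Drop first captures that fell out of the sliding window.
            while recent[0][0] < ts - window:
                recent.popleft()
            best = len(flagged.get(team, (0, []))[1])
            if len(recent) >= min_new_services and len(recent) > best:
                flagged[team] = (recent[0][0], sorted(s for _, s in recent))
    return flagged

if __name__ == "__main__":
    for team, (start, services) in sudden_clusters(SAMPLE_EVENTS).items():
        print(team, "gained", len(services), "new services from t =", start)
```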
Tora,
It would be sweet if you would remove us from the root list. We joked with a few teams that we had root, but we never actually succeeded. It only matters to us as an issue of pride. Winning with root is one thing; winning without root while your closest competition has it is something completely different.
Every team that played us was great. The level of competition at this CTF is unbelievable. I hope to see you guys at the CTF next year. If anybody cares Team Awesome/VedaGodz will be doing writeups about the binaries/general Defcon experience soon.
Comment by Gynophage — August 10, 2009 @ 14:56
Okay guys, in order to keep everybody happy we removed the names of the teams from the root thing. If Team Awesome managed to social engineer other teams, our kudos, we just added information based on what friends from other teams told us. As a side note I agree with psifertex, any team that discovered and exploited the bug deserves a special recognition. But it makes no sense to be adding and removing names from the post, that’s why we decided to remove them all.
I hope nobody got hurt ;P and we’ll be waiting for those writeups.
C ya mates!
Comment by Tora — August 10, 2009 @ 21:32
Gynophage, it will be clear who abused the rootage from the stats from ddtek. Also, if you knew about this the day before, why didn’t you tell the organization? Anyway this “root” can also be considered as part of the game this year, so it doesn’t matter that much.
Comment by dreyer — August 11, 2009 @ 13:12
Tora,
Although I didn’t participate in Defcon 2009,
I’d like to meet you some time.
PS. Sorry I’m late,
you did well on Defcon 2009, Sexy Pandas.
I hope you get a better score next time.
Comment by reverseh4ck — September 16, 2009 @ 15:30