Although I ended up not spending much time on this year's RWCTF, I did (with the help of my awesome teammates) solve one problem: RWDN. The intended solution involved a bug in one of their middleware handlers that was designed incorrectly and allowed attackers to bypass a crucial check. However, I found that there was an alternate bypass that would have worked even if their code was correct. The author got back to me to let me know that this was actually the intended solution, and the other more obvious one was just a normal, everyday bug. Props to them for a really clever problem, and it goes to show that even the best security experts can slip up from time to time.

Let's discuss what the bug is, and why it could be a problem for "real world" applications.

(Image: Original)

As an added bonus, no crash means that we get to see the generated file name without having to compute the hash ourselves for part 2!

Broader implications

Obviously in this instance the impact stems in part from the decision to control the file access via query parameters. Yet, in order to exploit the prototype pollution, all we needed to do was access a file whose name was an integer greater than zero. Using numeric keys for forms is not that unusual of a practice, and it means that when using express-fileupload, the programmer cannot trust that a key is on `req.files` itself.

Fortunately, this is an easy fix, both for express-fileupload (which should replace `instance = instance || {}` with `instance = instance || Object.create(null)`) as well as for the user (who can install middleware that explicitly sets `req.files` to `Object.create(null)`).

All in all this is not a high-impact bug, but it could have allowed RWDN to omit an intentional bug without impacting the problem's solvability, all while making it that much more "real".


Much like the rest of the world, DEF CON CTF returned this year in a hybrid online/in-person format. For those who wanted it, space was reserved on the game floor to hack amidst the other teams that came to Vegas. For the rest of us who were still a bit nervous about large crowds, the infrastructure would be hosted online and accessible from anywhere in the world. Torn between the two choices, we opted this year for a middle ground: all of us together, but in a house 300 miles away.

DEF CON CTF is one of the most well-known security competitions in the world. Often considered the World Finals (or "Olympics") of hacking, teams qualify for it either by winning other notable competitions, or by placing high enough in its dedicated qualifier round.

As a consequence of the competition's longevity, and the onerous burden of running it, the organizing team ends up changing every couple of years. For the past four years, the CTF has been led by the Order of the Overflow, who have announced that this year's competition has been their last. Out of consideration for their hard work, and all of the new ideas that they've brought to the table, after I finish my retrospective I would like to take a moment to discuss their legacy and what future organizers can learn from their tenure (as viewed by a competitor). With that said, it is helpful to understand the competition that they ran before discussing what happened during it. This game was not much different from previous years, but to save you the trouble of looking at another writeup, I'll summarize the structure here.

DEF CON CTF takes place over three days and includes two different types of challenges. The most well-known of these are Attack/Defense (A/D) challenges. Competitors can earn points for these in two ways: they score by attacking other teams and by preventing teams from attacking them. Attacks may be launched directly against a team, in which case the network data will show evidence of the attack, or in "stealth" for full anonymity, but only half the points. The scoring structure is such that attack points are earned for every team that they score against in a given 5-minute round, and defense points are earned when no team attacks them in a round (where at least one successful attack was launched).
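Returning to the express-fileupload point from the RWDN writeup above, here is an added example (not code from the writeup, nor from express-fileupload itself) showing why a `{}`-backed `req.files` cannot be trusted for key lookups, and how the two fixes the writeup names, a null-prototype container and an application-side middleware that re-homes `req.files` onto `Object.create(null)`, close the gap. The `buildFiles`, `lookupUnsafe`, `lookupSafe` and `nullProtoFilesMiddleware` functions, the sample upload with the numeric form key `1`, and the simulated polluted key `2` are all constructed for this example and are not part of either project.

```javascript
// Added example, not code from the RWDN writeup or from express-fileupload.
// Shows why a `{}`-backed req.files cannot be trusted for key lookups and how
// Object.create(null) (or an own-property check) closes that gap.

// Builds a field-name -> file-info map shaped like what express-fileupload
// puts on req.files. `nullProto` selects the hardened container.
function buildFiles(fields, nullProto) {
  const files = nullProto ? Object.create(null) : {};
  for (const [name, info] of Object.entries(fields)) files[name] = info;
  return files;
}

// Unsafe pattern: a truthy files[name] is taken to mean "the user uploaded it".
function lookupUnsafe(files, name) {
  return files[name] ? files[name] : undefined;
}

// Hardened lookup: only own properties count, whatever the container's prototype.
function lookupSafe(files, name) {
  return Object.prototype.hasOwnProperty.call(files, name) ? files[name] : undefined;
}

// Application-side fix as middleware (assumption: mounted after express-fileupload).
// It re-homes req.files onto a null-prototype object so inherited keys can never
// resolve, while keeping every real upload.
function nullProtoFilesMiddleware(req, res, next) {
  if (req.files && typeof req.files === 'object') {
    const clean = Object.create(null);
    for (const key of Object.keys(req.files)) clean[key] = req.files[key];
    req.files = clean;
  }
  next();
}

// Constructed sample upload with an ordinary numeric form key.
const SAMPLE_FIELDS = { '1': { name: 'report.pdf', size: 1234 } };

// Runs every lookup against both container types. `pollutedKey` simulates a
// key that prototype pollution has placed on Object.prototype; it is added and
// removed here only for the demonstration.
function demo(pollutedKey = '2') {
  const plain = buildFiles(SAMPLE_FIELDS, false);
  const hardened = buildFiles(SAMPLE_FIELDS, true);
  const req = { files: buildFiles(SAMPLE_FIELDS, false) };
  nullProtoFilesMiddleware(req, {}, () => {});

  Object.prototype[pollutedKey] = { name: 'not-really-uploaded' };
  try {
    return {
      plainNumeric: lookupUnsafe(plain, '1') !== undefined,                // true: real upload
      plainBuiltin: lookupUnsafe(plain, 'constructor') !== undefined,      // true: inherited
      plainPolluted: lookupUnsafe(plain, pollutedKey) !== undefined,       // true: leaked
      plainSafe: lookupSafe(plain, pollutedKey) !== undefined,             // false: own-property check
      hardenedNumeric: lookupUnsafe(hardened, '1') !== undefined,          // true
      hardenedBuiltin: lookupUnsafe(hardened, 'constructor') !== undefined, // false
      hardenedPolluted: lookupUnsafe(hardened, pollutedKey) !== undefined, // false
      mwNumeric: lookupUnsafe(req.files, '1') !== undefined,               // true
      mwPolluted: lookupUnsafe(req.files, pollutedKey) !== undefined,      // false
      mwNullProto: Object.getPrototypeOf(req.files) === null,              // true
    };
  } finally {
    delete Object.prototype[pollutedKey];
  }
}

console.log(demo());
```

The point to take away for a code review: a plain object lets both built-in names (`constructor`, `toString`) and any key a prototype-pollution bug has planted resolve through `files[name]`, so a simple truthiness check accepts files that were never uploaded, whereas the null-prototype container (or `hasOwnProperty`) makes the numeric key behave exactly as before and nothing else resolve.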