
Okay, hi everyone, both here and at home, and thank you very much for all the time and effort you spend to stay with us throughout the day. So today I want to talk about the CTF that we've had earlier this week. We've set the CTF for Sunday and Monday for a very specific reason: unlike previous years, we've decided to make the CTF more global and more appealing in our online community, which we are all experiencing today due to the COVID-19 crisis. This crisis affects everyone. Everybody's life is changed, my own life has changed, and it touches everyone: it touched members of the CTF team, it touched members of the family, so everybody knows someone who was
affected by COVID in one way or another. On the other hand, a lot of people are staying home, which allowed them an opportunity to participate in the CTF, and we reached some pretty amazing results this year. First and foremost, I want to thank our very wonderful sponsors, Hack The Box, the Hack The Box company that provided us with the CTF sponsorship. And while they're not very well known here in this world, I did want to present some numbers to help people get more familiar with them. They're a platform that helps people measure up their security skills, play around with different kinds of CTFs, challenges and boxes, and overall a very fun experience if you're into that sort
of thing, and being the organizer of the CTF, I am, and I can recommend everyone else try them out. So usually I start the CTF talk with some statistics to give us a sense of how our CTF went this year. In previous years we had roughly 130 users playing the CTF, with around 40 to, 20 to 40 active teams. We grew over time, but this year really blew us out, both by the capacity of the team to create interesting challenges but also by the number of users that were actually there. We had 20 challenges, 20 interesting challenges spanning different kinds of domains, from cryptography to forensics to web application security to doing web
assembly and other types of challenges. We had an enormous amount of users: over 5000 IP addresses, translating into 1367 registered users to our web, to our competition. Obviously users compete in teams, but even here 793 teams registered to the CTF, and the statistic which I find most compelling is that 125 people solved at least, teams more specifically, solved at least one challenge, and that means that at least 125 teams were engaged in our CTF, trying to work through our challenges. They only had 48 hours to do so. Another thing that was pretty amazing was the distribution of people: where did people connect to our services to play at the CTF? I ran under the assumption that most people will
come from Israel, because BSides Tel Aviv is obviously a local event. However, as you can see from this nice graphic, that's not true: we had people from all over the world competing in our CTF. The most amazing part was that Israel wasn't even number one; it's number four, preceded by United Kingdom, United States, Singapore, and then by Netherlands, Oman, France, Japan, Italy and South Korea, and translating to over 1300 people connecting to our CTF from 5000 different IP addresses. Amazing. We provided one or several of the challenges as downloaded, local offline challenges for you, and we've seen two point and terabyte of data downloaded from our servers, exactly, and this is all ruies fault. So next time
when were you tells you, no, I just said, I just need an S3 link to upload a couple of challenges, it would be fine, don't believe him. More than that, we had around 30 percent correct solves, which is also very interesting to me, because one of the most interesting things about these correct solves is obviously answers which are wrong, and we'll get back to that later. Unlike previous years, we had two challenges that remain unsolved, which is why we keep the CTF running right now and all the way through Sunday, to give people the opportunity to keep trying against these unsolved challenges. The two challenges are jailbreak and capella, and we will
get back to them as well. So like every CTF year, a lot of funny things happen throughout the CTF, even though it was limited only to two days and not two weeks like previous years. The first thing that I want to share is that, I think a day before the launch of the CTF, which means to be somewhere on the night between Friday and Saturday, a tommy'll site and a couple of other people decided that we want to make a last-minute challenge, and they did something hilarious, which was an interpreter based on emojis. So in order to solve the challenge you had to understand how the code was written, how it was translated into emojis, and to
solve the challenge itself, providing an online interpreter to try out your code. They finished that challenge at 5:30 a.m. on Saturday morning and we launched on Sunday. For those who are not reading Hebrew, I will try to translate some of the notes and messages that we received throughout the CTF. Some of them are from very busy people who were somewhat fazed by the hardness of the challenges and offering their opinions about everyone's personal hygiene, parenthood and other issues. Their health has come up several times in these messages, or lack of health, from what's left from trying these challenges 48 hours straight. And also we got a lot of interesting submissions of flags, such as do you have
a heart, or I cannot get /, where people really, you could see the desperation in their attempts, trying any kind of length flag to make it work. I think that this was the most amusing one: that "you need to enable JavaScript to run this app" was used as a flag in one of our challenges. Obviously it was incorrect. Another amusing thing, at least in my opinion, was that we were reached out to because of one of the overly sized challenges, that it's a bit unfair that you can't really do those challenges over a mobile connection, and when we tried to understand why, well, it's because it's over 5 gigabyte in size. And my opinion here is not that five gigabyte is a bit
much, but who does a CTF over a mobile connection? That sounds absolutely insane to me. More than that, some people were misled by our false flags and false breadcrumbs along the way, and they found themselves spending hours solving the wrong thing while they already had the correct solution when they started out. Again, quality trolling. One of the challenges, one of the more interesting challenges, was actually based on a sort of zero day: the emoji challenge which I mentioned earlier had an issue with the socket, and once the CTF was over, Tomer, one of the designers of the challenge, actually submitted the pull request to fix that issue, where he also found that beer actually
is the solution to everything, because it makes the exception handling misfire. Another thing was that we got a lot of compliments, like "there's a special place in hell for the person that made the target." That's probably true, and our S3 bucket also thinks the same person. Also, we actually had someone that was able to solve jailbreak past the CTF deadline, and that's pretty amazing, and everybody thought that was a really good experience. In jailbreak you had to free a Groucho Marx out of prison. The interesting thing about that challenge was that it was based on an unknown known vulnerability, that is, if you actually read the documentation for AWS Cognito, you would know that these kind of
shenanigans were possible. Obviously nobody really reads the documentation, therefore they didn't know that such bypass was possible. So in the modes levees challenge you had to break Groucho Marx out of prison by using a vulnerability in AWS Cognito. We had amazing graphics this year, also an upgrade from previous years. I would like to thank Vela for providing us with his wonderful graphics. And also a funny story: one of the CTF members had a dream that at the end of the CTF people came to his and the other people who wrote that challenge and burned down the houses, and then the guy that burned down their houses was sent to prison. He yelled at them, at the camera, and says hahaha, now I
will be broken out of prison, cloud cloud they tell me, and scene. So we thought that was a pretty funny thing to share. And then someone, I will not name names, actually went ahead and created a nice clip based on the very famous Hitler losing his bananas, about the CTF challenge and how unsolvable it is. Again, that was pretty funny. So I would like to, first and foremost, before anything else, thank the CTF team. So a lot of good people helped and worked on these 20 challenges; we actually had more in the pipeline but we didn't use them. And that is La Vie new mode Ezra Tamil guy back missile multi yaha Oh Mel the route out of Daniel Vella and
Joey. So thank all of you, clapping please. So just to skim through a couple of the people who wrote the challenges: so we had any more than Otto on jailbreak, we had an important Tommy on vampires and can you bite us up too, we had Mike mihail Tommy and our two own emoji, what an important reaction web proxy and web proxy nightmare, we had Tommy on bases 32 and docker manager, Tommy and Danielle on buglar, a tamil and villa on certified app, and Vera and Yvonne back to the 90s. A small note: this was a very funny snake game that you had to disassemble the web assembly behind it to solve the challenge. Very funny.
We had a guy writing capella, myself doing crypto stream for en la vie doing ego hostel more with less check yourself so you won't wreck yourself and the target, and finally my me file with snap a stand snake face. And with that I'd like to go ahead and announce our winners. Stand by, we are waiting for the first place; people are rushing for the trophy. First and foremost, third place: Houston we got pond, with two hundred and nine twenty nine hundred points. So I asked all of the team to send us some pictures of them doing the challenges and sharing some funny things that happened while they were doing the challenges, and they told us that they had a lot of
mishaps and all of things that they missed, in their internal WhatsApp groups while they were solving this, and I think that pretty much speaks for itself, so I'll keep it a moment on screen so you can all see and observe. Their prize is one hundred and fifty US dollars and five Hack The Box vouchers for three months. And now, second place: we class a, forty one hundred and fifty points. And I asked them to share their images; they said it's a bit outdated but that's what they use. I will not disagree. Again, they had a lot of issues trying to solve these challenges, but they solved all of those challenges to actually get to 40 50 points. They get three hundred
dollars and five Hack The Box vouchers valid for six months. And finally, our winners. Everybody can see our outrageously exaggerated trophy, and when I envisioned that trophy originally, my only requirement was that it would be so large and ludicrous that when people send me pictures from their cubicle with that standing, it will actually overshadow their cubicle. However, this year that probably won't happen, so I want to see, this is a traveling trophy, in everybody's homes, so we can see who actually put it where. So the JTTF team, winners of the first place with 4,500 points, and the city a CTF team actually worked very, very hard, very diligently, both on the challenges themselves as well as
doing information campaigns against CTF writers, somewhat unsuccessfully, but much trolling ensued. Buglar caused a lot of desperation among the teams, and that was actually pretty funny to watch. And their prize is four hundred and fifty US dollars and five Hack The Box vouchers valid for 12 months. And with that I want to thank everyone who was involved with making this a great CTF event: our CTF sponsor, Hack The Box; our CTF writing team; the infrastructure people behind the backs actually making this happen and scale from the expected amount of 300 users to almost 1500 users; and Amazon, for providing us with so much bandwidth for so much money. So thank you everyone, and keep it up.