
Okay everyone, please take a seat. I want to take this time as an opportunity to tell you a bit about our capture the flag event, which concluded this last Friday. Okay, so unlike many other CTF events, our CTF, our BSides Tel Aviv CTF, is a bit different. We aim to host a CTF that is fully community-wide in scale, but we would like to give an opportunity to everybody to take part and participate in the game. So when we plan the game, when we plan the CTF, we try to have a variety of challenges befitting many different skill levels. We know, we expect, that only the best of the best
would reach the end, the final stages of the CTF. However, our greatest metric to understand the success of our CTF is how many people actually succeeded in solving the easier parts of our CTF. So we designed about, not about, specifically 29 different challenges, and some of these challenges were pretty different and unique this year, and I'll mention them in a bit. First, I would like to say thank you, and a big round of applause for our CTF team. Please join me here on stage, CTF team. Yes, you guys, CTF team. So our CTF team really put long hours, long nights into developing the most vicious, the most hateful, the most
unbearably unimaginable challenges to make the life of everybody as bitter as they can, and from the experience of people who shared it, as you can go into the center of the screen so everybody can take a picture of you, and you'll be as embarrassed as possible. Please, embarrassment this way. Okay, a big round of applause.
So these are the guys and girls who actually made everything happen. They invested their time, their effort, their energy, their tears, the blood into making those challenges, those great challenges that you had the chance to play. So thank you again, and now, continue. So we had an amazing CTF this year, and I, well, I'm a bit biased, but I still think it was an amazing CTF this year. We had over 300 different teams participating in the game, and we did something a bit differently this year, which I would like to explain. Yeah, we didn't limit the number of players on each team, but we wanted to encourage people to play as a team in order to share knowledge, share
information and create a more cohesive group of players among themselves. So we had teams as large as 12 or 14 different people on the same team, but we also had teams of one person. So all of them are considered teams, and all of them played, and they played very, very well. We had 29 challenges, and we structured it in a way that the CTF lasted 10 days, and in those 10 days 19 challenges were released, and they were all open to play at the same time. So the logic behind that was that you get nine days, not ten, nine days, to play all of the different, the 19 challenges, so when you get to
the final day, the top three teams, the top three teams that scored the most, will get access to a very special challenge that we designed called Magic Kingdom. And Magic Kingdom was a bit different. In the world of CTFs, usually in a CTF you get a challenge which is kind of like a riddle: there is a specific thing to answer, a specific riddle to answer to, and the solution to that riddle will get you the points. So in Magic Kingdom we did something a bit different. We hosted three different live Azure environments, including Active Directory and many other servers, with a jump box with credentials for the specific three teams, so they could go inside that live
environment and [inaudible] at that live environment using whatever tools, whatever they deem necessary, in order to make that happen. And this is a bit different because we didn't give them any preconditions or any ideas where the flags are going to be hidden. They had to explore the network to find the servers, to find the vulnerabilities on those servers, kind of like in a red team exercise, and then exploit them as best they can in order to reach those flags. So 19 were ordinary, well, kind of like ordinary CTF events, but the Magic Kingdom had ten different flags in a hugely weird environment that most serious players are not used to. We really took them out of their comfort
zone. We had a couple of unique challenges, and when I say unique, I mean that in most CTFs that you will participate in or read about, you will not find this kind of managed challenges. So before we, and I'll give you some more information about that, our ratio: we had a lot of discussions into how many points to give to what kind of challenges, how to differentiate between the challenges, how to make sure that the easy ones are easy and the hard ones are hard, and in the end we came up with this ratio: if we hear that they cried, and they cried a lot, that means it deserves a lot of points, and if it was easy and
no tears were involved, well, it's only a hundred points, nobody cares. So most of our challenges had a high score, a high score point, because of this, because it caused a lot of tears, a lot of sleepless nights, and we're not sorry. The first unique challenge that I want to mention here is blockchain. So we had a challenge that is focused on hacking blockchain, hacking Ethereum, in order to find a race condition, just like the hacks that were in the news relatively recently. So that was quite a unique challenge; you don't see that very commonly. Thank you very much, Nimrod, for this awesome challenge.
We also had an amazing challenge made by Rory here, where in order to get the flag you had to capture a file, you had to dismantle it, decode it from whatever it was encoded with, and in the end you get a file, and then you had to 3D print the file in order to get the object, and on the object you would find the flag. So it was absolutely awesome and crazy. Also special thanks to Guy, who could not be here with us today, not me, Guy B, and a different Guy B. And here we actually had a challenge that was based on a zero-day that he found, which is always awesome, to give people a challenge
on something nobody ever heard of or nobody ever found. So this Lua challenge, the Lua-based challenge, was about issues in the Lua parser that you had to exploit, and I believe that a lot of people, let's call it, had a lot of fun with the parser set of challenges. So a round of applause for Guy; he will see it on the recording later. Okay, so here's a brief review of our challenges. I'm not going to go over them one by one, but we had a very large variety. We had a specific challenge around the hacking DOS 3.1 was a tonal three-point-three environment, which you don't really see quite often today. We had a translation, it was called a secret
service, a necessary issue in a translation service. Where's Daniel? Daniel over there, an awesome challenge that really got a lot of groups hung up for a while until they understood what the point was. And this is a specific challenge as was challenged I want to say something a bit about. So the some stuff is important challenge was conceived to be a relatively easy challenge, and in the initial discussions we wanted to give it a hundred points. However, when people actually attempted to solve the challenge, we found that no one was able to solve it, and then only one or two were able to solve it, and then we had like five solves, six solves.
So the idea behind this challenge was that you need to enumerate all of the different cipher suites in the SSL server that was part of the challenge. However, if you use the wrong tool, or if you actually didn't enumerate all of the possibilities, you only get part of the flags, which caused a lot of frustration to many, many teams. So thank you, Ezra, for an awesome challenge. And we had a very nice challenge by the mode called Buchman. I'm going to refer to it later, please keep that in mind. I want to say something about my challenge, Faiza there at the top. That was an interesting challenge. It came up from an idea from a different conference called
BlueHat that was earlier this year, and one of the talks there that talked about how would you go and break something where all you have in the API is the way to read hashed pieces of memory; you can't really read, access the memory itself. So the vulnerability that they discussed was that you could read memory with an arbitrary length, so once you understood that, you can build a lookup table and solve the entire challenge. So I really loved the idea, I really loved the concept, I love the work that they've done, so I built a challenge around that, and that was a lot of fun, and everybody that didn't attend BlueHat and never
heard of this found this challenge to be a bit formidable, so my apologies. Okay, the challenges themselves. This very nice screen was one of the captures that some of the teams sent us, where they found a vulnerability in our server. That's always nice to know when you're running a live competition, that your servers are vulnerable. But also we had a lot of communication with different teams where they had issues with connecting, issues with understanding, issues with actually conceiving who they should contact and where they should do this, but also where they only solved part of the challenge and they weren't sure if they solved everything or just part of it. But also we had some repeated messages with
different groups, which I will not name, where six, I think, different members of the CTF team got the same kind of messages asking: something might be wrong, please check again what you're doing, are you sure something is wrong and isn't wrong, please check again what you're doing. So in the end it was still solvable the way it is, but there, and we did find an issue with that challenge, and we issued the fix with dust attack, we issued the fix to clarify some issue around which emulator we use. I'll skip ahead because I'm running a bit out of time, though there are a lot of funny things happening in the background. So here you
can see one of the teams that used the emulation software in order to understand the 3D printed flag. So the resolution that they got was not high enough in order to read the flag, so they asked for a recommendation on an emulation software to solve the challenge. So that was actually pretty funny. This is a different story, which was pretty funny, around the challenge called Buckman. So in Pac-Man we actually had a game called Buckman live on the server, and we got a message from one of the teams that he was playing for over an hour and he can't reach the level up challenge, he can't reach that level in the game. And I
will freely translate for you: "I'm inside the game, it's been over an hour, I've been trying to reach level up, I don't understand what I'm missing, can I get like the smallest hint possible?" So as you can see, we were laughing pretty hard and said no, you're not supposed to play the game, solve the challenge. That was funny. Okay, and now for the winners. First of all, before we begin, again this year an honorable mention: Adam Donenfeld. And here I would like to move over for a small message that he prepared for us.
Everyone, sorry for not turning up this year, currently in Korea. I'm kind of disappointed about myself for not being a little bit more prepared for the Magic Kingdom series. It wasn't really easy to do that.

And now for the winners. Third place: Ernst & Young. Please send a representative to the stage so we can mock him all together. EY! [Applause] So EY had a very large team, and they ruled the game up to, I think, the eighth day, and then other teams passing by. On
the other hand, they did awesome challenges and it's almost everything on the first day, so hurray to them. Thank you. Second place: JCPS. [Music] [Applause] So JC TF is one of the most awesome teams, also many Intel representatives there, are also hiring. Thank you to the JCPS team, also a very, very strong group. Thank you. Okay, first place: done. Okay, done here won first place, which means that he gets a very special portion of embarrassment for him. First of all, thank you very much, done, for single-handedly beating everybody else. So first of all, first place, you win a Switch, but the most important thing, you win the BSides Cup.
Thank you, you were above awesome. Thank you. And with that I'm wrapping up. Everybody, thank you for playing. Come join us next year, either as challenge writers or challenge players. Thank you.