Microcorruption Embedded CTF

January 18, 2014 by Eric Evenchick 14 Comments

The folks at Matasano Security and Square have teamed up to build an online capture the flag (CTF) competition. The Microcorruption CTF focuses on embedded security and challenges players to reverse engineer a fictional “Lockitall LockIT Pro” lock system.

Each level places you in a debugging environment with a disassembly listing, live memory view, register view, and debugging console. You can set breakpoints, step through code, and modify registers like in a real debugging environment. Your goal is to figure out how to bypass the lock to collect bearer bonds.

While the device and motive may be fictional, the assembly is actual MSP430 code. The debugger is similar to GDB connected to a remote target using OpenOCD. There’s even a manual (PDF) to help you get up to speed with writing MSP430 code for the device.

This CTF looks like a great introduction to embedded security, and doesn’t require buying real hardware. It even includes a full tutorial to get you started.

Binary Reversing Comic

July 14, 2009 by Zach Banks 26 Comments

b300

Last month, in preparation for Defcon 17, the qualifiers were held for capture the flag, one of Defcon’s most well known events. One participant, [mongii], did a writeup on how to solve problem B300. The challenge was to find the decryption key used by a program that had several twists that hindered debugging. After grappling with self-modifying code and junk instructions, the team was finally able to find the answer. This win helped Sapheads place in the top 10. Over at xchng.info, they are collecting solutions to the other problems. Sadly, they’re not all in comic form.

Defcon Calls For New CTF Organizer

January 14, 2009 by Strom Carlson 6 Comments

Kenshoto, organizer of the official Defcon Capture the Flag contest for the last four years, has stepped down from the position, and thus Defcon is looking for a new organizer for the event. If you’re highly competent, and maybe a little crazy, this might be your chance to step in and run one of the most well-known and prestigious hacking contests in the world. Please understand that the staff is looking for someone who wants to take ownership of the contest and make something new, unique, and challenging, and that Kenshoto has left extremely huge shoes to fill. Merely offering to replicate the existing contest and keep things mostly unchanged isn’t going to cut it.

If you’re up to the challenge, check out Dark Tangent’s post on the Defcon forums (which, for some odd reason, sounds strikingly like his 2005 post calling for a CTF organizer), where he comprehensively lays out what the staff is looking for in a new event organizer. If it jives well with you, get in touch with the Defcon staff, and maybe we’ll be covering your contest later this year.

25C3: CTF Dominated By Iphone-dev Team, HackMii

December 30, 2008 by Eliot 4 Comments

25c3ctf

While we had been excited about 25C3’s CTF competition, we couldn’t even venture a guess as to who would win. It seems the iphone-dev team weren’t satisfied to just give an amazing talk. They teamed up with the Wii hackers from HackMii to win the competition. You can see their progress during the eight hour competition above in red. It’s impressive to see hardware hackers jumping over to network security AND completely killing at it.

25C3 International Capture The Flag

December 23, 2008 by Eliot 5 Comments

Capture the Flag (CTF) is a long running tradition at hacker conventions. It pits teams of security researchers against each other on the same network. Every team gets an identical virtual machine image. The VM has a set of custom written services that are known to be vulnerable. The teams work to secure their image while simultaneously exploiting services on the machines of other teams. A scoring server monitors the match as it progresses and awards points to teams for keeping their services up and also for stealing data from their competitors.

The Chaos Communication Congress in Berlin December 27-30, 2008 will host a CTF competition. Most CTF matches are done head to head in the same room. While 25C3 will have local teams, it will also be wide open for international teams to compete remotely. Remote teams will host their own images on a VPN with the other competitors. Now is a good time to register and familiarize yourself with the scoring system. It will certainly be interesting to see how this competition plays out now that teams that can’t make the trip can still compete.

DefCon CTF Qualifier Results

June 2, 2008 by Eliot No comments

Kenshoto held qualifiers for the DefCon‘s Capture the Flag competition last weekend. The top seven finishers: Routards, Pandas with Gambas, Guard@MyLan0, Shellphish, Taekwon-V, WOWHACKER, PLUS, and last year’s winners, 1@stPlace, will be invited to participate in the final this August in Las Vegas.

The qualification started Friday night at 10PM EDT with an email (Subject: M0rt4g3 y0ur /14gr4 up 2 3 1nch3$) being sent to all 451 registered teams. Connecting to the game server displayed a Jeopardy style score board. The five available categories were Binary Leetness, Forensics, Real World, Potent Pwnables, and Trivia, with point values from 100 to 500. Only one question was opened to start. The first team to answer that was allowed to select the next question to open and then any team could try to answer it. Participants were warned about the difficulty of the 500 level questions and the entire Real World category. At the end of everything, four questions still remained locked at the end.

If you’re interested in what type of questions the contest had, check out the write up on NOPSR.US, which has all the files and solutions. Non-qualifiers can still participate in DC949’s OpenCTF.

DefCon CTF 2008 Qualifier

May 14, 2008 by Eliot 1 Comment

Kenshoto is back again to run the Capture the Flag competition at DefCon. CTF is a multiteam competition featuring creative attack and defense of servers and lasts the entirety of DefCon. Unreleased exploits are often seen during the competition. As in previous years, Kenshoto will be narrowing the field with a qualification round. Quals will start the evening of May 30th and run for 48 hours. NOPS-R-US has a solution guide for the previous two years so you can get some idea of what you’re getting yourself into. They’ve even got a couple write ups for last year’s final. The competition should prove entertaining even if you don’t make the final cut.

[via Midnight Research Lab]