Fuzyll


Hopelessly passionate husband, engineer, hacker, gamer, artist, and tea addict.


DEFCON 25 CTF Finals

This past weekend, I had the pleasure of running the DEFCON 25 CTF Finals with the fine folks at LegitBS! This year was a landmark year for the DEFCON CTF and the last for LegitBS running it, so I wanted to make sure I wrote something down about my experience. It was stressful, but incredible, and I'm extremely happy they asked me to come on board last November.

For those not familiar with the DEFCON CTF, it's more-or-less the Olympics of hacking. It's a capture the flag (CTF) game where each team's "flags" are little text files stored on their own server. These servers are all networked together and teams need to hack into them to steal the flags (which change every round, roughly every 5 minutes). To do this, teams analyze network services given to them by the organizers (that's us!) to find flaws, then write exploits for them.

This year, we ran the entire game on a custom architecture designed by our very own Lightning. She took the last ~2 years to develop a 27-bit (9 bits per byte), middle-endian architecture completely from scratch. We ran all the network services for the game in her emulator (which included a debugger and a disassembler). The architecture itself, cLEMENCy, has now been open-sourced and can be found here.

My role in the CTF was primarily to write one of those network services. This was made easier by Lightning having a modified C compiler that I could leverage to cut down significantly on development time. Unfortunately, in the process of writing my service, I managed to uncover a few bugs along the way including:

  • In her modified version of ncc, using a += statement instead of a ++ statement in a for loop doesn't emit the right assembly.
  • There's a bug in clang's -O3 mode that omitted a necessary check in the cLEMENCy emulator's networking code.
  • There was a bug in the emulator we released to teams the night before the event where 9-byte-aligned (8 9-bit bytes) data would always have 1 byte (an 8-bit byte) of padding added to it before being transmitted over the network.
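The transport detail in that last bullet, as an added example that is not code from the post or from the cLEMENCy project: a packer for 9-bit bytes into 8-bit octets, plus the framing check a poller could run to notice a stray padding octet on an 8-aligned payload. MSB-first bit order is an assumption; the real emulator's framing is not described here.

```python
# Added example, not code from the post or from the cLEMENCy project.
# Packs 9-bit cLEMENCy bytes into 8-bit octets for the wire and checks a
# packet's length the way a poller could, to spot the stray padding octet
# the post describes (8 nine-bit bytes = 72 bits = exactly 9 octets).
# MSB-first bit order is an assumption; the real framing isn't on the page.

def pack_9bit(words):
    """Pack 9-bit values into octets; a trailing partial octet is zero-padded."""
    acc, nbits, out = 0, 0, bytearray()
    for w in words:
        if not 0 <= w < 512:
            raise ValueError("value %r does not fit in 9 bits" % w)
        acc = (acc << 9) | w
        nbits += 9
        while nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
        acc &= (1 << nbits) - 1
    if nbits:  # partial group: pad to the octet boundary
        out.append((acc << (8 - nbits)) & 0xFF)
    return bytes(out)

def unpack_9bit(data, count):
    """Recover `count` 9-bit values; trailing bits (padding) are ignored."""
    acc, nbits, words = 0, 0, []
    for b in data:
        acc = (acc << 8) | b
        nbits += 8
        while nbits >= 9 and len(words) < count:
            nbits -= 9
            words.append((acc >> nbits) & 0x1FF)
            acc &= (1 << nbits) - 1
    if len(words) < count:
        raise ValueError("short packet: %d of %d values" % (len(words), count))
    return words

def expected_wire_len(count):
    """Octets needed for `count` 9-bit bytes: ceil(9 * count / 8)."""
    return (count * 9 + 7) // 8

def check_wire_len(data, count):
    """'ok', 'extra-padding' (one octet too many on an 8-aligned payload,
    the symptom described in the post) or 'bad-length'."""
    expected = expected_wire_len(count)
    if len(data) == expected:
        return "ok"
    if count % 8 == 0 and len(data) == expected + 1:
        return "extra-padding"
    return "bad-length"
```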

My service was supposed to be a custom music tracker. Unfortunately, a combination of floating-point support not making it into the compiler and my own horrible time management (thanks to 3 work trips out-of-state) meant that I only ever finished the front-end. The back-end, which was supposed to do all the signal processing using fixed-point math (my workaround to let me still use the compiler), never got finished. Fortunately, the challenge still worked and was solvable. Success!

In addition to writing the service, I also had to write a poller for it. This is a script that will exercise logic in the service to ensure teams are running it and not patching out functionality to avoid being vulnerable. I ran into an allocator bug while doing this (that, fortunately, was already being looked at by Lightning, HJ, and Sirgoon) as well as some bugs of my own. In fact, I almost wasn't able to field the service at all since it took me so long. I did manage to get everything completely stable sometime on Saturday, though.

In amongst making sure my service was working, I was also partly in charge of the entertainment while Hoju was busy fixing some of our visuals or dealing with questions from players. If you're interested in any of the songs we played during the event, he has made Spotify playlists available here (Friday) and here (Saturday). I'm responsible for most of the Drum 'n' Bass stuff on Saturday - let me know if you'd like more suggestions!

If you were a participant, I hope you enjoyed the CTF! If you weren't, make sure to check out our complete data set (including scoring database and challenge services) here. Let us know if anything seems out-of-place.