How we prepared the qualification stage of CTFZone-2020

November 30 – December 1 passed the qualification stage of the CTFZone tournament, which registered 1043 teams from around the world. According to our data, problems were solved even in Zimbabwe (26 unique IPs). Digging deeper, it was a university team from the city of Bulawayo.

This year CTFZone became the qualifying stage of the DEF CON CTF, so the team that wins the final (it will be held at OFFZONE April 16-17, 2020) will go to the tournament in Las Vegas. In order for the lucky ones to have time to get visas, the conference dates were even moved to an earlier date.

DEF CON CTF is the oldest and most reputable security competition for many teams. The winners are not given a palm branch, but even without it everything is going well. Now in the world there are only 6 tournaments through which you can qualify for the DEF CON CTF.

Geography of participants CTFZone

About the concept

In the international CTF movement, it so happened that teams from different regions specialize in certain areas. For example, historically, Russians are better at solving the web, while Asian and American teams are stronger at PWN. On the same DEF CON, almost all tasks are binaries. Perhaps that is why recently American and Asian teams have performed better there. We at CTFZone are trying to show that CTF is not only PWN, but also many other interesting categories: web, cryptography, reverse, OSINT, forensics, PPC.


In the tasks on the web, the authors – during working hours, penetration testing experts – tried to transfer vulnerabilities from real projects. For example, in task Web shop The popular library python-markdown2 was used, where our expert a few weeks before the competition found a zero-day vulnerability to bypass the XSS filter. During the CTF, however, each of the four deciding teams found its own version of this vulnerability, which makes us think about the quality of filtering in the library.

For assignment Web card We used the zero-day vulnerability in the standard Java XML validation class. It was discovered when testing a real Web Application Firewall, so we invited participants to bypass WAF, which we developed specifically for the task. The detailed version of the wrightup will be later.

Well, task Emeraldrush showed how over the past year GitLab and Github have become similar – the Ruby vulnerabilities on which they are both written. One of them is based on CVE-2018-18649 (there is, however, no open access exploit for it), the second is recently discovered and published on the HackerOne platform (for a description, see the article). Of course, the developers were notified of both these and all other web vulnerabilities before the competition, in accordance with the principles of Responsible Disclosure.


In turn, the cryptotask development team took as a basis not only the bugs constantly encountered in CTF related to RSA implementation, but also the sensational attacks of recent years. For example, in the task OCB2 it was necessary to deal with the attack on the symmetric encryption system of the same name, for the discovery of which the Crypto conference was given the Best Paper Award.

And in task NTRU it was necessary to study the attack on an asymmetric system on lattices. This incident was described back in September, but finding and reading the relevant article was not enough. The author of the problem himself encountered problems when it turned out that the publication took the most convenient case for description, which did not work with the parameters selected in the final task. I had to redo the algorithm! Interestingly, one of the participants (Alexei Udovenko from the LC / BC team) solved the problem without an article, having come up with a slightly different solution method, built on the same principle.


Well, the most tricky category on our CTF was forensics. Everyone is used to thinking that such tasks are solved using three utilities: foremost, volatility and strings. But we had different tasks – for example, an unusual task In-the-shadows, for the solution of which it was necessary to deal with the technique described here. Details will also be released at the district committee later.

About training

Direct preparation for CTFZone qualification consisted of several main stages (gathering a project team, developing tasks, testing and deploying infrastructure, launching a rocket into space) and many auxiliary ones (searching for inspiration, establishing communication, tormenting and doubting, depression, overcoming the existential crisis).

Three months before the start of the general meeting, the dates were chosen – December 7 and 8. The team came to the conclusion that nothing would have time, but still got down to business. And seven days later, these unrealistic deadlines were shifted a week earlier, as the selected dates and all the following have already taken other CTFs. All that remained was to smile, grit your teeth and work with tripled energy. There was no turning back; development of the startanul.

As a result, the task was more than usual – 30 pieces. Each task is unique, but does not live long: 3 months of preparation and only 36 hours of flight. But what! The leading CTF’s of the world will touch the buttons that you carefully painted on the front end – they will immerse themselves in your idea and give you a personal feedback. This is a great experience and an opportunity to talk about your work with a large community. After all, often with the vulnerabilities that are laid in the tasks, some kind of story is connected. Some tasks were so tough that no one could figure them out. By the end of the qualification of unresolved problems, two remained: Popular forensic and Web card.

About infrastructure

The organization of the tournament infrastructure could be approached in different ways. For example, in the old fashioned way, cut virtual machines for task developers and give them access there. In this situation, each developer becomes a satisfied administrator of the localhost, everything works as he wants, and it remains only to provide network connectivity. It is clear, however, that there is no talk of any replication and fault tolerance in this case. The one responsible for our infrastructure just failed one of the CTFs at ZeroNights in 2016, and this time, taught by bitter experience, decided to do things differently.

We decided for a long time where we will live, and in the end we decided to turn around in the cloud. The reasons are clear: competitions for hackers, so it’s better to break Google, and there were already ready-made developments in the zashnik. The main tool for creating the platform was Terraform, which allows you to describe the infrastructure in the form of code in a declarative format, and takes care of all the other gestures. That is, for example, you do not need to think about how to go to the Google API and tell him how many and which virtual machines you want to deploy.
It was also necessary to decide how to launch tasks. We were very lucky that all the developers were already able to write tasks in Docker. This is such a hype containerizer that allows you to pack a service with all the dependencies in an isolated environment that does not change between restarts. There are not many ways to work with Docker: these are mainly orchestrators like Compose and k8s. To do everything beautifully, that is, to implement Wishlist with balancing, cues, fault tolerance and other enterprises, the choice of the orchestra was obvious – Kubernetes.

Here, however, there was some misunderstanding between the creator of the infrastructure and the developers. Pentesters are a special caste of the IT world: they are partly like administrators, networkers, and know how to database, and are oriented in programming. In general, not people, but Swiss knives. They are extremely extraordinary and ambitious, but, unfortunately, when it was decided to write Helm for each task, I somehow forgot that pentesters are still not professional admins. This led to a small war, during which it was necessary to explain why certain decisions are forcibly taken and restrictions are set.

The guys had no experience writing Helm, but they all knew how to write Compose. You yourself understand that between the local Compose and the Helm-chart there is a gap in a few weeks or even months of studying the material. This was the first bell that hinted that there were some problems (where would CTF be without them, especially when the team and admin are new almost every time).

Due to lack of time, it was not possible to automate everything – some things had to be passed on to the shoulders of the developers themselves. Pentesters had to sit in meetings, where they were told how to write helms, while they themselves, apparently, cursed this devoepsation on what the light stands. But, in spite of everything, we succeeded – all the tasks were described and packaged in Helm charts, monitoring was configured in the form of Grafana and Prometheus. The moment of truth has arrived.

And here, to everyone's relief, it turned out that the resulting infrastructure is very easy to manage. When everything was described and deployed on Google, we conducted a briefing for those on duty. There were ten of them, and everyone did a great job: they lifted the fallen, collected and rolled out the corrected version into a cube.

About the finalists

As a result, 10 star teams were selected for the finals. Why stellar? The fact is that 6 out of 10 teams are in the top ten world championships at CTFtime, and the other four are a little behind the top ten, but also in the top.

The main feature of the tournament was that the most fierce struggle was not for a place in the first three, but for the tenth line. It was important for the participants to get into the finals, and there the situation will be reset to zero, and the distribution of seats that we have based on the results of the qualifying competitions can change a lot.

CTFZone 2019 Quals Finalists Final Standings

What's next?

Further it will be possible to exhale a little, then to take a deep breath again and begin preparations for the final. It will be held in Attack / Defense format, and this is a completely different story. Someone may ask: why is this all? The question is good, but there is probably no logical answer to it. It’s just that if at least for 5 seconds you can really get high on what is happening, feel alive and see which team you are a part of, then it’s not in vain!

Similar Posts

Leave a Reply