Open in app

Sign in

Write

Sign in

Faraday CTF at Ekoparty 2018 challenge

Faraday News
Faraday
Published in
3 min readJul 15, 2019

Another year, another ekoparty passed, where we launched a new CTF with some changes with respect to last year’s version (have you read it?).

This time, we decided to leave behind the Jeopardy style and change to another one, similar to ‘HackTheBox’, with real machines containing the challenges.

These machines contain the different flags in a ‘.txt’ format:

— The first flag, which belongs to a normal OS user.
— The second flag, which belongs to the root OS user.

Obviously, the challenges varied with respect to their difficulty, starting from regular web application challenges, to reversing, exploiting and crypto.

The prizes
This time, we were giving out these prizes:

1 — Nintendo Switch
2 — Portable TP-Link router and an Arduino with a Wi-Fi module.
3 — An Arduino with a Wi-Fi module and a T-shirt.

The challenges
We started playing some CTFs this past years and found that the Jeopardy style is not our favorite, so we decided to change it for our CTF. We tried to innovate with something different, implementing a scenario very similar to a pentest, where the objectives were clear:

  • Every challenge will be based on a real world vulnerability.
  • We will deploy different challenges, where users could demonstrate all their skills on web applications, OS security, reversing and crypto.
  • As a way to demonstrate their knowledge and technique to solve each challenge, the users must send us a writeup.
  • Something really important to keep in mind, is that the challenges are unique machines, all users who are participating must erase all trace in order to not facilitate their solution to other people.

The following list shows the name of each machine, with the different challenges on them:

ChallengeSeverityUser VulnerabilityRoot VulnerabilityPICHONAITOREASYFirewall Bypass + File UploadSudo without passwordPOLAKEASYSerialization + Command InjectionProcess hijackingEZEMEDIUMFile Disclosure + SSRFBuffer OverflowMARTAMEDIUMPadding Oracle + LFILinux Wildcard InjectionFRUTISHITAHARDRace Condition + File UploadServer Side Template InjectionSSSHARDBrainfuckBuffer Overflow + Crypto
Teams
This year we had many more teams playing than last year: 45 teams were registered, of which 15 were active.

The first positions were:
- SecSignal
- FzFz
- 3xG

Although, for reasons beyond our control, the following happened:

The FzFz team notified that they could not collect the prize, so they left their position to the next competitor.
Amnesia team, placed 4th (and because of that last fact, now 3rd) did not send us the writeup, so they lost their position and RLTEAM (who was 5th) was now the 3rd (they sent the writeup).

So, with this changes, the winners were:
- SecSignal
- 3xG
- RLTEAM

Finally, we want to thank user ‘L’ who found a bug on our platform and decided to report it without taking advantage of it. We grant him within the CTF, a mention and an extra flag for his attitude.

We are very happy with the CTF we did this year, and want to thank all those who came with questions, played it and/or helped us with the organization. We hope you enjoyed it, as much or more as we did!

We are coming back next year!
Are you?

Faraday Team

https://www.faradaysec.com
https://forum.faradaysec.com/
https://www.faradaysec.com/ideas
https://github.com/infobyte/faraday
https://twitter.com/faradaysec

Ekoparty
English
Faraday

--

--

Faraday News
Faraday

Written by Faraday News

26 Followers
Editor for

Collaborative Penetration Test and Vulnerability Management

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams