Cyberlympics 2018 — Finals

Wherein the team travels to Atlanta to open a padlock without touching it.

Tom
TSS - Trusted Security Services
5 min read · Jan 21, 2019


Recently, our illustrious pentesting leader Jeremy Goldstein wrote of our road to the 2018 Cyberlympics. Although I can’t confess to be the biggest fan of the competition’s name, the prospect of travelling to the US for some good old fashioned face-to-face CTF action had the team champing at the (most significant) bit. We’d be facing off against 13 teams from around the world, comprising representatives from Australia, Europe, Africa, Asia, North America and South America, with the previous year’s winners, Hack.ERS, qualifying automatically to compete as the 13th team.

The team prepares their bodies for the upcoming hack’o’rama.

Our objective was relatively simple: hack everything, acquire arbitrary cyber points, …, profit. Having fortified our spirits the day before with a balanced diet of escape rooms, bouldering and Southern comfort food, we were ready and waiting at 9am to commence the hacks. First curve ball — rather than receiving instructions for connecting to a challenge network, finding problems and submitting flags, we received a box. In our box we found a dossier of network diagrams and building plans, a magazine, a Bluetooth dongle, a UV light and a whole lot of shredded paper. Game on.

Credit should go here to the organisers of the games; the challenges were interesting right out of the box (hah!). We reassembled our shredded paper and found our first “t0k3n” (Cyberlympics speak for “flag”). Scanning the dossier with the UV light, we discovered that one page in particular bore the nigh-invisible marks of a printer machine identification code (MIC). If you haven’t heard about MICs, I highly recommend looking them up. Basically, printers leave steganographic marks on printouts that allow a page to be tied back to the precise printer it came from, including the time and date it was printed! After messing with online MIC decoders, we resorted to manual decoding and at last retrieved the time, date and printer model number associated with the printout — this was the flag.

Tiny dots are embedded on printouts by modern printers. Markings like these were used to trace NSA documents leaked to The Intercept by Reality Winner (http://www.bbc.com/future/story/20170607-why-printers-add-secret-tracking-dots)
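To make the manual decoding step concrete, here is an added example (not code from the post or from TSS) of how a transcribed dot grid turns into a timestamp and serial number. It assumes the 15×8 layout that the EFF published for Xerox DocuColor printers (row 1 and column 1 as parity, rows 2 to 8 as bit values 64 down to 1, column 2 minute, 5 hour, 6 day, 7 month, 8 year, 9 separator, 11 to 14 serial number); that assignment is an assumption here, other printer families encode differently, and a real scan first needs the dots located in the image, which this code does not do. The sample grid and serial number are constructed, not real data.

```python
# Added example: a toy decoder for the printer "yellow dot" machine
# identification code, using the 15x8 grid layout that the EFF published for
# Xerox DocuColor printers. That column/row assignment is an ASSUMPTION here;
# other printer families use different encodings, and a real scan first needs
# the dots located in the image (the UV light only makes them visible).

ROWS, COLS = 8, 15

# Column (1-based) -> field, per the EFF DocuColor guide (assumed layout).
# Columns 3, 4, 10 and 15 are unassigned in that guide and are left empty here.
FIELD_COLUMNS = {
    2: "minute", 5: "hour", 6: "day", 7: "month", 8: "year",
    11: "serial_0", 12: "serial_1", 13: "serial_2", 14: "serial_3",
}
SEPARATOR_COL = 9   # column 9 carries a dot in every data row

# Row 1 is the parity row; rows 2..8 are bit values 64, 32, ..., 1.
ROW_WEIGHTS = {row: 1 << (ROWS - row) for row in range(2, ROWS + 1)}


def empty_grid():
    """1-based [row][col] grid of 0/1; index 0 is unused."""
    return [[0] * (COLS + 1) for _ in range(ROWS + 1)]


def encode(fields):
    """Build a grid from field values (used here only to construct sample input)."""
    grid = empty_grid()
    for col, name in FIELD_COLUMNS.items():
        for row, weight in ROW_WEIGHTS.items():
            grid[row][col] = 1 if fields[name] & weight else 0
    for row in ROW_WEIGHTS:
        grid[row][SEPARATOR_COL] = 1
    # Column 1 makes every data row odd; row 1 then makes every column odd.
    for row in ROW_WEIGHTS:
        grid[row][1] = (sum(grid[row][2:]) + 1) % 2
    for col in range(1, COLS + 1):
        grid[1][col] = (sum(grid[r][col] for r in range(2, ROWS + 1)) + 1) % 2
    return grid


def parity_errors(grid):
    """Return the data rows and columns whose dot count is even (should be odd)."""
    errors = []
    for row in range(2, ROWS + 1):
        if sum(grid[row][1:]) % 2 == 0:
            errors.append("row %d" % row)
    for col in range(1, COLS + 1):
        if sum(grid[r][col] for r in range(1, ROWS + 1)) % 2 == 0:
            errors.append("column %d" % col)
    return errors


def decode(grid):
    """Read the fields out of a grid, refusing grids that fail parity."""
    errors = parity_errors(grid)
    if errors:
        raise ValueError("parity error in " + ", ".join(errors))
    return {name: sum(grid[row][col] * w for row, w in ROW_WEIGHTS.items())
            for col, name in FIELD_COLUMNS.items()}


def describe(fields):
    """Human-readable timestamp and serial (two decimal digits per serial column)."""
    serial = "".join("%02d" % fields["serial_%d" % i] for i in range(4))
    return "20%02d-%02d-%02d %02d:%02d, serial %s" % (
        fields["year"], fields["month"], fields["day"],
        fields["hour"], fields["minute"], serial)


def render(grid):
    """Draw the grid as text: 'o' for a dot, '.' for none."""
    return "\n".join("".join("o" if grid[r][c] else "." for c in range(1, COLS + 1))
                     for r in range(1, ROWS + 1))


def parse(text):
    """Inverse of render(): a text drawing of the dots -> grid."""
    grid = empty_grid()
    for r, line in enumerate(text.strip().splitlines(), start=1):
        for c, ch in enumerate(line.strip(), start=1):
            grid[r][c] = 1 if ch == "o" else 0
    return grid


# Constructed sample: a fictitious print job and serial number, not real data.
SAMPLE_FIELDS = {"minute": 14, "hour": 9, "day": 27, "month": 10, "year": 18,
                 "serial_0": 21, "serial_1": 5, "serial_2": 28, "serial_3": 57}
SAMPLE_DOTS = render(encode(SAMPLE_FIELDS))

if __name__ == "__main__":
    print(SAMPLE_DOTS)
    print(describe(decode(parse(SAMPLE_DOTS))))
```

The parity check is what makes a manual transcription trustworthy: a single dot misread from the UV scan flips both its row and its column to an even count, so `parity_errors` points at the exact cell to re-examine before any date or serial is believed.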

Challenge two saw us attempting to open a Bluetooth padlock armed with a packet capture showing various association and unlock commands. The device addresses in the capture had been nullified, so it was more complex than simply replaying the commands to the lock (not to say we didn’t try that!). To our surprise, only two teams (ourselves and Team Nx) eventually solved this challenge. If the organisers had intended for this to serve as the gateway to the digital challenges, it was too difficult; after about an hour of contending with the padlock, all teams were given access to the rest of the scoreboard.

Once the scoreboard opened, the pace picked up significantly. For the next five hours we ran a gauntlet of binary reverse engineering (which, in classic Cyberlympics style, involved at least one “classic crypto” style challenge), malware forensics, web and network exploitation. To mix things up, the organisers had two unlucky participants from each team compete in a 15-minute lock-picking race. Turns out I’m particularly inept at lock-picking; for this I can only apologise to my teammates, since if I’d made it through a couple of locks, we could have placed second.

Hacky McHackface et al., circa 2018

The rest of the day saw us butting our heads against a wall of ambiguous flags, some of which had to be submitted again and again until we worked out the correct capitalisation, whitespace etc., all while fending off network connectivity gremlins, a sporadic inability to submit flags and the occasional inability to open encrypted challenge archives. We spent several hours tumbling down the rabbit hole of reversing a classic crypto binary only to discover that the “encrypted” string we were trying to crack was ROT-9 and that we just hadn’t spotted it in our initial attempts to brute-force the answer four hours earlier. Such is life. Always check your reasoning and double-check your answers. Although that’s easy to say when you don’t have the pressure of a live CTF to contend with.

At the close of competition, we were left with something of a cliffhanger; the scoreboard wouldn’t be finalised until the next morning and no one knew how many points the Bluetooth lock would be worth, nor whether there were any bonuses for solving the dossier and lock problems first (which had been hinted at). It was with no small amount of relief, then, that we heard our team announced as placing third. Weary, relieved and already eager for a rematch, we took the stage as the first Australian team to place in the Cyberlympics. First and second place couldn’t have been better deserved; Sector C and Team NX were both teams of exceptional calibre and we were proud to share the podium with them.

Nailed it.

After celebratory pancakes, shakes and three pints of coffee, it was time for that glorious 20 hour flight home. RIP lower back. Adios Cyberlympics. Until next time!

T.

p.s. Check out Josh’s blog for a writeup on the DNS covert tunnel challenge!

Tom is a principal penetration tester at TSS specialising in red teaming.

TSS is a specialist cyber security company providing penetration testing, security assurance consulting and managed security services. More information is available at our website https://www.tsscyber.com.au.
