While the planned CTF at the hack.lu this year did not take place, HackerJoe had a nice surprise for everyone when he announced on Saturday that he spontaneously set up a CTF. Actually, it rather was a wargame consisting of 7 stages, with the one completing stage 7 first being the winner. We of course participated as one of 8 teams and we used the time until the speakers dinner to complete the introduction stage and most of the first stage.
After the dinner we finished the first and second stages, leading to an account that upon login changed the terminal background to black and displayed the flag. We then rather quickly found that before that a base64-encoded FreeBSD executable was displayed black on black and the terminal was cleared and the scrollback erased.
There the fun began: it took us a bit to get a pfSense image one of us had running in a VM and the file transferred to it. Having all we’d need at first, we went off to our hostel. While 2 of us went to bed, Claus and I went on to reverse engineer the executable, finding out the protocol it expects to communicate with and finding a buffer overflow in it. At that point, at about 2:30 AM, eager to verify our findings, we decided to go back to the conference and continue hacking.
When we arrived, team “bisounours” was the only other team still there and soon after our arrival they completed stage 3. We were able to confirm our findings, found the executable to be reachable on port 666 of the game server and got to the buffer overflow. But as we had no FreeBSD shell code handy and there was no internet connectivity anymore, we were not able to proceed and decided to at least sleep 3 hours this night. :)
When we came back to the conference in the morning, it turned out that team “bisounours” had been hacking all night and meanwhile was on top of the scoreboard, shown as having completed stage 7 at an obviously tampered-with time. It later turned out that they indeed found a way to bypass stages, which was then fixed.
We grabbed the needed shell code and continued working on stage 3, completing it in the morning. We then found a local root exploit and by this another way to bypass further stages, thus finishing second.
With the scoreboard being sorted by time of completion, and the time of team “bisounours” being obviously faked, we at first planned to tweak our time also a bit, but during the lunch break I had the idea that we could as well add another new 8th stage and have only us complete it. :)
So after lunch we tweaked the scoreboard database and script a bit to achieve this: hacklu2006_score.html
After this some other lower scoring team unfortunately started vandalizing the gameserver.
Nonetheless the wargame was great fun, a big thank you to HackerJoe for running it, and congratulations to the winning team “bisounours”.