title: SecuRT 2015 Retrospective
author: depierre
published: 2015-03-16
categories: Security
keywords: security, ctf, challenges, securt, tous, pirates


[SecuRT](http://tous-pirates.fr/) third edition took place last Saturday in
[Montbéliard](https://en.wikipedia.org/wiki/Montb%C3%A9liard). It is a special event that tries to raise awareness
about security in computer sciences among students. During the first edition, I participated to their CTF, with
[jvoisin](https://dustri.org/) and [rboissat](https://chroot-me.in/) under the name of
[HackGyver](http://www.hackgyver.fr/), where we finished first!

![SecuRT 2015 CTF](/static/images/securt2k15/event.jpg)

Since last year, we decided to organize the challenges for their competition and last week-end, we provided more than
40 different challenges. Now that the event is over, I wanted to review some details here.

<!---summary-->

I will **only** speak about the part [futex](http://remchp.com/), jvoisin and I contributed to. The fact that the
communication about the event was incomplete, that the website is ugly or that the new name is lame will not be
covered.

# The Bad

### Unsecure Setup

I want to thanks the participants! Because they were nice enough to not break the setup.

We had set up three different virtual machines for the CTF. One for the exploits, one for the web challenges and one
for the scoreboard. It could have been enough for such small competition except that we had some web challenges that
were hazardous.

+ One was a path traversal vulnerability. The objective was to read ``config.php`` in the web directory using [php
  filter](https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/).
+ Another one was to upload a PHP backdoor via a [MIME-type attack](https://pentestlab.wordpress.com/tag/mime-type/).

In both cases, the **students could have read the flags from the other web challenges without even reading the
subjects.**  
We knew that. We did not do anything against that. We sucked.

Next year, we will configure one VM for each hazardous challenge (we will need better hardware though) for better
isolation.

### Broken challenges

**More than 40 different challenges were provided for the CTF**. Truth be told, most of them were written in the past
two weeks.

We spent some times to test each of them and we noted a couple of things to update right before starting for the CTF.
Of course we forgot some of them...

+ With the MIME-type challenge, the challenger should have recovered the source code (available in ``/robots.txt``) in
  order to know how the files were renamed (``md5(date('Y-m-d H:i') . $filename)``). But we forgot to forbid the
  directory listing in the upload directory. The challenger only had to get the list and access his backdoor.
+ For the exploit challenges, we decided to make them easier by adding an unused function that would read the
  ``flag.txt`` file for them. Hence, in order to exploit the binary, you only had to override the ``EIP`` with the
  offset of that function.
+ In one of the challenges, we called the unused function in the main just to be sure that everything was working fine.
  And of course, we forgot to remove it... Therefore the exploit was **run the binary, read the flag** SO hard!

Another aspect that bothered me is that some challenges could be solved using automated tools only. Script kiddies
would have been able to solve some challenges like the SQLi using [sqlmap](http://sqlmap.org/), the Format String one
thanks to [RedSpin](https://www.redspin.com/blog/labs/2009/11/25/automatic-format-string-exploitation/) and others...
But we thought that because the participants are mostly beginners, it would not be a problem. IMO next year, we should
think about that and make it hard for these tools to work.

### Gap between challengers

There was 8 teams that participated to the CTF and **most of them never did anything related to security**. I tried my
best to help the beginners, giving them advices, showing them some tools, being their [rubber
duck](https://en.wikipedia.org/wiki/Rubber_duck_debugging) and some times spoiling a little bit too much :p

I was glad that most of the Web and SQLi challenges were validated but still surprised that the Reverse Engineering
category was not even checked...

![Validation of the challenges](/static/images/securt2k15/challenges_validation.png)

The RE category had the most challenges and some were really simple. I know that the participants most probably never
tried some reverse stuff but come on...

+ The first challenge was the most obvious one that we could have prepared for beginners **run strings and validate**.
  Only 3 teams validated it...
+ The second challenge I think was easy is the Android APK. There was no real difficulty **run dex2jar, use jd-gui,
  rot13 the flag**. Plus, it's not like reversing a ``rot13`` in ASM, this is Java meaning that it is easy to read.
+ In the misc category, the Telnet pcap challenge was validated only 4 times...

### Lame challenges

Last point I want to cover is that some challenges were lame... With more that 40 challenges, it is hard to have each
of them being fun and interesting.

+ A web challenge consisted in bypassing a broken authentication system that was using ``==`` instead of ``===`` when
  comparing the passwords. A couple of days before the event, we decided to reduce the points for the challenge and to
  give the source code but we forgot the last one. It made the challenge a pure **guess and die** not really fun.
+ A misc pcap challenge I thought would be funny was actually pretty lame because of one detail. **When creating a misc
  challenge, avoid using junks.** I thought that without the junk network exchanges, the challenge would have been too
  obvious but in that was a bad idea. Instead, it made it super annoying and nobody focused on it at all...
+ The crypto challenges were sooooo lame... But in our defense, none of us (except jvoisin that was busy with the
  [Boston Key Party](https://dustri.org/b/boston-key-party-2015.html)) are lame with crypto stuff. We still wanted to
  provide some challenges but they were not really interesting, IMO.

# The Good

### Most challenges were validated

To be precise, we provided 44 challenges for this third SecuRT edition. Among them, 32 challenges were validated at
least once, which makes it ~73%!

![Details of the validated challenges](/static/images/securt2k15/details_challenge_validation.png)

As explained earlier, most of the validated challenges were the web and the SQLi ones. Being come the crypto and the
lock-picking ones. As seen last year, the lock-picking ones were really appreciated by the challengers; it is always
fun to have the opportunity to unlock some real locks :)

### Good duration

A few days before the event, we asked to have 7 hours allocated for the CTF instead of 4. With 40 challenges, we really
thought that 4 hours would not be enough and we were right. First we asked for 12 hours but we were afraid to lose the
challengers' focus before the end and we were right again.

IMO 7 hours was almost perfect. On the dark side, we saw a lot of people leaving early but I think that was because
we should have extended the duration way earlier. People already had plans for the evening. On the bright side, most of
the challenges were validated and the ones who stayed said that they had fun.

I hope that next year, we will do what has been said during event, meaning **two days for the SecuRT**:

+ Fist day for the conferences, the open forums, the workshop, etc.
+ Second day for the CTF. 12 hours or 24 hours with the corresponding logistic behind (beds, food, transports).

I am waiting to see what can be done!

### People had fun

Walking around during and after the CTF, I feel that the challengers had fun. I realized that most of them had a hard
time just to validate the first web challenge but with some little help, they felt like pwning some stuff :p

I am quite sure that we indeed raised awareness among them, especially with some challenges seen in the wild not so
long ago. In my opinion, the SecuRT CTF went fine.

# Scoreboard

![SecuRT 2015 Scoreboard](/static/images/securt2k15/securt_2015_scoreboard.png)

+ The two members of HackGyver, kiwhacks and xarkes (not part of the organisation so no cheats here) arrived first so
  good job to them!
+ A **huge GG for the only member of the team RT** to have stayed until the end of the CTF! He was a real beginner but
  never gave up! He is the real winner of the CTF here :)

**Thanks to all participants!** We hope to see you next year for even better challenges! Feel free to stop by the
hackerspace :p