nopcode

Projects

+ acr
+ activewall
+ wistumbler2
+ mksend
+ rss2html
+ youterm
+ 0xFFFF
+ radare
+ gdvb
+ pvc
+ mesure
+ screws
> exploits

Rss2

: 20070821

Hosts

www.nopcode.org
radare.nopcode.org
cvs.nopcode.org
news.nopcode.org
blogs.nopcode.org
git.nopcode.org
pvc.nopcode.org

Blogs

+ brainstorm
+ pancake
+ pof
+ wzzx

>> pandas at defcon15
(news) ( pancake @ Tue, 18 Ago 2007 02:32:61 +0200 )

These days one of our members where into Defcon15 to participate with the panda team at the CaptureTheFlag competition.

Few months ago a group of friends participate on the kenshoto prequals, which is a prequalification wargame with different categories and complexity. After the 48h we got qualified to participate at the DefCon final on a CTF.

This time we go there without a good preparation, we are wearing cheap network switches with broken RJs, and there was a long time most of us make an exploit or so, we had to remember all this things there O:)

We are 7 and decided to split the team in 3 groups: One doing server administrative tasks, exploiting automatism scripts and working together with the other two (reversing and exploiting).

The list of rules of a CTF are:
- you have two network cables and a table
- one of the cables reaches the gateway and the other one your server
- kernel patches are not allowed/permitted
- reverse engineering applications to find bugs to exploit
- patch your services (in binary)
- sniff the trafic to find other's exploits
- exploit them and take profit
- each service per each team has a token (key file with hex number)
- you should steal tokens from other teams and overwrite them with your own
- there are private and public tokens
- keep up your services

The first day of the ctf we were maintaining the first position, this is because we were focusing our time in the easiest ones, trying to get them rapidly and be able to steal as much points as possible from the rest of teams.

The second day there was some problems with the counters and we was unable to use the three breakthrougths we do during the night, and we had to spend all the day to finally exploit another because of another team constantly overwriting its key file. So we fall into the third position.

The third day was just the half of it, and this wasn't enought time to raise from the yestedays crackdown, but we were able to maintain the position and as a final note, We were able to exploit a 3-years old bug in about two hours before the end, but...we were too nervious and didn't look at the correct terminal O:).

Finally I will like to congratulate to Kenshoto and all the teams of the CTF for this great wargame and for having such a fun in a plastic city on the middle of a desert.

Hope to get classified next year and back to the CTF..This time with a 70% more of network switches

+ pandas/blog/report
+ Kenshoto
+ 48bits
+ cutaway-security
+ news.livedoor
+ atlas.blog

* pandas is a trademark of Osu Tatakae! Sexy Pandas wargaming team.
* 'we' in this article is refered to the panda team

Dev-lists

wistumbler2
radare

Posts

( 0day advisory: reverse-xss plain attack at pans and company
( pandas at defcon15
( org.nopcode.rest
( New web style
( mesure 0.7.2 released
( rss2html 0.8.2 released!
( acr 0.5.2 released
( debian repository for nopcode software
( youterm project has been made public
( nopcode mirror at bytezero
( gdvb 0.5 released
( acr 0.5 released
( gdvb 0.4 released
( rss2html 0.8 released!
( gdvb 0.3 released