This year, Kenshoto hosted the 2007 DefCon Capture-the-Flag Qualifications round, starting the evening of June 1st.

The Underminers (secretly Team 1@stPlace: @tlas, drb, fury, jrod, mezzendo, plato, psifertex, shiruken, wrffr), while having an automatic spot in 2007 CTF, decided to play along with quals because it always kicks so much ass. We hope our write-ups on this site will help anyone interested in practicing or learning more for future CTF adventures.

Please send any errors, corrections, ideas, or flames to Doc Brown. (Thanks to Luwenth, sk3wlm4st3r, Squires, and RacerX for updates, and additional giant thanks to sk3wlm4st3r for the BinLeet 500 walk-through, adc for the Pwnage 400 walk-through, and to RacerX for the Pwnage 500 walk-through.) Huge thanks to Kenshoto for letting us distribute the Web Hacking and Pwnage 100 server sources. Any links below marked "Kenshoto Source" were given out after the quals, but they're handy for recreating the services locally now that their servers are offline.

Kenshoto sent official instructions, but the short version is: find a secret key associated with each challenge. Below is the list of challenges, broken down by category, along with the key that that was recovered once the challenge was solved so you can check your work. Questions were made available by having the team with the highest score select a new question to work on, forcing a certain level of serialization. For challenges that require a running server instance (e.g. Web, Pwnables, and some Binary Leetness) you'll use the server at *.allyourboxarebelongto.us. These services may or may not be available, depending on Kenshoto's infrastructure. If there is source available, you can run your own copy.

• 100: ____ the planet
  (Key is: hack)
• 200: what OS did kenshoto run for CTF 2006?
  (Key is: Solaris)
• 300: Who founded the zine TAP?
  (Key is: Abbie Hoffman)
• 400: What is the name of the command used to add a user to a OSX box?
  (Key is: niutil)
• 500: Implement the linked piece of C code in one assembly instruction. (submit answers in \x11\x22\x33 bytecode format)
  (Key is: \x0f\xbd\xd8)

Read the Trivia walk-through.

• 100: Who has placed an order for the "Focus" midget? Original URL
  Kenshoto Source - run your own server
  (Key is: Grant Chambers)
• 200: Domokun has always known best... Original URL
  Kenshoto Source - run your own server
  (Key is: DomoKillsCatsForKenShoto)
• 300: Pwn it to get a key Original URL
  Kenshoto Source - run your own server
  (Key is: somanymidgestsolittletime)
• 400: Pwn it Original URL
  Kenshoto Source - run your own server
  (Key is: FalcorHasBigEars)
• 500: How much does it really cost to sell out? (submit only the decimal part) Original URL
  Kenshoto Source - run your own server
  (Key is: 838283023)

Read the Web Hacking walk-through.

• 100: What is the name of the city where this image was taken? (and no, the image is NOT photoshoped) Files
  (Key is: Bernardston)
• 200: Kenshoto Counter-Intuition Enforcement discovered this binary... We think it's more than it "appears"... Files
  (Key is: IDYLWOOD GRILL)
• 300: We ganked this filesystem image from Dr. Kenneth Shoto's pwn gibson... Files
  (Key is: in the other file)
• 400: Totally unbreakable infinity bit file encryption, oh noes! What ever will the spooks do? Files
  (Key is: infinitybitfromsupercipher)
• 500: This is a physical memory image from a running target system. What is the (userland) virtual address of the string "forensics challenge" in the process foo.exe (answer in 0xf000baa4 notation) Files
  (Key is: 0x00407034)

Read the Forensics walk-through.

• 100: Use the provided client to gain access to the HD-DVD movie library... Files
  (Key is: oh nine eff nine)
• 200: There might be a key in there... somewhere... Files
  (Key is: saved eip, ftw!)
• 300: What algorithm[s] does this binary *implement*? (For the key, the algorithm with the longer name comes first. If you think it implements "foo" and "gazonk", the key is "gazonkfoo") Files
  (Key is: blowfishbzip2)
• 400: SymMcKasTrend AV Buzzword Monitoring Center discovered the following malware and don't know what to do with it... It's running on quals07.allyourboxarebelongto.us... Files
  (Key is: who's there? URMOMLOLZ!)
• 500: There can be only one!!1one! Feed this a stray cat to produce the key... Files
  (Key is: rotten decryption hurts!)

Read the Binary Leetness walk-through.

• 100: A critical MovieOS World Domination Control server is running on quals07.allyourboxarebelongto.us:1234. Pwn it!
  Kenshoto Source - run your own server
  (Key is: ooh baby, brute me harder)
• 200: Oh my god... it's full of mac! The provided binary is running on omgmac.allyourboxarebelongto.us:1984. Pwn it! Files
  (Key is: one more thing...)
• 300: missing this question... Files
  (Key is: ViAgR@ 4 ur shellcode)
• 400: So, like, we wrote this admin app... The provided binary is running on quals07.allyourboxarebelongto.us:4455, Pwn it! Files
  (Key is: luwenth got some last night)
• 500: heh... yea... have fun with this... The provided binary is running on quals07.allyourboxarebelongto.us:12345. Pwn it! Files
  (Key is: jerry was a racecar driver)

Read the Potent Pwnables walk-through.

The walk-throughs are not finished; we're still waiting on Kenshoto to give us all the pwnage. In the meantime, here are some plots of scores, based on the raw scoring data: