DefCon CTF 2007 Qualifications
This year, Kenshoto hosted the 2007 round, starting the evening of June 1st.
The Underminers (secretly Team 1@stPlace: @tlas, drb, fury, jrod,
mezzendo, plato, psifertex, shiruken, wrffr), while having an automatic
spot in the 2007 CTF, decided to play along with quals because it always
kicks so much ass. We hope our write-ups on this site will help anyone
interested in practicing or learning more for future CTF adventures.
Please send any errors, corrections, ideas, or flames to
(Thanks to Luwenth, sk3wlm4st3r, Squires, and RacerX for updates, and
additional giant thanks to sk3wlm4st3r for the BinLeet 500 walk-through, adc for the Pwnage 400 walk-through, and
to RacerX for the Pwnage 500 walk-through.)
Huge thanks to Kenshoto for letting us distribute the Web Hacking and
Pwnage 100 server
sources. Any links below marked "Kenshoto Source" were given out after
the quals, but they're handy for recreating the services locally now that
their servers are offline.
Kenshoto sent official instructions;
the short version is: find a secret key associated with each challenge.
Below is the list of challenges, broken down by category, along with the
key that was recovered once the challenge was solved so you can check
your work. Questions were made available by having the team with the highest
score select a new question to work on, forcing a certain level of serialization.
For challenges that require
a running server instance (e.g. Web, Pwnables, and some Binary Leetness)
you'll use the server at *.allyourboxarebelongto.us. These services
may or may not be available, depending on Kenshoto's infrastructure. If
there is source available, you can run your own copy.
- 100: ____ the planet
(Key is: hack)
- 200: what OS did kenshoto run for CTF 2006?
(Key is: Solaris)
- 300: Who founded the zine TAP?
(Key is: Abbie Hoffman)
- 400: What is the name of the command used to add a user to a OSX box?
(Key is: niutil)
- 500: Implement the linked piece of C code in one assembly instruction. (submit answers in \x11\x22\x33 bytecode format)
(Key is: \x0f\xbd\xd8)
Read the Trivia walk-through
- 100: What is the name of the city where this image was taken? (and no, the image is NOT photoshoped)
(Key is: Bernardston)
- 200: Kenshoto Counter-Intuition Enforcement discovered this binary... We think it's more than it "appears"...
(Key is: IDYLWOOD GRILL)
- 300: We ganked this filesystem image from Dr. Kenneth Shoto's pwn gibson...
(Key is: in the other file)
- 400: Totally unbreakable infinity bit file encryption, oh noes! What ever will the spooks do?
(Key is: infinitybitfromsupercipher)
- 500: This is a physical memory image from a running target system. What is the (userland) virtual address of the string "forensics challenge" in the process foo.exe (answer in 0xf000baa4 notation)
(Key is: 0x00407034)
Read the Forensics walk-through
- 100: Use the provided client to gain access to the HD-DVD movie library...
(Key is: oh nine eff nine)
- 200: There might be a key in there... somewhere...
(Key is: saved eip, ftw!)
- 300: What algorithm[s] does this binary *implement*? (For the key, the algorithm with the longer name comes first. If you think it implements "foo" and "gazonk", the key is "gazonkfoo")
(Key is: blowfishbzip2)
- 400: SymMcKasTrend AV Buzzword Monitoring Center discovered the following malware and don't know what to do with it... It's running on quals07.allyourboxarebelongto.us...
(Key is: who's there? URMOMLOLZ!)
- 500: There can be only one!!1one! Feed this a stray cat to produce the key...
(Key is: rotten decryption hurts!)
Read the Binary Leetness walk-through
- 100: A critical MovieOS World Domination Control server is running on quals07.allyourboxarebelongto.us:1234. Pwn it!
Kenshoto Source - run your own server
(Key is: ooh baby, brute me harder)
- 200: Oh my god... it's full of mac! The provided binary is running on omgmac.allyourboxarebelongto.us:1984. Pwn it!
(Key is: one more thing...)
- 300: missing this question...
(Key is: ViAgR@ 4 ur shellcode)
- 400: So, like, we wrote this admin app... The provided binary is running on quals07.allyourboxarebelongto.us:4455, Pwn it!
(Key is: luwenth got some last night)
- 500: heh... yea... have fun with this... The provided binary is running on quals07.allyourboxarebelongto.us:12345. Pwn it!
(Key is: jerry was a racecar driver)
Read the Potent Pwnables walk-through
The walk-throughs are not finished; we're still waiting on Kenshoto to give us all the pwnage. In the meantime, here are some plots of scores, based on the raw scoring data