iCTF09 – UCSB's International Capture the Flag Competition
As a member of the Security Lab at UCSB I had the privilege to help create and run this year's iCTF Hacking Competition. The six-year-old competition was unusual this year. Unlike earlier CTFs, in which teams try to protect their own services whilst attacking other teams' services, our competition had teams deliver drive-by downloads to simulated users for the purpose of stealing money from those users' bank accounts.
In order to deliver drive-by downloads, the teams had to bring users to their web pages by boosting their ranking on the search server for the desired search terms. The users' browsing pattern was to search for a random word taken from a news site and then visit one of the resulting pages, chosen according to a Pareto distribution, meaning the top search result had the highest probability of being picked and the last result the lowest.
The challenge there was to figure out how to boost the search results for particular keywords. Unfortunately most of the teams simply duplicated the news site; this was definitely the safest strategy, though slightly disappointing to me as I wrote the search engine code. I can claim that neither the search engine nor the index server broke during the competition. The crawler had a few issues with some teams' pages, which I quickly fixed. I have made the search engine code used in iCTF09 available.
In addition to writing the search engine, I wrote three challenges for the competition. The first challenge I wrote was called "The Difference", or Forensics 4. The only information people were given was the title and the following image. The first step to solving this challenge is recognizing the image as the xkcd comic "The Difference".
After downloading the original image one should notice the two files are different sizes, the original being 32 KB and my image 46 KB. At this point a pixel-by-pixel comparison is required, which reveals that 60 of the pixels differ and that the differing pixels are always larger in my image. This is where "The Difference" first comes into play: subtract the original's value from my image's value at each differing pixel, which yields a positive number for every one of them.
Doing so produces the results shown in the_difference_values.txt. Each line contains the difference value and the index of the pixel. The values in this list range from 33 to 41, with the exceptions 10, 12 and 15. Additionally, the numbers appear in groups of three where the last number in the group is sometimes larger. After a bit of pondering the realization sets in that ASCII lowercase letters range from 97 to 122, with space being 32 and hyphen 45. It should hit you like a ton of bricks that you need to sum each group of three and convert the total to its ASCII character.
The string "sixty-four seventeen" now appears and you think you've solved the challenge, but it's not quite done. This is where "The Difference" comes back into play: subtract the two numbers to get forty-seven. There were 596 submissions for this challenge, of which 2 were correct. I've made the source to both generate and verify this challenge available.
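The encoding and decoding described above in working form, as an added example rather than the author's generator or verifier (neither is on this page): a string is hidden in a constructed 8-bit grayscale sample array by adding a third of each character code to three samples, recovered by diffing the two arrays and summing the differences in groups of three, and the two number words are then parsed and subtracted. The three-way split, the synthetic image, and the start/stride placement are assumptions; the split reproduces the difference values the post lists (33 to 41 for letters, 10 and 12 for a space, 15 for the hyphen) but is not necessarily how the real image was produced.

```python
def split_char(code: int) -> list[int]:
    """Spread one ASCII code over three samples, remainder on the last one.
    Assumed split; it matches the post's values: 'e' -> 33, 33, 35,
    space (32) -> 10, 10, 12, hyphen (45) -> 15, 15, 15."""
    third = code // 3
    return [third, third, code - 2 * third]


def embed(original: list[int], secret: str, start: int = 0, stride: int = 1) -> list[int]:
    """Copy of `original` (8-bit grayscale samples) with `secret` added into 3*len(secret) of them.
    Every touched sample becomes strictly larger, which is the property the solver relies on."""
    out = list(original)
    pos = start
    for ch in secret:
        for part in split_char(ord(ch)):
            if out[pos] + part > 255:
                raise ValueError(f"sample {pos} would overflow 8 bits; choose another start/stride")
            out[pos] += part
            pos += stride
    return out


def differences(original: list[int], modified: list[int]) -> list[tuple[int, int]]:
    """(index, modified - original) for every sample that changed: the_difference_values.txt."""
    if len(original) != len(modified):
        raise ValueError("images have different sample counts")
    diffs = [(i, m - o) for i, (o, m) in enumerate(zip(original, modified)) if m != o]
    if any(d <= 0 for _, d in diffs):
        raise ValueError("a modified sample is smaller than the original; not this encoding")
    return diffs


def extract(original: list[int], modified: list[int]) -> str:
    """Sum each group of three differences and read the total as an ASCII character."""
    values = [d for _, d in differences(original, modified)]
    if len(values) % 3:
        raise ValueError(f"{len(values)} differences is not a multiple of three")
    return "".join(chr(sum(values[i:i + 3])) for i in range(0, len(values), 3))


SMALL = {w: n for n, w in enumerate(
    "zero one two three four five six seven eight nine ten eleven twelve "
    "thirteen fourteen fifteen sixteen seventeen eighteen nineteen".split())}
TENS = {w: 10 * n for n, w in enumerate(
    "twenty thirty forty fifty sixty seventy eighty ninety".split(), start=2)}


def number_word(word: str) -> int:
    """'seventeen' -> 17, 'sixty-four' -> 64, 'ninety' -> 90."""
    if word in SMALL:
        return SMALL[word]
    tens, _, unit = word.partition("-")
    if tens in TENS and (unit == "" or 0 < SMALL.get(unit, -1) < 10):
        return TENS[tens] + SMALL.get(unit, 0)
    raise ValueError(f"cannot parse {word!r}")


def final_answer(message: str) -> int:
    """The last 'difference': the two numbers in the recovered text, subtracted."""
    first, second = message.split()
    return number_word(first) - number_word(second)


# Constructed stand-in for the 393 x 740 grayscale original; the real xkcd image is not embedded.
WIDTH, HEIGHT = 393, 740
ORIGINAL = [(7 * i + 3) % 200 for i in range(WIDTH * HEIGHT)]
SECRET = "sixty-four seventeen"

if __name__ == "__main__":
    modified = embed(ORIGINAL, SECRET, start=1000, stride=97)
    print(len(differences(ORIGINAL, modified)), "pixels differ")   # 60
    text = extract(ORIGINAL, modified)
    print(text, "->", final_answer(text))                          # sixty-four seventeen -> 47
```

The solver side only needs `differences`, `extract` and `final_answer`; the sanity checks in `differences` (equal sizes, every change positive) are the two observations the post makes before the grouping step, and failing either one is the signal that a different encoding is in play.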
The second challenge I wrote had 75 submissions and 0 correct solutions. It was one of the Trivia 3 problems and had a text file and the following blurb associated with it:
Rummaging through the attic one afternoon Sally found a notebook which on the cover read ‘What happened in 95?’. On one of the pages she found the following two paragraphs of text which appeared as gibberish to her. She copied the two paragraphs down as best she could, however there were forty-five characters which she couldn’t make out from the first paragraph, which she simply neglected. What are those 45 characters?
The concept behind this problem is a one-time pad: a completely random sequence of characters the same length as the original text is generated and XORed with the original text to create the cipher text. At this point the original text can be discarded, since it can be recovered by XORing the cipher text with the one-time pad.
The challenge in this problem is finding where the 45 missing characters go, and what they are. One additional difficulty is figuring out that 95 needs to be subtracted from the ASCII values prior to XORing, so that every value being XORed lies in the range 0 to 31 (five bits) and the result, once 95 is added back, is again a printable character in the same range. This can be discovered by taking the minimum value that appears in the paragraphs, which is 95, corresponding to '_', and the maximum value that appears, which is 126, corresponding to '~'. The '95' in the blurb was there to hint at this.
Finding the places where the characters should go requires XORing the current (incomplete) one-time pad with the cipher text. Plain English text with no punctuation or spaces results at the beginning of the output, until nonsense is output. That is the point at which a character needs to be inserted into the one-time pad. This process needs to be repeated for all 45 characters.
At each such point, XORing the cipher text character with the plain text character that should appear there (both reduced by 95) yields the missing pad character. The solution is the concatenation of all the missing characters. This is "sdnalsilennahcehtdnuoradnuofebnacsehcnarbidun", which is "nudibranchescanbefoundaroundthechannelislands" reversed.
I've made the code to generate this challenge available. You'll notice it loops until the one-time pad contains the characters of the solution. The original text is a passage from Joyce's Dubliners that contains the oldest reference I know of to the phrase "how goes it". I did not write a solution for this problem.
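The scheme above in working form, as an added example and not the author's generator: the shift-by-95 XOR over the '_'..'~' alphabet, encryption with a pad drawn from that alphabet, and the walk that finds where the surviving pad characters stop turning the cipher text into the expected plain text. The plain text, the fixed pad, and the two removed pad positions are constructed for the example; the walk assumes the solver can supply the expected plain text (the role that reading English plays in the real challenge) and treats a position as a gap the moment the next surviving pad symbol fails to decrypt it, with a check at the end for the one case that fools a greedy walk.

```python
import secrets

BASE, TOP = 95, 126          # '_' and '~': the smallest and largest characters in either paragraph
ALPHABET = "".join(chr(c) for c in range(BASE, TOP + 1))   # 32 symbols, i.e. five bits each


def to_val(ch: str) -> int:
    v = ord(ch) - BASE
    if not 0 <= v <= TOP - BASE:
        raise ValueError(f"{ch!r} is outside the '_'..'~' alphabet")
    return v


def xor95(a: str, b: str) -> str:
    """XOR two alphabet characters after the shift; the result lands back inside '_'..'~'."""
    return chr((to_val(a) ^ to_val(b)) + BASE)


def alphabet_range(text: str) -> tuple[int, int]:
    """Smallest and largest code in the text; (95, 126) is the tell for the shift."""
    codes = [ord(c) for c in text]
    return min(codes), max(codes)


def random_pad(n: int) -> str:
    """A fresh pad: n symbols drawn uniformly from the alphabet with the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def encrypt(text: str, pad: str) -> str:
    if len(pad) < len(text):
        raise ValueError("pad must be at least as long as the text")
    return "".join(xor95(t, k) for t, k in zip(text, pad))


decrypt = encrypt   # XOR is its own inverse


def recover_missing(pad_with_gaps: str, cipher: str, plain: str) -> tuple[str, list[int], str]:
    """Walk the cipher text with the damaged pad. If the next surviving pad symbol turns the
    cipher character back into the expected plain character, consume it; otherwise the true pad
    symbol was lost here and equals plain XOR cipher. Returns (lost symbols, positions, rebuilt pad)."""
    missing, positions, rebuilt = [], [], []
    j = 0
    for i, (c, p) in enumerate(zip(cipher, plain)):
        if j < len(pad_with_gaps) and xor95(pad_with_gaps[j], c) == p:
            rebuilt.append(pad_with_gaps[j])
            j += 1
        else:
            k = xor95(p, c)
            missing.append(k)
            positions.append(i)
            rebuilt.append(k)
    # The greedy walk is fooled when a lost symbol equals the next surviving one (1 in 32 per gap);
    # then symbols are left over or the gap count is wrong, and a backtracking search is needed.
    if j != len(pad_with_gaps) or len(missing) != len(plain) - len(pad_with_gaps):
        raise ValueError("pad walk desynchronised; backtrack over candidate gap positions")
    return "".join(missing), positions, "".join(rebuilt)


# Constructed data: the walk is only reproducible with a fixed pad, so random_pad() is not used here.
PLAIN = "howgoesit"
FULL_PAD = "k~q_bzm`w"
CIPHER = encrypt(PLAIN, FULL_PAD)                            # "dnigr|yjl"
DAMAGED_PAD = FULL_PAD[:2] + FULL_PAD[3:6] + FULL_PAD[7:]    # symbols 2 and 6 lost: "k~_bz`w"

if __name__ == "__main__":
    print(alphabet_range(CIPHER + FULL_PAD))    # (95, 126)
    lost, where, rebuilt = recover_missing(DAMAGED_PAD, CIPHER, PLAIN)
    print(lost, where, rebuilt == FULL_PAD)      # qm [2, 6] True
```

In the challenge the answer is the string of lost symbols in the order they are found, which is what `recover_missing` returns first; the final consistency check matters because a coincidental match silently shifts every later gap by one.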
The third and final problem I wrote was called 0xDEAFBABE, or Trivia 2. A binary file was provided (renamed to include a .mid extension to resolve content-type issues) which the file program correctly identifies as a MIDI audio file. Playing it, one hears about one note per second. Many teams tried to work out which notes they were on the musical scale, such as C sharp or B flat, but that was overthinking it. The solution was simply to print the ASCII character corresponding to each MIDI note number. Note numbers range from 0 to 127, so they map perfectly onto 7-bit ASCII. The solution was "does this not sound super cool?" There were 207 submissions, of which 21 were correct. I have made my source to generate and verify this challenge available.
If you competed in the iCTF and attempted or completed any of these challenges, let me know what you thought and how long you spent on them. I recall someone in the chat yesterday saying they were losing their sanity trying to solve "The Difference"; that gave me a good laugh.
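An added example (not the author's generator or verifier) of both sides of this challenge: writing a minimal format-0 Standard MIDI File with one note-on per character, the note number being the character's ASCII code, and parsing such a file back. The parser handles chunk headers, variable-length delta times, running status, and meta and sysex events, so it reads real files and not only its own output. The channel, velocity, and timing (192 ticks at 96 ticks per quarter note, about one second at the default tempo) are assumptions.

```python
import struct

TICKS_PER_QUARTER = 96   # at the default 120 bpm a quarter note is 0.5 s, so 192 ticks is one note per second


def encode_vlq(value: int) -> bytes:
    """MIDI variable-length quantity: 7 bits per byte, MSB set on all but the last byte."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def decode_vlq(data: bytes, pos: int) -> tuple[int, int]:
    """Decode the VLQ at pos; return (value, position after it)."""
    value = 0
    while True:
        b = data[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos


def build_midi(message: str, channel: int = 0) -> bytes:
    """Constructed format-0 file: one note per character, note number = ASCII code."""
    track = bytearray()
    for ch in message:
        note = ord(ch)
        if not 0 <= note <= 127:
            raise ValueError(f"{ch!r} is not 7-bit ASCII; MIDI note numbers are 0..127")
        track += encode_vlq(0) + bytes([0x90 | channel, note, 0x40])                        # note on
        track += encode_vlq(2 * TICKS_PER_QUARTER) + bytes([0x80 | channel, note, 0x00])    # note off
    track += encode_vlq(0) + bytes([0xFF, 0x2F, 0x00])                                     # end of track
    header = b"MThd" + struct.pack(">IHHH", 6, 0, 1, TICKS_PER_QUARTER)
    return header + b"MTrk" + struct.pack(">I", len(track)) + bytes(track)


def decode_notes(data: bytes) -> str:
    """Walk every track and return the note-on numbers (velocity > 0) as ASCII characters."""
    if data[:4] != b"MThd":
        raise ValueError("not a Standard MIDI File")
    hdr_len, _fmt, ntrks, _division = struct.unpack(">IHHH", data[4:14])
    pos = 8 + hdr_len
    out = []
    for _ in range(ntrks):
        if data[pos:pos + 4] != b"MTrk":
            raise ValueError("expected an MTrk chunk")
        length = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        pos += 8
        end = pos + length
        status = None
        while pos < end:
            _delta, pos = decode_vlq(data, pos)
            b = data[pos]
            if b & 0x80:                      # explicit status byte
                status = b
                pos += 1
            elif status is None:
                raise ValueError("data byte before any status byte")
            if status == 0xFF:                # meta event: type, length, payload
                mlen, pos = decode_vlq(data, pos + 1)
                pos += mlen
            elif status in (0xF0, 0xF7):      # sysex: length, payload
                slen, pos = decode_vlq(data, pos)
                pos += slen
            else:                             # channel message; program/pressure carry one data byte
                kind = status & 0xF0
                ndata = 1 if kind in (0xC0, 0xD0) else 2
                params = data[pos:pos + ndata]
                pos += ndata
                if kind == 0x90 and params[1] > 0:
                    out.append(chr(params[0]))
        pos = end
    return "".join(out)


if __name__ == "__main__":
    blob = build_midi("does this not sound super cool?")
    print(decode_notes(blob))   # does this not sound super cool?
```

Note-on events with velocity 0 are treated as note-offs, as the MIDI spec allows, so they never produce a character; a real challenge file that used them instead of 0x80 messages would still decode correctly.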
Comments
Comment from guest
Time December 6, 2009 at 11:05 am
And big thanks for the challenge, it was very interesting!
Comment from Bryce Boe
Time December 6, 2009 at 11:09 am
guest- If I’m not mistaken, the flags had to be submitted through the vuln boxes as the teams did not have network access to the submission machine.
Pingback from http://62.141.37.41/blog » Blog Archive » UCSB iCTF 2009 – pwnd by CInsects
Time December 8, 2009 at 3:22 am
[...] Further links: [12] About the winners of the UCSB iCTF 2008 [13] One of the organizers writes about his contribution. [...]
Comment from rohit
Time December 15, 2009 at 8:43 am
I wish the question for the side challenge ‘the difference’ could have been more clear.
Comment from Saiph =)
Time December 17, 2009 at 10:24 pm
This organizer, I believe, is very nice =)
I love reading his blog!
…great post. Your challenges are really original. Just out of curiosity, how many teams came up with the string "sixty-four seventeen" and were just missing the subtraction?
I think I also have a bit of difficulty understanding the difference task. I'm going to write what I understood the teams should do: OK, so teams were given two images. I assume they first read the header of the image to know if the image that was given to them was in RGB format, or YUV, or RGBA. (This isn't actually that simple I think, because for example with jpg the format specification I think is compressed.) Did the teams figure out the format or did everyone assume it was a vector of 3 per pixel? (Knowing the format could be very important, because if it's RGBA you would have a vector of 4 for each pixel instead of a vector of 3.) So after they knew the format, and considering it was presented as a vector of 3 values (x,y,z), they needed to subtract the x from image 1 from the x from image 2, and do the same for the y and z values of the images. They then obtained a vector (differenceX, differenceY, differenceZ), and they then needed to add differenceX + differenceY + differenceZ = overallPixelDifference.
They then got the ASCII value of that pixelDifference. They did the same for all of the pixels of the image, and had as a result the string, with which they then needed to obtain the last difference, 64-17.
Is this correct??
Also, are there these kinds of competitions for forensic analysis? Do you think it is more important for companies to give support to forensic analysis, ways in which attacks can be prevented or repaired, rather than investing money in ways to attack an infrastructure?
Wow, my comment is super long… ¬¬ I need to work on keeping it short and simple. That will be my new year's resolution!
Comment from Bryce Boe
Time December 19, 2009 at 2:34 am
@rohit- The difference definitely could have been clearer, but figuring it out was intended to be half the challenge.
@Saiph- I think both the teams that got it right submitted "sixty-four seventeen" prior to submitting the correct answer. I don't believe anyone only got as far as "sixty-four seventeen".
Regarding figuring out what type of file it is, that was pretty trivial. First they were given it as "the_difference.png" which, although it could be misleading, should allow one to quickly confirm it is indeed a png. Any good security person will start by using the handy file command, which for this file tells:
the_difference.png: PNG image, 393 x 740, 8-bit grayscale, non-interlaced.
I'll admit when I originally wrote the generator script I assumed it was an RGB png image, which is why there are groupings of three pixels. I meant to distribute the single character evenly across a single pixel by adjusting the red, green, and blue in equal parts, which my code was meant to do. However, as it's a greyscale image the result was modifying three adjacent pixels; oh well.
I think if you take a look at the solution code along with the difference values it should be pretty clear how to get the ASCII values.
Regarding your last few questions, I’m not really sure, thus I don’t have an answer for you, sorry.
Thanks for the comment, even if it's not short and simple.
Comment from Mike
Time January 4, 2010 at 3:38 pm
Have any of your colleagues at UCSB posted the solutions to the challenges they created? If so, please post links to their solutions here… I’m very anxious to find out what the answers were.
Thanks.
Comment from Bryce Boe
Time January 4, 2010 at 3:43 pm
@Mike – I don’t believe there have been any write-ups by my colleagues. Are there particular challenges you would like solutions to?
Comment from Mike
Time January 4, 2010 at 3:49 pm
@Bryce – Well, all of them eventually, but especially the other four forensics questions. There were a total of five, weren’t there?
Comment from Bruce
Time May 19, 2010 at 6:09 am
I wish the question for the side challenge ‘the difference’ could have been more clear.
Comment from guest
Time December 6, 2009 at 11:01 am
Why were flags not accepted?
Is it because of a bad user-agent, or did they have to be submitted not from the team network but from the vuln boxes? Or were those old flags?