Archive for August, 2012

Stripe CTF 2 – Web Challenges

Written by AbiusX on . Posted in Computer, English, Network, Security

I participated in the Stripe CTF Web Attacks and thus far it was the most well designed CTF I have ever encountered (and I have participated in a couple dozen). This is the second Stripe CTF; the first was exploitation based and this one was web based.

Some Concepts

CTF stands for Capture the Flag. It’s a genre of games where you have to get past enemy lines, take their flag and bring it back to your base to win a score. Usually hacking games are CTF-like: you have to hack a system, find the flag (it’s a random string) and bring it to your home to get scores for that level. There are plenty of servers for a CTF host, since many attackers try to just break the servers instead of solving the challenges. Also, every participant’s environment has to be secluded to achieve the best challenge experience, so lots of cautious programming on the host side is required. There are almost always lots of bugs in CTFs due to huge codebases, and hackers tend to hack systems in a way that the host didn’t plan for, and get the score; thus the host people have to watch the event and remove those bugs ASAP, and respond to questions and feedback from the participants.

How did I do

I participated in this CTF a couple of days ago, at midnight. Unfortunately my beloved uncle had just passed away and he had no sons, so I had to take care of much of the funeral stuff. I only had a couple of hours at midnight (at the cost of not sleeping for the funeral) to participate in this, so I did. I was able to solve 8 out of 9 challenges in almost 3 hours, and left for the funeral chores afterwards. The 8th question was a little lengthy and I returned to it after almost 30 hours (after the funeral and a brief rest) and solved it in a few hours. Below I’m going to discuss the questions and their answers (how to hack them) as an educational document.

Challenges

I’m going to copy the challenges from Stripe-CTF, then provide the solutions in a section below each of them.

Software Bloats: epic failure and how to prevent it

Written by AbiusX on . Posted in Computer, Development, English

Bloating is one of the most fatal horrors that can happen to a piece of software. It is when you have a nice working piece of software that everyone loves, and then you start adding odd crazy features to it that nobody but you (who spent numerous hours thinking about how you could reach perfection in your software) needs or uses. It might not seem very likely but believe me, if you don’t shackle your thoughts, you’ll definitely bloat it.

For example, consider Apple TextEdit, which is somewhat a counterpart of Notepad on Mac OS X. TextEdit was a very powerful tool, yet simple enough for taking a few notes. It could open MS Word documents and other RTF-like formatted documents, as well as pure ASCII text files, and it would automatically recognize the encoding and save with the appropriate encoding, all without the need to go through application preferences. Now they have added Versions and a lot of other magical stuff to TextEdit (as well as many fundamental OS X apps such as Preview), and it takes ages (in comparison to a nerd’s typing speed) for it to open, save, close and behave. Personally I haven’t used Versions once in this whole year I’ve had OS X 10.7 Lion, and I don’t think everybody else has; that’s why most people hate Versions (dare Google it!).

Another case would be Mozilla Thunderbird, which is a magnificent piece of software, but I strongly doubt that anyone unfamiliar with the mechanics of modern emailing protocols could cope with it. Thunderbird is a strong mail client capable of almost anything, but I bet half of my blog readers won’t be able to start checking their mail with it. It wasn’t like that in the first few versions, but the developers got involved in the software so deeply they could only see the world as an emailing infrastructure, and anyone has to know what the difference between IMAP and POP3 is to drive in their world.

How to prevent it

They say that people use 20% of a software’s features 80% of their time, so bloating will just make this percentage look uglier. The best method to prevent bloating AFAIK is to go agile; this way you would only implement what your customer needs and uses, and if they didn’t like it, you would either change it or dump it.

Copyright (C) 2007 by AbiusX.com, contents of AbiusX.com are personal and are not views of any employers.