This post is about Sharif CERT (APA) center’s recent CTF (10 dec 2012), which is one of a kind in Iran. Most CTFs are a few days long since there are time-zone differences, but since this one is in Iran, its only a few hours long and full of pressure. Also it is fairly general purpose, with Trivia, Web Hacking, Cryptography, Steganography, Reverse Engineering and Forensics amongst it genres. There’s also the final scoreboard of the contest. As usual, team AbiusX nailed this CTF, though this was the initial round and the main round is held inside Sharif University of Technology in Tehran. APA CTF usually pisses me off, as some questions are not technical and more of a puzzle than a question – as you will see soon – and also because the guys in charge of making up questions have a very poor English (rofl). But it’s getting much better over the years and this version was perfectly acceptable, specially the parts about segmenting different teams’ flags. There were 2 trivia questions, 4 web flags, 2 reverse engineering flags and the rest each had one flag. Genre scores were 100 for trivia, 1200 for web, 200 for crypto, 600 for reverse engineering, 300 for steganography and 400 for forensics, plus bonuses for quick solvers.

The Questions

This section will describe each questions, its strengths and weaknesses and the solution to it.

I participated in the Stripe CTF Web Attacks and thus far it was the most well designed CTF I have ever encountered (and I have participated in a couple dozen). This is the second Stripe CTF, the first was exploitation based and this one was web based. Some Concepts CTF stands for Capture the Flag, its a genre of games where you have to get past enemy lines and take their flag and bring it back to your base to win a score. Usually hacking games are CTF like, you have to hack a system, find the flag (its a random string) and bring it to your home to get scores for that level. There are plenty of servers for a CTF host, since many attackers try to just break the servers instead of solving the challenges. Also every participant’s environment has to be secluded to achieve best challenge experiences, so lots of cautious programming on the host side is required. There are almost always lots of bugs on CTFs due to huge codebases, and hackers tend to hack systems in a way that the host didn’t plan of, and get the score; thus the host people have to watch the event and remove those bugs asap, and to respond to questions and feedbacks of the participants. How did I do I participated in this CTF a couple days ago, at midnight. Unfortunately my beloved uncle had just passed away and he had no sons, so I had to take care of much of funeral stuff. I only had a couple hours at midnight (at the cost of not sleeping for the funeral) to participate in this, so I did. I was able to solve 8 out of 9 challenges in almost 3 hours, and left for the funeral chores afterwards. The 8th question was a little lengthy and I returned to it after almost 30 hours (after the funeral and a brief rest) and solved it in a few hours. Below I’m going to discuss the questions and their answers (how to hack them) as an educational document.

Challenges

I’m going to copy the challenges from Stripe-CTF, then provide the solutions in a section below each of them.