Competing in the BSides Canberra 2023 CTF

Introduction

This was my first year attending the BSides Canberra conference and competing in the Capture the Flag (CTF) competition run by Cybears. While our team worked across all the competition categories, I’d like to tell you about some of the fun miscellaneous challenges I worked on during the competition.

The CTF took place between Thursday 28th and Saturday 30th of September. BSides Canberra is Australia’s largest technical security conference. Several CTF competitions were running during the event at the National Convention Centre. These included the Wireless CTF, HuntIR by the ACSC Digital Forensics Incident Response team, Black Bag by Redacted Infosec, the Locksport Competition, and of course the main Cybears CTF.

The CTF was a 29 hour competition containing 44 challenges. These challenges were broken down into various categories including badge (firmware/hardware), cryptography, miscellaneous, ppc (professional programming challenges), pwn (binary exploitation), reverse engineering, and web challenges. For each category there was a variety of challenges at various difficulty levels, especially within the badge and the miscellaneous categories.

Skateboarding Roomba

I participated as a member of the Skateboarding Roomba team. This team was a merger of the Skateboarding Dog team and the French Roomba team. With the CTF officially beginning at 10am on the Friday, our team got to work quickly by collecting their badges early on the Wednesday and scouted the convention centre looking for flags. Within 25 minutes, we had the badge firmware dumped and our first flag!

The BSides Canberra badge was an electronic badge called bpod containing both the snake and tetris games. These games also had online scoreboards which set off an arms race for creative names and highest scores. By working to reverse engineer the score submission mechanism on the badge, it was possible to submit our own custom names and device IDs, taking over the leaderboards.

With my teammates collecting 8 flags before the competition officially started, we were feeling confident when the CTF began at 10am on Friday. The competition room was packed with people from all over Oceania. Working at the same table as my teammates let me collaborate much easier compared to when we play online together. For example, it was much easier to collaborate on debugging challenges and brainstorming the logic puzzles. Because of this, I found the CTF much more engaging as it was easier for us to communicate our ideas with each other.

Challenge Writeups

In this section, I will describe some of my favourite miscellaneous challenges that I worked on during the competition.

Shall We Play A Game? [MISC – 100 points]

“The Decepticoms plan to send out a “fake” map from bumblebears transponder. Bumblebear knows the grid coordinates of the energon, but can only change one cell in the map without arousing suspicion. Help bumblebear (and the cybears recipient Pandamonium) recover the location of the energon cache.”

Solution

The description of this logic puzzle appears to describe a checksum problem, and looking at the provided source code of the server, the board appears to be 16×1:

#define SIDELENGTH 16
#define BOARDSIZE (SIDELENGTH*SIDELENGTH)

Reminded of the chessboard problem on 3Blue1Brown and the solution on Stand-up Maths, I spent some time searching the internet for solutions that represent the board in binary and came across a writeup. I then used Approach B in the article as the implementation for the solution:

function Bumblebear1(board, treasure)
    local value = 127
    for i = 1,#board do
        if board[i] == 0 then
            value = value~(i-1)
        end
    end
    return value~treasure
end

function Pandamonium1(board)
    local value = 0
    for i = 1,#board do
        if board[i] == 0 then
            value = value~(i-1)
        end
    end
    return value
end

Shall We Play A Game II? [MISC – 200 points]

“You and 99 of your cybear companions have been imprisoned by the evil AI. Being a perfectly logical being, the AI gives you a chance to escape.

The AI gives each cybear an ID from one to one hundred. Next, the AI randomly places cards with everyone’s ID on them into one hundred identical looking boxes. The AI will bring the prisoners in one by one. They each have fifty attempts to find their own ID card.

Everyone must find their own card to survive, if any one fails, everyone is immediately destroyed.
Help your fellow cybear companions to develop a strategy to escape!”

Solution

Reading the description of this challenge, this logic puzzle seemed surprisingly familiar, and I remembered the solution from watching several YouTube videos by VSauce and minutephysics covering the solution way back in high school.

In order to find the cycle of boxes containing your ID, you start by opening the same numbered box as your id, and use the ID in the box in order to determine your next guess.

The solution ends up being extremely simple using the template:

    if round == 0 then
        return id      
    end
    return responses[round]

Sourdough [MISC – 100 points]

“While many in lockdown were developing a sourdough starter, this crusty old Cybear started a bread (board) project of a different kind – This one is not for EAT(ER)ing.

Can you rise to the challenge, slice the right bites and bring home the dough? You may kneed to do some research or your answers will be toast.”

The challenge description for sourdough has two words in brackets, hinting that the challenge is based on the Ben Eater breadboard instruction set. The challenge is to implement modulo with a limited amount of memory. In order to implement modulo, the value was saved in a register before subtracting and breaking out of the loop (if the zero flag is set). Then the register value was restored and output. An issue we got caught with was not realising that the JPC command was inverted, and will jump if there is no carry bit set, as opposed to the usual behaviour!

LDA 14
STA 13
SUB 15
JPC 1
LDA 13
OUT 0
HLT 0
13: 0
14: 10
15: 3

Conclusion

In the end, our Skateboarding Roomba team won 1st place on the scoreboard! Team Grassroots Indirection came 2nd, and team Emu Exploit placed 3rd.

I focused on solving the miscellaneous challenges this year. Next year my strategy will be to focus on the web and reverse engineering challenges first. The variety of miscellaneous challenges was very refreshing and fun to play. This was a departure from the usual CTF competitions where there is only a handful of miscellaneous challenges at most. I highly recommend checking them out and playing with the challenges at home as they are all available for download from the Cybears gitlab repository.

Scoreboard

References and Writeups