Web KCON Blue-Lotus Defcon 20 CTF NISL Blue-Lotus @
Defcon CTF o 1996 16 DDTek 2009-Present o Defcon 20 CTF Quals o Challenges Solving o 10 + 10 CTF Deathmatch Final CTF (offense & defense) o Defco
Defcon CTF o o o o o o o Grab bag Urandom Binary l33tness Pwnables Forensics 100-500
Blue-Lotus o (NISL@TU) o 2010 12 ictf 10 disket UGA Prof. Kang Li : 35/72 o ictf 11 23/87 Metasploit
Defcon CTF
CTF 6.2 8:30am [Blue-lotus] & [Blue-Lotus] [Syclover]
0.01h o Grab Bag 100: Hack the planet_ o 2006: Hack the o 2007: the planet o 2008: Hack planet o 2011:. o 2012: Hack the planet_ G100 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/04/693
0.01h (Hack the planet -Hacker)
0.5h -, 200, 1 o Urandom 100: How many developers;) did it take to secure Windows 8? o Google Windows 8 - Win8 60-70 1-100 o - 152 Slow Down?!! o Why 152? ( developers ) U100 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/05/719
p100 o p100: MIPS fuzz Qemu + Linux-mips ASLR o o binary write() o MIPS jmp esp ASLR P100 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/04/709
b100 o Binary l33tness 100: binary recover my key mac.h sshd ssh Google: skynet ssh backdoor mac.h xor 0xff Key Key?!!! B100 Writeup: http://wcf1987.iteye.com/blog/1550530
b100 (con d) o key key Key Key?!!!
b100 insight-?/fish: key Ali: crypt () Air 40 ./john /root/Desktop/hash.txt
f100 o Linux find the key o 1.c.x o Writeup blkls -s f100: sleuthkit Slack space: F100 Writeup: http://sysexit.wordpress.com/2012/06/03/defcon-20-ctf-prequals-2012-forensics-300-writeup/#comments
- f200 o Forensic 200: recover the key WinHex 7 JPG Google Map stegdetect -ddtek 4 F200 F200 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/15/769
f200 3D
Dinner's ready! Dinner's ready! Fish: Wait until I finish b200, then
b200 o key o File: FreeBSD 32-bit IDA Pro -> -> Nop Callback() Key Sorry B200 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/17/779
b200 o Callback( ) o 4 4 o 4 o o Easy
b200 string string crypt() string?
b200 o crypt() Hash o Rijndael (AES) S-Box AES-based MAC?! side-channel collision attack known-message scenario time and memory complexity
b200 o Fish v5.key[0] = 0x14B62D86u - Tangle Hash Function!!! Google Tangle Hash collision
b200 o o key 437f085141d357c5d28850d5119aacb5
p200 o FreeBSD exploit o buffer? Kelwin: 10 = 0A, buffer protection, protectio
p200 o o Zhugejw: Kelwin: index, protectiolycan, shellcode sp+228h sp+224h sp+220h sp+21ch sp+1ch sp Ret-add Ret-add Ret-add protection 0x02 index 0x00 0x0b buffer shellcode 0x02 0x0c P200 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/04/699
700 (3x ) :5/10 :700/1600 1 :9/10 1 :1400/1600 : 1 :6x+/5xx :3x/5xx : binary : forensic : grab bag
-g (g200) o MACOS jpeg o Diff DNS o Scapy DNS IP o dig -t ptr 13.12.11.10.in-addr.arpa @140.197.217.85 -b ::#31337 o DNS dan.kaminsky.kung.fu. G200 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/05/719
-g (g300) o PIN o 10 This is semi-real. o o Balance: $92387409 825702370 12935.32 G300 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/09/760
2 15pm- 18. Bluelotus:1200
-p (p300) o FreeBSD exploit o o o o ptr[] ptr[]
-p (p300) o ptr[] 4 INT o Shellcode o P300 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/04/715
-f (f300) o Strings D-Link DIR-815 Firmware Firmware o Binwalk squashfs + lzma o firmware-mod-kit./extract-ng.sh /root/desktop/ makefirmware/f300 rootfs /home/dlink/key.txt F300 Writeup: http://insight-labs.org/?p=371
-g (g400) o Gb400: What is Jeff Moss checking account balance? SQL
-g (g400) o union select table_name,column_name,'c','d',1,'f from information_schema.columns Customer: union select email,password,username,lastname,id,firstname from customer o No Jeff Moss's account??? Jeff Moss = Dark Tangnet o Dark Tangnet key = 0.00 G400 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/09/762
2 20:30pm - Two teams prequalified: European Nopslead team leetmore 11. Bluelotus:2200
u300 o Stanford o 10 uint16_t 10 o NOI o Amazo U300 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/04/690
b300 o Pcap 1 TCP 10 ( ) o EXE x86 PE? OpenVMS/Alpha! Alpha +OpenVMS License o IDAPro key Dword ( xor ) XXX7tXXXX o What time is leet? [insight]littlefather: 1337?, l337? L337?! L337tmnow! B300 Writeup: http://insight-labs.org/?p=368
b400 o (FreeBSD x64) Gdb IDAPro -> 0-63 key o Fish N, N>8 Fish à B400 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/05/749
p400 Kelwin: p400 exploit Shellcode Bobo: 0xXXXX Kelwin:YES 400 P400 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/05/723
-f400 o Windows HBGary say waht? HBGary VS. Anonymous strings, grep PGP PGP PGP key o PGP Volatility : pgp.exe /gpg-agent.exe -> key(time!) key ID: EC1B51DB, key ID o Writeup: dump RSA Photorec
6.4 8:30am :14/24 :3600/7000 :19/5xx 1 : 4900/7000 : 3900 (12) : binary, 1000/1500 : forensic, 300/1500 key : f400 19. Bluelotus:3600
Rank Team Name Country 1 Hates Irony 2 PPP CMU, 3? 4 sutegoma2 5 shellphish UCSB, 6 TwoSixNine? 9 our name sucks 10 ACME Pharm NW, 11 WOWHACKER- PLUS 12 Routards CTF Team Name Country DC19 PhDays (etc) European Nopslead Team More Smoked Leet Chicken NCCDC Team Hillarious UW, octf Team Vand? RuCTFE 0ldEur0pe HitB A SiBears TSU Codegat e Nuit du Hack Ebay slot KAIST GoN HackerDom CashCOW?!? CTF URFU,
o & : o key f100&f200 brainstorm o defcon CTF
CTF (ctftime.org) Bluelotus: 75/1152 78.733
CTF o Codegate(2 /4 ) 2 PlaidCTF(4 ) CMU $2K ictf(12 ) UCSB $2K Hack.lu(10 ) GiTS(1 ) shmooco o : Defcon CTF(6 /7 )
o Blue-Lotus CTF Defcon CTF o Blue-Lotus Chaos Club, Web, o defcon ctf Let's trade hints, just kidding
CTF o http://t.cn/zw2mxma o o o o o o o o Defcon 20 CTF http://repo.shell-storm.org/ctf/defcon-20-quals/ Blue-Lotus writeup http://hi.baidu.com/casperkid/item/3aaa7d26a08b8e4146996289 writeup http://devpsc.blogspot.jp/2012/06/defcon-20-quals-writeup-collection.html http://d.hatena.ne.jp/kango/20120604/1338815574 https://sites.google.com/site/ctfcentralorg/home/defcon-20-ctf-quals CTF http://ctftime.org/ CTF http://ctf.forgottensec.com/wiki/index.php?title=main_page http://captf.com/practice-ctf/ ctf http://captf.com/ CTF http://www.wechall.net/sites.php http://www.securitywizardry.com/index.php/products/forensic-solutions.html
Thanks @ Q&A CasperKid :