The Great Indian GCCS CTF Challenge

Disclaimer: The images and certificates are too blurred to be disturbing. The names on the certificates are imaginary and have absolutely no bloody relationship with anyone living or dead (because of typos, and the govt. just won't correct them; I wish they would ask for taxes from the imaginary man they created in the next financial year).

Warning: My name is Nipun Jaswal (pronounced as JAS - WAAL); it's not Jayaswal/Jaiswal or whatever the hell you write. I am a Chandravanshi Rajput and you can find more info on it here: https://en.wikipedia.org/wiki/Jaswal I hope this clears the confusion.

Hello guys, this post describes my experience with the GCCS CTF challenge held on 20-21st Nov 2017 at JW Marriott, Aerocity, New Delhi.

So basically, there were two rounds of the CTF challenge, an online one and the other on-site at the premises itself. I, along with two of my friends (Deepankar Arora, Harsh Daftary), participated in the CTF event for the very first time in our lives. Having conducted an endless number of pentests and finding gigs of vulnerabilities worldwide, we thought of it as a new challenge and wanted to win this.

The online qualifier was just like any other CTF - Jeopardy style, and we came sixth (6th) in the overall results and were selected for the final CTF.
GCCS CTF Qualifiers 2017

Despite registering with the correct name, MyGov Blog listed my name with a typo, to which I mailed a couple of times, NO RESPONSE. I tweeted the same, NO RESPONSE. I wish they make typos while collecting the tax and I will no longer have to submit it.

Here starts the big picture: we reached JW Marriott, checked in and were asked to be ready by 6:30-7 A.M. in the morning and were taken to the NCIIPC office for the CTF challenge. There were three teams in the room and for some unknown shitty reasons, one team had to be shifted to another room (Conference room). Eventually, we were selected to shift to the other room.

Describing the room, a very well built, nice and spacious room with a huge LED right in front displaying live scores. The room had everything which included a 4th class (the next level to third class) internet connectivity.

Speaking of the rules:
  • A team is only allowed one laptop with limited network connectivity to the challenges.
  • Other laptops can be used to connect to the internet
  • Mobiles had to be kept outside.
  • Infrastructure should be dealt with care, No DOS, DDOS attacks etc.


What we actually got:
  • A fully clogged internet connectivity, even Google took ages to load
  • A room with absolutely dumb Wi-Fi connectivity where, when we changed our sitting positions, some random guy came in and started telling us "You broke rule number two #2"


And now the CTF starts:
We were tasked with three tasks which were quite easy, frankly. However, the way it was designed, only one of the teams could have done it, BECAUSE the designers forgot to remove the hardcoded MAC addresses from the tasks. Anyhow, one of the questions' hints said "The FLAG is switch's MAC address":
  • The teams who did that task successfully were the same teams whose hardcoded values were kept in the challenge
  • The winning teams could see two routers but the other two could only see one
  • Clearly, a design failure here. Another thing, a SWITCH's MAC address isn't the same as a ROUTER's MAC address and is generally interpreted in XXXX.XXXX.XXXX format.


There's one more challenge we did, and that was to download a file whose description said "Read Rule Number five"; the file said rule number 5 is important. So we entered "5" and that was the flag.

To summarise, we had the following four-five flags:
1. Open the DOC file --> "Rule 5 is important" --> Enter "5" as a flag --> Done
2. Connect to the Kali Machine [Provided] --> Open Wireshark --> Get the Router's MAC [Only if you are on the system whose router's value was hardcoded] --> Done
3. Connect to the Kali Machine --> grep on the backups inside /var/backups which had an IP in response [DHCP DISCOVER].

So technically, only one team was to win this due to the flawed challenge. We went back to the hotel unhappy and unsatisfied. Later, at the dinner, we met someone higher in authority and she spoke to us in a very humble and helpful manner. We explained everything to her about what happened at NCIIPC. Later, around 11-11:30, we got another mail saying that the CTF will happen again tomorrow morning. We were quite happy to hear this and started preparing.

Next Morning, we were taken again to the NCIIPC and as soon as we reached the metro station, we were told to get back to the hotel since the challenge would now be conducted in the hotel itself. So we took the metro back to Aerocity :/

So, now we have been provided with a Boot2Root kinda challenge which was quite well created and we started kicking the hell out of the challenge.
Wasting Time @ CTF with Deepankar Arora and Harsh Daftary
We knew some folks will trick, and we started our MITM detectors and found out that a number of systems were trying a MITM attack. However, the challenge was remotely hosted so we switched onto our Airtel 4G. The challenge went down a couple of times and we reported the same. However, what reply we got back was shocking:

"Some guy over the speakerphone said, only this team is facing a problem, we can certify that everything is good at our end"

Response to this arrogant reply was quite simple:
1. We were on 4G, there is absolutely no way to track us from a JW internet
2. We used our VPNs and connected from an Amsterdam IP address, again, no way to track us
3. There was no CTF style portal, anyone on earth could have been connected to the IP address, again no way to track us

Moreover, here's the proof:
Only we had a problem?? Ahhh... Doesn't look like bruv :P
Got You :P, Don't lie at least
Within 1-1:30 hours of the challenge, we managed to gain limited access to the machine and demonstrated the same to the organizers. Having the access, we called one of the organizers and told him that the CTF is being played globally with a lot of different IPs from various countries. To which the organizer said, CTF is now open globally. WHAT? Really? Then why the f*** are we in the finals and sitting in JW Marriott?

Now one of the other teams started playing dirty and they removed our access and deleted the challenge itself. We reported this and were asked to prepare a report. We sent our report by mail and were not selected to be the winners despite being the first or second ones to gain access.

I have no regrets about losing this one. I will still be happy losing 1000 more like these because the way everything was conducted, and that too on a global level, is heartbreaking. Frankly, if this is the kind of challenges or conduct our govt. is looking forward to, I believe we would never be recognized as a giant globally in the cyberspace.

Adding salt to injury, they provided the certificate of participation which was in so much high resolution that the pixels almost got randomized and looked like a cheap [again fourth grade] copy. I mean even a half-blind with photoshop skills can create a better-looking certificate.


They never learned from their mistakes and again made a typo in my name. To which I simply rejected this third-grade certificate and chose not to have one. We played another CTF after a few days called TUCTF with 900 teams, we came 180 something, but this was much more satisfying and at least 92929323939293 times better than the circus we had at GCCS 17.

Meanwhile, I love my country and have been trying to help in whatever way possible. I would urge the govt. to take more initiatives like these but surely in a more organized manner. I am a professional; my team at GCCS were all my work mates and elite of their fields. But there were students in the participating teams as well. I don't know what impression it leaves on them. My nation is zillion times better at producing such events but I am afraid this just wasn't the day.

4 comments:

  1. Can totally relate. The contest was broken to a level one cannot mess up intentionally. But I don't think writing a blog post about it would change anything, since the people reading it already know the truth. Some other initiative needs to be taken up by someone to get the message across to the right authorities, and anyone else in the future who might want to organise this kind of thing. Because on the prize distribution day also, when I met people from NCIIPC, they were very proud about organizing this competition and that everything went 'well'. Now, since some people would say any kind of bullshit when they are getting the prize, the negative comments remained unheard.

    1. Hi Palash, the question is who is the right authority?

  2. Totally agreed man. I think I can also provide some insight here. So we were the first team to gain a local shell in the boot2root VM (same can be confirmed by the logs). So technically we should be winners. But in the final result sheet, even we are declared as runners-up. WTF. So they have considered day 1 result also. Or maybe the judges got a bit biased or something with the report evaluation. We will never know what actually went down, but I would hardly call this a CTF.

    1. Yeap, I know it wasn't. See the idea behind this post is to let them know what they did and improve on it.. if they want to
