and welcome to live CTF. This is our audio check for our live stream. Hopefully you guys can hear us. Let us know in the chat if you can. I'm psifertex, or Jordan. I'm going to be one of the commentators this weekend, and with me is Carl. Hi, I'm Carl, or Zeta2. We'll be commenting here with Jordan and, yeah, glad to be here. Okay, we've put a lot of work in. This has been a lot of stress, but we're starting. I think everything's working. We're looking forward to seeing the teams compete. Before we get into the meat of it, let's talk a little bit about the history, what this event is, what we're doing, what we're hoping to see from the teams.

Live CTF as a concept has existed for quite some time. Hey, triple six, we see you in there in the chat. Yeah, definitely let us know if you're doing this. We have to bring the camera in if we get too many jokes just behind us. It is DEF CON, so we're going to get that. Live CTF has been around as a name. GeoHot started several years ago. He was streaming on Twitch and did a couple of these kind of like live, playing capture the flag challenges, and wanted other people to see him doing it and kind of interact, sort of early live streaming stuff. There was a couple of different, I guess, experiments or attempts. I did one a couple years ago at DEF CON finals where I messed up the audio and it wasn't live and recorded it, and it was, it was a bit of a bummer. So like we've had a couple examples of that, and then you also were running Pwny Racing, right? Yeah, exactly. So a couple years ago we did, for a year, we ran a monthly live CTF show on YouTube where we had four contestants trying to solve the same challenge head-to-head, and like doing commentary on top of that. It was pretty popular, actually. A lot of people like, it's a lot of work though. I think people don't, they underestimate how hard it is to kind of get it. So let's talk a little bit about like the kind of what it is and we talk about live CTF, right?
Obviously capture the flag. We're talking about hacking challenges. There's a variety of different, you know, CTFs out there with different scoreboards and structure, and so when we say live CTF we're specifically saying a small group of people going head-to-head on the exact same challenge, and in particular we're watching them. We want to see what they're doing. That's what makes live CTF really interesting. Yeah.

And this is exciting because we're bringing live CTF to DEF CON CTF finals. So certainly one of the premier capture the flag contests is DEF CON CTF. It's one of the, I think it is the oldest. Certainly continually running capture the flag event. This is DEF CON 30. I think, I mean they've had DEF CON CTF. I came in DEF CON 9, 21 years ago, and there was, the CTF was already an established thing. Like it's been around for many years, and the idea is that we are going to have all the, the teams that are here, they're playing DEF CON CTF. So to be clear, the CTF as a whole is going on around us. Nautilus Institute is running the DEF CON CTF. We are like a little side piece in, kind of inside of that, right? And so this is a part of the whole event. If the teams do well here, it will add to their score for the final event. We're trying to add some, like, a little bit of twist, a little bit spice to the competition, like bring that excitement, and also to make this accessible to the viewers and see a little bit of what's going on, like the minds and computers of these participants.

Usually if you've ever been to DEF CON before and you've walked through the CTF room, nobody wants you to look what they're doing, because competitors will cheat and finally one another and it's, it's, you know, so they're all kind of like closed in and it's not really spectator friendly. Last couple years teams have worked on cool visualizations, and so we've got one kind of going on over here. There's a 3D visualization from Nautilus that's tracking their scoreboard.
AR, if you're talking about the DEF CON CTF scoreboard, unfortunately no. I don't actually think, we've asked Nautilus, there is no public scoreboard right now for the main event. We can give you updates throughout the event right now. So actually, at the end of this broadcast, before we, we turn over to our next one, if we had a little bit of time we'll actually let you know what the latest scores are. Otherwise find a friend who's at DEF CON and have them come in here and take a picture. I don't know if, yeah, what the plan is on their scoreboard.

The live CTF portion, you'll see when we go back to like our kind of intermission screens, you'll see the brackets. So what live CTF is going to be, yeah, actually Carl, what do you tell them about like the structure of like what that bracket is and how that's going to work? Yeah, exactly, so we're playing this as a traditional single elimination knockout tournament. So there will be, so we have 16 teams in the, in the DEF CON CTF, so we're starting with the round of 16. Today we will have four matches and then we'll continue tomorrow. So yeah, the teams, there will be one player from each team sitting at these tables behind us with one computer. They are not allowed to communicate with their teammates, they will be wearing like earmuffs to block out our commentary, and they both get the same CTF challenge at same time, and the first one to solve it wins. The other team is eliminated, the winners advance to the next round, and in the end we will have a winner of this tournament, and then. And each round like, like gets them points, right? Yeah, exactly, so the, depending on how far they make it in this tournament, this will then add to their scores of the whole DEF CON CTF. I mean, the DEF CON CTF is an attack defense CTF, so you have like different aspects of the scoring, you typically have like for attacking and for defending and stuff, so this will be like another dimension to the scoring of this event.
Yeah, in fact that actually informed kind of how the points were worked, as Nautilus and we were talking about kind of the design of the game. The goal is we want this to be something teams take seriously, we want them to send their best person, we want them to really want to win and do well because it will benefit them in the game, but also not disrupt the whole game if one team does well here and another team does well and, you know, like we don't like to throw it off too much, right? Yeah, kind of finding that balance is, it's tricky. I like what Nautilus has done, I think it's gonna, gonna get us that.

And the other thing to point out is the teams, we are gonna have a lot of work, we have a lot of work cut out for us, we're gonna have 15 total matches throughout the next three days, today, tomorrow and Sunday, but the teams have a maximum of four events that they're in, right, because there's only four rounds to go from 16 to 8 to 4 to 2 to 1, and so the teams are out at most four hours for if they get first or second place. Yeah, and in fact the teams that like don't get any points, they're done and gone and they can go back to the focusing the other events, so we hope to not like disrupt too much of the normal flow of what, of what teams are doing. Yeah, we hope with the, the teams, like we have, we've talked a little bit to the teams and we've heard, uh, like some people, they find this, uh, you know, a bit nervous, like being live on camera, it's stressful. It is. So, so but we still like hope to make this like an enjoyable experience for both the participant and for all of, all of you viewers as well.

Yeah, one of the game we said earlier, you know, DEF CON is, is not accessible to a large extent. You have to already be in the CTF community, you have to already be very active to even compete at the qualification round to make it here, and so we're hoping by having challenges here that are a little bit more accessible, you'll be able to follow along, you'll be able to see kind of what they're doing on a smaller
scale. And so speaking of that, let's talk a little about the challenges themselves and how they differ maybe from the challenges that are going to be happening for the rest of the CTF. Right, so I mean normally in a CTF a challenge can, I mean the, you can have varying difficulty of your challenges, right, but especially in a top tier competition such as DEF CON you typically have pretty difficult challenges. It can take many hours to exploit these systems, but we are aiming to have matches here of about like 30 to 45 minutes, which means that that also kind of puts some constraints on the difficulty of our challenges. They cannot be too difficult, so we have had to like try to find that balance between, you know, not so trivial it's like five minutes, you run one thing and you're done, yeah, but also it can't take too long. So hopefully we got it right, we'll find out as the weekend progresses.

Yeah, and if we don't, like if the matches are, like if they go too long, we have a sudden death round thing where we have prepared some very simple challenges that we will then switch out, so we will stop the normal challenge, they will get this sudden death challenge instead, and then it's really about, those are five minutes, to be like very, very straightforward and easy. Yeah, hopefully we don't have to use them, but if we do, they're there and they're ready, with the idea that whether it's those or the normal ones, the fastest team wins. First person to solve it ends the, ends that particular round, and we set up for the next round and start all over.

So in terms of the type of challenges, now like the DEF CON qualification rounds, you often have a mixture of web and forensics and now all these different other things. Finals though tends to be focused more on pwning, right? Yeah, pwning, reversing, like that low level stuff. Yeah, and so we've mirrored that as well, so if the teams were a little nervous about like, well wait a minute, I don't do a lot of web app sec, don't worry, we are keeping things in line, in part
because we want this to be representative of what the teams are doing now, like a little baby challenges, very similar to the style of challenge, if not the same difficulty, that they're doing the final event, so you can get a sense of kind of what's going on at home as we follow along. And speaking of following along, if you are in chat, we are, we are watching it, we're keeping an eye on it, we're happy to answer questions as we progress throughout the day.

Thanks earlier for the question about the scoreboard, so just a quick update. I'm looking at the scoreboard right now, currently there's only a couple hundred points separating first from last, so they're all started around 1600 points. It looks like this is going to be a zero-sum game, and so actually we want to later strange we might bring on one of the, the Nautilus folks and talk more about it if we have, if we have time. Yeah, and so we'll learn more about how they're doing it, but zero-sum game where teams lose points and then they go to other teams, they gain it. So in other words, if I get exploited by another team, I lose some points of my, in the form of my SLA, because I didn't have a secure service, and they gain some points that they've sort of taken from me.

Yeah, and so yeah, on the topic of like bringing in other people as well, so we will be on commentary throughout the weekend, but we're also hoping to bring in some other commentators, some remote commentators as well, so yeah, hopefully there'll be a little bit of a mix here as well on the commentator. Assuming we can figure out the logistics and the streaming and everything is, uh, the connectivity guys are working for us, we are going to, yeah, we will bring in a couple of folks that you will probably recognize if you do any online, we don't want to like promise yet until it works out, but we have some folks that I think you'll be excited to hear from and we're looking forward to having, uh, join the commentary, um, and so keep an eye on that, that'll probably be, uh, in tomorrow. Yeah, we
have a question chat here about whether each round will have the same challenge or each match would be unique. So, uh, each match will have a unique challenge, and this is because, because of course we are broadcasting this, so all the teams can watch, uh, the other matches, and, uh, in fact that might be like a good idea to get like a feel for the type of challenges we are going for, uh, so definitely we couldn't have the same, uh, challenges for each match, because then you could just copy the solution of the previous. Yeah, the only way to do that would have been to sort of sequester and take all the people in any given round into a room, not let them out, and let them one at a time, and that just was, we weren't going to waste people's time. Yeah, so instead we wasted our time and we made a lot more challenges. It would have been a lot easier if we only had to make four challenges, uh, but by making 15 challenges, yes, different teams will get different challenges.

We have actually told each team though the name of the challenge, which is sometimes actually a pretty good hint, yes, of what kind of challenge it is, the category, whether it's, uh, reversing or a pwnable. Today we have all pwnables, and we have a mix of x86 and x64 binaries. I think it was one x86 32-bit, the rest are all 34, 64-bit, so that's the, the challenges we've got. I love seeing the team hype, keep up, you know, cheering on your favorite teams, that's exactly what we want to see.

Yeah, um, and so picking up favorite teams, so maybe we should just mention like a little bit about how they ended up here, uh, as well, because I said we're here at the DEF CON finals with the 16 teams. They had to qualify, uh, early this year, I think was back in May or April, uh, in, uh, really tough, uh, qualifiers. Um, absolutely. So, uh, yeah, the top 16, well actually you have, uh, the winner of last year are pre-qualified for the DEF CON, so in, in this case it really was just the top six team, because it happened to be, yes, because that team was also playing the qualifiers. I think
officially that the previous team didn't this year, as it was a clean break. When I talked to Nautilus they said actually it turned, normally the team who won the previous year automatically gets a bye. They weren't sure about that, in the end it didn't matter. Oh, okay. Because the previous team qualified anyways, but they were kind of treating it as a sort of fresh break.

So actually what you're going to see in our bracket, uh, which, which actually we could pull up the bracket now when we can take a look at it, you'll see the way the seeding has worked is the team who scored first place in the qualification event, uh, is battling against the 16th place team from the qualification event, right, and so throughout, uh, these events that's just kind of how we split things up. We chose a random order for which match, uh, happens when, and, uh, we're going to be putting again these kind of random challenges out, so you'll see where your favorite teams are and kind of who they're battling as they make it through, uh, through the rounds here, uh, the weekend. Again, we're going to do four, so round one will take us down from the field of 16 to a field of eight, and we're going to do half of that round today, so we've got four rounds today, tomorrow morning, uh, Pacific time at 10 a.m. we're going to do the second, uh, sorry, the next, uh, four rounds, uh, and at that point we'll be in a round two. Sorry, matches, now we're gonna, I gotta be careful. So just to be clear, we have four rounds, and each round will have the number of competitors, and then we're gonna have 15 matches. Yes, we had language, I'll probably get it wrong, you know, we'll correct each other if we do it, um, but that's the, that's the plan for, uh, for this whole, this whole event.

So, uh, scoreboard update maybe, or we give anything else, what do we need? Um, yeah, I think, um, we're, uh, that's, uh, where we at right now with, uh, as I said, like pretty tight. I mean the DEF CON CTF just kicked off, uh, was like a few hours ago, almost four hours ago, yeah, so, um, it's still early, early
days. Yeah, the teams are within percentages of each other, so, but if you want to root on your favorite team, we'll do the top three. So we have Water Paddler in first with 16 282 points, Maple Mallard Magistrates, or as I plan to call them, uh, the Mighty Ducks, yes, because that name is really long, we're gonna have to come up with my name for a lot of these teams, uh, and in third place is StrawHat, uh, in time with, actually I have to tie for a second, sorry, um, MMM and StrawHat, uh, and, and MMM.

Well, there's a lot of history in all these teams, we're gonna talk more later, we're gonna talk about like the split of them. Many of these teams actually, I think almost all of them, are actually conglomerate teams, there's several teams have come together. Again, speaks to the nature, this is like the, the hardest, biggest competition, that several kind of elite teams come together to form a team to compete here. Multiple different collaboration teams here, just to give an example you have Sauercloud, which is like a collection of all the German, uh, CTF teams, uh, which they already have like really good, uh, CTF teams, yeah, but then they, they, you know, bond together. This tells a little bit about like just how fierce the competition is at this event.

Yeah, so we're gonna, we're gonna look forward for those. We've got nine minutes until first round, let's go ahead and go back to our intermission, we're gonna bring up our next, uh, two teams, get them set, cross your fingers for the challenge. I'm really looking forward to seeing what the teams do, and we'll see you all in about nine minutes.

We are back, I hope, we'll find out. Uh, we're, we are gonna count us in. We have our first two teams, uh, PTB WTL and Shellphish, battling in our first round of live CTF. Uh, we've got the screens up, they're here behind us, we're gonna count them in, in five, four, three, two, one, it's live. They're refreshing the page. Round of applause for live CTF. Okay, so now we'll watch them, we'll see and make sure this is working. We're gonna go ahead and bring up both
their screens, and you can get a little sense of the layout that we're gonna be using, uh, for, for the event, where you can actually see, see what they're, what they're doing. Yeah, right, so, uh, I see, I love the full screen terminals, right, right, first thing we see. Yes, uh, they've got a binary, we told them it's a pwnable binary. What was the name of this particular challenge? It's, uh, uh, syscall me maybe. Right, syscall me maybe, so we've got like a little meme reference, uh, call me, call me maybe. Uh, we've also got a competitor webcam, which has just got the laptops, you can't really see a whole lot of that, we'll probably, uh, not use that particular view, yeah, um, but we can see, uh, we've got IDA up and going, we've got, uh, terminals.

Okay, so let's take a deep breath. We can already see pretty straightforward, in fact we've even got some symbols here, right, on this particular binaries, yes, um, and let's, let's, uh, we've got on the left, we've got, um, we have Pwn the Bytes, uh, the, the PTB WTL, uh, here, and we have Shellphish, uh, on this side, on the right. Both using IDA for their, uh, disassembly. Uh, I was hoping for, I did see Binja running, I noticed Binja was actually running. Yeah, I think they're prepared, knowing a Binja developer was one of the, the organizers, like in case there's something terrible that Binja is better at. We should, we should leave it up.

Yes, you see it's a pretty small program here, you can see on the, uh, Shellphish, uh, there you could get a glance of the, the code, where, um, it's a program, it's reading in some, uh, commands, uh, sorry, so arguments to whatever syscall you want to make, and yeah, then from then you can do this how many times you want, and then you, from there you want to get code execution. So, so the vulnerability is, is there, this is actually more of a shellcoding exercise than, uh, a, um, uh, like a, you don't have to find the vulnerability, it literally will just run whatever syscall you want and it's up to you to provide a series of syscalls. So like, can't I just like execve and
run bash, like immediately, like what, you know, is that not a valid solution? Uh, yeah, I mean almost, except that, you know, to call an exec you need a string of the, of the program you're executing, so they first need to get that string into memory somehow, uh, but then it should be just smooth sailing from there. Yeah, and it's kind of ironic that like, that we give them full syscalls but they don't have the ability to just run shellcode, right, so because they don't have actual shellcode, little things like just put some bytes directly a new piece of memory is maybe a little bit trickier, and so they're not going to be able to do that.

Um, let's talk about what they're, what, what's their goal, what are they trying to do here to show that they've won? Right, so the, the goal of this challenge, and most of the challenge actually, is to gain code execution on the remote system, and once you have that, there is a small program running, uh, sitting there that you can run to, um, let's go ahead and pick up Shellphish there because it's not them running the, running the challenge. Right, so they've created kind of like a template, uh, in their exploitation script, where, uh, they're just like setting up the interaction with the program, like inputting the different parameters, just making sure that that works, and then once they have that in place they can get kind of like make an abstraction on top of that and just make all the syscalls that they want. So they're just going to use like a pwntools or something like that to be able to interact with the service, but then they're going to wrap that so that it's this syscall, these parameters, and it will handle the text formatting and the new lines and all that kind of stuff. Right, just let them build their, build their parameters. This is very common when you do this time for the exploitation, you kind of like transform, uh, functions in the program to like more abstracted operations.

Uh, we had a question here in chat, if they have internet then they can do with the
stuff. Yes, they do have access to internet, actually we can see it just now, so PTB WTL, uh, just pulled up, uh, a reference here, um, so I think we're looking, uh, if we switched over in time you're going to see them looking up syscall tables, which makes a lot of sense, that was actually what we did, we were testing this as well, right, yes. Um, so in fact the first thing they're looking for is exactly, exactly what you said, oh, I want to just read exactly i'm rumb and bash, and that's where you're going to first run into this, well wait a minute, how do I actually get the string? It's, as we like had, uh, some of the Nautilus members, and as we talked about this with some folks, yeah, everyone's first reaction is, oh, that's immediately trivial, and then you're like, yeah, but where, where do you get your string from? You've got to have a pointer to a string, and so you've got to think a little bit about that. It's, it's not super hard, yeah, but you have to figure out how to get something in a memory first that's going to be the string that you're going to call.

Yeah, we can see here for, uh, Shellphish, uh, some debugging going on, there was some GDB with the GEF extension. I'm a big fan, makes life a lot easier. Um, I'm trying to see exactly what's going on, they're trying to put some breakpoint somewhere, looking at the memory mapping. Yeah, okay, uh, so they needed the base address there to put the breakpoint in the right place, although there's a function in GEF to, to automate that, but however, uh, you know. What's the function? Uh, it's called like pie break, so they will like do relative to the. Oh, that's kind of handy, yes. Yeah, does, does the math for you with the offset, that's cool. Uh, there's a lot of different nice tricks with, with that extension, uh, framework.

So I'm gonna talk a little bit just about the teams too, right, because we've got, again, we've got a lot of like these conglomeration teams, and so, uh, briefly, and we'll try not to miss, so keep, yeah, you keep an eye on the teams to make sure I'm not missing somebody
like, you know, getting close. Um, but we've got team Shellphish that has been around, it's one of the longest running CTF teams, uh, originally out of UCSB, but they've got kind of, I think, connections now a lot of different places, uh, so, so, uh, team Shellphish is, uh, is currently one of our battling teams, and PTB WTL is Pwn the Bytes and Wreck the Line. Wreck the Line, I was like, I don't remember that one. Both Romanian teams, right? I believe so, I believe so, I think they have, uh, other members as well, but I think they're like primarily Romanian based.

And I think we do see that especially in the DEF CON, where the teams are like these mega groups are coming, sometimes they're just colleges or friends or online communities, and sometimes they are just local, regional, or, you know, country CTF teams, they normally compete against each other, yeah, and then they come together to form like a mega group, and so you gotta like this sort of country, you know, based representation. Yes, which also says something about like kind of like the, you know, CTF community aspect of the whole thing. I think it's, uh, really nice to see these like different like regional communities like get it together, you're both competing against and also participating with.

Yeah, um, we're losing video on one of our capsules, we're not sure, is it losing on the stream as well or are we okay? So I apologize for the, for the flicker, we've got some probably loose cable somewhere, yeah, um, this is the, the joys, but, uh, technically I'm, you know, could be a lot worse, like it is, it appears to be working, and so that's our big, our big stress here.

So I saw some, was it like strace output or something from, uh, from the PTB, uh, screen there? Uh, I'm not sure. Okay, so, okay, I like that, so looking at, I love that we're seeing the highlights, right. So mmap. We started with execve, yes, that's going to be your ultimate goal, is you're probably going to want to trigger execve, but like you've got to get your memory first, and so we're seeing like, um, someone's looking
we're going to look for, for mmap to try to get, get something into memory, get a piece of memory that we control, but they're going to have to still get something into that region, right, they're still going to have to actually get bytes at that address. So that'll, I seems, I'm seeing some very interesting thing, uh, here on the Shellphish side, they're grabbing the address of the vsyscall memory region, uh, which was not involved in any of the proposed solutions when we were testing. I love it. So I really would like to see what, what's, what they're going for there.

Um, and, and to be clear, we expect that there will be lots, that this one in particular has an infinite number of solutions, right, there's going to be all sorts of ways that we didn't think about, so we have one in mind that we expected, but, um, I'm actually, one of the things that I think is the most fun as an organizer is when somebody solves your challenge in a way that you completely did not expect. Yeah, yeah, as long as, as long as it's not like, so in this particular case we're okay if they solve it quickly, because that's the point, is to be as fast as possible. Sometimes if you build a really difficult, hard CTF challenge and somebody like finds a trivial thing that you forgot, that's, that's a little soul crushing, but like as long as it's like a, you know, a cool solution or like anything, then that you just love to see it. Yeah, although it, sometimes you'll, uh, I love how CTF organizers will re-release the challenge, right, patch the easy bug you didn't intend, give them points still, but then make them solve it like the harder way as well too, so I think that's a decent trend and one, one good way to, yeah, um, just get both out of it, to reward them for what they did but, but also keep doing that.

So we have, uh, oh, so we've got something happening here, so we've got an mmap syscall. Okay, so we're looking at PTB, uh, and we've got mmap, so we've got our syscall wrapper, we're going to call the syscall by name, so the mmap syscall. What do we, what
are we doing that, we know we're going to, execve is going to run something, but what's mmap going to do that's going to help us? Yes, so, uh, we need to put the string somewhere in memory, we don't know anything about where, what memory is mapped and so on, so we'll just map, we'll use the mmap thing. Okay, and we do, uh, we didn't mention this earlier, I don't think, but the output of the syscall you ran is returned, the return value. Uh, yeah, so, so if there, if there is a return from that syscall, they're going to get that information back, so any of these syscalls that that's useful, we're going to see that.

So we had a comment, sorry, question here about what happens if they don't solve the challenge in one hour. So even before that, I think it's like 45 minutes or so, some number on 45 minutes, yes, if they don't, we will switch to a sudden death challenge, which is a very simple challenge, uh, that they will try to solve instead. So we will just like discard all the stuff they've done so far and we'll switch to like a super, super simple challenge. And, and mainly the reason that we're going to do that is just because we've got so many matches that we have to run, that if they each start taking longer and longer and we're off schedule and we're keeping people overnight and we got, it would just be kind of a logistical headache. So we hope we don't have to, if, uh, we don't have any bugs in our challenges and they're all the appropriate difficulty and the teams all do well, you'll never see them, we'll save them for next year. Um, but, uh, those are like going to be like really, really simple ones that we hope they can solve within less than five or ten minutes, so that's kind of the backup plan, we'll find out if we need it.

I have to say, so far right on pace, super happy with this, this is like, I think, about what I would have hoped and expected, um, that we're seeing. They've already got their frameworks up, they know exactly what they have to do, yes, they're just building the right building blocks to kind of
kind of see it. Yeah, and this is also, I think, is something that's always kind of a challenge for me when, when solving these kind of challenges, like how much do you want like to take the time and like build the proper abstractions and like make your nice functions, and, and how much you kind of just want to like, you know, take that leap of faith and just throw together some like, uh, really, uh, crappy code that might solve the thing, like that might work, but if it doesn't then you have to like backtrack and it was like, it's a whole mess. There's, I feel like there's a lot of game theory to it almost, in terms of like, you know, risk, reward, explore, exploits, uh, kind of, kind of analysis, where it's, you have to figure out is this, uh, is, is it worth it, and you don't really know. You do develop anything a little bit of an intuition, like you can kind of look at it, you sort of have a sense of like, okay, no, I just need to bang this out, uh, and just hard code a bunch of bytes and that'll be fine.

Uh, in this particular case, oh, here we go, this is interesting, so now we've got to read syscall, this is, oh, we also saw the syscall list on the other side with Shellphish, but, but PTB, um, I think we have all the syscalls we need, I think, I think I'm like, yeah, exactly, I think this is it, this is, these are the right ingredients, they just got to assemble them correctly and make that cake. Yeah, yeah, and then we should be, we maybe look at the winner, but, um, we'll also keep an eye on Shellphish and see, see what's happening, uh, there as well, uh, and make sure that's, yeah. So they're using the fexecve, uh, function, which I, that variant, I'm not, I don't know, I'd have to look at the man page myself. Yeah, I, I mean because these function, they come in a bunch of different flavors, right, uh, so it's interesting.

And again, there is, there is, uh, I think one of the things the teams are going to realize is that we didn't go for tricks, we didn't, we tried not to go for a sort of like tricky, gimmicky things, it's tried to be like pretty
straightforward, we want them to be fast and quick, and sort of the obvious thing you would think of is at least our intended solution. Oftentimes that's, that's not always the case, lots of CTFs, right, you've got to find the very tricky thing, and that makes it fun, it actually is super entertaining. Yeah, um, something you can also learn stuff from, like exactly, down this rabbit hole, research and stuff, but I don't really have time for that. Like, right, so like put a book that k r or, you know, put like those websites have amazing, really cool things you can learn, uh, but here we're not trying to trick them.

Um, yeah, no, no, no Ghidra users yet. Uh, I have seen a couple of the, uh, participants in the room using Ghidra, so yeah, maybe we should keep it like a tally throughout the tournament. Like, you know, it might be too depressing for me, that might hurt my, my Binja soul, might be too, uh, too hurt by that. Yeah, so, so, uh, but also not aware, uh, you're not one of the founders of Vector 35, making, uh, Binary Ninja, which is not used in this match, but we hopefully will see it. I hope we see, and if, all I want is one Binja user to win one round, and that'll make my heart, make my heart happy. Right, straight into the marketing material. I mean, yeah, exactly, exactly. It's, I will say, you know, the funny thing is Binary Ninja was actually designed for CTFs originally, it was meant to be very, very fast and quick, and like to common things like patching things out, yeah, we're meant to be quick, so that's probably kind of some of the things it does well, so it is actually well suited towards a very, very fast paced environment. Yeah, but more important than that is knowing what you're doing.

All right, so back to Shellphish, what are you seeing? So Shellphish, uh, they are creating, they're writing a small C program here, uh, calling mmap. Yeah, I think they're testing out, there they're maybe like, I like that idea, not completely sure about, uh, like the arguments or so for the mmap, so they write, they're writing a small little test program
to just verify that they have, like, the correct understanding of the situation. That's actually a really, really good idea. Very good idea, yeah. Because, you know, you don't want to, like, you have the added complication of a network service and the text protocol and your throwing script in your wrapper. No, no, just get rid of that abstraction, test the syscalls in a row directly, and then once you've got it working, then you can sort of port it to your throwing framework. I think that's a great idea, so I'm happy to see that. Uh, but we are seeing, so we're seeing just the straight-up approach over here on PTB, uh, WTL. Let's watch them as they've got it. Yeah, looking through, yes. Is it, uh, is it buffered, is input buffered or not, they're checking that. Maybe they're looking for another piece of memory. They're looking over here, like, the data, uh, segment, so I wonder if they're looking for a place to reuse. But this is ASLR, right? We didn't, I don't think we gave them, uh, information about where the binary is executing, executing here, uh, because it is kind of up to them to sort of, like, make their own memory with the syscalls that they've got. Yeah, we can see here, um, going over to, uh, Shellphish again, they are putting this together, is the mmap syscall now, and, uh, yeah, I think, are they, like, slightly behind the PTB at the moment? It's, you know, it's so hard to say, though. I, having done, you know, we both done, I think, several versions of these kind of events, and it can be really tough. Sometimes you think somebody's, like, not even close, and all of a sudden, before you notice, they've solved it. Yeah. And sometimes you can see them kind of, kind of bringing it home. Yeah. Um, yes, uh, Nick, uh, I'm, I'm Jordan, hi, CypherTex on Twitter, the Vector 35 Binary Ninja guy. Uh, and David, we have thousands of Binary Ninja users. There are, there are many thousands of Binary Ninja users. Um, we'll see how many are here besides the one that we have from PTB. Even though they're not using it, maybe they just run it just to, like, as a show of
solidarity for me, to make me feel better. I'm a binary, there we go. There are, there are, yes, there are many users. Yeah. But anyway, looking at the, the PTB, uh, screen here, uh, I think you can see that they're debugging the read, the calls here, right? No, sorry, that's the input reading routine. Uh, and they are doing the syscall zero, which is, uh, is that the read? And, uh, yeah, uh, checking out some documentation about mmap, Stack Overflow, all this traffic. But we have, um, Shellphish again, yeah, fixing the, uh, mmap. Uh, okay, so PTB just found MAP_FIXED. So what they were looking for, yeah, is they wanted to get the right flag to be able to pass to mmap to request a fixed address. So you can, there's different modes of mmap. You can request memory and just take whatever you can get, or you can just say, no, no, I want this address, please give me this address. Yeah, so they're just going to hard code some, some matters that they hope nothing runs against. And this is kind of like a key to the challenge, right, where, uh, since, uh, well, not necessarily, since you do get the return, they get the return address, so they could, like, the simpler variant is just to tell mmap, like, no, we're gonna allocate at this. It's one less moving part to worry about. Um, so yeah, I, I think you can go kind of, kind of either way. And this is, so this is where, about 20 minutes in, this is where I think we'd be evaluating, are we going to give a hint? And I don't think they need any hints. They both really know, I think, generally what the shape of the problem is. Um, they're both working on it. I, I have every confidence that they're gonna, I think they're gonna finish it out in the next 20, you know, 10, 20 minutes. Yes, we hope, we hope. We're looking forward to, to seeing them do that. All right, so we forgot to bring our water bottles over here to make sure we can stay hydrated, but we'll, uh, we'll do that. We're having to, not only are we, are we yelling over the, uh, the house audio, but we have our masks on, and, uh, there, there have been easier streaming
environments, but I'm super excited to be here. Yeah, so, uh, going over to, uh, PTB again. Um, well, and so, yeah, who, we mentioned this before, but, right, like, this solve script, they're running, they're running locally. They got the binary locally, they're running in debugger so they can analyze both halves of it, and then once they have it working, yeah, then they're going to go ahead and throw it against the real server remotely, which is like standard operating procedure, I feel like, for these kind of challenges, right? Standard pwnable challenge. Exactly. And it's, it's also why it's nice to have, um, it's, it's nice to actually have, like, an environment where you can run it directly, right, whether it's the architecture you've got or the operating system. Teams are a little worried about having internet, and we're like, no, no, no, we want to see you in, like, internet. And remember, these are some of the best teams in the world, and they're still looking at stuff up. We all are, are doing that. Let's take a look over here at, uh, Shellphish again and see where we're at. Yeah, so they have another syscall that they're setting up. You see, uh, them, like, uh, well, retrying that. So they, they're really making sure that the interaction here is working. You have this, like, question from the program, like, do you want to make another syscall, so they're just setting that up, uh, to answer yes on that, and then you'll see they're about to set up another syscall. Oh, there we go. So we're looking at memory maps over on PTB. So they briefly, they tried to allocate the memory, they went to look at in the debugger and to see if the memory is allocated. Yeah. Uh, so the only thing, I mean, if, if they're past that step, the only thing left to do then is going to be to actually put bin bash there, right? Like, once they have the string bin bash into that location, uh, they, they should be able to win. It should be, should be able to. Yeah. Uh, we have a question in chat about if the challenges are going to be released to everyone after the finals. Uh, I mean, we
haven't really talked about that, but, I mean, I assume so. Yes, there's not anything stopping us from doing that, so, uh, I'm gonna say yes on that. Provisionally yes. Yeah, we'll double check with, so now's actually a good time to talk about, if you keep an eye on, make sure we're, uh, we're getting a little close over here on PTB, so, so Carl, if you watch that. Uh, but we do have a lot of people who've been helping out so far. So there are three of us in person here at Vegas that are doing all, like, this kind of stuff, but we've had several other people contribute challenges remotely, uh, test challenges and do less stuff. We're looking real close over here. Okay, so again, we've got our read, uh, we've got an exec, we've got our mmap. This might actually be yet, so let's take a look and follow along PTB, uh, because I'm, I'm smelling blood in the water. I think, if there was, yeah, so they, like, maybe they need to fix, like, some small thing here. Uh, oh yeah, is that, they have some helper function there. Uh, unfortunately, I don't know really what it's, like, it was, like, interactive. Is it, oh, is that, is it, oh, they're solving it. That's it, that's it. Is that it? Is that it? Is that it? Is going, what, what, we already had it. Oh my god, you weren't even looking the right screen. Congratulations. Wow, that was so close, that was so close. Okay, um, well done. I can't believe how close that was. All right, okay, so that was outrageous. Uh, give me, also, I will go over to the players. You talk to the players over here. All right, yes, that was unbelievable. I was, I, we even predicted, we said we're gonna miss one, we're looking the wrong way. All right, so let's do a real quick recap. So we were, with, uh, between the screen kind of turning on and off a little bit on the Shellphish side, we were a little behind. I mean, that was, like, seconds. They were seconds away. That was unbelievable. What a great finish. Um, so just as a quick recap, perfect timing, super exciting, very well done to both of those teams. That was so close, so close. Um, so again, once they were
able to, like, get their shell, all they had to do was run their script, put their team number in from the page that told them what they had done. I'm happy we saw all of our infrastructure working, uh, the overlay when we got a winner. Congratulations to team Shellphish, but man, well played, PTB, that was so close. Uh, really, really well done. We're gonna let them go back to their, uh, their teams and keep working on the rest of the challenges here. We'll see if we can figure out how to turn off the, the winner script, um, and, uh, and get back to the stream. We will, uh, we're gonna leave the stream going, so keep watching here, but remember, just on the hour, every hour, uh, our goal, we're gonna have a new round, and so we're gonna get set up, we're gonna get the next team, uh, and then we'll update our bracket. Now we have our first winner. Congratulations to team Shellphish. Well done, very well done. Oh my god, that's so good. Oh my god, it was so good. Yeah. All right, that's set a high bar for, I think, the competition for the, the rest of the, the event, but what a way to kick it off. Uh, we're gonna leave you at the intermission. Uh, you can check out the scoreboard, and then we'll be back, uh, in about 35 minutes, uh, with the next round. Yep, see you later. Take care, everybody.

to round two of our sydemy round one match two of live CTF here at DEF CON CTF. You can see Carl behind me instructing the competitors. Uh, our next two teams up are, uh, team, I'm just going to call slashers, or slash slash slash slash, because their official name is slash v slash home slash r slash dot bin slash tw. I believe it's a combination of team binja, team TokyoWesterns, uh, home, a bunch of, a bunch of teams, and they've, they've combined themselves with, like, a, a path. So they're getting the instructions now on exactly what's gonna, what's going, what's gonna happen. Um, they're hopefully about ready to go. You, you count it out, count it out, make it live, and, uh, let's go ahead and actually pull up both of their screens. We'll watch them start here, and, uh, well,
as soon as we get in the word that the server's live, they'll be able to refresh and start going on challenge number two. You go ahead and count it, count it in, count it in. All right, here we go. So we're going to go, all right, go, go, make it go. All right, we'll just do that. No countdown, no countdown this time. So we're going, refresh the pages, we should be able to see them. There we go, download challenge, download challenge. Okay, so not, uh, little, little less fanfare than last time, but hopefully we are going to be live. This challenge, uh, is specifically called Open to Interpretation. We're not sure if all of our challenges are the right difficulty. Well, we are sure, as they all have great, no, you didn't, sorry, uh, this is the wrong one. You didn't replace the handouts. Okay, go tell them, go to them. All right, sorry, technical glitch. All right, so we gotta warn them, this is not the right challenge. One second. Okay, so this was still the old challenge. There's, there's a couple of, like, management scripts. This is our first time transitioning from and early around, so real short intermission, and, uh, we should be back. Unfortunately, we're still seeing some, I think we've done terrible things to the USB inputs on one of our laptops, and so we're, we keep restarting that capture card. We do actually have a spare capture card that's arriving shortly as well, so we can, we can switch to that if this, um, it ends up not working. So, okay, we've told them to try again. They're going to download a new challenge, and let's take a look at a new binary. All right, let's take a look at that challenge. It's just called challenge. We should have named the challenge of the actual, uh, challenge name. Yeah, in hindsight, you know, you learn all the lessons learned. All right, so we've got an IDA. Is this, give me a program. Okay, all right, so we are on the right challenge now. Um, it looks like we're having some difficulty with our one capture card. Unfortunately, this one is problematic. We've swapped out adapters, cards, we're, we'll figure it out. We
have backups for everything. Yeah, we'll, uh, we'll have a production look into that while we continue the, uh, commentary. And when we say production, we mean Glenn. Yes, we have, we have, but, you know, it sounds more professional when you say production. Like, yeah, we'll have, we'll have backup house, the production crew look into it and let us know how it's going. Yeah, yeah. So we've got our second challenge. They're at least going. Um, let's go ahead and look at a, just, um, team slash v slash whatever, uh, look at their desktop while we've got that working. Yeah, um, and then we'll, we'll, we'll keep an eye on the other one so it comes back up. Yeah, we will see, if, worst case, if we're not looking at one of the screens, we'll still see winner. So if we see a winner and we didn't, just like last time, we were looking at the wrong one, yes, shouldn't be a problem. Uh, we should still be able to see, uh, that that's happened. Uh, all the challenges will be available to download. Yeah, we're gonna, we're gonna release them. We don't have a specific plan, so we'll probably wait till just after we've recuperated a little bit, um, after we get back from DEF CON, but we do plan to release them. Uh, I like, I like that you're guessing, uh, about what type of challenge it might be. So it, Open to Interpretation, is it a polyglot? Um, I think it's more of a play on words of interpreter. Yes, yes, right. I think it's, uh, we're not that clever with, uh, you know, uh, we're only moderately clever with the naming here, right? So yeah, I think that's something like this. Yes. So we can see here, see here, um, looking at them looking at the program in IDA and starting to, uh, build up a simple, uh, pwntools script. Uh, so ptrlib, actually, I saw ptrlib. Um, that's a good question. I'm not actually sure the name of the individual players, uh, that we've got. If you all saw, like, home, uh, yeah, yeah, ptr, it is, uh, ptr, uh, and that makes sense, that ptrlib. So this is their, like, they're a throwing script library, so I think we're not looking at a, uh, a pwntools, I think
we're looking at an actual, like, custom, oh, nice. Yeah, that's always there. Yeah, yeah, from ptrlib import star, I, I see. Yeah, some people, some of my players prefer to, like, build their own little, uh, thing. Uh, I mean, pwntools has a million things, but it also, it has a million things. Yeah, yeah, exactly, it's like getting that whole box of stuff when you only need, like, the screwdriver. Yeah, so there's certainly an argument. Uh, there's also impone, which is another nice one. Uh, it's, it's meant to be a little simpler, kind of more standalone. Yeah. Uh, but, uh, so let's, let's talk about the, the problem. We can see, um, this is explicitly, I believe, a custom situation. We've got a question mark and a, so we saw that, yeah, that, that little switch statement there. Uh, again, with the name Open to Interpretation, and we think it's kind of like an interpreter. Yeah, some sort of little virtual machine or some sort of interpreter that's gonna make some, some simple changes. Uh, I do love, people, people know this is, like, uh, a live CTF because they, they start their throwing script, like, immediately, right? Like, yes, like, they just immediately start, uh, start building that up. Uh, so I think that's also kind of a good way to, um, in a sense, document your understanding of the problem so far, like, writing down, like, the interactions, like, the different things, and so you don't forget things, and you kind of, like, as you, like, you'll often, as you, put to-dos, like, like, you know, you do this part, but, like, I need to do this later, but at least I'll remember it because that's my, yeah. I think you're right. I think people use their little, the throwing script almost as a, um, a stand-in for, like, a, you know, like, a notes. Yeah, exactly, notes or task tracking or, like, we can see some debugging going on now as well. Um, we're, yeah, we're not going to interrupt his, his, uh, his throwing. That's, yeah, in the interest of fairness. Um, we're not sure why we're, we're having glitches on that, our one capture, unfortunately, so we'll resolve it, uh, before the next round,
but we're not going to, once we've started, we need to let him go until the first, the person, yeah, because this is so hectic. Like, the margin, like, as we saw in the previous match, for those who watch, like, the, yeah, the seconds matter. Absolutely. Like, literally, there was, like, seven keystrokes, like, between the play. I don't think we will see a tighter match. I mean, I will be surprised. You can't see a tighter, I would be really surprised. Yeah, we would have to go down to, like, you know, uh, recording. Yeah. And so, exactly, we're seeing, uh, pwndbg, uh, instead of, yeah, these, what is your preference on debugging libraries? Have you, like, GEF versus, so I used to be a, uh, pwndbg, uh, user, but I have switched to GEF. Yeah. Uh, I mean, a long time ago I was a, uh, PEDA, uh, user. Yeah, yeah. Um, but then, uh, that kind of just stopped developing for a bit or something. Anyway, I switched to pwndbg, then I went to GEF. Um, yeah, it's my current preference. So you can, you can see, I think, just over, uh, the shoulder here, uh, some of the, some of the players. So the, the people in, in chat that are wondering, kind of depends on where we lean, if we're, like, yeah, if we're letting him in. But we're also trying to kind of, we have to block off, uh, the other opponent's screen here, right? So because we have, well, at least one of the, one of the teams now, uh, visible on our little monitors are in front of us. Um, and we've intentionally kind of, like, laid it out so that you can't see your opponent's, you know, uh, monitor over here that we're using to, to see them. So we kind of got them angled down a little bit lower. Um, yeah, honestly, they're all better than, like, stock GDB, although, like, you know, TUI is not the worst thing. It's, it's at least better, I feel like, um, than, than, like, you know, stock command line. Yeah, I used to roll with, like, you know, the display slash whatever and, like, build up my own little kind of custom props, but it is, I think, I never really learned that. I went, like, directly from the vanilla, honestly, that's the right choice, yeah,
to a real tool. Yeah, for, yeah, yeah, one of those. Okay, so we're back in IDA, and it's interesting too, because we started in, in Hex-Rays, the decompiler, uh, and now we're just looking at actual offsets here, right? So we've got, um, so some kind of overflow situation here going on. Okay, yeah, we've already, so we already see somebody writing D's, uh, which were, if we go back to that, uh, uh, oh man. All right, you know what we might do, I might actually have, if you go look over the shoulder and just to give us an update, come back and give us an update and see how, uh, on the StarBugs side and let us, if I knew I'm gonna do this right. Yeah, so, so yeah, we'll, um, we'll go, yeah, you go check it out. Yeah, I'll go check it out, and then you can go back and give us a report and let us know, yeah, kind of looks like where we're at. So apologies for this. Um, this is going to be a wild and crazy weekend. We're going to have a lot of, uh, a lot of stuff, so hopefully this is the, the only real issue is we've got to figure out our one capture card is, is freaking out. We actually do have another capture card we'll, we'll bring in, uh, and we'll get working in the break. So hopefully, especially if this is a really fast match, uh, that'll be really easy. Uh, we will, we'll bring this in. Okay, so yeah, there we go. We can see the, the switch statement, um, with the different options, question, a, d, s, w, and we noticed that there's some, uh, yep, exactly. So there's, uh, that comparison there, right, was checking zero, was checking 128. But you'll notice, I think this is actually why earlier we saw, uh, ptr looking, uh, looking at the disassembly, is because in, uh, the Hex-Rays you don't always see the signs. Is the comparison signed or unsigned, right? And so I, I suspect that's what we were seeing before, is, um, the switch over to disassembly was saying, well, wait a minute, is this comparison signed comparison or unsigned? Because I think you can mouse over the, with, like, the tool tip, the comparison operator, and it will say, if I don't misremember. Yeah, but
yes, it's still, like, to get the exact details you might have to go down to the disassembly. You could use Binary Ninja, all right, and in High Level IL, where it just, it tells you a signed or unsigned comparison. But I promise, I, okay, I'll be good, I'll be good. Uh, I won't do that. And I will say, me with Binary Ninja would not beat these, these folks with, with IDA, right? So, like, I'm not claiming that, uh, yeah, it would make me, uh, infinitely better. So to give a bit of an update then on StarBugs, uh, it's actually very similar to the situation for, uh, the, what, what, how do you choose to print a home, homer, like, yeah, homer bin. Uh, that's now what we call these. Uh, I've, I've been saying slash slash slash slash slash. Yeah, okay, yes, have a way, have we do it, yeah, yes. Anyway, so the StarBugs, uh, they were in a similar situation. Uh, they have, like, done some analysis, they started out the small exploit script, not quite as fleshed out yet as, as the one, like, you know, a bit shorter, are doing some debugging, looking at, like, register values, just making sure that they're completely understanding what's going on. So there, I would say at this point it seemed like they're fairly similar progress, uh, between the players. I, I, I will say, at least, look, so I actually have not seen, like, an official solution for this one yet. So some of the challenges we wrote, some of them other of our teammates wrote, some of them we know the exploits and we tested them, and some of them we don't. Just knowing kind of generally what's, what's going on here, uh, and looking at those comparison, uh, I'm wondering where are, I mean, we're already, this looks like intention, right? It looks like we're seeing, like, I have an idea of what we're doing, we've already contacted, like, yeah, like, this looks like really good progress only several minutes in. Like, if you'd ask me now, do we need a hint, I'm going to say, like, it doesn't look like it. Like, you never really know. Yeah. Um, but you can see here they're doing a leak. Uh, you see this, uh, line starting with, like,
glibc base, uh, if it's readable. So they are reading eight bytes out from the program, and then they're subtracting the offset of the putchar, uh, address, and then, I, like, a bit more as well. So from this they're calculating the, the base address of the libc, uh, of the libc, uh, library, which then can be used to calculate the addresses of other functions you might want, such as system, which is maybe, like, the go-to. Usually, usually the choice, right? And so, like, you know, before, uh, we were talking about execve for the syscall challenge, the last one, and that's just going to be the raw syscall. System's even better, though, right? Like, what's, you know, what's the advantage of system over an execve? I mean, just, so for the system you just give it, like, you give it one string argument, which is, like, the, the thing you want to execute, uh, and that's it. You don't need to care about, like, splitting up, like, the command line arguments into, like, an array or all that stuff. It's just, like, I wonder if we'll see somebody system straight to the payload, or if they're going to get a shell first and then run to the payload. Like, they could kind of go either way. Yeah, I mean, personally, even though this is, again, like, do you take it, like, slow and methodically, yeah, and you want to debug it along the way, yeah, so I would just go for the shell, uh, because then the same solution also works out of the box locally as well as remotely. Otherwise they would, that's good. Well, if you get an error message, it would say not found, you would see some sort of, like, bug there. I would still feel more comfortable doing, like, launching a shell and then going with that. I, you know, I think that's interesting, because, again, though, last round literally seconds mattered. If one team went one way, one with the other, and they were that close, yes, the team that threw the, the straight to the, the submitter, yes, would win. So that's correct. We will see, we'll see. I don't expect it to match. I don't expect it to be that close this time. There is a small
catch to that, though, because they don't know that, like, you need to add an absolute address for exec, right, or execve does have to have the full path. Yeah, exactly, and they don't know the current, where the current working directory, so they don't know the full path of the submitter, right? But if they're calling system in this case, if they're just finding system, right, exactly, but I'm just, that, oh, no, no, yeah, true, true, you're right. Yeah, like, on this one you're right. Last round, yeah, they could not have done that, they could have not done that nearly as easily, right, but whereas this one, yes. Yeah, because, because the relative path thing only works because of your shell, essentially, which, if you're going to call system, it's going to run the shell for you. Okay, and thank you for that, for the, the kind words, I appreciate it, grandma bullet. You guys in chat, we're definitely keeping an eye on it and happy if you guys have questions, and I expect y'all will be seeing stuff that we missed, because we're kind of trying to, like, juggle around and look a lot of different things. In fact, I even talked to one of the competitors and, in the room watching the stream in the last round, and he was like, why didn't they use the brk syscall, why didn't they, they were all watching. Like, you know, they're doing the regular CTF, but they were also, you know, checking out the competition, seeing what the challenges are looking like, wisely preparing for future rounds, and they were, they were, you know, commenting on better approaches. So I imagine we'll have people in chat here that have feedback and have ideas on things that they can do. I mean, you also should keep in mind that, like, this is, this is not your average CTF environment. Do we have it back? Oh, it's teasing us. No, yeah, it's teasing us, unfortunately. This is not your average CTF environment, right? This is much more stressful for the players. Like, most of them are not used to, like, you know, live stream when they're, and even if you are, even if you've done a lot of
streaming, it still is harder. It's just 100% always harder. There's people watching, you're thinking, oh, do I clean up my desktop, do I need to, like, is this my VM setup, or, you know, there's just a lot more on your mind. And it's also kind of like an all-or-nothing situation, right? And a normal CTF usually, uh, because we kind of moved away from the tradition of first blood points, this is true, nowadays it's all about total score, exactly, and it doesn't matter when, it doesn't matter if you solve the challenge, like, five minutes into the competition or five minutes, five minutes left of the competition, right? Here it's, it's everything, like, either you win or you don't. We might be getting pretty close here, because I am seeing, uh, I did see, it looked like we had maybe had a system leak, or we're close to a system leak, so let's watch. So we're looking at system provider, so they've already got a convenient call. Again, there's a call to system already in the binary. Oh, and StarBugs is, yeah, yeah, yeah. Why don't we go ahead and do another check, Carl, on StarBugs. Yeah, I'm gonna go put it with them. No, we don't actually worry about, uh, past people learning things for new ones, because, again, the challenges are totally different. Every match is a different challenge. Uh, exactly, so we, so we don't have to worry about that. Uh, the general setup, well, the way that we would compensate by that is, I will say, we specifically put all the easiest things that we knew were easiest first, just because we wanted to be guaranteed that they would get solved in time. So the teams that go first had less information, they knew less about the environment and what was going to happen, and maybe, but it, I don't know, it depends on the player. I think for some people going first is actually significantly better. You just get it out of the way, and you're kind of, your nerves are over, and some people, though, they really want to, like, see what's happening and know. So it's hard to say. It was totally random selection in terms of which round
happened when, uh, so we'll see what it is. And yes, everyone not only has to use a laptop, so one of the differences, uh, is that they're not only using a laptop, but we plug in our video capture cards, and those cards force, uh, specific aspect ratio, so their font sizes can be a little bit off. So we are handicapping them unintentionally, uh, a little bit that way as well too. So how's it, how's it going with StarBugs? Yeah, so, uh, they have some good progress. I saw them looking in the debugger. I think they were looking at, like, uh, the GOT, uh, so maybe a similar approach there with, like, we're writing, uh, or leaking, uh, addresses. Um, I mean, very fast to find the bug, I think, both teams, right, pretty, I mean, again, this is meant to be an easy bug to find. It's even just wiring it all up, putting it all together, building, building the payload. Yes, avoiding all the mistakes. Like, yeah, when you do these things, like, it's very unforgiving. Like, this, the smallest little, like, you, you, like, you're off by one somewhere and things just don't work, and, like, it won't give you, like, any meaningful error messages or something that's, like, you know, as you would get when you're developing normal, uh, software. I love that we're getting, we're getting debug information, so we got a logger info. You know, they're actually printing out their variables and stuff. Thank you. As a, as a caster and as a commentator, it does make it easy when we can, uh, you know, see what your, your intentions are and kind of, and kind of what you're doing. I, I also do, like, when I write my exploit scripts, I'm, I'm definitely more, like, on the cautious and structured side. Like, I name all my variables properly, I have, like, logging statements. You put type in, type hints? Do you actually put Python 3 type hints in it? Is that you, that level of? No, it, that's a, that's a bridge too far for CTF. Okay, it has happened, but no, no, generally not. Well, as I am the opposite, I think, by, by nature, I was always quick and dirty, and, I mean, I wrote a lot of exploits with bash. Like, I would
literally, to shove raw bytes in with bash, and, like, if it works, it's faster, but when it fails, it fails miserably. Yes, because you're, like, way behind when it fails. You have not, it fails and you have not gained any ground. Like, you just, like, it fails and you're kind of, like, still at zero, while the slow and the thought, you call, like, it didn't fail, but it's, like, a very local, and you're to measure progress, potentially you can instrument a little bit better and see kind of where you're at. Yes, but then it comes at this additional cost. So I'm trying to see what they're doing. So there's question here, every team sends only one player? Yes, correct. So for each match the team chooses, so they will get to know what type of challenge it is, so we might say, like, this is an x86 64-bit pwnable challenge, and they choose a player to send. They do not have to pick the same player. If they win the match and advance next round, they can swap out for another player, but for one, for the, if we, for example, switched up the architecture or made a reverse engineering versus pwnable or, you know, whatever other things we did, they have a chance to swap it out. So it's supposed to be the best person from that team for that style of challenge, and for the stress of being on camera, because some people are maybe better exploiters but really nervous about sitting in the room, which, it's, it's a totally different experience. Yeah, and they are not allowed to get help from their teammates. Yep, they can, but they can look on the internet, they can have all these resources, although I, like, we've seen either one of these, they just, they knew what they were doing, they went straight in, they found the bug, their reversers near it, and they, they're writing their exploits. But, for example, the last one was a little bit different, where they were building syscall payloads, and so we did see both of them looking up, you know, list the syscalls and the parameters. Yeah, so if we have another look here and see what they're doing, we need to trying
to exploit script, doing some debugging here, you know, checking the output of the script, comparing it to the debugger itself, yes, see if the addresses line up, making sure, like, you have your offsets and your lengths correct, so it's all good. Again, I'm not super familiar. I think there's, like, a, some kind of integer over, underflow business going on in this challenge. Actually, I'm curious if the challenge author who was in chat last time is in now. Feel free to drop hints just for our YouTube chat, and we'll, we'll see if, we'll see if negasaur is still around. So, okay, so we've got, it looks like a write payload, a write primitive, because we've got a target for an overwrite. Yeah. Oh, they're looking for one gadget. They want to figure out, is there one now. So to explain a little bit here, one gadget is, it's both, like, a concept and a tool. So it turns out that in various places in libc, if you jump to that address, you will execute the shell, just get a shell. Like, it's going to call a system with bin sh or bin bash or whatever. Yeah, so some person or people have created this tool which will take a libc version and list what these addresses are. Some of them have, like, conditions, like, oh, this register cannot be not a zero or, you know, it's a, several years ago, 18.04, a bunch of standard installs, that was less common, it would just tend to just work unconditionally. There was just addresses that were, that's why it was called one gadget, because it was literally one place you go, you jump there, all you need is control of instruction pointer, and that would be all you got. Right now we're actually looking for Ropper, so we're actually looking for ROP gadgets to see how those work. I'm actually going to go check it on StarBugs. I want a little, get a, get a hit there. Yes, so I'll leave you on the stream and I'll be right back with an update. Definitely hope Jordan comes back with some nice updates there. I'm gonna lean over a little bit to see better this. So Ropper, one of several tools to find ROP gadgets in a
program, so they're running this on the, on the program to find what gadgets are available to you, then use them to build up the ROP chain. So, return-oriented programming, and it can be a tricky, as we see here. It didn't look that they had a lot of things to choose. I didn't see if there was like any filter or anything going on there, but regardless, they, so they were looking for specific gadgets with specific properties, like a call instruction I think there, to be able to put this into the ROP chain and then use that to develop their exploits. Yeah, so again we see them looking at, uh, I did a little bit double checking what they're doing. We can see that they're rewriting a part of their exploit. There's some kind of address that they're going to, trying to figure out what's, what's the appropriate address. So here they're going for libc base plus an offset, so they're trying to go into one of these one gadgets, I think, uh, and we'll see. So they're just trying them one by one to just see if any of them works and if they have the constraints satisfied for, for them to be able to do this, but doesn't seem like it's working quite yet. Yeah. So what do you have, uh, Jordan? All right, so the update on StarBugs. I would just say StarBugs looks like there's still kind of like thinking about the problem. I kind of get the impression that, that, um, uh, that, that slash V slash home has, has more of a sense of, of where they're going. Yeah, and they'll kind of get the building blocks there. Uh, could be wrong though. Again, it can be really hard to kind of get the sense of where people are at in their head. We're just trying to kind of watch and gain understanding, but I definitely saw some more, uh, just kind of poking around. Uh, it is interesting, we did see a true pwntools user, right? So it was, uh, pwntools coming in from StarBugs versus, uh, the custom ptr, uh, lib, uh, that we're seeing here, and, uh, uh, GEF, uh, "jeff", I don't know, is it, do we, is there like a canonical pronunciation? I, I just kind of guessed, because GDB,
but yeah, I mean, I, I've heard both. I agree with, like, the, the GDB being a "geff", but I think it's funny to say. I think this canonical, it could, I think it's like, it could very well be, because it's like, it's like in the name, "jeff". Uh, yeah. Um, so, so we've definitely got some fans, people are excited to see, to see both their favorite players and, uh, yeah. Fabu, it depends. Some of these, these challenges, there are absolutely things that you want to look up. You might be looking up a bug in the tool or something you're doing. This particular one is, is kind of very classic. I feel like that, that, that there's, they know their tools, they know, you know, what they're doing. They've got, they're not looking up the help for, for pwntools, because they're using features that they've used a lot. Yeah, they're not looking up the help for these, um, you know, these things, just because they're more familiar with it. All right, so we're trying, so we've got, like, it seems like we've got code execution, right? If they're already looking for gadgets, they've got code execution, they're really just trying to redirect. Exactly. "Gif" or "jiff", "jeff" or "geff", I love it. Exactly, yes. So we're trying to kind of pivot, get us a gadget that gets us, uh, closer to our one gadget, right? So they need to, see that they were looking for a mov rsp gadgets. They want to pivot the stack and potentially to use that to have, like, a longer ROP chain potentially. Yep. Another technique they might have used to get a longer ROP chain too is sometimes you can just actually pivot back into the same program, right, into like another read or another receive, right, on the program. So let's say, we're looking at some padding going down in here in the payload, so they're just increasing it. And it is fun too, because the speed at which people, uh, operated at this tier... We're done, we have a winner! I'm so sorry we didn't see it on screen, but congratulations, round two winner. Very good. I wish we had that one on stream. Very sorry for the capture problems. Yeah, we're going to
make sure we take this time and we're going to swap out our, our capture card so that we don't have that happen again. But thanks again for hanging with us. We'll be back with a better view of both team screens this time, and we'll see you just in a few minutes. Thanks, everybody. All right, everybody, we're back. We've swapped out a capture card, I think we're going to be good. So let's go ahead and get everybody to help count me in. You're ready? We're going to do a countdown. Five, four, three, two, one, go, and refresh. Let's bring up the team screens. Uh, production, bring up our team screens. They are live, they've already got the binary and they are going. There we go. Okay, so let's get up our, our team views, and we're off. We're back this round with Maple Mallard Magistrates, which, I mean, I'm, that's the Mighty Ducks, yes, right? Like, that's just, I've decided that's what we're gonna call them. We're gonna go to the Mighty Ducks, and they're competing against OSUSEC, or OSU Sec. Yep. So who they are, I believe they're from OSU, either Oklahoma State or, I assume it's a state university. Yeah, I mean, I would, I would guess, but I don't know for certain. Yeah, I'm not, I'm also not super familiar with, like, all the universities in the US and stuff, so, yeah. Yes, but that sounds very possible. Um, what do we have here on the competitors? So we're looking, we're looking at source code, so I guess we gave, uh, source code on this particular challenge, uh, because, because nobody's got, uh, either a Binja open, they're just going straight to, uh, so let's see, we've got the handouts, uh, right, that's some Capstone, uh, library calls, right? This is interesting. We've got, okay, so we've got Capstone and they're, they're gonna just, they're gonna run, they're gonna try it locally and they're gonna see how it works. Now this program, it is, challenge is called not coding. Okay, so it's, it's, uh, not show... oh, do we lose, oh no, we lost this. Did you lose that? No, we, it's back, it's back. But like, did you lose it on the capture? Because I think it's just our power.
Yeah, yeah, okay, we're fine. So I think we're losing, there's power, something power with this is, is causing trouble. Yeah, you know what, bring the break this way down. Yes, uh, let's see if we can do this. Yes, so someone's saying, uh, Oregon State University, someone's saying Ohio State University, so they're all good guesses, but I don't know which it is. Uh, yes, uh, anyway, uh, while that's, uh, you know, sorted out, we do see if we decrease our power draw on our monitor here, if that'll, uh, yeah, let's hope that that's better. That's how that works. Okay, anyway, uh, after a bit of a rocky start again, but, but hopefully we'll recover. New challenges each, uh, each, each time. Oh, there we go. Go be... so is this actually, the Beavers would be, uh, Beavers was, Ducks, well, the Ducks are Oregon, but Ohio State, no, Ohio State's the, the Buckeyes. It is Oregon State. Okay, all right, all right, thank you, thank you chat, thank you chat for filling us in. Can confirm. So I apologize, we should have, we're bad casters, we should have had better, better, uh, you know, intel on our, on our, our teams. You know how they say, like, the best way to get an answer is to say a wrong one? Yeah, yeah. Oh, that's how I, like, run a business. It works great. I just, you know, I say something and my co-workers are like, no, you're wrong, I'm like, okay, but now I know the right answer. Yeah, yeah. Uh, so we can see here that you, we should be streaming, if we're not streaming, uh, at 720p, it is either YouTube or it's just our bandwidth, because we should be streaming at 10, 1080, uh, and the VOD that we're recording is also going to be 1080, so if we need to upload a higher quality afterwards, uh, we will get that. All right, oh, this is interesting. Okay, okay, so wait a minute, I'm seeing ndisasm over here on, and so remember, I've got, um, Maple Mal... okay, so I've got, um, Mighty Ducks, uh, I've got the Mighty Ducks over here and I'm already seeing something really interesting. This, this, uh, start your clocks, this could actually be fast to solve from what I'm seeing over here. Okay, so this
challenge was called not coding, and what they're doing is they're told you must, uh, get a shell, uh, but everything that you run must be a nop, which kind of like makes, doesn't really make sense. Impossible, yes, like, nops doesn't do anything. But we did, we did give that, we gave them a hint actually, right? So if it's locked at 720, yeah, we apologize, it is our, uh, uh, it is probably just our stream bandwidth, because I believe we're, we're streaming at 1080p. Um, and actually let's go ahead and go full screen to, uh, to one of the teams, and we'll try to keep the full screen ones. Uh, let's do the one without the, if we're at 720 we want it to be like real full screen, so we'll get rid of all the, the pretty artwork and we'll just do, um, let's do the, the bigger one that's clear without even that. Yeah, so this will get us, uh, looking at, uh, Oregon State's. So we're seeing the preload, right? So what they're trying to do now is they're going to run it with their Capstone. Yeah, they're just trying to make the binary work so that they can, like, debug the stuff. You see they do some LD_PRELOADs to get the proper, um, libraries running. No, these, these are not two local teams as far as I know, I don't believe. Uh, it's funny that they're a duck themed, right? So the duck theme is, oh yeah, we are, we are making progress, right? Okay, so what we're, what we're looking at here is we've got a text file on the right that is a nop, right, and we're assembling it, so it's test.s, and this is being created as a nop, uh, but we mean, when we disassemble it, now it's not a nop. Yeah, right. So the reason why we're doing that, and we gave them a hint, we told them that the binary they're given is a 32-bit binary on this particular... I believe the, the point is that there's a mismatch here, like, yeah, it's being disassembled as 32 bits but it's executed at 64 bits. The other way around, it's, yeah, it disassembled at 64-bit but executed this 32-bit, so if, if your bytes disassemble as an x64 nop but run as a 32-bit, like, actual instruction, it will be
run, and so, yeah, we are definitely, I, I can't tell from this angle, I don't have a good, uh, view on, on OSU. They're looking at the code here. Um, clearly the, the Ducks are, are, I would say, in a strong, like, running an option, they should have, like, they, they know, they, they completely understand, right? This, like I said, this could be one of our faster solves, because they are absolutely, they get it. Now, how long we'll take them to be able to payload, and can, uh, our, our Beavers catch up, that's gonna be, that's gonna be the question we got it, we got to figure out. So you can see that they are looking up the Capstone, that is a good, so that is a good thing to do, because a lot of people that we tested this challenge just assumed it was disassembling as the same architecture with, and so actually double checking that call to Capstone, checking the parameter, checking that, that information is actually not a bad idea. I just think we're seeing, we're seeing our, our duck over here, um, make, like, they already, they just, they looked at it and they just knew, they're like, oh, I get this, I understand exactly what this challenge is. Yeah, I mean, sometimes you're just, like, on the same kind of, like, frequency as the challenge author, and like, I see, I see where you're going with this, and then, like, you know, yeah. Yeah, so, so MMM, and actually, uh, MMM is a very similar name to, uh, PPP. Yeah, what a coincidence, what a strange coincidence. Uh, so we mentioned earlier we're seeing a lot of these teams kind of join together. Yeah, uh, and it's certainly, if we look over we can see a opcode reference here, which is exactly what you want here, like, you want to see, like, what's the, um, opcodes that will, uh, disassemble into the nops. Yeah, while at the same time have a different meaning in the 32-bit context. Now again though, I wouldn't say, there is sort of like, once you get the right one that works, the rest kind of flows pretty easily, I feel like. Having, having seen at least a solution to this, we expect there's probably multiple, but
one of them, like, once you kind of get the right mismatch, you don't need, you don't need to build this really complicated payload, it can be relatively straightforward. So I say that to, to mean that it could be, I guess, not out of reach yet. Like, while I certainly, if I, if I, you know, we're in Vegas, if I was going to make a bet, I might put it now on, on, uh, on MMM, yeah, our Mighty Ducks, but this is, this is not out of reach, there is, there's no question, because if it's... okay, right, so they just found out, for example, floating point nops are not considered nops, because it actually says fnop. All right, so it's fnop, or however, you know, if you actually pronounce it. And I'm also kind of wondering what the hell is, uh, fnop in the first place. A fnop, it's a nop that happens in the floating point instruction space, right? But like, what... Yeah, actually, if memory serves, it's even a funny opcode, I think it's d9 d0, because, you know, 90 is the, is the, the regular nop, and so I believe, let's, I'm not sure, but like, yeah, somebody check me out, chat, open up your Binary Ninja and type d9 d0 and hit, you know, P, disassemble it. Or we can look, yeah, we can look here. So we're, we're seeing working over through the nops. Okay, we're back in Capstone. So have we found out the key yet? So let's see. Yeah, they're looking at the Capstone headers. I think they're trying to figure out exactly what the different, uh, constants mean, like the different arguments to, uh, the disasm, which is, uh, definitely the key to understand this, uh, challenge, then to realize, like, exactly in, in what way it's disassembled. Now you can, you could go too far though, right? So like, one of the, I think the most important things to figure out is how much do you spend into one sinkhole before you move to the topic, or how are you going too deep, especially in this one where, you know, there is a solution that should be doable in 20, 30 minutes, right? Right, and this is kind of like a little bit like a metagaming thing... we just saw an fnop over there as well too, on... nice. So
they're look, they're, they're looking through the different, different operations. Yeah, but a little bit like a metagaming thing in the CTF, like, when, because you know that there is a solution, like, it shapes how you approach the, the problem, and like, you, you start thinking about, like, okay, what, what could the author have been thinking about, and, and so on. Well, and that's one more, again, I feel like, um, you know, we saw immediately a 32/64 mismatch coming out of MMM, so that was just somebody who looked at it and instantly thought, if I was making a challenge like this, about like this, here's probably what happens, and then it just, they tested it and it worked, and that's where, like, the experience really comes into play. So, Iron, we currently have MMM, which sounds suspicious like PPP. They're a duck themed team, the full name is Maple Mallard Magistrates, I call them the Mighty Ducks, and they're playing against the OSUSEC, the Oklahoma State University Beavers, so we have a duck versus beaver match, coincidentally. And actually, for context, the, the, the seeding for these challenges... oh, I do see our, our stream bitrate kind of going up and down, so I apologize for the 720. We are at the mercy of, uh, of the, the bandwidth that we've got here, but the good news is we have local feeds and we will make sure that we put, um, upload the videos of this to the recordings. Yeah, yeah, well, we'll do the good ones later. So, um, there was a question here, like, they can only use nop in shellcode, and yes, it's like, yes... sorry, I just did Oklahoma, didn't I? I meant Oregon, thank you Lucas, I apologize. Yes, this is Oregon State University. We're not operating on much... like the US version of, like, Sweden, Switzerland. Uh, oh, there's, there's lots of them, I mean, it's just, oh, universities, I know, I know. Listen, we've, we didn't sleep a whole lot the last few days, like, we've been hard at work getting this done, so that, I guarantee you that's not the worst, like, mix up that we're gonna have. All right, so I'm starting to see, this is interesting, okay,
so let's go back over to the, the Ducks, and we've actually got, like, a payload here. So we're writing, uh, we've got this, uh, 0xf0 and 1f, or no, xf is just 0f and 1f. Okay, so we've got a bunch of nops that the behavior... oh, I think they're just brute forcing, they're just trying, uh, all different combinations of, like, uh, opcodes to see, uh... I don't think so, I, I think this is, this is a little different. I think what we're doing is we know something is disassembled wrong and we're just trying to either, like, increment a pointer, so this feels further along to me. Oh, you see that, and they loop over all the 256, uh, like, oh, immediate values. Now you're right, you're right, I'll take that back. I, it is trying, like, exploring, basically building up, like, a playbook, I guess, of, like, what they have to work with. Uh, well, I, I, I will say that of all the O universities, only one is represented at DEF CON CTF, so by definition I think you might be right. I think certainly into the, the CTF community right now anyway, uh, Oregon State does have, uh, does have that edge on all of their other O universities. So, um, uh, the other thing I, I think is really interesting, I love looking at the tooling. Yep, right, like, I love to see, like, somebody's using BBEdit with very tight, like, indentation limits so you can see a lot of code. Like, this is sort of personal preference and how people work. Some people are using Vim in the shell and some people using, yeah, you know, actual IDEs, or somebody's using text editors. Yeah. Um, so I, I'm really curious to see, uh, more of that as well as we go, and then, uh, yeah, Hex Fiend as well, just to be able to get a quick, uh, quick analysis. In fact, when, uh, this challenge was being tested, one of the things I saw done that I thought was really nifty was open up the binary, um, and I think you could do this in Ghidra or IDA or Binja, um, it works really well in Binja though, to be able to just, like, type a bunch of hex bytes and having just disassembled simultaneously in each of the widths. Oh, nice.
Right, and so actually, no, you know, I take that back, you can't actually have overlapping architectures in IDA or Ghidra, you would, but you could easily, like, wire up objdump, right, do the same thing, disassemble both side by side. Yeah, let me fiddle with a bunch of bytes, uh, and work from there. So, uh, we're looking, yeah, we're looking through a bunch of these. I think once the right one is found, it'll go quickly, right? So is there, like, one or two operations here that are, like, key? There's at least one that, that I, when I saw it get done, when, when Glenn was, um, was producing that, the answer for, was definitely, um, key. And in fact, we've got plenty of time left, but if we hit, like, the 30 minute mark or the 25 minute mark, what we'll probably do is go tell them a hint, like, the mnemonic that they should be aiming for, right, and that might help them, you know, get a little bit further along. So we've talked before about what happens if teams don't solve this in time... uh oh, oh, that's a good looking list. Oh, this is interesting, I see some incs and decs. Oh, that's useful. Yeah, what, what could you do interesting if you could inc or dec a pointer? Well, now I expect we're going to go back and look at, um, no, you need the actual disassembly at this point though, right, like, or debugger. So there we go, we're going to see Ghidra or we're going to see, uh, debugger. I think we've got a gadget, and now it's a question of what can we do with it. Yeah, it's like incrementing, uh, very, very useful to, like, either do, like, self-modifying code or just, you know, manipulate, just misalign some pointer at something else, right? Like, what can we, what can we point at? So yeah, you have an inc esp example there's, and there's a segfault, right? So ready a bunch of those, so we know there's, there's something malicious happening, right? But how are you sure that... So, Phabio, to answer your question about why they're using a hex editor, they're usually going to be using a hex editor here because they wanted to just enter a bunch of different bytes
in and see how they were decoded, how they disassembled, a 64-bit and 32-bit disassembly, because that's again the sort of crux of this, of this challenge, is that the, the program tells you it's only going to run your shellcode if it only contains all, all nops, but it's not actually true, because it's, it's going to disassemble them from one architecture and then run them for the other, and so that's what you're, you're trying to exploit. Let's double check back on our... oh man, this is, this is tempting, but let's go back over to the debugger, let's go back to OSU and let's, let's see where we're at over here. Yes, so they are also looking at an opcode reference and have started writing a script, so like, they're, you know, on the same graph, but if they, if they get that inc, they're only a minute behind. Yes, right, like, honestly, if you've got an inc, they've, they've still got a shot. Again, that man, I still know as much to where I put it. So let's, let's go keep our eye on, back on the, the Ducks, uh, see where the Mighty Ducks are at, and we're already looking at memory maps. And if we should, we should keep a vote of GEF versus, uh, you know, yeah, uh, pwndbg, or, you know, all the different other options. So here we go, so they're using Ghidra as well for the, but like, I'm waiting for, like, I think, I think they're just so much faster than me, because they flip the Ghidra and they flip away immediately. I don't remember if they just remember the disassembly so much. Yeah, I mean, to be pretty, they just wanted to, you know, double check, like, one small detail, like, you have one, one question that you want answered, just check back at it, like, what was the size of that buffer. So again, we've got the choice here between what register do we want to increment, and so that's the key question, right, which one is most useful. And I will say a debugger also makes a lot of sense here too. Yeah, yeah, a rx, absolutely. I think everybody is impressed, OSUSEC, and in particular the most impressed, the thing about OSUSEC is that they're one
of the few teams that didn't, like, combo up with a million other teams, right? Because a lot of these other teams, yeah, to our knowledge they are, like, actually just OSUSEC. Yeah, and it's something, we've got a lot of their fans in the chat, and yeah, that, that's super impressive. You definitely get, like, an underdog vibe, and you, you want them to do well, because they're competing against these, like, CTF giants that are around for 10 years and they're combined for the teams. Going up against, like, PPP plus friends, like, that's, uh, that's daunting. Yeah, I've lost a lot to PPP without friends. We all, we all have over the years. All right, so taking a look at the debugger, it seems like there's some kind of controlled values in there, and some, like, is that the stack they're looking? Yeah, it's looking at the stack pointer, looking at the memory maps again, looking at, like, this assembly. What, rp osu x64, I don't know that. No, that's, yeah, that's rp++, that's another ROP, okay, ROP gadget finder. I tend to use that one. I think, like, all the cool kids nowadays use Ropper, but I think before, before that, rp++ was, like, the good stuff, so I'm still kind of using that. This is one of the things I'm actually excited about too, right, is, is seeing the new toys and tools, because I don't actively... oh, we got a little bit of it, you know, there we go. So we were looking for, um, like, it looked like GOT entries maybe, we're, I saw a bunch of, a list of function pointers. So I, yeah, I haven't actively played CTF in several years now, and so I, you know, I know enough to maybe make a small challenge, easy challenge, and I know that's going to get destroyed by really good people, but it's fun to see what are the latest tools, what, you know, what have, you know, I kind of missed out on, and watching people, uh, watching people do that. So, all right, to recap, we're 19 minutes in and we've got, uh, at least one team... oh no, this isn't you, we're already in the double... let's go take a, take a look back over actually at OSU, because we aren't in
the debugger. Yes, that might be a good sign. You can see them stepping through a whole bunch of nops, which, uh, doesn't really give them anything so far, so I guess they're... well, but it's going to say nop whether it is or not. Well, in the output, right? So you see what they sent in. No, but you see in the debugger over, and also in the output to the left, it's listed as nops, so they haven't found the key mismatch yet. Correct, or they haven't, they haven't exploited it. Yes, or like, yeah, actually taking advantage of it. However, you can see here over at MMM that you have, like, a sequence of hex values listed here in their exploit script, so they try, they look like they are, like, going somewhere, putting together... oh, I wonder if they're putting together a shellcode payload in these immediate... see, it's called smuggle 32, right? Nice, I like that, and also again, nice with nice naming of things. Oh yeah, we've gone boring now, now it's just x32. Uh, so we, we lost the, oh, the more interesting name. Yeah, I mean, smuggled 32, I think... oh, there we go. Okay, so an inc esp. Oh no, no, sorry, not shellcode, pointers, right? Clearly executable code. Yes, so they're gonna, they're gonna have a, this x32, which is going to let them, them ROP potentially, and they're going to be able to inc the stack pointer. This sounds like a great technique. Yes, I'm a stack pointer, overwrite the return address maybe, and, and, and go from there. Yeah, you've got to, and then maybe either one gadget or multiple gadgets, or like, you've got a sort of straightforward shot... oh, there's a win function, or, or maybe you go... oh, you know what though, if a team doesn't actually open this thing up in a disassembler, if they only use a debugger, they won't see win. Well, they have the source code. Oh, they had the source code, they had the source code, that's a good... but this is definitely the thing that you can, like, you know, because I think it's maybe, like, at the top of the, like, it's a small function at the top of the file, like, you know, if you just scroll past that, because, like, you
don't notice, honestly, and then you build your mental model all around, like, you know, a ROP chain or, or something. It, it's the kind of thing that happens a lot in this environment when you're doing a live CTF and you're under pressure and you're on the gun, or you remembered it but it's 20 minutes later and now you've forgotten it, right? So it's, it's possible we see somebody get tunnel vision and miss that. So, I mean, I've done that, like, in several CTFs where, like, oh, there was actually this memory region that was, like, writable. Yeah, something like, you didn't see it, the binary is actually executable even though it's running emulator or something, and you assumed that the permissions were... yeah, it's, uh, you know, it can lose you a lot of hours. All right, so we've got our inc esp pattern, we've got our, and we are using pwntools, right? So we're seeing pwntools. Do we, I don't think we have a payload yet. We're still, got, unfortunately for OSU, I think we, we don't have an understanding yet, right? I think we're kind of lost in the weeds, so, so this is, this is not looking good over there. We're gonna, we're gonna keep it on, um, keep it on the, on the Ducks and, and see if we can, uh, see if this will, this will, this will come in, right? Because this is, I mean, this is looking really good, right? We've got, we've got the ability to misalign the stack, which gets us a return address overwrite, which gets us an instruction pointer, and we've got a win function, right? It looks like they're dumping this to a file now. Do we have ASLR? Do we need to know if it's randomized, or is it, uh... yeah, this is, uh, I believe if the, the source, if they put the source again, the first line of the source was the build instructions that was used to compile that binary, so we would know if they flashed that again real quick. Um, we've got, uh, not coding.c, so... oh, we're going away. Makes you want to, like, you know, yeah, touch the screen. Yeah, we should have, like, uh, some kind of plug-in on the computer. Yeah, it's like, no, no, we need to look
at this one. Well, really, yeah, the, the later iteration of this, we're going to have more, you know, I think, machines here, but we're already overloading the number of available USB ports, even with several hubs. Yeah. Um, so I, I'm curious, I know there's a lot of, uh, Beaver fans in the, uh, in the chat. Y'all still got faith? Are you still, still hope, or are, are you, um... there we go, see, hang in. So you, there, there are still the Oregon fans out there, right? Oregon, I said right this time. Okay, good, I'll get right. All right, you can just keep rotating around, like, just different O's each time. I mean, they might get... yeah. All right, so you can see there again doing some, like, brute force, looking for something else. Yeah, so this to me is, like, is, is like somebody stepped me back saying, I'm not sure I have all the, guy, like, I think that was all the gadgets they needed, I think that was sufficient to win. Glenn, is that sufficient, or is there more to it? We're getting him mostly from Glenn. Yeah, and I can't hear him at all. I can't hear you, unfortunately, over there. We're just going to roll with it and say that, you know, they might be of need a few instructions, but I mean, you should be able to, because, are you sure you can increment the stack pointer, right, but then you need to actually modify the value, so you need one more thing to actually, like... no, no, if your buffer is on the stack then you don't need to do any such thing, you can just return when it points to your, uh, if your input that you send in is, is on the stack. All right, yes, you just, you do, okay, of course, right. So I think a variant of that is possible, right, in this particular binary. So, but your input is still slightly constrained then, on the, like, let's say you would put, you would put, like, a return address or, like, a something there. I don't remember the, the source code, if this was, like, a string operations, if a null terminate will break it or not, that's, that, I see. Okay, right, yeah, so you could potentially smuggle it, like, behind the, the other stuff, but yeah, but
no, you give it binary, because it, it disassembly, it doesn't assemble your, that's right, that's right, you give it the, the hex and it's actually gonna, you know, put that buffer as those bytes. Yeah, yeah, yeah, presumably do it right. Five minutes to a fresh start? No, no, no, no, we have, so they, they have plenty of time left. Yes. Um, well, so we are coming up on, this is the point where if neither team had made progress, we'd walk over to him and we'd say, you need to misalign your, your 64, your 32, and you need to find a gadget that's going to let you, uh, get the payload. Um, but because, because we're already seeing at least once, at least one team has sort of made it to that point, yeah, and he clearly, that's the case, which has been for several, several minutes now, um, we're not gonna do it now. That said, if we come up on 45 minutes, yeah, we do hit sudden death mode and we will switch over. So there is 20 minutes left, where if the duck doesn't successfully finish this challenge in the next 20 minutes, there is still a chance that we go to sudden death and our Beavers could have a chance. Yes, so that's, that is absolutely possible. Let's, uh, all right, I'm gonna just look for a second and try to, try to get caught up here where we're at, because it's a little concerning when I see going back to the well of trying to find more gadgets, right? Um, and I'm wondering, we're still looking for more patterns, but as far as we know we think there's enough gadgets, uh, we think there's enough gadgets there. Yeah, uh, I have actually not looked at our reference solution for this, so I don't know exactly what instructions it contains, but I thought it was an, uh, I thought it was an inc ESP actually, or inc or dec ESP, one of the two, to, like, misalign the, the stack pointer, uh, into a buffer you controlled, right? So we got a question about the sudden death thing. Yeah, so we have this thing, so there's a time limit of 45 minutes, so if they hit that we will stop the challenge, because then, uh, it was, well, if we don't want to drag this on
for too long. So in particular, the whole match on every team versus team matchup really needs to stay under an hour, otherwise the schedule starts slipping and throws off all the other events, right? So this... what's that? All right, do you want it, do you want to get on the mic and do it, or do you just want to, like, tell us from there? Uh, you have a mic over there, you, actually that mic is even still live, so careful rubbing it on things, but if you talk into that mic, um, it might be easier to hold it than try to put it on, it's up to you. There we go, so I think we've got Glenn, it looks like your levels are right. Let's see if, this is our producer Glenn, and challenge author. Glenn is going to come here. We'll tell you a little bit more, uh, Rakesh, about sudden death in a second. Let's let Glenn talk a little bit more about what the expected solution is here. All right, so this is why, this is why the, uh, the competitors have those earmuffs on, so they can't hear us as we're talking about all this, these details. Let me just make sure the levels are actually working. All right, so generally speaking, the way that this works is, since you have the difference between x86 32 and 64 bits, you can get what the MMM player has found, which is a, like, a REX.W nop, which on, basically on x64, x86-64, it disassembles to a nop, on 32-bit it disassembles to, like, decrement stack pointer, nop. From this you can gain control over the stack pointer. You can go either direction, but the way that the reference solution works is it just changes the stack pointer to point into the buffer of nops that you send to the server, and since the binary is not PIE, and so the addresses are fixed, and there's a win function, you should be able to just get the stack pointer such that when the function returns, it returns to the win function. I think we need to give a hint, and here's my idea, here's, here's the hint that I'm going to give. Yeah, I think MMM missed the fact that this does not have PIE. Okay, should we, just looking for more complicated one,
But I also think that OSU has missed the 32/64. We can get them the same hints, to both of them, and help them both out equally, which is that we can tell them they need to double check how these binaries were compiled. We need to tell them, we need to check the first line of source code that tells them how the binary was compiled. Yes, that will tell them both something useful to the state that they're at. Yeah. All right, so do you want to go get... I will go, I'm going to go do that because we did not add like the messaging thing. So yeah, so I'll go tell them so that... Or just write, write a note out and then just hand them each of the notes, right? Where's your notebook? Um, here we go, and we'll do this, we'll do this now, so we'll get them each that, a little bit hint. Yeah. And, and to answer... oh sorry, uh, Glen, kill the volume level on that third. Yeah, mute that. Sorry for the ASMR there on the, the microphone as we set it down. We got to be like... yeah. Um, I got you pin. Yeah, okay, awesome. I'm tethered in because I wired my microphone through my vest this last time. Yeah, I can go anywhere. Looking good. But, uh, you can explain sudden death, right? So the, the sudden, the sudden death plan (just keeping an eye on, on, on our duck just to see if they've got anything else), the sudden death plan is that if we get into a situation where both teammates are stuck, neither one's making more progress, uh, it's not looking like they're going to solve it in time, we have a totally different challenge. We have an easier, simpler, quicker challenge that we will field that is meant to just break a tie, essentially, because we don't want to have like something and we're, neither one can solve it. So if we get to the point where we have, so 15 more minutes, if we get to that point we will, uh, deploy a sudden death challenge. We'll change it and say, sorry, uh, you didn't solve it in the 45 minutes, here's another challenge, try that. Uh, we haven't figured out if that takes too long; we just kind of have to wait till that gets done. So hopefully
those, but those are, those are intended to be like the easiest possible challenges that we could do. So that's what we're doing with that. We're writing out the same hint to both teams: uh, first line in this, first line of source code, right? So we're going to tell them that the, they should, they should each double check how the binary was compiled. I think that'll be nice, both fair and yet also useful to both of them. So we'll go ahead and do that and, uh, get that to both the teams, because what's going to happen here is, again, if, if the duck can, can finish this out, if they can actually successfully solve this, they have a shot at it, but if they don't, um, then they're going to basically kind of be reset. They're both going back to zero on this new challenge, all right? So the new challenge will, um, will, uh, be like fresh territory for both of them. So let's, let's, let's, uh, switch maybe to the, uh, one of the other cameras and we can see, uh, like see, see in the background as, as, uh, Carl's going to go deliver our hints to both competitors and, uh, we'll see if this has an impact on them. And in the meantime, thank you, thanks, uh, is it down down or dawn dawn? I forget. I feel like I should remember this because I know I've, I've seen it hit up before. So that's a good question: what is OSUSEC up to? Let's... I think we're just looking at the source again, it looks like. Um, so we have deployed the hints to, to both players, um, and it's, it's hard to tell because they're just looking at the... Yeah, that's not a bad idea, Peter, that they might need a bigger hint. Um, we, we could, we could get them both an explicit hint of something like: the binary is not ASLR'd and this is 64/32-bit misalignment, um, to get them both past the next... Thank you, down down, um, or maybe it was down dawn, it could be, it could be one of each. Um, so we do have, um, a bigger hint we might have to give to both of them. We will see. I, I wouldn't, I would not be surprised. And it's, and it's, again, this is one of those things where if you're playing at
home you look at this and you think, oh man, all you have to do is move this stack pointer, you, you should totally be able to like finish this out. It is so different, it's so different when you are on the camera, when you've been stuck in the step for a while. You get kind of into rabbit hole as you're thinking, surely there's some other gadget that I'm missing, surely there's some other thing that I need to find, um, or if you feel like you just don't even have a, uh, have a way to do... So let's go ahead and prepare the next hint. Yep. Um, that we'll give them in a couple minutes. If, if one of them starts to make more progress maybe we'll, we'll hold off, um, and we'll see what happens. Uh, I... if we give them the opcode we're giving one team what the other one already has, um, so I think this hint should say, um... Yeah, I mean, maybe, maybe we can... yeah, let's think. What, what, what's the clock at? Yeah, I think, uh, so I need a few more minutes, right? So there's a question about how long. So the idea is that at 45 minutes we will switch to the... we start every match on the hour, so we started for us at 4 p.m., uh, Pacific time, so we're 34 minutes in, so we have 11 more minutes, uh, before we... So we're, uh, are we brute forcing? Maybe we're done brute forcing. Yeah, they removed the for loop. Okay, so we're not putting some address in there. Uh, this is test.py. Okay, so this... Python quit unexpectedly, nice. Uh, wait a minute, execve launch? Maybe we are close. Yeah, okay, this is, this is a good sign. Okay, yes. Oh look, he's looking for a system. Okay, okay, this looks positive. I think, I think that the realization has been, has stuck home. I think we're about to watch, uh, watch it come on home stretch. I still don't see OSUSEC, unfortunately, coming up with that key 32/64 insight, um, even after the hint that the binary was compiled for 32-bit but the disassembly is 64-bit. So we're looking for a /bin/sh string; we're going to pass it as an argument to system, right? So they're going to skip the win function, they're going to just, uh, put the... but this
is, again, there's literally a win function. Yeah, you just need the address of that. But luckily this is 32-bit, right, so they can just put the argument on the stack and then... I mean, it's like, exactly, it's marginally more difficult, slightly, before we put two addresses on this stack instead of one address, so as long as there's room, and I believe there's, there is plenty of room. Yeah, not a huge loss, but yeah, definitely could have cost them. Okay, this, this is looking real close. We're getting the last address in. Let's see if this does it. Uh, yeah, again, we predicted this earlier. We said the win function... we gave them a source, it's very easy to miss. You, you 100% can get tunnel vision and, and totally either have forgotten about it or never seen it. In fact, in this case I wouldn't even be surprised, never seen it, because there's not been a lot of poking around in the, uh, because there was so quick at understanding like sort of what the goal was. Yeah, exactly, and that's the thing, then you build this abstraction in your head. Mental model. Yeah, mental model, like, and this, this thing just doesn't exist. Like, there it is! Congratulations! All right, we have a win. Congratulations to our ducks. I'm excited we didn't need a sudden death. That is our third round, uh, complete. We will see you all back here in about... Hold on, hold on, hold on, hold on. They said was just a local, that was just local. No, no, it's not... submitter, it ran, did run, it ran, right? No, no, no, it's... sorry, I, I did... you didn't trigger, right? I saw it trigger on... yeah, yeah, yeah, we're done, we're done, we're done. All right, congratulations. Okay, we will see everybody back here, uh, at the top of the next hour. Uh, very, very fun match. Uh, thanks to both the teams. We'll see everybody in a few minutes. We out, everybody. Uh, we are here again, the last round of the day. Apologies for the, the 10 minute delay on this one. We've, we're trying to hunt down a bad cable. Once... somewhere in our infrastructure is a bad cable and it's causing one of our streams to have issues, so we
might have some intermittent connectivity for one of our players. Apologies for that. Uh, we're going to go ahead and get a kickoff right away. We want to get these team members back to their teams as soon as we can, so, uh, let's go ahead and get a countdown of five, four, three, two, one, go! And now they're off. Okay, so, uh, we've already got the first one downloaded, so, and in this particular one... actually, can you grab me my notebook over there with our teams and whatnot? Um, this one we've got, uh, the new organizers, and I believe we've got Team Taiwan was the name that they, uh, they requested, because it's again another one of these, these mega teams, uh, that has, uh, a conglomeration of many different, uh, different teams. So we've got team Balsn, team 217, team TSJ.tw, uh, and so there's another team that has TW in the name, that's Tokyo Westerns, right, a Japanese team, but this is the Taiwanese team because it's .tw, right? So, uh, let's go ahead... mix up, yeah. Let's go ahead and take a look at, uh, a team... I think team Balsn should be the one that I've got over here on my monitor, and they are already off and they're in IDA looking at our challenge. Now again, you'll notice all of our challenges are named "challenge", just the way that our Docker deployment kind of works. The official name of this challenge is called Nerd Sniped, right? And it... what are things you can get nerd sniped by? A lot of things, but, uh, yeah, we'll see how... I get nerd sniped by like a Rubik's Cube. Yeah, a good, a good puzzle maybe. Yeah, a good puzzle, you could see maybe something like that, that'll do it. Uh, so yeah, so we got you 1080p back and going. Hopefully we'll figure out our, uh, our issue with our, our HDMI cable and we'll have, uh, much better, consistent capture across both team members tomorrow. Something about this cable is like, it's heating up or something. It's the first... we had several hours of testing last night with no problem, and something, something's going on now. So we'll, we'll, we'll give that a run, and sure enough I literally
just saw a rename: solve puzzle. So we've renamed this function "solve the puzzle". Um, so what they're looking for... they know it's a puzzle of some sort. I'm curious if we get, uh, someone just kind of running it and interacting the binary, or if we're going to more static analysis. Um, but actually, yeah, this should be, should be much higher quality with, with the full 1080. Unfortunately we don't have even the local recordings; we're also not 1080, they were only in 720 as well, so I apologize, those first couple matches, uh, we're not gonna have, uh, we're not gonna have the, the, um, uh, the higher quality video for those either. But all 12 other matches from here and out are going to be in high def, uh, because we have a lot of these to go. So you'll see your favorite players, the one in the first couple rounds, they're going to come back, we're going to, we're going to see them again. Uh, so... oh no, that was cool. What was... I didn't, I didn't notice that website. Have you seen that one before? Uh, I'm curious what that was. So now they're on the Ubuntu repo. Uh, they're getting a particular glibc version, which makes sense, that's often common. I think for most of these we like included a libc if we thought it was necessary. Yes. Um, so it's kind of a hint to the teams, like if we, we, we're, we're trying to like give out everything that we could, make it as self-contained as possible, and so we'll see, uh, we'll, we'll see if that one ends up, ends up being useful. But we've got our binary challenge. Uh, this one is starting to, to be a little bit more difficult though, I would, I would say. Yeah, our challenge difficulty is cranking up a tiny bit, uh, and we're going to see that kind of trend throughout the whole, the whole rest of the weekend, right? I'm sure last semester once somebody finds an amazing solution, too, solves it quickly. Yeah, but on the topic of like difficulty, like, that's, I mean, we have an idea of like what's more difficult than what's easier and so on, but, uh, of course like we can be wrong. Like people can have like
different, you know, specializations and their skill sets and, and so on, so something that we might think is... In both directions, right? Right, exactly, yes. So, uh, something that we might think is usually might be actually kind of tricky, and then the other way around. Uh, so it's going to be interesting to see what's, what's going on. There's still some reversing, like the initial reverse engineering going on of the program. For example, this kind of step, uh, was not really needed in the previous challenge where we just gave it on the full source code, uh, with like names and everything. Um, and, and it is, uh, uh, yeah, as an organizer you have a lot of levers to pull, you have a lot... It's ironic because we have the organizers here up playing on, though unfortunately they're on our, our non-capture screen, unfortunately. Um, I just had to make sure that we had them lined up right. I freaked out for a second, I realized, and yes, they are, they are the right halves. Um, but, uh, the team organizers, uh, we're not seeing them. But as a challenge organizer, as somebody making challenges, you can strip a binary, you can not strip a binary, you can include debug symbols, you can not have any, you know, so all these... Yeah, different levels of optimizations. Yeah, like, because a lot of optimization also kind of acts as a slight, like, obfuscation. Mild obfuscation, yeah. Yeah, so, um, we've all seen these like, you know, optimized memcpys and everything, but you have all these like big magic stuff going on. Um, so yeah, you get vector operations in your, in your memcpys, right? It's... so yeah, and that's, and that's where to some degree you can make, uh, an easy challenge hard with just tedious things. Yeah. So it is interesting that you see a lot of sort of like, I would say, cheap challenge design where it's like, yeah, we just made it harder by doing X, right? It didn't make it more interesting, it just made it like, yeah, just slightly more annoying to do the thing that you want. So it's... sometimes a really good easy challenge is actually like you're
just really focusing on that one core thing that you want, you want to do, yeah, which makes a lot of fun for, for what we're doing here. So, right, uh, so still at that time we're trying to name different things. We've seen like they name the functions, like "solve puzzle", and you see some variables getting named, like the input. Um, it's all trying to like get, get an understanding of what is this program doing. Uh, and there're kind of like two parts to it: like first of all, like what's the intended functionality of the program, and then from there you can start to understand in what way is it acting, uh, not as intended, like where's the... or, or no, in this case we're, where the, the author intended to bug, right? But in the normal case, where it's unintended vulnerabilities. Yeah, or in this case what's the surface-level intended, what's it, what's it claim to be able to do? Yes. Uh, and then what is it, what does it actually do, that maybe there may be difference, right? So let's see, uh, what we're doing. So, and this is nice too because we're actually getting... this is the first time we've seen a little reverse engineering workflow. Yes. A lot of the other ones have been like basically a quick glance at the code or disassembly has kind of like revealed what's going on. Yeah, here they actually need to kind of understand what is going on. Okay, so we're still sort of starting our framework for our, our exploit here, but I don't... I think it's just getting the menus and interacting with it, right? And so we're looking... oh, okay, so there's a current puzzle state. All right, so puzzle... that puzzle looked interesting. That looks like maybe like a nine by nine grid. Yes. Of numbers. Yeah, it could be, uh, maybe like a sudoku. I think that's a great guess, and of course, you know, we're a little, a little spoiled here, a little tainted knowledge, but this is indeed a sudoku. Uh, in fact, when we, when, when somebody was like, we kind of play testing, evaluating this challenge, we sort of were like, wait a minute, you just, you just solve a sudoku and
that's it? And the author was like, no, no, no, no, no, that's not actually, not actually possible. Uh, so it is a little bit trickier than that. So we'll see as our teams discover, um, it's not just a straight put it into a sudoku solver, get a correct answer and win. Um, it is going to be a little bit more tricky, and this is one I am almost positive we're going to need a hint on, right? So I'm, I'm going to propose at like 15 minutes in, we don't see, um, like progress, progress... In fact, actually, let's, why don't you go ahead and take a, take a look at the organizers maybe too. Yes, I will do that. And if we, if we're looking for them to, to, uh, kind of have a hint as to what they're doing, like indicate that they know what they're doing. Yeah, yeah. Oh, does it come on occasion? Okay, so it's apparently flickering in and out occasionally, we're getting, getting our video. We swapped out the capture card; that worked for a while until it didn't. Uh, and then we swapped out the USB-C cable; now we're, for a while until it didn't. And so now we're convinced that it's just the HDMI cable itself, uh, that is, there's close in trouble, and I think this has been true even if we were direct wired into the laptop, so it's not the capture on the other side, yes, because we also did swap out the, uh, the USB-C adapter once too. So we've swapped every component except the, the HDMI cable, uh, partly because they're like taped to the floor and they're a 30-foot long cable, so we got to go and get some... Oh, there we go, I saw, I, I did see a solver pop up briefly. I saw a sudoku solver. Yeah, I was just gonna say, also the player from the organizers copy-pasted the, uh, current state of the puzzle into... and they googled for a sudoku solver. Um, so we'll see to what extent that will help them. It's, I mean, again, I'm not completely familiar with the intended solution here, but I would assume that it still involves like, yeah, solving the sudoku, but not only doing that. It is trickier than that, yeah. Yeah, that's right. So, um, I have a little bit more info. Um, yeah,
we're still seeing that, that kind of solver flashing in and out occasionally, um, on the, on the display. So, uh, it, it... there's gonna be some memory corruption here. Yeah, there is indeed. This is not just... now, although I will say it is actually a perfectly valid category of challenge in a lot of CTFs, right, where you would actually do have a more programming challenge or puzzle that happens, and I think honestly, even in moderation, I think those can be fun and enjoyable. Yes. Mixed in amongst your traditional like happy competition. Yeah, typically they are branded as, uh, PPC is the category in, in normal CTFs, which I think is like professional programming challenge or something like this. People familiar with like, you know, ICPC style of algorithms competitions or so might find... although usually they're kind of like framed, uh, slightly differently, yeah, but it's kind of like the same, uh, general idea there. Yeah, and there's, there's no security flaw; there's really just rather solving some hard mathematical problem with the right algorithm or with the right approach, uh, to, to kind of get it working, right? But that's not the case here. Like there's, there's an aspect of that, but that's not enough. We are doing... this is, this is truly a pwnable. There is memory corruption involved. Uh, yeah, although I will say, and I'm looking to see if somebody finds, um, the, the sort of like win function, like when you have a correct solves, CTFs, correct solves sudoku. Um, I think we're going to see like, so this, this function here, uh, they've named it check, returns, right, whether or not we've successfully calculated the value, um, a valid, uh, solve. This, uh, the result of that is going to determine basically what you call a win function, so it is going to kind of do the win for you. So you already sort of, you know that you have to solve it, right? Your just question is, okay, what mechanic will actually get me to solve it, and can I cheat it? Do I have to have a combination of a solver plus... it's like, what, what, what does that, that ratio go
to entail, because at face value it kind of looks like you just solve this and okay and you win. Yeah, but, but, you know, like, you... DEF CON finals, even, even being a sort of easy live CTF, I would, I would think people would be like, now wait a minute, like there's, there's something here. And I think if you can also... uh, there's not a lot of, uh, values here, and so I don't know, like I think the idea is that this, these are just not solvable because there's not enough information there. Like some sudokus is a very minimal but they're designed to be solved, right, made to be solved. I think I remember that like if you have 13 digits you're guaranteed to have... oh, is that so? Here we go, so one, two... okay, so this one definitely has more than that, but there's going to be some other issues with it still. I'm not sure if my trivia is, is, is correct, but I vaguely remember like if you have 13 digits you have a unique solution. You can have a unique solution with fewer digits, so I don't know that that's true, because I can just give you all of the ones, for example, and all of the nines and all the twos, and that doesn't give you enough information to know where all the numbers, other numbers are. Maybe, maybe in terms of like, because like, you know, so it's high, it's, maybe it's 21 or something then. I... there is a number, I would believe it, I'm just, you know... where's, where's our Cracking the Cryptic, uh... oh yeah, friends, yes, and go to the YouTube stream. Yeah, great, uh, great channel. So, so here we go, we're seeing, uh, sudoku solver Python, so we're seeing people of us to get that. All right, we are now 15 minutes in. Yes. I think we should be preparing our hint, because I actually think this one is a little too subtle and we're gonna have to point in the right direction, yes, without actually giving them the things. So yeah, we should notice, notice now that even though the time is like 24, right, 5, we started 10 minutes late because of technical difficulties, so they are only 15 minutes into the challenge. Correct, correct. So we have
we have more, more time than the clock looks like, compared to the other ones where we started much closer to, uh, to on time. So, uh, we're trying to solve again. So, so trying to solve around here, which is not going to be sufficient. So I think we need to figure out if there is an official hint from the challenge author. So we've got a Glen over in, in the production booth, uh, as it were, which is otherwise known as the other side of the table that we're sitting on here. Yeah. Um, it's gonna, it's gonna reach out and see if we have an official... We have like three times the number of computers compared to the number of crew members for this, uh, setup. We have a lot of displays, and I mean, an order of magnitude more cables, I think, than, uh, yeah. But it's, uh, and once we, once we find out what is breaking our, our secondary capture, uh... and so, actually, speaking of which, I'm gonna go ahead and go take a look at the organizers. I want to see what they're making progress, right, uh, while we figure out what we're doing with that, uh, with that hint. Yep. If we're gonna give it. Um, and if the chat, if you guys have any questions about where we're going, let us know. Yep. And I'll be back in update. Great. So while Jordan does that, we can try to see... is that we... okay, so I've just been informed that the puzzle that the, that you are given is impossible to solve. That's the kind of the trick here. So at face value everything looks fine, you just need to solve the sudoku, but actually there is no solution. This is like an invalid state for the sudoku. Uh, so, um, one stay... and this is something that can really throw you off, right, because if you all take this and like you input it into a solver or something and the solver says like, no, there's no solution, you might be starting to think like maybe the solver has a bug, or like some, maybe my, in the format of my input is, is wrong, or something like this, um, and, and only later you might question the, like, the impossibility of the puzzle. So this is where they have to then cheat to solve the
impossible sudoku, um, to then get this win function. Um, we can see here on, on, on the Balsn screen that, uh, they are looking still at the kind of, uh, the decompilation here, um, thinking hard about this, uh, trying to figure out like what, what is going on here, like why is this not working. Um, they have this, it's, it's this check function, right? Uh, so they're trying to think about like what, in what way does this function not behave, uh, correctly. Maybe, uh, maybe they have realized that like you're given an impossible, uh, puzzle. Um, so let's see, they're gonna try to... seems like they're writing like a small, like, formatting, uh, function. They're looping through like the x and y axis and, and, and, uh, printing, uh, something. Um, so yeah, um, still unsure exactly where they're going with that, but let's see here, now they run it. So, so quick update is both teams are taking the sort of wrong approach now and they're still looking for solves, so the hint they're both going to get is: you can't win, you need to cheat. Right, which is, uh... almost feel like there's some kind of deeper philosophical, uh, thing. I mean, it's, it's a true life statement, probably. Yeah. Um, yeah, let's, uh, um, yeah, I had a lot of thoughts about that, but let's not go too, too off, too deep and too... yeah. Um, I, you know, so here's the other question: do we want to give them a little bit more of a hint? Um, do we want to tell them exactly kind of how, like the more of a hint as to what they want to show? I think we have time, right? No, no, we have time. Uh, let's do that and, uh, yeah. In fact, well, that's too late now. Uh, I mean, I was thinking in the, in terms of like, since this is the last match of the day, we could have afforded like, you know, extending the, uh, standard game time, but I don't know if it's fair to do that once... Well, we do it to the same two players either way. It's, it's only fair relative to each other, because every match is different, different challenges, different conditions, and so to some degree, right... Right, so you could argue that it's fair. But let's say:
you can't win, you need to cheat, you need memory corruption. Yes. It's, uh, it's dangerous to go alone, like, take this. Yeah, take this. It's dangerous to go alone, take this memory corruption. I love it. All right, here goes the first hint. Yes. We'll see if this gets them on the right track again or if we need to... Uh, in the meantime I'm trying to decipher what this, uh, script is doing. They have a solve function there, which then will not really help them since you can't solve this. Um, it's, uh, yeah, it's, it's still like, you know, a little bit unclear where the players are, and this, unfortunately, we can't read the minds of the players. That would be, uh, immensely helpful, uh, when doing this type of commentary. We can just try to guess based on what we're seeing on the screen. So, and yeah, again, like if you have any questions or comments from, from all of you who are watching this... I got some smiles. I wish y'all could have seen it, but there was like, oh yeah, of course, okay, okay. So they both, they were both, you know, going down the solver approach, so I think we're gonna see a lot more, I don't know, right, uh, we're gonna see them actually digging into the binary, right, and following that way. So that's, that's all, that's nice to, to hear that like the, the hint was, uh, appropriately level then, that it was, uh, useful to the players. Yeah, I think they both, they both were at a spot where it's going to help both of them. We'll see if you, the one starts to, starts to, uh, take advantage of that or not. Okay, yeah, so we're looking at checksec, we're looking at the binary properties, seeing is, you know... and that's actually a great habit to be in too. I really think that a lot of people overlook that. Again, we saw that last one with the, with the mallard, with the ducks, where like it not being randomized I think added a little bit extra slowdown there, right? Yes, definitely, uh, because you could have gone straight into, uh, you know... Yeah, this is, I, I think I, I, I have this as a pretty good habit, like always run file, always run checksec.
Yeah, uh, yeah, it's kind of like when you're doing reversing, uh, reverse engineering challenges: always run strings, always binwalk. Yeah, just like, just out of habit. Yeah, just like the things that you, things that you do, right? All right, so let's, let's watch it. Okay, so now, yeah, now we're seeing them actually where we want them. Now they're back to reverse engineering, they're looking for vulnerabilities, and, and what they're going to do is they're going to use the vulnerability to win. They're going to use the memory corruption, uh, to get to, to, to not code execution directly, right, but to the win state. So what they're going to do is they're going to need to corrupt in such a way that they can create a solved board, and they should have, hopefully, still remember this, right, because they know that the point was to win. They saw that, they saw the win, they saw the win state, they saw... that's why they were trying to solve the puzzle. So I think they know that. Yeah, the question is, are they going to, uh, be able to figure out the memory corruption in time? So that's the question that we're looking for. And this is kind of interesting, I think, uh, this type of pwnable, where like a lot of pwnables you have kind of this like standard workflow where you try to gain control of certain aspects of memory. Yeah, you're trying, it's always, it's a pointer overwrite, or it's something that gets you a memory write, so you get a pointer, right, like to a ROP chain too, like, you know... Um, but here you're just doing kind of like maybe what we call like a local memory corruption. You're just like... or it's not quite a logic vulnerability, in that it is memory corruption, but it's not useful, it's not being used for control flow, right, hijacking. You're using it specifically to just change the behavior of the state and change the behavior that... Yeah, the functionality through it's, it's normal legitimate means but by entering a memory state that it didn't intend for you to enter, right? So in a lot of these cases we have like the
program wouldn't crash, for example, with the, like if the exploit is like slightly... Yeah, you just, you just fail to get a quick puzzle, it's just not solved, right? Yeah. That's not to say that they couldn't crash with this vulnerability, necessarily; it depends on how it's actually constructed. But there are, there are certainly use cases, or there are cases where, you know, an exploit isn't actually exploitable in them, in the, you know, direct, uh, code execution state; it is rather just by exercising some other, right, logical state of the program. And I think, yeah, in general, like what, everything we say here about like the, you know, pwnables and like general ideas, there are a lot of like ifs and buts and stuff like to all of these, and exceptions, but, you know, we're trying to, you know, make some broad strokes here about different types of challenges. I'm a little nervous. This one feels like that we, the first one we might have to unleash a sudden death. I'm hoping we don't, right? But I, and I like the challenge, because like, you know, like we're talking about, I think it has that, that good twist that you're going to not get a, a pointer overwrite, but you're going to like, you know, influence the state of the binary. So I'm hoping... and we've got, we've seen great work from all the teams so far, so we know we have high quality people. We'll see how it's going. This is also, I said, the one of the larger binaries. We all get very small binaries, very, very self-contained. This was a little bigger. It's still, I think, small in the CTF scale of things, which in CTF is smaller than real-world binaries. Oh yeah. But relative to the live CTF binaries, this is, this is larger than some of them. Yeah, luckily they don't have to like sift through a 300 megabyte binary. What, who doesn't love, yeah, sorting out massive binaries? Yeah, I think I remember opening the Minecraft binary in IDA at some point. Uh, then I went to bed and, uh, yeah, continue to do it still. Yeah, no, I think it was like just barely finished, but it took like eight or
nine hours to analyze that. Yeah, big binary or even like obfuscated binaries can, can take a long time to analyze, for sure. Yeah. Oh, here we go, so let's look: we're seeing an int64, int, so making sure the types are correct. That is a, that's, that's good. I think, I think, uh, analyzing the types is useful, although what I will say is that just looking at decompiled code is maybe not the best way to analyze any kind of type issues, right? No, I think it's like, it's a good, it's a good start to give you the big picture, uh, and, uh, but then at some point you might have to drill down on things. And I think this is also kind of interesting, again, with like different types of, uh, pwnable challenges: like, uh, some pwnable challenges, like the bug is obvious and the exploitation is difficult. Absolutely. And then you have these more like reversing-heavy pwnables where like you have to figure out like very complex data structure, but once you have kind of sorted everything out the bug just like appears, uh, and, and then from there it's typically not that hard. Or, yes, and I think our, our previous examples, several of our previous challenges were more on the side of like, it's obvious where the bug was but actually landing it was, was sort of the tricky... like we just let you run this calls. Yes. Which ones, that's the tricky part, like actually you're, you're payloaded the execution. Same thing with like not coding, like we just ran your bytes, sort of, you had to like do that. It... I think those are sort of like shellcoding-heavy and the sort of like constrained environments are some of my favorite challenges, um, probably because I'm just bad at the like, the more, uh, I don't know, what's it, tedious, but the more in-depth long-term reverse engineering. So, I mean, I'm more of a reverse engineer myself, so like I like those things, but then for example when you get to these like, you know, complex heap exploitation things, then I'm, you know, completely, you know, out of like there... Well, there's always just, you know, kind of familiarity
and experience with it. One of the things I was going to mention, and I say this, that I don't do the reversing-heavy ones, as an author of a reverse engineering tool. But maybe that's why you built the tool, right? Well, that's also why I have co-workers who are much better than I am. That's the other, I highly recommend that approach. But one of the things that I was going to comment on is that one of the things that Ghidra I think really does well, that both IDA and Binja have actually changed as a result, is their side-by-side view. Having the synchronized side-by-side decompilation with disassembly I think was a really important improvement, and kind of like the standard workflow, and so now you'll see IDA and Binja both have much better split-pane synchronization. Those kind of workflows very much inspired, I mean, I assume Ilfak also was inspired and was like, oh yeah, I like the way to get to do that too, but certainly from Binja's perspective, we definitely did that as well. Yeah. So I do think it's good seeing difference. Oh, here we go, we've got, I don't know, is that the same? That's just the same screen. But they're looking at libc, trying to download the appropriate libc version, right? Yeah, they're using this web page where you can put in offsets for different functions to fingerprint the libc version and then download it. Most of the time I think you need two offsets and then it will match to which version of libc is running. So again, when we're building these challenges, if we don't think they need libc, we are not providing it. Now that's not true in all competitions though, so they may not, yes, trust us yet. I think this is a convention among, I would say, experienced organizers, right? Because why make that an extra tedious step that it's just mechanical and you
just go to, we all know about the website, we all know how you would do that. However, if you come up with a solution that's different than the intended one, you might have a solution which does require, absolutely, and then you might go this route anyway. Yeah, yeah. So it's not necessarily bad, it is just, it should be a hint that maybe you're not taking the intended route, right? Yeah, doesn't mean that you're wrong, but you might be venturing into unknown territory. All right, so let's be thinking about our next hint, because like I said, I'm a little concerned we might need to do a different one. I don't know, triple tap control and get the spoken dictation pop up. I'm gonna go, oh, nope, nope. So somebody else in the background excited about something. Yeah, I thought for a second we had a surprise win and we're off screen. I'm gonna go ahead and check in with, was it organizers? Organizers is unfortunately not being captured, so we're kind of in the dark there. So I'm gonna see if I get a little bit more of an insight. Hopefully we're making good progress there and I can come back with a little bit of an update. Yep. And then maybe go ahead with some hints then, based on current status. So yeah, again, they're looking at figuring out libc versions or downloading an Ubuntu image. I'm not entirely sure what's going on there, but yeah, we'll see if we can manage to see in what direction they're going with this. It would be very interesting to see if they have kind of figured out where this check function is going on. Unfortunately I don't have the reference solution, so I'm not super familiar with exactly where it's doing something incorrect. But yeah, it's also going to be interesting to hear then what the organizers are up to, if they have good progress. So we're also kind of a little bit in the dark
on that, but hopefully, I think we are going to give them a hint. I see Jordan and Glenn are discussing a little bit what's the exact hint that we want to give them here to point them in the right direction. Yeah, we can see here in the lower corner, from time to time we have the organizers screen flickering in and out. Unfortunately that's the tech situation right now. And in the meantime I can give you a little bit of an update on the combined scoreboard for the DEF CON CTF. We have still a fairly tight race. We have a span of about 18,000 points for the leaders, Katzebin, down to 14,000 points for the team in 16th place, so everyone is definitely still in the game, with top three being Katzebin, MMM and perfect r00t, and they are all within less than some percent or so of each other, or maybe like 10 percent of each other. So yeah, definitely a good competition there. Jordan is coming back here, so what's the status? What's the organizers doing? We're gonna need some hints. They're both still looking, I don't see any kind of progress, so we're gonna drop a hint. Yes. There's a couple of hints we considered. One is, have you considered fuzzing? Because literally just sending in a bunch of bytes will actually overwrite your game state. Yes, right, so that's the key thing that they need to figure out, that if they send in just a too big of a solution, it will actually corrupt the state and they'll get weird boards, and then it's a matter of, oh okay, how do I now create a board that would be solvable? Right. So that's one that we considered. The other one was, don't let yourself be boxed in to your solution. It's a sudoku puzzle. That's probably a little more obscure. So yeah, I think we're gonna go with just, how big, like
how big is your solution again, question mark, or how many bytes is your solution, question mark, as our next hint. And I think we're gonna need to give them that because there's still some work to be done, right, and we want to give them both a shot at getting it, otherwise we're gonna go to our sudden death. So that's the hint we're gonna go with. Any type way to comment here from KGF: these seems interesting c-challenges, I think it would try them all but I'm sure it would take a lot longer. I would too, yeah, so that's okay. But it is a good idea in general for CTFs to try out challenges after they've been solved. Normally for a lot of CTFs people publish write-ups, so you can try the challenges that you didn't manage to solve and then use a write-up as a reference to guide your attempt as well, to learn more. I think the idea is that we are releasing all the challenges. It might take a few days for us to recover from this weekend. We have 15 matches, so another 11 matches to go after this one, but yeah, we will definitely publish them, and then you can even organize your own mini tournament in your own CTF team or hacker space. I heard from the 40 competition that Shellphish actually did some practice for this tournament by doing a small mini competition of their own within the team, which I think paid off, at least it appears it paid off, as one of the winning teams. Yeah, we'll see how far they can go. So we have the hints prepared. Jordan is going to go and hand that off to the players. What's the clock at? So we are, so 545, so we are 35 minutes into the game, which just means that we are running up against the sudden death clock here. Let's see if they can manage to figure out this. On the other hand, this is also kind of a similar situation to the previous challenge where we were 35
minutes into the game and then it kind of just clicked for one of the players and they managed to go all the way. So it's going to be really exciting to see what's going on. Still a bit difficult to get a read on Balsn's progress or their understanding. They're kind of looking at the code, probably thinking very hard. You can see the mouse moving around, trying to build this mental model of what's going on. You're kind of running the code in your head, you know, what if this has this value, how does that... It's probably the least interesting part of a live CTF, right? That's the only downside when you have a more reverse engineering heavy challenge, yes, is that you're just seeing people maybe name stuff if you're lucky, or add comments, but most of the time it's just looking at it, right? And you know you're getting closer when you start seeing a crash in a debugger and a payload being written, and we don't have it yet. I'm gonna go ahead and keep an eye on the organizers just briefly, yeah, and see if we get any of that similar progress. Right, so we have, oh okay, we did have a comment. Somebody else pointed out, thank you for clarifying, the reason that somebody was looking for the libc was to actually run it, because if you don't have the same VM handy, you can't run that libc, so you can just grab the libc from another version of Linux to be able to run the binary. So that is another completely valid reason that you might do that. Yes. Probably just easier to maybe look at a previous stream, or have we actually, I don't think we told people what platform all of our challenges were created on. That's actually a good note, yeah. So for future things we should, because that's again normal and in a CTF happens all the time, you have to figure out the OS that was created for match version information and whatnot, right? Not our intention
to make that part of the challenge here. And it's the thing, it's like Ubuntu 22 somewhat recently went in, like, LTS release and a lot of people haven't updated to that yet. I will accept shared responsibility on this, because, you know, update your computers, people. But 20.04, 22.04 would probably be that. Ubuntu, it's most common, or Debian. Yeah, certainly it's frequently. But all right, I'm gonna go ahead, take a look at the orders. I'll be back and we'll see how it's gone. Awesome. So I was talking about something when it comes to these challenges, trying to get back on my train of thought there. Oh yes, so with this, looking at another player looking at code trying to figure things out, a lot of times when I talk to people who are not experienced CTF players or don't know what CTFs are, you often get the question, oh, is this some kind of e-sports thing, or could you make this into some kind of e-sports thing? And to an extent this is kind of what we're trying to do here, but of course it has its shortcomings, that some aspects of CTF is kind of like watching someone else take a maths exam. It's occasionally not the most exciting. So by adding this commentary and trying to understand what the players are doing, we're trying to make this an interesting and educational experience for all of you viewers there. So I hope you do enjoy this and then have some takeaways, and definitely check out the challenges afterwards to also get a feel for that. Some of these might seem simple, but when you're sitting here and actually trying to do it, you have to consider and take into account all of these small little details. If you're just off by one, like a small bit somewhere, the whole thing doesn't work. You need to do all this
troubleshooting, debugging, and I think I mentioned it earlier, but when you're writing exploits, it's essentially like software development but with your hands tied behind your back. You don't get all the nice tools and helps and error messages that you get during normal software development processes, where you have all of these modern tools to help you. Here you're trying to bend something in a way that was not intended to be used, you're messing with the state of memory and so on. So you really have everything stacked against you, and that is a big part of the challenge when doing these pwnables, these memory corruption challenges. Looking here at the code, we can see that the Balsn player is writing some small helper function here to send a number. Maybe they're gonna try to use this to send a different number of numbers and see if they get any kind of reaction out of that. Haven't really seen yet what, oh, so now they're gonna send like a thousand zeros. That's interesting. So we have a comment here, like, yeah, it's unsolvable. Yeah, the sudoku itself is unsolvable and that's kind of the twist of this whole thing, that at face value it's just to solve the sudoku and win, but then it's unsolvable. So yeah, that's the recap for people just recently tuning in. And speaking of recap, just to tell you again a little bit about what we're doing here: we're here in Vegas, on site at DEF CON, organizing this live CTF as part of the official DEF CON CTF. So this is kind of a sub-event where all the 16 participating teams participate in this single elimination knockout tournament, where in each match the teams send one player to go head to head against the other team to be the first one to solve a relatively simple CTF challenge. I mean, relatively is
relative. Yes, yes, and I really want to stress relatively, and I want to be clear, I wouldn't personally solve half of the ones that we're feeling in the allotted time. We tried some of them and, you know, I could get them, but maybe take a little bit longer. So I have a lot of respect for these people. They're all very, very good, and they're dealing with the pressure, being on camera, there's a crowd standing around them watching them. It can be pretty nerve-wracking. So I'm predicting, oh, that is quite the visual effect there. Yeah, you know what, the photosensitivity warnings here. I think it's only an arm under i don't see no no it's not as well. Yes, we have some, yeah, so not sure what that's about. Feels like our whole infrastructure is slowly melting. So we know it's fine. Wow, that is unusual. Yep. Maybe we're getting hacked by the players, like through the HDMI cables. They're playing the other game, the other CTF. Yeah, I mean, we would be lying if we would say that we did not have a discussion about what shenanigans could the team try to pull off and how we would, yeah, measure against it or what we would do, so doing that kind of threat analysis or threat modeling against. Yeah, three more minutes. Wow, three more minutes until it's gone. This has been very fast, 45 minutes. It's looking unlikely that either one... I did see some debugger action, yes. I'm going to make one last pass. If we see somebody very close, so that they're making progress, we might be able to give them just a little bit extra, but basically we're about ready to deploy. Or if they actually want to extend it, that's not a bad idea. We can ask both. If they both say they want to extend it, we'll let them go, because they're the last one. Yeah, and so the rules are, if one of them says they want to go sudden death, then we go sudden death. If both of them want to extend it, then it's fine.
Exactly right, I'll see what they say. But ask them independently, one on one, to not give any pressure. Yeah. I mean, it would be cool to see a solution on this, and I think since we have been keeping up with the schedule, we do have that kind of time. But again, it's difficult to say what the players want. This is also kind of a game theory thing, like, do you want to go to sudden death or not? It's a high-risk environment, right, when you're going to do this super fast. Because you also don't know the progress of the other player. Do you think you have better progress than the other player in this challenge right now? And if you don't, do you think you have a better chance of beating them in the sudden death one versus catching up with them in the current challenge? It's definitely not an easy decision to make by the players. So what's the verdict? What do you think, what would you, if you're in their shoes? Oh no, I would say extend it, absolutely. Yes. Okay, nice, so we have a game here. Yeah, so I'm happy with this, because I don't want to change the rules in a way that they're unhappy with, but they both want to solve it. I mean, nobody wants to give up on it. No, no, you've been working hard, you started, you have a little bit of an idea, right? I'm glad, I really want to see them see this through. Yes, we'll let them go. It's the last one of the day, so we're not running over anything else. I'm actually kind of excited. No, 100. So, story related to that: I was playing in the qualifiers for the DEF CON CTF with our Scandinavian team Norsecode, and I was basically sitting all weekend with one challenge. I mean, I took breaks and met some friends and stuff, but there was a lot of hours. This is Perry's challenge? This was Perry's challenge, it was the crypto-pwnable thing. So after, I don't know if I spent, I don't remember, it
was like 10, 20 or 30 hours on this, but regardless, I solved it like two minutes after the CTF ended. Yep. And that, yeah, I mean, on the one hand it's crushing, and on the other hand though, you still solved it. Yeah, you still solved it, and that's the thing. When the time ran out, I could have just stopped, because it doesn't matter anymore, we're not gonna get any points, but I was so close, I did not want to stop there. Yep. Yeah, so the only saving grace, or what you want to call it, for that was that in the end, solving that challenge or not would not have affected whether we qualified or not. That would have been crushing. That's a little demoralizing, yeah, when it would have been the difference. Luckily, even with those points we would have been just below the qualifying limits. Yeah, so at least you had clarity there either way. Yeah, I was comfortable with that, that was fine, and also that means that I could be part of this without having to betray the team, right? So yeah. All right, okay, so there's a question here about whether it was n cats. No, this was a crypto pwnable challenge. It was about a function closure thing, C++. We could go ask, yeah, Perry, she's somewhere. She just was in the room, she just left, right? But yeah, I've heard a number of people that worked on that. It was a great challenge, I enjoyed it a lot, but it was tough. Okay, so we don't have a hard time, but now basically we're just going to let it go until either we are convinced it's going to take way too long, or, you know, we'll see at this point, but they both want to keep going. I would love for one of them to get it. It not only means we get to save one of our sudden deaths, but I think it's just way more fulfilling for them and for the audience to see kind of the, yes, the hard-won, the hard-won solve. So we're
looking forward to it. It is interesting that we've got ROP gadget address just kind of coming. It looks like a template, I think that this existed, because, yeah, hopefully they have an idea that that is. But we are seeing someone is writing something very deliberate here, right? This is like to print out the board somehow, but let's see. I mean, this double loop there is to print out some states, but that part above, you see something where they're cutting off, they're swapping. All right, oh, is this just to generate a valid, generate a solution? I mean, I would just search the internet for solved sudoku board and copy and paste it, but if that is what they're doing, that would be valid, right? So the idea is you want to overflow and stuff to basically modify the state into something that's either solvable or already solved, and so they need to have that. Okay, so we're seeing, interesting, we're seeing calculations, we're seeing length calculations. Unfortunately, I was hoping we'd get some more video from the new organizers. It came in briefly, yes, with some debug output there, right? Yeah, yeah. Well, we'll leave it up for a second, just got shown both, and we might be able to see a little bit. Yeah, see, there it's coming on. Man, that's tantalizing, that's so mean. Yeah, this cable has been, yeah, we might have to do some shopping. Oh, there is definitely a shopping run tonight, so we should be able to have this solved and out of the way, and that way we've got a long day, eight hours tomorrow, of hopefully uninterrupted stream. Yeah, we'll see if that turns out to be the case. I mean, given that we swapped out the capture card, the USB-C cable, the HDMI is the only thing we haven't swapped out, but it's been that same side of the table consistently, yes, having these problems, makes me think that, yeah, we've just got an HDMI cable
that is suspicious. So we'll see, we can get that going. All right, actually, I'm gonna go ahead and do another in-person look, I'm gonna go ahead, take a look at new organizers. We'll be back with an update shortly, because a debugger is generally a good sign. Yes, I saw, oh wait, I saw like a bin bash string in the debugger there somehow, but that doesn't really make sense, right? Because, well, I mean, with the intended solution, that doesn't mean they're not gonna do, no, yeah. And there also is the, so I'm trying to remember how the win function runs. It may be from the win function on the stack as well too, I don't remember, but now they shouldn't be getting to that. Yes, let's see. In the meantime, I wanted to just ask people who are watching, is anyone here in Vegas attending DEF CON, or are you watching from all over the world? Who do we have here? We saw someone from Kenya even chimed in earlier. Oh wow, they were watching, so we know we do have some worldwide watchers. Interesting to go and see those analytics afterwards, see who's watching. And by the way, if you are here at DEF CON, feel free to come by the CTF area. We probably won't be able to talk a ton, but if you come during matches you can watch the matches, if you come between matches you can have a chat with us, hopefully, if we're not panicking. Yeah, someone's watching from the CTF floor, okay, nice, and also from Europe, in the hotel room, giving their feet a break. Yeah, that's a wise decision, I think. I'm ready for my feet, my throat, several parts of me need a break. Oh yeah, I mean, we've been talking here for, okay, so this is interesting, these ASCII values are being converted to integers on this. So we're looking at a debugger dump of the game
state, right? So we do see the game state there, zero, you know, it's really obvious to see those numbers. Cool. Yeah, and you can see, look at that base thing there, you have generating a list of integers from zero to 96, which is interesting. Yeah, we have, what, you're from Estonia, Brazil, people who are saying they want to go visit DEF CON in the future. Yeah, I think DEF CON is a cool event to visit. I think they're trying to increase the amount of streaming and online presence as well too, so you probably will be able to find other streams. I think there's even some 360 degree webcam virtual cameras they're putting up in a couple of the rooms where you can watch what's going on, so they're trying to improve the accessibility. I mean, certainly with COVID in general, most conferences have tried to adapt better for, okay, we have somebody watching right next to our camera, let's hope they don't bump it. But anyway, again, checking the code here, the right thing, I'm trying to get a better feel for what they're doing. Again, they're generating a list of numbers. Okay, also they need to find the right offset where they overflow. This actually looks really good. Yes, this actually does look really good, I'm glad we let it go. Once they finish this, yeah, if they get the right offsets. Let me go look at the other one, but we might be closing in. Yes, so that's really cool. Once they get that thing, it's gonna be real quick, there's a big risk we're gonna miss the moment. But basically, if I'm reading this correctly, what they're trying to do is find the offset in memory. They're overflowing something, and then how far into this do they want to put whatever they are placing there, which should be the solved or solvable state. So yeah, they might definitely be onto something. Just switching the numbers around a
little bit. Maybe it's that they, so they switched the zeros to a one, which seems to have crashed the program, and then checking why this is happening. Yeah, we have someone from Morocco as well, cool. It's cool to see we have people all over. I'm trying to work out what time it is across the world at the moment, but wait, the people watching from Europe, it's in the middle of the night there, so that's dedication. Hope you're enjoying it. And trying to see here, they're just quickly looking at the disassembly again, maybe looking for some specific offset or so. Yes, they did get some specific offset to put a breakpoint there, right? And then they're also looking at the base. Oh yeah, to make the breakpoint, or maybe not the breakpoint, the offset where to inspect the memory. Oh yeah, people saying they're watching from, yeah, definitely middle of the night. Awesome, Netherlands represented as well. So I'm seeing some interesting stuff there, but what did you see from the organizers? From the organizers, yeah, so I hate to take bets, because I've lost a lot of money at this table so far. If this was a gambling arrangement, I would not be doing so well. But I also feel like I tend to favor my side of the table, and then we've had all these surprise victories from the other ones pop up several times. But all that said, I do think team Taiwan has a little bit of a lead. So looking at the new organizers, we've got a script, it's a mixture of some GDB, some pwntools, and then as well sending inputs and kind of breaking in. I didn't get the sense that they had an overall plan for what to do, right? But again, definitely the one thing I've learned is that I don't know what I'm doing anyways. It is really hard to understand exactly what's going
on in their heads, and so you're not always right. Whereas I will say it certainly looks like with that offset, right, we were seeing a valid solved sudoku, trying to find the right offset to line it up, which sounds like, from what I understand of it, is the intended solution. So we'll see. Yep. Can we get some confirmation, is the solution, if it's just misaligning the correct board a certain number of bytes, will that trigger it? Essentially any correct board at the right offset, so just put the right amount of padding bytes in and then it will overwrite it. The right, say again? Then you mark it as solved. Yeah, oh, just send anything and it will just mark it as solved, right? Okay, so what our producer there said was that first you send a solvable state, you overwrite the state with the solvable one, and then you just send something to trigger the recheck and have it be solved, and then you get to win there. And we can see here they are working out in a text editor. Yeah, it still looks like they're trying to solve the state as it exists, not overwrite the state with their solve. So what I saw, but I wonder, I'm a little afraid they got the overwrite, but if their exploit didn't try to send another round for validation, it overwrote it but then never, oh, oh wow, that would be terrible. So it is possible that they've essentially had the right solution, no, that just didn't re-trigger it to be able to actually get to the win function. So we will see. We're only a little bit late, actually technically we have two more minutes before the original length of this. All right, and we're running long just because it's the last one of the day, and we prefer they have a chance to do it if they can. But our voices will give out and there will be some point at which we say sorry, we're cutting you off, but none of us want that to happen. So we'll see. Yeah,
we're taking a bet here and hoping this will work. We're also about to lose power on our chats. Yes, Tunisia, excellent, welcome. Yeah, I've been to Tunisia for a CTF competition. Have you really? I actually think I got invited to speak there one time at a conference. And yeah, there we go. So let's see if that actually powers it, I don't know what this is plugged into at this point. Yeah, we have our power on one of our screens here. All right, good. And we also have a graphical glitch on the mouse and screen, but it's just blocking the ads, so I'm okay with it. That sounds great, that's okay. I wish all of my graphics glitches just blocked out ads as I surfed. Oh yeah, so as an employee of a big ad tech company, I would have to, a large tech company whose revenue might depend heavily on ads, yeah, you know. Are you allowed to run ad blockers? No, I'm not gonna make you talk about work. All right, I'm not gonna do that. All right, so here we go. So this still feels like we're trying to solve it. I don't see the exploit, like I don't see them actually exploiting it. Well, I mean, this might still work if their idea is to just overwrite a couple of values and then make it soluble and then put in the solution. That's not a fast solution. They're gonna inherently have to overwrite the whole thing though, right? Because they're just linearly... Well, I mean, it might be that they think that they can only overwrite the beginning of it or something like this. You're still gonna have a null at the end. No, not necessarily, because it's gonna convert in, right? Yeah, no, that's okay, that's fair. I mean, it could work. It's not the intended play but could probably work. So yeah, unless there's a question mark at the very end of the puzzle, if there's an unallocated one at the very end, that would have to be... Well, we'll see. Yeah,
we'll see. All right, a few more bits. Thanks everybody for hanging with us, this has been just utterly exhausting and super exciting. Just as a quick recap from our earlier games, we had a nail biter of a finish at the very beginning from Shellphish versus PTB_WTL. Oh yeah, they were, I think, within a few keystrokes of each other. You can't get a tighter match. I know we were looking at one screen as they were about to declare a winner, yeah, and then the other one popped, it just was so quick. Yeah, so that was fantastic, make sure you go back and check the replay on that one. We're going to end the stream today when we're done with this particular challenge. Oops, sorry about that, hit the mic. We're going to end the stream today once we're done with this challenge and we wrap it up, but we'll be back tomorrow. A long day tomorrow, so the stream is going to run for eight hours straight. Actually it's nine at least, because we've got eight, no, no, that's right, eight total hours, eight more than one hour now. We'll see, we may end up needing a break. Well, we're going to try to get breaks by trading off. You're going to see some guest commentators, we're going to have some other people come in and fill out different roles. I think it was already written on Twitter, but the idea is to have LiveOverflow hopefully joining in, and gamozo, Brandon Falk, so two popular people in the security content creation space. Yeah, I'm excited, looking forward to chatting with both of them, and I'm also looking forward to having a break, as we each get to, yes, maybe alternate every other round, so one of us will get to rest, and also make sure we give our producer Glenn a break as well. So yeah, we'll be cycling through that. We've got a variety of different challenges. Maybe for any of the teams that happen to be
listening, we want to talk about, like, the overall types of challenges that we have. No, no, no super spoilers, but, like, I will say, I think we're pretty representative, right? Right. There is a, uh, heavy pwn focus, a little bit of RE. Yes. There's, um, certainly a little bit, like, shellcoding or constrained exploitation. Um, solution, having a quick look here again. Yeah, trying to get caught back up. No. Oh man, so they have a solution there, right? They're sold screen. This is, I mean, it's, they have a solved solution, but. Yeah, there is a hashtag free Jordan, Glenn and call it. Uh, yes. Uh, so yeah, just to clarify, that's my, uh, nickname, or like, uh, then. So yeah, in, in, in the hack harder. Thank you. Yes, I mean, if. Thank you, uh, negasora, this random person who showed up in our chat, certainly not the author of this particular challenge that is, uh, stymied our opponents for so long. So, right, yeah. But, but, uh, you're not wrong. It's, if they just would hack harder, we could, we could take a break and we could, yeah, we could get some dinner. So let's, let us, because it is, I would say we are gonna have to hit sudden death pretty soon, because we're looking at another several minutes of sudden death as well. So, um, we'll, uh, we'll take a look. Maybe I'll take one more pass at new organizers. We'll talk about having a, uh, you know, giving up a sudden death. We'll kind of consider what we want to go. Um, yeah, I'll, uh, I'll go ahead and give a bit of a. Oh, just use a data glove. That's a, what is a data glove? That's a reference I don't get. Uh, isn't that the, uh, the, the game controller thing, the. No, that's a Power Glove. That's a Power Glove, yeah. Yeah, but child of the 80s, of course. Like, yeah, yeah, yeah. No, no, I mean, yes, that's a thing from before I was born. Sam, no trolling. No trolling, please stay. No, no, no, no, no, no. We will, we will find you. You're in the room. We remember this. No, we don't, we don't talk like that. That's, uh, yeah, don't use it. Yeah, next you're gonna be asking for, for network forensics or something, something crazy. Yeah, we might call the
goons. Yeah, I haven't taken you out of the room. Yeah. All right, I'll go check out new organizers and we'll be back. I'll give an update on the, um, DEF CON CTF scoreboard, uh, in the meantime. Um, so we, uh, have, like, a slightly larger spread now, uh, with, uh, like, spanning from just below 14,000 up to, uh, just above 18,000 points between the 16th and the first, uh, place, with, uh, Katzebin in the first place, MMM in second place, and perfect r00t in third place. And if I'm not misremembering, I think, uh, last year we did have, like, a top fight between Katzebin and, uh, PPP as well. They have kind of pulled ahead, those two teams, and created, like, a slight gap down to third place. So, uh, I do think this, uh, like, mirrors, uh, some of what we saw last year, uh, went with, uh, regards to, like, the standings. But this is only the first day of the DEF CON CTF. A lot of stuff can happen. Uh, this is, like, far from over. Uh, so we're gonna be keeping, uh, an eye on that, um, throughout the weekend and give you updates. It's, uh, yeah, I mean, if you're here in the DEF CON CTF room, you can see this really funny visualization the, the Nautilus Institute have put up. It's like some 3D animation of, like, a bunch of weird, uh, machines, uh, one for each team, like, spitting random objects at the other teams, like, showing, I guess it's showing, like, who is attacking whom, possibly. There's, like, seashells and stuff, uh, flying around. Uh, you know, I guess there's some joke about there about, like, shells and seashells and, you know, that. Um, but again, taking a look at, um, the, um, screen of Balsn here, I'm, I'm still not entirely sure with they have this, like, partial solution, or, like, a solution, they have a split up the solution into two parts, and then, um, trying to send some, like, they're sending some data and then they're sending the other solution. Still not exactly sure what's going on. Uh, so we have an explicit data handler, crazy keyboards. Yeah, I would have to look that up, uh, afterwards. Uh, but, uh, yeah, I still think, uh, I'm still thinking Power Gloves would, you
know, really help out in this situation. Uh, maybe you could have them, like, you know, different, like, ROP gadgets and stuff mapped to the different buttons and stuff. That's, uh, you know, the way to go. Anyway, you can see, uh, them, like, in the debugger here, inspecting the memory there a little bit. So I'm looking at the global variables. You can see you have the standard in, the standard object, and then further down they have these objects, and you can see, you can the byte values there, uh, in the, like, the middle of the, of the printed out block, uh, with the different digits of the Sudoku solution. Um, yeah, it, like, it feels like they are very close to, to getting it, but still, like, a bit unsure exactly what's going on. Um, so, um, yeah, we have, uh, Jordan coming back here now, so, uh, we'll get an update on, on where we are. We are going to give them a sudden death hints. We're going to give them a hint that is just, because here's, here's the, the thing that we have missed talking about it so far. I was looking back over with the, the example solution, and the, the, the nuance here is that there's a length check that, that we've been, that has been kind of showing up a little bit now. Length check basically, um, prevents you from, even if you overwrite it with a fully solved board, from actually solving it on that throw. So you overwrite the state of the board, all but the last one, right, and the last one you leave empty, and then you can just solve it by overwriting the correct last answer. I see. So it's a little bit along the lines what we've been talking about, but it seems that they've done, like, a weaker variant of that, where, uh, they didn't have, like, as good of a solution. There was a question here about, uh, is there anywhere to explain the CTF format? There's an A/D going on as well as these one-on-ones. Yes. So kind of like the main of the main CTF, the DEF CON CTF, is the, uh, traditional DEF CON attack-defense, uh, that, you know, we all know and love, uh, although, you know, there have been, like, variants and twists to it over
the years. Um, then within this competition, this live CTF is, like, a sub event where it's running parallel to the attack-defense aspect of this. So each team sends, uh, one player for each match, and then we play this knockout tournament, and in the end this will generate the ranking from the knockout tournament, which is then fed back in and will, uh, affect the scores of the main CTF, uh, event. So, uh, this will be valuable and might definitely affect the final standings of the DEF CON CTF. I'm not completely aware of, like, what's, like, the weighting factor is, like, how the scoring model works for, for the CTF. Um, and so, so I couldn't tell you, like, exactly how valuable it is to win the tournament versus getting second place, but we've been trying to find a balance where, uh, the teams can definitely. I'll tell you in a second, but yes, uh, first I'm gonna deliver the hints and I'll be right back, and we'll see if we can, we can bring this one home, right? Can you just read me the hints here first? Here we go: "First attempt overwrite almost all. Second attempt solves due to length check." Yes, sounds great, and we will see if this does it. Yeah, this is almost like a straight up solution. Like, this could almost be like a write-up for the. You have to understand what the program does, and that, that's the state that they've, they've got. Yeah, but they have that. Yeah, so now we're gonna give them, like, the final, hopefully final hint here, that we'll just, like, hopefully blow this case wide open and, you know, they have them solve it from there. Did we get any reaction from the players on that? I was too busy coming back. I should have, I should have watched. Okay, okay, I see. Yeah, we got, we, we got some forehead touching. Okay, says, says our producer. Yes. Um, so we'll see, will it. I, I think this was, this one I think is on us. Yeah, I think this was a little too subtle for what we're kind of aiming for, and again, being in a high pressure thing, it's just, not to say that these are not excellent explorers, it is just very hard, and there's,
this was a little bit of a little bit nuance, a little subtle nuance. Oh yeah. I think because of the, the way that the length check happens in the binary, you can't actually fully overwrite and expect to do it. It will already know that it's an invalid attempt, and so it's not solvable, but then you have overwritten the, the correct state such that you can then solve it, because you moved it from an insolvable state to a solvable state. Right. And somebody else might have got it, you don't know, but it's definitely, this is definitely a little harder. It's certainly, it's, it's more subtle than some of our previous challenges. Yes. Um, but, but we'll see what, we'll do our best to keep, keep dialing in the difficulty and see how it goes. So let's keep an eye out for the, the winner. We may see, because we're not looking at the new organizers, we might get that off screen, or we might see Team Taiwan pull it off here in the main window. So I'm, I keep rooting for, for whoever we have the capture card working on, just by very nature being on my side of the table. Yeah, yeah. Um, but, but, you know, like, uh, being a, uh, Swiss, not citizen, but Swiss resident, I'm, you know, kind of like maybe rooting for organizers a little bit. Uh, so are they, uh, are they a Swiss team? So they are a Swiss British-American team, I think. Okay. Oh, there we go. All right, so there, you know, have the winner. Congratulations! Awesome, awesome. Oh my god, down to the end, down to the end. It happened again. It's happened again. So I'm gonna go, you can go congratulate them, go talk to the team. I'm gonna go ahead and see, see y'all out. Uh, just a quick summary, I think we've already kind of covered what's, what's happening the rest of the day. We're gonna go recuperate, we're gonna fix our HDMI cable, so we'll come back with, uh, tomorrow we'll hopefully have, uh, the ability to see both screens more effectively, uh, instead of having the flickering that we had this time. And, uh, we look forward to seeing eight challenges. We're gonna have eight more rounds. We're gonna
finish up in the morning four more rounds of round one, and then in the afternoon we're gonna move straight into round two, and we're gonna go all the way from eight teams all the way down to four by the end of tomorrow. So come back and, uh, see that long day. Look forward to seeing you then. Take care and have a good one.