Good morning and welcome back to day 3 of Hack-A-Sat here at DEF CON CTF 30. Let's get ready to do it. Not Hack-A-Sat. I said I did it! I did it! I was so afraid I was going to do it. Welcome back to live CTF. Listen, we're going to edit that on the VOD. We're going to change it. Welcome back to live CTF here at DEF CON CTF finals, DEF CON 30. Let's get ready to do it. Let's let the teams get going for the semi-final round. Five, four, three, two, one, go! All right, so as you can see, we are starting to get a little bit tired here as we get towards the end of the competition. But we are down to the semi-finals, so we're going to have two semi-finals today and then the grand finals. These are important matches. Like looking at the current scoreboard of the DEF CON CTF, these points will affect the final standings. Absolutely. We're at the point where both the point totals are going up, the amount the teams are getting for making it further into live CTF, and the teams that are here are all teams in the top half of the scoreboard. And so this can change things. Yeah, definitely. Let's just take a quick look at each of the teams and see what they're doing. Starting over here with MMM, pulling up Ghidra. Was that what they were using in the previous matches? I don't remember. Well, so they've changed their players before. So I think Jimmo was using IDA, but... Yeah, IDA on Windows. Yes, yes. But we may have had Ghidra before from Robert, so I'm not sure. But... Right. Yeah, let's check with StarBugs. We can see a bit of a terminal starting with Python. Let's go ahead and tell everybody the name of the challenge, kind of the information on this one. This is called AES of Spades, AES of Spades, because really that's what it's all about, right? It's very important that you get the good name, the good pun. Yes. And then you figure out how to make a challenge out of it. Right.
And I originally made this challenge, or like I started making this challenge, and it was like in a messy state, and then Josh came in and kind of salvaged it and turned it into something that we see here today. So I don't really know what the challenge is about, except that as the name... You know what it was about originally? Yes, yes. And it's changed, and so we're going to find out... Right. I mean, it does involve AES encryption. Like that's definitely still there. We can see if we switch over to MMM's decompilation here, you can see that AES 128 in it and AES 128 encrypt. So there is some kind of AES encryption thing going on here. So they are doing a little bit of decompilation, trying to name the variables, making sense of what the program is doing. So we've been told that basically it's an arbitrary write dressed up with some AES encryption. That's basically what the challenge is about. But if we switch over to StarBugs again, we can see that they are using an online disassembler. I thought that was a little unusual. I was a little surprised by that too. So they are... I'm not entirely sure. They are verifying a couple of... Oh, they're doing some calculation with some offsets. I want to look at maybe some opcodes. Yeah. Oh, they're writing a little piece of shellcode, right? Yeah, you can see... Yeah, so they are putting together a small piece of shellcode. Oh man, they really need to learn Binja. This is what Binja is really good at. I'm trying not to do it too much, but I have to. I have to. This is exactly the kind of thing it works really well for. Yeah. You can stay right in the one app. But yeah, it's... So building up their payload using an online disassembler, online assembler rather. Yeah. And there we go. We get a brief little glance of the source code and they are off again.
So this is interesting because we can see that in contrast to MMM who started more like analyzing the code, they went straight into putting together some kind of payload. As you can see here, their exploit script being put together. There's some shellcode there that has been assembled. And I'm not entirely sure what the shellcode was doing. I saw that it was... And it looked like a pointer address. It was using some kind of pointer within the program and there was a syscall in there. Maybe changing memory protections. Well, it says it's code and it looks like they're dropping... I mean, right. So it could be, you know, an mprotect plus shellcode, right? Yeah. Yeah, but the thing they have labeled code looked like it had a... Is that a pointer? No, we'll see. I think it is. If we do switch over to MMM, we see that they've also started putting together an exploit script here. You can see they have this calculate key function. So I guess that they, in this program, your resulting payload could be like the result of the encryption. So... I mean, I will say watching StarBugs, like I... It looks like they know what they're doing. They certainly are making... Making an attempt to... They're XORing the IV with their shellcode. Oh, okay. So like, I'm not sure... That sure sounds like a thing that would be useful. Yeah. Yeah, so here... Okay, so the payload is the IV. Oh, interesting. Okay, so the IV that's used for the encryption is part of the payload. And so actually that makes a lot of sense. We're seeing them XOR that in. Yeah. Yeah, they saw that very, very quickly. Certainly faster than we could follow along as they looked at it. It makes sense, though. These are our top teams. Oh, so actually where did that? Oh, okay. So that was memory. That was a piece of memory that they pulled out of the binary. And they're XORing that with the code, which is the IV. Oh, okay. That's interesting. But it's actually interesting to see now.
So they are looking now in the debugger. I guess they are now testing out their payload to see if it is working. So this could be a quick one. Yeah, good girl being... I mean, I'm not sure exactly how many steps there are to this, but if we were already seeing some shellcode being thrown in there, there might not be too many steps involved here at all. If we switch over back to MMM, we can see that they also... They have this calculation function. They put a bunch of A's and B's in there, and from that they're calculating a key and an IV. And we can see they're starting to put together the interaction to send this key, send the IV, receiving an address. There's maybe like a leak, like an intentional thing. We would just give them something there. Yeah, and I don't see them yet creating that key. So if I'm looking at this now, it looks like StarBugs is a little bit ahead, just based on how they've already got the memory address pulled out. They're XORing with the IV, which is their code. So I'm seeing that looks certainly further along. And we did see StarBugs show up earlier into that payload and started, that said, I would say that first person to start writing their payload script has not been an indicator of success. No. It's been sometimes slow and steady wins the race, and sometimes quick to get your script out does, and so it's not... Not my consistent. We saw MMM here trying, testing their payload. I saw them like connecting to a local setup of the challenge. It was not a successful exploit, at least. That's all I know. It was hard to tell to what extent it was successful or not. The further along we get in this competition, the more we need pause, because these players are so fast, just trying to kind of keep up with them. We did see some of the classic A's being put in on StarBugs just a second ago off camera. Right. They're also checking memory mappings there, was it? Or... Yeah, I don't know if they're searching for their values that they sent in.
Right. So just to do quickly a little bit recap of where we are in the tournament, this is one of the first semifinals between StarBugs and MMM, and then right after we will have the second semifinals between Perfect Root and r3kapig, and the winners of those respective matches go to the finals. Yep. And these teams, I'm trying to look over a little bit at the scoreboard of the main event. And yeah, these are all in the top half, at least, of the scoreboard. Actually, r3kapig might not be, looking at that. It's really... Oh, right. Okay. So in order relative to one another on the top scoreboard, MMM is in number one, but Perfect Root is in number four. And I would say they're within striking distance, right? Right. For they're about 4,000 points behind MMM. Actually, a little bit less. They're almost about 3,000. Right. And it depends, though. If MMM wins this, they've basically fended off the attack even if they lose in the finals. I don't think anyone will be able to kind of close the gap to them based on this event. No. But if they lose now, and Perfect Root ends up winning in the finals, Yeah, that could be... That's going to put it real close. It's going to put it very, very close, and it will really depend on how they do in the main event. Right. Let's not forget that they have like almost... Well, it's like a couple of hours. Three and a half hours of this, yes. Exactly. Left in the game here, too. So definitely a really exciting... It's always fun when the competition is not decided until the last moment. It could go down to the wire. You want it to be... I mean, as an organizer, you want it to be. As a player, you would love to win it early. Oh, I mean, sure, sure. It is a blowout. When you're playing a CTF, how many times have you not been thinking like, oh, can we just not solve all challenges so I can go to bed? But yeah, that's not going to happen in the CTF. Okay, yeah.
So I'm seeing StarBugs over here is definitely continuing to tweak their script by pulling out the pointers that they're... The memory address that they're using. They're verifying that memory and updating the IV that they're storing. Because it's just called being made there. And then they are trying to figure out what happens afterwards. This might be it. Are we switching over to live? Oh, did it work? Uh, they look like they were... That's this. This is going to be... I mean, it's going to be tight. I think both teams have really good progress on this. So, yeah, no, they have some bad instruction there. There's something wrong. Yeah, there's a bug earlier. There's something wrong in their exploits. So not there quite yet. They're going back to the assembler. Oh, they switched it to... Oh, there was a typo there. They've missed a zero at the end of an immediate value. And so they had to shift it off so the value was wrong. And this is the thing, like, these... That's the little bug. You're working with this low-level stuff. Hold on, hold on. Did they just switch? They just switched to throwing live. They went through it live. Are they going for it? Oh, they are typing. They're just going fast. I'm just checking here. Oh, no. Oh, they're going. They're going. Oh, it did not work. That's such a port. Okay. There it is, here it is, here it is. Oh, typo, there it is. StarBugs, congratulations. Well done. A super fast speed race. Well done on the challenge, Ace of Spades. Congratulations to StarBugs, who make it to our finals. We'll see you back here for our next round. So, and welcome back to our second semifinal round. I'm psifertex here with Zeta Two. I introduced you, sorry. And on the line, we also have LiveOverflow. Hello, I'm back. Excellent. So, we got a three commentator matchup today as we get closer and closer to the finals. Here, we're going to have Perfect Root and r3kapig. And let's just go ahead and count them down right away.
Everybody, five, four, three, two, one, go. And we'll quickly switch over to the teams. They are ready for this challenge. Yeah, we saw, so they've been given the name of the challenge, Loopy Brain, which... And they were told it was an interpreter. All right. So, where does that take us? I think also the menu is immediately telling the teams what this is about. Yeah, they definitely knew what sort of challenge it was. In fact, we even saw one of the teams beforehand where the webpage opened with the spec for that particular flavor of language. Both flavors of language, I guess. Right. I saw... I was also actually looking at one of the competitors' computers before the start and they had in their exploit template, they already had helper functions for Brainfuck code. So, yeah, they're taking this seriously. So, wait, did I get this correctly? You mentioned them the name and they immediately knew it was about Brainfuck before they had... Yes, they knew before they even showed up. They were ready. We've got... Oh, you told them way in advance. So, we do tell every team the name of the challenge. Yes, like an hour in advance because we want them to send up the right person. Oh, okay, I didn't know. I think we had a problem with our stream capture. We may have been having some glitches there, but I think we got it all straightened out now. Yeah, it seems good. Right, yes. A little bit of visual artifact there. So, if you're on the stream, we should now be up. Okay, so let's go ahead and take a look. Again, they know that it's an interpreter. They know that it's pwnable. And I think this is actually a category of challenges that's been around for a long time. In fact, we were looking and we realized that someone had actually written a version of this like nine years ago for another CTF, it was a different challenge. Yes, but it has a lot of similarities. Very, very similar. Yeah, so we thought it was really funny. It's a common idea.
I think difficulty-wise, since Calle, you wrote this, like how would you rate this one relative to some of the other ones? So, the original version of this was kind of difficult, I would say, and then we toned down the difficulty a bit. So, I would say it's still definitely not one of the easiest challenges we've had, but I hope it's not one of the most difficult ones either. I had a quick look at it and immediately I thought, oh, that's going to be an easy challenge until I heard about or noticed a little twist that's in this challenge that does make it a little bit more tricky. Well, yeah, go ahead and describe what you saw, because I think for the stream, we're going to give them the pleasure of knowing what's going on, even as the competitors are having to figure it out. Yeah, maybe I should mention what Brainfuck is. It's an interpreted language that is working on symbols. You have, like, imagine a big field or something, and then you can move a cursor to the left, to the right, you can increment, you can decrement a certain field. And, essentially, here, the movement on this big array has no constraints, so you can have out of bounds reads and writes. And so it should be pretty easy to go out of bounds. And I don't know if that field is on the stack or in the global. It's on the stack, yeah. So you should, as you said, looking at it, you can just, like, oh, I'll just increment the data pointer outside the bounds of the data area into, like, the return pointer, and you're done, right? Right. And that's what I thought, oh, this is actually some, they should figure this out very quickly, and it would be quickly done. And then it's just about the tooling to get the Brainfuck program to manipulate the memory in the correct way. However, there's a size restriction on the Brainfuck program, and that makes it significantly more difficult. So, like, a lot of exploits, right? You're in a constrained environment. You've got a small bit of shellcode or a small payload.
So what are you going to do with that? Yes. So I think, yeah, go ahead. Yeah, the players are looking for something to loosen their constraints. And, you know, these things can get creative. There are many ways how one could do that. Maybe you can change the accepted size. Maybe you find an interesting, you know, maybe you can overwrite the return pointer and find a very useful gadget in an interesting way. I mean, it's a limited Brainfuck program, but with some creativity, they could find some very interesting exploitation paths for this. It's a little similar to the Involve Challenge before, right, where we actually had a simple command injection, except it was too few characters. And so they had to use one of the other vulnerabilities to make that limit larger, and then they were able to use the original kind of design. A lot of similarities here. And I think a key thing here is that the data array sits just after the program array. That's the key insight. When we see them naming like data and code and noticing they're adjacent to one another, that's going to be the point at which we know that they're on their way to figuring this out. If we look here at r3kapig, who someone says that it's how it's pronounced in the chat, if that's correct. Yeah, I'm not sure exactly which one it is. Yeah, we've been saying RikaPigs throughout the tournament, but it might be RikaPigs because they're from Team Eureka. That sounds good to me. Yeah, it sounds good. Anyway, what I was going to say was that they saw that there's a win function in the program. So they don't need to do a full exploit chain like a ROP chain or something like this. They just need to take control of the instruction pointer and point it to the win function. Yeah, there's different things to make it easier or harder. And this one, we already knew the challenge itself had enough difficulty with it that we wanted to make it a little bit easier once they had the ability to change a pointer, for example.
Right. Well, another way... We also can see the interesting setup from r3kapig with the interesting Windows 7 VM with all the reversing tools. Yeah. Not even full screening it, just like working in... I don't need the full resolution. I need two start bars, that's fine for me. I know, I'm impressed. It's like, it feels like a little bit like a handicap. Like they're playing with the difficulty set to high, to flex. So just switch over to Perfect Root here. I see a lot of blue stuff on this screen. Yeah, so they've actually opened up the file in Vim. So they're hex editing the challenge to change the LD string. I don't think I've seen that before. It looked like they were changing... All right, this might be to make it easier to run the challenge locally. Oh, modifying it to their version of the loader. You can see that it seems to be running now. Yeah. So did they also have problems with the version? Yeah, I think it was the version of the loader is different than the one on their box. And instead of... So we actually give the loader with everyone. So you can, one of the other teams demonstrated earlier, which I actually wasn't even aware of, that you can run the loader as an executable and then pass it the argument of the application and it will still run it, which is basically what the kernel does for you when you execute it. But so instead of doing that, they just literally put a bunch of forward slashes into the raw string using Vim, where the reference to that library was, so that it would use the local one that they had instead of the one-hour original system. Yeah. I want to switch back over to r3kapig. You can see them running the debugger here as well with the challenge. And you can see a little bit there in the background. You can barely see it, but they have this script and you can see all these like dec pointer, inc value, dec value, and so on. These are the helper... Yeah, operations. Yes.
And you can also see that they had a comment in the code with the ./submitter 2. So they already have the string, the thing they have to run to win. Like, so they're, you know, they're trying to make all the difference as much as possible. Yes, they know that this can be tight since we are like... Seconds have literally mattered. I was wondering what are the rules if one team is accidentally running submitter with the wrong team number? Then that result stands. So if you make the other team win, the other team wins. Yeah. So we have told the teams this. We did debate that and we told them that that was going to be the way that we would do it. So be very, very careful with your... And I will say it's... The risk isn't as bad as you might think only because each team, when they first connect to the server, they get a, they choose their team and it gives them their exact information. So most of the teams click their team name and then just copy and paste all the information from there. So, hasn't anybody messed it up yet? But, yeah. No, my fear there would be that someone would like keep their templates from like the previous match and then reuse it or something like this. Maybe for next time we should have like not just one or two, like a small... We should match with the global, the global IDs of the... For example, every team has an ID on the DEF CON network as well. Yes, yes. We should do something like that. Lesson learned for next year, yeah. There are a lot of things we can improve, but I think it's been running pretty smooth this whole thing. I hope you've been enjoying it, the people who have been watching throughout the weekend. So, I haven't seen anybody yet figure out that first constraint, right? I don't think I've seen anyone get their way out of... Well, we can switch over here to... It might be difficult to assess if they have seen it because it's like a mental note they would make themselves, right? Right.
We would have to look at when they start writing Brainfuck if they realize that they are constrained or not. Right. And that's what I wanted to point out here on Perfect Root's screen. So, they tabbed away from it now, but just when we switch it, you can see that they had this small program with the loop and the input. Right there, the P equals. Yes. You see, the comma is the input. It will take one byte input from standard input and write it to the current cell on the tape. And then the brackets are a loop. So, they are... They're kind of... I think they're going... You see there's an input in a loop thing going on. So, that's definitely on the right track. Though, I think they want the greater than sign rather than the plus sign. But, you know, maybe they have another idea. There are probably a lot of different solutions to this challenge, but you need to escape that initial constraint. Yeah. And letting it overwrite into the next buffer and then getting the interpreter into that buffer. Right. So, there are like... Is probably the hard, like the main... That's the bug. Bug. Yes. Exactly. So, what... Well, there's essentially two bugs, right? Yeah. It's the one that I've also mentioned initially here. Yeah. I think you can increment or decrement the data pointer outside the data region. Right. But then to be able to have enough code to do it in the first place, you need to escape this like nine character program limit. And the way you can do that is it can actually get the instruction pointer to jump into the data region. So, they're going to stage up their shellcode. That's what we're looking to see. If we don't see that in the next five minutes or so, I think we're going to want to give them a hint on that one, because we're going to want to see somebody with that second stage, because they still have even more to the challenge, even after that point. So, we'll see the exact timing and we'll figure it out, but there's more work to do.
So, this one is... Again, this was a little on the harder side, but it's also super interesting that they have to kind of like chain these things together. Yes. So, we can see here on r3kapig's disassembly, you can see that they're looking at the reading of the program. Like when we're reading in the program, they're looking to see if they can smuggle, for example, they saw that we're using the string length function there to maybe check if they can smuggle like null bytes or something into this. Yeah, not exactly sure where they're going there, but just looking more into the... You can see now, they have the cursor basically on half the bug there. You could say that the loop of the interpreter keeps going specifically until the program counter, usually in a situation like this, you would have like a comparison be like program counter is less than the end. But in this case, it's program counter not equals that specific size. So if you manage to get the program counter larger than nine in this case, it will keep going. Yeah, so that's part of it, but then how do you get it past it in the first place, right? So that's the other thing that they still have to find. I also just noticed that, I mean, I have seen the source code and I didn't quite realize at the moment, but I'm seeing it here in the disassembly that the size is hard coded. So it's not a variable that they can easily... change. So it is definitely a bit more tricky to escape that. In my mind, I thought they can change that limit from a variable standpoint, but it's definitely hard coded. So it's right there as an actual value. Yeah, the immediate right in the... Yeah, the immediate, yeah. Compilation, yeah. And yeah, we can... That might be quite tricky. So... Oh, they found the bug here on Perfect Root. Yes. So you saw there very briefly, in their small initial payload, you saw that they had an unmatched opening loop bracket at the end of their code, and that is exactly the bug.
So if you have an unmatched bracket, the subroutine that handles the loop, it will, when it sees that initial bracket, it will then keep searching forward. And it doesn't stop at the maximum limit. Exactly, because that check is in the outer loop. This is in the subroutine to find the matching bracket. It's handling that particular bracket, yeah. Yes, and it will just keep going until it finds a matching end bracket. So you need to first write a right bracket into the data section, and then have a left bracket in your code, and then the program counter will then... And just to clarify, when you say data section, it is specifically the buffer in memory that is for data on this... Right, I'm not talking about... Yes, the actual data section that exists in the ELF. No, I'm talking within the Brainfuck context. We have the program and the data. Excellent. So yeah, so I would say Perfect Root, well underway, no hint needed, perfect timing. Yeah. That is great to see, and we're just looking to see if r3kapig can catch up, which certainly there's still a lot left to go, so it would be at all possible. In the previous matches, r3kapig has shown they spend a lot of time in IDA, and it always feels like they are behind because they are still just reversing. They're not working on exploit, but then suddenly they start crafting their script almost blindly without really a lot of testing, it seems like, and suddenly they really run full speed. Yeah, exactly. Very different styles. You see a lot of both. You can see that they are, I think, looking at the GOT table, and now back to the interpreter. I haven't seen that much of their exploit script yet, so as I said, they're just really looking at the code, trying to figure out what's going on. Yeah, feel free to hang out with them for just a little bit, too, we'll wait and see if they bring up their code. Right, yeah. They might catch a glimpse of that.
I'll keep an eye on Perfect Root, let me know if something's happening over there. So I'm, this is really the situation where you would want to be able to read the minds of the players. We just got a pause time, go over there and ask them, what are you thinking right now? No problem. Oh, that's surely going to be appreciated. Yeah, I'm sorry, can I interrupt you? This is what you're really trying to thought, will it? Right. But it feels like they have not quite seen this loop bug yet. That's my impression. When you do programming or reading assembly, when you have experience, you have this mental model and you can really reason about the code that is happening. But Brainfuck is a language you usually are not used to. So now not only do they need to craft the Brainfuck program, but they have to craft a very small buggy program that does something interesting. And reasoning about this little code, condensing it down these kind of abstraction layers you have in your mind when working with code bases and so forth. This is all missing with Brainfuck. And I think that is really, really difficult to do, especially under pressure. Yeah, definitely. I had this when I was creating the reference solution for this. There were several moments where I went like, oh, I'll just do this. And then I realized that doing this is something that would be trivial in a normal programming language or anything. But in this context, it's actually quite a hassle. Yeah, and you're kind of merging these two contexts too, right? Because you have, and this is actually really interesting because while this is clearly a toy language and not real, it very much models what you see, like in a browser and JavaScript, where they have a virtual machine, they have often multiple interpreted languages, and you are both working within and outside of at the same time. So you have to work within the memory model of the native program. They're breaking the layers. Yeah.
Yeah, so I think because we're seeing progress here on Perfect Root, we're good without a hint. They don't seem stuck. They seem like they know certainly the first challenges. And r3kapig still got time to catch up. So I think we're okay. Yeah, checking with the... We also do have a little bit of extra time too between this match and the next one. Right. I'm not sure if you mentioned it also. Oh no, you did with the unmatched loop, where that Perfect Root has that already in the code, right? Yeah, exactly. So you can tell there... And you can also see there was some debugger output there when they were looking at the memory. And they're right here. You can see all those 3E's, I think, if I remember correctly, that corresponds to a dot, right? No, that's 2E. So 3E... No, it's one of the relevant characters in this and you can see that there are way more than nine of them. I think it's going to be the greater than thing because they got the greater than just 128. All right, you can see they're in the payload. They're writing in a lot of greater than, oh, and this is exactly what they need to do for the stage two. This is exactly what you see they have... Move that pointer all the way over into return address or something else, right? Right, right. So they're definitely on the way. So I think they're just calculating offsets. They're just trying to figure out how far to move it over. Right. And then they need to figure out how far they need to, or what they need to increment to get that original return address over to the win function. Yeah, so the idea here is that you walk the data pointer over to the return address. PIE is enabled, so they will have to print the current return address on the stack. They print the current return address on the stack, use that to calculate the address of the win function and then write back the new value. Or a partial overwrite of the return address might also work fine. Yeah, couple of answers.
Just for clarification again, what we are seeing right now with the Brainfuck program from Perfect Root, they have an input loop. The comma is input. So basically they will have a loop that keeps wanting to get input data. And then they send that and that causes writing more of the code. And then the original program has the open bracket, which is now matching what they were inputting later. Yeah, so because they put another bracket later, that lets the part of the program that is looking for that match jump over the end of the code. And when it finishes in the data, the later on check that says, am I equal to the end, says no, you're not equal to the end. Keep going, this is fine. And it continues to interpret. Right, and you can see here that the additional data you've got in there through the input loop came in through all those commas. Exactly, yeah. Right. And you can see that the second phase there in the exploit script, it starts with a closing bracket to catch that jump. Because otherwise it's going to go right past it. Yeah, that is going to crash. It's looking for the matching bracket, just keeps going until it's either there or it hits the end of memory page. Something weird is going to happen. Yeah, exactly. So it's not going to do what you intend. So they definitely know what they're doing here. They just need to figure out the details here. Yeah, we're having some discussion in the chat here about the Google CTF Hackceler8 competition that I was involved with and a lot of my colleagues. There are like similarities to this, but there's like the game hacking element to it as well. It is a visual element, which is nice. Right, yes. So we will be hosting that as well in September. People are asking for videos. Are videos from 2021 coming out? They are coming out. We've had some, there was a lot of work. There were people getting like long COVID.
There were like a bunch of unfortunate events, but the videos, the video files still exist and we will release them. Not lost, they're coming out. No, no, no, we have them. I have a spreadsheet tracking all the different video files. They will be released. So yeah, so keep an eye out on social media stuff for the Hackceler8 information as well. That's going to be super fun. We're actually doing it on site this year. Oh, very nice. Trying to bring an esports vibe to it as well. I think that would be super cool. Fantastic. Yeah, it's really exciting that we're seeing more and more of these events that try to let you see inside the hacking as it happens. Yeah. I guess it's not a coincidence then that those of us that are involved in it tend to be involved in multiple things too, so. Yes. I would say the area of security, live hacking competition. It's a very, very small field. Yeah, very niche. Yeah. All right, so we've changed up the code a little bit, so we've got our ending bracket. We're going to move the pointer just a little bit extra. But that's actually, it's the problem that the data pointer and the instruction pointer are essentially overlapping right now in their code and they're trying to. Yeah, this is exactly what I think, you know, LiveOverflow, here you were talking about. This, you need to create this mental model of these two pointers walking this buffer and it's not really something that you're familiar with. Yeah, so I'm just looking at this. My guess is that you can never win this race though, right? Because a single byte is a single byte and so if your data pointer and instruction pointer are the same and you're going to move them both the same, right, wouldn't you have to put it into a loop that would do it faster? That's how I did it. I basically just had a loop that went on until, like I had an input loop and then until I sent the null byte it would stop.
Yeah, yeah, yeah, I think they're going to need something like that because I think essentially just putting a bunch of move bracket, move rights is going to increment both the program counter and the data counter at the same rate, right? And so you're never going to win that race because they're both moving forward at the same rate. I guess that would be different if each byte was stored in like a bigger structure, like it was like a dword or something like that, you might be able to misalign them differently that way. But so I think until we see that, they're going to be stuck on that stage unless I'm misunderstanding where that is at. And so let's, yeah, are we seeing anything from r3kapig? Because they have some ground to gain. They have been staring at the IDA code still, I think. I do wonder what they are thinking because they must see that they can move that array out of bounds. For sure, I cannot, like it's too easy. They for sure have to know about it. It's hard though when you get put on the spotlight, sometimes something that would be immediately obvious if you were sitting at home. But I do wonder if they've seen the restrictions and they understand, okay, we can't actually pull it off and maybe they are hunting for a second bug and maybe playing around, they might notice, could notice it, but I think they are just like in their head trying to figure it out. Yeah, that's a good point too. Again, that's what we saw earlier, is that maybe they're trying to just put this together in a one-shot as opposed to build a small piece, test it, build a small piece, test it. And so speaking of mental models again, you can see that thanks to how the program was compiled. So if you look at the source code, the program array and the data array, there are two separate things. There we go. Oh, nice. That's a good looking one. Yeah, yeah. So they are looking at the definition here. They're looking at the loop construct. Yes, that is an interesting thing to look at.
I think that's a fantastic thing to be looking at. And look how they write the code here. They write it in pseudocode and probably translate it then into brainfuck code, because this is just easier for them to reason about what they are doing. However, I do wonder if they missed then this trick with the keeping open bracket, because that is something you can reason about in a brainfuck program that is moving the cursor forward while a dangling open bracket is not something you would think about. No, if you were writing in C and you would have an unmatched bracket, your code wouldn't compile. So that's an error. You fix it and then you're done. So I was saying in the source code, the program array and the data array are the two separate variables next to each other. But the way this is compiled, if you look at the decompilation, it looks like one array and then there are a bunch of offsets sometimes when this is being accessed. So that can make it a little bit harder to reason about this. You need to kind of detangle this and say like, no, this is not one array. This is two arrays that happen to be next to each other. Yeah, and that's the part that I think we're still not seeing Perfect Root kind of piece together because they're trying to treat them independently without realizing that I think they happen to be overlapping. Because they've got this, they believe they've calculated the distance correctly, but I think that all they're going to end up doing is overwriting if they put too much data in. They're going to end up actually just overwriting the return address with their data, which won't help them. Because they're not going to be able to write the proper values. They're all going to be arrayed things that happen to match these characters. Perfect Root is going for here now, testing writing arbitrary bytes instead of increments with the input command, which obviously would save space.
Yeah, I think they came to that conclusion as well and realized, oh wait, let's just put the value, the direct value that we want over top of it. Again, I think that the only piece they're missing is that they need to be able to increment the pointer more efficiently. Yeah. Or sorry, increment the data pointer. They need to be able to move the data pointer to the right without having the code pointer move at the same rate. And so once they put that together, they should basically be done. So there are basically two ways you could do this. I think. No, no. It's a fundamental flaw. They need a loop. They have to have a loop. Yeah, I thought that they could have stuff before the closing bracket, but that's the wrong direction. That's the other way around. Right, it will be after that. It doesn't matter. The closing bracket always begins. It just makes the problem worse, in fact, if you do that. Yeah, exactly. So yes, they do need the loop. And this is exactly the type of problem you would face here. You're thinking like, oh, I'll just overflow the buffer. And then I was like, oh, no, wait, but I'm kind of like cutting off the branch. I'm sitting on it while I'm doing it. That's a great analogy. Yeah, it's a great analogy. All right. So there is a chance that we need to give different hints, potentially. Maybe if they're both stuck and they're both not making progress, we need to give them each a relative hint. I hate to do that. I would really prefer to give the same information to both. But if we end up, I think we're still okay on time. And so I don't think we need to immediately do anything. But just something we've got to figure out. r3kapig was highlighting the limitation of the length. So I think they are still struggling with... Yeah. I think they need to get past that initial hurdle. And Perfect Root is just really still stuck on this one. But we have time, I think. And honestly, r3kapig could come to this realization and still catch up to Perfect Root.
Like that is absolutely still possible here. Yeah, maybe their mental model is already much further. I don't know. They spent a lot more time in IDA. So maybe they figured out the array situation. Right. Maybe they would better understand that and be able to create that loop to get them past that point. I will say though that what Perfect Root is doing makes a lot of sense in terms of analyzing things in the debugger while they're doing it. But what I think they need to do is to track the variables that represent the pointers for the data and for the code in the virtual machine itself. I think that would really help them realize this. So what they keep looking at is just the raw, like the stack frames basically. It's just the raw data where everything lives. They're not looking at what is the pointer for the code and what's the pointer for the data and what's happening there. And so I think checking that in their debug script each time would probably make it click for them what they need to do. But we'll see. I want to get a question in chat. Actually, I would love to hear both y'all's opinion on this. Somebody says, how can I start learning CTF? What do you guys each recommend? It's a great question. Yeah, LiveOverflow. What's your take here? Let's start there. Well, I hope my videos help. I have a binary application for this. And then that might go to because I learned by doing it. I didn't have videos. So recommending the way I learned is through war games, like OverTheWire or picoCTF. I haven't done picoCTF myself, but that seems to be an amazing resource everybody recommends. And OverTheWire, these are the type of challenges that I really learned with. Yeah, there's pwnable.kr. Oh, yeah, there are many of them. Yeah, there's a whole bunch of them. I would definitely say if I were to name one starting resource that would be picoCTF, that's where I would start. It is really, really well done. Yeah, they do a good job with that.
It starts very easy, very simple. They have help forums where you can ask about it. And it slowly ramps up. They have a wide range of categories. So it's not only like the pwnables that we've seen in this tournament, but they have like web challenges, forensics, cryptography, all the stuff. And all of these popular sites, like picoCTF and OverTheWire, there are lots of solutions online, which you should, you know, you need to find the balance between avoiding the solutions and at some point looking them up, but not just looking them up, working through them in case you choose to look through it, try to maybe look at it, and then close it again and re-implement it. You know, there are various ways how you can learn, but just don't cheat yourself, but... Yeah, you could fail on either side of that, right? Like you can never look at the other resources, which is kind of, some people stubbornly refuse to like do it with any outside kind of help, which takes them longer to learn things. And then other people look too early and never force themselves to go through the learning process. So I think that's a great way to describe it. I mean, the reason why I enjoyed seeing live CTF back in the day was exactly this problem because I was playing these war games and, you know, doing it kind of my way, and I've never seen anybody else. How do they do it? And then I'm seeing live CTF and they solve a pwnable and I see how they do their exploit script and everything. That was mind-blowing to me. So yeah, I think it's important to, you know, take advantage of all these resources, what they can offer, and combining them all together. Yeah, I think you're not going to be as fast as the folks we're seeing here today without years and years and years and years of practice. No, yeah. These are people who are at the top of the field and have really practiced. They play a ton of CTFs and it takes a lot to kind of get here. So don't be intimidated.
If you see them doing this, I mean, even like as casters when we're watching them, we're in awe at the speed that some of these people look at. I mean, like all three of us are, like, you know, fairly experienced CTF players, but we're still, you know, impressed by this thing. I would say we're mid-tier compared to what we're seeing in front of us speed-wise, certainly. And this challenge is, like, doable. I think both players know that this is doable and still it takes them a lot of time and they are super fast, you know, like, but maybe from an outsider, it might seem crazy that you have to spend an hour on something that we would call easy, but it's just a matter of the fact. These things just take a lot of iteration, tons of information you need to think about and reason about. Yeah, even an easy challenge takes a lot of time. I think we do need to give a hint to both teams. I think we're going to do the same hint to both. We're going to write two bits of information to each one of them. Yes. Right? Because we're going to write the same hint to both, and they both get the same hint, but it will contain two parts. Yes. The first part will... What about doing, like, opening bracket, closing bracket, opening brackets as the... As that one? Actually, you know, maybe we each give them each just half the hint, because the problem is if we give... Oh, then we tell them where they are. ...r3kapig, we're telling them something, we're telling them something that Perfect Root has already figured out. So we each tell them one bit of information to get them past where they're currently at. Right. This is... But in terms of fairness, both hints, wouldn't it be just put it on the same paper? So the problem with doing both hints, here's the problem with both hints. If you give both hints, you're telling r3kapig something that Perfect Root already knows. Well, depends on how we tell them, right? If we do... So both of them are struggling with loops, right?
So maybe with the hint is like, maybe you need a loop for... Have you considered using a loop? Yeah. Yeah, have you considered that? That is the exact same thing for both of them. Yeah. That's fantastic. Okay, okay, okay. That is brilliant, and I love it. And I think we should definitely... I think we should do that. So that's a hint. Have you considered this? You need to use a loop. Yeah. Because they both do right now. They both need to use a loop. We will give the same hint, but they will have... There's different contexts to it. That's fantastic. So Jordan is preparing this hint. So there was a question here in chat. What would you guys say is the CTF level of this challenge? So like in any normal CTF context, I would call this a fairly easy... An easy challenge, but for like the... If we talk the big... Serious CTF... Not serious, that sounds so... No, it's not an easy beginner challenge. It's an easy challenge. In the context of teams that have been playing CTFs for 10 years. And in that context it's an easy challenge for anybody. Like even for me, you know, that's a nice challenge. I would spend a couple of hours on it probably... It's doable. It doesn't feel impossible, but it also still has some trickery you need to figure out. Right. So we are about to give them the hints now. Jordan is going to go sort that out. Yeah. Yeah, there's this traditional... So mentioned here, it's like... There's someone saying it's a 200. So sometimes we'll hear, especially older CTF players, like rating some challenges on a 100 to 500 point scale, which to players who started playing in like the last couple of years doesn't really make sense, because nowadays we typically use the dynamic scoring system. But you know, the most common format of CTF is the Jeopardy style, like inspired by the TV show. And in that show, you have like in each category, you have five questions of like 100, 200 and so on down to 500 points.
And that is how CTF challenges used to be scored back in the days. So yeah. Yeah. So the dynamic scoring system that's currently in use makes a lot of sense, because you're sort of letting the... One of the main problems, and you've seen it here this weekend, right, is we think something's easy and it turns out to be harder. We think something's harder and it turns out to be easier. Like we generally have gotten it pretty right, but it's impossible to be perfect. You're not going to get exactly the difficulty, right? Because you don't know exactly how people are going to solve things or what they're going to see. And so dynamic scoring... Yeah. And then into what kind of technical problems you run into. I mean, there's solving the challenge thing as one thing, but then maybe you cannot run the binary. Oh yeah. Turns out that the emulator can't run in the debugger. Maybe you look at the wrong thing. Yep. Maybe you misinterpret something as a bug that is not a bug, or you know, tons of dead ends you could run into and waste time on. Yeah. And so all that can factor in. So being able to dynamically score challenges is really nice. And it's essentially the organizers saying, the fewer teams that score this, or maybe the longer time it goes unscored, the more points it's going to be worth. And then the more people that solve it, the less it will be worth. And so it kind of self-balances. And so you gain more points by solving things that fewer of the teams solve, which kind of makes sense. And then if something is solved by fewer teams, it's more attractive. More teams want to solve it because it's worth more. And so it's sort of like it really does a good job of letting that problem of the organizers not being able to perfectly gauge the difficulty not really matter, because the team that solves overall the most things that were solved by the fewest of the people are going to be the ones with the highest score.
It also kind of took away the first blood that was often in some CTFs, which is with time zones, sometimes a little bit tricky. Yeah, it's very controversial. And even in person, even like here at DEF CON Finals, I'm not a huge fan of first blood. So that concept is, the first blood means just the first team to score on a particular service. And so there was something as a bonus pool of points that could only be, and some of them were like even stages of the first three teams, we get some sort of back off on points to do it. But yeah, especially with things like time zones, it can be really hard to have that work out. The other problem with first bloods is that, or actually it's some of the reason that people did first bloods was to try to counteract big teams. Because large teams can spread out on many, many different topics. But a few really hard challenges that only an expert could solve, by having first blood points, you're incentivizing your one particular really good person. So that's actually one of the other things that organizers have to consider is do they want to let their game be winnable just because somebody has a really, really good team of people who are all pretty good? Or do you want to focus on a core team of experts? And these are like topics that people who are in the CTF community or organizing CTFs like love to discuss these things about like, you know, how do we create a fair competition environment where you have these different like conflicting aspects like, you want it to be accessible for new players while also being competitive for experienced players and you want to encourage the right type of behavior and so on. So it's definitely not an easy thing. Coming back here to what Perfect Root is doing, I mean, they were given the hint now that loops might be the solution to the problem they are having, but as they haven't executed on it, their code still doesn't include any loop thing.
They might be set on something, they might believe that they are on the right track and keep going as far as I can tell. Yeah, I'm afraid they either thought the hint applied to the thing that they've already solved, which it kind of did, which is why it was relevant for r3kapig, but they might not see how it applies to their current problem. But no, so actually, I just realized they might not need a loop. Go on. Yeah, so. I mean, if they carefully overwrite the values, right? No, so you, okay. Everyone try to picture this in your mind now. We need a whiteboard. Yeah, this is where we need a whiteboard. No, yeah. Professor Carl needs to pull up a whiteboard. Right, but so you have the data, the program section, it's small, and you have the long data thing here, right? And then you use a loop here in the program thing to start writing stuff here. So you write data that's coming, and you're writing a brainfuck program here. And then right in the beginning here, you have an end bracket, right? So your data pointer will go over here. And then you will stop at this, and this will then jump to the end of your program and jump to the end bracket here. So your instruction pointer is still, like in the beginning of your new program, while the data pointer is like, you know, in the middle or later. The data pointer at the end of the payload? Yes, and then they keep going, like they do go in tandem, but the data pointer is always going, racing ahead of the program counter. And then as long as you have, like, enough instructions, because you're going to need to go back and forth a little bit to read and write, and you might need, you know, it might catch up to you. So as long as you space all of that correctly. And you actually could put some additional padding there too, right? Like you could just easily pad that out. All right, like you could put just extra characters and have your data pointer be at the very end. So this is definitely doable without, well...
We think it is. We've proven it. So it could be doable, but it certainly would be easier to do it that way. So we might just be seeing... So yeah, so maybe they're fine ignoring that hint and continuing on, which, yeah, we'll see how it goes. Right. r3kapig is still working with the pseudocode, trying to reason about it. There was a comment about a leak, pointer to the leak or something. It's just, it's unfortunately just below what they are showing right now. Yeah, it's a... But essentially it's the same loop, right? Get the pointer via loop and then pointer get. Like that's the correct thing. And now just curious if they leave that bracket then at the end open. You know, this is the read-in loop that Perfect Root also has. But if they figure out the open bracket, it's still unclear. And I want to switch over to Perfect Root here because I see what I think they're trying to do when they have a bug in their code. Again, you can see these like dot plus, dot plus and so on in their code. What I think they want here is a dot greater than, dot greater than to like dump out. You see, I think there are eight of them in that or maybe that's just six of them. But the idea here is that they... You want to use the dot to print the current value and then you advance the data pointer to the next step. But the plus sign increments the current value that it points at, which is not what you want to do because then you're just like those dots... They should see it at least, right? So in the output, if they're watching the output, they'll notice that I'm just getting this incremented value. And this is why they're getting... You can see in the output there, they're getting NOPQRS because they're just incrementing the same byte and printing it out over and over again. So they want to change those pluses to greater-thans to... If they're trying to actually dump out. Yeah, good catch, good catch, yeah. You can, you know, you might notice that I've been...
Had to program a bit of brainfuck to build this challenge. I would think so. Yes, this is, you know, not healthy. It is at least, you know, one of the things I've seen teams do on similar kind of challenges is just do a similar kind of virtual machine but totally different instructions. At least this one is sort of intuitive, like plus and dot and greater than and less than. Correct. In fact, I think we even added, from the research we've done, we added one instruction here. We extended the language with one instruction to make the challenge easier. So in my original solution, because like if you do an overwrite of the return address, you need the function to actually return, right? And the only condition for the loop to break is if the program counter is at exactly nine. So in my original solution, you had to like make something to make the program counter jump all the way back to the beginning. But we decided that we get rid of that and we instead add another instruction, which is the caret character. And that will just... It's a little up arrow, so... Exactly. So like instead of going left or right, to go up to go out, yeah. So, but it is nice that this is at least kind of intuitive. These aren't just random letters. I feel like, well, actually, if there were random letters, what you probably would see was them using more of those kind of macros that help us to define a variable that's called inc or dec or next or prev or something like that. And you'd use those in line instead of the raw characters directly. Right. Oh, you told. Yes, go ahead. I was just seeing in r3kapig, they figured out the unmatched bracket. Oh, fantastic. You see here on line 60, there's a comment unmatched bracket. Oh, yes. Yes, I saw it. Nice. Oh, very, very good. And I also wanted to point out over on the Perfect Root side, you can see that they changed all the pluses to greater-than characters in there. They're both making good progress. This is fantastic. Oh, that's really great.
So we can see, do we think that r3kapig can catch up to this? That's the, you know, exciting thing here. Just trying to keep an eye on, you know, both teams here. So back to the chat question, there's a little bit of discussion going on about dynamic scoring and whether it's a bad signal for beginners. And that's true. You can't actually, one of the downsides is if every challenge starts at 200 points or 100 points and it's just based on how many people solve it, you find the ultimate difficulty, it's hard as a new person to know where to start. A lot of CTFs will kind of give some hints. They'll say an expected value or they will say, have some other difficulty ranking independent of the points. And so that way the organizers can say, we think this is hard. Hey, it turns out it was easy. It was a bug that they didn't intend. It ends up being using the points drive low. So you can see that signal afterwards and go, well, I wasn't going to try it, but looking at what people solving it, maybe we're going to try it now. A lot of the long running or like notoriously difficult CTFs sometimes have like a category that they call like baby or like a tag. Baby's first or maybe challenges. So that they would say like, you know, okay, we have a lot of difficult challenges, but we have selected a few here that we think are going to be good just for people starting out. Also, you can just wait a bit for, you know, wait a couple of hours into the CTF and see like which ones are being solved. Yes. But you don't even have to do that because when I play CTFs like this and I try to find the challenge that is easy, I don't need to wait until the points are degraded. I look at the first few solves of the challenge and if it's teams I know, like the big, you know, the top CTFtime teams that solved it, I know, okay, that's probably hard. But if it's like teams I don't know, then I assume, oh, that is doable. That's a really interesting signal. Yeah.
There's a lot of like metagaming that's been developed over the years. All right. So we're still seeing Perfect Root is tweaking and tuning. I haven't seen, okay, so they're inputting in. Yeah. I mean, I'm looking at the code, the payload there, and like the structure is all correct. Like they're dumping out. Yeah. They're rewinding the data pointer. Oh no, no, they have another bug. Do you see the last back arrow needs to go forwards instead, because they're running over the return address to print it out and they're rewinding the data pointer. But then they need to go forwards again. So that last comma less than actually needs to be comma greater than. Evil. Yeah. So there are these small things. And I will say this is a good example where actually building a program with more structure, where you didn't use comma pure and you actually just instead did something more obvious, might have helped the mental cue of like, no, what do I intend to do here? Am I trying to go forward or backward or up or down? Yeah, yeah. So we'll see. So I'm looking forward. If r3kapig catches up again, this absolutely could be a match again. Yeah. I mean, r3kapig is definitely catching up again because Perfect Root has been at this stage now for quite a while. And I don't know, like the progress hasn't been as big leaps. I feel like on Perfect Root's side. I mean, they definitely have a better understanding of it. But, you know, they are not close to solving it. I think. Oh, no, you said the magic words. As soon as we predict that, they tend to blow through and solve it. It's like saying, oh, surely it won't rain today. Because I just washed my car. Yeah. Maybe you should predict the game that r3kapig is behind. This is, oh, r3kapig is real. But there's no way they can catch up. And then two minutes later, winner, winner kind of pops up. Yeah. We have a lot of casters' curse going on this tournament. That's all right. I don't want to unduly influence the game here. Okay.
So what are they looking at? Dumping out. They're printing what they believe to be a leak. Okay. So they're verifying a leak. They think they've got it. Yes. And you see that. Oh, they just missed it. Yeah. They just missed it. They still need to change that to a greater than. Yes. So the other way you can do it is you can skip the rewinding and just type the address in backwards. But this is like an easier mental model. I think Perfect Root is like very close to something. I think that they're actually, I think they only need to flip that less than to a greater than. And then, you know, they're basically done. Yeah, they're basically done. Then they'll still have to actually do the overwrite, but they've got a leak and they've got the address and they've got the difference. And then it's, yeah, right. Four bytes in return. The only last thing would be, do they see the escape? If they don't see the exit or sorry, the exit operation. Right. They might not be able. That might be another stumbling block. All right, because they might be, this is another danger, right? Of like abstractions and mental models, right? They might say like, oh, this is brainfuck. And then they just not even look at it. No, but and they're just not noticing that we have this extra, because then if they do need to rewind the instruction pointer thing like all the way to the back, that's a little bit annoying because you need to kind of shift the way you would do it is you have another unmatched, you have more like closing brackets and then it will search backwards for the corresponding opening brackets. And then you do that like multiple times and stuff. It's a bit annoying. Yeah. So let's see, what are we leaking over here on Perfect Root? We've got so Yeah, it's really about like working that debugger and seeing that, you know, they're not overwriting what they think they're overwriting. Yes.
So I want to switch over to r3kapig because I think they had some, the debugger up looking into the code. I want to see what payload they are currently sending. It's, you know, they are, they have progress clearly. And now they're looking at, I'm trying to see what part of the code this is. It's the printing. Yeah. So they're looking at the print, the dot operator. And I'm not entirely sure what they, what the question they are trying to answer here right now. Yeah. So this is hard to tell. Yeah, so we're internally, you know, we're debating right now. Do we think they can solve it? Are we going to be needing another hint? Or do we need to switch to a sudden death? It is the way that we've been handling that transition is if we hit our time limit, which we are actually coming up on the original, the original end, but because this match has an extra gap, we might go up and basically ask the team and say, do you want to move to sudden death? Did you want to switch this? I really don't want to switch to sudden death though. We've seen what happened last time. Yeah. I will say though, our sudden death is real sudden on this one. So if we go to it, we're pretty sure that it would be solvable, but certainly would rather have the teams be able to finish this out. And we do have a little bit of, actually, we built a gap in time here between the semifinals and the finals. So I keep, I'm trying to figure out what Perfect Root is doing. They're rerunning the same thing over and over. Yeah. That reminds me of how I placed it here, just hoping that it changes. Like, oh yeah, there was like the same thing that Falk said yesterday. I can know. Yeah, exactly. Even though I know it's like, you're already going to keep rerunning it. They think they've got to be doing this, thinking that there's some like randomness that's impacting it. In the meantime, I can give you a score update on the main scoreboard for the DEF CON CTF. We just had a cycle, by the way.
There was a cycle. MMM in first place, tightly followed by Katzebin. It's the same top fight as we've seen multiple times before, I think. And then we have Water Paddler in third place. Fairly close as well. So there's definitely a lot of things that can happen. And all of this stuff has not factored in the points from this live CTF. So it's going to be really interesting to see what happens. Perfect Root, who is in this match, they are currently in fifth place, but if they would win this or like even go on and win the finals, that would bring them almost up to first place. Almost. I mean, they wouldn't let them jump. It might let them jump Katzebin, but it wouldn't let them jump Maples for sure. Yes, but they will also get some points from the tournament. Yeah, because MMM is going to be getting some points having made it to the semi-finals. Right. How long will the main CTF run? When will that be over? It runs for another two hours. So it's really getting there. Yeah, these scores are probably not going to shift much. And if you're not familiar, so just like a real quick summary of what the final format is for a DEF CON CTF, it's an attack-defense CTF. There are, all the teams are given essentially a number of systems that they're, or a number of processes that are running on a system of theirs. They have to defend it by patching those binaries and they have to attack their opponents by finding vulnerabilities, creating exploits and sending them against everybody else. And so it's a zero-sum game. You sort of start with like a certain amount of points and then as someone steals from you, you lose a point, they gain a point. And so what you see happen is you see everyone started, I think at 20,000 points or 16,000 points or something like that and then they're spreading out. And so the top teams steal from the lower teams and so the lowest team now is down at 14,000 points and the highest team is up at 22,000 points.
So you're not going to start at zero and then build up. You start kind of in the middle and then some go up and some go down with this particular scoring method. And so that does mean though that there's not a lot of like big shifts, wild shifts, because there's only so many kind of points available. And so it tends to be harder to come from behind at the very last minute, although sometimes not as close as you are. And there's one new solve on a service that no one else has done can start to swing it, because the graphs will shift in terms of the rate of scoring. Go ahead, Lava, for one second. Yeah, we should look at Perfect Root. They were actually, I think, confident about something that they, that the code did. They had this, you see it now, uncommented, echo pwned. They were running it, which looked like they were checking if they got the code execution. I think they think they are pretty close. Yeah, I still think that they are missing that. Unless they're doing something different than we expect, I think you're right. Yeah, they can see they're trying to submit. I mean, they did uncomment it again, commented it out again, but it was in there. And they had it running for a bit. They had us, do you see they have a while true loop? They were thinking that something is, yeah, as you said, that something is random a little bit when we are, so they were running it in a while true loop, just trying it over and over again. Yeah, and they had enough by, well, there we go. That's what they were looking for. That's what they were looking for, because they had a 90 at the end, they were off by one. Oh, that's the, oh no, no, no. Yeah, that's it. Now they have it. They have the return. There was a longer, there was top of the stack return address. They, shoot. Yeah, they were off by one, but they mainly added that extra write over there to the end. And so, yeah, not the most reliable of exploits. Yeah, that's, uh-oh. Uh-oh.
Well, there have been, so depending on the challenges, there was a situation where you didn't always see your output. And so if you try to do an echo pwned and detect on it, I know that at least some of the earlier challenges- No, no, it was just the submitter program, for example. Oh, it was just the submitter. This should not be an issue here. Also, they're just running it locally, right? Oh, no, I think it was specifically the command injection with the backticks. That's, that was when it was involved. Right, because they may need to do the semicolon. Right, the backticks, you wouldn't see your output. So I think though, in this case, this is still solid. If they actually get this, they should be right. So I'm curious, is that 0.069, is that them calling the win function? Or is that the offset of the- I'm a little bit unsure, but like, to me, it looks like they may be- Is it, is it PIE-enabled? PIE-enabled, but they are leaking the- Oh, yeah, they have a leak. They have a leak. But the thing is that- Yeah, in fact PIE-enabled, because you can actually see a wreck, if it's literally just now pulled up checksec. Right, they just missed it on screen, but they were looking at checksec and they saw the PIE. They literally just pulled it up. Yeah, they looked annoyed by it. They're like, oh no, there is PIE. So I mean, again, it is solvable, but that doesn't mean that they can't just hard-code something and win. Right. But come on, we did get them a win function. But if that's a concern for r3kapig at this moment, they feel like they are getting close to tweaking some addresses maybe as well. That's a good point. They may actually- Yeah, I think we're really close here for Perfect Root. And it is still possible that r3kapig is able to, depending on what the state of their payload is, I'm really curious to kind of postmortem, analyze this later and figure out why that many, many, many, many runs on the Perfect Root side, what part of this is not reliable?
Or what are they analyzing when they're running it like a million times in a row? Or they change it out to remote? Yeah, they're just going to throw it. And they are confident that it's really just a little bit of randomness that's the problem. And I'm not sure what randomness is coming into play that was causing them trouble. Yeah. Are they maybe just partially- No, no, no, they have a leak. It looked like they were partially overwriting. You can see that they took the leak and they sent back everything except the last- Oh, they're brute forcing. That's what they're doing. Is they're brute forcing the win relative address? I bet that's exactly what they're doing. They're going to just- Oh, but why are they not? Just writing the exact difference. Like, read the full value and then change it relatively. I mean, I don't know why, but I think that's what they're doing. I'm pretty sure that- It's the Brainfuck program in main, because then the return pointer would be- Oh, is this an issue? They are not like- I'm not so sure if I misremember this, but does that not point into libc's __libc_start_main, and so that points into libc code and not- Yeah, so- But maybe I'm also saying something. That might be- Yeah, actually, no, I'm- Oh, that might be- They're not brute forcing anything because they're not trying different- Yeah, I mean- That might be- The last two bytes doesn't make sense. So I realize that this might be the issue. What is the issue? That the return address is not to- Since this is running- Is this running in the main function and then the return address is not- It's to libc and not- And not within the program, so they don't have a leak in that sense. They would need to leak some other value. So your solution then was- Was it because it incremented or decremented it?
No, because I used a much more complicated solution before we simplified the challenge, but my complicated solution still worked on the simplified challenge, but we didn't verify that the simplified- So what was the complicated solution for correctly overwriting the return address? Like what was the- Well, it involved a ROP chain. Oh, interesting. But- Sorry, we've got a little bit of a- We've got a couple of bad cables we've been fighting. Yeah. So if we lost the stream there for a second. I can relate to the group. Is this something- Yeah, yeah. Well, you have your script and you just keep running your thing, looking at memory values just- You know, running in circles a bit. Yes. I'm trying to think about whether they could leak some other value that's within the- You know, I mean they totally could. They just need to find some value on the stack that's within the program, right? Isn't main also a function that gets as a parameter the address of main, which might then also be somewhere on the stack? Right, it has to be. So one of the addresses, it will be on the stack just a bit further away. Oh, maybe then it's not the bug that they had the less than sign- Maybe they're overwriting. So it was just that they needed to go a little bit further down the stack and then they go up again. So maybe that's not a bug at all. Maybe we've just misunderstood- Yeah, they were intentionally leaking the main pointer, not as a return address but as an argument. Yeah, that's very reasonable. So then the question is like, so what is the bug like? What is Perfect Root stuck on now then? If that's the case, they should be able to overwrite their return address with that main pointer, plus the offset to win instead, right? Should work. I mean that should absolutely be a valid solution where it will put them back into the main, put them back, or sorry, put them back into win. So then as a matter of fact- We can see them, yeah. So, oh, this is so, you know. I know. No reckon.
It's imperfect knowledge on all sides. And that's just a double check factor. Oh, look, yeah, because they look, they are working here with some addresses as well. They, second prog address, leak address. Slow and steady might still be valid here. So yeah, let's take a look at them for a while. Now pointer should point to end of second program, right? Which is a good understanding, which maybe, I don't know, if Perfect Root had that understanding where the pointer, or the data pointer and the instruction pointer, are pointing to in the Brainfuck program. Yeah, no, it's definitely interesting to see the completely different approaches here to the challenges from the different teams. Oh, they have, okay. So I'm just keeping an eye on Perfect Root. They actually had, they had Win. Is that a backtrace that they're showing, or is that just, this is something, they were- Are you saying that they did have the address of the Win function? Win itself showed up in one of these traces. So right there, right there. I think they're just doing a backtrace. I can't even tell. I think that's a stack, right? Right there at the bottom of the deck right there. Right, that's it. Yeah, the bottom of the stack is backtrace. They showed Win showed up on there. They had Win in this backtrace and they were hitting an exception earlier. So something was blocking them from returning directly. Yeah, because I mean, they don't have in their program that they're running, right? They don't have anything that returns, but I've seen them hit the return instruction. So I'm a little bit unsure what's going on there. Oh, are they, is that what, that's what they're brute forcing? They're brute forcing the behavior to try to get an exit that's clean instead of just calling exit. Oh. Is that what they're trying to get around? If they literally just call the exit. That's, I mean, could be. Oh, wow. That's, that might be what they're fighting.
It may, because again, we don't see, we don't see them calling the exit instruction. No, no, no. Yeah, exactly. So they should be able to just do that. I mean, I think, I think we need to tell both of them because we haven't seen either team. Oh, right. Yeah. So let's add a hint for the, for the, because I think we need to let both of them know. And this is probably going to be the last one. If we can't get it here soon, we're going to just have to unfortunately go to sudden death. But let's, let's see if we can. Oh. Oh no, we can't get that hints. We can no longer get that hints. I just saw that. Yeah. So the, let's switch over to, let me switch over here to r3kapig. You see that they have, they are calling the L just. So they're padding their code with the exit instruction. So they are very aware that they can use it. They know exactly what that's going to do. If these two players would combine their knowledge, they should have half of an exploit. Yeah. Which is a good example of real CTF with, with teams. They would complement each other so well. Absolutely. And they would resolve this in, you know, a fraction of the time now. Yeah. And that's why playing with a team is so much more fun. They catch your mistakes and look over your shoulder and they point out, hey, did you really mean to do a plus or a greater than or in that, you know. Right. It is so much more enjoyable to do a CTF with, with somebody else. Right. And the thing is here that Perfect Root, if we, if we go back to them, they will not notice this because they are not even looking at the code anymore. They're just in the, they're looking at the exploit and looking at the debugger. They're completely missing that there is this extra instruction. What do you think they try to do? Like disconnect and then that makes main return because it exits out of the, the Brainfuck loop, or how, how do they even reach the return?
I honestly think they're flailing and I think they don't have a clear plan and they're just trying a bunch of different stuff to see if they can get it to call system. Hold on. What is this with main stops? Wait. There was a ret. They overwrote main's ret. They hit ret and it's pointing into win. But now they actually can win. What are the, yeah, this should, this should just, oh, no, no, pop rbp. Pop rbp is going to pop the pointer to win off. Right. Because win is on the stack. No, no, that's, well, is that, oh, no, that's actually, the, I did pause on the, on the, they were at the ret of main and it pointed into win. So somehow they reached that ret apparently. Yeah. Are they having, yeah, they're having trouble with the call to system. Are they accidentally, no, I don't know. Yeah. So they shouldn't have to work with the arguments because win sets all that up. Yeah. But they're, if they're triggering, if they're breaking in there, what is breaking that's causing, are they trying to do like a small ROP thing here instead of just. Yeah. I'm not sure what they've actually switched over to doing. So in one frame when I paused, they were at the return of main. And so, you know, the GEF output showed where it would continue and it pointed into win. But at the end of win, at the return of win. So, okay. So they're like off by a few bytes. Yeah. But there was such, just one frame where I paused on and then on a consecutive one, they were actually stepping through win. So, so I don't know what, what changed. Like why, why suddenly it was at the start of win. Sometimes not. Maybe that is the randomness they are observing and we haven't just noticed that. Right. I want to switch back over to r3kapig a little bit. Yeah. I'll keep on. And look at how, I mean, you can't quite see it.
Now you can see it like, like how beautiful their exploit script is here, where they have created these abstractions for the instructions and they're giving them meaningful names instead of these random symbols. And you can see how they're slowly building this up, adding the comments and going very methodical in this. And, you know, they're slowly catching up. Importing time. Not sure why, but maybe, okay. They're just going to do a short sleep here, it seems. And I'm not sure exactly how far, but you can see they have the initial stager with the unmatched bracket. They have the second stage here with padding out with the exit instruction and stuff. So you see, they're really getting there. And Perfect Root is, you don't have to switch back, but I'm just watching them. They're in the bowels of GDB debugging system trying to figure out. Oh, is this like trying to figure out like, in the libc and they're getting like, yeah, like they're in like, posix_spawn action currently. There's some of their exceptions being triggered. I don't know what has been corrupted or what's changed. It must be really frustrating that they start looking through that. Yeah. See, we had a question, what we want to do here. If we want to go to, if we're going to give them a hint or... I kind of still want to... I feel like we do have a little bit of time. We don't need to eat into all of our spare time before our final match. We want to give the team, whoever wins, does want a little bit of a break to flush their head and not go straight into it. Yeah. But like, yeah, we do have to cut this off at some point and switch to a sudden death. This, this just, yeah, this still feels like something is inches away. I mean, I don't know what in the world is even blocking this because we're seeing the, the win function is being called. Like they're calling win. Could it be some like, have they like messed up the stack pointer in such a way that there's like stack misalignment or...
I don't know and they certainly don't either, given the time the debugger is being spent in. Oh, now they're going for one_gadget? Yeah. So they're going to try to avoid our win function and instead just go directly for... Now did your original one use the win function as well or was your original solution avoiding it too? No, my original solution did not use the win function. Yeah. So it may be that just by avoiding it, they're going to end up getting a win here. So that is a possibility, but I just don't know how long it's going to take them to do that. And then the question is, is r3kapig going to sort of slow and steady and be able to catch up, or do we just need to call this one and move on? Actually, now that you mentioned the misaligned stack, I do remember writing a challenge for the Cyber Security Challenge Germany, like a basic pwnable, and there was a win function, I believe, and when you solved it, there was a problem with a misaligned stack because something in that code is expecting stuff to be aligned, but there was a pretty clear exception that when you Google it, you would find the information about that. And the solution, you actually had to do one basically ret to align it again and then the win function did work. Now that you mentioned this, I remember that. Which though isn't really an option when you're working from an interpreter like this, right, where you sort of have this different environment. So it's not clear what that would even look like because they have a single overwrite of the return address. No, no, I mean, they can overwrite a lot of stuff if they want. Yeah, but they'd have to find the next return address on the stack and then go overwrite that as well. No, no, no, they could replace the... Oh, it's just two in a row. Yeah, exactly. Yeah, that's right. Yeah, they could do that. Yeah, that's actually... And since they have a leak, they can use that to just find the ret gadget. Well, they already had the Wip-Z.
Yeah, the Wip-Z was already essentially there. Oh, here, let's switch over here again to r3kapig because I just saw on the terminal, I saw the "stack smashing detected" message, which means that they have overwritten the return address. Not only have they overwritten the return address, they have triggered the return because otherwise the stack smashing... Well, we knew that they had those exits because they did that padding and so they had that part of it right away, which again, I don't see that at all. So might we... Is it possible that we might see the big catch-up moment here from r3kapig? Tortoise and the hare. This might be... Yes. Yeah, there's a movaps instruction that doesn't like unaligned addresses, which is... Which happens in system. I have a video on that, solving that basic pwnable challenge and I had this problem. Yeah, you get a stack fault. Stack fault at address zero, a very weird exception. And then you look at what instruction caused the exception and it's a movaps instruction. And when you Google that, you will then find movaps, unaligned address, and then... So that might be the issue here, that the win function is just not callable. Well, no, my suspicion is it is callable if you exit cleanly. So my suspicion is because that brute force that we're seeing from Perfect Root, I think is an artifact of how they're getting their return out, right? I think that's what's potentially getting it misaligned. Whereas if they were to actually just let the interpreter cleanly exit out, that they would... And here I want to say, and we see here on r3kapig's screen, that you see that, right, and you saw the stack smashing detected there. So they have been just writing a bit too far on the stack. I'm not entirely sure if this is an intentional smash to just verify that they are doing the right thing, or if it's an accidental smash because they misaligned some of their data. That still remains to be seen.
Yeah, I think we are going to have to certainly go to sudden death here pretty soon. I think in certainly the next five minutes or so, if we're not like real, real close, because we don't have confidence yet, we don't know for certain if the exit cleanly would solve it for Perfect Root, and we don't know... And even the things that they're changing now, this one_gadget attempt might be a little ambitious for the time that's left, right? So we're still trying to figure that out. Yes. So the question is, do we ask them or do we just go to sudden death? I don't think we give them an option. We should give them as long as we can, and once we hit the moment where we can't go any further, because we just have to get on to queue up for the finals, then we're going to have to just cut it off. Yeah. So I don't know that we're there yet. We're seeing a one_gadget attempt. Oh man, I want them. I want them to do it. Yeah, I really want to see this. Yeah. So how is that? I was looking over there on r3kapig. Yeah. So r3kapig, they are inspecting the stack here in the debugger. And you can see here their program, the padding that they filled out. Oh, so okay. So since they're doing this padding thing, right? Then they are, I suspect that the smashing was because of like they miscalculated exactly how long their like padding and stuff should be, right? So we'll see if they can kind of like fix that alignment up or like the size of the payload, and then move on to actually controlling the overwrites. That's what I'm trying to say. Yeah. It's, I mean, for a while I was really like, okay. I thought maybe it was easy. Yeah, I thought they were just blowing right through it. I'm not so sure anymore. Like this could really go either way. Yeah. And again, I mean, I think I'm not confident.
I'm going to say we've got to get three more minutes to like be sure someone's going to solve it, or we're just going to have to switch over to our sudden death, because we do want to give them at least a good 10, 20 minutes to solve sudden death and then go to the bathroom and come back for the finals, because you know what I have to ask. And the finals, unfortunately, we have to have enough time for that because the scores have to be in. We have to announce the winner. It has to go, it has to go into the DEF CON CTF final score. So we do have some hard limits that we're unfortunately working against where this, we need a winner to be able to allocate these points. The good thing is that the teams can choose to send another player for the finals. That's a great point. That's a great point. They were not required to send the same player. Yes. So it is entirely possible that someone decides, hey, I'm burnt out. You've got to send somebody else. That last CTF ruined me. So do you know how the other teams have done this so far? Have they sent other people in these subsequent rounds? So far, only MMM, I believe. So the total that any team would have to send is for four rounds. So it's not an overwhelming amount spread out over these three days. Right? And so it's not too crazy. And so we've only seen so far MMM. I think it's the only one that I've noticed. Yeah, they swapped between Robert and Jinmo for their rounds. So between their first and second and second and third, there was a switch in and a switch out. But everyone else seems to have been sending the same person. Do you think the players did this voluntarily? Or do you think within the team they had to throw a coin? That's a good question. Yeah, I'm not sure if it was. It seems like that's varied. I think some other teams specifically said they were kind of like flipping coins. Because multiple people wanted to go and they had to kind of pick out who was available. Yeah, I wanted to go as positive.
I was more worried that they would feel uncomfortable. Okay, I think we're going to have to switch over to sudden death. I hate to do this. Of course, we want to see them solve it. But at this point, I'm just seeing some hesitation on Perfect Root. It doesn't seem like Alex has kind of a sense of what it's going to take to finish this out. So let's go ahead and I'm going to go ahead and let each team know that we're switching to sudden death because we want to give them a break between the final rounds. And we will just give you a second. I'm going to take off my gear. I'm going to let them know and we'll count that one in shortly. Right, so that's unfortunate to see. Obviously we would want to see a finish, a working exploit. But it's understandable that the schedule requires it. And of course, they are also missing from the main CTF, right? I mean, it's not the final hour kind of of the big CTF, maybe? It is almost. There's one and a half hours left of the main CTF. So it's not like they can't do that much, but still they are missing from the main team, right? Yes. Quite a long time now. And this is like a choice the teams have to make, right? Like, who do they send for this? To balance that? Where do they think their most skilled players are of the most use? Right, sorry, we were just preparing for the sudden death part here. So we're just getting them set up, swapping out the challenge and giving them a new, simple challenge. And this challenge is going to be super simple. I mean, I barely know if we're going to have the time to commentate on what's going to go on here. Because I think we're picking our simplest challenge in the stash. Yeah, it's going to be rough. Okay, so Jordan is over with the players explaining the situation. Somebody in chat asked what sudden death is. This is when the weapons come out. Yes, yes. No. This is when we see the first blood. Right, exactly.
No, so the sudden death is that we stop the current challenge, and we should have people not walking past the camera. But anyway, sudden death, we stop the current challenge. We swap it out, completely new challenge. This new challenge is supposed to be super simple. It's going to be like, it's going to be fast. It's starting now and then they have the new challenge and they're down again. We're switching over to the split view. They're downloading the challenge and yeah, they're going to look at it. And this is going to be a slaughter. Is this the format string thing, Jordan? I'm not sure. Sorry. Yeah, yes. Still gives it up again. I actually don't know which sudden death we had lined up for this one. Right. So we can switch over to r3kapig and see they're just looking at it here. And it's about inputting some passwords here. And you need to input your logins. You can see that they need to log in with admin and "correct horse battery staple". The classic XKCD password joke. Right, yes. And then is it just reading in shellcode and executing it? Is that what I saw? I'm pretty sure that, yeah, this one is like meant to be pure speed. Yes. Perfect Root is already opening Google. Right. We have some shellcode in there. And they are, wow, this is stressful. So I think they basically just send admin password, or username password, and then send shellcode and it will be executed. So let's see who can do this first. We can see them copy-pasting the username. So and then they, as we can see here, I won't switch over to r3kapig because you can see very clearly in their exploit script. Actually, you can see it clearly in both of them. Oh, this is going to be rough. I really hope the flag submission thing is... Oh, the ls didn't work. No, right. Perfect Root was... Right. Switch over to Perfect Root and see that there's something not working with their... I think they need... So they might have to pad out the shellcode to be the size of the input. There we go.
Yep, that's exactly what we're saying. We're seeing the padding coming in and out. Yeah, they're padding it out and then they're sending it and will it be... There it is, there it is. There's the shell. There it is. We have a winner. Congratulations to Perfect Root. Oh my God. That was brutal. That was very, very harsh. We've got to go on a break. We've got to get back to the teams to talk to them real quickly and line up the final round. We'll be here in 30 minutes with the finals. I look forward to seeing you back here then. See ya. Thanks man. Hello and welcome back to our final event of a very long weekend. We are super excited to be here. We're super excited to be looking at the best two teams. Are you ready? You said you were nervous a second ago. Oh yeah, I mean this is like the final match. Like this is when it all comes together. So we've had Perfect Root. We've had Starbug. They've both battled through three other rounds to make it here to this final event. And we're going to get the game started. The competitors are nervous. They're going to go, for context, the game is over. The DEF CON CTF itself has ended. This is the final bit of points that anyone could get in this event before it's going to be tallied for the award ceremony later today. So let's do it. Everybody, we're going to kick it off. Five, four, three, two, one, go. And let's let them rip. So let's take a look at the teams and what they're up to. We're going to need a reset on our capture card over here. Capture card reset please. Yes, we've got one that's not working. But in the meantime, we'll just go to Perfect Root and watch what they're doing. And we can see that they're immediately going into IDA to look at the code. Oh, we've got different themes at least. So now we've got our black and white themes. Yes. Both doing the exact same thing, looking at both their systems and popping open their default template scripts. What is the name of this challenge that we're looking at today?
So we're looking at "F in the Stack", right? We actually had several challenges internally named F in the Stack. Yes, it was F in the Stack and another F in the Stack. We changed the name of that one, but this is the original F in the Stack. So it's a reference obviously to the meme, like "F in the chat", but on the stack. Right. So does it actually mean that we're looking at like a stack-based buffer overflow or is that just kind of a troll on the name? Yeah, not entirely sure. We have a menu here with three different options, four different options. You can load a file, what else was there. When you do that, there's like a file name, there's a call to fstat or lstat, actually. So yeah. Well, that was interesting, actually. Let's go ahead and take a look at that. So you said it was fstat or lstat, but if we look closely, let's let that come up again. So again, they're moving so fast, but if we notice there's a call to one of them, but the error message says the other. Right. And so that is interesting. Interesting. It's the kind of thing as like, you know, as a, there we go. We're getting some Fs. Thank you. Nice. Chat. Love to see it. There we go. So in the chat for Fs in the stack. Well, maybe, maybe we do that once it gets solved. Yeah, yeah, yeah. Exactly. Once they actually beat it. Right now, the challenge is standing tall. Yeah, that's a great idea. And by the way, the reference there to DEF CON CTF is canceled. "DEF CON is canceled" is very much a meme. If you've not been to DEF CON before, every year there's a joke that it is canceled. Excellent. I'm glad to see LiveOverflow in chat as well. Looking forward to, hi everybody on LiveOverflow's Twitch stream. I know he's been watching all week along with us, even on the times where he wasn't chatting with us live. Right. So we've had him as a commentator as one of our three guest commentators.
We had one person from Nautilus Institute Lightning here on site and we had Gamosa Labs and Live Overflow calling in remotely. It's been really adding to the... In fact, we might want to, if we can get the title below, our names fixed, we'll get that corrected. That's awesome, but super minor. Super minor, but yeah. We can go to Starbug, you can see that they are just dumping out /etc/passwd. So you can see here in the menu, they can load a file, they can print the loaded file, they can unload the last file, and they have an extremely convenient call RAX. That's a nice option. Nice. That was very handy of someone. Right. So I would assume this means that you want to control the value in RAX. We're looking at reading of /proc/self/mem. So we're looking at interactions. Okay, I freaked out for a second. I hope they had a shell instilling. Right, no, no, no. It looked like they were looking at /proc/self/fd/0. So opening standard in as a file, you can do a bunch of trickery stuff there. We're looking at /proc/self/mem, also an interesting file. The whole /proc pseudo file system is pretty interesting in a lot of these challenges. Absolutely. It comes in very handy. So yes, the reference there. Every is confirming DEF CON CTF. The main CTF did end a little bit early. I don't know the full story, but we heard from the Nautilus Institute that there was some issues that they had to close down one hour earlier than expected. So normally the intended end of the CTF this year was 2 p.m., but they ended slightly early, which means this is the only game left. This is the only points that people can be getting. And we've only got two teams that are in the running. We've got Perfect Root and we've got Team Starbug. And this could have... This definitely could change the destiny of Perfect Root in terms of making it into the top teams here. I don't think it's going to make them into first. 
Having seen the scoreboard right before OpenDark, it probably wouldn't get them all the way there. Although it is worth noting, there was actually an incident earlier on. One of the things that happens a lot with these kind of CTFs is you're really worried about fair play and what's appropriate and inappropriate. And there was, unfortunately, one of the members of Perfect Root was fork bombing one of the other boxes. Maybe they weren't aware of the CTF culture and when their team caught it, they specifically said, hey, we're sorry, our team member didn't know this was against the rules. They were penalized a little bit for that. Between that penalty plus the amount that they could get by winning, if they win this, that would have maybe been enough to bring them all the way into first from that fourth position that they were in. But I think with that penalty, they would probably end up somewhere in the second place range, even if they win. Probably not going to upset the entire competition just as a result of this event. But it's going to shuffle around. It's going to change the standings. Yeah, no matter what happens, in fact, even if it ends up being Team Starbug, it's going to jump them way up in the board. We should remember also that it's not only the winner who gets points. There is a point distribution for all the teams in this tournament. As I said, we'll probably not at this point change the winner, but it will shuffle around the standings. I want to go and look at Starbug because I was seeing some interesting stuff there. They're trying to play around with the file system. Like what interesting file could they be looking at? If I remember correctly, like the intended solution involves like a symlink or something, like you're supposed to open a symlink and then close it to get some kind of uninitialized memory or something like this. 
I know that, yeah, I've heard that it is of all the symlink and that's the difference between that lstat and that fstat. All right, link-stat, file-stat. I was actually going to ask about the difference there as I did not remember this. So the intended there I believe is an fstat which if you call it on a symlink, will give you the file it's pointed at, the ultimate actual file. But if you use lstat, you're going to get just the symlink information. Right. So that's I think the difference. And one of the changes again, we've talked a lot about how getting the difficulty right on these can be an issue. One of the things that we did during testing was realize, hey, let's make this a little bit more obvious that this is intended. So that's why the error message that was in there just said before, stat failed. And now it says specifically fstat failed. Right. But that was, as you said earlier, when you saw the call, that's not the function that's called. Right. So hopefully that's not- It's a little bit subtle, but it's a hint. It's a hint that's kind of baked into the challenge. Hopefully it's sufficient and it gets them what they need. We'll see. I still love the name of that menu choice, too. Extremely convenient call RAX. It's a little tongue-in-cheek. It's a little... Yes, we've been like, you know, because we want to make these challenges simple enough that you can solve them very quickly. We have been like putting in a bit of artificial gadgets and aspects of the programs here to make them easier to actually exploit. So let's just even get caught up and get a sense of where everybody's at. I don't know that anybody yet knows exactly what they're doing. I don't think so either. I haven't seen any crashes. I haven't seen any weird behavior yet. I think they're still exploring the program, trying to figure out what's going on. 
You could see in the exploit script there, they're trying to start a buildup, that kind of template we talked about before on the stream, like building abstractions around those interactions in the program so that you can just easily then put these building blocks together into an exploit. Yeah, and I will point out again, these are the top players in what is already a collection of the top players in the world. Right. And so I think the one lesson we've found is that the further along we make it in this competition, the harder it is to see what they're doing because they move so quickly that we need the freeze frame, we need to pause. And one of the things I would love to do next year is actually bring them in for commentary afterwards, have a little debrief session, but we kind of got to balance how much of the time we take up since we are going concurrently with the real event. This is part of a competition. It's a very prestigious competition. All the teams are here to play to win. They really, really want to win. They get the glory of winning the DEF CON CTF. They are awarded black badges, right? Eight black badges for the winning team. It is the only event that has gotten consistently eight black badges every year. Normal events get one maybe, or maybe two. And so this is like the biggest pinnacle of all, and there are dozens or hundreds maybe even of competitions. If you can, all the little challenges all over the event. There are tons and tons of things here at DEF CON, but this is the pinnacle. And so we did our best to try to like integrate within the CTF, but not take too much away from it. We've got the best people up here. We're only here for a maximum of about four hours each. And that's over the course of like a three day event, I think the best we could do. Yes, and I mean overall at DEF CON CTF, like within the CTF community, it's like one of those like, I would say top five or so events of the year. 
And it's certainly one of the longest running CTFs. For sure, for sure. Certainly the consistency. It's probably like the best known or maybe the only known like outside of like the CTF community. I have actually had people like recognize DEF CON CTF if I'm wearing like my leather jacket. So actually it's one of the other things is that the winning team usually gets a leather jacket, or at least they have in the past. I don't know if they still do that, but you would get like these DEF CON branded leather jackets, which doesn't do a lot of good in Florida, but occasionally I get a chance to wear it. Right. So switching over to Starbug again, we can see here that they're looking at smaps, which I don't even know what that is. What is it? /proc/self/smaps? Yes. I don't know either. Like maps will show you the memory mapping. Which is actually what Perfect Root is doing right now. They did just that in their script. They leaked out /proc/self/maps. You can see there, they're looking at like a whole bunch of other mapping and stuff. So they're playing around with this. Maybe I don't know if they're like looking for something specific or just checking around a bit to see what they can find. I mean, certainly with that call RAX, right, or that they're given extremely suspicious menu option, it makes sense that they're in their script, they might want to understand the base addresses so that they can shift and adjust an actual pointer where something is loaded. So for sure. Combining those I think makes a lot of sense, but there's still... Right. You need to break that down and then do the sub goals. You know that the end goal is to control the value of this register, but... Where are you going to point it? Right. Where are you going to point it? And how do you get there? Yes. And I think they know where they're going to point it by reading the /proc/self/maps. I think they both kind of can figure that out. They can figure out the offsets. 
They can find this out. And I don't remember, is there a win function in this binary? I don't remember if we've seen that. If it exists. Does a win function exist in this binary? I'm asking our producer. Does a win function exist in this one? I don't know that it does, but we're going to double check on that. We're going to have an answer on this very shortly. In the meantime, we can see that's Perfect Root. They are... Yes, Perfect Root is still the same player. They have not swapped out. Okay. So there are... They're in the binary. There is not a traditional win function, the way we've seen other ones, where it's literally just a system of /bin/sh, which is that you could just call it and immediately get a shell, with the way that these challenges have standard input wired up to the network socket that the teams are connecting to. But you can either hit one gadget, or there's actually a component in the binary itself that has a syscall available that's kind of intended as another potential target. Right. And that's actually a good way to make it so that teams can... That we can make sure the difficulty is intended to be a little lower. If there's only exactly one path through the binary, it decreases the odds that somebody's going to get to it in time. So having a couple of different sort of parallel paths is often a nice way to make these accessible. So, okay. Looking at... Actually, we're looking at Perfect Root. I almost said Perfect Blue, which again... It's one of the components. It is one of the components, yeah. So again, many of these teams... Perfect Blue and rudimentary are the components of this team. Yeah, and many of these teams are kind of combined here for DEF CON CTF. And some of them I expect will play together afterwards, and some of them will kind of split back up, maybe only come together once a year, just for this event. I think we'll see probably both of those. Yes. So... Okay, now this is... So we're looking at the right... Yes. 
We have some cheer in the chat. Is that... Let's see if I can make... Not embarrass myself. Is that like Korean script? And that is Korean? Yes. For sure. I thought you were going to read it. I was like, oh, you can... No, no, no, no, no, no, no, no. We're not... Let's not go that far. I just wanted to identify the right... The character set. All right, fair. But I've actually heard that actually learning to read Korean is actually relatively simple. Yeah, the pronunciation is straightforward. And unlike Chinese, for example, I can read a little bit of it, but every character's its own word. So I'm going to try it out. Yeah, yeah, yeah. I love how much love our contestants are getting. They are so handsome. They are so wonderful. And I'm glad our chat appreciates that. We have some fantastic competitors on both sides. So actually, to answer your question in chat, I know we have Alex on the Perfect Root side, only because I saw a prompt earlier. So they've got their path, their username is Alex, in the virtual machine. I don't know if I've seen that for Starbug, the name of the player that they're sending. Right. So... There we go. So we've got the answers coming through. Oh, yeah, yeah, excellent. You're doing the fighting. Yeah, that's, you know, also something I learned when playing CTFs in Korea, that you have the fighting. It does this like working hard. There's like a post thing. Oh, nice. I think it was like, you know, this. Apologize for any like, you know, misremembrance of like how this is supposed to be. But back to the game, let's go to Starbug. You can see here that they have some kind of leak, I think, because the pwntools output is switching to the hex output, which it does when there are non-ASCII characters in your debug log. So this is something I really like when using pwntools, like when you use the tubes library, turn on that like debugging thing, you can just see all the bytes being sent and received from it. 
And you can see that within, or prepended to that text, there is some, you know, seemingly random bytes, but you know, probably. Well, that looks like a pointer actually. That looks pretty much like a pointer. That might be a pointer they're leaking back at. The two pointers there actually. Yeah. So you can see that pattern with the 0f0000 looks like the three upper bytes of an address, typically either, probably a library, are going to be in that range. Yeah, like the libc or something else. So thank you very much to chat. We appreciate the love. It is, it has been exhausting. We are really excited to see these teams. We're also really excited to be done and rest our voices and just lay on the ground. I think I'm going to be quiet for a little bit. I'm just going to crash on the floor here right after. Just like, yeah. But no, I mean, if you are here in Vegas at DEF CON, after like, you know, Void Mercy, sorry, Void Mercy is in. Yes, that makes a ton of sense. Oh, okay. That's the handle. There we go. Right. So if you're here at the event, you know, come talk to us afterwards. Tell us what you, you know, what do you think about the event so far? Maybe if you have any wish, anything to the wish list for next year, if we do this again. Let's come back and take a look at Perfect Root because their payload now. They've actually been using that, the ability to send things into, no, where'd it go? It went away. So they had an allocate check right there. So by doing a load file from standard input and then sending some data, they're able to allocate chunks of different sizes. So they are looking into ways to control the heap allocations by using that standard input as a file read and then just sending an arbitrary amount of data to fill up that buffer. So that's a really clever way to get exact sized allocations. And we'll see if they are going to need that for their exploit. 
I still don't, I don't see anyone who has actually found the, the vulnerability itself for about 15 minutes in now. And yeah, just the standard in, right? You don't even need to do the other version of it. But I'm still waiting to see somebody demonstrate knowledge of the actual flaw itself. They could be in their head, but I'm not seeing any, any scripts yet. I do like this, the leak that we're seeing here. I'm pretty sure this is some kind of memory leak. Sure, yeah, sure looks like it. Yeah. Every bit in here, you're calculating the libc base by taking the leak and subtracting an offset, the classic part of your exploit, right? So there's definitely some progress there. I'm not sure if that will take them all the way. So, so we're saying that like one possible solution here is to leak a libc address, get your libc base, somehow control the register, the RAX register, and then go for the one. That's the bug though, right? That's, we're still looking for somebody to find that bug. Right. How do they get that RAX control? Once they have that, I think that the rest of the components are pretty straightforward. So, so that's what we're looking to see. And we've got plenty of time. The good news is this final round can also, much like the last semi-final round, which was able to go a little bit longer before we went to the sudden death. We do have a good hour and a half, I think before we were going to have to switch over to a sudden death, but we do have, still have a hard limit. Yes. So if we're not able to solve it, we will switch to one of our sudden deaths. And as you noticed in the last round, our sudden deaths have gotten real fast. We made sure that our sudden deaths are just very, very quick. Oh, that one was like, it was like under five minutes. It was pretty quick. Yeah. So, in terms of both teams being Korean-based, actually I think we have a mixed mixture. Perfect Root has a couple of different groups that have come together, I know. Right. 
But I do think Starbug may be predominantly Korean. Right. And Perfect Root I think is mostly US-based, but... Students who may have come over, or were, yeah, may have been from a variety of places. They have, I think, friends from... I know that Perfect Blue is like a US-based team. One team who was a college team, right? Right. Well, a lot of them were still in college. I think many of them have graduated and are now in industry, but they kind of met and started there. Yes. So, all right, let's... We're still... See, this is surprising to me. I wonder, are they... I feel like this is a lot of work on both teams, and yet, almost just stepping back and looking and saying, where's the bug? Right? Because I don't see anybody who's found the bug yet, and I feel like all this work that they're doing, it's a lot of motion, but not a lot of destination yet. And so, I kind of want to see somebody, like, just stop and just spend some time really marking this up in a decompiler, really looking at... Yes. Although, did I not see a stack smashing detected there, right? Then maybe we do know the bug on Starbug's side. That's interesting because... So, what is this script doing? That was a shell, I think. What was it? Yeah, so copying it into the VM, this is what we've seen before, copying it out of the VM and going to throw it on against the 10th service. Say, oh, it's not working remotely. Oh, my God. Okay, so we're very close. We can hear the frustration. Yeah, you can hear it. And the teammates are behind... Yeah, they're cheering out. The emotions, the emotions are... As long as they're not telling advice. Yeah, that's the other downside. As long as they're not giving any hints, they can show all the emotions. Yeah, it's exactly encouraged. Oh, they're trying to figure it out. It's so... Yeah. So, I would love to see... Take a look at that exploit. The next time it comes up, and I'm very curious, what are we... Are we seeing that... 
Like, they're trying to run it remotely. Oh, they have... That's a... That's a... They're running it. Is this it? Is this it? They double-check it. Yes, team two, team two, team two. That's it! It's the winner! Congratulations. Congratulations. Very well done. Very well done. All right. That was amazing. Let's go ahead and just step back. Congratulations to Team Starbug. Starbug was the winning team. So, well done. Made it through all four rounds of live CTF this whole weekend. The amount of str- It was stressful for us just watching. I cannot imagine how much effort and energy these teams have just been exhausting themselves. It is so hard to sit up here in a room full of people staring over your shoulder. The pressure is crushing. It is amazing. So, Chat, thank you very much. You guys hung out with us all weekend. Look forward. I can't wait to see a lot of people figuring out afterwards. They're going to freeze frame in slow-mo and we're going to get much more information about the different approaches and how things worked. I think LiveOverflow is still running his recap stream. You're going to head over there after this and we'll keep an eye out for the challenges because we are also going to be releasing all of these challenges to the public. We'll put out a GitHub repo with both source code and the exact binaries that teams were given. Probably put some information on the website there. Link to the different things, the YouTube channel, the GitHub repo. Let's go ahead and take a look at that bracket one last time and fill that up and we'll show what we did this last several days. So, we had teams coming from the round of 16 all the way up to this final event. What a great showing. That was super fun. We want to also give a big thanks to everyone who helped out making this possible. So, we had us and Glenn here on site in Vegas for this and you have multiple people off site as well. Thanks to Josh for all the challenges. Thanks to Nick for a challenge. 
Thanks to Rusty for a bunch of work on challenges. Thanks to Brunley for bringing us food because we had several meals brought to us here that was like super, super helpful. So nice. So, this was a blast. And then, we had Live Overflow on commentary. We had Brandon Falk and Gamosa Labs on commentary as well. Also as a guest commentator and Lightning of course from Nautilus Institute. Yeah, and speaking of big thanks to Nautilus Institute for bringing us out in the first place. We really appreciate that. So, good job to Starbug for winning. Fantastic. All right, we are going to pack it in. I think that's about it for the stream for now. We look forward to coming back. Live CTF is not going away forever. We would love to come back again for DEF CON CTF next year but if you're actually interested in live CTF coming to another CTF, like we want other people to be doing this as well too. We think just the idea of showing what teams are doing and talking about it and being able to make it a little more accessible is super fun. And so, we're looking forward to that happening. Right. So, yeah, that's going to be it for us. I've been Carl, Cedar 2. Jordan. Cyberdex and we will see you next time. Bye. Take care.