The Great Indian GCCS CTF Challenge

Disclaimer: The images and certificates are too blurred to be disturbing. The names on the certificates are imaginary; they have absolutely no bloody relationship with anyone living or dead (because of typos, and the govt. just won't correct them; I wish they would ask for taxes from the imaginary man they created in the next financial year).
Warning: My name is Nipun Jaswal (pronounced JAS - WAAL); it's not Jayaswal/Jaiswal or whatever the hell you write. I am a Chandravashi Rajput and you can find more info on it here: https://en.wikipedia.org/wiki/Jaswal (Yeap, you got it right, we still have a king and an ancestral palace). So I hope this clears the confusion. Next time, write my name correctly, or, browsing the history of my clan, you will find that we are excellent warriors with the sword, so don't let me chop your head off. :)
Hello guys, this post describes my experience with the GCCS CTF challenge held on 20-21st Nov 2017 at JW Marriott, Aerocity, New Delhi.
So basically, there were two rounds of the CTF challenge, an online one and the other on-site at the premises itself. I, along with two of my friends (Deepankar Arora, Harsh Daftary), participated in the CTF event for the very first time in our lives. Having conducted an endless number of pentests and found gigs of vulnerabilities worldwide, we thought of it as a new challenge and wanted to win this.
The online qualifier was just like any other CTF, Jeopardy style, and we came sixth (6th) in the overall results and were selected for the final CTF.
[Image: GCCS CTF Qualifiers 2017]
Despite registering with the correct name, MyGov Blog listed my name with a typo, to which I mailed a couple of times, NO RESPONSE. I tweeted the same, NO RESPONSE. I wish they make typos while collecting the tax and I will no longer have to submit it.
Here starts the big picture: we reached JW Marriott, checked in, were asked to be ready by 6:30-7 A.M. and were taken to the NCIIPC office for the CTF challenge. There were three teams in the room and, for some unknown shitty reasons, one team had to be shifted to another room (the conference room). Eventually, we were selected to shift to the other room.
Describing the room, a very well built, nice and spacious room with a huge LED right in front displaying live scores. The room had everything which included a 4th class (the next level to third class) internet connectivity.
Speaking of the rules:
- A team is only allowed one laptop with limited network connectivity to the challenges.
- Other laptops can be used to connect to the internet.
- Mobiles had to be kept outside.
- Infrastructure should be dealt with care, No DOS, DDOS attacks etc.

What we actually got:
- A fully clogged internet connectivity, even Google took ages to load
- A room with absolutely dumb Wi-Fi connectivity where, when we changed our sitting positions, some random guy came in and started telling us "You broke rule number two #2"

And now the CTF starts:
We were tasked with three tasks, which were quite easy, frankly. However, the way it was designed, only one of the teams could have done it, BECAUSE the designers forgot to remove the hardcoded MAC addresses from the tasks. Anyhow, one of the question's hints said "The FLAG is switch's MAC address":
- The teams who did that task successfully were the same teams whose hardcoded values were kept in the challenge
- The winning teams could see two routers but the other two could only see one
Clearly, a design failure here. Another thing, a SWITCH's MAC address isn't the same as a ROUTER's MAC address and is generally interpreted in XXXX.XXXX.XXXX format.

There's one more challenge we did, and that was to download a file whose description said "Read Rule Number five"; the file said rule number 5 is important. So we entered "5" and that was the flag.
I spoke to the other teams who did manage to complete the challenge and they said the last one was to input our own IP address and that was the flag.
To summarise, we had the following four-five flags:
1. Open the DOC file --> "Rule 5 is important" --> Enter "5" as a flag --> Done
2. Connect to the Kali Machine [Provided] --> Open Wireshark --> Get the Router's MAC [Only if you are on the system whose router's value was hardcoded] --> Done
3. Connect to Kali Machine --> Get the Assigned IP --> Done
So technically, only one team was to win this due to the flawed challenge. We went back to the hotel unhappy and unsatisfied. Later, at the dinner, we met someone higher in the authority and she spoke to us in a very humble and helpful manner. We explained everything to her about what happened at NCIIPC. Later, around 11-11:30, we got another mail saying that the CTF will happen again tomorrow morning. We were quite happy to hear this and started preparing.
Next Morning, we were taken again to the NCIIPC and as soon as we reached the metro station, we were told to get back to the hotel since the challenge would now be conducted in the hotel itself. So we took the metro back to Aerocity :/
So, now we have been provided with a Boot2Root kinda challenge which was quite well created and we started kicking the hell out of the challenge.
[Image: Wasting Time @ CTF with Deepankar Arora and Harsh Daftary]
We knew some folks will trick, and we started our MITM detectors and found out that a number of systems were trying a MITM attack. However, the challenge was remotely hosted so we switched onto our Airtel 4G. The challenge went down a couple of times and we reported the same. However, what reply we got back was shocking:
"Some guy over the speakerphone said, only this team is facing a problem, we can certify that everything is good at our end"
Response to this arrogant reply was quite simple:
1. We were on 4G, there is absolutely no way to track us from a JW internet
2. We used our VPNs and connected from an Amsterdam IP address, again, no way to track us
3. There was no CTF style portal, anyone on earth could have been connected to the IP address, again no way to track us
Moreover, here's the proof:
[Image: Only we had a problem?? Ahhh... Doesn't look like bruv :P Got You :P, Don't lie at least]
Within 1-1:30 hours of the challenge, we managed to gain limited access to the machine and demonstrated the same to the organizers. Having the access, we called one of the organizers and told him that the CTF is being played globally with a lot of different IPs from various countries. To which the organizer said, CTF is now open globally. WHAT? Really? Then why the f*** are we in the finals and sitting in JW Marriott?
Now one of the other teams started playing dirty and they removed our access and deleted the challenge itself. We reported this and were asked to prepare a report. We sent our report by mail and were not selected to be the winners despite being the first or second ones to gain access.
I have no regrets about losing this one. I will still be happy losing 1000 more like these because the way everything was conducted, and that too on a global level, is heartbreaking. Frankly, if this is the kind of challenges or conduct our govt. is looking forward to, I believe we would never be recognized as a giant globally in the cyberspace.
Adding salt to injury, they provided the certificate of participation, which was in so much high resolution that the pixels almost got randomized and it looked like a cheap [again fourth grade] copy. I mean even a half-blind person with Photoshop skills can create a better-looking certificate.

They never learned from their mistakes and again made a typo in my name. To which I simply rejected this third-grade certificate and chose not to have one. We played another CTF after a few days called TUCTF with 900 teams; we came 180 something, but this was much more satisfying and at least 92929323939293 times better than the circus we had at GCCS 17.

Meanwhile, I love my country and have been trying to help in whatever way possible. I would urge the govt. to take more initiatives like these but surely in a more organized manner. I am a professional; my team at GCCS were all my workmates and elite of their fields. But there were students in the participating teams as well. I don't know what impression it leaves on them. My nation is zillion times better at producing such events but I am afraid this just wasn't the day.
Published on December 05, 2017 01:12