Passcode Cup CTF 2016
Hey All! The past weekend was the first ever Passcode Cup, hosted by The Christian Science Monitor's Passcode organization, which took place at Impact Hub in Washington DC on Oct 21, 2016. While there was a huge showing at the physical event, what was is lesser known is that most of the classic challenges and scoreboard was provided by AlexL, Javuto, and myself. Alex from our team went in person, while Javi and I provided remote scoreboard and challenge support. Joe Needleman and crew also provided an entire live fire network on site, that simulated a water treatment plant's embedded network. Even Dr. Dan Manson was there, providing live coverage in his CyberFed style, which I have the video for at the bottom of the post. I'de like to spend this post talking about some of the challenges that we collectively had, and overall talk to the success of this CTF. So lets get into it!
For starters, Javier set us up w/ Facebook's open source CTF platform, which I think has a beautiful aesthetic for a ctf scoreboard! We had over 63 challenges deployed in this ctf, with another 12 challenges we could have deployed based on team progression. To break these challenges down a bit further, we had 27 trivia (580 pts), 8 crypto (400 pts), 7 web (975 pts), 7 reversing (1100 pts), 6 misc (700 pts), 5 live network (975 pts), and 3 forensic (350 pts) challenges, which really filled up the fbctf world map. Further we offered decaying bonus points on each challenge for the first three solvers of any particular challenge. With over 5,000 potential points, we weren't that surprised that the winning team wasn't even able to seize half, with the top scoring team at 2,416. This is probably because they had less than 5hrs for all of the challenges, but in that short time the teams collectively put more than 10k points on the board. You can see challenge map below, the countries without any shading don't have challenges in them, the countries that are shaded have challenges, and the countries that have the red triangle have been solved by some team. We released the challenges periodically throughout the CTF, largely based on keeping several unsolved challenges available at all times. Still, at least three of our hardest challenges went unsolved, perhaps we will do write-ups if people are interested in these solutions.
There was fierce competition here. Team Ten4-able (The Tenable team) was holding the lead for the majority of the competition, with PPPIII close on their tail, however it was CNSUVA who ended up stealing the cup in the final moments! There strategy for the surprise win was truly brilliant, despite sacrificing some of those bonus points for early submission. Since the teams also ranged all the way from highschool to professional, we had a number of professional mentors on site, that way if you weren't a serious competitor you could still take full advantage of the learning environment. You can see each teams progression over time in the chart below. That said, it sounds like everyone had a really fun time with the infra and challenges, and I haven't heard any major complaints regarding the infrastructure, competition, or scoring, which is nice for everything to go down without issue, especially considering this was the same day as the major DynDNS outage.
Finally, you can enjoy the stream and all the awesome talks and interviews from the day below. Hopefully this team puts something else together soon, as I felt despite the low resources and lead time, this CTF was pulled off smoothly with everyone executing on their part excellently. Again, a big thanks to Passcode for organizing this event, and Impact Hub for hosting us! Excited to hear some feedback from anyone who was at the event!
