Wrapping up the 2019 PwnThyBytes CTF

Here we are at the end of the first edition of the PwnThyBytes Capture The Flag Competition. We hope it was a challenging, learning and intriguing experience for all teams that took part. As organizers, we can say it certainly was for us.

Without further
ado, here are the winners of the contest:

AWS Builder Community Hub

First place goes to LC↯BC, who managed to solve roughly half of the published challenges. Their efforts paid off (literally), as they receive the top prize of €2,048. Congratulations, guys!

The runner-up this time is team hxp, which really pulled through during the last 7 hours of the competition, closing the gap between themselves and LC↯BC to just a task’s worth of points. For their sustained effort, they receive €1,024. Impressive determination!

And the bronze medal goes to team meltdown. They were neck and neck for 1st place for most of the competition, and they earn €512. Way to go!

Now that that’s out
of the way, we’d like to talk about what we wanted to achieve with this
contest, as a team of players who has seen a few CTFs, good and bad, fun and

We set off to
create a CTF that would give no quarter to participants, with the end goal of
winnowing the best from the rest. The challenges were intentionally hard and
very hard, based on information security problems we had faced or thought about
intensively. We were curious to see if other teams were familiar with these
topics or were able to become familiar with them during the contest.

Bearing in mind
that a new CTF will also attract people new to CTFs, we also devised what we
considered simpler tasks, with the idea that beginners will focus on one or two
tasks, learn about a particular subject in detail and gain knowledge that will
be useful for them after the competition.

Moving on, we’d
like to share a few stats to better illustrate the interest the CTF community
has shown in our little contest:

– 1,162 teams have
registered for the CTF, while 455 actually played and 53 solved at least one
challenge; we didn’t want our tasks to be that daunting, but that’s how it
turned out

– all those teams
used 4,368 IP addresses to tackle our challenges; not quite a botnet, but not
negligible either

– none of the top 3
teams managed to solve a Memory Corruption (pwn) task; we were not expecting
this, but as a team called PwnThyBytes, we’re not sorry about this 😛

As to the geographic diversity of participating teams, the top 20 countries by number of IPs that accessed our infrastructure during the competition looks like this:

The 3480 participants broken down by country

These 20 countries account for roughly 82% of visitors. We notice most of the countries are in the Northern Hemisphere, with representatives spread across North America, Europe and Asia. It’s noteworthy that Romania reached second place in this statistic, but that is somewhat to be expected given we are a Romanian team.

This was our first
attempt at organizing CTFs, instead of just playing them. We got some things
right, we also got some things wrong. Although this article sums up the first
edition of PwnThyBytes CTF, our work will not end here. We’ll be looking at
anything remotely resembling a log file or feedback: our
Google form
, the rating comments, public and private
chat messages on our Discord, as well as actual logs that show how our platform
performed during the CTF. While we will do our very best to iron out the
details, we hope the contest was a stimulating, fun and educational experience
for the participating teams. Enough so that they come back next year. We’ll try
to one-up ourselves!

We’d like to thank
Bitdefender for providing the resources to reward the winning teams and for
footing the bill for the infrastructure we used.

Last, but certainly
not least, we’d like to thank the people that willingly subjected themselves to
a 40-hour meandering journey through some tough tasks to tackle. No CTF can be
good without the players that seek it.

For those who love
to hack, we salute you!

Of course, for
those who have been patient enough to read this far, here is a selection of writeups, either from
participating teams or from the authors, so those of you who hit a snag when
solving the challenges and were left wondering what they missed can enjoy some not-so-light
reading. Pull requests are welcomed! 🙂

*** This is a Security Bloggers Network syndicated blog from Bitdefender Labs authored by Bitdefender Team. Read the original post at: