Weastie's Highschool CTF Experience: A story of luck and shenanigans

Category: fluff

Posted 2019-06-14 (UTC)


Hello! I'm Weastie and this is my first blog post on this website. I don't expect many people to recognize me, but I've been very prevalent in the high school CTF scene for the past two and a half years.

Well, it's currently 1am and I graduate high school in approximately 18 hours, so I figured I'll share some of the crazy shit that's happened in these two and a half years of playing high school CTFs.

PicoCTF 2017 - Sophomore Year

My computer science teacher, whom I was close with at the time, notified me about this huge cybersecurity competition that was going to occur that spring. I had zero clue what a CTF was and neither did anyone in my school. My two close computer science friends, rjmtrekkie27 and the_truth, decided we should all take a shot at it.

Like I said, none of us had any experience with CTFs or hacking, but that doesn't mean we didn't have the skill set. I made websites in my free time (and had some sense of security), and my two friends were complete losers - they literally read cryptography and math books in their free time.

After completing the basic level 1 questions, we realized we were screwed. What is binary exploitation? How do you read assembly? rjmtrekkie27 and the_truth had a basic understanding of assembly from their own projects, but nothing near what we needed to know.

So throughout the course of this competition, rjmtrekkie27 decided to let the_truth go hard on crypto, while he sat down and watched liveoverflow videos on binary exploitation. He spent probably over 80 straight hours trying to solve config console, which was a classic printf to leak libc and overwrite GOT to system. To this day, if I mention config console he gets PTSD over the hours lost. Crazily enough, he actually solved it right in front of me while he was trying to prove that his script didn't work. The expression on his face was priceless. In the meantime, I had figured out what a blind SQL injection was. I figured the flag couldn't be too long, so I manually entered character after character of this flag. I spent probably around 5 straight hours (including ignoring my classes during school) of just typing one letter after another until I was finally able to finish off the whole flag.

Skipping forward to Toaster Wars 4. Holy. Shit. This is by far the absolute greatest unintended solution that will ever exist in any PicoCTF of all time. Basically, Toaster Wars 4 was part of a series of dungeon-style web games where you had to fight enemies and traverse through four floors. On the fourth floor, you could see the stairs to get up to the flag, but it was always blocked off. Before I go into our solution, I'd like to note that the intended solution had something to do with being able to go up multiple floors at once by utilizing the synchronization time between the database and the game server.

Basically, the_truth was reading through the source code when he found that the blocks that spawned around the stairs were generated after the player was spawned, which meant that there was an insanely, stupidly low chance that the player spawns inside those blocks and can then just move over on top of the stairs. So that's what we did. We played through 4 floors of Toaster Wars 4, I'd say around 450 times, until the_truth finally got the winning placement. His screams were heard across the world.
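As an added illustration of the spawn-ordering bug described above (constructed toy code, not the game's source): the player is placed before the blocking ring exists, so nothing checks that the spawn cell is outside it, and the fix is to generate the blocks first and choose the spawn cell only from free cells. The grid size, the stairs position and the eight-cell ring are assumptions.

```python
import random

# Constructed toy map, not the actual Toaster Wars 4 level: a WIDTH x HEIGHT
# grid with the stairs at a fixed cell and a ring of blocking tiles around it.
WIDTH, HEIGHT = 40, 25
STAIRS = (20, 12)


def ring_around(cell):
    """The eight cells surrounding `cell`: the ring of blocks that is meant
    to keep the player away from the stairs."""
    x, y = cell
    return {(x + dx, y + dy)
            for dx in (-1, 0, 1) for dy in (-1, 0, 1)
            if (dx, dy) != (0, 0)}


def spawn_buggy(rng):
    """Ordering bug as the post describes it: the player is placed at a
    random cell first and the blocks are generated afterwards, with no
    check that the player's cell is outside the ring."""
    player = (rng.randrange(WIDTH), rng.randrange(HEIGHT))
    blocks = ring_around(STAIRS)
    return player, blocks


def spawn_fixed(rng):
    """Corrected ordering: generate the blocks first, then pick the spawn
    cell only from cells that are neither a block nor the stairs."""
    blocks = ring_around(STAIRS)
    forbidden = blocks | {STAIRS}
    free_cells = [(x, y) for x in range(WIDTH) for y in range(HEIGHT)
                  if (x, y) not in forbidden]
    player = rng.choice(free_cells)
    return player, blocks


def stairs_exposed(player, blocks):
    """True when the spawn point lets the player reach the stairs without
    ever crossing a block: standing inside the ring or on the stairs."""
    return player == STAIRS or player in blocks


def bypass_rate(spawn, trials=20000, seed=1):
    """Fraction of spawns that expose the stairs, for a given spawn function."""
    rng = random.Random(seed)
    hits = sum(stairs_exposed(*spawn(rng)) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print(f"buggy ordering: {bypass_rate(spawn_buggy):.4f} of spawns expose the stairs")
    print(f"fixed ordering: {bypass_rate(spawn_fixed):.4f} of spawns expose the stairs")
```

On this toy grid roughly one spawn in a hundred lands inside the ring, which is why replaying the level enough times eventually works; the fixed ordering never produces such a spawn, and the same principle applies to any server-side generation step whose invariants depend on the order in which the pieces are created.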

At the end of it all, 3 computer science nerds who had no idea what a CTF was managed to place 6th out of around 13,000 high school teams, with the biggest shoutouts going to rjmtrekkie27 who learned the entirety of binary exploitation during the competition, and the_truth for being an absolute god in general.

PaCTF 2017 - Sophomore Year

I don't have much to say here; we used all the skills we learned during pico and we got a max score on each round. I believe we did horribly during the tiebreaker but we got some nice AWS credits.

HSCTF 2018 - Junior Year

Well, at this point rjmtrekkie27 had graduated, so he won't be mentioned anymore. the_truth and I continued as a two-man wrecking team. We hadn't played a CTF in a while, but I convinced the_truth that we should get back into it, and hell yes we did. At some point between PaCTF and HSCTF, I learned basic pwn, so I was able to do the printf and basic stack exploits. I have to absolutely thank god that the hardest pwn in HSCTF 2018 was just a use after free. Neither of us knew how to do it, but we spent a few hours looking at it together and solved it as a team.

The rest of the questions weren't too notable, besides this question called something like "ABCDEFG....." (some series of letters and numbers). It was a JPEG image that had the bottom row of pixels deleted, and you had to figure out what they were. Sitting at zero solves with little time left, one would assume the question would remain that way. But not the_truth. This man read like 15 papers and somehow figured out how to do this stupidly complex cosine matrix thing (I say "thing" because the math is over my head), and basically brute forced his algorithm until he generated an image with the same pixels in every other spot.

By being the only team to solve every question, we placed first. The second place team (who did not mark themselves ineligible until the very end) was Perfect Blue. At the time we did not even know who Perfect Blue was, but it turns out they're genuinely one of the best CTF teams in the world. the_truth and I still give them shit about how a team of two high schoolers beat them. At the end of the competition, they said "we didn't think anyone would beat us".

PaCTF 2018 - Junior Year

No. Just No. Skywriting and partial encryption? No. Just no.

PicoCTF 2018 - Senior Year

This is it. The most notable moment of my entire life to date.

Because the_truth and I had done quite well as just a two-man team, our plan was originally to play like that during PicoCTF too. Thank fucking god we didn't. The organizer of HSCTF, Ptomerty, reached out to us to tell us he had a 3-man team and was looking to create a full 5. Ptomerty's team was called "The Recycle Plant" and, at the time, consisted of himself, bravech, and feelgoodrag. None of us really knew each other, but we sort of just decided "ehh... why not?" and merged together to form "Stallman's Recycle Plant" (based on the_truth's and my appreciation for the legend himself).

Deciding to merge with "The Recycle Plant" was certainly one of the best decisions we made. Compared to PicoCTF 2016, this year had sooooo many questions, I believe it was more than 100. Since neither the_truth nor I really knew how to do reverse, it was quite pleasant that bravech was a reverse god and was able to finish out the category in just a few days. Ptomerty went ham on the pwn, using exploits I was not even aware of such as ROP gadgets and One Gadgets, which left the_truth and me very happily doing crypto and web respectively. the_truth was actually the one to solve the highest difficulty web question, Lambdash, by yet another unintended solution.

Things started to wind down as we finished most of the questions in our categories, until we got to heap pwn. Ptomerty knew the basics of heap pwn, but that's about it. The story of how we solved all of the heap pwn (but one) is absolutely legendary.

the_truth, being the absolute god he is, decided that he would take matters into his own hands. THIS FUCKING MAN prints out a book about exploiting the heap, reads it during school, comes back and solves cake (one of the highest point pwn questions). Now contacts was a different story... bravech, Ptomerty, and I had been exploring for a while and we made some progress with the whole use after free idea, but not close to getting a flag. We decided to buy a quick EC2 server so we could work on contacts together. Things got pretty silly, using the "wall" command to transmit stupid messages and screw with each other. But I wanted to go a step further:

The GDB Penis

I felt bored and a bit useless, so I silently went into some GDB config files and wrote a quick Python script that would draw an ASCII penis (8====D) and print out a random dick size every time you ran GDB. This stuck with us for the entire rest of the competition; no one wanted to remove it because it was so beautiful.

Anyways, some time passed and the_truth decided he wanted to solve contacts. We all made progress as a team, but around 1am we all decided to log off because we had school the next morning. When I woke up at 6am, I had tons of unread messages from the_truth. At 5am, I got something along the lines of "I FUCKING SOLVED IT". He was in school the next day. He literally slept about 30 minutes. When I saw him in the hallway, there were zero signs of him being tired; he was energized as fuck.

Now it's time for one of the dumbest solutions we've ever had, noargs. This was the final pwn challenge of PicoCTF 2018, and we had to solve it to stay in the top 2. It did not take too long to figure out all the basics, like how we could add a byte to any point in memory. The first part of our solution was intended: you had to create a fake linked list using those bytes, but we had no idea how to go further. We had solved basically every previous difficult pwn question using a one gadget, but none of them worked out for us. Until I made the discovery: the morecore hook. Basically, when the program needed more memory, it would jump to the location stored in the morecore hook section of memory. So how did we get the program to ask for more memory? Well, we basically sent it tons and tons of bytes until it needed it. This solution worked locally, but we could not get it to work remotely. This is when bravech had the genius idea of buying an EC2 server as close to the PicoCTF servers as possible and running the script from there. This is absolutely the mindset you need when playing CTFs. We still give the_truth shit for not being the one to actually solve noargs, even though he deserves all the credit.

By solving all questions but one, freecalc, we finished in 2nd place which qualified us to be flown out to CMU for a luncheon. It was fantastic getting to talk with some of the PPP members, as well as befriending the first place team (even though they solved freecalc :salty:).

Just to note some of the sacrifices made to make top 2 at PicoCTF: we all skipped about 3 days of school, as well as staying up every night until at least 1am. It was clear that we were all very dedicated and cared too much.

TJCTF 2019 - Senior Year

Well, PicoCTF was certainly the highlight of the year, but "Stallman's Recycle Plant" decided to stick together for TJCTF. The competition had a first-place prize of 5 Chromebooks, and since the_truth's laptop was old as hell, we really wanted it. So, as cocky as we were, we named our team "LAPTOPCTF", praying we would win. I don't remember any of the questions being particularly notable, but we did manage to solve every question and finish in first place.

Angstrom CTF 2019 - Senior Year

We weren't too interested in this competition, but we played anyway. We thought it would be funny to hold onto basically every flag we had until the last 5 mins. When we submitted our flags, we jumped up from some really poor placement to 3rd within around 30 seconds. I still feel horrible for whatever team was in 3rd before us, as only the top 3 teams got prizes. We ended up winning some Otamatones which are awfully fun and annoying.

PaCTF 2019 - Senior Year

Even though we hated last year's PaCTF, we played in this one anyway. PaCTF was cheesy as always, but we still placed quite well; we're still tied for second and the tiebreaker has not come out yet. All I can do is give a quick shout out to the best CTF question to ever exist: Top Gun.

Winnings

(for each team, not me individually, also not counting AWS credits from PaCTF)

PicoCTF 2016: $250
HSCTF 2018: $400
PicoCTF 2018: $2500
TJCTF 2019: $2500 (5 $500 laptops)
AngstromCTF 2019: $100 (5 Otamatones and 5 books, probably worth about $100 total)

Total: $5750

Conclusion

One thing you may have noticed is that I've never really considered myself to be the "god" of any competition. I've always just been consistent in solving the web questions and hoping my team does well from there. That's why I talked about "luck". I got insanely lucky to be put in the same school as one of the (at least mathematically and computer-science-wise) smartest kids in the country, the_truth. While he couldn't have done it without me, I would never have done anything notable without him.

Some other notes: During the last few months of senior year, the_truth and I competed in a ton of university and unrestricted competitions with our teams Sice Squad and Galhacktic Trendsetters. I don't really consider that part of my "high school CTF career", but we made very notable placements, such as being the only US team to make it to the TencentCTF (0CTF) finals. Unfortunately, we fell short of qualifying for DEFCON, as did every other USA team besides PPP and Shellphish. the_truth will be attending college at Carnegie Mellon University, where he plans to compete with PPP (I'll miss you, but I know you're going on to greater things). I am attending Penn State University, which has no notable history of CTFs, but maybe I'll start one ;).