!SpamAndHex at the 24th DEFCON CTF Finals!SpamAndHex at the 24th DEFCON CTF Finals

Yes, we did it again. We played against the best teams in the world at the 24th DEFCON CTF Finals in Las Vegas. However, it was not as easy as it seems to be.

This year was fairly different from any other years before. For the first time in human history, teams had to play against the DARPA Cyber Grand Challenge (CGC from now on) winner machine Mayhem from ForAllSecure. Before we go into the details of the DEFCON CTF, let’s check what happened in the finals of the CGC machines.

One day before the 24th DEFCON CTF Finals took place, 7 selected machines fought against each other to win the CGC and play with human teams. The competition was launched in the morning on August 4, but only the last couple of hours were open to the public. The very first thing that caught our eyes is the huge effort that DARPA invested into the event.

Competitor machines stood on a stage in an air-gapped setup. Their tasks were three-fold:

  1. find vulnerabilities in CGC binaries
  2. generate a Proof of Vulnerability (PoV a.k.a exploit)
  3. patch the vulnerability with a maximum of 5% performance lost. This was a strict and essential condition of the game.

The gaming hours were divided into 96 rounds under which 82 challenges were selected for the machines. Long story short, Mayhem turned to be the winner and ForAllSecure won 2 million USDs. Congratulations!

Next day, the DEFCON CTF finals started with a few hours of delay due to some initial issues that Legitimate Business Syndicate (the DEFCON CTF organizer team) had to solve. The game was designed to operate with 5-minute rounds so as to accumulate the points for each team after each round. So 14 human teams and a machine, Mayhem. Similarly to previous years, the challenges were released gradually, however, the teams could not attack each other directly. They created patches and PoVs for vulnerable CGC services, and submitted them on a central site. This year, the tooling and the strategy of a team played crucial roles in the competition. Simply, you could not do anything without understanding the CGC platform. The most important thing of all was, however, the patching strategy. After patching a service it was stopped for the next round, so it was not available. As I mentioned above, performance played a key role in the competition: the more vulnerabilities you patch at once the more points you will have. One more important thing: a PoV could only slow down other teams, but you did not get points for them directly. If a team did not play this strategy, he could not perform well. Unfortunately, we put much more emphasis on PoVs than on a good patching strategy. At the beginning of day 3, we were the 11th team out of 15, then the scoreboard was hidden away for the last 4 hours. For the final results we have to wait a couple of weeks.

On one hand, we see that a better strategy could have brought us better results. On the other hand, however, we are really happy to get into the Finals for the second time in a row. Similarly to last year, we could not have realized our goal of participating in the DEFCON CTF Finals without the generous support of our sponsors. Huge thanks to them once again! We hope that next year we can play once again with the best teams in the world.

Here are some photos about us:

!SpamAndHex at DEFCON24 T-shirt front:

!SpamAndHex at DEFCON24 T-shirt back:

And finally the team:

Without our sponsors, it would be impossible to participate, huge thanks to them:

CrySyS - Hunity Defense - BME Faculty of Electrical Engineering and Informatics - Tresorit - Microsec - ESET/Sicontact - TMSI - Sophos - Symmetria - Dimension Data - MRG Effitas - Search-Lab - Balabit