Just like last year, we participated in the bSides Lisbon Capture The Flag security competition that took place a few days ago. The conference itself was excellent, with a diverse and very interesting presentation schedule.

bSides Lisbon was a two-day event, with the Capture The Flag (CTF) competition taking place on the first day, in parallel with the workshops. This year the teams were limited to 4 members, but the number of teams was the same, 10. Participation in the CTF was limited to those who completed the qualifier challenges and scored a place in the top 10.

We won the last two CTFs so we decided to apply the same recipe from last year, having Cláudio Gamboa again in our team.

3.5 hours later, this is how our dashboard looked:

Some of those 100s were more like 1000 :)

Challenges in black are the ones not solved (by our team), and the ones that nobody solved will likely show up in next year's qualifiers, with some twist. Please note that not all challenges are shown in this image.

We will only explain the challenges we solved, but we have to recognize the organizers' effort to include challenges based on very recent vulnerabilities, like Pwnable 100 with CVE-2018-10933, aka SSH2_MSG_USERAUTH_SUCCESS.

Trivia

Router (100)

My router is high on drugs.

The answer was KRACK, the vanity name of the attack against WPA2.

Bug (200)

What's the vulnerability?

We were given a file whose contents were:

Trivia 200 challenge

We (one of us) immediately recognized this as serialized Python, so we guessed it was related to the Python pickle library, which shows up frequently in CTFs. After a few attempts, we found the right answer: deserialization.
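The answer, deserialization, is worth a defensive illustration of why recognizing a pickle stream matters. This added example (not from the writeup or the CTF) uses pickletools to list the globals a pickle would import without executing it, and a restricted Unpickler that refuses anything outside an allow-list; the sample streams and the default allow-list are constructed for the example.

```python
import io
import pickle
import pickletools
import datetime

# Globals a pickle may reference, keyed by module; anything else is rejected.
DEFAULT_ALLOWED = {"builtins": {"set", "frozenset", "range", "slice"}}

def find_globals(data):
    """List every (module, name) the stream would import, without executing it."""
    # GLOBAL (protocol <= 3) carries the pair as text; STACK_GLOBAL (protocol 4+)
    # takes it from the two preceding string pushes, so those are tracked here.
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class() honours an explicit module/name allow-list."""
    def __init__(self, file, allowed):
        super().__init__(file)
        self.allowed = allowed

    def find_class(self, module, name):
        if name in self.allowed.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def safe_loads(data, allowed=None):
    """Drop-in for pickle.loads() that refuses globals outside the allow-list."""
    allowed = DEFAULT_ALLOWED if allowed is None else allowed
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()

def inspect_and_load(data, allowed=None):
    """Return (globals referenced, loaded object or the rejection message)."""
    globs = find_globals(data)
    try:
        return globs, safe_loads(data, allowed)
    except pickle.UnpicklingError as exc:
        return globs, str(exc)

# Constructed samples: a plain dict (no globals) and a dict holding a
# datetime.date, whose reconstruction needs the datetime.date global + REDUCE.
PLAIN_SAMPLE = pickle.dumps({"user": "rfp", "scores": [100, 200, 300]}, protocol=4)
GLOBAL_SAMPLE = pickle.dumps({"solved": datetime.date(2018, 11, 9)}, protocol=4)
```

Run `pickletools.dis(GLOBAL_SAMPLE)` to see the STACK_GLOBAL and REDUCE opcodes that `find_globals` reports; the same opcodes are what make an untrusted pickle dangerous, since REDUCE calls whatever global the stream names.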

Say My Name (300)

What's rfp's real name?

After submitting at least one Request For Proposal attempt (a reminiscence from a corporate past...), we started googling for rfp in the hope that something would show up. Rain Forest Puppy quickly showed up, which rang a bell. Another Google search and we got the answer: Jeff Forristal.