Announcing The Matasano/Square CTF

Go easy on us for a bit; this is a fresh deploy in a new environment and it&#x27;s bound to be janky. The odds of it not completely asploding tonight are pretty low.<p>Happy to answer questions.<p>One obvious question we haven&#x27;t answered: how long will it be up for? Answer: a&#x27;unno. Until it gets boring? Or super expensive? We&#x27;re in no rush to shut it down. I&#x27;ve never understood why awesome CTF events are so eager to shut down.<p>Here&#x27;s what it looks like:<p><a href="http://twitter.com/tqbf/status/423992147155509248/photo/1" rel="nofollow">http:&#x2F;&#x2F;twitter.com&#x2F;tqbf&#x2F;status&#x2F;423992147155509248&#x2F;photo&#x2F;1</a><p>We&#x27;re on Freenode #uctf if you want to bug us live.<p>In case you&#x27;re interested: this is a very small Rails app talking to an emulator we wrote in Golang that exports an HTTP&#x2F;JSON interface.

Can someone explain what &quot;cmp.b @r13, 0x2400(r14)&quot; does, and&#x2F;or how I would find out myself?<p>I looked through the manual and saw the instruction &#x27;cmp&#x27; tests the two parameters for equivalence, but I don&#x27;t see &#x27;cmp.b&#x27; anywhere. I found the TI manual for the instruction set which happens to say something about &#x27;.B&#x27; being a byte operation, but I&#x27;m not sure if that&#x27;s related.<p>The tutorial explained that @r13 uses the value in memory for the address in register 13, but &#x27;0x2400(r14)&#x27; is really confusing.<p>I was thinking it just meant register 14, but that doesn&#x27;t seem to be the case because the comparison fails when r14 (which is the value 0x0000 at this point) and @r13 match. I thought it also could mean the literal value &#x27;0x2400&#x27;, but the comparison still seems to fail when it should match, and that doesn&#x27;t explain the r14 in parenthesis at the end of it.

PSA for people like me who aren&#x27;t security specialists: &quot;shellcode&quot; (in the survey) does <i>not</i> mean &quot;a shell script&quot;, it means this: <a href="http://en.wikipedia.org/wiki/Shellcode" rel="nofollow">http:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Shellcode</a>

I&#x27;ve worked a lot in assembly, but never tried to exploit anything before. This is like crack.<p>I&#x27;ve always been meaning to try out a few public problem sets of this sort that a couple university security courses publish. Theirs are often based on a VM image with various binaries inside them that you are supposed to exploit. While those would probably have the advantage of being slightly more relevant to my everyday work (since they&#x27;re running a Linux OS&#x2F;environment more like the one I regularly use and program for), this contest makes it much easier to get over the hump of setting everything up, and of course the points&#x2F;competition aspect is highly motivating.<p>Nicely done. :)

I used to jump at hacking challenges in high school, blowing off homework and in the summers staying up til 5am.<p>Nowadays I see these and I have to practically tie myself to the ship&#x27;s mast to not drop everything I&#x27;m doing and sink days into it. I couldn&#x27;t resist with Stripe&#x27;s CTF but had to quit after I got busy. This one&#x27;s especially hard because I love tinkering&#x2F;building embedded devices.<p>I guess the point is please, please keep this running as long as you can so I can have a crack at it when I&#x27;m not working day and night =].

During the tutorial, it seems like the memory dump goes blank for me (it loses its scroll bars, and loses its contents) -- <a href="http://i.imgur.com/ta9iykd.png" rel="nofollow">http:&#x2F;&#x2F;i.imgur.com&#x2F;ta9iykd.png</a><p>This is Firefox 25.0~b1+build1-0ubuntu0.12.04.1, on Ubuntu 12.04. I&#x27;ll try it on something more modern when I get home.<p>Looking forward to it!

The lock (fake) manual is available here:<p><a href="https://microcorruption.com/manual.pdf" rel="nofollow">https:&#x2F;&#x2F;microcorruption.com&#x2F;manual.pdf</a>

I encourage anyone who&#x27;s avoiding taking part because they don&#x27;t know assembly or reverse engineering to at least give the tutorial a try, you might just surprise yourself!<p>Having not really touched assembly that much before, I found the tutorial to be an excellent introduction. I&#x27;m now battling with level 4 after thinking I wouldn&#x27;t even get past the first level.<p>Great work Matasano &amp; Square!

Dean Pelton: Agnes, cancel all my appointments.<p>Agnes: What appointments?<p>Dean Pelton: ...Wishful thinking.<p>Damn. There goes my weekend.

PWNED! I&#x27;ve never been one to shout at my computer, even in multiplayer games, but I&#x27;ve been doing plenty of yelling over here, and a few victory dances too.<p>This is AWESOME, thank you for putting it together. This should be mandatory training for developers in languages with no bounds checking. It&#x27;s downright scary how easy some of these exploits can be. Yes, I know x86 makes things more complicated, but I had no idea the basic concepts could be so simple after reading disclosures about buffer overflows, stack smashing, and other spoilery stuff I won&#x27;t mention here. Working on Algiers right now.<p>Minor bugs: I like to hit &quot;enter&quot; in the debugger to keep single stepping, but every now and then the focus disappears from the input window. Typing &quot;s&quot; works because it seems to jump back to the window, but typing &quot;enter&quot; does nothing.<p>Several levels produce garbled text from puts() -- doesn&#x27;t affect the playability, just looks funny. Or maybe you fixed that already, I&#x27;m not able to reproduce it now.<p>It would be nice to be able to copy&#x2F;paste from the memory dump to the disassembler without having to trim the other columns off first.<p>And the cherry on top: remember my &quot;hide box headers&quot; setting. Thanks!

&quot;Never printed on paper.&quot;<p><a href="https://microcorruption.com/manual.pdf" rel="nofollow">https:&#x2F;&#x2F;microcorruption.com&#x2F;manual.pdf</a>

FYI - On level 3, the &quot;okay&quot; button is obscured by the page footer, and can&#x27;t be clicked on one of my machines. Scolling down doesn&#x27;t help, the button remains obscured by the page footer which scrolls with the page.

And then it turns out that this was a massive Mechanical Turk.

Possible bug in the score board:<p>In most cases, it won&#x27;t let me see the scores for levels that I haven&#x27;t beaten yet. Presumably this is because seeing the input size and min cpu cycles would be a strong hint about how to solve the level.<p>However, when viewing a particular user&#x27;s profile (e.x. <a href="https://microcorruption.com/profile/294" rel="nofollow">https:&#x2F;&#x2F;microcorruption.com&#x2F;profile&#x2F;294</a>), it shows their completion stats for the level you are currently on, despite having not beaten it yet. The levels after it are still obscured, though.

If anyone is worried about participating because they don&#x27;t understand this domain very well, don&#x27;t be. The tutorial is very useful, and the interface is generally very nice. Check it out.

This is embarrassing, but... I&#x27;m totally stuck on puzzle #2 (Sydney) since the cmp doesn&#x27;t seem to match up with what&#x27;s in memory, and I bet that the puzzles won&#x27;t get any easier from here! Is there a good resource, trove of documentation, or excellent book for those of us who would love to learn how to do this stuff? The tutorial great, but it was definitely pretty basic.

Encountered quite some bugs with FF (Aurora here), most prominently the highlight wasn&#x27;t updated when I moved a step forward.<p>Suggestion on top of that: It would be really nice to grab the whole &#x27;firmware&#x27; and dump it to a local .hex file. If that isn&#x27;t allowed for obvious reasons&#x2F;by design: Fair enough.

I put my credit card number in, and it didn&#x27;t give me an account. Did I do it wrong? Why isn&#x27;t there a padlock on the signup? Ohh nooo...

I was all excited with myself for passing the first one after the tutorial and then couldn&#x27;t get past the second...though I&#x27;ve been drinking.<p>This is very cool and I think would be &quot;even more awesome&quot; if there were a separate version that provided a tutorial for the skills required for each level.<p>For us &#x27;tards. :P

This is fun. For those looking for more details on the instructions and addressing modes, check out the MSP430 User&#x27;s Guide:<p><a href="http://www.ti.com/lit/ug/slau049f/slau049f.pdf" rel="nofollow">http:&#x2F;&#x2F;www.ti.com&#x2F;lit&#x2F;ug&#x2F;slau049f&#x2F;slau049f.pdf</a>

I went through the tutorial. Seems <i>very</i> cool. Disappointed that &quot;password&quot; worked though - I thought it would show me how to read the value my input was compared to instead of just matching the string (and lucky guessing).

This is awesome, I&#x27;m having a lot of fun reactivating my assembler knowledge.<p>Also, I want to compliment you on the interface, my laptop broke yesterday and I&#x27;m doing this on a borrowed Acer A500 tablet without any serious problems.

As someone completely inept in this niche, I&#x27;m looking forward to the results. I hope you share them. You&#x27;ll probably have to dumb them down for us commoners.

This is great. I hope at least the UI is open-sourced at some point - it&#x27;s really clear and it&#x27;d be good for other reversing tutorials.

Just did the first one. This is a lot of fun. Great work!

This would be a great way to crowd-source the cracking of a digital lock ... I hope you&#x27;re opening the warehouse that contains all the NSA&#x27;s secrets (every HN story has to have comments that reference the NSA or they&#x27;ll be thrown into the dead-pool).