HackingForSoju invited me (an HFS veteran) to contribute some challenges to the qualification round.
The teams struggled to solve these challenges and not many scored, but many teams got very close.
They were challenging for a few reasons:
- CTF Infra needed more scale, and the DigitalOcean networks had limited inbound capacity
- The challenges were multi-layered, with a mix of easy tasks and then more difficult aspects
- Neither of the two challenges followed a typical CTF format. Triggering remotely required a bit of patience.
The challenges:
- The KGBFSKFSB challenge is based on cloud services today, where outbound traffic is not always a given
- The Blyatblaster9000 challenge is based on "0day" for my Frontier Technology-based soundbar, which will probably never get a security patch. The real device can be exploited from an open AP or from a web browser on the same network, leaving a root shell on the Linux device...
Also, Chrome's recent private networks feature does not prevent exploitation IRL.