Tuesday, January 1, 2019

Dragon Sector wins CTFtime season 2018!

CTFtime's 2018 season is now over and for the second time in our team's history we've managed to get the top place!

(If you've arrived on this page without context, you might want to check out these two explanations on what a CTF competition is - Wikipedia, CTFtime. But in short: it's an IT security/hacking tournament, with close to a hundred events being played out throughout the year. CTFtime is the main global team ranking and CTF aggregate site.)

As you can imagine, we are really happy with this achievement. It has been an extremely busy year for all of our players, our guest players and doubly so for our captain valis and vice-captain Redford, who behind the scenes orchestrated the success.

Insomni'hack CTF 2018 (Copyright SCRT SA)

We started the season strongly with winning the Insomni'hack teaser CTF for the fifth (sic!) time in a row. The main Insomni'hack CTF in Geneva, Switzerland - the biggest on-site-only CTF in this part of the world - was less fortunate for us and eventually we were bested by the German powerhouse - the Eat, Sleep, Pwn, Repeat team (top3 in 2017 CTFtime season), with our friends from p4 finishing third.

A week later, at the end of March, we qualified from the second place to the 0CTF/TCTF 2018 CTF which was to happen in May in China.

And May was a good month for our team.

It started with two legendary CTFs - the PlaidCTF organized by one of the world's best teams - the Plaid Parliament of Pwning from Carnegie Mellon University (the only team that was always on the CTFtime season podium in the last 8 years, winning the season 3 times!), and the DEF CON CTF Qualifiers known both for the immense difficulty level and heavy participation from top tier teams - it's basically a battlefield with only a handful of teams qualifying to the offline finals in Las Vegas, US.

While we were pretty far from the top places - top6 on PlaidCTF and top10 on DEF CON CTF Quals - we still managed to add a decent amount of points to the global ranking, as well as qualify to the DEF CON CTF finals.

0CTF/TCTF 2018 - note DS emblem on the top right (Photo by Redford)

Near the end of May our team went to Szenzhen, China to compete in the 0CTF/TCTF 2018 finals alongside amazing teams like South Korean CyKOR, Russian LC↯BC or Japanese TokyoWesterns to name just a few. Eventually we managed to secure the top place and a hefty amount of points for the global ranking.

To complete a good streak, we've also won the online Security Fest CTF at the end of the month.

The summer is usually pretty slow on CTFs. We've qualified to Google CTF in June from the second place (finals were in October), as well as the CODE BLUE CTF from the first place. DEF CON CTF finals in Las Vegas went OKish at best with Dragon Sector finishing at 9th place.

In the meantime we also traveled to Beijing, China and had (again) the honor of playing the invite-only WCTF 2018, which we eventually finished on the second place!

WCTF 2018 (Copyright 360 Vulcan Team)
(DS members from the left: adami, mwk, Redford, q3k, implr)

September brought us 3rd place in the online TokyoWesterns 4th CTF, with Plaid Parliament of Pwning winning and Taiwanese 217 (top1 in CTFtime season 2017) as runner-up. Given the high rank of the CTF we still were happy with the results as it increased our overall global score.

Teaser Dragon CTF 2018's website

Our own Teaser Dragon CTF 2018 also took place in September and we've received excellent notes from the CTF community. The main Dragon CTF 2018 was to happen in November during the Security PWNing Conference in Warsaw, Poland.

(A short note on how the global CTFtime scoring system works: Each tournament has a rating weight from 0 to 100 - the more the better - with both the CTF winning team and CTF organizing team getting double the rating weight in points, and teams on further places getting less and less points (see the formula if you're interested in details). However, the total global score for a team is calculated only from the team's top ten scores in the given year, and this includes the CTF organized by the team. So in case of top teams at some point during the year even winning a lower-tier CTF doesn't necessarily benefit the total score. We started paying more attention to this around late summer limiting our participation and conserving strength for the year's end.)

One more CTF to note for September was the small local (and eventually unranked) Security Case Study CTF in Warsaw, Poland, which featured teams limited to 3 people. As such, both p4 and Dragon Sector entered multiple teams to play the CTF (each team competing separately). In the end while DS won the CTF, p4 took both the runner-up and third places (blast, foiled again!).

Security Case Study CTF 2018 (Copyright CyberSecurity Foundation)
(DS members from the left: valis, Redford, Gynvael)

The last quarter of the year is always pretty hectic - multiple tournaments are scheduled for that part of the year, so it means a lot of traveling and playing for the team. If you add to it the fact that we were in the midst of preparing the Dragon CTF... Yes. Hectic is the right word.

We started with getting 2nd place on the online Hack.lu CTF organized by FluxFingers, and then proceeded to win the ultra-high-weight HITCON CTF 2018 (with Plaid Parliament of Pwning as runner-up and BFKinesiS on close third) - this netted us close to 200 points for the global ranking!

Google CTF 2018 Finals venue (Photo by Gynvael)

In late October we traveled to London, UK for the Google CTF 2018 Finals, but finished there on 5th place. Early November meant going to Moscow, Russia for the CTFZONE 2018 Finals, however we also fell short there and eventually landed on 6th place with two top-tier teams from Russia taking the top places (Bushwhackers and LC↯BC) and p4 closing the podium.

November was also the month when the main Dragon CTF 2018 took place. A lot of preparations happened weeks before the CTF, yet we somehow always end up polishing the details up until the last minute and not really getting too much sleep beforehand (it is then that we've realized that valis is a vampire and doesn't need any rest, and that Gynvael looks like a literal zombie unless he gets his beauty sleep).

Dragon CTF 2018 (Photo by Gynvael)

Still, we managed and we were happy with the results (and so were the players)! And we proudly joined the small-yet-growing group of CTFs with custom game hacking challenges (a trend started by the famed Ghost in the Shellcode CTF, and continued by e.g. the aforementioned Insomni'hack CTF).

Arcane Sector Online from Dragon CTF 2018

In December we played only two CTFs: the hxp CTF 2018 and the annual "season finals" in the form of the renowned Chaos Communication Congress (or 35C3 for short) CTF in Leipzig, Germany. The latter was especially important for us, as it's one of the very few CTFs with the ultimate 100 rating weight. Also it was organized by Eat, Sleep, Pwn, Repeat - this basically certifies quality.

In the end we've finished 3rd on both CTFs, with pasten one-upping us as every year. The KJC+MHackeroni team from Italy won btw - they are extremely good, but similarly to pasten, play only a few CTFs during the year.

And this was enough to keep the first place in the global CTFtime ranking, with Plaid Parliament of Pwning being really close on the second place, and our friends from another Polish team - p4 - taking the 3rd place (it's worth mentioning that multiple other teams were really close to the 3rd place, e.g. TokyoWesterns, 217, 0daysober - organizers of Insomni'hack or dcua - the Ukrainian powerhouse).

So GG, WP. For us it's time to rest...

...until January 19th that is, since we have to win Insomni'hack teaser 2019 CTF for the 6th time in a row :)

Dragon Sector, Dec 31, 2018