CSCBE is a CTF created for Belgian students that takes place every year. This year was the third year I participated in the CSCBE. It’s also the last year since it’s only for (Belgian) students, and I’m graduating in June.
It all started with the qualifiers on Tuesday and Wednesday the 9th and 10th of March 2021. I asked for a day off from my internship and sacrificed the day to work on my thesis, so I would have enough time to participate. Our team “no more handshakes” consists of Arno, Robin, Laurens and me.
The first thing we noticed was that there were fewer challenges than in past years. This was a bit of a disappointment. After having a good look at all the challenges, and solving some of them, we realized we needed to create a script for most of them, which I’m not really a fan of.
Since I’m doing bug bounty in my free time, I wanted to have a look at the web challenges, but to my disappointment, there were only 2, and a 3rd one was added after some time. Our team did not solve any of them. After the challenge, the “writeups” (weren’t really writeups for the web challenges) got published in the Discord server of CSCBE. All three of the challenges turned out to be LFI challenges. 3 out of 3 challenges was a little bit overkill in my opinion. One made use of base64, the other one of XXE, and the last one turned out to be a “classic zip slice” as the creator called it. This is the only one that I think we could have solved if we used the right keywords in Google. We did not have much experience with LFI in the past, so this was a little bit frustrating.
The only challenge I solved (after a lot of struggling) was “Maizie”. This was a remote netcat shell, that outputs a maze. The goal was to send the solved maze back within 2 seconds. After spending some time, I was able to interact with the netcat shell, get the maze out, convert it to binary (1 for walls and 0 for passageways), solve the maze, convert it back to the original format, and send it back to the shell. But the shell did not give anything back after entering the solved maze. I messaged an admin and he told me to use pwntools to interact with netcat. This took some time as well to make it work and finally, the shell accepted the maze but… It gave back another maze to solve. My code was too horrible to put in a loop, and I was too tired already, so I decided to go to sleep and continue the next day. The next day I finished the script, and got the flag back :).
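The solve pipeline described above (maze text to a grid with 1 for walls and 0 for passageways, solve, convert back to the original format), as an added Python example that is not the author's script. The maze format (`#` walls, `S`/`E` markers, `.` for the path) and all function names are assumptions, since the post does not show the challenge's format, and the pwntools network loop is left out.

```python
from collections import deque

# Constructed sample maze in an assumed format: '#' wall, ' ' passage,
# 'S' start, 'E' exit. The real challenge format is not shown in the post.
SAMPLE = """\
#########
#S  #   #
# # # # #
# #   #E#
#########"""

def to_grid(text):
    """Return (grid, start, end); grid holds 1 for walls and 0 for passageways."""
    lines = text.splitlines()
    grid = [[1 if ch == "#" else 0 for ch in line] for line in lines]
    find = lambda m: next((r, l.index(m)) for r, l in enumerate(lines) if m in l)
    return grid, find("S"), find("E")

def solve(grid, start, end):
    """Breadth-first search; returns the shortest path as a list of cells, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        cell = queue.popleft()
        if cell == end:
            path = []
            while cell is not None:  # walk the predecessor chain back to start
                path.append(cell)
                cell = prev[cell]
            return path[::-1]
        r, c = cell
        for nr, nc in ((r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)):
            if (0 <= nr < len(grid) and 0 <= nc < len(grid[nr])
                    and grid[nr][nc] == 0 and (nr, nc) not in prev):
                prev[(nr, nc)] = cell
                queue.append((nr, nc))
    return None  # exit not reachable

def render(text, path):
    """Convert back to the original text format, marking the path with '.'."""
    rows = [list(line) for line in text.splitlines()]
    for r, c in path[1:-1]:  # keep the 'S' and 'E' markers intact
        rows[r][c] = "."
    return "\n".join("".join(row) for row in rows)

def solve_text(text):
    grid, start, end = to_grid(text)
    path = solve(grid, start, end)
    return None if path is None else render(text, path)
```

Because each round is a pure text-in, text-out call to `solve_text`, it can be placed in a loop for a service that keeps sending new mazes.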
Our team ended up 24th on the scoreboard, and we qualified for the finals.
The finals on the 26th of March were almost as disappointing as the qualifiers. We had until 12:00 AM to solve a few challenges (I enjoyed these more than the challenges in the qualifiers). But… there were 10 social engineering challenges, where you needed to get certain people to say one of two given words. These people knew we would social engineer them, since they were employees of the sponsors. In my opinion, there is nothing wrong with a few social engineering challenges, but 10, with each of them worth 10 points, is just too much. I started out with one that went great, but quickly gave up because there were queues everywhere, and I wasn’t motivated enough to wait in the queue for each social engineering challenge, and neither was my team. We only solved one of the 10 challenges, so we lost a lot of points on this.
After lunch, the group was split up: the teams who qualified in the morning went on with the finals, and the other teams were able to play a CSI game. We went to the briefing of the CSI game, but as soon as we heard we had to queue again, we decided to quit. Although the game looked nice, we had already lost all motivation before lunch.
In the finals, we ended up on position 25 of the scoreboard.