This edition saw 1113 teams register, with only 236 of them scoring at least one challenge. While the start was relatively smooth, we suffered a DDoS attack approximately 4h into the competition. It took us a while to find that you can actually scroll down in the security settings of your Cloudflare zone (🤦♂️) :
When using the "I'm under attack!" mode, browsers were challenged before accessing the site and the attack was quickly stopped. Thank you Cloudflare for saving the day 😍 !
Back to the CTF results, here's the top 20 :
The top 6 teams will receive 8 tickets for the conferences, while the top 3 will also receive hotel accommodation for 3 nights. The full results are available on CTFTime.
Here are the stats, with time to solve the challenges and number of solves :
| Name | Categories | Points | Time to solve | First blood | Number of solves |
|------|------------|--------|---------------|-------------|------------------|
The winhttpd challenge wasn't solved, although Dragon Sector was very close.
The curlpipebash challenge was a troll welcome challenge enticing you to pipe the output of a web server to a bash shell. Of course, nobody should ever do that... The web server created a session, valid for only 1 second, and returned another curl command with another URL, specific to the current session. The second curl command downloaded a script that attempted to exfiltrate the username and hostname through a chunk-encoded request, and also inserted a message in the user's .bashrc :
THANK YOU FOR PLAYING INSOMNIHACK TEASER 2019
The server would display the flag only if the username and hostname weren't sent. This lovely challenge gave us the following interesting data :
A lot of people (387!) are using the root account, and a total of 1312 unique users were pwned. It shows that even skilled security professionals can be pwned easily...
Finally, if you're unable to get rid of our thank you note, here's the command you can safely copy and paste into your terminal 😉 :
sed -i.bak '/THANK YOU FOR PLAYING INSOMNIHACK TEASER 2019/d' ~/.bashrc
We look forward to seeing you all onsite for the Insomni'hack conference and CTF !