Google CTF 2019 (withgoogle.com)
251 points by zipslip on June 22, 2019 | hide | past | favorite | 136 comments



Dig at Apple from the third stage of the beginners' quest:

"Your first thought is 'Why does the display stand need to announce its price? And exactly how much does 999 dollars convert to in Xenonivian Bucklets?'"


I wonder if Google will end up buying more of those $999 stands than any other individual customer.


Stuck on this one, can see readme.flag but not sure how to proceed


Ended up using makemime which showed the data in base64. Good enough! Interestingly enough though the ORME.flag showed permission denied... I'll have to go back to that one later.


I think one of the binaries probably has a privilege escalation vulnerability. Looking with ls -al you can see the last modified dates; there are a couple of interesting ones.


Same. As far as I can tell, none of the usual restricted shell escape tricks work, so you just have to search through all the binaries on the system until you find one you can abuse to print the file contents, and that seems like more of a time sink than it's worth.


env /bin/busybox strings README.flag


Nice one! Was wondering if there would be a way to call BusyBox with one of the missing binaries.


Use iconv.


LOL; I used split in the temp directory to create files of a single byte each and ran md5sum on them.

That's quite a bit more straightforward :)


Well I spent an hour trying out as many commands as possible before giving up. Then came across this comment: https://news.ycombinator.com/item?id=20252612 and went through his Twitch recordings to see if he could get past this stage. That is how I learnt about iconv. :)


Hehe. I kinda love this though :P


shuf also works (it's in /usr/bin) -- this took me a ~long~ time to figure out


I ended up using fold. There also has to be a way to read the ORME.flag by modifying the file permissions, but I haven't figured that one out yet.


Yeah I went through all of the non-deleted commands and fold ended up being the one I found too. The beginning instruction says some levels have multiple flags, so I'm guessing ORME.flag is the hardmode flag.


I bypassed the shell by executing the binary straight from the loader so I was able to do a chmod +r and cat to get it.


how did you do this? amazing


/lib/ld-musl-x86_64.so.1 /bin/busybox chmod +r ORME.flag
/lib/ld-musl-x86_64.so.1 /bin/busybox cat ORME.flag


Google also sells expensive stands: https://cloud.withgoogle.com/hardware/

Though it does more (rolls) and is actually made by BenQ.


Their Android team could learn a thing or two about proper framework development from Apple.


Does someone do in-depth posts/videos/talks about any of these (Google or FB) CTF challenges, breaking up what is happening, what, why and how they tried per challenge and how they finally came to the solution step-by-step?

These things have always intimidated me and I'd love to know more.


I started streaming it yesterday on my Twitch channel, but I was asked not to by a Google employee.

I've been working through the Beginner's Quest instead, which is actually a lot of fun and has a cute story.

https://www.twitch.tv/videos/442406188 if anyone wants to see the broadcast from yesterday.


Thanks for the tip on using iconv. I spent an hour trying to figure out which command to use for that README.flag! Learnt something new!


Always happy to help! <3


Gynvael Coldwind (member of Google security team) probably will do. Here's a video from last year's Beginner Quest: https://www.youtube.com/watch?v=qDYwcIf0LZw


ctftime lists writeups, but in general you can google "whatever ctf challenge name writeup"


Check out LiveOverflow on YouTube. He's gone in depth on a bunch of CTF tasks and his solving process.


People often write this up after the fact.

Google’s CTF normally drops write ups (both their own and links to external solvers’) in some shared repository afterwards.

Of course they won’t go play by play through everything they thought about every time, but they are pretty good reads.



CTF = Capture The Flag

(I didn't know what it stood for at first).


And what it means in this context:

https://en.wikipedia.org/wiki/Capture_the_flag#Computer_secu...

> In computer security, Capture the Flag (CTF), a type of wargame, is a computer security competition. CTF contests are usually designed to serve as an educational exercise to give participants experience in securing a machine, as well as conducting and reacting to the sort of attacks found in the real world (i.e., bug bounty programs in professional settings).


The emoji virtual machine (step 3 or 4) is cool. I'm trying to understand what it does to speed it up.


I'm on that as well, for me it seems it just decodes some Unicode characters and does arithmetic to print the message, I don't know why it's taking so long or how can I speed it up.


It's calculating prime numbers which is why it's slow.

Now if only I was to work out which prime numbers it wants... :)


Hints: Prime numbers, Palindromes, XOR and offset for later :)


have you guys figured it out? I got stuck here too.


I'm having a hard time even getting it to run.

"python vm.py program" results in "SyntaxError: Non-ASCII character '\xf0' in file vm.py on line 19, but no encoding declared;"

adding the relevant encoding (# -*- coding: utf-8 -*-) then results in "RuntimeError: Unknown instruction ''\xf0\x9f\x96\x8b\xf0\x9f\x92\xa0\xf0\x9f\x94\xb6\xf0\x9f\x8e\x8c\xf0\x9f\x9a\xa9\xf0\x9f\x8f\x81'' at 370"

I assume debugging the program is part of the challenge? Or is it just supposed to work?


Run it with python3, not 2.7X



There's a pretty simple optimization in the labels you can do, but it doesn't really help that much. The first block of letters is XORing with one set of primes that follow a common pattern, but the second one is stumping me. I let it run overnight and basically made no progress once it hit the second block.
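The prime/XOR decode the comments above hint at, as an added stand-in example that is not part of the thread or of the CTF's vm.py: a constructed scheme in which the first block is XORed with consecutive primes and the second with palindromic primes starting at an offset, with a sieve replacing the per-candidate trial division that makes the VM slow. The real program's key schedule is not on the page; every name and sample value here is an assumption.

```python
# Constructed stand-in for the emoji VM's decode loop (example code, not the CTF's program).
from typing import List


def sieve(limit: int) -> List[int]:
    """Sieve of Eratosthenes: every prime <= limit, computed once up front."""
    if limit < 2:
        return []
    flags = bytearray([1]) * (limit + 1)
    flags[0] = flags[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if flags[i]:
            # Clear every multiple of i from i*i upwards.
            flags[i * i::i] = bytes(len(range(i * i, limit + 1, i)))
    return [i for i, f in enumerate(flags) if f]


def is_prime_trial(n: int) -> bool:
    """Per-candidate trial division, the kind of loop a slow VM would run for each key byte."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def primes_naive(count: int) -> List[int]:
    """First `count` primes by trial division (slow path, kept for comparison)."""
    out, n = [], 2
    while len(out) < count:
        if is_prime_trial(n):
            out.append(n)
        n += 1
    return out


def palindromic_primes(limit: int) -> List[int]:
    """Primes <= limit whose decimal digits read the same backwards (the 'palindromes' hint)."""
    return [p for p in sieve(limit) if str(p) == str(p)[::-1]]


def xor_with_keys(data: bytes, keys: List[int], offset: int = 0) -> bytes:
    """XOR each byte with the low byte of keys[offset + i]; symmetric, so it both encodes and decodes."""
    stream = keys[offset:offset + len(data)]
    if len(stream) < len(data):
        raise ValueError("key stream too short for data")
    return bytes(b ^ (k & 0xFF) for b, k in zip(data, stream))


def decode_two_blocks(block1: bytes, block2: bytes, offset: int) -> bytes:
    """Block 1 keyed by consecutive primes, block 2 by palindromic primes from `offset` (assumed scheme)."""
    limit = 100_000  # enough key material for the constructed sample; raise it if the stream runs short
    return xor_with_keys(block1, sieve(limit)) + xor_with_keys(block2, palindromic_primes(limit), offset)


# Constructed sample: encode a known string with the same scheme so the decode can be checked.
SAMPLE_PLAIN_1 = b"hello."
SAMPLE_PLAIN_2 = b"example.com"
SAMPLE_OFFSET = 4
SAMPLE_CIPHER_1 = xor_with_keys(SAMPLE_PLAIN_1, sieve(100))
SAMPLE_CIPHER_2 = xor_with_keys(SAMPLE_PLAIN_2, palindromic_primes(100_000), SAMPLE_OFFSET)

if __name__ == "__main__":
    print(decode_two_blocks(SAMPLE_CIPHER_1, SAMPLE_CIPHER_2, SAMPLE_OFFSET))
```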


Running it with pypy sped it up quite a bit and got it far enough to figure out the remaining portion of the URL.


Haha, I was gonna try exactly that, but I got too lazy trying to install pypy3 on my shitty centos box. My other option was to translate it into real assembly, but that also seemed like more work that I wanted to put into it.


> My other option was to translate it into real assembly

I wrote a compiler from emoji-code to amd64 (mostly because I'm more interested in compilers than reversing). It runs quite fast - prints the whole domain in ~1 min. I'd highly recommend it to people who are into assembly, it was a fun exercise.


How did you implement the JUMP_TOP instruction? You need to jump to the x86_64 instructions that correspond to the given emoji index; did you implement a jump table?


Yeah, I put labels corresponding to the original IP throughout and used a jump table.


That's pretty cool! I just transliterated the instructions into C macros, but I didn't bother with the jump tables. The nice thing with this approach is that you can mix VM instructions with C code freely and get gdb support. I needed that because speeding up via C wasn't enough to decode the full URL and I still needed to do additional reversing.

Was your method fast enough to get all three parts of the URL?


It produces the full domain name (up to .com) in ~ 1 minute. If there is more to the url (a path, ?= parameters, etc) after the domain name, then no.


Would you mind sharing this? I'd love to check it out :)



I guessed the URL, but found nothing on it.

I'm guessing the flag may be in the rest of the message to be decoded.


Check the pngs across the domain. There is something special in at least one of them.


Already checked them out, for EXIF data, visually and also with inverted colors. What am I missing?

I scraped and downloaded around 55 pngs.


Yeah, I found 55 profiles/pngs. Tried ordering the profiles by the image # (from 2 to 56). Noticed the profile names are also a variation of two emojis, so tried looking into binary/morse, but nothing.

As the comment above implies, it seems like my approach was wrong and the answer is in one of the images I guess


I might be going the wrong way with that then. Using stegoveritas I noticed that PNG has a bunch of "ISO-8859 text, with very long lines, with no line terminators" files which isn't normal for PNGs.


If you'd like to whine a bit with me, join me at: ##ctfcompetition @ freenode, I'm currently under the nick caulifl0wer


I checked the pictures a lot of times, maybe I'm missing something.


I'm lost on the beginners task. These things always make me feel stupid.


Yeah, the beginner one is definitely a higher level than I would've expected a beginner level one to be. Starting with a binary/reversing challenge is already quite a bit more than I'd expected from the very first beginner level.


You really don't need to reverse the binary to pass that one haha. The string isn't obfuscated in the ELF, you can just look at the file in a text editor to see the flag


Haha I feel extremely stupid now! Thanks though, after being unblocked I'm making decent progress, already gotten then next 4 levels. This is really fun for beginners!


No problem.

I think that feeling is extremely important when learning new things. It shows that you are starting to build a model of the problem space and filling it with things that were non-obvious to you.


It's running `strings` on the binary :P


I feel you.


Can’t wait until Facebook team wins it


For those not in the loop, Google’s team won the Facebook CTF a couple of weeks ago and then used it as an opportunity to advertise Google CTF: https://www.fbctf.com/scoreboard


Seems like I am even more out of the loop; what type of CTF is this? It appears the original article dives right into teams and rules and write ups without explaining what it is all about, which just leaves me even more confused.


There is a link in the "What is the Google CTF?" section that leads to the following:

https://buildyourfuture.withgoogle.com/events/ctf/#!?detail-...



I don't know about anyone else but this is a pretty hard ctf. It's a lot harder than other ones online


Google CTF is generally pretty challenging, yes.


The CTF is staffed by volunteers who make up the problems. I wrote one in 2017 for the Google CTF Quals and found it very difficult to balance.


Three of the problems in the beginners quest have 2 flags. In two of the problems, the problems themselves tell you that there are two flags (or give you very obvious hints), but I have no idea which one is the third problem that has a second flag, let alone how to get it... could anyone give me a hint?



Same here. Unless there's some steganography, I'm really all out of ideas. I see the content of folders (/static/, /static/images/, etc), but that doesn't help. I can't get anything out of /admin and the content of /post doesn't appear anywhere for any sort of XSS attack.


There isn't any steganography (at least for the flag that I found). They have a bot that actually "reads" your post, which you can verify for yourself. This is alluded to in the message that you get when submitting a post:

> Your post was submitted for review. Administator will take a look shortly.


> which you can verify for yourself

How can you verify? That's where I was stuck; it's hard to test things if you're not getting any sort of feedback. That message seemed pretty constant.

EDIT: I see, managed to verify it by putting an image on my own webserver and seeing the log hit. I got a rough idea now, thanks!

EDIT2: Got it :)


I completed the challenge. You don't need to see the result of the entry to deduce whether XSS is possible.

If the server is parsing your input, maybe you can find a way for the server to leak more than it wants.

If you want more information, or simply the answer, PM me.


Hi, could you provide some more information regarding how one can force the server to leak more information than it should? I have been stuck with this exercise for quite some time and am honestly out of ideas.


Firefox ext:Canvas blocker crashes on your site.


> Eligibility: The Contest is open to individuals who are (1) over the age of eighteen (18) at the time of entry; (2) not a resident of Quebec, Cuba, Iran, Syria, North Korea, Sudan, or Crimea; [1]

Why Quebec is banned?

https://buildyourfuture.withgoogle.com/events/ctf/#!?detail-...


Stringent local laws with respect to competitions.

https://www.thebalanceeveryday.com/why-are-so-many-competiti...


> Quebec's sweepstakes laws are designed to protect its residents from scammers and to ensure that prizes are awarded as promised.

The solution they came up with is to make the rules so complicated that there are no sweepstakes available in Quebec! Cool.


> Why is Quebec excluded from the CTF? Local laws and regulations make it extremely challenging for us to run a competition open to residents of Quebec. We are truly sorry about this, and hope to change this in the future if possible.


This aspect could be the real hurdle:

"Pay a fee of up to 10% of the sweepstakes' value, depending on who is allowed to enter."

So they would need to pay Quebec $3K just to have the competition available there, even if it is a global competition.

It sounds to me like Quebec has got to have some reason for these Quebec special laws. It has nothing to do with France, there has to be another reason. Does anyone have any ideas?


From a 2011 Globe and Mail article:

> Ever notice that Canadian contests keep barring the poor residents of Quebec from entering? It's not that contests are illegal in Quebec – it's just that the government makes it especially difficult to run one.

> For one thing, contest runners have to pay tax on the value of the prize. For another thing, contests with prizes over $2,000 have to register their rules with a government agency, the Régie des alcools des courses et des jeux – which is usually just referred to as the "Régie."

> To top it off, contests with prizes worth more than $5,000 actually have to deposit an amount as a security with the Régie, as a means of protecting consumers should the contest runner fold or renege.

> When compounded with the complexities of working in two languages at once, many contest runners simply disqualify entrants from the province.


Yeah that's a good way to make everyone just skip your whole province. Just like how all the big headquarter offices moved to Toronto from Montreal in the 1970s, Quebec keeps shooting themselves in the foot. This chart shows everything you need to know:

http://www.newgeography.com/files/cox-toronto-evolve-1.png

By all means they should be the dominant city in Canada instead of Toronto, or at least equal. But they are so obsessed with mirroring France's obsession with rules.

Canada almost always ranks near the top of the Economic Freedom Indexes (higher than the US), while France is in the middle ranking below most post-soviet eastern European nation states.

https://en.wikipedia.org/wiki/Index_of_Economic_Freedom


And yet, housing prices in Montreal are much more affordable. And it has much better transportation options (separated bike lanes) despite significantly harsher winters. And Montreal is significantly happier [1] than Toronto or Vancouver. In other words, population growth (or money, or property values, whatever) isn't everything.

[1] https://www.theglobeandmail.com/investing/personal-finance/a...


I tried living in Montreal and the long punishing winter trumps all of the other great benefits of Montreal over Toronto. It goes on far longer and the snow fall is far, far worse. But yes it's also a far prettier city than Toronto with a better music and cultural scene with super cheap rent.

But I now see it as a far better tourist destination than somewhere to build a life/business. Unless you're an artist or student who can't afford rent in a big city but still want to live in a big city (which is what 99% of the young people I met seemed to be doing, a whole lot of creative but unmotivated individuals).

I also found the stereotypes of the francophone Quebecois I heard my whole life growing up in Ontario to be surprisingly accurate (I went in highly skeptical as I'm a bit of a snob myself). The francophone parts of town were often both rude and hostile to someone still learning the language, while local laws force every worker to start every interaction in French. I was basically forced to start every interaction in every cafe/convenience store apologizing that I don't speak French well and continuing in English, missing every opportunity to learn. I also witnessed multiple protests over companies like JC Penny not french-ifying their brand names (which sounds crazy to me), which I thought was ridiculous, and it was unsurprising that business was slow there.

I spent a year living in MTL then came back multiple times over the last decade and very few new buildings or businesses changed. Meanwhile Toronto built about 100 new skyscrapers and new companies in the same time period.


Almost everything in Canada, every ad, promotion, service has some kind of special section for Quebec.

They insist on having completely different laws for every little thing. From a company's POV, it's probably as legally onerous as operating in a different country altogether - not worth it.


> From a company's POV, it's probably as legally onerous as operating in a different country altogether - not worth it

It's much worse than that. Google didn't research the sweepstakes laws in, say, Paraguay or the Gambia before making this announcement. They figure that, in the worst case, their legal department will tell them not to award the prize if the winner comes from a country where they can't legally award it, and they'll scramble the necessary PR people if that comes to pass.

For Quebec, on the other hand, they'll be forbidden from carrying on business in all of Canada if they advertise this competition as one that can be won in Quebec. A terrible chilling effect - and I say this as someone who universally favours the freedom and self-determination of small nations such as Quebec.


As a resident, yes this is pretty much it.

For an American firm especially, it's just an odd little place with everything in a different language; it's just not worth the hassle for lawyers and risk, so they just skip it.


The laws were probably written with lotteries and gambling originally in mind, and made overly broad to prevent people from finding loopholes (like, say, a poker tournament where the chips aren't worth real money, but there is a cash prize at the end).


It is also because the government is the one managing casinos and gambling altogether. Even a bar is prohibited from having game consoles if they don't pay some kind of fee to Loto-Quebec.


Quebec is always banned in most online competitions with a prize (I believe you can participate in Code Jam but cannot win any prize), because local law forces these competitions to be both in French and English. If it's not bilingual, they're not allowed.


Better question: why is under-18 banned?


Most likely for any contracts accepted to be legally binding.


Google Code Jam has no such restriction.


Google Code Jam has restrictions:

16 years or older to participate; 18 years or older to attend the onsite final round.

> If your age is not at least the Minimum Age [18+], you are only eligible to win a t-shirt.

https://codingcompetitions.withgoogle.com/codejam/rulesandte...


I think some jurisdictions have laws requiring that, probably as an anti-gambling thing.


Just guessing: because it's not available in French.


France isn't banned?


Might be required to provide instructions and support in French to be allowed to run a competition in Quebec, but no such rule in France.


> Q: I got an error: PERMISSION_DENIED: Permission denied.

> A: Try picking a different team name, the team name you inserted is already taken.

A: How to tell your software was built by security people.


Would not be surprised if this strange FAQ is part of the puzzle


The stated prize amount spells ELEET, so that might support your theory. Although it also supports the theory that there's no prize money whatsoever.

I'm getting all introspective and seriously struggling trying to figure out why I have such a viscerally negative reaction to this. Like not just bafflement or indifference or boredom, I actively hate it. Can't really explain it. But it's apparent that I'm not their target demographic.


> The stated prize amount spells ELEET, so that might support your theory. Although it also supports the theory that there's no prize money whatsoever.

Prize amounts for CTFs are frequently variations of “leet”; I see nothing strange with this.


I would think it's more secure if it didn't leak which were taken. For example, "Name invalid or already taken, please try another"


There’s literally a scoreboard with a list of teams…


As if it's that hard to sight-validate a team name.

The error message doesn't leak which names are taken. The FAQ interprets the error message for the user.


Acronyms suck


"Capture the Flag" is pretty long if you use it frequently, though.


> Q: I got an error: This browser is not supported or 3rd party cookies and data may be disabled.

> A: Enable 3rd party cookies.

Come on Google, why do you require third party cookies for a competition amongst the most privacy-conscious people on the planet?


I’m always amazed how a company that creates the world’s most popular mobile OS and web browser is unable to code a decent mobile webpage.

Scrolling this page is sufferable, anchor links don’t work well, etc. Basic stuff.

Look no further than G Suite, Google Cloud for more examples.


I have heard of this argument often, and I don't quite understand it. It's similar to saying "I'm always amazed at how a country that has the most number of Nobel prize winners has some citizens that can't do calculus"

The people that work on Android and Chrome are not the people who work on websites. It's okay to say the website doesn't meet your expectations, but it's better to recognize that those are different projects worked on by different people with different set of requirements and resources.


Companies are not countries. People are hired in the first and born in the second.

Companies should be concerned when their actions don't match the narrative they are trying to sell about themselves. If the Mobile Web is important to Google (and it should be), it must be a company wide effort. The “that's not my department” excuse doesn't cut it.


"I'm always amazed at how a college that has the most number of Nobel prize winners has some professors that can't do calculus"


That's a better analogy.

Still, colleges are usually much more eclectic than companies. Even MIT, usually known for STEM, has one kick ass humanities department.


To be fair, the challenges are impossible to solve on a mobile phone so I am not sure why they should invest time and effort to make it mobile friendly.


It's not that hard to write a decent mobile page. It's often the result of over engineering.


But you can't use a mobile to play CTF in the first place. It would be over engineering if they made the page usable on a mobile for absolutely no reason.

Some of the stages in the CTF require you to download zip files and mount DMG/NTFS files. How do you propose to do that on a mobile?


No one is arguing for CTF to be playable on mobile, just that the page should be easily readable.

And it’s not hard to do that.


The entire competition is a volunteer/20% thing internally. It doesn't go through the same design cycle as official Google products. For this year, they also rewrote the scoreboard site from scratch (it now uses Firebase).

[source: I was the on-call SRE for the 2017 edition]


I believe you; still, it's hosted at a Google domain and it's a company core competency. I don't think that's excusable.


I mean, it's not like this CTF requires you to unzip data, use a terminal (decrypt Base64, use Telnet and python scripts) and read weird files with unreadable characters


What has that got to do with anything?

You should be able to read the page on mobile effortlessly.

The fact that this is polemic is symptomatic.


I notice they're continuing the proud Silicon Valley start-up tradition of building a website that doesn't actually tell you what Google CTF is :P

Even when I click on the beginner's quest, I've got paths, flags, endings, challenges...

...but nothing to tell me what the hell the thing actually IS!


It’s in the link at the bottom of the “What is the Google CTF?” section.


You'd think that the "What is the Google CTF?" section would answer the question "What is the Google CTF?" rather than sending someone to another page.

All Google would have to do is move the sentence "they consist of a set of computer security puzzles (or challenges) involving reverse-engineering, memory corruption, cryptography, web technologies, and more" from the secondary page into the paragraph that's supposed to answer the question. It would actually be shorter.


Ah, I actually followed that link trying to find out. All I see on my browser is a bit of text with a big blue button that says "will you capture the flag?", which isn't really helpful, which takes me back to... the original website.

Now on the one hand I'd say, ok, it's not Google's responsibility to try to have websites/non-standard browser config setups actually work with their web pages...

On the other hand, I'm sure the kind of security people Google is looking for all surf the web with standard browser configs and permissions enabled...

And as the other commenter has pointed out, I know it's radical of me, but I would have thought the "What is the Google CTF" section should contain text which answers "What is the Google CTF".


Scroll down


I did. It's not a big page. There's nothing there.

Now I'm not a (total) idiot; obviously I can debug it if I have to (and if other people are telling me "there's stuff there, you just can't see it").

If I open it in Chrome with extensions turned off or a default mobile browser, stuff now appears, so yeah, it's got to do with script permissions and the like.

But again, why not just include actual text in the "what is Google CTF" section that answers "what is Google CTF?", and/or in the beginner's section that explains what's going on, and of all the groups of people you'd build your webpage for, are security people the ones for whom you want a website that breaks if they block your default scripts/permissions?


If you're having this much issue with figuring out what a CTF is, it's probably not for you. Google's CTF is pretty damn hard.


If their goal was to minimize participation and competition, then they certainly succeeded. I don’t think being unfamiliar with something should ever be outright disqualifying.


If I were holding a competition for bakers, I wouldn't feel obligated to include a paragraph explaining what a "bake-off" is. I knew what a CTF was years before I knew enough to compete in one; it's a central part of hacker culture going back to the mid-90s.

Every puzzle here places you in a different unfamiliar situation. The only "outright disqualifying" thing is whether you can figure out something on your own. You essentially failed the first test.


If you put it that way, it wouldn't be wrong to think of it as a disqualifying round


They probably didn't include the text there because there are "FAQ" and "Rules" links on that page, and clicking on those leads to lots of text. They could have made the links more noticeable though.



