
Google CTF 2019 - zipslip
https://capturetheflag.withgoogle.com
======
AJRF
Dig at Apple from the third stage of the beginners' quest;

"Your first thought is "Why does the display stand need to announce its price?
And exactly how much does 999 dollars convert to in Xenonivian Bucklets?""

~~~
tito3
Stuck on this one, can see readme.flag but not sure how to proceed

~~~
kwesthaus
Same. As far as I can tell, none of the usual restricted shell escape tricks
work, so you just have to search through all the binaries on the system until
you find one you can abuse to print the file contents, and that seems like
more of a time sink than it's worth.

~~~
shripadk
Use iconv.

~~~
archgoon
LOL; I used split in the temp directory to create files of a single byte each
and ran md5sum on them.

That's quite a bit more straightforward :)

~~~
shripadk
Well I spent an hour trying out as many commands as possible before giving up.
Then came across this comment:
[https://news.ycombinator.com/item?id=20252612](https://news.ycombinator.com/item?id=20252612)
and went through his Twitch recordings to see if he could get past this stage.
That is how I learnt about iconv. :)

------
hpeinar
Does someone do in-depth posts/videos/talks about any of these (Google or FB)
CTF challenges by breaking up what is happening, what, why and how they tried
per challenge and how did they finally come to the solution step-by-step?

These things have always intimidated me and I'd love to know more.

~~~
some_furry
I started streaming it yesterday on my Twitch channel, but I was asked not to
by a Google employee.

I've been working through the Beginner's Quest instead, which is actually a
lot of fun and has a cute story.

[https://www.twitch.tv/videos/442406188](https://www.twitch.tv/videos/442406188)
if anyone wants to see the broadcast from yesterday.

~~~
shripadk
Thanks for the tip on using iconv. I spent an hour trying to figure out which
command to use for that README.flag! Learnt something new!

~~~
some_furry
Always happy to help! <3

------
jaden
CTF = Capture The Flag

(I didn't know what it stood for at first).

~~~
philshem
And what it means in this context:

[https://en.wikipedia.org/wiki/Capture_the_flag#Computer_secu...](https://en.wikipedia.org/wiki/Capture_the_flag#Computer_security)

> In computer security, Capture the Flag (CTF), a type of wargame, is a
> computer security competition. CTF contests are usually designed to serve as
> an educational exercise to give participants experience in securing a
> machine, as well as conducting and reacting to the sort of attacks found in
> the real world (i.e., bug bounty programs in professional settings).

------
Tepix
The emoji virtual machine (step 3 or 4) is cool. I'm trying to understand what
it does to speed it up.

~~~
dysoco
I'm on that as well, for me it seems it just decodes some Unicode characters
and does arithmetic to print the message, I don't know why it's taking so long
or how I can speed it up.

~~~
koyote
It's calculating prime numbers which is why it's slow.

Now if only I was to work out which prime numbers it wants... :)

~~~
aereal
Have you guys figured it out? I got stuck here too.

~~~
gctfthroaway
I'm having a hard time even getting it to run.

"python vm.py program" results in "SyntaxError: Non-ASCII character '\xf0' in
file vm.py on line 19, but no encoding declared;"

adding the relevant encoding (# -*- coding: utf-8 -*-) then results in
"RuntimeError: Unknown instruction
''\xf0\x9f\x96\x8b\xf0\x9f\x92\xa0\xf0\x9f\x94\xb6\xf0\x9f\x8e\x8c\xf0\x9f\x9a\xa9\xf0\x9f\x8f\x81''
at 370"

I assume debugging the program is part of the challenge? Or is it just
supposed to work?

~~~
grafporno
Run it with python3, not 2.7X

------
wnevets
I'm lost on the beginners task. These things always make me feel stupid.

~~~
ehsankia
yeah, the beginner one is definitely higher level than I would've expected a
beginner level one to be. Definitely starting with a binary/reversing
challenge is already quite a bit more than I'd expected from the very first
beginner level.

~~~
AJRF
You really don't need to reverse the binary to pass that one haha. The string
isn't obfuscated in the ELF, you can just look at the file in a text editor to
see the flag

~~~
ehsankia
Haha I feel extremely stupid now! Thanks though, after being unblocked I'm
making decent progress, already gotten the next 4 levels. This is really fun
for beginners!

~~~
AJRF
No problem.

I think that feeling is extremely important when learning new things. It
shows that you are starting to build a model of the problem space and filling
it with things that were non-obvious to you.

------
0xDEFC0DE
Can’t wait until Facebook team wins it

~~~
saagarjha
For those not in the loop, Google’s team won the Facebook CTF a couple of
weeks ago and then used it as an opportunity to advertise Google CTF:
[https://www.fbctf.com/scoreboard](https://www.fbctf.com/scoreboard)

~~~
stingraycharles
Seems like I am even more out of the loop; what type of CTF is this? It
appears the original article dives right into teams and rules and write ups
without explaining what it is all about, which just leaves me even more
confused.

~~~
nvrspyx
There is a link in the "What is the Google CTF?" section that leads to the
following:

[https://buildyourfuture.withgoogle.com/events/ctf/#!?detail-...](https://buildyourfuture.withgoogle.com/events/ctf/#!?detail-content-tabby_activeEl=about)

------
ackbar03
I don't know about anyone else but this is a pretty hard ctf. It's a lot
harder than other ones online

~~~
saagarjha
Google CTF is generally pretty challenging, yes.

------
abidart
Three of the problems in the beginners quest have 2 flags. In two of the
problems, the problems themselves tell you that there are two flags (or give
you very obvious hints), but I have no idea which one is the third problem
that has a second, let alone how to get it... could anyone give me a hint?

------
dexhunter
stuck on
[https://govagriculture.web.ctfcompetition.com/](https://govagriculture.web.ctfcompetition.com/)
this task, any help?

~~~
ehsankia
Same here. Unless there's some steganography, I'm really all out of ideas. I
see the content of folders (/static/, /static/images/, etc), but that
doesn't help. I can't get anything out of /admin and the content of /post
don't appear anywhere for any sort of XSS attack.

~~~
karlding
There isn't any steganography (at least for the flag that I found). They have
a bot that actually "reads" your post, which you can verify for yourself. This
is alluded to in the message that you get when submitting a post:

> Your post was submitted for review. Administator will take a look shortly.

~~~
ehsankia
> which you can verify for yourself

How can you verify? That's where I was stuck; it's hard to test things if
you're not getting any sort of feedback. That message seemed pretty constant.

EDIT: I see, managed to verify it by putting an image on my own webserver and
seeing the log hit. I got a rough idea now, thanks!

EDIT2: Got it :)

------
m_rn
Firefox ext:Canvas blocker crashes on your site.

------
kbumsik
> Eligibility: The Contest is open to individuals who are (1) over the age of
> eighteen (18) at the time of entry; (2) not a resident of Quebec, Cuba,
> Iran, Syria, North Korea, Sudan, or Crimea; [1]

Why is Quebec banned?

[https://buildyourfuture.withgoogle.com/events/ctf/#!?detail-...](https://buildyourfuture.withgoogle.com/events/ctf/#!?detail-content-tabby_activeEl=about)

~~~
archgoon
Stringent local laws with respect to competitions.

[https://www.thebalanceeveryday.com/why-are-so-many-competiti...](https://www.thebalanceeveryday.com/why-are-so-many-competitions-void-in-quebec-896835)

~~~
wcchandler
> Why is Quebec excluded from the CTF? Local laws and regulations make it
> extremely challenging for us to run a competition open to residents of
> Quebec. We are truly sorry about this, and hope to change this in the future
> if possible.

~~~
Theodores
This aspect could be the real hurdle:

"Pay a fee of up to 10% of the sweepstakes' value, depending on who is allowed
to enter."

So they would need to pay Quebec $3K just to have the competition available
there, even if it is a global competition.

It sounds to me that Quebec have got to have some reason for these Quebec
special laws. It has nothing to do with France, there has to be another
reason. Does anyone have any ideas?

~~~
zaptheimpaler
Almost everything in Canada, every ad, promotion, service has some kind of
special section for Quebec.

They insist on having completely different laws for every little thing. From a
company's POV, it's probably as legally onerous as operating in a different
country altogether - not worth it.

~~~
dmurray
> From a company's POV, it's probably as legally onerous as operating in a
> different country altogether - not worth it

It's much worse than that. Google didn't research the sweepstakes laws in,
say, Paraguay or the Gambia before making this announcement. They figure that,
in the worst case, their legal department will tell them not to award the
prize if the winner comes from a country where they can't legally award it,
and they'll scramble the necessary PR people if that comes to pass.

For Quebec, on the other hand, they'll be forbidden from carrying on business
in all of Canada if they advertise this competition as one that can be won in
Quebec. A terrible chilling effect - and I say this as someone who universally
favours the freedom and self-determination of small nations such as Quebec.

------
dmix
> Q: I got an error: PERMISSION_DENIED: Permission denied.

> A: Try picking a different team name, the team name you inserted is already
> taken.

A: How to tell your software was built by security people.

~~~
paulryanrogers
I would think it's more secure if it didn't leak which were taken. For
example, "Name invalid or already taken, please try another"

~~~
saagarjha
There’s literally a scoreboard with a list of teams…

------
umutisik
Acronyms suck

~~~
saagarjha
"Capture the Flag" is pretty long if you use it frequently, though.

------
jedberg
> Q: I got an error: This browser is not supported or 3rd party cookies and
> data may be disabled.

> A: Enable 3rd party cookies.

Come on Google, why do you require third party cookies for a competition
amongst the most privacy conscious people on the planet?

------
tambourine_man
I’m always amazed how a company that creates the world’s most popular mobile
OS and web browser is unable to code a decent mobile webpage.

Scrolling this page is sufferable, anchor links don’t work well, etc. Basic
stuff.

Look no further than G Suite, Google Cloud for more examples.

~~~
thanhhaimai
I have heard of this argument often, and I don't quite understand it. It's
similar to saying "I'm always amazed at how a country that has the most number
of Nobel prize winners has some citizens that can't do calculus"

The people that work on Android and Chrome are not the people who work on
websites. It's okay to say the website doesn't meet your expectations, but
it's better to recognize that those are different projects worked on by
different people with different sets of requirements and resources.

~~~
tambourine_man
Companies are not countries. People are hired in the first and born in the
second.

Companies should be concerned when their actions don't match the narrative
they are trying to sell about themselves. If the Mobile Web is important to
Google (and it should be), it must be a company wide effort. The “that's not
my department” excuse doesn't cut it.

~~~
saagarjha
"I'm always amazed at how a college that has the most number of Nobel prize
winners has some professors that can't do calculus"

~~~
tambourine_man
That's a better analogy.

Still, colleges are usually much more eclectic than companies. Even MIT,
usually known for STEM, has one kick ass humanities department.

------
ACow_Adonis
I notice they're continuing the proud silicon valley start-up tradition of
building a website that doesn't actually tell you what Google CTF is :P

Even when I click on the beginner's quest, I've got paths, flags, endings,
challenges...

...but nothing to tell me what the hell the thing actually IS!

~~~
saagarjha
It’s in the link at the bottom of the “What is the Google CTF?” section.

~~~
ACow_Adonis
Ah, I actually followed that link trying to find out. All I see on my browser
is a bit of text with a big blue button that says "will you capture the
flag?", which isn't really helpful, which takes me back to... the original
website.

Now on the one hand I'd say, ok, it's not Google's responsibility to try to
have websites/non-standard browser config setups actually work with their
web pages...

On the other hand, I'm sure the kind of security people Google is looking for
all surf the web with standard browser configs and permissions enabled...

And as the other commenter has pointed out, I know it's radical of me, but I
would have thought the "What is the Google CTF" section should contain text
which answers "What is the Google CTF".

~~~
saagarjha
Scroll down

~~~
ACow_Adonis
I did. It's not a big page. There's nothing there.

Now I'm not a (total) idiot, obviously I can debug it if I have to (and if
other people are telling me "there's stuff there, you just can't see it").

If I open it in Chrome with extensions turned off or a default mobile browser,
stuff now appears, so yeah, it's got to do with script permissions and the
like.

But again, why not just include actual text in the "what is Google CTF"
section that answers "what is Google CTF?", and/or in the beginner's section
that explains what's going on, and of all the groups of people you'd build
your webpage for, are security people the ones that you want a website that
breaks if they block your default scripts/permissions?

~~~
ackbar03
If you're having this much of an issue figuring out what a CTF is, it's probably
not for you. Google's CTF is pretty damn hard.

~~~
r-w
If their goal was to minimize participation and competition, then they
certainly succeeded. I don’t think being unfamiliar with something should ever
be outright disqualifying.

~~~
fyrabanks
If I were holding a competition for bakers, I wouldn't feel obligated to
include a paragraph explaining what a "bake-off" is. I knew what a CTF was
years before I knew enough to compete in one; it's a central part of hacker
culture going back to the mid-90s.

Every puzzle here places you in a different unfamiliar situation. The only
"outright disqualifying" thing is whether you can figure out something on your
own. You essentially failed the first test.

