The handbag of Cryptax
Write-ups Publications Tags About
The handbag of Cryptax

Contents

BruCON 2023 CTF Overview

   387 words   2 minutes 
Contents

BruCON 2023 CTF

Many challenges, many flags in this CTF.

/images/brucon2023-ctf.png

Our team happily ranked 6th / 64.

/images/brucon2023-scoreboard.png

Positive aspects:

  • It is really interesting to have a full document with network and architecture diagrams of what looks like a real beer brewery. It makes the challenges feel real and I appreciated the time the organizers took to prepare such a scenario
  • I enjoyed the PLC challenges where we used and hacked into real PLCs. We don’t have PLC-related challenges very often in CTFs (because it’s difficult to set up) and I found that lovely.
  • I was a bit reluctant on the CTI architecture challenges where we had to go and explain our solution to organizers to get the flag. I wasn’t at ease with that at the beginning, but in the end, (1) organizers weren’t trying to trap us and would give flags quite freely if they had heard more or less what they wanted, and (2) it helped work on challenges that were real. Working on paper, diagrams etc is also part of the job sometimes, so it’s a good idea.
  • Several challenges were very easy giving everybody the opportunity to flag at least a couple of times.

Negative aspects:

  • There were perhaps too many of those very very very easy challenges.
  • We need a flag format, and the flag format must be used for every challenge. We don’t want to have to guess “is that the flag they are waiting for, or should I find something more?”.
  • Some descriptions were misleading, like the PLC challenges were requesting an UUID as flag… but error it wasn’t a UUID.
  • Too many points were attributed to the CTI Architecture challenges IMHO. The issue is that the borders of each challenge in that section weren’t well defined. For instance, if you find an issue with RDP, you don’t know if that’s the first issue, the second or the third. Fortunately, organizers were cool on that.
  • There were too many “unconventional” challenges (CTI, CTI Architecture) and not enough “standard” challenges in contrast. I did appreciate the unconventional ones though, just perhaps the ratio was a bit too much.
  • Do not create challenges where the same solution can be applied to different challenges like DNS 1 and DNS 2, or Web 1 and Web 2. I believe this is a testing issue.
Updated on 2023-09-30
 BruconCTF2023
Back | Home