The last Stripe CTF was amazing, I managed to be one of the first hundred or so to get to the last stage but got utterly stumped by it. The solution involved tracking the incrementing port numbers of a Linux server as a kind of side-channel attack to brute-force a password if I remember correctly - a very interesting puzzle.
The whole thing was very fun, I highly recommend anyone interested in security to give it a go. The XSS challenges were also cool: they ran a headless webkit browser to emulate a user so your XSS code actually did something.
The last Stripe CTF literally changed my life. I've always been interested in security but didn't have the confidence and honestly thought I didn't have what it takes to be successful in the field. I decided to try the CTF anyway just for fun and was able to finish everything, much to my surprise. I had read about SHA-1 padding when it affected Flickr so I knew just what to do on the level that involved SHA-1 padding, which I thought was the hardest.
When I came to HN and saw a lot of people I admire talking about how hard it was, especially daeken [1], I remember thinking something along the lines of "well, I thought it was hard but not that hard", and decided to try to find a few security bugs in open source software... Best thing I ever did... In just a few weeks I found some nice bugs on both Drupal and WordPress, got the first CVE credited to myself, and then I started to have fun (and some profit) with the various bug bounty programs around the web, most notably those run by Google (I'm currently 0x05 overall) [2] and Facebook (7th) [3].
After a year doing security work on the side I was able to quit my day job last August and now I make my living basically as a security consultant and also as a "bounty hunter". I also got multiple job offers from US companies (I currently live in Brazil).
And all of this happened only because the Stripe CTF gave me the confidence to actually follow my dreams. Oh, and I still don't know if I have what it takes to be really successful in the field, but frankly security bugs are everywhere so I go ahead and keep on finding them. I'm learning a lot every single day and the mean time between bugs is getting lower and lower, which is great. So thank you Stripe. Thank you very much.
Shameless plug: BTW, I'm in the committee for the W2SP conference, so if anyone has some interesting discovery to share, please submit a paper.
Yeah, I definitely had fun as well, although my week dictated that I was in the ~600s for finishing level 8. I might try to put a little more time in up front for a higher finish this time.
The last level involved compromising one of the earlier servers IIRC because the password DBs only responded in-network. The "Password Database" was chunked amongst a few servers, requiring an increase in the port number on the response due to a waterfall-type password check (i.e., if chunk 1 is correct, go hit the chunk 2 server and check). You also had to re-check your chunks because other people's requests were making the port increase as well. I had a huge rush when my script finally stopped and my "password" showed up on screen.
Definitely looking forward to one based in distributed systems as I've been researching that sort of stuff over the last year and such.
I enjoyed the most recent one so much that I went back and did the first one and enjoyed it even more. They have images available for it here [0] if you're interested!
Thanks for the kind words! As a note, this CTF is going to be a different angle — rather than being about security, this will focus on distributed systems engineering.
Is there any way to replay these old events, like via AWS AMIs or something? I missed them and see some solution code / slides but I'd love to still try and figure these out on my own if possible.
We have images for the first CTF: https://stripe.com/blog/capture-the-flag-wrap-up. The second CTF had a more complicated architecture, which we never ended up packaging. It's possible we'll get to it at some point (alternatively, if anyone is potentially interested in packaging it, feel free to ping me — I'm gdb@stripe.com).
I also loved the last CTF. I got to the last level but by the time I'd worked out how to attack it port numbers seemed to be jumping all over the place. I figured that it was just that too many people were hammering it. Had a solution that worked locally, and I was pretty happy to have gotten that far. Really looking forward to the next round - especially now that I work for myself and can dedicate the day to it :)
If I remember correctly, I got around the jitter by pipelining the HTTP requests - i.e., shove several HTTP requests down a TCP connection without waiting for the responses. This made it far more likely that the server would execute your requests contiguously without anyone else's being serviced in between.
Can confirm. They had code to lock the server to you and guarantee you got consecutive ports, but SSL handshake time on your HTTPS requests meant you wouldn't keep the lock for very long.
I started brute forcing before the jitter was very bad but only got one chunk in with my Python script.
I rewrote my solution in Go (which does http pipelining) and I could solve a whole password in about 4 minutes even during the peak time during the day when everyone was trying.
My Go solution could reliably get 10-20 valid port numbers in a row during peak times, and only jittered for 3 port numbers or so.
(I started my last block at about the same time as Eevee, but it ended up being 8044 so I had to settle for 21st place)
Wish I'd known that at the time :) I hit the last level when only 200 or so people had finished (I think, from memory) but I gave up on the jitter front. I don't have much experience with the lower-level networking side and I ran out of time to dedicate to it. Having said that, I learnt a load along the way. Really looking forward to the next round.
I had little to no experience in the last CTF and managed to progress through roughly half the stages from memory. You can research as you go, and it's all good fun.
That's really interesting. They might use Bitcoin somewhere in the backend to move funds around. If it's cheaper and faster to route everything through Bitcoin than exchanging currencies and dealing with bank transfers, it might be a good solution.
Very interested to see how this is structured and how it is going to work - it sounds like this time around it is less about the competition piece, but still leaves the opportunity for those who want to test their skills against others to do so. Any way you slice it, it will be great to see what they've put together.
The last CTF was super fun. I have been waiting for this announcement, and am happy to see it will be a whole new kind of game. I am sure it will be great given the high production values of the last one.
Looking forward to this and curious how it's going to be structured (writing clever state machines?). The last one was amazing (nice American Apparel t-shirt too :-)!).
I love that Stripe puts together these competitions. I still wear my shirt from the first CTF proudly :) I wish I had more free time to participate again...
Can you please show me the page that the "distributed systems" part is about? What I found is the "distributed search" page, which is restricted to a certain type of document indexing algorithm. If this is all the competition is about, please don't mislead users that it is about "distributed systems".
Nope, none planned. (We don't have any engineers based there.) I'd be open to a community-organized event if someone's excited about hosting though — ping me at gdb@stripe.com.
Absolutely -- though experience will definitely help you if you want to compete, we've tried to make the levels educational too. There'll be plenty of pointers and hints, and there will be lots of people around IRC. There are also IRL meetups if you're around SF, Boston, or London.
Why is the valley crowd treating distributed systems engineering like it's a new fad? And why are they only using tech made in the past 5 years? The field has been around for four decades, yet they focus on only a couple algorithms and models?
> Why is the valley crowd treating distributed systems engineering like it's a new fad?
There's certainly been a lot more interest lately in building distributed systems, and in certain models mostly related to databases. I think a lot of this has been pushed by a few companies with an interest in either pushing these fields forward or being known as experts. A good example might be Basho, who've generated a lot of buzz around the Ricon conferences and the Think Distributed podcast.
To be clear, I think this is a good thing. I personally think distributed systems are a really interesting topic, and a big swell in interest generates discussion and lots of interesting reading material. :) Granted it also generates a lot of faddishness and crap, but that's the price of any kind of wide interest in a topic.
And really, while there's some crap out there, a lot of it's actually really good. I've been enjoying aphyr's recent blogging about Jepsen, a lot of the recorded talks from Ricon West were really interesting, and there's been some good discussion on Twitter and lobste.rs related to these topics.
So sure, the valley might be treating this like a fad. They also do that with *.js and obscure editor plugins. :) But in this case I think that's not a bad thing.
Do you get negative points so that the font color is light grey?
Is that because your words are a little bit challenging?
I'm with you. Distributed computing is not new, and it's certainly not only about a couple of algorithms. But it looks like folks here are only familiar with the algorithms, such as those used by Google.
Actually, distributed computing means a lot more than that. I'm going to write a blog post about that, but it's not quite ready yet.