Hacking Competition in Zhengzhou China – Real World CTF Finals 2018

While I was in Las Vegas for the DEF CON CTF,
niklas from eat sleep pwn repeat asked me about the Real World CTF Qualification but
I had no clue. Apparently my team qualified for the finals,
and I didn’t even know. You can see we are well organized. This Real World CTF seemed a bit weird, it
kinda came out of nowhere, it promised 100.000 dollars for the first place in the finals,
but the price was also in USDT, a crypto currency which is basically bound to the US dollar. It was a Chinese CTF by this company Chaitin
Tech. But the challenges were actually really cool,
and they were based on real world applications. Most notable was probably the P90_RUSH_B challenge
where a CS:GO map parsing bug had to be exploited. So for a while it was unclear if the finals
will still happen as we didn’t hear much about it anymore. But then suddenly we got the invitation to
come to Zhengzhou, china to participate in the Real World CTF Finals 2018 on the 1. and
2. December. We booked our flight, got our visas and had
no idea what to expect. Our team met up in Frankfurt Germany to fly
together to Hong Kong and then continue to Zhengzhou. On the first flight one team-mate figured
out a crazy combination of steps to crash the inflight system which is based on android. It leads to crashing the QT5PacLauncher. Screen goes black. And eventually it restarts. On iMacs at the HongKong airport where you
can surf the internet. You are supposed to only use this tool here. But again a team-mate found a way to escape
the program and gain access to the underlaying operating system. You can tell I was traveling with hackers. Anyway… we arrived later in the day in Zhengzhou
and unfortunately the weather was not great. Organizers actually warned us of the air quality. While it looked kinda sad and grey during
the day. The fog or the pollution(?) looked actually
really awesome at night. It really had a cyberpunk flair. We were staying in this huuge skyscraper hotel
on floor 40-something next to a lake and a convention center where the CTF was going
to be. So once we got settled we decided to walked
around and see some stuff. And we couldn’t believe our eyes. There were these big posters about the Real
World CTF and pointing into the direction where it would be. Oh wow this seemed a bit more serious than
we thought it would be. We walked a bit further and then we saw this. At the convention building there was a HUUUGE
banner with Real World CTF and all the team names. And a crazy looking entrance. What is going on?? What is this crazy event? Because I only had a crappy phone, here are
some pics from the next day. This is crazy…. There is our name! This is NOT what we expected. Who the f’ would be watching us? This is just a CTF! We are not like esport fun to watch? So the next day was the start of the CTF and
this was the first time we walked into the CTF area.WHAT THE F’ IS THIS!?Well… yeah… so this looked crazy. Each team had a cool table with our team names
and logos on it. We felt not at all prepared for this level
of professionalism. You would think we would prepare A LOT for
the huge prices,… but be real…. We have NO CHANCE against these other teams,
we were just here to have fun. But if there is a next time I will still prepare
more. This is insane. Around the CTF areas a few sponsors had setup
some marketing booths, like Pangu Team, Qihoo 360 and many more. But I never interacted with them. So we had about 1h to setup before the CTF
starts and after we resolved all our networking issues we were waiting for it to start. Countdown. 19 minutes. The CTF would go for two days. 1. And 2. Of december. And
Also the rules of the CTF were introduced to us. It’s a jeopardy style ctf, so very typical,
but several challenges required demoing it on stage. For example there was a challenge called station
escape where you were given a minimally modified vmware binary, they patched something in it
to introduce a vulnerability, and then you had to exploit it and pop the calculator on
the stage. For example here RPISEC exploited the host
and executed the calculator. And got FIRST BLOOD. There was some browser exploitation, some
web challenges, even doing some car hacking on stage. Oh and each team got a camera as well as a
router and both of them were challenges. You had to hack into the router and you also
had to find a way to access and control the camera without authentication. So there were really cool challenges. If you want to know what I did during the
CTF, well I can tell you I didn’t solve anything. Infact I spent BOTH DAYS. INCLUDING THE NIGHT TIME on the blockchain
challenge Acoraida Monica. I have done quite a bit of smart contract
stuff this year and I thought: “F’ YEAH! This is my challenge. No problemo. Ezy pointz”… gosh was I wrong. This challenge was crazy hard. And I did make progress. Slow. But progress. And thus I never gave up. Of course in retrospect I should have spent
my time on something else for points, but I actually learned SOOO much more about ethereum
smart contract internals. It was so useful to me. I’m so blown away by this challenge and
I definitely want to make a video talking about. However our team did solve a challenge. And that was the router. They were actually rushing it. Because demos on stage take time and the end
of the CTF was nearing each team had to register for a spot for demoing it. So we registered without having a working
exploit. And literally 5 minutes before the end the
exploit worked, a super quick test run was done to see if it works, and they rushed onto
the stage. With 3 minutes left on the clock, team ALLES! Was the last team to win a flag. Our only flag. But we were so damn proud. Overall the CTF was super hard. We were 5 people and I was sucked into a single
challenge, so kinda only 4 people. Other teams, especially the ones that were
in the top had actually more people helping offsite, over the internet, which is totally
fine and allowed. Our team just doesn’t have that many dedicated
players. So I feel like this CTF would have been perfect
for a team of like 8-10 people. I think that would have been sweet spot. 5 was too low, and 20 or so would too much. On average 1 day per challenge would have
been nice. Oh and just in case you wonder, solving a
single challenge was still pretty good. The final scorebored looked like this. Actually a team asked me to censor their cero
points because they felt so embarassed, so I hide it here. But they shouldn’t be embarassed. It was a really hard CTF and everybody should
be proud to even have qualified. While the stage and light effects and demos
was awesome, it was a bit of a bummer that almost nobody celebrated it. Very rarely people would clap or cheer for
successful popped calcs on stage. LCBC was probably the happiest on stage for
pwning a challenge. But with every demo we saw I was hoping that
the room would burst out into claps and cheers. So this is a call to my fellow CTFers, comeon! Let’s celebrate this awesome hacks more. Let us show people that this awesome! One other thing I’d like to mention was
how weird it was to have all those guards there. And at the entrance there were x-ray machines
for the bags and pat down. I don’t know if these guards were police
or just security, but there were not just a few at the entrance, they were standing
just meters apart, and they were standing there for HOURS, I felt so bad for them. That must have been sooo boring. There was even a large group patrolling with
riot shields and sticks and stuff every few hours or so. I think they were supposed to protect us and
make us feel safe and make sure nothing bad happens, but to be honest, I felt more threatened
by it. It was really weird. One other interesting cultural observation
I had was smoking. So apparently smoking was banned inside of
places or so just a few years ago, but people just kinda ignore it. Or well… they hide. In the toilet. So everytime you go to the bathroom there
are people and employees just hanging out and smoking. I’m somebody who really likes a clean, quiet,
empty bathroom, this was a bit irritating. Other than that nothing weird happened. Everybody was super nice to us and we were
put in a nice hotel, and breakfast was awesome, they even apologized constantly when small
things went not quite right and the organizers in general made us feel very welcome. It was a really well organized and great event. Kudos for that. On the day after the CTF, when the winner
was clear there was a small conference with an award ceremony. This is where we got a small glimpse into
day-to-day chinese politics. They even had live translators for us. I don’t remember who exactly spoke, but
there were several important people there and I think it was like the mayor and some
misters or so, just talking about the importance of security, and that the government has to
invest more into this, and support IT security education and this Real World CTF was part
of this. This was a competition in IT security on a
high level, in order to motivate young people to go into this field and also position China
as being cutting-edge in IT security. Or actually it was less about China as a whole
and more about the region itself, you know China is huuuge and they were often just talking
about the Henan province which has even a bigger population than Germany. And the city Zhengzouh where we were, is almost
3 times bigger than german’s capital city Berlin. So of course for local politicians it’s
more about positioning Zhengzouh as a hub for IT companies. This is where talent is, and where the REAL
WORLD CTF Finals happened. They want their economy to prosper. So of course this is all about marketing and
economics, but it was just really fascinating to not just hear about global political news,
but to get a small glimpse into this day-to-day boring local politics. And the marketing was really crazy. After the CTF they even got multiple pages
in a local newspaper ready for the next day. And so thanks china. Now I have to own a picture of Trump in order
to keep this piece of memory of the Real World CTF. I used google translate on my phone to read
some lines in the newspaper, but it was a bit rough. “The Most powerful brain idle sports network
offensive and defensive surgery”. We also got some stickers which of course
have to go onto my laptop. And we got this metal challenge coin. You can tell I had a lot of fun there and
I was so glad that I went. I’m really looking forward to next year
and hope we can qualify again. Thanks also to my team-mates, I really enjoyed
traveling and playing with you and congratulations to LC:BC, 217 and ESPR for rocking this CTF. And nice to meet so many new people and see
familiar faces again.

Maurice Vega

100 Responses

  1. Hey LiveOverflow, I've been in china for a while and speak the language and blah blah blah so maybe I can shed some light on things 🙂
    – Lots of branding/big convention center: Space in tier 2-3 cities is cheap, signage/lights is cheaply manufactured because it's all produced nearby, and labor is super cheap. And internet companies make toooons of money… Chaitin helps protects many top websites like the top banks, chinese uber (didi), huawei, etc. Plus the local branch of the CCP will fund a lot of it.
    – Little Celebration/clapping: Chinese people usually don't really clap or get too excited, including concerts and stuff. It's just how they are.
    – Security: The xray stuff is normal entering convention centers, subways, etc. All the guards with the "河南华威" uniforms standing around are private security employed by the company or government and are actually really cheap — think mall cops with riot gear. Because the company or zhengzhou government wants to show off their strength and project authority, they rent a ton of guards.
    – Position Zhengzhou as a hub: You're 100% right, I've been to similar things where districts of shanghai or random cities are flying out foreigners to have the same thing, trying to legitimize their local government or branch of the CCP. One of the headlines on page AA03 of that paper is “国际郑”举办高规格网络安全大赛 — Saying that "International Zhengzhou" Holds a High Tech Security Competition. These guys have too much money!!
    – Learn to pronounce Zhengzhou — it's "Jung Joe" — 'Ju' as in 'Just', and Joe as the name. Had to sneak a snide one in 🙂

     BTW here's a link to the paper he got: http://zzwb.zynews.cn/html/2018-12/03/node_102.htm, report is page AA03-AA05

    The paper also explains that a lot of the people that created the questions came from 蓝莲花战队 – Blue Lotus Team. They're a famous security research team from Tsinghua University in Beijing!

    Hope you had some delicious chinese food while you were there, and keep up the fantastic videos!

  2. A final qual é o prêmio para 1° lugar. Tenho 48 anos mas sou esquizofrênico. ❤️ Essa Área It.

  3. I want to become. I want to learn more about hacking and stuff and someday i want to compete with you in CTF . we will dominate that competition

  4. Hey this is unrelated to the video but I was playing with dotpeek and an application apparently made for exam simulations and I found a string that looks like this:
    (It's actually longer than this)
    I tried searching it but I still don't know what it is, at first I thought it was hex but I don't know how to convert it, it was labeled as VM password.

  5. They aren’t hiding the smoke in the toilets; it’s actually legal to smoke cigarettes in the restroom! It was a compromise for banning smoking inside of public areas.

    You are still not allowed to smoke in toilets of schools and hospitals, just a humorous cultural difference.

  6. I'd be more upset with owning a picture of the leader of an oppressive regime, but I guess crassness is more offensive than human rights abuse.

  7. 7:13 i see that r3kapig team win nearly every ctf from ctftime.org. basln, nasa rejects, dragon sector always score high and takes the cake.

  8. Trump is the man, dude.
    They respect him in China. He may seem like a brash idiot to you, but from the outside he is an unpredictable, unafraid threat who isn't embarrassed to fight for his country's interests.

  9. Could you recomend an archived ctf, where I as an beginner could train to solve challenges? I am an computer science student. Me and some friends want to train solving challenges. We tried the Pwnyiland ctf and failed miserably. We only solved some parts with the help of LiveOverflow's videos.

    Hi, nochmal auf deutsch: ich bin Informatik Student. Ein paar Kommilitonen und ich wollen anfangen mit CTF spielen. Kann jemand eine alte ctf empfehlen, wo materialien und Aufgaben noch online sind? Wir haben uns an der Pwnyiland ctf versucht, aber nichts ohne die videos von LiveOverflow auf die Reihe bekommen. Also wollten wir bei was einfacherem anfangen.

  10. I have been married to my husband for two years with no idea he was cheating. Suddenly i started noticing changes in his behavior, It seemed as though my life was spinning out of control getting to find out he has someone else. I confided in a friend who convinced and introduce me to a hacker [email protected] he was able to hack into my husband mobile phone. I was able to have access to his instagram,whatsapp,text messages etc. You can also send him a whatsapp messages +1 937-815-1491.

  11. In China and Japan it normal to not celebrate. Watch a pride fight or something from there. It's normal.

  12. China invited you so they can steal your hacking capabilities. My god is the world completely blind to their theft of IP????

  13. i would love to be part of the ctf finals one day. ive been trying to teach myself pen testing and hacking for the last 3 years mainly on kali. but as of like 2 months ago im taking it quite seriously. im still 16 so that means i have a bit more free time to do this in which helps a lot at least. where did you start?

  14. All they are doing is getting u to build exploits for things they need than they steal the exploit from u and use it on other countries

    Trump 2020😁

  15. I just watched the chinese series about ctf competition and got super curious. So i searched and found your vids. I’m just amazed at how you guys do these stuffs. 💪🏻

  16. Came here cause I'm watching the cdrama called go go squid. I want to know if this ctf thing is a real thing. 😅

  17. I'm a Chinese and i'm more entertained by this vid than educated. To be honest the level of security you saw in the venue was commonplace as the organizer probably put a lot of money and propaganda into it so they don't want to fuck up, and in almost any city's metro systems you and your baggage will be separately scanned for dangerous items so their practice is just an extension to that.
    PS: that CSGO P90 rush b thing got me ROFL

  18. oh BTW in about a month, the biggest event in CSGO is taking place in Mercedes-Benz Arena in Berlin. Hope you take some time to check it out!!

  19. A thing about the guards, they are everywhere in china, if you think airport security is overkill china has a similar level of security for entering any train station. They are not true official police but do work for the government usually, like every time you walk into any public space in china you have to get your bags xrayed and cloths patted down. It gets quiet annoying in big cities since lines can get formed at the entrances to subway stations at rush hour

  20. Teather is a currency created by the chinese government and they have a lot of control over it (just like USA and Israel have over zcash). So far it has followed the USD quite well but you can't tell if that's going to stay for very long.

  21. For those who don’t read Chinese, the convention name is “World strongest international CTF war group convention”. So the top hacker probably not normal hackers, and they probably have their name listed in China government watch…

  22. These guards were just outsourced security guards, likely employed by either building or event management. The emphasis on this CTF competition really shows where China is focused on for the future. Province of Henan, particularly its capital city Zhengzhou, is being positioned as a logistics centre for China due to its strategic location (centrally located, away from oceans or borders). This city is also very rich in history and culture. Awesome video, I enjoyed watching it from Canada. Hope that your team had many yummy pasta dishes in Henan!


Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment