How Hacking Actually Looks Like - ALLES! CTF Team in Real Time

Captions
if you follow my channel you know that i have been playing the google ctf 2020. this year our team actually placed very well and so we were invited into kind of like the google ctf finals it was like an inofficial finals it was more like an experiment and it was really really awesome it was called accelerate accelerate was a very different kind of ctf competition because it was actually done in rounds where four teams would compete against each other within a 90-minute window so it was not a ctf that would go like the whole day or even like multiple days only roughly like 19 minutes long and the ctf was a game that had to be hacked it was a jump and run game the other special thing about it was that each team had to live stream one machine from them during the ctf and try to do as much of the solving as possible on that machine and then zetta 2 who you might know from the pony races which is multiple hackers competing and racing against each other and solving a challenge he was creating commentary for it so at the time of releasing my video google might have already released the commentary versions on their channel if so you can find it in the description below because we were forced to share our screen we actually had a setup within our team where we all streamed our screen to a central machine and that central machine was then switching between interesting people to show to google at that point which means i have recording from almost the whole alice ctf team competing in accelerate and i think this is very unique insight into how a ctf team plays together i could make a typical video write up to tell you how certain challenges were solved but i think as a change for this one i actually just shared in its entirety so you can see exactly like how fast and slow people solve certain stuff and what we were doing so this is probably kind of boring but i will add some commentary and give you context and explain what is happening and maybe you can put it up like in the 
background while you play some games or whatever and look it on the side i don't think that this video is particularly interesting to a lot of people but i think there are some people out there that just cannot imagine how playing a ctf can really look like in real time and for those maybe this video is exactly what they were looking for [Music] but before we jump into the actual competition i need to tell you about our preparations the competition was for us on a sunday and not even one week before that i believe on monday or that tuesday we received a test game so we can already explore a little bit like the game's capabilities and with those files we could already prepare a lot and think about strategies i have to admit that i was not very involved in those preparations but others from our team went in sane they completely over engineered the whole thing so let me show you the example game that we got and what our team has developed within not even a week to be ready for the competition here's the demo game we received and you can see it's running in the browser now the version you are seeing right now here is already heavily modified by us we were playing around with the source code of the game which is obviously written in javascript so you can also modify it and on top of that we build tools the first important tool that we have is a websocket proxy because the game is communicating using web sockets with the server and we wanted to have a custom proxy so we could much more directly and automatically interact with the game's traffic and potentially like modify it and get more insight into it on top of that a back end was built that you can see here it's the alice accelerate tool and what's notable you can see in the top left which is basically the game view the map that you also see in the actual game to the right and then you can see the current coordinates three challenges that are part of this demo and then you can also see the three test challenge 
terminals up here so the thing is the game could only be played by one person who is playing in the browser you can't have concurrent connections and this is where then the left interface comes into play basically one person is playing the game in the browser using the proxy and everything and then the rest of the team at alice can use the tool that you can see on the left and that is a live sync so when you walk around in the game because obviously proxy sees all messages we can capture everything exactly where the player is currently and so everybody in the team can watch and see what the person is doing and now it gets really crazy so here you can see how the player activated an overlay that shows some information about the game objects that are currently in the scene again this was all done by modifying the actual javascript client of this game another player is approaching a terminal and basically all the challenges are implemented in these terminals and when we interact with it we see a terminal output now this terminal output is binary data and it even says here here's some binary data figured out and the idea is here just to make sure to test that you can actually like read and interact with binary data that is being sent over in the websocket for this terminal and this is where the collaboration tool on the left comes in the tool can automatically tell that you interacted with this terminal and it will show the text that was being output in the web app and you can also see that it automatically created like a hex view of it because it was binary data and this way now all the other players in our team could help solve this challenge so the player actually controlling the game doesn't really have to do it now we in our collaboration tool could actually now work on this challenge now the player jumps up here and this is quite a bit of tricky jumps but also here was another hack implemented and it's called auto jump which can be enabled just by holding shift 
and basically what that would do is it just jumps at the latest possible moment on the edge and this way you can very easily and precisely pixel perfect jump up at the right moment to reach all the jumps and now when we walk further you can also see that the collision map is turned on in red which shows you what exactly has collision on this map which reveals that there's like a hidden pathway through this black area here to reach this other terminal and when we reach the terminal you can see the web app automatically updating again showing the challenge detail and you can now even like send commands using the web interface to solve the challenge and sending the correct binary data gives you the flag which you can now hand in but if you paid attention the proxy automatically detected that there is a flag that arrived in this terminal and automatically placed it here in this left form you can now see that the status color changed from red to yellow which means we have a flag here and if you pay no attention to when we reach the flag control input this is where we enter the flag the web interface and the tools that we build automatically detect that you are at the flag control and then automatically hands in the flag that was submitted here this is all the idea of saving time that automatically the flags are detected stored over there and once we reach the flag control pc we actually uh just automatically solve it now you probably also have wondered what these blue and green lines are these again are also other overlays especially the blue one is teleport location so you can see that from a portal it like goes somewhere it just shows you where things go the green block is actually a respawn point and you respawn here when you die in a certain area and the areas are divided by these green lines so if you die somewhere here on the left you will respawn here and if you die somewhere on the right you'll respond here this is also very important because there might be some 
tricks where you have to strategically die in a certain space to respawn somewhere else or so forth that's why we also drew this in the overlay to very quickly see where the areas are to respawn in a certain place you can also see here how the player can actually zoom out and zoom around the map this is not built into the game again this was achieved by modifying the game source to be able to do that and now pay attention in the bottom right corner it says here accept external routes and this is another killer feature of the tools that we build the feature allows basically to create routes that the player then automatically like runs and jumps to and you can actually create these routes in the editor on the left in the web interface here's how the editor looks like in the web app so you can load the same map and then you basically place down nodes and when the player reaches that certain node it changes which button is pressed if somebody from us creates a route we can send them to the player on the right and you can see it here accept external route and if they now press enter then the route will be loaded into the scene and this is how the route looks like you can see all the different jumps and different actions that a player would do reaching a certain node and so forth it's kind of simple but very powerful tool to be able to pre-program routes and automatically jump areas we created this because we were thinking there might be areas that are very difficult to jump and we wanted to make sure that we could like easily like solve it once and then then we are good there's also a speed tag feature that we found which we thought might be interesting obviously because we are racing against other teams and we want to be the fastest these are basically all the tools and hacks that we build there are a few other small things but that's basically the essence of it and i leave you now with a quick speed run through the demo game which basically solves the whole game 
automatically with the route feature again on the left you can see the web interface that all we other players are seeing which is automatically synced from the actual game and on the right you can see the actual game being automatically played through our routing tool and that's basically all the tools we had and our strategy is when we received the actual real game is to quickly apply the patches and hope that the game client didn't change too much so that we could easily put in the hacks that we already built and then we also have to get the proxy running and the website up and running to have this collaborative web application so now you know our setup this is what we are going into the competition completely over engineered completely insane i'm like blown away by the dedication of this team insane multiple people spent easy like 50 or 70 hours on developing this but even regardless of how much time they spent on this it's insane how fast they were able to like come up with stuff like this writing their own websocket proxy building a whole platform for collaboration of the terminals editors for route planning and automated jumping and then a couple of other like game related attacks and analysis stuff just incredible but now it's sunday and the competition is about to start in just a moment we will receive the game files so we have a period where we can prepare and analyze and get our setup going and then the game actually opens and then the real race starts now we are just moments away from receiving the files ginwell is typing and we are all anticipating the map files bear strip map colon but where are they given my voice where are they send them come on send them what's happening question mark dun dun dun dun dun and here we finally got them immediately we notified each other on discord that the files are there and we download them have a look at flow i think he is like the fastest here he's downloading the file the map file and saves it in a certain 
location and the first strategy is to get an editor to look at the map up and running tiled is an editor for map files for 2d map files like this and we knew already from the demo files that tiled can be used to open the map and you can immediately obviously see like different sections of the game map files and you can look at the different objects of course the first thing we do is just get a little bit of an overview i mean it's basically just looking around and looking at the different sections and a bit getting a feeling for what this map is like it's a little bit chaotic there's not really a plan to look at this and eventually you can also see that flow is looking at individual graphics and different objects maybe to see like special graphics i mean it could be that for example a hidden flag is somewhere in the textures or something right so yeah we start to look at this you can also see that it takes a bit of time for everybody to download the map files and do things with it but you know eventually more and more people will look at it like thomas too just fyi my screen is still black because for some reason i screwed up recording on my part for this early section when the game then actually starts i have the recording but just as a reminder we are now in the first stage where we only get the map and it's not a playable client or anything like that the map is in adjacent format and all the other resources are like typical images you can also now see that flow starts to take notes about different map stuff he's looking at new entities that he has found inside of the map and if you look here at the names it's a cracked wall exploding exploder which already tells us oh maybe there are walls that we can actually destroy we need to figure out like where maybe we can get some of this explosive and where are these cracked doors so we can open them up but we also see like doors and keys so now we know that we need to find keys and and at the doors where they fit to 
just in case it's not quite clear how he does that on the right you can see his terminal where he simply listed the directory of the different graphics that he found and they have certain name and so for example here you can see it's exploding exploder and that's how he looks at new stuff that he hasn't seen before in the meantime you can see cherry warm on the bottom right working on the source code of our collaborative web service now this web service is not really functional yet because we don't really have a game to actually have like updates and everything but if you remember in the introduction video i told you that this collaborative web app also has the map in the top left which means if you can load the map there we can maybe already like prepare routes for example and look at the map with that editor because that editor has a few different features such as you know the the overlays about where teleports are going and where the different sections are for respawn locations and so forth so cherry will make sure that we can launch this new the collaborative tool on on the website so you can already see some of us trying to browse to that site as well but the page is not available yet now you also see maybe that in the top middle the where it says alice the alice logo is missing this is actually the stream that we were sending over to google we kind of forgot uh right at the start to enable it but there we go the server seems up and accessible and now we can start using the web app as well and you can immediately this is awesome we can scroll around the map it looks similar to tile but we have this feature for example of these green lines and tell us where are different regions for respawns but we can't really do much other than now look around the map and the most interesting thing for us is to look at the different respawn regions that you can see divided by the green lines because that is information that you can't see in the tiled editor as i told you in 
the introduction of our tools there might be tricks where you die in a certain region and then respawn somewhere else and that might be necessary to maybe progress so we try to identify maybe places like this but we also generally just get an overview over the different regions that we can find because this game is a bit larger than the demo game that we had and we already like noticed oh this is interesting this looks like maybe a dead end or something and how do we get there it's like so far down there out of the way and so you know we just try to explore these different things and we talk about the different areas that we notice and while looking at the different respawn regions we actually start to notice a very interesting place where you know this trick of dying and respawning in a certain other location can be useful and there is actually a command to like kill yourself at any point so we knew that you know maybe this is actually something that is necessary and we found this cave here all the way at the top where where a small portion belongs to the upper respawn region which means we kind of want to like maybe jump up there and then quickly die to be able to respawn somewhere else on the map and again this is only information that we could very easily and quickly see thanks to this collaborative tool that is rendering those respawn regions you can see everybody is kind of now looking a little bit at this tall vertical tower because it doesn't seem really an easy way to jump on anything at least it doesn't look like it and so we were a bit confused maybe what would be up with this tower like how could we get up there and so maybe it's time to now compare a little bit with tile maybe we can find some information that maybe our own renderer of the map is not really showing and maybe we are missing something in the tilt editor you can also like disable certain layers or enable certain layers so it's easy to find maybe some interesting parts and we can find this 
message high which we thought oh it's a small easter egg i remember at this point that i was really wondering about this area down here in the cave because you can see it has a little bit slightly different color now i don't think that you could actually like necessarily drop down because there was actually a floor with a collision but i was wondering if there are maybe some glitches and bugs with very thin walls where if you maybe like have a high speed or something you could actually glitch through this wall and you can get in the bottom part and maybe that bottom part is like very important for something for me that idea seemed like a really really good idea and i remember like talking about this on discord with the others at in this moment and otherwise there's not too much to say about this part now of the game we only have those game files so we just keep looking around you can see that maybe different players start to look at a few of the resources other players might using tile to look at different objects and different layers and just like you know playing around trying to maybe find something that wasn't like clear before we were also talking a lot about the different areas in general like we were talking about certain interesting structures and maybe what we were expecting there also remember that we found these breakable walls and the explosives so we were thinking oh where could actually explosive walls be located and so maybe thinking a little bit already about the possible routes and if we could like how to get there or which parts we can break and so forth you know just a lot of open questions and we try to think ahead what could actually be thrown at us once once we get the actual live game you're maybe also wondering why we are not being able to find out a lot more about this game and this is because a lot of the actual like game objects especially the interactive ones are actually communicated from the server so it's not actually inside of this 
map file itself so a lot of the interaction stuff we don't really know we can also have a quick look on cherry warm's screen this is nico he's actually looking at our internal wiki where we kind of divided up tasks that have to be done very quickly so it's clear who is responsible for what you see for example that in the first 30 minutes of the game it says here in german that we are getting the game package with the client and server and we need to dump the code immediately into the accelerator pre finals github project and thomas is responsible for that and then localo has to fix the editor which is our collaborative web app tool and then thomas has to apply mod patches to the overlay ripple which is the modified game client to have these overlays and then thomas also has to test the patches and this is all responsible for the game and then in the front end we also have that locator has maybe has to fix the editor so that the game javascript is properly updated cherry warm is responsible for the proxy he has to make sure that the hooks that we have in this proxy to maybe modify and do stuff especially the tick parsing the tick is the updated data that always gets sent between the client and the server which is then used for our collaborative tool to like sync you know where the player is currently at and these shared terminals that i have shown you in the beginning so this is our internal wiki it's obviously like important to have clear tasks assigned to the responsible people so that we are actually very fast so there's no question like who is doing that or who's doing that it's like there's basically a clear game plan that we created beforehand by the way this game was created by gin by ale and bitshift mainly as far as i know and as i explained it was four teams competing against each other and actually in our group we were our team alice paston more smokely chicken and 5bc so we were in an insane round paston is obviously one of the best if not the best team 
in the world and then more smokely chicken is also an incredibly insane team and five bc of course two and so we already thought we have definitely lost um we have no chance against them we kind of felt already uh this is really unfair we are like in in one of the toughest group of the whole competition and really really bad luck somebody else had asked how it could be that we have this team composition and and i think somebody heard that it was randomized and so i asked goonwale like what the heck was going on like what is up with this biased random algorithm and then he told me that it was not really random they looked at the teams and their time zones because obviously the ctf is only running for like roughly 19 minutes so they had to make sure that you know it's at a fair time for all the teams involved it's it would be really unfair if you have like asian teams competing with european or american teams and then in the time zones would be like that it's like in the middle of the night for one of the teams so that wouldn't be really fair so they looked at the time zones and unfortunately we are like in that time zone so my joke response to guinval was then that it's bad to have randomness seated by time ha ha that was a good one right it's really hard to say what we were like doing at this point um not really sure but let's have a quick look here at flow because he's about to look at the json uh map file itself and looking for certain values i'm not sure exactly what he was thinking during this time but you know you can see obviously we were trying all different kinds of ways to like look up certain information and learn more about this new map that we got ah he's looking for cracked so the cracked walls as i mentioned we were like looking for like places where cracked walls could be placed and so we were really wondering like if some of these objects that we are seeing here in the tiled editor are exactly cracked walls that can be removed and exploded and so 
yeah we were kind of just like searching for that here multiple teams were competing in multiple rounds and it was essentially the same game but some of the challenges were different and if i understood it correctly then actually in our round there were actually no cracked walls the usage of explosives and cracked walls was part of another round i think the organizers did that so that the teams couldn't like leak the solutions to certain challenges for the other rounds or it could also accidentally leak and so they wanted to make sure that this wouldn't happen and also this probably makes it more interesting for the viewer because obviously you can watch all the different rounds where the teams are competing against each other and if they have different challenges it's probably more interesting to watch each of the rounds but yeah obviously we didn't know this yet that we don't have correct walls and so we were like looking for that a lot it will later turn out that we actually have like uh doors and controls for these doors but we don't know this yet um you will later see that the control computers where they are located they are actually not here right now because these are like dynamic objects that are then loaded through the server and yeah we don't have that yet okay i was actually just talking a little bit of rubbish because i did go back and check the actual map file that we received when the game actually launched and that map file actually contains these interactive objects such as the door controls and the doors themselves and i just realized again like what we were getting it was a stripped map without all of these objects and maybe i should tell you here a little bit of a story why we were getting the stripped map beforehand and the reason for that was that we were not the first team to compete so there were previous rounds and we were and we all had to stream our screen to the google server and there was a test stream endpoint and what other players or 
other teams didn't realize was that these test stream endpoints were public so you could actually also watch the other teams test streaming and one of our team players was watching the other teams test streaming and he noticed one team streaming a little bit about their internal setup and when they were streaming their own setup he noticed a server that we're using to exchange files and now our team member was a little bit naughty he kept looking at that server and when the game for that team actually started and they were switching over to the real endpoint that requires a password and you can't actually then look at it he noticed that they were using that to exchange the game files so he got access to the game files before all the other teams now when we noticed this we were thinking about how to proceed now because that's a little bit of a icky situation we are now in because basically um i mean it could be considered cheating so we did the only right thing and and we contacted seta 2 and gunwale and told them about what happened and what we decided how to proceed with it basically we decided that the player from us who had access to these game files would not participate in the early part of the competition and would not look at any game files and he would only start jumping in once we all had this initial phase of looking at the game files basically nullifying his potential advantage that he might have gotten because we were honest and direct about this this was also fine by the organizers but the organizers also had a bit of another idea to deal with the situation and what they were thinking was let's actually give out a bare version of the map beforehand because the map is kind of like the biggest adventure you see the map you kind of like know what is already going on now because this was leaked from another team as i mentioned there were also different challenges for the different teams i didn't really know this up until this point yet so i was wondering 
why they would hand out this map file beforehand, but essentially this is the advantage that our team player potentially has gotten, because, you know, the challenges included in the leaked files that he got were actually not the ones affecting us, but obviously he could see the map files. So that's why for our round it started much earlier and a bare version of the map file was given out to all the teams, and that's why we were in this early round. And with giving out this early map version, the organizers, gynvael, ZetaTwo and so forth, also decided that it was okay that our player who potentially was exposed to these leaks could just start right away and play with us, because this kind of nullifies his advantage.

As you can see right now, Thomas here is also looking at the actual raw JSON map file, and you can see that he's looking for the type "gravity". This is something that we noticed and saw, and we were wondering if there's something that modifies the gravity of the player. Maybe that could be used to float around, or there are some sections of the map where gravity is inverted, and we wanted to make sure we understand what this gravity type does and if it affects us in an important way. There could be some challenges around this, and I think we didn't really know what this type gravity means yet, because I don't think this was anything that was already in the test game that we had received previously. So I remember us talking about the gravity and speculating what this could mean, speculating about potential challenges and so forth.

Yeah, I don't really know what to tell you and how to fill the remaining roughly 10 to 15 minutes before we get the actual game files. You can see us still exploring the different regions in Tiled and looking around, taking notes and just, you know, thinking about potential things that could happen. As you might have noticed, when we were looking at the map in Tiled, the regions had different names. I'm telling you now the names from the top left going to the right and then down: there was Blue Tower, Sepia City, Green Pines, Last Resort, Forbidden Basement, Tunnels, Green Pines Entrance and Cave Without Bats. Cave Without Bats is where the player was also spawning, and remember how I told you very early in the beginning that, from the green respawn areas that we know of, this small section above the Cave Without Bats, where you have to jump and then die to teleport up, is actually called Green Pines Entrance. I didn't even realize this, but I guess this is a hint that here's the entrance into Green Pines, and it maybe hints a little bit: okay, somehow you need to figure out that you can get from this entrance up into Green Pines, because there's no other way. And that's maybe a bit of a hint that players can look at these respawn regions and kill themselves, so that's actually a pretty good hint. I didn't even realize this, but it also shows that the ideas we had, that maybe playing around with these respawn regions and killing yourself in very strategic places to respawn in other locations, is actually something that the organizers and the creators of this challenge were also thinking about. And so it meant, oh yeah, for sure we know exactly how to solve this challenge part.

Here you can also see Flo having Tiled open, and on the left our CTF pad, where multiple people are currently taking notes about different map stuff. You see for example the types below; I remember that I extracted all the types in the map JSON file from all the entities to see if there are any new ones, and I think this is how we discovered the gravity type. And so everybody here is taking notes on the different areas, and you can see for example here "Green Pines Entrance: kill to teleport to Green Pines", so this was a plan we already had. And in the Tunnels, lots of door colors, and it's connected to Sepia City but not sure how to teleport up; it's also connected to Blue Tower. Last Resort maybe could be the end, because of the small thing in the bottom left, because there doesn't seem to be a way to get out of it, so, yeah, I don't know, let's note it down. And then there's also the Forbidden Basement, which might only be reachable with kill respawns, or maybe there's also a portal, but we don't know that yet. You can see: keep exploring, keep having ideas, brainstorming, making sure we have notes and think about all the different possibilities.

We are now roughly nine minutes away from receiving the actual game files. Now, when we receive the actual game files, the server is actually not yet playable, so we can't solve all the CTF challenges yet. Once we receive the game files we have 30 minutes to get everything, our tools, everything, up and running, and then the game opens up and then the real race actually starts. But we can try to pre-solve or prepare as much as possible in those 30 minutes, and you can already tell, you know, having access to the bare map file is a lot of time that we had. At this point we are kind of not really knowing what we could do; you can see all of us just staring at the map rendering in Tiled, taking some notes, thinking about the different areas. But if I remember correctly there was not much talking, though we were slowly starting to think about potential routes and how we route certain things. If you look closely you can see, for example, a lot of jumping stuff going up, where you only had very small platforms and you had to jump up, and these were things where our route planning tool could be really, really cool. But the route planning tool doesn't work yet, because the route planning tool requires the actual game file. I did not implement that editor and I'm not really familiar with the code, but as far as I know the route planner is actually using a simulate-ticks or simulate-steps function from the actual game, which is kind of simulating the next game frames, and that can be used
to predict where the player would jump to and walk to, and I believe this is how they can draw the different jumps and where it would jump to in the editor. And we don't have those files yet, we don't have the actual game client yet, so we can't actually prepare routes. I remember us also talking, I think after the CTF, that we should have maybe tried to get the new map into the old demo client that we had, so that we could actually prepare these routes beforehand and could now actually do these routes. You know, we don't need all the other game stuff, but if we had the map in a way where we can already prepare the auto routing, to be able to automatically have the player then jump around, that would have helped us a lot. But, you know, our tool didn't allow us to do that yet.

Maybe at this point it's worth mentioning what kind of skills you need to participate in this level of CTF. We don't actually know the kind of challenges yet; we only know that there are two kinds of challenges. There are in-game challenges, so for example, you know, jumping in certain crazy ways, or finding out how to break certain doors, or this death skip where you kill yourself and then you respawn in a different place. You know, these are also kind of game hacking stuff, same as the speed run, for example, is a game hacking thing, and those might be in-game challenges. But then there are also out-of-game challenges, and these are implemented with these terminals, and these terminals maybe give you a file or a URL or something, and then you have to solve that CTF challenge independently of the game. And the flag can then be entered somewhere, and then it opens a portal and gives you access to another region of the map. And so at this point we don't know yet what these out-of-game challenges will be; I mean, they certainly will be kind of small challenges so they can be solved quickly. But up until this point, all the preparation that has been done for this game from our team is web engineering. There was a lot of JavaScript and general knowledge of how games are architected, and this allowed us to write patches for the game so that we can modify it and render these overlays, render the collision maps, create this editor that we can browse around in, rendering the different green lines that are separating the regions, rendering the respawn points, all this kind of stuff. All that stuff is just web engineering: knowing generally a lot of JavaScript, canvas, how games are structured and so forth. And then on top of that you need obviously a lot of software engineering skills to build all the tools around it. I think the internal wiki was for example written a lot by cherry warm and others, and sorry, I forgot who else was heavily involved with that, but this is all engineering effort that helps us to be more efficient in CTFs. So being good at programming, being a good software engineer, being able to build tools and products like this, is extremely, extremely helpful for CTFs as well. Of course, you know, it's not really necessarily realistic that you need to write JavaScript game hacking tools for real-world penetration testing, but it's about being able to have a problem that you are facing and then creating software that solves that. All the people implementing these tools here have exceptional problem solving skills, and you can throw them any kind of challenge, and with challenge I mean also real-world problems, and they will be able to approach this: write tools, get inside, analyze these problems carefully and efficiently, and then be able to solve them and provide good solutions. And that's what I love about CTFs: they train these kinds of skills.

Now I talked a lot about web engineering, but of course I completely forgot about the websocket proxy. And if you look around, there are some websocket proxies out there, or websocket libraries that you can use to implement your own proxy, but management together with, I
think it was A2nkF, but not sure exactly who was involved, they wrote their own websocket proxy by hand from scratch. Mainly it was, I think, for speed, and they wanted to have it very extensible, and so you can get very deep into it. They call them hooks, so at almost any point of parsing and receiving and handling websocket messages you can create hooks that then do something with the data. If there's an encryption layer, write a hook for that, decrypt that and pass it on to the next layer, and so forth. And again, this was then also integrated in our collaborative tool, because the game ticks were transmitted through the websocket proxy. The game ticks were also massive: the game ticks were actually JSON data constantly being sent from the client to the server, and this tick data, this JSON data, did not just include the current player location or maybe which button was pressed. No, the player was actually sending the complete game state, which includes the complete map, on every tick. This also meant you can't easily cheat and change certain things, because the server will always be able to verify the client state, and as soon as the client state is kind of wrong the player gets disconnected. And ticks were sent multiple times a second, I forgot how fast, but it was like, I don't know, 30 times a second or so, and then it was kilobytes of data, really large JSON blobs. And for example for our collaborative tool we had to extract the player position to be able to render the current player position in the collaborative tool, and the websocket proxy was written in Python, and if you use just the basic JSON parser on every tick, that is so resource expensive and too slow, and so we had to use some other kind of JSON parsing library to be able to be very fast with it.

Now, I tell you everything about this websocket proxy right now because this websocket proxy is integral and very, very important for our collaborative tools. The websocket proxy will become a topic in just a moment. And, you know, being able to implement a websocket proxy is actually really important even for penetration testing. It's not necessarily that you need to know how to implement a websocket proxy in itself, it's more that you have the skill and ability, by looking at the protocol definitions and so forth, to re-implement it yourself. This could apply to any kind of protocol or proxy, and there are not many websocket proxy projects out there. For example, there's Burp Suite, which just kind of recently, I guess at this point it's also more than a year or so, has a websocket proxy in Burp Suite, but before that you didn't have it. And if there was a web application or something else using websockets, it was really, really hard to analyze and do penetration testing with a websocket protocol. So if you ever faced, for example, a client's application that is using websockets, you would need to be able to implement your own tools, and this is again something where CTFs help you practice it, because they force you to implement these tools that maybe didn't even really exist before. It forces you to do it in this competitive environment, and you learn a lot, and maybe you have actually then developed some tools that are actually usable in real life, or might actually be worth open sourcing.

I'm telling you all of this because we are just moments away from receiving the actual game files, and the websocket will become an important topic in a moment. Here are some last-moment notes made by Ivan, taking notes on where there could be abusable respawn locations, where you, you know, die and then respawn in a different place, which might be usable to either solve a challenge or just to be faster traversing the map. Well, what else can I say? Our preparations, I think, were really awesome. I think what our team created was amazing, and huge respect to my team members who spent so much time on all that stuff. I think it's awesome, and that made this event so much fun. At this point we also didn't know what exactly other teams had prepared, like how the tooling from other teams looks, so we were really wondering: did we really over-engineer it? How are the other teams looking? But, yeah, we don't know yet. When you see this video, maybe the Google commentary video is already out, where you can see how the other teams played it and see their tools, so that might be cool. I've also seen that one of the other teams was joining NahamSec on a Twitch stream, showcasing the tools that they created. I will also make sure to link to that stream below so you can check out the crazy tools that other teams made, which then also shows that, you know, it's not unique to us creating these tools; it's a typical CTF thing that kind of everybody is doing.

I should also maybe prepare you and say that the tools we have written are not perfect. They were really rushed and so they might have bugs, especially when we have to apply them to the new game that we will be receiving shortly. I think somebody was still fixing bugs in the route editor that we had. I'm not exactly sure where it is, because it's not recorded here, so I assume we don't have a stream from that person, and that kind of sucks. Unfortunately not everybody was streaming and recording their screen, and this might also affect some of the challenges that will come, because maybe those challenges were not actually solved here on the screen, but you will still see us handing in the flags and progressing and so forth. Now we are just kind of hanging around. Unfortunately we will also lose some of the streams; for example A2nkF has some upstream internet issues and he restarted his machine, which then also dropped his stream for just a moment, and he was then streaming again later, but the issue is that then the recording somehow broke too. So unfortunately we are losing him, but on a positive note, my stream is now up.
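The hook-layered websocket proxy described a little earlier, where game ticks are large JSON blobs of which the collaborative tool only needs the player position, as an added Python example that is not the ALLES! team's proxy code: a minimal hook chain in which each stage (decode, JSON parse, field extraction) can transform or drop a message, run over constructed client-to-server ticks. The class and function names (`HookChain`, `TickTracker`, `make_tick`) and the tick layout are assumptions; the JSON parser is a pluggable parameter so a faster `loads` can replace the stdlib one, which is the kind of swap the narration says became necessary at the real tick rate.

```python
# Added example, not the ALLES! team's proxy: a hook chain of the kind the
# narration describes, run over constructed client->server game ticks.
import json
from typing import Callable, List, Optional, Tuple

Message = dict                                   # mutable envelope passed between hooks
Hook = Callable[[Message], Optional[Message]]    # a hook returns the message, or None to drop it


class HookChain:
    """Ordered hooks; each one sees the message as left by the previous hook."""

    def __init__(self) -> None:
        self.hooks: List[Hook] = []

    def hook(self, fn: Hook) -> Hook:            # usable as a decorator
        self.hooks.append(fn)
        return fn

    def run(self, msg: Message) -> Optional[Message]:
        for fn in self.hooks:
            msg = fn(msg)
            if msg is None:                      # a hook vetoed the message
                return None
        return msg


class TickTracker:
    """Keeps the few tick fields a collaborative map needs: latest player position and counters."""

    def __init__(self, loads: Callable[[str], dict] = json.loads) -> None:
        # `loads` is pluggable: a faster parser (assumption: one with the same
        # call shape, e.g. orjson.loads) can replace the stdlib one at high tick rates.
        self.loads = loads
        self.position: Optional[Tuple[float, float]] = None
        self.ticks = 0
        self.dropped = 0
        self.chain = HookChain()
        self._install_hooks()

    def _install_hooks(self) -> None:
        @self.chain.hook
        def decode(msg: Message) -> Optional[Message]:
            # Layer 1: raw frame payload -> text. A decryption hook for an
            # encrypted transport layer would be registered right after this one.
            raw = msg["raw"]
            try:
                msg["text"] = raw.decode("utf-8") if isinstance(raw, bytes) else raw
            except UnicodeDecodeError:
                self.dropped += 1
                return None
            return msg

        @self.chain.hook
        def parse(msg: Message) -> Optional[Message]:
            # Layer 2: JSON parse. A malformed frame is dropped, not fatal to the proxy.
            try:
                msg["tick"] = self.loads(msg["text"])
            except ValueError:
                self.dropped += 1
                return None
            return msg

        @self.chain.hook
        def extract_position(msg: Message) -> Optional[Message]:
            # Layer 3: pull only the fields to render; the full map blob the
            # client echoes every tick is carried along untouched.
            tick = msg["tick"]
            player = tick.get("player") if isinstance(tick, dict) else None
            if not isinstance(player, dict) or "x" not in player or "y" not in player:
                self.dropped += 1
                return None
            self.position = (player["x"], player["y"])
            self.ticks += 1
            return msg

    def feed(self, raw) -> Optional[str]:
        """Run one client->server frame through the chain; returns the text to forward, or None."""
        out = self.chain.run({"raw": raw, "direction": "c2s"})
        return None if out is None else out["text"]


def make_tick(x: float, y: float, map_tiles: int = 2000) -> str:
    """Constructed sample tick: position plus a large map blob, mimicking the
    kilobyte-sized full-state ticks the narration mentions."""
    return json.dumps({"player": {"x": x, "y": y, "vx": 0, "vy": 0},
                       "map": [{"id": i, "t": i % 7} for i in range(map_tiles)]})


if __name__ == "__main__":
    tracker = TickTracker()
    for step in range(30):                       # about one second of ticks at ~30/s
        tracker.feed(make_tick(100 + step, 42).encode())
    tracker.feed(b"{not json")                   # corrupt frame: dropped, proxy keeps running
    print(tracker.position, tracker.ticks, tracker.dropped, len(make_tick(0, 0)), "bytes/tick")
```

The point of the chain is that every stage is independently replaceable: a parser swap, an extra transport layer, or a new field extraction is one hook, and a bad frame at any layer is dropped without taking the proxy down.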
For some reason I had exactly the reverse issue: my recording only started like now, but it's good, because the game is about to really start, so I guess this is a bit more the interesting part now. In Ivan's terminal on the right you can see that he downloaded a "match 3 package" 7zip, so we just received the actual game files, but the 7zip is encrypted, so we can't actually unzip it yet. The idea here is that all the files are distributed to all the CTF teams, and when everybody has it and everybody confirmed that they received the files, then they will hand out the decryption key and then everybody can unpack the zip and start playing. Now, the file is very small, so it's not necessary in this case, but it's a typical thing that can happen for CTFs that are especially more competitive, like attack and defense, so the files, especially for larger VMs, are distributed beforehand, everybody can download it even if they have a slow internet connection, and then later the decryption keys are handed out. But I guess here it still makes kind of sense just to make sure it's synced and everybody received the file and there are just no issues, and now we are just waiting to get the decryption key. At this point we also got really nervous, everybody was hyped, everybody in Discord was like, yo let's go, I'm hyped, and whatever; we can't wait for it to actually get started.

Maybe what's important to mention again: remember the action plan we had step by step in the wiki. Thomas is the person who will download and push the files into the repository. This repository will be the central place where everybody can work on the files if necessary, so for example the patches that we applied to modify the game client for, you know, the overlays and the hacks and whatever, these are applied in this repository. And we have it in the repository so everybody can modify and help doing that, or let's say the people that are actually responsible for applying those patches will do that, and then other people can also do this. And then the person actively playing the game, in this case also Thomas, he can then always pull the new state of the repository, and thus the client, and then can just restart his game and has then all the hacks or whatever that were developed. That's kind of the strategy we were going for.

Waiting and waiting and waiting. You can see everybody is kind of prepared to unzip the file with the password entry. Flo has the password prompt open; I also have the same password prompt open, but I also realized, oh, maybe I should prepare some of the tools I might need. So I actually start Ghidra here, because maybe we will get a binary that we have to reverse, or a pwnable or something, and I might need Ghidra to look at the assembly, so I just thought, oh, I should maybe get this tool ready. Other than that we were just waiting, and then in Discord we saw that gynvael is typing, and when gynvael is typing it means he might just be creating the message to send us the password. So everybody got really excited in Discord and was, oh, oh my god, oh my god, it will start in a moment, gynvael is typing. And then gynvael took so long typing and we were getting really anxious; it was a little bit going insane, and I don't know what to tell you, we were just getting really amped up, really hyped, waiting for gynvael's message, and it should be there in just a moment. And gynvael finally drops the password message and everybody can go ahead and decrypt the zip file. Just kidding, gynvael still hasn't sent us the password. Oh my god, it was, you know, when you have to wait for something like this, when you saw him typing and you think he will send the password over in just a moment... yeah, what can I say, we were really getting nervous at this point. A2nkF was joining us back again, he restarted his machine, but as I said, unfortunately we lost his stream. But now we are really, really close; we anticipate the password any moment, and so somebody was also saying, hey Thomas, you are the person who has to push everything into the git repository, maybe you should prepare the 7-zip unpacking with the password entry already, so that you can be the first and be super fast at pushing it into the repository, so prepare that.

But finally, finally, the password is here, so let's switch over to Thomas, because he's the one who has to prepare all the files for the repository. So you can see him entering the password, having it decrypted; he probably also has a second screen, that's why you can't see him handling the files right now, but in just a moment you should see him doing some commands and stuff to push everything into the repository. In the meantime you can also see that all the other people are just exploring the files right now, and they are talking about what they can see in the unzipped version. They notice that a few different files have changed; they talk about whether the document structure changed, whether it's still the same. You can see me opening up the map here for the first time; nobody else has opened the map yet in Tiled, generally just exploring and looking around. Unfortunately Thomas, who is preparing the repository right now with the new files and putting them into the correct folder structure and everything, he's unfortunately doing that off screen, not on the one that he is recording or streaming right now, so you can't quite see what's going on. Actually, it also looks like Nico is also preparing the collaborative tool that we have, so he is moving right now here the new map into the Hackceler8 tool repository that we have. The bare map obviously didn't include everything; now we have the map that includes everything, so he needs to restart the collaborative server that we have, so everybody can then, you know, use that as well to investigate the map. All right, it looks like the server is up and running and there's a new auth key, so the web service, our
collaborative tool, is running on the internet, and we obviously don't want anybody else to stumble over it and see our collaborative tool, and that's why there is a secret auth key that is then shared between us, and we can use it to then log in to the web app. So the collaborative tool seems to be up and running, at least with the new map. Of course it's not quite hooked up yet with the websocket to actually get the game state and have all these features that you have seen all the way at the beginning of the video, with, you know, the terminal outputs, the automatic flag submissions, the synced player location and all these features.

Now, to cover responsibilities again, just so it's clear for you: Thomas is responsible for playing the actual game with the real server later, and he is also responsible right now for setting up the folder structure for the game. The game files will be put into a git repository so that the others can then work on and modify these game files if we need new hacks, and it will also be used to apply the patches for our, you know, in-game hacks. And you can also see how Thomas is locally now running the game and serving the game files and setting up the proxy as well, and because he will be playing it locally on his machine, he is also the person that is basically setting up all of that. Then Nico is actually running the collaborative server, you know, that can also load the map and everything, with the terminal features and so forth. But management, in the top right, he's responsible for developing the websocket proxy, so he mainly developed it and so he knows how to fix stuff if things are broken. And they are now splitting up into a different Discord room, because we are all still in one room, and of course there are way too many people talking about different stuff, and it's very important now that we resolve all technical issues and just get our tools up and running. I was not part of the websocket room, but I can already tell you that they were running into technical issues, so I can't really say, looking now at management's stream, if he already knows that the websocket proxy has issues and what the issue exactly is. But they might have already figured it out, or at least soon they realized that the websocket proxy has issues. This also then means that a lot of features from our collaborative tools wouldn't work, but maybe they also only figured that out when we got the real server, because right now we are only connected locally. Like, everybody can run the game; you might also see multiple people maybe starting the game at some point and playing it a little bit. The only reason why this is possible is because they run it locally. Access to the real game, to the real game servers, will come soon, but this already means we can now actually get familiar with the new game server and client. But obviously we don't know a lot of the challenges yet; we could theoretically figure out some of the in-game challenges and solve them already.

I'm really sorry that my commentary for all the other players sucks, because I don't really know what they did, but at least I know what I did. And if you look at my screen right now, I'm looking at this red object and I try to figure out what that is. I walked up to it, but I couldn't seem to really interact with it, and so I opened Tiled and looked at the map itself and tried to find that object and see what exactly it is. It will take me a little bit to realize that this is a key, and then it also will take me a little bit more time to figure out how to pick up that key. At the same time you can actually see here Ivan also seeing that red key, and I think he already realizes that he has to bring the key up there into the key slot to open that door. You can also see Flo going through some of the other game objects, especially these control inputs, which are actually part of one of the game challenges that we have, but we don't know this yet at this point, so we are still wondering what these control inputs are. And now Flo is actually finding another key, a purple key, and he starts looking for keys in the source code, so as you can see he is here grepping over the source code. But in the meantime we are still talking about the red key that we found very close to the start, because we were wondering how we can pick up that key, and somebody was suggesting, can you press down? But I did press down and it didn't work. As you can see now, Flo is obviously searching for keys and so forth, so he's actually already a bit further with investigating these keys, maybe even key presses. You know, we were wondering what other key inputs the game takes, so maybe there's another key to pick up that red key. Unfortunately I think Flo was in the other Discord channel, so actually we had no clue how far he was and what he was actually looking at right now.

At this point somebody joined our Discord channel and was saying, hey, management is working on proxy patches and so forth, and maybe that would be interesting to stream for Google as well. So I'm not quite sure what management was actually doing here; again, he was in a different Discord channel. I guess here's management working on the proxy. I'm still not sure if at this point in time management knew that the proxy had issues and if he was actually working on those patches, or if he was just working on the general patches that had to be done to make the game work with the websocket proxy. It does look like he's working on the patches of the game so that the game connects to the websocket proxy and not to the real server. And now I see here on the stream that Flo is picking up that key. In our other voice channel we are still wondering if we can somehow pick up that key, and Flo already figured it out, but unfortunately we didn't know about this because he was, I think, in the other channel. But it also doesn't seem like he knows what to do yet with the key; you can see him opening up the console, and then he will also
switch over to the terminal again, looking around again for keys and trying to grep for different stuff. So right now he's for example looking for escape. I'm not sure if he realizes that this is the key that has to be put into the slot just right in front of the door. But also in this moment another player, who is I think not streaming right now, figured out that there might be other keys, and they told us, maybe try to press shift, A, or maybe it could be space also. And just when he was saying, like, maybe it could be space, I actually was also going back into the game, and I think I just randomly decided to press space, and then I was also able to pick up the key. So let's switch over to my screen and have a look at my glorious moment of the CTF. I think this is the biggest contribution that I have given to Hackceler8 for our team. As I mentioned, and I can't mention it enough, the remaining people of the team built all these amazing tools and the organization and all that stuff, and I'm just here the marketing guy, okay, making a video about the experience, that's it. So I reach here the key drop-off point, I put it in and the door opens, and I announce proudly on Discord that I can now enter this pathway here. So let's check out the next location; this is the location Tunnels, I guess. Not, I guess, I turned around. What the heck was I doing? I don't even know. Oh right, I remember, I went back because we were also switching over the stream to my screen so that Google in their coverage can see that ALLES! now actually opened that one door, and they can see that we were progressing and in what area we were now.

Unfortunately we have now lost another stream, from management, which is actually kind of sad and kind of important for this coverage here, because again management is responsible for the websocket proxy, which we slowly realize will have more and more issues. Again, I still think at this point we didn't maybe quite realize that the websocket thing has an issue; at least I did not know about any websocket issues at this point yet. I will realize this a lot later. For now I'm still just exploring the map and looking at different regions and seeing what else can be done. And remember, this is also just the pre-round; we are still using our own local server and client to play the game, we are not actually connected to the real server. And just in case this is confusing to you, why they give out the server as well: it just doesn't really affect the game hacking at all, because the actual real challenges are implemented on these terminals, and for that you just need to have access to the real server, which is handing out the actual challenge. We can just locally run the server here, and of course we just won't get those challenges; that's basically it. Of course, what we can solve is things like these doors, like we can find the keys and open the correct doors, and that's basically what we can do. And you can also see me, for example, here investigating now this area at the bottom with all these different doors. Some of them seem to be open, like some of them seem to be also doors but they are not closed, and then there are closed doors, and this will turn out to be one of the in-game challenges for our round of the competition that we need to solve. But what exactly is up with these doors I don't know yet; just investigating, just looking around. And you can also see here the cool overlay feature that was writing down the names, open and closed door, as well.

But let's have a look at Thomas, because he's reviewing some of the patches here right now. Not entirely sure what he was exactly working on, but on the right you can see for example here the speed hack constant value, which takes like a speed multiplier, and on the left you can see here some key states that have to be handled, and of course the speed hack can be activated by pressing a key. So I wonder if this is just implementing and patching the client to enable all the hacks. Actually, yeah, on the left here we can see, for example, "observe process input", and you can see that if a certain key is pressed it will enable the auto jump and a lot of other stuff. So yeah, they are working right now on applying the hacks to the client as patches to the actual JavaScript source code of the client, so that you get this overlay that I was showing you all the way in the beginning, where you could press certain keys to enable auto jump or speed hacks, draw these lines, draw the green division lines between areas and so forth. All that overlay stuff in the game has to be patched in right now.

Oh, what the heck, just zooming back here and seeing localo using the route planner. So this is in the collaborative tool that we have, when you open the map, and I guess he fixed the editor and made it work now with the new map and with the new game, and I guess he's planning out a route here for jumping up this section. As you can see, this looks very similar to the demo map all the way from the beginning, where there were quite some trick jumps, and these walls have some very annoying collision maps, and so you need to very, very precisely jump exactly at the right moments. You can obviously do that by hand, but it's very annoying, you will fall a lot, and so if we could have an automated jump route that we can load and the player just jumps up there, that would obviously be perfect for when the game actually starts; that would save us so much time. I guess this is what localo is working on, just trying to get some routes prepared.

Another thing that I could mention regarding the challenges that we kind of know will happen: first of all, we have seen the overlay that Google is using during the streams, and they are counting and visually showing how many challenges you have solved, and so we knew already the total amount of challenges. And if you just look over here at Flo, who is using the collaborative app, you can see also that we have the flags just below the map on the left, and
it shows all the available challenges already and so this is how we know how many in-game challenges and out of game challenges there will be this data is actually pulled from a javascript config file if i remember correctly other than that you can still see thomas applying patches working through merge conflicts ensuring i guess that everything works not exactly sure what the steps here is i assume that he just sanity checks each change here each line that changed to make sure like nothing broke and maybe he can also catch new stuff that was introduced in this into this new client when we look again at what the others are doing you can see that localo is busy making more routes as you can see there are a lot of very small platforms and it's a very long path that has to be jumped there you can see flow looking at the same area just a different section of that area so there are just a lot of platforms to jump and this is obviously where our routing tool can be really cool he can prepare all these jumps so that later than the actual player can then simply load this route and automatically jump everything now there are two ways how these routes can be shared the first one is you can if the collaboration tool is working you can just send this route to the player and the player gets then a small pop-up external route incoming do you want to accept it and you can just load it and immediately use it and the other option is that you can also save the route as json file as i already hinted we will later have some issues with our collaborative tool not working as we were hoping it would work so the sending it to the player directly doesn't work so we will do the saving as json soon at this point we were also just generally checking out all the areas of the map and thinking about how to get there and if we are able to get everywhere or you know maybe is are there some challenges that we need to solve to get somewhere else and so forth and so for example we were looking at the 
other keys because there was the red key at the start but there were other colored keys as well in different colored doors also in different areas so we were just thinking it's the sequence where you can like walk all to all these places and open all the doors and get to all the areas or if there are still some places that are unsure how to get to and i for example was unsure how to get into that area where lo carlo is currently creating that route because there's no direct entry to it i knew you could do the kill respawn trick in that one cave entrance to get up there but i also was wondering how to get to that cave entrance in the first place because there's a high vertical tower that goes up there and if you just look at the textures like this it just looks like there's no way to get up there but again then people were saying oh there are actually collisions but they are almost like pixel perfect you can also see here thomas just playing around with the client so thomas is our main player he is running the main game and so you can also see like the overlay of the game and so forth this is the actual game as he was like reviewing these patches for the game client he's testing i guess all the hacks and if they are still working with drawing the coalition maps scrolling around the map and all these other stuff you can in the bottom right corner see for example the enabled hex so yeah he's still working on getting the client instrumented with all the hacks that we had and making sure that they work now it's also getting a bit quieter on discord at least in our channel i don't know what exactly is happening in the proxy channel but we were just kind of like looking around we were like throwing ideas around like should thomas first collect all the keys or should he do something else first when when the actual game releases so yeah very unsure oh did you notice how thomas are kind of like clipped through the ground here i think this is actually just a visual glitch i 
don't think this is actually happening, but we were really confused: what the heck happened here, did we glitch through the ground, and is this maybe another bug or vulnerability that has to be exploited in some other area of the map? localo is still busy creating routes, very patiently, and you can see that also Thomas is just trying to get the client further set up. I have no clue what kind of issues he's fighting with, but I mean, it's all basically engineering issues, right? It's understanding, reading JavaScript, getting the patches applied, debugging if something is not working, figuring out why it's not working and so forth. It's just like web development at this point. If you look at my screen, you can just see that I'm just casually playing, just walking around a little bit, exploring the map. Maybe we could actually look a little bit at Flo. I'm not exactly sure what he's up to, but he seems to just dig a little bit deeper right now; maybe we get a sense of what he might be thinking about. It looks like he's just restarting his local client, so let's maybe just watch a little bit of the gameplay when you just load into the game. So this, to the right of the spawn, which you didn't really see, is actually the end of the game, but there's a door that stops you from reaching the end, and you have to solve everything to open that door. Now he's going up, but that's wrong, because he should go down, and this is where the red key is located. So he is just going to grab that red key and then he has to walk up to the one door that then leads into that long hallway. That just takes a bit, so let's just wait for a moment. So I'm wondering, have you actually been watching this video up until this point? If so, maybe write "jalapenos" into the comments. I'm really curious how far people are actually watching this. Probably nobody, but let's see. Another thing maybe that I could mention, just while he's casually playing the game, is: I don't know what your expectation is
of CTF players when they play a CTF. We are now almost an hour into the CTF and we obviously received a lot of files and stuff to go through, and obviously we had good preparations, but did you expect this to look a bit more crazy? Like, did you expect we would be hardcore hacking and doing crazy tooling and, I don't know, coding, cracking, hacking, whatever? Because maybe you have a wrong imagination of what playing CTFs and hacking actually looks like. This is much more realistic: it's a slow progress, there's a lot of communication happening on Discord, we talk about stuff, there's this whole web development part where obviously our hacks have to be patched into this game client, things are not working, some other people are trying to work with the websocket proxy and so forth. So don't worry if you think you are slow at it or whatever, it doesn't really matter. Even in a competitive environment, if you allow me to be this arrogant, for a really good CTF team, you know, it doesn't have to look insane, right? It's just mundane technical problem solving that has to occur, you know, it's nothing crazy. But what is actually crazy is what is happening on Thomas's screen right now. So he's just jumping up that one section that I told you about earlier; I was not sure that you could actually jump it, and he's using here the auto-jump feature that is hacked into the client. He can also now enable here the overlay where you can see the death area and where you then would respawn. You can also see here the blue arrows, which show you where certain teleport portals are teleporting to and so forth. Now think about the difference this was to Flo's gameplay: Flo was playing without the hacked client, but Thomas is the one who is trying to get this game completely running with the game hacks. It looks like we are pretty ready with the game client itself now. Around this time management, who is working on the proxy, actually joined our
voice channel, because he wanted to talk to somebody, telling us also that there are issues with the proxy and it has to do with the deflate feature. So actually, when we were playing with the test client, our team suggested: hey, can you implement a deflate feature to compress the size of the ticks that are being sent through the websocket? This way the speed hack would be even more feasible, because you are not that much bound by the traffic you are sending. And they implemented deflate now, but that broke the proxy, and now they try to fix that deflate feature. So deflate is basically just the algorithm name for what is implemented in zip files, the deflate algorithm. And so now they are wondering how they could fix this. First of all he asked Flo if he still has this feature that he built to strip away the deflate layer for the proxy, and then they were wondering if you can strip out the deflate feature from the client, basically if you can prevent the client from using deflate. But then somebody else was saying, well, they are using the Chrome API, so you have actually no control over this: whatever Chrome wants to speak with the server, this is what is being spoken. And after that they realized, oh wait, maybe we can use our proxy to basically strip away the information that the server supports deflate, basically advertising to Chrome, hey, we don't support deflate, and as a fallback it goes back to the working version. So this was kind of the strategy for trying to get the websocket proxy working. But now let's have a look at my screen, because I start investigating something and I learn something. As you can see I also have opened here the JSON map raw file and I'm looking here at different values, and I find out that there are these toggle switches and they are related to, for example, the object sky 18, and sky 18 is one of the doors in the bottom left, in this area where there are a lot of these doors. Oh, let me struggle with Tiled, oh my gosh. But yeah, I'm kind of zooming
in and trying to understand really what is referenced here. So as you can see it says here: name "door toggle", the type is string, and then the value is "sky 18". So whatever this object here is referencing, it seems to be the door toggle for the door sky 18, so I try to figure out where that door toggle is, where that switch is that I have to press to open that sky 18 door. And I'm not familiar with Tiled; this is the first time that I ever use Tiled and that's the first time I ever see this map format, and this is typical CTF stuff: you have a new technology you have never used before and you need to figure out a way to get the information you need. I mean, obviously this is referencing some kind of object that is in here; maybe if you knew Tiled very well you would immediately know, ah, this is this object here, it is, I found it, but I'm unsure. So I think I remember me looking for some kind of search functionality, if there's a way to filter through all the objects and filter all their properties and attributes basically, but I just can't find it. So I've been struggling a bit with this, and right now you can see me looking at the x and y coordinates, because I figured if this door toggle is referenced in this JSON format then it should also have a location and I should be able to go to that location. The problem is I can't find the functionality in Tiled to basically jump to this coordinate, like show me that object at this coordinate or so; this functionality doesn't seem to exist in Tiled, so I don't know. But then I also saw that the objects have a UID, and I figured, oh, that's a global identifier, I should be able to find that object with that ID in Tiled, and so I'm searching for that, but also that doesn't seem to work, no chance. But it was kind of hiding in plain sight, because there was a type called control, and when I now search for control I actually can find these control units here, and now I'm basically very, very close to figuring out that
these control units are actually what control the doors. Now actually two things happened in parallel, and I need to rewind just a little bit, because while I was looking at these controls and discovering those, Flo discovered a different secret, and it really happened in parallel. So Flo right now realized that there are almost invisible collisions; they are not invisible, they are just very, very tiny, almost just single pixels large, and that you can actually jump up the blue tower. We didn't see that until now; we were speculating that maybe you have to fly up there or something like that, we didn't know, but Flo discovered now that we can just jump up them, we just very carefully need to, I guess, also plan the route for that. Anyway, now is my time to shine again, because I figured out now how you can see which control unit is responsible for which door to toggle, and I decided I should probably document that in the wiki. So I was also telling our head of production, or director, to switch over the stream to me, because I am now working through each individual control and mapping them to which door they belong to. Basically I want to figure out which are the controls I need to press to open all the closed doors, and I assume that if I would accidentally press the control for an open door I would close it, so that's why it's very important that we map out the correct doors. Now I also think you should look at the time and remember when I started with this: we are now one hour and five minutes into this CTF. I will probably show other stuff that other people are doing, because this will take me ages. Okay, this is a very basic, basic, basic task and it will take me ages. Just again, hopefully I'm able to push through some wrong expectations that this is some crazy hacking stuff; it's literally not, I'm just literally looking at information in Tiled and then writing it down in the wiki, there's no magic at all. As you can see, localo is still there, just mapping out
routes and so forth, and so everybody was then obviously saying, hey localo, you need to map out this blue tower that Flo figured out, that there are these pixel-perfect jumps, because that is really annoying. But that took a while, so that was a little bit confusing, like which tower is it now and so forth. And I mean, yeah, but the point is, you know, somebody discovers something and tells localo, who seems to be the person right now creating these routes, that this is an important route to create. In the next two minutes or so not much is actually happening; I'm still just copying down, writing down the information about the toggle doors. Flo, you can see, is just exploring the map a bit more, and as you can see Flo also has now set up his game client so that he has the hacks as well; that's why he can see the red collision detection. If you remember, earlier Flo didn't have that and only Thomas had that, but because everything is working now Flo can have it too, and can now use this to explore more things about the map. But now something magical happened: check out Thomas up here. He has the game on the right and our collaborative web tool on the left, and remember what I told you about being able to sync the player position? This is how it's supposed to look, and this is actually because the proxy is working. management was able to fix the proxy with some help, I think from old code that Flo wrote, to strip the deflate option from what the server is advertising, and this way they can still operate the proxy, basically downgrading the websocket connection, and now it's working. He can walk around and the game is sending the ticks with the position through the proxy to the server, and so the proxy knows where the player is located and it can be nicely updated in our collaborative tool. So you know, right now everything is looking fine, it seems like our proxy and everything is working and we are really on a good track. You can also see some bugs with the overlay: sometimes
when you move the map around, the collision doesn't match up with the actual map. That happens when you are all the way at the border of the map, but it's fine, it's not that important. You can also see here Flo executing one of the respawn-killing bugs to get into this one area: he's falling down and has to die at a specific moment, and then he is spawning inside of this area here. We just need to wait until you are not dead anymore and then you are in here. You can also, all the way on the right, see the flag console; this is where you can submit flags when you have one. And you can see here a terminal which would give you information about a challenge, maybe for certain map challenges, so maybe for example in this case, where you have to exploit this falling bug, maybe it would even give you an in-game flag for that, and that flag you can then hand in somewhere else. Could be, we don't know yet. Now we were also talking again about the console inputs and the doors and possible ways how this could be solved, because like with a lot of CTF challenges, and especially something as creative as game hacking, there are a lot of ways how this could be solved. So I'm mapping out right now which control switch belongs to which door, so that I can basically say go to the first, the third, the fifth and the ninth or so, and that would then open all the doors. But if you have looked closely at the features that we have in our hacked client, we can also zoom out, so I was saying, you know, maybe my documentation is worthless, because we could simply walk up to a control, toggle it, and have it zoomed out and simply look if we opened the correct door, and if we accidentally closed a door we could just simply revert it, and that would be super, super easy. But then another team member told me that actually the zooming out breaks these interactive objects, they are not rendered anymore, so you can't zoom out and then press all the control buttons. The zooming out is really more
for just figuring out which path you have to take in the map itself, so this doesn't work. But somebody else was suggesting, hey, we could actually write a small patch for the actual client that just prints out which door was opened and tells you the state, is the door open or not. That should be fairly simple to do, and then you just look at the console output or whatever and see if all the doors are now open. But nobody was going for that route yet, though I do think that would have also been a really, really good solution. For now I'm still just documenting everything, because once it's documented we can then always use the documentation to solve that challenge, even if maybe there are more efficient things; but you know, maybe we can do more efficient solutions later if we haven't been to that place yet, but at least I got the documentation done. We are also maybe roughly 10 minutes away from getting access to the real server, so the preparation round is almost done. localo is now thinking about mapping out the blue tower, but is unsure about the invisible collision map, so he's asking, can somebody create me a map with all the collision elements in it or whatever. I'm actually not quite understanding; I never looked into the implementation of these very small collision maps, because one person was saying, no, no, they are there, and localo was saying, no, they are not there, they are dynamically created or something. So I don't know what the deal is, but you will see in just a few minutes localo will start mapping out the tower, so no clue what happened there, but it's something that is being worked on. Around this time management also joined us in our voice channel again; he was the person who was working on the proxy and trying to fix the issues, but now the proxy is working, so all the issues are fixed, and he wants to get a rough update about what is going on. So we are telling him about the control points and the doors that have to be
opened, and that that is probably one of the challenges that can be solved, and that I'm working on mapping that out. We are then also starting to discuss what are actually the challenges that are available from the start, like what is reachable immediately from the start: we, you know, get the red key, open that first door, and then there are these other two keys we can open. Like, where are all the areas we can go to, to immediately figure out what the challenges are, so that we can then solve them. And for example the control units are accessible from the start: you just have to jump up and then go to that entrance, do the respawn-killing trick, get up there, and then you are at the control units to open all the doors. So that is one of the challenges that is accessible from the start, but you know, maybe it's not the best strategy to start with that; maybe it's better to go for one of the other terminals first. Most important are actually, I guess, the offline challenges, because the offline challenges are things that we can delegate to the other players who are not actively playing the game right now, and so that is probably more important than the in-game challenges, but we will see. Now for a moment there's not much happening, but you can start looking at localo's screen, because in just any moment he will start mapping out the jumping puzzle, I guess if you want to call it like that, in the blue tower. And you can see here the cool feature again of our routing planner, because it doesn't really matter how these jumps are; the editor is simulating the movements and the jumps, so just by simply adding one movement, like jump in this direction or whatever, you can see if he would keep jumping where he would jump to and so forth. So it's pretty easy. Oh man, this routing feature is just so cool. So let's see what's happening next. Thomas right now is playing the start again, so he's picking up the red key and walking then all the way up to the door and
handing in the key. This is actually also showing management what we have figured out with the keys, because as I said, management was in the other voice chat fixing the proxy, so he didn't even know what we found out about the game, and even the stuff that we found out very early, like the keys, he doesn't even know. So you know, it was a good moment to also show him. Now if we go back and have a quick look at localo's screen, you can see that he tries to map out the jumps in the blue tower, and this is actually really tricky, because they are invisible: you can't see them, there's only a collision map, but there's no texture for them. So he's kind of complaining and saying that blindly jumping around and trying to figure out where platforms are is really, really hard and annoying, and somebody else was then suggesting to do some research and see if they can change the texture of them so they actually become visible for him. Then also an issue came up regarding whether our editor with the routes is actually supporting keys like space, because space is used to pick up or place down the key. So if we would automate routes where the player would automatically pick up the correct keys and place them in, so we wouldn't have to do that, would that even work? And then it turns out, no, this was not implemented in the editor, because in the demo client where all the software was developed this was not actually a feature. But you know, there are some ways around it: you could implement a short sleep, and then, you know, the person who is actually controlling the player in this moment just has to press space when the automatically controlled player is just waiting for a moment. We are also now slowly getting a little bit nervous, because we are only a few minutes away from receiving the actual server, and that's obviously a little bit nerve-wracking. But of course not everything is going perfectly, and Thomas just realized something that might be a little bit of an issue for us, so let's
have a look at his screen. Thomas said that there seem to be some issues with the route planning stuff, like the routes don't seem to be properly applied. If you look closely you can see that the route is very different from what the player is actually jumping and doing, so that's not really good. So oh yeah, we are all getting a bit anxious now. Yeah, so this is not looking too good, but oh well, we will see. Okay, now there are again two, three minutes where I'm not sure how to fill the dead air, so I'm just talking a little bit of nonsense, but at roughly one hour and 19 minutes we will receive the actual server credentials, or the actual server IP to connect to, and then the real CTF race actually starts. I mean, then it's really going with all the flags and everything. So yeah, I just have to bridge basically the time until 1:19 and then there will be a bit more action and a bit more nervousness. In the meantime maybe let's check out Flo's screen again; we haven't really looked at him for a while, and he seems to keep digging into this actual source code, and as it looks he is looking here at the door opening stuff, the key receptacle. So this is not the door toggles, I think, that you can toggle from the control units, but these key receptacles are where you can bring the key. So I'm not really sure what he's thinking here; I don't know if he's just trying to understand the source code and the capabilities a little bit better, or if he's looking for some kind of bugs or so, I really can't tell. But I mean, whatever, this is CTF; it's very normal that individual players just keep focusing on something that they want to dig into and follow down the rabbit hole, and maybe at the end they come out and have a flag or something, you never know. So this is great, right? It doesn't make sense for him to just wait around like I might be doing or so; he just keeps investigating, keeps reading code, keeps digging in, you know, maybe he will stumble over something. Sorry for stalling a
bit, but there's just not much really happening right now. I'm also not sure what I'm looking at right now; I think I'm done with documenting the control units and the doors, and that's why I also just randomly explore the game a little bit. I think I try to get up to the control unit so I can see what I have to press to enable a door or not; it would be good to know what the actual key is to toggle them. Now around this time somebody comes into the Discord and says, hey, the server is up, but actually the server is not quite up yet. But they did send us some additional information, basically giving us an IP and port, and we should check if we can connect to it, if it's accessible to us, and this way we can verify that, you know, the server works. And yeah, that's the case, so we give the feedback that everything seems to be working for us, and then, just in about a moment, you know, one, two minutes or so, we get the actual server access. Though everybody was a bit confused, because as I said, the person came in and said the server is available now, so people were yelling, hey Thomas, why are you not playing the actual game, why are you not connecting yet? And then other people are saying, no, no, the real server isn't open yet, it's just a connection test. I was also then suggesting the first thing we should do is run to an offline challenge terminal, so we can get a CTF challenge to do offline, and then somebody else was saying, oh, for the first challenge here we need the purple key, but there's an easy way to get to the purple key. And then management said that he's currently working on an automated route that first gets the red key at the spawn, you know, you already saw it a couple of times, and then walks to the purple key to get that one, and then with that we can open one of the doors and get to the offline challenge. So this is kind of the game plan for the start, though I'm a bit skeptical if management gets the route ready before we actually have the server, but we
will see if that works out or not. You might also think that we all really understood the game concept, but once in a while somebody would ask, hey, can we not just collect all the keys already, so that when the real game starts we have all the doors open, or let's already run to all the terminals, like everybody walks to a different terminal, waits for the game to start, and then we can quickly get the challenges. And then you have to say again, no, no, that's not how it works; we just have a local setup right now, we actually have to do all that stuff again when we have the real game, which we are about to receive in just a couple of minutes. I'm just highlighting that because I think it shows that these things are complex and not everybody always has all the information, and maybe the rules are not so clear and maybe people get confused and so forth. All of this stuff happens; we are not some five-head mega-IQ people that are more intelligent than everybody else. We constantly have, I guess, dumb ideas, if you want to call them like that, but I think that is crucial to being creative and being good in hacking and IT security: to just have these, you know, weird strategy thoughts or so, and they might be dumb, they might be the wrong direction, but it doesn't matter, it's very, very important to keep thinking about what we could do, what would improve our way of solving it. But I have a question for you, if you are still watching this video here: you have seen now basically our whole setup and our preparation phase and we are just about to enter the actual race. How do you feel about our setup? Do you think we are well prepared? Do you think we should have done something else that we didn't do? So yeah, let me know, if you're at this point, what you think, how you feel about this. Do you think this was incredible what we did, or do you think it's like, no, it's actually relatable, understandable, doesn't look
anything fancy and crazy, it's just regular teamwork, I guess. Yeah, let me know. Just a minute ago or so Google also informed us that the game will be ready in about two minutes, and we are getting ready now to prepare the game. So Thomas again is verifying, hey, I just have to change the proxy IP to the real IP, right? And then management, who actually wrote the proxy, said yes, that's exactly the only thing you need to do; just making sure the game plan is on point. Also around this time benno joined us. benno is a real hard hitter for the ALLES CTF team; benno is so smart and so good at CTF challenges and solving them, and he hasn't been part of the CTF until now, and he just joined the voice chat, so of course we also don't have a recording of his screen. But you know him also, for example, from traveling to the Real World CTF; he was part of the team I traveled to China with. He's incredibly good, really crazy dude, so everybody was really excited to hear that benno joined the voice chat. Now about this time we got a false alert. allah was constantly checking the server and port that we were given, to see if the game is now available, and he was saying, oh, it's up, it's up, but then it was a false alert. For some reason, somehow, the server responded with something, we have no clue what exactly happened, but the server triggered a file download when he went to that URL, but when Thomas then went on there again, you can see that that port is still not available and reachable. So it was a fluke, we don't know, but we were also wondering if Google implements some kind of IP whitelisting, and that's why they wanted us to try to access this one IP first, and maybe they collected all the IPs and now they whitelist them. And now everybody was worrying, oh, what if they whitelisted allah's IP, because he was the person last accessing it, and that would then be a problem, because Thomas is the one that actually needs to
have access to the IP. But yeah, they also then confirmed again on Discord that it will open soon, like it could happen now basically any time. In the meantime also somebody was again asking about the invisible tower and if somebody has mapped out the routes, but localo was saying, oh no, I didn't do this yet, because we were waiting for the actual game or something, I don't know exactly what the problem was. But then toby said, oh, I'm actually sitting in the editor and mapping out the route for the invisible tower, I'm about halfway up, but now I have issues, the route seems broken, the auto jump is not working anymore, so I don't know what the problem is, but I have issues now. And then localo said, oh no worries, save the route (which I mentioned earlier, you can save this route as a JSON file and send it to somebody else), so he said, please save it, send it over, I will fix it, because localo was the one building the editor and he probably has a better idea how to resolve any issues and finish the route for the invisible tower. Okay, now we are actually less than a minute away from the game, so let's actually go to Thomas's screen, because in just a moment he will see that the game server is up. You see him refreshing the browser, waiting basically any second for the game to come online. He's also opening a terminal, trying to use netcat to connect to the server and port, maybe the browser has an issue or something, but yeah, it also doesn't seem to be working with netcat right away. And then, without him realizing, of course, the browser in the background keeps refreshing the page, and there it is: the game is live now. We are connected to the server that Google is hosting for us, and it has now all the flags and everything involved, and we are logged in, the timer starts, just seconds in, and we are seeing now Thomas's first steps to get this game up and running with all the hacks. Now the first thing that Thomas is doing: he's using a plugin called Resources Saver, and it
allows you to one-click download all the files that this server is using. Again, we didn't get these files: we already got the client and server, but these are now the files that the actual real server uses, and you know, there could be some differences between the files we previously received and now the actual live files. So he downloads them and then he opens them on a second screen, so it's not really visible what he's doing. And the second thing he's doing, in just a moment, is he will open the JavaScript console in the browser, and then he traverses the objects, where he basically wants to output the map that is loaded here. The map is a JSON structure, and he knows that there is a function he can call to get the actual map file; he knows this because he has been reading the game file sources for the past week, and so he knows exactly what he has to call to extract that. And he copies out that map into a new file that he will then also add to a git repository so it can be shared later. The next few steps that he will be doing is basically just getting the local client running again, because we want to be able to modify these files; that's why they are put into the git repository. So he will soon serve all the files from localhost instead of loading the files from the remote server. By loading the files from localhost we can then apply all the hacks and the patches and so forth, and then, you know, proceed with the game. So that's basically what he's working on. But before we check back with him I want to quickly switch to my screen, because I have started to map out the control inputs for the door challenge. I didn't really know what I could do in the meantime; you know, I did document all the controls that are necessary to open the doors, but I also thought I could maybe save some time if I already prepared the route that would walk to each of the correct controls and press the door buttons. In the beginning I didn't really know what button is necessary to toggle those
controls, so my first version was to simply wait and let the player then press the correct button at the correct moment, but then I also eventually figured out that you need to press down to activate the door toggle, so I also implemented it in a route. But basically that was my task, because at this point otherwise I would be idle and wouldn't really be doing much of anything, and I figured that could help us: if that is solved, then later he can just load the route, activate all the doors, and we are golden there. Now we can also switch back to Thomas really quick again, and you can see now in the URL of the game that he is accessing the game from localhost and using this websocket GET parameter to point to the proxy. But you can already see something is not working yet: the game doesn't load, the time doesn't start, something is broken. There are also some errors in the websocket proxy, but it's unclear to me, because I'm not familiar with the websocket proxy, if those are actually expected errors or if they are problematic, I don't know. Also we split up in different rooms again, so I don't know the conversation that was going on during this time, because somehow this web proxy didn't work anymore, even though it worked for the test client before, and you know, I think they start to realize that something is wrong and they start to debug and try to figure out what is wrong with the websocket proxy. Now I'm still kind of debugging my route that I created, because I want to play it and see if it works like what I intended to implement; somehow the editor is broken for me and I can't really test it. So I've had issues with that, and I ask people on the Discord again how exactly the editor works, how I can execute the route that I have, and I'm showcasing it as well. You know, Discord has the "stream your current window" feature, so I streamed my interface too and showed them what actions I'm doing, and showing that somehow the editor is not working for me and
it's broken. And yeah, you can also still see Thomas struggling with the websocket proxy; the game just wouldn't run using the websocket proxy. Basically we have still not actually played the game at this point. We are still standing at the start of the game, didn't move around at all, nothing.

Now see what Thomas is doing: he is taking the original IP instead of the localhost proxy IP, and now the game actually loads. So the game client is currently modified in a way that it takes the websocket GET parameter and uses that as the server to connect to. Typically you want to point it to your localhost websocket proxy, which then connects to the real server, but because the websocket proxy is not working right now, you can specify the original server here and then the game still works. So this also shows that it's not the client that is broken; there's definitely something wrong with the websocket proxy itself. And also, unfortunately, you can see that we are already like five minutes into the game and we have not moved away from the spawn area. We are still standing in the spawn area, we have not tried to solve any of the challenges or get any of the challenge descriptions or so forth. We are still stuck in the entrance because we are still trying to figure out the websocket proxy.

While I'm still struggling with the editor and showing it to other people, Thomas is actually loading a route for the first key, the red key. So let's have a look at how this works. He selects a JSON file, which loads a route, and you can see here these red dots: those are the nodes in this route, and they are going all the way to the top. I think this is not quite the route he wanted to select in this case. So yeah, it was the wrong route, and Thomas now wants to load the correct route instead. You can see here now the red points for the nodes go to the left, so this looks more correct. Now he executes it and the character is walking; he even activates the speed hack and walks over, but unfortunately
the pickup of the key failed, so he has to stop the execution of the route, and now he has to do it by hand after all. So the pre-programmed route that we had prepared wasn't helpful at all, but now, seeing how he struggles here with jumping, maybe it would have been good to load the route again and restart it. So he now has to go up to the left. But where are you going? That's the wrong way, you need to go to the left. Okay, so this looks better. You can also again obviously see the green lines which separate the respawn regions; here you can basically see the overlay. Then he's also handing in the key to open the door, but then he is choosing to go the other route, to the right, up to the control inputs, which is where I started to prepare the routes. I don't remember if this is actually where we then solved those control inputs already; I felt like that was a bit later. So let's see what's happening here.

He reaches the top and he goes for the purple key, actually. The purple key is obviously required for another door for a challenge, and that door can be found when you walk through the passage that was opened by the red key. This is actually important, because this is direct access to one of the challenges, and of course we want to have a challenge that we can start solving. And down here is the door; he opens it, and here's the terminal. The challenge is located at this URL here, so of course the URL is immediately sent over to Discord so people can start solving it. This turns out to be a web challenge, actually a PHP web challenge, and here you can see me obviously jumping onto this challenge right away, getting Burp ready, opening the browser, going to that site and starting to investigate. bennofs was also immediately on it, and as I mentioned before, bennofs is a really hard hitter for us. He can see a directory listing and already some files, and is just exploring everything. Here on flo's screen you can see that the source code of this
PHP script is also immediately exposed. So it's a typical web security challenge where the source code is there and there must be some kind of intricate trick to exploit this challenge. So let's see if we can catch the different strategies of the different players here. I also know that bennofs is obviously working on it, who is not here on stream, so I'm not actually sure who figured out the bug immediately. But if you look at the code, it's actually pretty clear, because you always just have to look at what you control, and you obviously control the POST parameters, which are passed into this function create_function. That's obviously an interesting function, but the function that is created from this call is not executed. So somehow you have to pass some malicious input into create_function that, for whatever reason, maybe leads to actual code execution, or maybe to some error messages that could then leak the content of the flag.php file or so forth. We don't know exactly yet what's possible with create_function, but it's very easy to google for, because this looks like a very basic thing that should maybe already be covered in some write-ups or on Stack Exchange or something. So yeah, we also google for that, of course.

If we have a quick look at flo's screen, I was curious to see that he uses a very different tool to play around with HTTP requests. My go-to tool is Burp Suite, but flo is using some different tool that I don't even know, but I guess it's usable. At this moment we are still just talking about this challenge and that it seems kind of straightforward: yes, the function that is created is not called, but you can immediately find some write-ups on how this create_function function behaves and what its oddities are, so it's not a big deal. Also, of course, we are starting to use our CTF pad with our shared notepads to document this challenge and our progress. So let's maybe have a look at Ivan's screen, who
will be looking at our wiki. Let's see what's already documented here. The first link is a link to the official PHP documentation about the create_function function, and the second link points to the security Stack Exchange; you can see the title, it's "PHP command injection in their create_function function", and it's like an eval. You can already see you can find a lot of information about it online. Then of course somebody also documented the source code of the challenge here, just so that everything is in one place and properly documented and so we don't forget anything. At the bottom you can also see a first analysis, so to say: you see that the string "$flag" is the arguments and the POST parameter c is the actual code, and below it there's a potential strategy, that we maybe have to find code which errors and prints the flag without it being executed. But then somebody also finds a German write-up here, as it seems, so let me translate really quick: it says this function internally calls eval, and so this function is basically the same as if you would call eval directly. But apparently it also depends on the PHP version, so we were also not sure if it would even work or if there are other tricks involved.

Oh, also, as you know, management's screen is broken, but in this moment the main stream that we are streaming to Google actually switched over to management's screen, so welcome back, management, your screen was dearly missed. It looks like he is also looking into the web challenge a little bit, which I'm actually a bit wondering about, because he should be fixing the proxy. As you can see, Thomas is still struggling and debugging stuff; there are a lot of errors going around, the game is not really working right now. Our collaborative tool, where the view is synced and where you can see the player and the terminal outputs and all that stuff, the cool amazing collaboration web app that was built, is not
working yet, so I'm a bit curious about that. Unfortunately, in the next few minutes not so much will be happening, at least on the screens that you can see right now. To be honest, I have no damn clue what I'm clicking around on. I did not work on the CTF web challenge, because a lot of other people were already working on it, so I guess I figured there's something else I could do with my time that would be better. Not sure. You can see Ivan is working on the web challenge; he's looking at the PHP documentation right now. Thomas and flo are both apparently debugging and trying to get the proxy set up and working. I also know that management, allah and bennofs are also working on the web challenge, so yeah, they are on a good track. I mean, they will definitely solve this; it will just be a matter of a couple of minutes to figure out the small details of that code injection vulnerability. You have already seen that we easily find some documentation online about this, that this should be easily possible. So the challenges in the CTF are not hard, because we only have 90 minutes; they were not designed to be big show stoppers, they were designed to be a bit fun, with a little bit of hacking around, researching some stuff maybe, but nothing hard. All of these should be very, very simple because of the limited time.

Because I have the wiki open with the doors and the door toggles, I do think I'm just thinking about how I could maybe improve on the in-game challenge with all the control inputs. You can see I've just been researching around for solutions. I also know allah and bennofs are talking about that command injection that you can do, like closing brackets and I don't know what not. I can show you later what the solution exactly was that we apparently used. Oh, by the way, MSLC (More Smoked Leet Chicken) and pasten already solved one challenge. I don't know which challenge it was, but here was the announcement on Discord. But it's also
not really a problem, right? We still have enough time; we are just roughly 10 minutes in or so, so we still have a good chance, no problem. I have also pretty much finished my route planning and everything for the control inputs, and so I asked what the best way is to share it with Thomas later, and they said just put it into the repository, he can then open the route. Here you can see me trying to use the Sublime Merge git client. I really love the Sublime editor, and when I saw that they have a cool new Merge git client in the Sublime style, I thought, oh my gosh, that's an awesome client, so let's check that out. That should be easy, I know git, I mean, if I have an interface with buttons I should easily be able to navigate this git repository. And not gonna lie, I think it took me like five minutes trying to figure out how I can commit and then push my changes before I just used the old GitHub client. How can I not get this client? I don't understand.

Now we enter a period of time where we don't really see much on the screens here. As you can see, Thomas is apparently still struggling with the websocket servers, still putting a lot of time into that. I know others are working on the web challenge and make small progress and share their stuff. I think I'm still struggling with git at this point, but soon I will just switch to the official GitHub client. Again, a good example of how even the dumbest stuff can stop somebody who seems to be experienced with IT stuff. Okay, this is dumb stuff that happens all the time, and I hope throughout this whole two-hour video, or whatever, you've realized that there's not a lot of magic actually happening here. To be honest, I have no clue what localo is up to or what CherryWorm is up to; they have been sitting idle on these screens for a long time, so no clue what's up there. I think localo is using a VM, so he might be doing a lot of work and stuff on his host machine but not on his Windows
machine. Also, I think at this point we start to slowly accept that the websocket proxy is broken and can't be fixed. I don't know the details of what ultimately led to the decision to stop investing time into that, but you will see Thomas now slowly switching over again to the actual server and just starting to play the game a little bit more.

Now two things will be happening. You can see that Thomas up here is preparing the game again, because we realized maybe we should play a bit more, and I think he knows that I said I have my route almost ready, or ready, for the control input challenge, which is in the top area. So I think he's preparing to walk over there now, which takes a little bit. Now, with the route that I created, the thing is that I didn't know how to actually activate the controls at first, because I wasn't able to walk there at the start; I was just making the route, and so I made the route with a wait operation which waits at each control input for four seconds, which is then enough time for Thomas to press the correct key. But because literally nothing was progressing and we weren't really playing the game, I figured I guess I have the time to redo the route now, because I also walked up there and was able to see that pressing down actually executes the control input, the switch toggle. Then I could create a new route that just presses down on the correct one, which would obviously also make it a little bit easier. So here you can see me loading the route that I previously created, again the JSON file, and now you can see the nodes, and basically now I change every node: instead of just walking to the right, I press down and right. So the arrow to the bottom right means I'm pressing the down button and the right button to keep walking to the right, which essentially results in pressing down when you reach that one computer. Here you can also see the bugs I had
with the editor. For whatever reason, in my client the editor wasn't working properly and it would have these glitches, as you could see, where the map is not correctly moving anymore. No clue why this happened; the others were also very confused, but it doesn't matter much. The only problem was I couldn't really test my route, but I mean, the route editor is really great, so I was confident that it would work.

Parallel to me doing all that, something else very important happened to Thomas: he actually loaded a route somebody else prepared that jumps through all these annoying jumps in this area where the control inputs also are, and he gets all the way up to one of the terminals, where he gets another terminal. So now we have another out-of-game challenge that we can start working on. Okay, so now back to our actual progress. Of course this challenge was immediately shared in Discord in our team as well, and I think flo has the challenge open here. The file was a .vim file, so this was like a Vim plugin or something, and I think it was some kind of crypto-related thing, just a little cipher implemented in ugly Vim plugin code. I did not work on this challenge, because as you can see I'm just finishing up the new route with the button-down presses, which in just a moment I will save and then hand over to Thomas to execute those door toggles. We haven't actually seen much from CherryWorm the past half hour or so, and he is now also looking at the Vim challenge. So both flo and Nico just get a quick overview of the challenge, and you can also see that they start researching: flo, for example, is just searching on Google how to execute Vim stuff, and CherryWorm will also in just a moment start researching about it. You can see they are both extremely, extremely good CTF players and still they google seemingly easy questions. The biggest talent or skill CTF players have is being able to research new topics and quickly getting
into it. We are now 20 minutes into the CTF and something crazy happened. Check this out: this is the Discord channel where all our four teams are in and where their points are announced, and you can see Gynvael announcing that pasten suddenly has four solves. We haven't even reached the 20-minute mark for the challenges. We were a little bit shocked, because we were still at zero, but at least we also have some progress now: we should soon be solving the web challenge, we are a bit slow with that; we also got the other challenge; and the in-game challenge with the control inputs should also basically be done at any moment. So we are on a good path as well. And then check this out: just a moment later, spq updated that MSLC scored a point, and just a moment later pasten has another solve, with five. Oh man. But in the meantime my route is basically almost ready and we could soon solve the control inputs all the way at the top, which then opens the doors that are just on the left side of this area, you can see here on the left. So still good, right? But in the meantime, with not even really any time in between, look at the update: another solve by pasten. Can this be real?

But good news, because we also finally have the flag for the web challenge now. But I believe the flag has to be handed in where the purple door was opened, which is in a completely different area, so we can't hand it in right now, and I believe to get out of this area here we would have to do crazy jumps up. Anyway, it's not really the ideal thing to do right now, but we were obviously talking about the different options we have: should we hand in that flag, or whatever, what's going on, what should we be doing now?

Here's also the solution that bennofs shared. So I believe bennofs was the person that ultimately was able to solve it. I remember allah succeeded in getting a phpinfo output, and then I guess bennofs really pulled it
off and leaked the flag. Here's the POST request, and you can see the POST request simply sets the code to "return -1" and then a var_dump in the multiplication. I have no clue why that is, to be honest; this is very weird, why it would be this kind of string beforehand. But then he's closing this function, then reading the flag.php file and outputting it with echo. So I don't really know why this return -1 var_dump is necessary, I don't get it. This kind of looks like it would be triggering an error, and so I wonder if the trick here is to trigger an error, but really, I don't know. So if you are curious how this works, you should probably research the create_function function a bit more, and typical exploits, and how you can get actual code execution with it.

Now, we were just about to run the route to solve the input door toggles when we saw this on Discord: pasten has seven solves and finished the game in just a bit over 20 minutes. Absolutely insane. Well, what a shock. This is not what we expected, that pasten would just run through this and solve it in 20 minutes, which we thought was insane because we knew the preparations that were necessary and so forth, and we did not expect that any team would be so fast with it, which also made us question our general strategy a bit. But anyway, here is my route, my beautiful route that I created, and Thomas is just executing it. You can see the character just walking to every spot, pressing down, activating it, and I'm just praying that I didn't make a mistake and that it indeed opened all the doors, because if that's not the case, then we have to go all the way back and figure out the correct door, and that would be crazy.

So in the meantime let's look at what Ivan is up to, because he started to look into the Vim challenge. As you can see, he is simply executing vim, going into the editor and then calling :source, loading that Vim script file, and it just shows that output,
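The create_function() weakness the team is poking at in the web challenge (the code string from the POST parameter c gets compiled even though the resulting function is never called, because create_function() is an eval internally) can be shown in a few lines. The following is an added example, not the challenge's source and not the team's payload: the handler is reconstructed from the description above ("$flag" as the argument list, c as the body), the flag value and the noop function name are placeholders, and it targets PHP 7.4, where create_function() still exists but already emits a deprecation notice (it was removed in PHP 8.0).

```php
<?php
// Added example (not the challenge's code). Shows why a user-controlled body
// handed to create_function() runs even when the returned function is never
// called, and a hardened replacement that never compiles user input.
// Tested mentally against PHP 7.4: create_function() is deprecated there and
// gone in 8.0, which is the first fix any modern codebase gets for free.

// --- Vulnerable pattern as described in the video (reconstructed) -------
function vulnerable_handler(string $user_code): void
{
    $flag = 'FLAG{placeholder}'; // placeholder, not a real flag

    // create_function() builds the source
    //     function __lambda_func($flag){ <body> \n}
    // and passes it to eval() right here. A body that closes the brace
    // early therefore executes at *definition* time; that the caller
    // never invokes $fn does not matter.
    $fn = create_function('$flag', $user_code);

    // $fn intentionally unused: this is the assumption the challenge relied on.
    unset($fn);
}

// Harmless demonstration body: it ends the generated function early, prints a
// marker, and opens a throwaway function so the trailing "}" added by
// create_function() still parses. Only the marker is printed.
$demo = 'return 1; } echo "body ran inside create_function()\n"; '
      . 'function noop_' . uniqid() . '() {';
vulnerable_handler($demo);

// --- Hardened form: dispatch on an allowlist of fixed closures -----------
// User input selects an operation by name; it never reaches eval(),
// create_function(), preg_replace("/e"), or any other compile-time path.
function hardened_handler(string $op, int $x, int $y): int
{
    $allowed = [
        'add' => fn(int $a, int $b): int => $a + $b,
        'mul' => fn(int $a, int $b): int => $a * $b,
    ];
    if (!array_key_exists($op, $allowed)) {
        throw new InvalidArgumentException('unsupported operation');
    }
    return $allowed[$op]($x, $y);
}

echo hardened_handler('mul', 6, 7), "\n";   // 42
try {
    hardened_handler('return 1; }', 1, 2);   // rejected, nothing compiled
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php`: the marker line appears while vulnerable_handler() is still inside the create_function() call, before any function is invoked, which is exactly why "the function is never called" is not a safety argument. The defensive takeaway is the second half: map request parameters onto a closed set of closures (or a switch), and treat any create_function()/eval() reachable from request data as a finding regardless of whether the result is used.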
so I guess he was also surprised and was thinking, oh, I don't know what to do, so he opened the .vim file itself. It doesn't seem like it could be executed with the command :source, but to be honest I don't really know what he's thinking, because I actually don't know how to approach a challenge like this. I've never had to encounter a Vim script like this; I don't know where I would start. I don't even understand what the goal here could be, like, how can you pass some input into this? I don't know. For me, I'm completely lost with something like this, and maybe Ivan is too, I don't know.

Now we are entering a period again where not much is happening. I think flo is still working on the web proxy right now, I guess also because he doesn't know what else to do; maybe he can fix it. He seems to change some code and then run it again, but yeah, still not working. And then if you look at Thomas, he keeps trying to jump up these platforms. He wants to either get to the terminal or, I guess, to the portal to get out of this area, and he does this by hand. I have no clue why; I don't know if there's just no route available for this section or what the reason is, but he keeps trying by hand and keeps falling. If you look at my screen, I am also not doing anything. I'm basically just waiting, hoping that my door thing worked, because I'm not really capable of helping with that Vim challenge, or let's say I've never done it; I would need to research so much already that it's probably better in this race to let some other people who might have a bit more of a clue take the lead here. You can also still see Ivan staring at the Vim code, and I know from the Discord conversations around this time that localo, who is unfortunately not streaming his screen, is apparently trying out the Vim challenge, and so is Nico, CherryWorm, in the bottom right corner. They are asking around if somebody has experience with Vim, and they ask for example flo,
because flo is a crazy CTF player, and he responded that maybe a printf at just the correct point in the script might be enough, but I'm not sure if he also looked at it as well. Just a moment ago Thomas reached that portal and traveled back basically to the spawn, so now he's on his route to hand in the web challenge flag, which is all the way after this passage, just up here. So let's go through the tunnels. This is a little bit the issue with the commentary: there are just some passages that always take time, and now it's a game, we can't hand it in quickly, we need to walk the walk, it's not that simple. So let's walk over to the terminal and hand in the flag. Come on, Thomas, hand in the flag. Just remember, if our collaborative tool had worked, then the flag would have been auto-submitted as soon as he reached the terminal, but unfortunately it's not working, and that's why we have to wait for Thomas's slow copy and paste. You can see here now there's one green orb lighting up, meaning ALLES has solved a challenge.

Now Thomas readjusted the map on the left to know where the doors are, and all the doors are open. I didn't screw it up, and here is the flag for this in-game challenge. Woohoo, I contributed something, I'm not useless, I did something. So let's go and hand it in, and to hand in the flag we just have to walk all the way out here, and there's a terminal right there where we can hand in the flag. ALLES solved a second challenge. Now, just in case you are wondering how this works: because we did get the client and server, right, you could assume that maybe we should already have these flags in the files that we got, but of course this is something that a server can check, and the server we got did not include the real flags, so we were only able to get them here with the real server.

Now we want to progress a bit further in the game, so to the left. Now you can see a key receptacle again and a door, which means we need a key for the door, and that key is here on the
right. So it's very simple; now you just have to pick up the correct color. Let's hope you're not color-blind. And with that key we can then go again to the left and open that door. So now it's a question: do we need that other key, or should we move up? I think now we were asking again and talking, hey, should we grab that green key as well, is that required, or is it the yellow key? I have a little bit of an issue with colors; that's hard for me to tell. Oh no, actually Thomas loaded a route to jump up this pathway here, so he doesn't have to do it by himself. So here you can see the awesome pathing tool again. You are dead. Oh, this was again another teleport-spawning kill-yourself trick; somebody really invested into that route. It's still going. Isn't this awesome? And here's, I guess, another respawn trick to teleport somewhere else again. Everything was pre-loaded as a route. It's still going, wow.

Now you are probably curious what all the other people are working on here, so let's quickly check on the others while Thomas is still traversing the map and reaching some of the other places. But it still looks the same: I'm still doing nothing, because I can now chill since I contributed to one challenge, just kidding, I just had a hard time knowing what to do. Also around this time flo kind of gave up, or was done with whatever he was doing, and so he joined the Vim faction again, trying to help solve the Vim challenge. But let's quickly switch over to Thomas, because he reached another terminal, which just gives you another in-game flag, but of course we still need to hand it in somewhere. So where do we have to hand it in? Maybe you can also imagine that getting the flag is not necessarily a challenge, but handing it in could be the challenge, and I think to hand in the challenge we have to get up onto this tower with these basically invisible collisions. It's kind of clever, right, that getting the flag is not the challenge but handing in the flag is the challenge?
I never thought about this; this is probably very unique to this CTF here. Interesting. And there's also a route for it, so Thomas will also load the route for the blue tower, and you can see here now the nodes being loaded, and then he can of course execute that route and let it solve this and jump up. But Thomas is greedy: he will activate the speed hack, which breaks the auto-jumping route feature, so he has to do it again. Sometimes the speed hack breaks stuff; I don't think we know why that exactly is, but yeah, it can happen. Let's see, hopefully it works now. Oh, I think the bug was not necessarily with the speed feature, but maybe there's some inaccuracy with the route itself. It seems like the route is broken at this particular point up there, so I guess we need to jump up to that point where it works and then make sure to stop the execution and do that step by hand or something.

While Thomas is still struggling with this tower, let's have a look at all the others again, and again not much to see here. But just to catch you up again: the only thing that is missing right now is that Vim challenge, and generally just traversing the game and getting into different areas. So these are basically the two things that people can keep working on, and so maybe let's have a quick look at flo's screen here, who should be working on the Vim challenge as well, and see a little bit about his approach. Of course he's also googling around and found a Stack Exchange article with some commands, so let's see what he will be doing with that. But before we go there, we just quickly need to check in on Thomas again, because he's about to hand in the flag for the jumping-up-the-tower challenge, and so here it is: ALLES solved another challenge.

Now let's quickly switch back to flo. The Stack Exchange article was a question about how to execute Vim scripts in a non-interactive mode, so he tries to call vim -s with that script, but for whatever reason it didn't seem to work; the output
was still the same. I think, similarly to Ivan trying to execute it, it just didn't seem to do anything. You can see flo now checking his Vim version; I think he wants to make sure if he actually has a vim that supports this -s option, or if he has some weird other Vim version, or maybe it's some link to vi or something. I don't know what he's thinking right now, but at least it's not what he expected would happen.

But now let's quickly switch over to Thomas again, because he's executing the kill-yourself spawn trick again. He's falling down and killing himself at the right moment to get into this otherwise inaccessible area, and in there are quite a few terminals and flag consoles, so let's see what they show us. Okay, so that's a flag input. So what's the other thing? Okay, this is a terminal that gives us another challenge, and this looks like some Python code, so very quickly Thomas copies that code into Discord so somebody else can start working on it. This looks really like some math or crypto [ __ ], so really also not my domain. And in this other terminal there's another flag; basically this trick to spawn in here was the challenge, and Thomas solved the challenge. There is also a portal in here to get out, but unfortunately it's not possible, because the flag he received here is not the flag for this flag input, which means he can't activate this portal. We are stuck now. I believe we need to solve this Python challenge to be able to get out of here; either that is the flag, or the Vim challenge flag, I don't know which one it was, but we are stuck now.

So this Python challenge is basically a math challenge. I think it's just basically some math calculations, but I've been out of university for a while, so this level of math is now a little bit over my head. But there are some others who are in school right now, I believe, or at least maybe early university or so; they are obviously way better with that. And flo, I think, is still
working on some more of the Vim stuff, researching a bit more and still trying to figure that one out. So here he is reading the Vim man page, just trying to figure out how exactly it could work, and then he opens it again and then he's playing around with certain Vim commands and seeing what happens. He will also start creating some debug output, like an echo "hi", because I think he still has trouble executing this Vim script, and maybe with an echo it helps to see if it actually prints "hi". But it still looks like it's not really working. So again, this is typical CTF stuff, very frustrating: it's a new technology, he apparently also never had used this before, or at least not on this deep level, so there's just a lot of struggle and experimenting needed.

But let's also switch over to Nico now, because he already announced that he will start working on the math challenge, or let's say he will solve the math challenge, because apparently he immediately knows what he has to do. So many smart people. So here you just saw him looking up the NumPy documentation about a function that is used in that script. Now he wants to make a calculation on that big list of numbers that you saw, which actually is obviously not a list, it's a matrix of numbers. So he wants to get this matrix into Wolfram Alpha so he can then perform calculations with that matrix easily. Wolfram Alpha is a great tool if you need to do some math stuff, so he's not using NumPy or Sage or something like this directly right now; he's simply going forward with Wolfram Alpha. But he seems to have to fix some of this matrix definition, because Wolfram Alpha didn't interpret this format as a matrix. Look, in a CTF write-up or so, this step would just be skipped; there would just be one sentence saying "and then you have to change the form into the format that Wolfram Alpha accepts", but you don't realize that this stuff just takes time and then doesn't work. But the point here is, it's not that he
struggles a little bit with Wolfram Alpha; he just struggles to use the tool a little bit. But using tools, you can figure out, you can always read documentation and all that stuff, that's not the issue. The important thing is that he actually has a plan and knows what to do, so it's easy. He just installs NumPy directly now and then uses the actual Python line, except that in this moment allah wrote on Discord that he has a solution; this just has to be transformed into ASCII. In this moment Nico also switched over to CyberChef; he tries to quickly convert these numbers into ASCII with CyberChef, but this kind of fails. Then he goes over into Python and wants to copy and paste this matrix into Python to then quickly write a loop over the stuff, but then the copy and paste failed and screwed up, so that's annoying. But also Ivan just solved it himself: he just modified his code a little bit to convert these numbers as well, then he executes it and gets the flag. So he sends the flag over on Discord, and then Thomas can hand it in, and this will open up the teleporter right next to it, and we can continue.

Now, before we continue, I just want to show you the Discord of the challenge with the other teams here, because you can see us rocking those flags. We are up to four flags now, and you can see we have just been handing them in, handing them in, and no other team in between, and we are just about to hand in the next flag. Now Thomas is loading a route here, because even though the jump is fairly simple, the timing is a little bit tricky: at the right moment you have to keep falling to the left and falling straight down and so forth, because you need to land very precisely here, and there it is. So here is another flag input where we can hand in one of the flags. This is actually the flag from the locked-in area, which was basically just to the right from here, and there we go, five flags solved. Now there are two more to go, so where do we need to go next?
this is a little bit here though the question with routing just keep in mind that we are still missing the flag for the bim challenge i think we still haven't solved it yet now comes another phase of a little bit of down time there's not much happening here on the screens as you can see flow has still opened the wim challenge and is experimenting around with it i guess trying to solve it not exactly sure what he is thinking or where he is at right now but you know he's working on that i have no clue what i'm doing probably i'm procrastinating as i always do and then thomas and some others are working on where to go next it's it's a pretty long walk so it will take a little bit i think it also looks like ivan might also still working on the wim challenge if i see that correctly and yeah i guess let's have a look at what floor and ivan are doing so it looks like flo is still playing around with the script and you can see he did some changes to it with like echoes and ivan also seems to just kind of like stare at it now you remember we do have a wiki where we are sharing progress so flow seems to be stuck and it's now going into one of the pads seeing if there is any progress but it doesn't look like it doesn't seem like anybody made like progress or at least nobody really documented it i also know that none of those two will solve the challenge it will actually be benovs who unfortunately is not streaming so unfortunately like we don't see like how they solve it here now thomas reaches like a tower where he needs to jump and he's looking up if he has a route for it but i think they realize they don't have a route for it but it's also not a complicated tower so he decides to jump it by hand ivan is researching a bit more about the vim challenge flow is also staring at it and me i'm just staring at the map i guess really have nothing to do cherry bomb still has like cyber chef open from earlier which also means i guess he's not really doing much anything right here but 
let's look at tomas again because he reaches now the top of the tower so this will again take a little bit just traversing this tower here just in case you forgot the red overlay you can see here is the collision map which is one of our hacks of course and you can also see here too portals that would be go down but they are inactive right now and now he needs to traverse this area up here which is a little bit like it's not really a labyrinth but it's better to have obviously a map like on the left to figure out exactly where he needs to jump and how he needs to jump and the first thing is that he needs to go all the way to the left of this area because there's another terminal which means there's another challenge so it's just right up here needs to jump up and there we go so this is another challenge here and you can see a lot of binary output and if you look all the way at the start here binary data starts you see pk which is an indication that this is a zip file so somehow we need to get this binary data now out and i guess unzip this file or just like figure out what is up with the zip file so how can we get out this binary data ideally we would have now our collaborative tool that i showed you all the way in the beginning where you could like get the hex output and so forth that would be so easy and so comfortable to get that binary data out but we don't have it right now so thomas is looking now into the game source code again because i believe he looks up how he can access this binary output and he's looking here for code related to terminal so i assume there's maybe like a terminal or object also just a reminder again like i have not really looked into the game source code thomas was one of the people who was heavily involved in building the tools beforehand i have really not participated in the preparation phase when thomas now finds the code where you know terminal output is handled he will patch that code and add a console console.log and of course if 
then this is called again and the code reaches in here it would just print out the binary data in something that can be easily converted and dumped as a raw binary so here he is opening up the console and of course he also has to have refreshed the game that the new files are loaded and then he can interact with the terminal again and gets the hex output that represents the raw bytes so he simply has to copy that now into a script or something that simply converts this we don't see this because it's on the second screen but he will just then immediately send this file over discord to everybody else also in this moment benoff solves the wind challenge and he sends us the flag for it as you can see it was just basically a rod three so very very easy crypto if you can even call it crypto now thomas also briefly shows the zip file here on screen which turns out to contain an a dot out file which means this is a compiled binary most likely compiled with gcc also now of course a binary is something that i also can work with and you can see for example cherryworm opening ida immediately and i will be opening gitra in just a moment when i look at flow screen he's still looking at the wim challenge even though basically the wimp challenge got solved so i assume he saw the solution from benovs and wants to understand what the solution was which is a crucial part of ctf as well he has spent time trying to solve it wasn't able to do it and somebody else was faster and now looking at it seeing the solution comparing it that's important while thomas is picking up here a key for another area on the map to open up basically one of the last doors to access the controls we can have a look at cherry worm looking at the challenge in ida so here it is and with the power of f5 you can see here the decompiled source code which is just a bunch of sleeps and then it might look like that it could maybe print the flag at the end so you can't really execute it because the sleeps will take too 
long i guess so there should be multiple strategies to solve this now either you reverse engineer and look up like the print that shows then the flag i mean it has to be implemented in here or you patch the sleeves so that it doesn't take that long anymore you could also maybe fairly easily maybe do this with like an ld preload of sleep and then it would just run through those are the kind of ideas that immediately come to mind i know in discord that cherry worm is riding there are a lot of sleeps in just a moment later benovs already has a solution so i don't know exactly how van of solved it but you know it's it's a very basic binary it should be quick either way but benefits is just on another level so fast i barely have gydra opened jerry warm could barely press f5 to decompile and and banos already has the solution but now let's have a look at thomas screen he is the person playing the game and he has to now hand in the two last flags that we already have we have the flag out of the zip file which was the binary and we also have the flag from the wim challenge all we have to do now is run to the terminals head in the flag and then run to the exit of the game so we are all just anticipating the end we are like on a good run here as a reminder these are the flags that we have already handed in and compared to the other two teams we are doing actually really really well because we are now on the final stretch so here we reach one of the terminals and we hand in the flag from the zip file or the binary with the sleeps so let's go for the last flag we are really speedrunning at this point go go go go go unfortunately the sad thing is that paston already won our complete round which means we will not go into the final competition against the other three winning teams which really sucks because i feel like we really prepared really really well but somehow paston is just out of this world and it's just so good and yeah we just can't compete with that we were just so 
unlucky with our team picks i think we did finish fairly fast compared to all the other teams as well so i think if we were in the other group we had really really good chances that we would have won those rounds and of course if we could have gone into the finale which was a week later we would have had enough time to fix our proxy and then our tool would be there and then of course we would win anyway you can see uh the last terminal is super far away we are still running there oh man but it's just the last stretch it's kind of cool that we have to run through the whole map again just before the end now to reach that other terminal it's again in this annoying jumping place but there's a route for it so thomas can load here another round and let the character automatically jump and solve this jumping puzzle and there we go it never gets old to watch this automatic jumping tool it's so like precise it's like really as if it's like a world record speedrun or something and we are almost there just down there and here we can hand in the flag the last flag from the whim challenge and you can see we solved them all pretty much exactly 15 minutes into the game and now we just have to finish it and the finish was at the entrance of the game but to get there we need to get into the portal which is just like on the left here and thomas tries to jump from here now but no it's a bit too far and so now we have to jump all the way up there again and he decides to do this by hand because you know why not it's not like you could fall down and then waste more time or anything like that it's no problem because thomas is an experienced gamer and he will have no issues with this jump and run here i'm glad we picked the god gamer for playing this part almost there and then i can finally stop making this video you know this video took longer than i anticipated oh my god he screwed it up oh my god you know making this video here took way longer than i anticipated would take similar to 
how long thomas needs here to jump all the way up there again i thought it would be so easy to just take the recording from all of us and just add some commentary but when i started i realized i'm terrible at commentary and i constantly had to pause look what's happening think about what i could say and then record stuff and then edit all the like zoom ins and so forth and suddenly out of a video which i thought was a low effort easy video it took me like three or four times as much as for a regular video it was it's actually insane and i know already that almost nobody will watch this video so if you actually watch this video up until this point please please please write square bear into the comments anyway this time i hope he got it he needs to carefully jump down just right here and he reached it and now the entrance is just a few drops away almost there and we reach the spawn and the door is open and there we go match completed here's how the last flag and our completed game was announced on discord now i know what you want to hear you want to hear the incredibly explosion of excitement on our discord channel we finally solved everything so here it is nice yeah endless nice [Music] gigi [Music] fighter [Music] you
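The "LD_PRELOAD of sleep" idea mentioned for the a.out challenge with the many sleeps, as an added example that is not the team's or the CTF's own code: a shim that makes sleep, usleep and nanosleep return immediately while recording how much time was skipped, so the binary runs straight through to its final print. The file name nosleep.c and the nosleep_* helper names are assumptions.

```c
/* nosleep.c: LD_PRELOAD shim that turns the libc sleep family into no-ops
 * and logs how much wall-clock time each call would have cost.
 * Added example, not code from the ALLES! team or from the CTF itself.
 * Build:  gcc -shared -fPIC -o nosleep.so nosleep.c
 * Run:    LD_PRELOAD=./nosleep.so ./a.out   (a.out = the challenge binary)
 * Caveat: only works for a dynamically linked binary that calls sleep via
 * libc; a static binary or a raw syscall has to be patched instead. */
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* Running totals, so the analyst sees how long the binary wanted to stall. */
static unsigned long long skipped_ns;    /* nanoseconds of sleep suppressed */
static unsigned long      skipped_calls;

static void note_skip(const char *fn, unsigned long long ns)
{
    skipped_calls++;
    skipped_ns += ns;
    fprintf(stderr, "[nosleep] skipped %s(%llu.%03llu s)\n",
            fn, ns / 1000000000ULL, (ns % 1000000000ULL) / 1000000ULL);
}

/* Accessors for the totals (usable from an atexit hook or a test). */
unsigned long long nosleep_skipped_ns(void)    { return skipped_ns; }
unsigned long      nosleep_skipped_calls(void) { return skipped_calls; }

/* Each override keeps libc's prototype and return convention but never blocks. */
unsigned int sleep(unsigned int seconds)
{
    note_skip("sleep", (unsigned long long)seconds * 1000000000ULL);
    return 0;                              /* 0 means "slept the full time" */
}

int usleep(unsigned int usec)              /* useconds_t is unsigned int in glibc */
{
    note_skip("usleep", (unsigned long long)usec * 1000ULL);
    return 0;
}

int nanosleep(const struct timespec *req, struct timespec *rem)
{
    if (req == NULL)
        return -1;
    note_skip("nanosleep", (unsigned long long)req->tv_sec * 1000000000ULL
                           + (unsigned long long)req->tv_nsec);
    if (rem) { rem->tv_sec = 0; rem->tv_nsec = 0; }   /* nothing left to sleep */
    return 0;
}
```

The stderr log doubles as a quick check that the binary really reaches its sleeps through libc; if nothing is logged and it still stalls, the delay comes from somewhere the shim cannot see.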
Info
Channel: LiveOverflow
Views: 610,682
Rating: 4.9298329 out of 5
Keywords: Live Overflow, liveoverflow, hacking tutorial, how to hack, exploit tutorial, live ctf, live hacking, real hacking, reallife hacking, real time hacks, real-time, alles ctf, allesctf, google ctf, ctftime, ctf writeup, shoulder surfing, hackceler8, pasten, ghidra, ida, python, javascript, game hacking, game hacks, overlay
Id: DGuRI_SPZYg
Length: 151min 13sec (9073 seconds)
Published: Sat Nov 07 2020