Eduardo Vela (@sirdarckcat)
Followers 12K · Following 6K · Media 548 · Statuses 7K

not mad. mentally divergent. personal profile, opinions my own. everything I say is probably wrong. 🐘 @[email protected]

Zurich, Switzerland
Joined January 2008
Eduardo Vela (@sirdarckcat) · 18 days ago

That's it 😄 20/20 🧵.

I also gained some more scepticism about LLMs, and I think most players enjoyed the challenge up to the first unintended solution. I'll try to design a few more challenges and see how to model them so they are fun and have a better balance of frustration and satisfaction. 19/🧵.

Now, fortunately only one team discovered this afaik (and they noticed it near the end of the task), so it didn't spoil the challenge for other players. However, it could have been worse! I am in any case grateful I learnt something about bash (-:. 18/🧵.

The bug is just that you can inject a bash expression (which gives you command injection) on the HTTP_RANGE header because of its use when calculating size_val. While I can imagine an LLM making the same mistake, this was an organic hand-made artisanal bug. 17/🧵

However, at the very beginning of the task, I left a horrible terrible unintended solution that the FCM team noticed. I needed to let players interact with the Circo binary so I made a simple CGI script. I could have used Python, but I used bash (I know, I know). 16/🧵.

The bug left by ChatGPT made players miss a satisfying insight around building a weird machine out of a random circuit. The intended solution was fun and difficult. The unintended solution was just tedious. However, it only happened near the end of the task. 15/🧵.

But I don't want the message you get to be that LLMs suck and leave hard/impossible-to-find vulnerabilities to casual observation. Because I was responsible for a more egregious unintended solution. 14/🧵.

Most players that solved the task used an unintended solution left by ChatGPT when implementing AES in assembly 🫣. I didn't notice it, and didn't care too much because it "looked" right. Turns out it allowed key recovery due to how the key scheduling was done, lol. 13/🧵.

Anyway, the intended solution was (afaik nobody did this):
5. A (very? satisfying) a-ha! moment that K1/K2 allows you to build a CMAC collision.
6. A (obvious but tedious) task to use the "trash" block generated by the collision to read far out of bounds. 12/🧵.

Now, I must break here. While many players got this far, they then found a few different ways to solve the task from here on. One of the unintended solutions looks more fun than the intended solution, which involved an int16 int overflow. I hope to read a writeup about it! 11/🧵.

3. A (satisfying) a-ha! moment that the out of bounds can also be used to read "old" data from the stack after reversing the binary.
4. A (obvious but tedious) reverse engineering task of figuring out what's on the stack. 10/🧵.

So, the task was:
1. An (obvious but tedious) out of bounds through a Game of Life circuit (required coding, probably an ACM ICPC-style algorithms problem).
2. A (frustrating) realization that the out of bounds wasn't far enough to read the flag (now what!?). 9/🧵.

One important aspect of the exploratory tasks is to make the end goal clear, and the immediate next steps clear, but hard to figure out the whole problem before you solve all intermediate steps. What I was hoping was to give players multiple a-ha! moments (aka insight). 8/🧵.

I am actually very interested in puzzle design! I spent some time a few years ago working on a set of guidelines (linked below) which (I hoped) would help CTF authors write non-guessy challenges. So I decided to make an "exploratory"-style challenge (a collection of a few easy problems) 7/🧵.

Linked: docs.google.com, "CTF Design Guidelines for authors and organizers" https://bit.ly/ctf-design. The ideas collected here come from the feedback and ideas from niklasb and tsuro from ESPR, icchy from TokyoWesterns, fox...

CMAC works in such a way that if you can observe the intermediate state of the algorithm, you can also create collisions. While we didn't need that for EntrySign, I thought it would be a cool CTF challenge. So I made it a proper challenge. 6/🧵.

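The two CMAC observations in this thread (that a leaked intermediate chaining state lets you build collisions, and that knowing K1/K2 lets you craft a "trash" full block that collides with a short padded one) follow directly from the CBC-style structure in RFC 4493. The following is an added example written for this page; it is not code from the thread, the challenge, or the EntrySign work. It assumes a truncated SHA-256 keyed function (`toy_block`) standing in for the AES block cipher, since neither collision depends on AES itself, only on how CMAC chains blocks and masks the final one; every message, key and helper name here is constructed for the demonstration.

```python
import hashlib

BLOCK = 16  # block size in bytes, as for AES


def toy_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_K(block). ASSUMPTION: a truncated SHA-256 of key||block,
    not AES; the collisions below depend only on CMAC's chaining structure."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gf_double(b: bytes) -> bytes:
    """Multiply by x in GF(2^128) with the RFC 4493 reduction constant 0x87."""
    n = int.from_bytes(b, "big") << 1
    if n >> 128:
        n ^= 0x87
    return (n & ((1 << 128) - 1)).to_bytes(BLOCK, "big")


def subkeys_from_L(L: bytes):
    """K1 = 2*L, K2 = 4*L, where L = E_K(0^128)."""
    k1 = gf_double(L)
    return k1, gf_double(k1)


def pad(last: bytes) -> bytes:
    """10* padding of a final partial block."""
    return last + b"\x80" + bytes(BLOCK - len(last) - 1)


def cmac(key: bytes, msg: bytes, trace=None) -> bytes:
    """CMAC (RFC 4493 structure) over toy_block. If trace is a list, the
    chaining state after every non-final block is appended to it: that is the
    'intermediate state' which must never be observable."""
    k1, k2 = subkeys_from_L(toy_block(key, bytes(BLOCK)))
    n = max(1, (len(msg) + BLOCK - 1) // BLOCK)
    state = bytes(BLOCK)
    for i in range(n - 1):
        state = toy_block(key, xor(state, msg[i * BLOCK:(i + 1) * BLOCK]))
        if trace is not None:
            trace.append(state)
    last = msg[(n - 1) * BLOCK:]
    if msg and len(msg) % BLOCK == 0:
        last = xor(last, k1)          # complete final block, masked with K1
    else:
        last = xor(pad(last), k2)     # padded final block, masked with K2
    return toy_block(key, xor(state, last))


def leaky_oracle(key: bytes, msg: bytes):
    """Models a device that tags messages but exposes its chaining states."""
    trace = []
    return cmac(key, msg, trace), trace


def splice_collision(a: bytes, b: bytes, s_a1: bytes, s_b1: bytes) -> bytes:
    """Key-free forgery from two leaked states: F = a1 || (b2 ^ s_a1 ^ s_b1) || b3...
    F's state after block 2 is E(s_a1 ^ b2 ^ s_a1 ^ s_b1) = E(s_b1 ^ b2),
    which is B's state after block 2, so F and B end with the same tag."""
    return a[:BLOCK] + xor(b[BLOCK:2 * BLOCK], xor(s_a1, s_b1)) + b[2 * BLOCK:]


def padding_collision(prefix: bytes, short_tail: bytes, k1: bytes, k2: bytes):
    """With K1/K2 known, the 'trash' full block X = pad(P) ^ K1 ^ K2 gives
    prefix||X (complete, masked with K1) and prefix||P (padded, masked with K2)
    the same final block input, hence the same tag."""
    assert 0 < len(short_tail) < BLOCK and len(prefix) % BLOCK == 0
    trash = xor(pad(short_tail), xor(k1, k2))
    return prefix + trash, prefix + short_tail


def demo() -> dict:
    key = b"constructed-key!"          # constructed; the attacker never sees it
    a = bytes(range(48))               # constructed 3-block message A
    b = bytes(range(100, 148))         # constructed 3-block message B
    tag_a, trace_a = leaky_oracle(key, a)
    tag_b, trace_b = leaky_oracle(key, b)
    spliced = splice_collision(a, b, trace_a[0], trace_b[0])
    # L = E_K(0^128) is simply the state leaked after an all-zero first block,
    # so a leaky device also hands over K1 and K2.
    _, trace_zero = leaky_oracle(key, bytes(BLOCK) + b"x")
    k1, k2 = subkeys_from_L(trace_zero[0])
    full, short = padding_collision(b"P" * BLOCK, b"hello", k1, k2)
    return {
        "a": a, "b": b, "tag_a": tag_a, "tag_b": tag_b,
        "spliced": spliced, "spliced_tag": cmac(key, spliced),
        "full": full, "short": short,
        "full_tag": cmac(key, full), "short_tag": cmac(key, short),
    }
```

`demo()` returns both forgeries: `spliced` is a message the oracle never tagged yet carries B's tag, and `full`/`short` are two different messages with one tag, built only from subkeys derived from the leaked state of a zero block. Neither step ever touches the key, which is why an implementation that leaks its chaining state through a side channel (or a binary that leaves it readable, as in the challenge) has lost the MAC's unforgeability even though the key itself stays secret.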
Some time after that we discovered EntrySign. Or actually, we figured out how to extract the CMAC key from AMD CPUs (we already found out that it was CMAC because of AMD IBS). While we could get the key directly, another avenue we explored was reading some intermediate state 5/🧵.

I then was going to implement AES but given my impressive experience with RSA, I decided to ask ChatGPT to implement it for me. Why waste an hour when an LLM can do it better and faster? So I did. And it looked like it worked so I stopped working on it. 4/🧵.

I did it! It took me a long time and the code was awful. Haha, then I used an LLM to do the same task, and it did it super quickly and its code was a lot better than mine. I was very impressed, because this was the 3rd time I implemented modexp, and it was hard but not for AI 3/🧵