This is a relatively common pattern in CTF (and probably, other competitive activities). Being a top-level CTF competitor takes a big time investment, both in terms of maintaining your skills, and actually competing.
It's hard for an individual to maintain that level of commitment over time, especially if their personal responsibilities increase (getting a full-time job, starting a family, etc.). Responsibilities aside, people also just get bored and/or burnt out (after a point, most challenges are just variations on something you've seen before).
For a team to stay competitive over time, they either need enough members to fill the gaps, or a sustainable influx of new members.
In general, CTF problems are limited in the sense that they need to be solvable within the tournament time frame (usually 48h), and the process is also simpler: you don't have to be quiet, you grab the flag and that's it; no need to think beyond that point (i.e. no need to worry about backdooring, C2, hiding the traffic, lateral movement, detection, etc.).
Also, CTF problems might be super specific, to the extent of being unlikely to be encountered in the real world. The real world is a bit different: a lot of systems have the same old boring issues. On the flip side, when dealing with 0-days in stuff like modern browsers you are likely to exceed the level of complexity of even top CTF pwn challenges, mostly due to the aforementioned time constraint in CTFs.
That said, a lot of technical skills would be transferable between both areas. Regardless of which way one would switch, there would still be a decent amount of learning (e.g. learning the CTF metagame, learning to think beyond getting a shell).
CTF challenges typically do not involve zero days as their intended solution, due to time constraints. Often they will inject a vulnerability into e.g. Chromium by patching it in a way that might approximate a real bug, then hand you the patch so you save the weeks or months it takes to find stuff like this normally. So from there it becomes purely a test of being able to exploit the bug, although your constraints are still a bit different, as you can be loud and only really need to succeed once, whereas an actual state-level actor will want something better than that. But again, this is a result of time constraints.
Also, a lot of the time they can be the same people. Just one set of targets for your day job, one set of targets for fun at the CTF (and the CTF challenges are probably easier!).
The first comment explains why they didn’t win one competition in 2014:
2022-07-23 18:58:31 = -ENOCHEAT
> I also saw once a player trying to swipe a piece of paper with configuration (user/password) details of another team on an Attack&Defense style CTF. They were caught in the act and their team got some penalty for it.
We did exactly that at the Nuit du Hack CTF finals in 2014 to snatch the win against you folks (Dragon Sector). Since there was a flag specifically designed around shoulder surfing (taped to the network switch on each team's table) we asked organizers whether swiping the config credentials was fair game, and they said it was completely fine. Absurd, but hey, I don't make the rules :)
Dunno, many of those things are occasions for learning.
Back in like 2014 we were competing in RuCTF and some other team hacked our vulnbox and just shut down the RNG, making the box effectively inaccessible via SSH and slow as molasses on TLS-enabled services (besides capturing all of our flags).
It was an enlightening experience.
Now granted, RuCTF was of a particularly spectacular violence... but still, it's been an experience that has taught me a lot.
CTF is kind of like the security equivalent of what a cooking drama show (think Gordon Ramsay and a bunch of contestants) might be to being an actual chef.
There have been a number of in-person CTFs where hacking infrastructure was fair game... and which did not have static ARP entries set, so I ended up MITMing all the traffic to the score server.
>(or rather: fun factor after a couple of years passed and folks stopped being annoyed or down right furious at the perpetrators)
Poor sports, I’ve always struggled to understand people who’d partake in hacking competitions and then get upset because someone got onto their computer and took all the flags.
> Poor sports, I’ve always struggled to understand people who’d partake in hacking competitions and then get upset because someone got onto their computer and took all the flags.
The sport is about everyone racing to solve the same puzzles. If one team is sabotaging the puzzles in the process, it's a different kind of competition than the players expected. Frustration is warranted.
It would be like signing up for the 100m dash but then having your competitors throw obstacles into your lane. That wasn't the intent of the competition.
CTFs are not free-for-all competitions, they are clearly time-bounded and designed for enjoyment. Having a team show up with a zero day chain for Linux that they designed for a year spoils the enjoyment of everyone else.
rm'ing the CTF infra spoils the enjoyment of everyone else; winning because you're the best and showed up with a cool exploit chain isn't spoiling anything for anyone.
Right, so my point is that hacking everyone playing the CTF or the infrastructure is similar to running rm. Using a zero day on a challenge to get a flag is often allowed and even seen as amusing.
If you hack the infra to get all the flags it's really pretty close to just nuking the competition then and there isn't it? What's the point for everyone else to continue after that?
"Poor sports, I've always struggled to understand people who'd partake in a foot race and then get upset because someone walked out of bounds to skip part of the race"
Simply because the context is hacking does not mean that performing additional hacking outside of the context of the competition is in the same spirit. Breaking the rules isn't hacking better than another team, it's breaking the rules.
> There were probably multiple common logic bugs. However one that sticks out in my memory was when the submission system would first check if the team already submitted that flag (fast check in session) and if not, it would check the flag in the database (slow), award points (slow), and finally add the flag to the session (fast). Yup, that's a race condition.
How is "insert into found_flag (team_id, flag_id, found_at) values ($1, $2, now()) on conflict do nothing" slower than this four-step, race-condition-prone operation? (To get the score, "select count(1) from found_flag where team_id=$1".) You don't even need transactions for this, as long as you can't transition from found to not found somehow ("delete from found_flag where team_id=$1 and flag_id=$2").
The only problem I see with this is where validating the correct answer is expensive; without another piece of data to show that validation has started, you can overload the checker by submitting your answer before the first validation routine succeeds. But that is also easy to track, with a timeout even, and you still don't need transactions.
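The idempotent-insert pattern from the comment above, as an added example that is not part of the original thread: the (team_id, flag_id) primary key makes a duplicate submission a no-op inside the database, so there is no check-then-award window regardless of how many requests arrive at once. The schema, the seeded flag value "flag{correct}" and the SQLite backend are assumptions for illustration (the comment's SQL is written for PostgreSQL); the thread demo is only there to show that several concurrent submitters are awarded the flag exactly once.

```python
import os
import sqlite3
import tempfile
from concurrent.futures import ThreadPoolExecutor

# Constructed schema for the example. The composite primary key on
# found_flag is what makes the award operation atomic: a second insert
# for the same (team, flag) conflicts and is dropped by the database.
SCHEMA = """
CREATE TABLE IF NOT EXISTS flag (
    flag_id INTEGER PRIMARY KEY,
    value   TEXT NOT NULL UNIQUE
);
CREATE TABLE IF NOT EXISTS found_flag (
    team_id  INTEGER NOT NULL,
    flag_id  INTEGER NOT NULL,
    found_at TEXT NOT NULL DEFAULT (datetime('now')),
    PRIMARY KEY (team_id, flag_id)
);
"""


def open_db(path):
    # isolation_level=None puts the connection in autocommit mode, so every
    # statement is its own transaction; the busy timeout lets concurrent
    # writers wait for SQLite's file lock instead of failing immediately.
    conn = sqlite3.connect(path, timeout=10, isolation_level=None)
    conn.executescript(SCHEMA)
    return conn


def submit_flag(conn, team_id, submitted_value):
    """Return True if this submission awarded the flag to the team.

    Returns False for a wrong flag and for a flag the team already has.
    The lookup is read-only; the award is a single INSERT whose conflict
    clause makes repeated or concurrent duplicates harmless.
    """
    row = conn.execute(
        "SELECT flag_id FROM flag WHERE value = ?", (submitted_value,)
    ).fetchone()
    if row is None:
        return False
    cur = conn.execute(
        "INSERT INTO found_flag (team_id, flag_id) VALUES (?, ?) "
        "ON CONFLICT (team_id, flag_id) DO NOTHING",
        (team_id, row[0]),
    )
    # rowcount is 1 only when a new row was written, i.e. first capture.
    return cur.rowcount == 1


def score(conn, team_id):
    """Score is derived from the table, so it can never drift from it."""
    return conn.execute(
        "SELECT count(1) FROM found_flag WHERE team_id = ?", (team_id,)
    ).fetchone()[0]


def make_demo_db():
    """Create a throwaway database seeded with one constructed flag."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = open_db(path)
    conn.execute("INSERT INTO flag (value) VALUES (?)", ("flag{correct}",))
    conn.close()
    return path


def race_demo(path, team_id, value, n_workers=4):
    """Have n_workers threads submit the same flag simultaneously.

    Each worker uses its own connection, as separate web requests would.
    The return value is how many of them were awarded the flag; with the
    primary key doing the work it is exactly one, whatever the interleaving.
    """
    def worker(_):
        conn = sqlite3.connect(path, timeout=10, isolation_level=None)
        try:
            return submit_flag(conn, team_id, value)
        finally:
            conn.close()

    with ThreadPoolExecutor(max_workers=n_workers) as pool:
        results = list(pool.map(worker, range(n_workers)))
    return sum(results)


if __name__ == "__main__":
    db = make_demo_db()
    c = open_db(db)
    print("first submit :", submit_flag(c, 1, "flag{correct}"))
    print("second submit:", submit_flag(c, 1, "flag{correct}"))
    print("wrong submit :", submit_flag(c, 1, "flag{wrong}"))
    print("team 1 score :", score(c, 1))
    print("awards under contention:", race_demo(db, 2, "flag{correct}"))
```

The expensive-validation case the comment mentions fits the same shape: a separate `validation_in_progress (team_id, flag_id, started_at)` row claimed with the same `ON CONFLICT DO NOTHING` idiom (and expired by `started_at`) stops a team from queueing the checker many times before the first run finishes, again without a transaction around the slow step.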
>However there are stories of teams going a step further and hacking home routers from random IPs located in various countries. I guess that's trading in ethics and legality for CTF points.
Is finding a single proxy in a country so hard that you need to do that? I would assume proxy lists covering each country would already exist.
Basically the first 50 countries were easy using whatever methods. The next 50 were doable. But then the struggle really began and some teams started getting desperate/creative I guess.
Note that I'm using 50 as a random example number here, not an actual measurement.
I've been playing shooters for almost 30 years now, and that includes a lot of CTF on top of tons of duel and TDM. Quake, UT, TF2 (just got back to it after a decade).
That said, I have no idea what this guy is talking about. I thought he was talking about gaming but the more I read, the more confused I get. Especially the facebook part. What is going on here?
If you like that, HackFortress is a CTF that combines both sides, the video game playing and the hack-style CTF. Looks like they're going to be back this year for DEF CON; I ran a team for several years.
I found it to be some of the most fun CTFs I've played, partially because it was extremely time-bound. Rounds were 20 to 30 minutes each. It meant that you still had the rest of your conference time for other activities, rather than it taking over your entire weekend.
Until 2020 they were almost always around the top 3, and a few times the top team in the world, according to https://ctftime.org/
but in 2021/2022 I don't see them.