
DEF CON CTF 22 Final

From August 7 to 10, the largest information security conference, DEF CON, was held in Las Vegas (USA). The event is already 22 years old. We took part in the final stage, the DEF CON CTF. The conference itself was packed: at first I heard something about 6 thousand attendees, then about 15. Moving between the halls for the talks during the day felt like the Moscow metro at rush hour. But first things first.


Corridor one hour before the conference

DEF CON CTF


Traditionally, the DEF CON CTF team competition in information security is held during the conference. This CTF consists of 2 stages: the final is held in Las Vegas, and an online qualifying round is held before it, after which the 12 best teams are selected. Last year's winner automatically gets a place in the final, and the final can also be reached by winning one of 7 other prestigious CTFs during the year. That is how our team reached the final: we took third place at Positive Hack Days CTF in May of this year (the PHDays CTF winner had already reached the final through another CTF, and the int3pids team, which finished second, declined the invitation).

The team that runs DEF CON CTF changes once every 3 years. This year, the Legitimate Business Syndicate team is holding its second DEF CON.
These are the badges for all conference attendees and CTF participants:



About the conference itself I can only say what happened:


There was a Tesla electric car in the vendor hall, which you could even try to hack:


In the photo: d0znpp, taken from SadieSv

Unfortunately, we made it to neither the talks nor the Tesla, because…

Capture The Flag


The DEF CON CTF final is held in Attack/Defense format (also known as service-based). Teams get identical servers with a set of pre-installed services. The services have certain functionality that is constantly checked by the organizers' bots. The services also contain vulnerabilities that need to be found and, preferably, fixed. By exploiting vulnerabilities in the services on other teams' servers, you obtain so-called "flags". Flags are, as a rule, some kind of secret information in the context of a service. Say the service is a mail server. The flags are in mailboxes created by the organizers' bots. If you have learned to read other people's mail, you can search for flags and submit them.

Flags are updated every round. A round lasts 5 minutes. Flags have a limited lifetime (usually 1-2 rounds). That is, if at the end of the game you read all the flags from an opponent's server, only 1-2 of them will actually be accepted. No points are credited for the rest.

When a flag is stolen from a vulnerable service, the teams that submit it share 19 points, divided equally among those teams. The victim team, correspondingly, loses 19 points. At the beginning of the game, every team has 2500 points.

If your service is turned off or the functionality built into it is broken, the service is in the Offline status, and the team's SLA indicator drops. SLA is the proportion of game time during which the service worked correctly. Usually this indicator is multiplied by the number of points to form the final score. Honestly, we never figured out exactly how the final rating at the DEF CON CTF final was computed. The organizers did not give a clear set of rules with formulas. I believe this is one of the DEF CON quirks, because at the PHDays CTF final, for example, all the rules were clearly written and presented to the teams a few days before the competition. There was even an Excel spreadsheet showing scores for different scenarios.

Team




Our team is called BalalaikaCr3w. Most of our members are students and graduates of the Moscow Engineering Physics Institute, some are from Bauman MSTU, one is a graduate of the Moscow Institute of Physics and Technology and one is a graduate of BSTU (Bryansk). The photo shows not all the members, only those who went to DEF CON. The team was formed just over a year and a half ago. How it was formed and how it developed is a separate story; someday I will write a separate article about it, if such information is of interest.

At the DEF CON CTF final, the maximum number of participants in one team is 8 people. There were only 7 of us at the final, because several people could not go due to financial problems or problems with obtaining a visa.

Visa


Once we accepted the invitation to the final, the first problem was obtaining a US visa. For people in our profession, getting an American visa is not easy, especially on a short timeline. We received the invitation to the DEF CON CTF final at the end of June, we had to fly to the United States at the beginning of August, and we also had a trip to Korea for the SECUINSIDE CTF final in July. The visa result was as follows: out of 10 attempts, 6 visas were received. One visa was obtained on the second attempt, and one more only after additional verification. One of our participants was sent for additional verification on the second attempt and did not have time to complete it, and some were simply refused. One team member already had a valid visa, but it had previously been obtained only after additional verification.

What's the catch? As soon as the officer at the embassy realizes that your work (and/or education) is related to information security (exactly as with some other areas of science and technology that are critical for the state), he will send you for an additional check. Verification can last up to one year. And besides the checks, an officer can simply tell you "denied" at the end of an interview, hand you some explanatory paper and say goodbye without giving reasons.

Accommodation


The DEF CON CTF organizers provide participants with 2 rooms for 3 nights at the Rio All-Suite Hotel & Casino, where DEF CON takes place. Each room has 2 large beds and a sofa. For 30 bucks a day, you can order an extra folding bed (which, by the way, is more comfortable than the sofa). All other expenses are paid by the team itself: flights, transport, food (even during the CTF), equipment, etc.


Here is the CTF zone

It turns out that participation in the DEF CON CTF final is the most expensive of all the finals for Russian teams. For example, travel budgets for the Facebook CTF final in Barcelona or the SECUINSIDE CTF final in Seoul range from 100 to 200 thousand rubles. For DEF CON, tickets alone cost about 450-500 thousand. So the question of raising funds became quite acute for our team: after all, there are a lot of trips in a year, and most of us have only just graduated from university.

Sponsorship


We approached several of the largest Russian companies involved in information security with a request to support our team in one way or another, offering cooperation so that the arrangement would benefit both parties. But, alas, some refused immediately, some showed interest and then refused a little more politely, and some started out very positively and then refused anyway. It turned out that modest support for a team of Russian hackers is of no interest to anyone. Well, yes, we are not a Formula One team, so what use could we be to information security companies.

It's funny that in Germany it is the opposite. Volkswagen allocated 20 thousand dollars to the German CTF team StratumAuhuur for the trip to the DEF CON CTF final. It really is true: what is good for a Russian is death for a German.

However, we must thank the employers of some of our team members for their support: the company "Aktiv" and the FSUE "GlavNIVTS". Thank you!
If anyone has the desire and the opportunity to cooperate with our team, you are welcome; write to info (at) ctfcrew.org, and we will not remain in your debt.

Main process




The DEF CON CTF final is divided into 3 days. Each team is allocated:

Schedule:


Each new day, the teams are seated at different tables in different parts of the CTF zone.

On the first day a scoreboard with absolute point totals was available. True, the organizers recalculated it overnight, because two teams (one of them ours) had the memory card in their server burn out, and while the server was being replaced it was, of course, unavailable. On the second day the scoreboard was available, but the number of points was not displayed, only the teams' positions in the rating.

In general, there were a lot of screw-ups from the organizers. On the second day, for example, one guy with an eccentric red hairstyle stupidly took down our server. Or maybe not so stupidly. But when we complained that the server had been unavailable for 15 minutes already, the comrade apologized and said it was his fault, that he had done it by accident. In all, I heard about 10 times in 3 days that the SLA would be corrected and the rating recalculated.

Some teams ran DoS attacks, which is prohibited by the rules, and were punished with a lower SLA. In the end, the organizers did not post the final results for almost a week after the final, because they were recounting everything.

Tasks


ODROID-U3+ boards were used as servers. Although after the competition we saw that our server differed from the others (it was replaced on the first day after the memory card burned out), so it is possible that other teams had a different piece of hardware.

The servers were set up by the organizers. Teams accessed them via SSH. There was no root access, which is another DEF CON quirk. That is, there is no way to sniff traffic yourself. Once every 5 minutes the organizers post a traffic dump from each team's server on SFTP. The delay between the moment the game starts and the moment the first dump is available is 15 minutes. All IP addresses in the dump are randomized, except for addresses from the team's own subnet. It is impossible to tell from the addresses who a particular connection was established with (one of the teams or the organizers' bot).

Another feature is that all services are provided in binary form. No source, no scripts. Only binaries, only hardcore. Maybe there were exceptions once, but not this time.

The processor architecture is not announced in advance. Based on last year one could assume it would be ARM (that year it appeared at DEF CON for the first time), but this only became known for certain at 9:30 on the first day.

A total of 7 services were announced, but the organizers released only 5 during the competition.
At the beginning of the first day there were 2 services on each team server:

A few hours later the third appeared:


CTF zone at the end of the first day

The initial vulnerabilities were fairly simple. For example, for the wdub service, you could read the flag with a request like this:
GET /../../../home/wdub/flag HTTP/1.0\r\n\r\n
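The request above works because the server joins the request path onto its document root without checking where the resolved path ends up. As an added example (not the wdub binary's code, and the file layout, docroot and flag contents are constructed for the demo), here is a minimal GET handler written twice: a naive resolver that concatenates strings, and a hardened one that resolves the path and rejects anything that leaves the docroot. The same traversal request leaks the file through the first and gets a 403 from the second.

```python
import os
import tempfile

# Constructed sample requests; the first mirrors the traversal request quoted above.
TRAVERSAL_REQUEST = "GET /../../../home/wdub/flag HTTP/1.0\r\n\r\n"
NORMAL_REQUEST = "GET /index.html HTTP/1.0\r\n\r\n"


def parse_request_path(raw: str) -> str:
    """Return the path component of a 'GET <path> HTTP/1.0' request line."""
    request_line = raw.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        raise ValueError("unsupported request line")
    return parts[1]


def naive_resolve(docroot: str, req_path: str) -> str:
    """Weak resolver: plain concatenation, so '..' segments walk out of docroot."""
    return os.path.normpath(docroot + req_path)


def safe_resolve(docroot: str, req_path: str):
    """Hardened resolver: canonicalize, then require the result to stay under docroot."""
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, req_path.lstrip("/")))
    # commonpath compares whole path components, so a sibling such as
    # '/srv/www-evil' does not pass for docroot '/srv/www' (a str.startswith check would).
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def handle(docroot: str, raw_request: str, resolver) -> tuple:
    """Minimal GET handler; returns (status, body) using the given resolver."""
    try:
        req_path = parse_request_path(raw_request)
    except ValueError:
        return 400, b""
    target = resolver(docroot, req_path)
    if target is None:
        return 403, b""
    try:
        with open(target, "rb") as f:
            return 200, f.read()
    except OSError:
        return 404, b""


def build_sample_tree() -> str:
    """Constructed layout: <tmp>/a/b/www is the docroot; <tmp>/home/wdub/flag sits outside it."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "a", "b", "www")
    os.makedirs(docroot)
    with open(os.path.join(docroot, "index.html"), "wb") as f:
        f.write(b"<html>ok</html>")
    flag_dir = os.path.join(base, "home", "wdub")
    os.makedirs(flag_dir)
    with open(os.path.join(flag_dir, "flag"), "wb") as f:
        f.write(b"FLAG{constructed-sample}")
    return docroot


def demo() -> dict:
    """Run both resolvers against the traversal request and a normal request."""
    docroot = build_sample_tree()
    return {
        "naive_traversal": handle(docroot, TRAVERSAL_REQUEST, naive_resolve),
        "safe_traversal": handle(docroot, TRAVERSAL_REQUEST, safe_resolve),
        "safe_normal": handle(docroot, NORMAL_REQUEST, safe_resolve),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name}: {status} {body!r}")
```

The check that matters is done on the canonicalized path with os.path.commonpath, not on the raw request string: stripping ".." from the input is brittle (encoded or doubled-up variants slip through), while comparing where the path actually lands cannot be fooled by how it was spelled.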

And in imap, it was enough to overflow the SELECT command parameter by at least one byte. After that the LIST command operated one directory higher than it should, so you could see all the mailboxes (LIST "" *) and messages (LIST "" */*), and then read them with FETCH.

Then each team received such a badge:

firmware to it and a script for uploading the firmware to the badge. All badges in the CTF zone communicate with each other over the air and send messages, including the flags that the organizers fill in (as it turned out, the messages were sent in clear text).

The goal was the same as for all the other services: find the vulnerability, close it on your own badge, exploit other people's badges, read the flags and submit them. If the badge is turned off or in debug mode, the service is considered down and the SLA drops. By the end of the second day / beginning of the third, most teams had given up on the badge, but the Routards team finished it off. It's a pity they only managed to pull flags in the last round. That is really cool.
Update: on the second day the PPP team wrote an exploit for the badge, but because of an organizers' error they failed to get points with it:
We would like to apologize to the two-year champions, PPP. For all id id backs (PPP) to score correctly. It’s not a problem.

On the second day, another service appeared:


The organizers promised to publish all the services and other materials, along with some kind of test system, in September. For those who are interested, we are posting the original versions of the binaries.

Atmosphere


The atmosphere is exactly what it should be. The lights are dimmed, there are quite a few people in the room, and journalists are let in a couple of times a day for 15-minute sessions, after all the teams have been informed. On the large screens the organizers constantly play all sorts of trash clips like:

The central screen first showed the scoreboard, and then a simple visualization of the teams' attacks against each other.
In general, time flew by.

A short video shot in the last minutes of CTF:


Results


Place  Team                          Score
1      Plaid Parliament of Pwning    11263
2      HITCON                         7833
3      Dragon Sector                  4421
4      Reckless Abandon               4020
5      blue lotus                     3233
6      (Mostly) Men in Black Hats     2594
7      raon_ASRT                      2281
8      StratumAuhuur                  1529
9      [CBA] 9447                     1519
10     KAIST GoN                      1334
11     Routards                       1262
12     More Smoked Leet Chicken       1248
13     Binja                          1153
14     CodeRed                         997
15     w3stormz                        987
16     [SEWorks] penthackon            979
17     BalalaikaCr3w                   937
18     Gallopsled                      921
19     shellphish                      899
20     HackingChiMac                   546

We finished in 17th place. This is, of course, a weak result, but let it be the starting point for our next DEF CON CTF finals. We drew many conclusions about which of our internal tools need finishing and which tools we lack.

Our more experienced compatriots More Smoked Leet Chicken (MSLC) took 12th place. I believe the guys themselves are not very satisfied either, because last year they finished fourth.

The Americans from the Plaid Parliament of Pwning (PPP) team won for the second year in a row, traditionally playing DEF CON together with the famous hacker George Hotz (geohot), known for his iPhone work (author of the first jailbreaks and unlocks) and his lawsuit with Sony over the PlayStation jailbreak. Who better than him to dominate a CTF where every task but one is binary exploitation on ARM. Then again, in July he also won the SECUINSIDE CTF final in Seoul as part of his team tomcr00se. In fairness, it should be noted that the tomcr00se team consists of one person.

Impressions


Extremely positive. Next year we will definitely try to reach the final, and will definitely go if we qualify. DEF CON CTF is unique. It is the longest, the most prestigious and, perhaps, the hardest CTF of all. I would compare it to the Olympic Games for athletes. This is the level to aim for, and victory in the DEF CON CTF is the highest possible achievement.



It was nice to see old friends and chat with new ones.

For information on upcoming DEF CON CTFs, I recommend following the LegitBS site.
Information about upcoming CTFs and, in general, about all events in the CTF world is on CTFtime, the main resource for all CTF teams.

Source: https://habr.com/ru/post/234191/
