It has come to the attention of the Society that some individuals within the community display poor sportsmanship regarding CTF etiquette. Specifically, we have identified a player who joined teams (The Flat Network Society and Wreck The Line) solely to acquire their hard-earned flags or exploits.
While the figure of Robin Hood might be inspiring to some, such behavior is unacceptable in a competitive environment. We aim to raise awareness about this issue among our fellow competitors.
This document is not intended to shame teams who may have (hopefully unknowingly) benefited from this scheme, nor is it to shame those who were deceived (including us). Instead, the goal is to ensure that all teams are vigilant and that bad actors are ostracized.
First contact
A player named qwertboy submitted an application to the Society. The application seemed legitimate, containing several write-ups from past CTFs demonstrating strong reverse engineering skills. These write-ups were hosted on flower-mouse-568[.]notion[.]site.
Real World CTF 6th
During the Real World CTF 6th, a member of the Society noticed qwertboy playing with WreckTheLine.
Application Accepted
After careful consideration, the Society accepted qwertboy's application. When questioned about his participation with WreckTheLine, he responded:
"last week I was taken in the WreckTheLine team for the Real World CTF, but I didn't like it there as they have a principled stance in terms of ctf and only go to certain ones. In this respect I am very attracted to your team, as you participate a lot of places :)"
- qwertboy
Tip from WreckTheLine
A member of the Society met with a member from WreckTheLine. The subject of qwertboy emerged during the conversation. WreckTheLine suspected him of sharing exploit scripts with other people because the Telegram bot made queries to callbacks located in some of their exploits. They promptly kicked him after confronting him about it.
The Society shared this information among a select few to avoid unfounded accusations and maintain a positive spirit within the group. Subsequently, the Society began investigating the previous weekend's TAMUctf but found no concrete evidence. Attempts to contact the TAMUctf organizers were unsuccessful due to the absence of contact details on their website; the registration emails were sent from a noreply@ address.
Sharing with PPP and Hacking for Soju
The decision was made to inform the Plaid Parliament of Pwning, the organizers of PlaidCTF 2024, and Hacking for Soju, the organisers of the Midnight Sun CTF. The Society asked PPP and Hacking for Soju for help to confirm or clear the suspicions against qwertboy. The Society laid a few traps by changing flags for high-value challenges on CTFNote during PlaidCTF 2024 and asked Hacking for Soju for some help in the future.
Results from PPP
When PlaidCTF 2024 ended, the organisers told the Society that somebody had created a new team (`testing`) from a public proxy and submitted one of the fake flags, presumably to check whether the flag was valid. This team did not submit any other flags. This information was not sufficient to start accusing anybody.
Midnight Sun CTF 2024 Quals
Prior to the Midnight Sun CTF 2024 Quals, Hacking for Soju and the Society came up with a plan: swap actual flags with unique flags that would still be valid when submitted, in the hope of catching the culprit team red-handed and thereby gaining information about the leaker. The flags of a few challenges were replaced with these aliased flags, including the following:
baby kernel
sourceless
These unique fake flags were submitted close to the end of the competition by one other team:
baby kernel: Sun 21 Apr 09:37:07 UTC 2024
sourceless: Sun 21 Apr 09:53:22 UTC 2024
The organisers gave us enough information to precisely identify qwertboy as the culprit: the flags were submitted by an IP address he used to connect to the Society's CTFNote instance. It is unknown whether the person who created the `testing` team at PlaidCTF 2024 was qwertboy using a VPN or somebody else.
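The aliased-flag trap described above, sketched as an added example (not code from the Society, Hacking for Soju or any CTF platform): each team can be issued its own still-valid flag, and a submission of that alias by a different team raises an alert whose source IP is then matched against the issuing team's note-server access log. The HMAC derivation, the flag format, the function names and all sample data are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-organiser-key"   # assumption: known only to the organisers
REAL_FLAGS = {"baby kernel": "flag{constructed_real_1}",   # constructed values
              "sourceless": "flag{constructed_real_2}"}

def alias_flag(challenge: str, team: str) -> str:
    """Unique flag for one (challenge, team) pair, derived with HMAC-SHA256."""
    msg = f"{challenge}\x00{team}".encode()
    return "flag{" + hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:24] + "}"

def build_alias_index(teams):
    """Map every issued alias back to (challenge, team it was issued to)."""
    return {alias_flag(c, t): (c, t) for c in REAL_FLAGS for t in teams}

def check_submission(index, team, challenge, flag, src_ip):
    """Return (accepted, alert). An alias scores like the real flag, so the
    submitter sees nothing unusual; alert is set only when the alias was
    issued to a different team than the one submitting it."""
    real = REAL_FLAGS.get(challenge, "")
    if hmac.compare_digest(flag.encode(), real.encode()):
        return True, None
    issued = index.get(flag)
    if issued is None or issued[0] != challenge:
        return False, None              # unknown flag, or alias for another challenge
    if issued[1] == team:
        return True, None               # the team the alias was issued to
    return True, {"challenge": challenge, "issued_to": issued[1],
                  "submitted_by": team, "src_ip": src_ip}

def correlate(alert, access_log):
    """Accounts on the issuing team's note server seen from the alert's IP."""
    return sorted({user for user, ip in access_log if ip == alert["src_ip"]})

# Constructed sample data: documentation-range IPs and made-up account names.
INDEX = build_alias_index(["team-a"])
NOTES_ACCESS_LOG = [("alice", "198.51.100.7"), ("mallory", "203.0.113.42"),
                    ("bob", "198.51.100.9")]

if __name__ == "__main__":
    leaked = alias_flag("sourceless", "team-a")
    ok, alert = check_submission(INDEX, "team-b", "sourceless", leaked, "203.0.113.42")
    print(ok, alert, correlate(alert, NOTES_ACCESS_LOG))
```

A match on IP alone only narrows the field: as the PlaidCTF case shows, a submission made through a public proxy or VPN yields an alert but no usable correlation.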
List of CTF
qwertboy played with the Society at the following events:
DiceCTF 2024 Quals
GoldCTF 2024
bi0sCTF 2024
Cyber Apocalypse 2024: Hacker Royale
KalmarCTF 2024
TAMUctf 2024
PlaidCTF 2024
Midnight Sun CTF 2024
There may have been foul play during these events; however, there is not enough concrete evidence to accuse any teams of wrongdoing. If you are part of the organising team for one of these events and would like to check with the Society, feel free to contact us at the e-mail address listed below.
Furthermore, if you think your team has been in contact with qwertboy recently and would like to have a check-up, you can make an appointment with the Flat doctor at the e-mail address below.
Please rest assured that the individual has been unplugged from the Society's flat network.
Conclusion
The CTF scene has always been self-regulated, making this kind of situation difficult to handle. Despite this unfortunate event, we still believe that the vast majority of the CTF community is welcoming and respectful of CTF etiquette. The Society regrets that it has been fooled and will be more careful in the future, once again.
The Society would like to thank people from the following teams for helping the investigation:
WreckTheLine
Plaid Parliament of Pwning
Hacking for Soju
Steganographically yours, The Flat Network Society.
P.S.: on an unrelated note, the Society now has a vacancy, preferably somebody with a strong reverse-engineering profile.