Thanks for putting this together. Was very educational working through each level (and felt great to capture the flag). Loved that it was spread out across node.js/python/ruby/php/javascript.
Were any unexpected security vulnerabilities found (or patched mid-game by you) in the overall infrastructure?
Not sure if this was intentionally left open-ended but for example in Level 6 I exploited a Ruby session/cookie bug to gain access to the target user, before realizing that the easier way was just a simpler JavaScript XSS vulnerability.
There were a few unintentional vulnerabilities in the levels. Only one actually made the levels significantly easy enough that it was worth patching -- namely, the session cookie bug you reference (it actually affected three levels). There was also a bug in the CTF architecture where you could set your user's URL to a javascript: URL. But to my knowledge no one has found vulnerabilities in the rest of the infrastructure :).
And the ruby regex newline vulnerability that featured in one of the later XSS levels was also present in an earlier level, but wasn't necessary for the intended vector, so I wondered if it was an unintentional oversight, or left as an alternate exploit, or just a red-herring? (being intentionally vague so as not to spoil it for anyone...)
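The "Ruby regex newline" issue mentioned above is a classic validation pitfall worth seeing in code. The example below is added here for illustration and is not code from the Stripe CTF levels or from any commenter: in Ruby, `^` and `$` match at line boundaries rather than string boundaries, so a validator that looks strict accepts a value with a payload smuggled in after a newline. The sample inputs and the `<b>` markup are constructed placeholders; the fix is to anchor with `\A` and `\z`.

```ruby
# Added example (not from the original thread): why Ruby's ^ and $ anchors
# are a poor choice for input validation. In Ruby, ^ and $ match at the start
# and end of any *line*, so a value containing a newline can carry arbitrary
# text past a validator that "looks" strict.

# Constructed sample inputs: a benign username and three values that smuggle
# extra content around a newline. The markup is illustrative only.
SAMPLES = {
  "alice"                  => true,   # should pass either validator
  "alice\n<b>injected</b>" => false,  # should fail a correct validator
  "<b>injected</b>\nalice" => false,
  "alice\n"                => false,
}

# Vulnerable: ^ and $ are line anchors in Ruby (unlike the default in
# Python or JavaScript), so only one line of the input has to match.
def valid_username_line_anchors?(name)
  !!(name =~ /^[a-z0-9_]{1,20}$/)
end

# Hardened: \A and \z anchor to the absolute start and end of the string.
# (\Z would still tolerate a single trailing newline, so \z is the right one.)
def valid_username_string_anchors?(name)
  !!(name =~ /\A[a-z0-9_]{1,20}\z/)
end

# Run one validator over the constructed samples and return the inputs on
# which its verdict disagrees with the expected one.
def audit(validator)
  SAMPLES.reject { |input, expected| send(validator, input) == expected }.keys
end

if __FILE__ == $0
  puts "line-anchor validator gets wrong: #{audit(:valid_username_line_anchors?).inspect}"
  puts "string-anchor validator gets wrong: #{audit(:valid_username_string_anchors?).inspect}"
end
```

The same pitfall applies anywhere a Ruby regex is used as an allow-list (Rails `validates_format_of`, route constraints, filename checks); the Rails security guide recommends `\A`/`\z` for exactly this reason.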
I was one of the ones who went through those three levels with the session cookie bug. How many people reported it? Do you have a problem with me posting a write-up on the bug somewhere (now that it's fixed)?
I also used that bug for the three levels. At that time I was more concerned with catching up (I started late) and the thought of it being an unintentional bug never crossed my mind. Though hours later I thought it was a bit strange that all three levels had to be solved in a similar way.
There was the unintended XSS on level02 - granted, you could only XSS yourself, but having a space in the filename you could inject whatever you wanted. :)
It looks like homakov had a little fun with it (the guy who griefed github a bit half a year ago with their whitelisted attributes vulnerability and got the rails core team to put whitelisting on by default).
Thought for a minute after seeing the headline maybe the CTF was closed... I'd have thrown many (more) monitors out the window if I didn't get to finish lvl8 after spending so long on it...or at least ditch a few more monitors trying to finish it.
You guys did an awesome job, great stuff to waste some evenings on. It's nice to read about all these measures, especially since I've already noticed most of them while capturing the flag :)
Really enjoyed the CTF, thanks for hosting it! Had to run my code twice to get the last chunk on level 8, not sure why though... Was it jitter? Also, will you be sending confirmation e-mails for the t-shirts?
I'll avoid posting spoilers here, but feel free to shoot me an email (gdb@stripe.com) if you want to discuss more. We will indeed send out confirmation emails for the shirts -- you'd be surprised by how many people typo their addresses.
Assuming you used the same strategy I am using now for level 8 (and which seemed popular on the IRC channel), I think the method for determining the other chunks doesn't work for the last one, since it is the last one in the series.
Great job on the CTF, had only minor issues with level 8 because of the traffic (which made it more of a challenge) and I was wondering how you guys did the XSS vulns, really nice job!
A commenter in another thread on CTF recommended io.smashthestack.org. It's very well done - I only got through a half-dozen levels or so before my attention wandered but I really enjoyed it.
While they're not great, chroots are much more powerful than most people give them credit for. The trouble comes when people think you can keep a root user contained in a chroot.