CTF write-up for NPST 2020 🎅

Here's a write-up of the challenges of the Norwegian Police Security Service's capture the flag advent calendar for 2020.

Published: Thu, January 7, 2021, 19:10
Updated: Fri, January 8, 2021, 22:50
Category:
Security
Tags:
Behind the news
Challenge

Background 👮 🔗

The Norwegian Police Security Service (with the Norwegian abbreviation PST which I'll use for this write-up) is the police security agency of Norway. They have by now made it a tradition to have Capture the Flag (CTF) style job ads and competitions. This is the fifth time I'm covering them here: 1, 2, 3, 4.

The theme 🎅 🔗

PST added an N in front of their name and created the imaginary Northern Polar Security Service (Nordpolar sikkerhetstjeneste = NPST). NPST's role is supposedly to protect Santa Claus, his elfs and Christmas itself. Like last year, PST posted a fake job ad where they said to be looking for elf officers (="alvebetjent") for a temporary position to help out NPST. A few news outlets wrote about it as well (TV 2, Avisa Oslo). Everything went down on npst.no from December 1st to December 24th.

This time PST reused an acronym from a internship job ad challenge they had earlier this year: DASS - Digitale Arkiv- og SaksbehandlingsSystem. Dass "happens" to be a slang word for toilet. 🚽

Challenges and solutions 🔗

New this year were Easter eggs(!) that worked as extra hidden flags that had to be found to get full score.

Let's jump straight to it. Click on a challenge to expand it.

Scores 🔗

I'm glad the scoreboard was kept open until January 5th. By that time 35 users had managed to get all 240 points, and 29 of those had all 11 eggs. There were 1481 users that successfully submitted at least 1 correct flag, though I suppose there's quite a few non-real users among them.

Enjoy reading about IT security? Check out more of my posts.

Some final thoughts 🔗

👏 It's been yet another great CTF by PST. It's really cool that they do these. I'm sure it's helpful for recruitement. And personally I'm glad more people learn more about anything IT security related.

❤️ This year CTFd was been replaced by a beautiful retro Windows 95 like user interface. Except for missing solve time per challenge I loved this year's user interface.

🙇‍♂️ I'm so happy the challenges were published at 7 a.m. instead of at midnight like last year. I didn't have many minutes to spare at 7 in the morning, but at least I didn't stay up too long and had the brain working overtime while it's supposed to sleep.

😵 What I didn't enjoy was the number of challenges. 24 main challenges + 11 eggs. If you spend on average 1 hour on each you have spent 1 work week through those 24 days. That is just way too much if you have a job, school, exams or a family. The CTF experts of course solve every single challenge in less than 1 hour, but most of us aren't there. I would like to see the workload be cut in half.

📆 There were no days without a new challenge. I couldn't work on the calendar every day. That meant that by the end of the calendar I was several days behind. I was constantly chasing to get even, but I never made it. That was stressful. There should probably be 2 days without anything new every week. If the workload is this big next year I don't think I will prioritze to take part of it.

🥚 The concept with the Easter eggs is ok, but I didn't like how there were eggs which you had no idea where existed. It meant that the moment you were done with the challenges you had to go egg hunting - without any idea where to look. Especially egg #1 with humans.txt was torture, and probably also egg #3 (cupcake.png) for some people. It added what felt like more stress than fun.

🍳 For me it also felt a bit strange that it was the last solve time - regardless of if it was a regular challenge or an egg - that decided your placement on the scoreboard. I would have thought the main challenges were more important than the eggs. Solving eggs wasn't something extra, it was absolutely necessary to be near the top.

🛷 I loved the assembly language SLEDE8 and its great tooling. However, while the e-learning was necessary to get us ready for bigger tasks there were too many algorithms to be implemented. If I want to do algorithms I will find another type of competition. And again, the eggs of all the algorithms didn't give a good feeling. You had finally created an algorithm that worked and got the flag, only to get a message back telling that it isn't good enough to get the egg.

🎅 I hope PST will keep having the storyline with NPST and SPST. It's a nice touch that makes the CTF unique and playful.

🤝 Oh, and for those really competing for the first place I think it's important to never change the time of day of releases of challenges. Yes, I'm thinking about the final day that was released the night before. It was a good thing to do, but it should have been announced.

🤩 Anyways, except the workload, it's just all minor stuff, because I really love PST's CTFs. I'm looking forward to the next one! 😃

Request for comments 🔗

If you have thoughts about my solutions, the CTF, or if I have missed something cool; don't hesitate to comment here or ccontact me in some other way. 🙂

Get notified when there are new posts! :-)