Posted on 2022-07-11
title: Impressions from FAUST CtF 2022
language: en

We participated in the 2022 FAUST CtF. Here are a few impressions from the point-of-view of a team organiser. Everything I state here obviously is tainted by the environment we setup ourselves.

FAUST organised a smooth running event, services where running on time as was the network. And thus we had no excuses left and had to get down to work.

I was enjoying myself with leading-by-example, searching for vulnerabilities in emacs lisp, when the actual attack was code injection into emacs org-mode. Success thus was limited, as I took the existing blacklist-filter, as proof that this vector was closed. Thus our team was, in this challenge, able to only achieve “second blood”, a term I want to use instead of observing adversaries’ actions and replaying their findings. (And it sounds much nicer than “stealing”.) Kudos to the teams that did not run after a collection of red herrings.

On our side everyone I observed was deeply submerged in solving riddles, tracking control flows and recalling lost knowledge from Mathematics 1, i.e. RSA and residue classes.

It is always a good sign, when the end of a CtF is approaching (subjectively) fast. I barely remember thinking of getting some food, realising that the nearest bakery already had closed shop and returning to the contest.

The team achieved a placement in the roughly at the middle of all teams above Zero-Points, which seems fair, and reflects the feeling of a strong competition. I guess this hasn’t been the last CtF for us.