Removing the negative-point component from CTF flags turned out to be both a blessing and a curse.
In the past, flags were (mostly) obvious and always followed a “flag=” tag. That made them easy to find with a little regex magic. But it also sucked to get docked points if you accidentally entered the same flag twice, left some whitespace in your submission, or otherwise submitted a non-flag.
Along with the end of negative-point flags came some unexpected changes, such as not-so-obvious flags: flags that were tagged as flags, but not in the expected format. Think “Fl.4gISwhatever,” which was a big departure from “flag=”. That also made flags a little harder to recognize for what they were if you weren’t paying attention.
The first thing I did upon registering as a participant for the CTF was throw a few guesses at the scoreboard to see if any stuck. Surprisingly (or not), “password” was worth 20 points. I tried a few more potential flags like “DerbyCon” and the like, since I had to wait 60 seconds in between submissions.
Someone else took the no-negative-points rule to an entirely new level and wrote a script to submit potential passwords to the scoreboard every 61 seconds. With the fear of going into the red removed, I thought “brute forcing” the scoreboard was a pretty novel way to potentially pick up a few points. I’m not sure what he was using as a wordlist (text scraped out of files found on the network?) or how effective it was, but in the end he was one of the top finishers.
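As an added example (my own sketch here, not code from the original post and not the script the other competitor wrote), this is what both halves of that idea look like in Python: pull “flag=”-tagged values out of scraped text with a regex, catch the looser “Fl.4g…” style with a second, more forgiving pattern, then feed a whitespace-stripped, de-duplicated candidate list to the scoreboard one guess per cooldown window. The scoreboard is a constructed stand-in that accepts a few hard-coded strings; the sample file contents, the point values and the 61-second cooldown are assumptions for illustration, and the `submit` and `sleep` hooks are injectable so the whole thing runs offline.

```python
import re
import time
from typing import Callable, Dict, Iterable, List

# Constructed sample "scraped file" (not real CTF data): two tagged flags, one of
# them duplicated, one with stray whitespace after the tag, plus a leet-styled
# flag that a strict "flag=" regex would miss.
SAMPLE_TEXT = """
Welcome to the fileshare.
flag=d34dbeef
notes: flag= cafebabe   (whitespace after the tag)
backup copy: flag=d34dbeef
admin hint: Fl.4gISwhatever
"""

# Strict form: the classic "flag=" tag followed by the value.
TAGGED_FLAG_RE = re.compile(r"flag=\s*([^\s\"'<>]+)", re.IGNORECASE)

# Loose form: tolerate leet substitutions and one stray separator inside the
# word "flag" (f l . 4 g), then grab the rest of the token.
LOOSE_FLAG_RE = re.compile(r"\b(f[l1][\W_]?[a4@][g9]\S*)", re.IGNORECASE)


def extract_tagged_flags(text: str) -> List[str]:
    """Values following a 'flag=' tag, in order of appearance, duplicates kept."""
    return TAGGED_FLAG_RE.findall(text)


def extract_loose_flags(text: str) -> List[str]:
    """Tokens that look like a mangled 'flag' tag, e.g. 'Fl.4gISwhatever'.

    Anything the strict tag already covers is dropped so the two lists do not overlap.
    """
    return [m for m in LOOSE_FLAG_RE.findall(text) if not m.lower().startswith("flag=")]


def normalize_candidates(candidates: Iterable[str]) -> List[str]:
    """Strip whitespace, drop empties and exact repeats; order is preserved.

    Cheap insurance against the two classic ways to waste a submission:
    the same flag twice, and a flag with stray whitespace around it.
    """
    seen = set()
    result: List[str] = []
    for raw in candidates:
        cand = raw.strip()
        if cand and cand not in seen:
            seen.add(cand)
            result.append(cand)
    return result


def submit_candidates(
    candidates: Iterable[str],
    submit: Callable[[str], int],
    cooldown: float = 61.0,  # assumed: one second longer than the scoreboard's 60 s rate limit
    sleep: Callable[[float], None] = time.sleep,
) -> Dict[str, int]:
    """Submit each unique candidate, pausing `cooldown` seconds between attempts.

    `submit` returns the points awarded (0 for a miss). `sleep` is injectable so
    the loop can be exercised offline without waiting a minute per guess.
    """
    accepted: Dict[str, int] = {}
    for i, cand in enumerate(normalize_candidates(candidates)):
        if i:  # no wait before the very first guess
            sleep(cooldown)
        points = submit(cand)
        if points:
            accepted[cand] = points
    return accepted


def mock_scoreboard(flag: str) -> int:
    """Constructed stand-in for the real scoreboard: a hard-coded table of accepted flags."""
    table = {"password": 20, "d34dbeef": 5, "Fl.4gISwhatever": 10}
    return table.get(flag, 0)


if __name__ == "__main__":
    guesses = (["password", "DerbyCon", " password "]
               + extract_tagged_flags(SAMPLE_TEXT)
               + extract_loose_flags(SAMPLE_TEXT))
    # sleep replaced with a no-op here so the demo finishes instantly
    print(submit_candidates(guesses, mock_scoreboard, sleep=lambda s: None))
```

Against a real scoreboard, `submit` would be the HTTP POST to the submission form and `sleep` would stay as `time.sleep`; the de-duplication up front is what keeps a long wordlist from burning cooldown windows on repeats.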
I did hear Scott say during the closing ceremonies that there was a domain controller that had 900 1-point flags on it, so I suppose if you managed to crack that, you could at least be picking up points to the tune of one every minute while you were busy hacking elsewhere. I believe I’ll be filing this trick away for a future CTF. (Assuming I haven’t ruined it by blogging about it.) 🙂