Sign in

This article describes the steps to solve the Web-Card task designed for CTFZone 2019. The task is a kind of tribute to the XML format and contains a 0-day (as of the competition dates), an unusual way to exploit XXE and a remarkable chain of vulnerabilities.

This write-up was drafted back in December 2019, but we couldn’t publish it until the vendor fixed the vulnerability. Better late than never. Have fun reading!

The landing page of this task has a form, which is used to send the information about a participant to generate a “truly original” card.

Fig. 1. Landing

Under the hood…

By Roman Shemyakin

Part I: CTFZone Paper: Trust Area — Backend Part
Part II: CTFZone Paper: Trust Area — Client Part

Apps bootstrap

We had an emulator and a clean snapshot. Every round, we did a reset to the initial ‘clean’ state and installed the teams’ applications.

We grabbed the teams’ APK files from their backends ten times per round, but deployed only the latest version once — at the beginning of a new round. This layout appeared to confuse the players, resulting in many questions along the lines of, ‘I saw my APK grabbed, but not deployed’. This solution was aimed…

By Oleg Petrakov

Part I: CTFZone Paper: Trust Area — Backend Part
Part III: CTFZone Paper: Trust Area — Infra

About application architecture

The primary task of the Android client was to proxy the calls from other clients in the emulator, including the checker, to the team’s respective backend server. For this purpose, the following was implemented on the client side:

  • caching to reduce the backend load,
  • ability to create data backups.

The client architecture is presented in the diagram below:

Fig. 1. Android client architecture

How we developed the client and the problems we bumped into

The service client was written in Kotlin, which is used for the development of real mobile apps. …

By Arkadiy Litvinenko

Part II: CTFZone Paper: Trust Area — Client Part
Part III: CTFZone Paper: Trust Area — Infra


We had long aspired to create a task for attack-defense CTF competitions involving the detection and exploitation of vulnerabilities in Android-powered mobile applications. However, we had many doubts concerning the task architecture, since we lacked an understanding of how it was supposed to work. It was only recently — during the preparation for CTFZone Finals 2020 — that we finally decided to implement this idea. In this article, we compile the technical details of what we ended up with :)

Task architecture

By Innokentii Sennovskii

It’s widely known that the best way to make a student study a boring subject is to transform learning into a game. A long time ago someone came up with a game of this sort in the field of Cybersecurity — Capture the Flag or CTF for short. CTFs motivated lazy students to learn how to reverse engineer binaries, where best to place an apostrophe and why using proprietary encryption is a more sophisticated way of jumping on a rake.

The university students that took part in those old CTFs have grown up, so now the competitors…

Hey, Medium! Interesting times we are living in: deepfakes, trade wars, political games, Greta (bless her) Thunberg, and if that wasn’t enough for you, have some fun with the coronavirus infection COVID-19.

The coronavirus pandemic has also taken its toll on our Conference on Practical Cybersecurity OFFZONE 2020. It had to be postponed until better times.

Unfortunately, this means that the PCB badge that we had been developing since December will not take flight in its current form. This article is a kind of epitaph of its concept. …

Despite the postponement of the OFFZONE 2020 conference, there will be a CTFZone final! This year it will be held online for the first time and will be actively broadcast on social networks.

We will announce the details later, but for now we suggest reviewing the web-task write-up from the qualifying stage. The analysis of the solution was sent to us by Devand MacLean from Canada. We invite you to find out, which vulnerability chain the participants have encountered and what the chicken has to do with.

General Information:

Author: Pavel Sorokin
# of teams solved:
Helpful links:


The third international conference on practical cybersecurity OFFZONE 2020 is just 71 days away. While the organisation of the event is in full swing, the attendees are welcome to kill the wait with some fun activities. In today’s post, we’ll talk about a chip that will allow OFFZONE attendees to secure a member’s badge for themselves with unique design and configuration.

When preparing for the conference, we pay close attention to the concept of the badge. Last year’s badge functioned as an interactive printed circuit board resembling the form of a 3.5-inch floppy disk. It was possible to tweak the…

Writeup “In the Shadows”

This is a writeup on one of the tasks prepared for the CTFZone qualifying stage, that took place in late November. You can also read about how we organized the qualifying stage as a whole in this story.

You start with two files: and ntfs_volume.raw.

Let’s take a look at the script.

It takes a file called “key.bin” and then tries (in a loop) a binary string of 34 bytes from every offset within this file as input data for the PBKDF2 function with a really high number of iterations. …

The CTFZone qualifying stage took place from November 30th to December 1st with 1043 teams from around the world registering for the event. Judging from our data, the competition reached even as far as Zimbabwe (26 unique IPs). Digging a little deeper, we would find out it was a team of college students from Bulawayo.

This year CTFZone became the qualifying event for DEF CON CTF, and the winners of the final stage, which will take place at OFFZONE on April 16–17, 2020, are going to the tournament in Las Vegas. DEF CON CTF is the world’s oldest and most…


International community conference for cybersecurity researchers and professionals. No suits, no business — only hardcore research.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store