1
00:00:01,870 --> 00:00:11,650
Well, now we are going to welcome seven guys, who are nothing more and nothing less than the winners of the European Cyber Security Challenge.

2
00:00:11,810 --> 00:00:15,610
And besides, we are going to have both Raúl and Antonio to interview them.

3
00:00:15,610 --> 00:00:23,150
They are going to tell us how the contest was, how they prepared for that contest, for the competition, and how the competition itself was.

4
00:00:23,330 --> 00:00:27,950
But if you like, first of all, we see a video of how their preparation was.

5
00:02:38,190 --> 00:02:47,590
The Spanish team that is going to represent our country in the European Cyber Security Challenge 2016 in Düsseldorf.

6
00:03:13,130 --> 00:03:18,150
Well, if you like, boxers and coaches, to the ring!

7
00:03:18,590 --> 00:03:20,690
Come on, a big round of applause for them.

8
00:03:33,470 --> 00:03:36,530
Well, thank you all for being here.

9
00:03:36,970 --> 00:03:59,870
And this is the beginning of a pretty nice story, because we are talking about 2016, but it has to be said that in 2015, the General Directorate of INCIBE entrusted a group of people with a group of talents, who are very good technically, to generate a team that was able to win the European Cyber Security Challenge.

10
00:03:59,950 --> 00:04:02,590
In 2015, the team was a revelation.

11
00:04:03,010 --> 00:04:10,750
And this 2016, Spain, in its second year, has won the gold medal, the first place for Spain.

12
00:04:10,750 --> 00:04:12,870
And this is the team, right Raúl?

13
00:04:12,870 --> 00:04:13,350
Yes.

14
00:04:13,410 --> 00:04:15,590
That has done that part.

15
00:04:16,430 --> 00:04:18,670
I don't know if you want to ask them something.

16
00:04:18,670 --> 00:04:32,790
Yes, well, as you can see, they have worked as a team, but they have not competed together last year, but each one has competed just like you or many of you individually, they have competed among themselves.

17
00:04:32,890 --> 00:04:34,270
And this year they have been a team.

18
00:04:34,270 --> 00:04:40,550
But I also have to tell you that even being a team, it costs us a lot, you may have seen it in the photos, to put on the same shirt.

19
00:04:41,530 --> 00:04:48,110
So, well, I wanted to ask you a question, and it is precisely related to that.

20
00:04:48,250 --> 00:04:53,190
What have you found a little more difficult to work as a team?

21
00:04:53,190 --> 00:04:56,170
You can answer any of them, you have microphones here on the tables.

22
00:04:56,170 --> 00:05:01,610
Come on, José.

23
00:05:02,230 --> 00:05:12,950
The most difficult thing to work as a team has been coordination and communication.

24
00:05:12,950 --> 00:05:24,870
Because each one of us is used to work individually, and every time we get some information, we keep quiet about it and we continue to work until the end.

25
00:05:24,870 --> 00:05:31,250
And maybe to work as a team it is better to communicate and that the whole team works together on those advances.

26
00:05:31,290 --> 00:05:34,410
It is what has cost us the most to say it, but in the end we got it.

27
00:05:34,410 --> 00:05:40,870
That part of the magic, of the young people who have been here, many will surely be in the Spanish national team next year, right?

28
00:05:40,870 --> 00:05:46,730
But there is also the part of the training where we make people suffer and go to the gyms and other things, right?

29
00:05:46,730 --> 00:05:52,730
Borja, for example, what did you like the most about the training period where you have had different instructors?

30
00:05:52,730 --> 00:05:55,190
Even ex-teammates from 2015.

31
00:05:56,750 --> 00:05:58,730
Thank you, Borja Portaporte.

32
00:06:00,850 --> 00:06:04,950
For me, the best thing has been how well we have taken all the teammates.

33
00:06:04,950 --> 00:06:07,670
From the first day we have always had a lot of coordination.

34
00:06:07,670 --> 00:06:13,850
As José says, it was difficult for all of us to coordinate, but it has always been a team of people who are always in the world.

35
00:06:13,850 --> 00:06:20,190
We like to investigate forums and it has not been difficult for us to be a good team.

36
00:06:20,190 --> 00:06:26,870
Well, that's what they say now, because you have to see them the first day when they come in, until they start coordinating.

37
00:06:27,170 --> 00:06:29,130
But well, I believe you.

38
00:06:29,290 --> 00:06:34,830
What would you say to those who are competing today or who are going to compete tomorrow?

39
00:06:34,830 --> 00:06:37,730
What would you say about this competition?

40
00:06:39,830 --> 00:06:41,310
Let's see, captain.

41
00:06:41,990 --> 00:06:45,410
Basically, to those who have competed today, don't be afraid.

42
00:06:46,250 --> 00:06:49,830
Keep competing and compete against anyone, at any level.

43
00:06:49,830 --> 00:06:54,770
They are capable and they have proven to be capable and they will always learn something new.

44
00:06:55,430 --> 00:06:58,830
And to those who will compete tomorrow, more of the same.

45
00:06:59,070 --> 00:07:02,090
Don't be afraid and go for it.

46
00:07:02,450 --> 00:07:07,070
And well, we also had a person who we thought was not going to do much, his name is Pablo.

47
00:07:07,070 --> 00:07:12,030
The young man who came from the... what are they called?

48
00:07:12,330 --> 00:07:13,230
Cyber Olympics.

49
00:07:13,230 --> 00:07:14,570
The Cyber Olympics.

50
00:07:14,670 --> 00:07:18,630
But really, Pablo was able to integrate perfectly into the group.

51
00:07:18,670 --> 00:07:22,310
And I would like to know, on the day of the competition, what do you feel?

52
00:07:22,630 --> 00:07:24,490
That adrenaline and such.

53
00:07:24,490 --> 00:07:27,550
What did you like the most about facing 10 teams?

54
00:07:28,890 --> 00:07:30,110
Well, I don't know.

55
00:07:30,510 --> 00:07:35,010
Especially because I didn't have much practice in this, in the CTFs.

56
00:07:35,010 --> 00:07:36,270
I hadn't participated in many.

57
00:07:36,270 --> 00:07:41,990
So, we had participated in both the Cyber Olympics and this year in some practices.

58
00:07:42,150 --> 00:07:45,670
But it's true that it has nothing to do with a real competition, with that pressure.

59
00:07:45,670 --> 00:07:52,050
Above all, you are with the 10 teams that have the 10 best hackers in each country.

60
00:07:52,050 --> 00:07:54,010
So, it's something quite serious.

61
00:07:54,710 --> 00:07:56,910
And totally stressful.

62
00:07:56,910 --> 00:08:02,330
From minute one, continuously trying to solve answers, put the flags, get points.

63
00:08:02,330 --> 00:08:06,090
Then there were many times that, for whatever reason, the markers didn't work well.

64
00:08:06,870 --> 00:08:10,010
So, continuously going to the jury, putting pressure.

65
00:08:10,010 --> 00:08:13,130
So, it was from minute one, pressure until the end.

66
00:08:13,130 --> 00:08:16,390
Although we were winning a lot, with a lot of difference.

67
00:08:16,430 --> 00:08:19,390
But well, it's true that there is a lot of pressure and continuously.

68
00:08:20,410 --> 00:08:22,610
And the worst minute of the competition?

69
00:08:22,610 --> 00:08:25,150
Because I think there was someone who got ahead of us for a while.

70
00:08:26,970 --> 00:08:27,910
Juan Carlos.

71
00:08:30,070 --> 00:08:31,930
I know you don't like it much.

72
00:08:31,930 --> 00:08:33,630
The worst minute of the competition?

73
00:08:33,670 --> 00:08:35,570
When Romania gets ahead of us.

74
00:08:36,090 --> 00:08:38,630
I don't know.

75
00:08:41,730 --> 00:08:45,910
But you thought, we are going to win, right?

76
00:08:46,110 --> 00:08:46,690
Evidently.

77
00:08:46,690 --> 00:08:47,090
Why?

78
00:08:47,090 --> 00:08:48,250
Because we always win.

79
00:08:48,430 --> 00:08:49,090
Of course.

80
00:08:50,170 --> 00:08:51,110
I like that.

81
00:08:51,110 --> 00:08:55,810
I have to admit that there was one thing that helped a lot, which was the motivation that was given to the team.

82
00:08:55,810 --> 00:08:57,650
We were unmotivated, or not.

83
00:08:57,650 --> 00:09:04,250
When we got there, we found ourselves in a room of one person, two bunk beds and an extra bed in the middle.

84
00:09:04,250 --> 00:09:07,190
Five people in a room, no towels, no soap.

85
00:09:07,770 --> 00:09:15,570
Then we got there to the competition and we found teams with servers, when apparently the maximum budget had to be 300 euros.

86
00:09:15,570 --> 00:09:18,450
And he said to me, no, if it's a server, it's already old.

87
00:09:18,450 --> 00:09:19,470
No, look, it's a play.

88
00:09:19,470 --> 00:09:21,610
I mean, this is worth much more than 300 euros.

89
00:09:21,650 --> 00:09:23,050
You can imagine the faces of the team.

90
00:09:23,050 --> 00:09:23,990
Raúl, fight for that.

91
00:09:24,070 --> 00:09:24,970
Antonio, fight.

92
00:09:24,970 --> 00:09:25,910
It can't be.

93
00:09:25,910 --> 00:09:30,170
We go to the vote and in the end it is voted in favor of those who have brought the server.

94
00:09:30,170 --> 00:09:30,810
Keep it.

95
00:09:30,810 --> 00:09:32,230
The team was sunk.

96
00:09:32,230 --> 00:09:33,230
It was destroyed.

97
00:09:33,530 --> 00:09:41,070
There was a very important strategy of Antonio, which was to encourage the team by shouting at the Spaniard, even when the team had not achieved anything.

98
00:09:41,230 --> 00:09:44,710
And then there was a second goal with that, right?

99
00:09:44,710 --> 00:09:48,170
Not only to encourage them, but to discourage the rest of the teams.

100
00:09:48,170 --> 00:09:49,750
And then they told us at night.

101
00:09:49,750 --> 00:09:50,770
That it worked.

102
00:09:50,770 --> 00:09:51,890
We said, this is Spanish.

103
00:09:51,890 --> 00:09:55,190
There were already people who said, well, it would be good to give the second and third.

104
00:09:55,190 --> 00:09:59,710
We did not have flags at that time, but anxiety was generated.

105
00:09:59,830 --> 00:10:03,970
Yes, it is true that many times when they called us to the jury, we thought, what have we done?

106
00:10:03,970 --> 00:10:11,550
Because I, the truth, going with this team out there, we did not trust them much because they are good, but as good as they are, they are scary.

107
00:10:11,710 --> 00:10:19,710
So, my question is going to be, really, what have we not found out here now that we are in public, Antonio and I, that you have done?

108
00:10:19,970 --> 00:10:21,330
If you have done something.

109
00:10:21,850 --> 00:10:23,010
It can't be told.

110
00:10:23,350 --> 00:10:24,670
They disqualify us.

111
00:10:24,670 --> 00:10:26,550
Well, better not then.

112
00:10:26,590 --> 00:10:27,470
No, well.

113
00:10:28,250 --> 00:10:33,490
It is true that Raúl has commented that I took people and went with their blades for cracking the password.

114
00:10:33,830 --> 00:10:37,810
You know how they are, those from up north, they structure their heads too much.

115
00:10:37,810 --> 00:10:41,710
Spanish is good at one thing, at always solving yes or yes, at the end.

116
00:10:42,010 --> 00:10:46,510
But Adrián, what secret weapon did we have?

117
00:10:46,910 --> 00:10:52,510
When that secret weapon comes out, you know, Europe trembles.

118
00:10:52,910 --> 00:10:53,750
Dani's notebook, clearly.

119
00:10:53,750 --> 00:10:54,930
Dani's notebook.

120
00:10:57,910 --> 00:10:59,010
Dani's notebook.

121
00:10:59,010 --> 00:11:00,810
Maybe people don't know what Dani's notebook is.

122
00:11:00,810 --> 00:11:02,290
No, you don't know what Dani's notebook is?

123
00:11:02,290 --> 00:11:09,730
Yes, Dani is a guy who, from a notebook with a pencil, you know, does the same work as a cracking server.

124
00:11:09,990 --> 00:11:15,370
So, when Dani takes out his notebook, Europe trembles, you know?

125
00:11:16,030 --> 00:11:17,550
But I have a question for Dani.

126
00:11:18,310 --> 00:11:20,490
Dani, what is the best thing you have experienced?

127
00:11:21,170 --> 00:11:21,990
What did you like the most?

128
00:11:22,850 --> 00:11:24,250
What I liked the most?

129
00:11:24,250 --> 00:11:28,170
Well, everything in general, there is nothing that I liked more or less.

130
00:11:29,250 --> 00:11:31,430
The competition, the training, everything.

131
00:11:31,430 --> 00:11:34,810
The competition, of course, everything related to the competition.

132
00:11:35,030 --> 00:11:36,130
What I liked the least?

133
00:11:36,130 --> 00:11:37,090
The hotel room.

134
00:11:41,890 --> 00:11:42,370
And...

135
00:11:42,370 --> 00:11:45,210
For the rest, for having won, above all.

136
00:11:46,630 --> 00:11:48,250
Yes, because it is a pride, really.

137
00:11:48,250 --> 00:11:51,090
The thing is that I only said last year.

138
00:11:51,390 --> 00:11:53,450
This is something they should do.

139
00:11:53,530 --> 00:11:58,930
You always do things in life for yourself, for your family and for your country, you know?

140
00:11:58,930 --> 00:12:02,410
And in this case, it was played for Spain.

141
00:12:02,670 --> 00:12:11,730
And I don't know if it would also be good to talk, for Hector to comment on how the parties are, to encourage people, how the parties are when you win, later.

142
00:12:12,410 --> 00:12:14,770
Well, here is the image that is being given to me.

143
00:12:15,690 --> 00:12:17,650
No, no, well, the truth is that very well.

144
00:12:17,650 --> 00:12:23,570
In the end, the Spanish team, not only technically, but we earned the respect for that very reason.

145
00:12:24,050 --> 00:12:26,170
For that, for Spain, the party, man.

146
00:12:26,470 --> 00:12:34,510
And we knew how to guide the rest of the countries to have fun, even the one that had the worst result.

147
00:12:34,510 --> 00:12:40,970
In the end, the important thing is to know people from other countries who have the same tastes as you and that.

148
00:12:40,970 --> 00:12:42,130
And we had a great time.

149
00:12:42,130 --> 00:12:43,970
In the end, after the competition, no.

150
00:12:43,970 --> 00:12:47,050
I recommend that you try to go because it is worth it.

151
00:12:47,790 --> 00:12:50,790
Well, and as you can see, we also had a good time.

152
00:12:51,070 --> 00:12:52,950
And we also did a lot of things.

153
00:12:52,950 --> 00:12:58,450
I, if you like, because it seems that, well, in the end, technically we have not taught you anything.

154
00:12:58,570 --> 00:13:07,570
We had prepared, people from the team had prepared, a small presentation about some of the cases, examples that you can find, for example, next year in this competition.

155
00:13:07,650 --> 00:13:20,590
And if you like, Antonio, we can give way to two of the team members, so that they get ready, which are Josi and Dani, and they will teach you a little, technically, about some of the challenges we had there.

156
00:13:22,670 --> 00:13:26,890
Well, I am Josi Ignacio Rojo, he is Daniel Fernández.

157
00:13:26,890 --> 00:13:38,130
We are going to give a small presentation about the competition itself and a couple of examples of challenges with which we have encountered and a specific category of scoring, which is that of Pauna.

158
00:13:40,610 --> 00:13:43,050
Basically, the team that you have already seen.

159
00:13:44,050 --> 00:13:55,170
And, well, there were a series of categories that were scoring and we are going to differentiate what is the attack and defense and I lost and achieved.

160
00:13:56,530 --> 00:14:12,230
On the one hand, we had the central part of what was the competition, which was a CTF of attack and defense, where several categories were scored, for example, availability, code patching, attack, defense, and then there was a special category, which was Paunes,

161
00:14:12,230 --> 00:14:17,170
which was to do something that supposedly could not be done, a hole in the organization.

162
00:14:19,010 --> 00:14:32,330
Then, in this part, it consisted of attacking the servers of the other teams, while we had to defend our server so that the other teams did not attack it, and, in turn, patch the code to cover the vulnerabilities.

163
00:14:33,450 --> 00:14:39,070
Then, the Jeopardy part is a capture the flag, like the one that has been given today or the one that is going to be given tomorrow.

164
00:14:39,070 --> 00:14:43,030
These are challenges of different categories that have to be solved to add points.

165
00:14:43,030 --> 00:14:48,850
Then there is the part of achievements, which was called achievements, which was basically to perform a task.

166
00:14:48,850 --> 00:15:03,770
That task was to configure an intermediate CA from a CA that they give you, an entity of certification, and develop a small application that managed the permissions based on the certificates signed by that CA.

167
00:15:07,040 --> 00:15:11,540
The architecture of the CTF consisted of...

168
00:15:12,020 --> 00:15:17,260
Each team had a VMware server with virtual machines, one for each challenge.

169
00:15:18,740 --> 00:15:22,520
There were two servers in each of the challenges, there were four.

170
00:15:22,520 --> 00:15:28,380
Ours, which was inside our machine, and another, which was one of the servers that we did not have access to.

171
00:15:29,300 --> 00:15:34,020
Access to that server was achieved through a GUI to correct vulnerabilities.

172
00:15:34,020 --> 00:15:39,460
The deployment was done automatically, because we only had root access in our own server.

173
00:15:40,360 --> 00:15:46,160
Then, the strategy we did was, in our server, to defend everything we could.

174
00:15:46,160 --> 00:15:49,940
In fact, we replaced the web server to each machine.

175
00:15:49,940 --> 00:15:50,980
They had an Apache.

176
00:15:51,440 --> 00:16:01,320
And what we did was to put forward an Nginx, and in that way see all the requests that arrived and have control over all the attacks that we received.

177
00:16:02,140 --> 00:16:07,040
And, on the other hand, the issue of code parsing and so on.

178
00:16:07,540 --> 00:16:10,140
We also took care of this a little bit.

179
00:16:11,200 --> 00:16:15,300
Well, I'm going to present a small cryptography challenge with which we found ourselves.

180
00:16:15,300 --> 00:16:23,440
Basically, they gave us a private RSA key, but they covered, so to speak, a large part of the private key.

181
00:16:24,840 --> 00:16:31,520
We see there that we have access to a part of base64, and that base64 itself is valid.

182
00:16:31,520 --> 00:16:38,280
Therefore, we can extract information from that base64, which we are now going to break down to briefly explain the challenge.

183
00:16:39,600 --> 00:16:40,400
Ok.

184
00:16:40,960 --> 00:16:43,980
Do you know the format of the private keys?

185
00:16:43,980 --> 00:16:46,940
The format of the... Does it sound familiar?

186
00:16:47,640 --> 00:16:48,360
No?

187
00:16:48,360 --> 00:16:49,280
Nobody?

188
00:16:52,300 --> 00:16:58,920
Basically, this information we see on the screen is the number in hexadecimal format of what we have seen before.

189
00:16:58,920 --> 00:17:02,680
That is to say, what can be read in asterisks is equivalent to this.

190
00:17:04,720 --> 00:17:14,640
So, the format of the key is a specification for how to define the parameters of the RSA key in a private key.

191
00:17:15,140 --> 00:17:20,040
So, the last part of the private key that we had is what appears on the screen.

192
00:17:21,160 --> 00:17:27,780
Well, if you look at how the RSA key works and so on, you know that they are prime numbers and so on.

193
00:17:27,780 --> 00:17:39,940
So, what we had in the end of Q, which was not complete, not only the end, but that also helps us, we had dp, dq and qi, which I will now explain better what this is about.

194
00:17:40,760 --> 00:17:42,600
Basically, we have the number...

195
00:17:42,600 --> 00:17:50,140
well, a small final part of the number Q' we have dp, which is the CRT exponent.

196
00:17:50,220 --> 00:17:57,100
In dp, we have the CRT exponent of Q and qi is the CRT coefficient of...

197
00:17:57,780 --> 00:17:59,240
of the inverse of Q.

198
00:17:59,260 --> 00:18:02,620
So, CRT means Chinese Remainder Theorem.

199
00:18:02,620 --> 00:18:06,620
It is how to find the opposite of the module operation.

200
00:18:06,920 --> 00:18:12,400
And basically, it is a small optimization to be able to find it in a reasonable time.

201
00:18:12,640 --> 00:18:14,800
So, what do we need from this information?

202
00:18:14,800 --> 00:18:18,360
We need to obtain the prime numbers p and q that make up the private key.

203
00:18:18,680 --> 00:18:32,640
And to get to them, we use mathematical formulas that define RSA, which are the ones we can see at the top right and developed at the bottom right.

204
00:18:32,640 --> 00:18:39,900
Playing with them, we have p and q based on the last digits of q.

205
00:18:39,900 --> 00:18:47,360
So, we have a small script in Python that will help us to find these numbers.

206
00:18:48,400 --> 00:18:49,900
What did we do?

207
00:18:49,900 --> 00:18:58,220
We made a Python script that, using these mathematical formulas, solved the equations and we could obtain the original prime numbers.

208
00:18:59,380 --> 00:19:10,360
So, we can say that the function you see here that says isPrime is not really a function to check that it is prime, but to check that it is a valid candidate for the coefficient.

209
00:19:11,640 --> 00:19:18,760
To sum up, we needed to obtain the prime numbers p and q that make up the private key and, using mathematical formulas, we were able to obtain them.

210
00:19:18,760 --> 00:19:20,180
So, that was the challenge.

211
00:19:20,520 --> 00:19:23,880
It is one of the ones we liked the most and that is why we put them here.

212
00:19:24,220 --> 00:19:32,060
So, we are going to show now, in attack and defense in particular, one of the applications and how we managed to get the total control of the system.

213
00:19:32,740 --> 00:19:36,220
It was an application that could upload images.

214
00:19:36,220 --> 00:19:45,440
It was like an image platform where you could upload an image and a kind of platform for images and so on.

215
00:19:46,120 --> 00:19:51,220
So, we had the information of the challenge and we were told that there was a bug in the application.

216
00:19:51,560 --> 00:19:53,020
So, what did we do?

217
00:19:53,020 --> 00:20:11,800
We looked at everything that was on the server, we found it, and it turns out that in the image, if there was information embedded in the least significant bits of the image pixels, that information was extracted and executed as if it were Python code.

218
00:20:12,360 --> 00:20:15,080
So, of course, it was an execution of the code.

219
00:20:16,720 --> 00:20:21,240
Of course, the problem is that we had a limited access to the Git.

220
00:20:21,360 --> 00:20:25,000
We did not have full access to all the code of the application or everything.

221
00:20:25,100 --> 00:20:28,380
And we did not know how we were supposed to fix it.

222
00:20:29,160 --> 00:20:36,040
Of course, a solution would be to modify the image, but the ideal solution would be to remove the bug.

223
00:20:36,200 --> 00:20:38,160
And we could not get to remove it.

224
00:20:38,160 --> 00:20:44,640
So, what we decided was to attack ourselves and remove it from the server.

225
00:20:45,480 --> 00:20:49,080
And, well, we do not know why, the rest of the teams did not do the same.

226
00:20:49,380 --> 00:20:51,140
And they left it open.

227
00:20:53,060 --> 00:20:59,400
Well, basically, the Pawn category, as I said before, usually comes from a remote code execution, an RCE.

228
00:20:59,440 --> 00:21:08,120
So, it is a special category with its own score, although it really was not worth it, but it is more because of the satisfaction of having achieved it.

229
00:21:08,120 --> 00:21:15,200
Last year, although the Spanish team did not win, they were the first to achieve this category, this Pawn, and to control a system.

230
00:21:15,200 --> 00:21:19,960
This year, we repeated it again, and that gives us a lot of satisfaction in that sense.

231
00:21:19,980 --> 00:21:29,440
So, once we have the RCE, the Remote Code Execution, we have to be able to get a privilege escalation.

232
00:21:29,440 --> 00:21:32,000
We have to get root access, so to speak.

233
00:21:33,680 --> 00:21:34,160
So...

234
00:21:35,320 --> 00:21:39,880
There are different ways to do it, and, of course, you never know.

235
00:21:39,880 --> 00:21:41,340
You never know if it is possible.

236
00:21:41,340 --> 00:21:53,820
So, we worked hard to do it, and recently, a month ago or so, there was a vulnerability that had a lot of impact, so to speak, a lot of repercussion, and we did a preview of the event, and the team said, have they fixed it?

237
00:21:55,320 --> 00:22:05,240
But, of course, it takes 20-30 minutes to test it, because it is tedious to run the tests, and it is worth spending time on it, I am sure they have fixed it.

238
00:22:05,240 --> 00:22:09,860
I mean, this vulnerability was very sound, but what if they haven't fixed it?

239
00:22:12,140 --> 00:22:18,680
So, here, it was the moment when we were testing this.

240
00:22:18,680 --> 00:22:21,040
Let's see if they have fixed it or not.

241
00:22:21,600 --> 00:22:26,620
So, about the vulnerability, well, does this sound familiar to you?

242
00:22:27,840 --> 00:22:29,100
Does it sound familiar to anyone?

243
00:22:31,580 --> 00:22:34,120
Some of you know what it is.

244
00:22:34,460 --> 00:22:36,000
Have they fixed it?

245
00:22:36,000 --> 00:22:38,320
We assumed so.

246
00:22:38,320 --> 00:22:40,460
Is it worth spending time on it?

247
00:22:41,280 --> 00:22:44,680
Well, as we can see, they haven't fixed it.

248
00:22:44,680 --> 00:22:48,360
They had an updated kernel in September, so it was vulnerable.

249
00:22:49,760 --> 00:23:01,460
DTK is a vulnerability that came out a month and a half ago, which consists of a kernel load condition in Linux, which allows you to write arbitrarily on any hard disk file, with any user.

250
00:23:01,460 --> 00:23:04,800
So, how do you get root?

251
00:23:04,800 --> 00:23:09,540
You overwrite a binary with the SUID, you run it, and you get root.

252
00:23:10,560 --> 00:23:14,560
So, the problem we have with this exploit is that it is unstable.

253
00:23:14,580 --> 00:23:16,080
Very unstable.

254
00:23:16,360 --> 00:23:28,600
Well, the exploit itself is not unstable, but the examples of proof of concept leave the machines in an unstable state, because they are not well implemented, so to speak.

255
00:23:28,600 --> 00:23:36,200
So, this exploit leaves the machine in an unstable state, and if anyone uses it, accidents can occur.

256
00:23:36,240 --> 00:23:42,180
I remember that one of the fundamental rules of this competition was that you can't sabotage others.

257
00:23:42,680 --> 00:23:53,660
Yes, we had root access to all the servers of a specific application, but we couldn't sabotage them, we couldn't spy on them, we couldn't read their code, we couldn't monitor them in that sense.

258
00:23:53,660 --> 00:23:59,000
The jury explicitly came to ask us that, please, you have already scored, stop, you can't use this.

259
00:23:59,460 --> 00:24:02,960
And, I insist, very unstable.

260
00:24:06,230 --> 00:24:13,550
The problem that it is unstable, on the one hand, can be solved with what you see up here.

261
00:24:16,010 --> 00:24:27,290
So, to take advantage of this current condition in the kernel to run arbitrary code, the first thing to do is to disable this phrase of the kernel that you see up here.

262
00:24:28,190 --> 00:24:38,010
So, in this way, it is avoided to try to overwrite the file in memory, which is corrupt, and that's what causes a kernel panic, with the implementations that are normally out there.

263
00:24:38,010 --> 00:24:42,930
Well, there are some that already solve that problem, but most fail.

264
00:24:44,770 --> 00:24:54,670
So, of course, the problem was that we use this way and we don't break anything, we don't leave the server unstable and nothing happens.

265
00:24:55,030 --> 00:24:57,490
But in the case of the English, it was not like that.

266
00:25:00,480 --> 00:25:20,340
Well, to say that we managed to perform the PAUM in the first instance and then the English team was able to replicate it, but, of course, they replicated it against Liechtenstein in this case, but they didn't do it very well, they didn't know or weren't able to leave the machine stable and they denied Liechtenstein's machines.

267
00:25:20,340 --> 00:25:23,840
For that reason, an emergency committee was organized to fix the situation.

268
00:25:23,840 --> 00:25:30,820
I mean, there has been a sabotage, it is legal that this team penalized Liechtenstein's team.

269
00:25:31,460 --> 00:25:41,040
And, well, I remember that it goes against the rules, so it was delivered and the captain of the English team had to swear that there was no bad intention, that it was an accident, let's say.

270
00:25:41,900 --> 00:25:49,940
And, well, basically the example was set that the Spanish team has made this same exploit, but nothing bad has happened.

271
00:25:49,940 --> 00:25:52,780
I mean, they have been able to know how to use it well.

272
00:25:52,780 --> 00:25:53,540
I mean, it is possible.

273
00:25:53,540 --> 00:25:56,980
If you have enough knowledge, you can do it well.

274
00:25:57,240 --> 00:26:04,240
And also here, the people, the envoy of ENISA, of the European agency, were totally against this category.

275
00:26:04,240 --> 00:26:11,540
I mean, their philosophy was no, no, no, we want to train professionals who adjust to the rules, we don't want people to do evil.

276
00:26:11,540 --> 00:26:15,080
So this category had a little bad reputation for that.

277
00:26:15,960 --> 00:26:27,760
And this example was precisely bad, it gave a part of the reason and luckily another team, ours, knew how to use it correctly and according to the rules, etc.

278
00:26:28,680 --> 00:26:33,220
And then, lately, I would like to put this formula, so to speak.

279
00:26:33,220 --> 00:26:40,440
If we all act as a team, we can really achieve much more, which is what we achieve, than if we act individually.

280
00:26:40,440 --> 00:26:45,600
There were very powerful teams, but they were not able for their talents to act together.

281
00:26:45,600 --> 00:26:50,340
I mean, they acted individually, they did not communicate, they wanted to do it alone, etc.

282
00:26:50,340 --> 00:26:53,580
And that was a burden for many teams, many countries.

283
00:26:54,360 --> 00:27:10,840
Yes, well, for my part, I can say that last year I was also in the Spanish team, this would be the second year that I participate, and a big difference that I have found from last year to this year, is that last year we had less organization, as a team we were less organized.

284
00:27:10,840 --> 00:27:14,940
Maybe there were talents, but maybe the organizational part failed.

285
00:27:14,940 --> 00:27:27,480
This year we have improved a lot, especially the organizational part, that each one had well-defined tasks, we formed a team that each one had its function, and that we had it well in the game.

286
00:27:27,480 --> 00:27:34,920
And that was what made us get points until we reached victory.

287
00:27:35,940 --> 00:27:38,440
Well, thank you very much for your attention.

288
00:27:40,360 --> 00:27:41,620
Thank you.

289
00:27:45,280 --> 00:27:46,100
Hello?

290
00:27:46,180 --> 00:27:46,740
Yes?

291
00:27:46,760 --> 00:27:47,320
Hello?

292
00:27:47,960 --> 00:28:01,480
Well, as an image is worth more than a thousand words, all this that has been told to you, and thanks to the realization here of our cameras, we are going to show you, we are going to put a video about this experience, so that everyone can experience it firsthand.

293
00:28:03,140 --> 00:28:03,580
Video?

294
00:30:08,290 --> 00:30:20,070
And to finish, well, you have seen that there are more members of the team than here, they have not been able to come, Pablo, Jimeno, Ángel, and besides, there are many people behind this, we are not alone, okay?

295
00:30:20,090 --> 00:30:26,830
So I would like to call here to the stage that the rest of the team could come, so that you also know them, and to give them a round of applause.

296
00:30:26,850 --> 00:30:38,010
Therefore, Tatiana, Susana, Beatriz, Alberto, Calron, Remote, Moncho, Juanjo...

297
00:30:49,040 --> 00:30:50,100
Stand up, please.

298
00:30:52,320 --> 00:30:57,200
As you can see, even our cameras have done a commendable job, and nothing else.

299
00:30:57,200 --> 00:31:14,260
I just want to tell you that we believe that it is a very good experience, that you can all participate in it, that next year we have the challenge not only to try not to be too far behind, maybe winning is already very difficult, but also with your help we will try to stay in a good position,

300
00:31:14,260 --> 00:31:17,140
but possibly it is you who are in this team, okay?

301
00:31:17,380 --> 00:31:29,440
So, just tell you that next year it will be in Spain, we have to organize it, and as I say, in addition to the challenge of trying to stay in a good position, we have the challenge of organizing it, so nothing else, thank you very much, and a very strong applause for the rest of the team.

302
00:31:45,870 --> 00:31:46,170
A photo?

303
00:31:46,950 --> 00:31:51,970
Wait a second, a photo, you leave very quickly, a family photo we have to take, right?

304
00:31:56,000 --> 00:31:57,480
Come on, a family photo.

305
00:31:57,480 --> 00:31:59,160
Alberto, did you hear me?

306
00:32:11,840 --> 00:32:13,440
More forward.

307
00:32:18,520 --> 00:32:24,000
More forward, more forward.

308
00:32:24,000 --> 00:32:26,820
More forward, more forward

309
00:32:30,780 --> 00:32:31,020
.

310
00:32:31,020 --> 00:32:33,360
Come on,

311
00:32:40,780 --> 00:32:42,040
the one of three, patata.

312
00:32:43,680 --> 00:32:44,360
Patata.

313
00:32:44,380 --> 00:32:45,260
Patata.

314
00:32:47,200 --> 00:32:48,440
Strong applause for them.

315
00:32:48,440 --> 00:32:49,020
Thank you.


