Input from a member of the winning team. (Score 1)

Defcon 9 was my first time with CTF and I must say, it's not exactly what I expected. My buddy Thalakan got recruited to Digital Revelation and he recruited me over there. 90% of the time, everyone hacked systems that were difficult to hack. All the servers on the server segment (x.x.x.250-254) had either chrooted systems, patched servers and for a day and a half, nothing happened. During that time, the most exciting thing was when Dan got social engineered (see above link). However, 2 hacks did happen. I think it was prophet on digital revelation who rooted a win2k box with the unicode exploit. Then, the most exciting hack was the obsd 2.9 local exploit. Someone from the grey team finally setup a server with local access (he gave out login/password) and the race was on to apply the exploit. By this time, we were already merged with ghetto and everyone watched in anticipation. Eugene, from the ghetto hackers worked ferverntly and a bunch of us watched in anticipation. Because of the race condtion, two teams simultaneously rooted the server at the same time and split the points.

Since there was physical access to the box (they were located right next to the operator), I heard that people yanked network cables when they were about to be rooted.

There were many interesting systems and different programs that ran on the network but without source, 2 days is simply not enough time to do anything substantial. I hope next year, Caesar and the Ghetto Hackers will run a better job of providing more interesting hacks. I'm hoping the judges will put up servers that arent locked down. Those roots will be for maybe 10 points. Roots in servers with no known vulnerability (with source provided) will give 100 points. Something like that would provide with more hacks than the 3-5 roots we had. Having each team provide servers that are locked down is plain stupid.

-Nouveaux