The SAS Finals 2024 blog

The Security Analyst Summit (SAS) is a conference organized by Kaspersky, the well-known AV company (among other things). As with many conferences, this one also includes a CTF competition. The conference and CTF finals were held in Bali, Indonesia, from the 22nd to the 24th. This was my first on-site finals, located almost at the antipode of my hometown. In this blog entry, I share a short account of my experience competing in the finals and visiting Bali, Indonesia.

swag

Arrival to Bali

The Final Countdown Begins: 5 Days to the CTF

kuta

Every great adventure begins with a challenge. Our journey to Bali involved two flights: the first from Madrid to Dubai, followed by a short two-hour layover before continuing on to Bali. Unfortunately, our first flight was delayed by two hours, causing us to worry about making our connecting flight. Thankfully, since both flights were with the same airline, we managed to board the second flight just in time.

However, the real issue arose just 20 minutes before landing. We were informed that while we made it to Bali, our baggage did not. We ended up waiting over 24 hours to finally receive our luggage in our hotel.

kuta2

Initial Team Arrivals

3 Days Left

ubud

On this day, Kiona, Moriarty and Ko arrived in Bali. We planned to move to Ubud, and during the car trip we also had the opportunity to explore a coffee plantation, where we tasted a variety of coffees and teas. For lunch, our taxi driver took us to a restaurant that was quite expensive compared to the local restaurants.

ubud

Exploration Mode Activated and a New Team Arrival

2 Days Left

hikking

To start the day, we took a short walk (around 1h) along the Campuhan Ridge Walk in Ubud to see the sun rise.

After taking a shower, having breakfast and watching our Japanese friends struggle with a knife and fork, we visited the Monkey Forest.

monkey

The rest of our plan for the day was to catch a boat to Nusa Penida and wait for another team member, Aali, who was arriving in Bali. To prepare, we grabbed some cheap noodles from a supermarket, took the boat, and then waited for about an hour for Aali to arrive.

The funny part of the day was Aali getting ripped off by paying double for the taxi, and, on the other hand, my girlfriend and I accidentally got free boat tickets because I forgot to update our birth dates, ending up with child tickets instead of regular ones.

boat

The Day Before: How Not to Prepare for the Finals


daybefore

On the day before the CTF, we woke up at 7 AM to make our way to the Penida Ferry Port (Number 1 in the map), just a 15-minute drive from our apartments (red point in Nusa Penida), for a snorkeling activity.

snorkeling

After 15 minutes on the boat, with the beach out of sight, we had to turn back because the activity team realized they had forgotten the GoPros (really funny moment). While snorkeling, we didn’t see any turtles or mantas, but we did encounter a variety of colorful fish, despite the sea being quite rough with many waves. At the first spot, we almost lost three of our members (Moriarty, Kiona and Ko) because they didn’t have much experience swimming. After that, for the rest of the spots, only Kiona went snorkeling, of course while wearing a life jacket! It was my first time doing this kind of activity, and it was really fun! However, I must admit that the water was quite rough and I felt a bit seasick, and I had hoped to see some turtles and mantas. At least I did spot some turtles a week later in the trip.

climbing

Without any time to rest, we took a car to Kelingking Beach in the southwest of Nusa Penida. I should mention that I didn’t have much time before the trip to look up information or photos of the places I was going to visit. This is important because if I had known about the climb required to reach Kelingking Beach, I would have preferred to wait at a bar with a drink instead of making the trek down. And yes, the beach is one of the most beautiful I’ve ever seen, but we couldn’t even get into the water that day because of the huge waves.

beach

If you don’t believe what I say, just search for ‘Kelingking Beach’ on any search engine. Additionally, it’s not just about the trek itself; we descended at 1 PM and then climbed back up at 3 PM, right when the sun was at its peak. During the entire trek, the sun was blazing, causing us to lose a lot of water and risk burning our skin.

climbing

After snorkeling in the northeast and climbing in the southeast, we had to take a taxi back to our apartments, grab our things, and return to the port. We nearly missed our boat, which was the last one of the day. Finally, after an hour of boat travel and another hour in a taxi, we arrived at our apartment in Nusa Dua, close to the conference venue. By this point, it was 9 PM, the night before the conference, and we hadn’t prepared any of the setup. Not all the team members were even in Bali yet; two of our Indonesian colleagues were arriving around 1 AM. An hour later, Satoki, who had a room at the conference hotel because he was also a speaker, joined us at the apartment. We all enjoyed pizza together and started preparing the setup at 10:30 PM the night before.

climbing

After having the pizza, we prepared the Farm and the Tulip in Aali’s VPS, discussing how to access the tools—debating whether to use port forwarding, open the port publicly, or implement some form of Nginx proxy pass with HTTP authentication. After all this, and believing everything was set up correctly, we went to bed at almost 1 AM. Around 2 AM, msfir and Vaints arrived in Bali and came to the apartment.

CTF Finals Day


schedule

The big day arrived, and we woke up at 7 AM to have time for breakfast and catch a taxi to the conference. We were the first team to arrive, but since we couldn’t access the room yet, the photographer took the opportunity to shoot some videos and photos of us. Let’s hope those videos never see the light of day.

Pre-CTF prep/photos

The room for the competition was stunning, boasting a table for every team along with a chic cube that showcased the team name, logo, and event theme. There was a big screen for the scoreboard, network cables neatly arranged on the tables, and a variety of drinks—water, juices, coffee, energy drinks—as well as food, all complemented by a picturesque view of the beach.

room

During the hour before the competition, after taking more photos inside the room with the big screen, we set up all the network cables and ensured everything was functioning properly.

prectf

CTF Finals

Before I dive into the details of the competition, let me introduce our team, which was composed of the following members in their respective dominant categories: Moriarty (captain), Kiona (infra/crypto), Aali (infra/rev), Vaints (pwn), msfir (pwn), Satoki (web), and myself, Bubu (web). It was awesome to meet and team up with the legendary Satoki, and I was really excited about it! His track record in web security and the research he does is always impressive and super interesting. He’s definitely one of those guys you want to keep an eye on because his work is always top-notch. I should mention that even though my English isn’t great, his English was even worse, which led to some hilarious moments during the CTF. At one point, I had to type something in Discord because he couldn’t understand what I was saying, and Moriarty and I watched as he copied my message, ran it through an English-Japanese translator, wrote his response in Japanese, and then pasted the translated English version back into Discord. It was so random! xD

team

Not everyone may know, so let me briefly introduce an A/D (attack/defense) CTF. The goal of A/D games is simple: participants aim to find vulnerabilities in each service, not only to patch them but also to exploit them in order to capture flags from the opponents’ machines. In this kind of competition, the network is typically closed during the first hour. The goal during this time is to check the services running on your vulnbox to answer questions like: What programming languages are involved? What category is involved (pwn/crypto, web/misc)? What kind of vulnerability do we think there is? For example, the message shown in the picture is the one I sent just ten minutes into the competition, after only a quick check of the services.

team

During the first hour, when the network was a bit slow, we extracted the code for the services to take a closer look and noticed some issues with the tool setup. I focused on the spacedj service during this time, and it was pretty straightforward to spot the vulnerability. The issue was a local file inclusion (LFI) due to the line os.path.join('/app/uploads', request.query.get('name')). The fix was really simple, and we didn’t lose any points on this service during the competition.

Executing the exploit wasn’t straightforward because the flag was stored in a file whose name was saved in Redis. Once the network opened up, I quickly noticed that other teams were using the file /var/lib/redis/dump.rdb, which they could read to retrieve the names. I didn’t know that Redis by default creates this file.
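As an added illustration (this is not the spacedj service’s code, and not the exploit we ran), the snippet below reproduces the os.path.join('/app/uploads', request.query.get('name')) pattern quoted above and shows why it is an LFI: when the user-controlled component is absolute, os.path.join() throws away the /app/uploads prefix, so a request with name=/var/lib/redis/dump.rdb reads the Redis dump directly, and name=../../etc/passwd escapes by traversal. Next to it is the kind of fix a service like this needs: resolve the path and refuse anything that does not stay under the upload directory. The upload root, the helper names and the sample request names are assumptions made for the example.

```python
# Added example, not the spacedj service's code: why
# os.path.join('/app/uploads', user_name) is an LFI, and a confined
# replacement. UPLOAD_DIR and the sample request names are assumptions.
import os
from pathlib import Path

UPLOAD_DIR = "/app/uploads"  # assumed upload root, as quoted in the post


def vulnerable_upload_path(name: str) -> str:
    """The pattern from the service: no normalisation, no containment check.

    os.path.join() discards every component before an absolute one, so an
    absolute name replaces the upload root outright; a relative name with
    '..' keeps the prefix but escapes once the path is opened.
    """
    return os.path.join(UPLOAD_DIR, name)


def safe_upload_path(name: str) -> str:
    """Return the resolved path only if it stays under UPLOAD_DIR.

    Raises ValueError for empty names, NUL bytes, absolute names, '..'
    traversal and symlinks pointing outside the directory (resolve()
    follows symlinks before the containment check).
    """
    if not name or "\x00" in name:
        raise ValueError("invalid name")
    base = Path(UPLOAD_DIR).resolve()
    # Path's '/' operator has the same absolute-component behaviour as
    # os.path.join(), so resolve first and then check containment.
    target = (base / name).resolve()
    if target == base:
        raise ValueError("name resolves to the upload directory itself")
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes upload directory: {name!r}") from None
    return str(target)


def is_confined(name: str) -> bool:
    """True if safe_upload_path() accepts the name."""
    try:
        safe_upload_path(name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed request names: one legitimate, two attacks of the kind
    # described in the post (absolute path to the Redis dump, traversal).
    for name in ("track.mp3", "/var/lib/redis/dump.rdb", "../../etc/passwd"):
        verdict = "allowed" if is_confined(name) else "rejected"
        print(f"{name!r:28} join -> {vulnerable_upload_path(name):36} safe -> {verdict}")
```

The containment check has to run after resolve(), not before: checking the raw string for ".." or a leading "/" misses symlinks dropped into the upload directory and encoded variants, whereas comparing the canonical path against the canonical base covers all of them.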

After that, I wrote the exploit, but we noticed again that the Farm wasn’t working properly. So, Satoki rewrote the script to submit the flags directly in the exploit instead of relying on the Farm. While it sounds like a quick process, it actually took a lot of time. These little mistakes really set us back and ended up putting us at the bottom of the final scoreboard.

Another potential vulnerability I noticed during the competition was the use of a custom dj.so file that the code was utilizing, which could be accessible to an attacker. Aali and I skimmed through the so file but didn’t find much—maybe a possible format string? I implemented a couple of preventive patches to check the data, but I couldn’t spend any more time on this during the rest of the competition because I had to focus on other services, like koshechko. I switched to focusing on koshechko because other teams were exploiting our service, and at some point during the competition, it ended up in a ‘mumble’ state.

This service wasn’t as straightforward as spacedj. First, it was written in Go, which I don’t have much experience with, and second, there was just a lot of code to sift through. After spending quite a bit of time trying to understand the service and going through everything, we noticed that Tulip wasn’t always working properly and was showing old logs. We traced the attack logs to figure out the exploit and the logic behind the issues, and we found some user deletions by attackers that might have caused the ‘mumble’ state. After that, we focused on getting the service back to ‘UP’ status without any issues, so we removed the volumes, I implemented a dirty patch and we restarted the service. My fix to prevent attacks was to drop all requests from attackers by comparing the user-agent to *python*. IIRC, after making these changes, the service ran smoothly and wasn’t exploited again. Unfortunately, for the rest of the competition, we weren’t able to exploit this service against other teams, which might have been because we just copied the exploit without fully understanding it or because the other teams had patched their services or had them down.

After 9 hours of drinking coffee and energy drinks, the CTF finally came to an end. Our team, thehackerscrew, snagged 7th place out of 8 teams. We were close to 6th, and I know we could have done better if it weren’t for stupid issues. Honestly, I’m not super happy with our result, but I think we all learned a lot from this experience and can definitely do much better in the next competitions!

rank

After-ctf

afterctf

After the competition, they opened up the glass wall of the room, and we enjoyed a buffet dinner and some drinks. Another fun thing the Drovosec guys set up was a live CTF-style competition with 1 vs 1 matches, which, of course, came with vodka shots. So, it’s definitely not just a stereotype after all!

afterctf

This live CTF was a 1 vs 1 setup where, after getting two volunteers, a random category was picked. Because of this random selection, a web guy from C4T BUT S4D, who was actually a super nice dude, ended up trying to solve a pwn challenge. After about five minutes of him struggling and having no clue what to do, he decided to just start displaying memes and capybara videos up on the screen! One of our teammates, Aali—the rev guy—decided to give it a shot. He got lucky with the category random selection and ended up with a Python jail challenge. He tried the classic trick for these situations: using breakpoint. But even though he was so close to winning, he couldn’t pull it off because the server kept crashing every time he used execute inside the breakpoint shell!

aali

The rev challenge was a tricky binary with tons of recursive calls, making IDA unable to display the graph view properly. At some point, one of the participants messed around with IDA’s settings, adjusting the max recursion limit (or something like that—I don’t remember exactly). But it worked, and he ended up getting the flag, as you can see in the picture below!

rev

There was also a web challenge that involved finding an accessible .git directory from the URL, plus a forensic challenge I can’t quite remember. After an hour or two, it started pouring down rain in true Indonesian style, so they packed everything up, and that was the end of the dinner/party.

General thoughts

swag

I had so much fun! Seriously, the organizers thought of everything: the infrastructure, challenges, room setup, drinks… They made the event feel super special with the big screen, those fancy team cubes, and the music when someone got first blood. They even added this silly but funny live CTF after the competition! This was my first finals, all the way on the other side of the world from my hometown, and I really had a good time! Finally, a big thanks to the organizers (drovosec), my teammates, and last but definitely not least, to our sponsor OtterSec, for making this trip happen!

otter

The SAS conference talks


conference

The day after the CTF was the conference, and we arrived at 9 AM to grab our swag. The t-shirt and the bag we got are both awesome! I think I prefer the CTF t-shirt, but honestly, both are high quality and look great. After seeing the hotel and the CTF room, I knew the talks room was going to be just as impressive, and it did not disappoint.

conference

At this point, our Indonesian team members had already taken off the night before, and after the first talk, Moriarty was leaving too. I really enjoyed the talks! They covered a wide range of topics, from super technical stuff like iOS, PS5, and Chrome to higher-level discussions on cyber threats. Some talks, like Satoki’s, were only 8 minutes long, and I’m still debating whether I love or hate that format.

We didn’t attend all the talks, but the two I enjoyed the most were Boris Larin’s presentation on a 0-day vulnerability in V8 that was exploited in the wild by impersonating a game company, and Satoki’s short talk on bypassing prompt filtering, which had a very CTF-like vibe.

talk1_boris
talk1_satoki

I have to confess that I skipped a couple of talks to hit up the hotel swimming pool instead.

hotelswimming

After returning to our apartment since we, as CTF participants, couldn’t go to the gala dinner, we ordered some pizzas and enjoyed some time in the pool.

The SAS conference Activities


On the final day of the conference, some activities were planned. The only ones left from our group were Kiona, Aali, my girlfriend, and me. We had no clue whether we were invited to breakfast or to participate in the conference activities. When we went to check out the breakfast, the hotel staff quickly stopped us, saying that you had to actually be a hotel guest to eat, and just being at the conference didn’t cut it. They offered to let us pay 25 euros for the breakfast – 25 EUROS! That’s nearly the cost of 10 breakfasts back in my hometown, all for just a couple of eggs and some coffee.

After that, Kiona and Ko left us to buy some souvenirs and didn’t join the activities. So, after all, Aali was the only one left with us. We weren’t sure if we could join the activities, but we definitely wanted to give it a shot. First off, they’re usually a lot of fun, and second, Aali was planning to head to Sanur while we were off to Mount Batur. If we could save some money on our way to the north, that would be perfect. When we spotted conference attendees at the hotel entrance alongside some minibuses, we decided to check it out. After a few minibuses filled up with people, we hopped onto the third one. It was a bit surprising that, despite being the only ones loaded with all our gear (two large backpacks), no one said anything to us. After an hour on the road, navigating through tolls and getting close to Ubud, we finally stopped to kick off the rafting activity. It was a lot of fun! It was a little less wild and less intense than I expected, but definitely worth it. Once we finished, we took showers and ate at a nice buffet nearby. My girlfriend and I said goodbye to Aali as we headed to Mount Batur.

rafting

On our way from Ubud to Mount Batur, near the lake, our driver pulled over at another coffee plantation. I had asked for a cheap spot to grab coffee, but he took us to another touristy place. Luckily, the views were pretty amazing, and we decided to try some Kopi Luwak or Poo coffee for around 4 euros (65,000 rupiah). In my opinion, the coffee was lighter than the typical European brew; it definitely had its own twist.

coffee

Volcano


volcano

The plan for our couple of nights by Danau Batur lake was to hike up the mountain and have some amazing views of the islands and the sunrise. The plan didn’t quite go as we hoped because my girlfriend was still feeling sore in her legs, and I was just really worn out. Plus, that amazing swimming pool tempted us to just chill and stay at the hotel for the day and both nights. We also needed to book a couple of things for the next few days, like our hotel and the boats.

While hanging out at the swimming pool, we struck up a conversation with some Australians and a Korean girl who was working in Bali. One of the Australians mentioned he was there for a psychologist conference (wtf? how many conferences are there in Bali xD). When I told them our plan for the next day was to head to Gili, the Korean girl’s expression completely changed. She told us that Gili is one of the best things she has ever seen in her life. She mentioned the beaches, the turtles, the sea water and the parties. Honestly, like I said before, I didn’t really look into Bali much before the trip, and most of the plans for after the conference were actually made by my girlfriend, even if we didn’t follow all of them. So, I was quite surprised by her facial expression in general.

Gili


gili

For the next two nights, we hopped on a boat and stayed in Gili Trawangan. On the day we arrived, after checking into our apartment, we headed to the beach a bit before sunset. On our first night there, someone in the room next to ours, along with a couple of other people, was singing and shouting at 3 AM! After about ten minutes of waiting for them to quiet down, my girlfriend shouted something like, “Can you turn off their music or something, please?” That’s when it clicked in my mind. Still half-asleep, I decided to take a shot at accessing the router. I tried some default credentials, and to my surprise, it worked! With only one eye open, I changed the Wi-Fi password, and just like that, the music stopped. I could hear them complaining about the Wi-Fi after that! So, we were able to sleep in peace for the rest of the night. In the morning, around 8 AM, we heard her complaining to the guy at the reception about the Wi-Fi situation. Before I could undo my changes, they reset the router with a new name and password. Luckily, I still had access to the router in case there was another issue the following night. Thankfully, it seemed like the girl checked out that day, so we could finally enjoy a peaceful night’s sleep without any interruptions!

gili

Our time in Gili was short but absolutely incredible. During our day there, we spent most of our time at the beach, and it was amazing! You could see tons of fish and turtles right by the shore. It was funny—if you spotted a group of people standing still or moving slowly in the same direction, chances were they were following a turtle. In just 3 to 4 hours in the water, we managed to spot four turtles, and we definitely got sunburned!

gili

Final Days and Returning Home


palace

During our last days in Ubud, we took it easy and enjoyed the slow life. We checked out Ubud Palace and the Ubud Water Palace, which were both beautiful. One night, though, we couldn’t even go out for dinner because it started pouring rain at 7 PM and didn’t let up all night long! We also stumbled upon a rice terrace near Ubud Palace, thanks to a random street sign we followed on our way back to the hotel. It was a beautiful surprise!

terrace

Before heading home, we popped into a supermarket and found the same coffee from the plantation priced at five times less! Being coffee lovers, we couldn’t resist picking up a few different types to take back with us. In any case, both the coffee we bought and the Kopi Luwak we sampled at the tourist plantation looked low quality for sure.

terrace

One last random fact: I got pretty bored of wasting time during all the traveling, so I started messing around with the in-flight entertainment tablet. Turns out, I managed to inject some HTML, CSS, and even probably JavaScript! Unfortunately, I couldn’t find a way to see the results of the JS execution or take things any further.

tablet

Random Pics


monkey
monkey
monkey
monkey

Thanks for reading!

Alberto Fernandez-de-Retana
Security Researcher

Kaixo! I’m a Security Researcher. My research interests include web security & privacy. In my free time I love to be pizzaiolo.