First ctf here too. Though some people are claiming people were posting answers to irc, I didn't see that happen once. Though, I didn't start lurking until I got stuck on level 5.
What I did see was an awesome group of folks willing to help nudge others in the right direction. Many folks would stick around in prior level channels once they solved the level and offer pointers as to what to look for and where to look for it. Awesome.
I convinced myself it wasn't "cheating" because a) I'm a total noob, and b) sometimes pentesting happens with a team where people bounce ideas off one another.
I spent probably 20 hours trying to finish level 8, and even though I didn't end up getting it, this was a great experience. I'm fully inspired to get better at python and actually ctff next time.
Also, again, awesome how cool the people in irc were.
I spent a lot of time on IRC in #level8, but people were good enough to not just post the answer. Somebody let me bounce my ideas off of them, and they helped me just step back and think clearly, which was all I needed to get it.
Most of the time, folks on IRC made this sound way harder than it actually was (my mistake!). That threw me off as I started premature optimizations with threads, pipelining and multiple async webhooks. Spent a lot of time there, and eventually I couldn't get it working on the production machine. Then I just wrote the 'naive' solution and that just worked fine.
I saw the full solution (not the code, of course, but the idea) posted in #level8 several times when I was hanging out there on Friday. There was also another channel called #level8spoilers or something that posted the full solution with even more frequency.
I received an explanation of the level 8 vulnerability via private chat, after hanging around in IRC for ~10 hours. By that point, I knew about (and easily implemented) SSH, and had inferred several other useful tidbits, but didn't quite understand the port-counting vulnerability. Partly, as I had a mental block against "timing attacks" based on the instructions ... this was not technically a timing attack, but was certainly very timing dependent.
I jumped in the irc on level8 to see if people were hitting the same issues as me. It struck me that people were conducting themselves very well.
Awesome data for Stripe to hire against - they have a list of very technically competent people and a log of how they conduct themselves in a public forum.
Agreed, the IRC channels were fantastic while I was still working through the levels, but when I joined much closer to the end (the last few hours before it ended), there seemed to be a fair amount of people just asking for code to run, and a few people obliging. It was really kind of disappointing after working all weekend on level 8, to see someone complaining that they only had two hours to get someone else's script working and needed help.
Heh... admittedly I didn't spend much time in irc in the waning hours. Was trying desperately to get my code to work. But yeah, that's kind of a bummer.