Smyler.net

The 404 CTF hacking competition was back in April 2024 for its third edition. Already the largest online capture the flag competition in France in 2023, It grew even larger in 2024.

After playing a significant role in the CTF organization last year, I was happy to focus on creating challenges this time, leaving the task to newer HackademINT members who did an amazing job.

I created 5 challenges for the CTF, focusing on Forensics and Threat Intelligence:

• De bons croissant au beurre was hard forensics challenge, for which players had to analyze the encrypted disk image of a Linux installation to find a PAM backdoor, leveraging BTRFS snapshots.
• Darts Bank was a medium forensics challenge built upon an idea from my good friend mh4ckt3mh4ckt1c4s. It involved a malicious powershell script that was eventually used to decrypt TLS traffic from Chrome.
• Coup de circuit was a series of three easy threat intelligence challenges.

I tried to make these challenges in a constructive and pedagogical way, and was thrilled by players' feedback on that regard.

A helm chart to deploy CTFd in a Kubernetes environment. The chart aims to be as versatile as possible and is able to configure CTFd to use both external dependencies (typically SaaS solutions), or to deploy its own inside the Kubernetes cluster.

This includes:

• a MariaDB database,
• a Redis cache,
• a MinIO S3 server.

The chart was initially developed for HackademINT, as we use CTFd quite regularly. It was first used in production in June 2023 on OVHcloud for the second edition of the 404 CTF, and was open-sourced in September 2023.

I still have improvement ideas, but the chart is already good enough most use-cases and is no longer a priority for me.

The 404 CTF is one of France's largest hacking competitions, organised jointly by the French ministry of defense, Télécom SudParis, its cybersecurity club HackademINT, and OVHcloud. It takes place online between June and July and usually gets around 2500 active participants, the best of which are invited to Vivatech for the price ceremony.

I was involved in the organization of the 2023 edition as HackademINT's vice-president for the year, mainly be managing the Kubernetes-based infrastructure and by overseeing the creation of the 102 challenges by HackademINT's members.

I also created a few challenges myself for the cloud and forensics categories, which in one case involved deploying an Active Directory infrastructure on Vagrant and developing a DNS reverse-shell in Microsoft C++ (Le Cracken).

This year-long project is probably one of the most valuable experience I ever lived.

In 2022, I had the opportunity to contribute to the organization of the first edition of the 404 CTF. I was tasked with the creation of the Discord server along with the development of the associated bot and its companion CTFd plugin. I also helped deploy some challenges on the competition's Kubernetes cluster, which was a valuable experience for the 2023 edition.

I also created 6 challenges in total,

• one introduction challenge for the Forensics category, where participants had to recover a deleted file from a floppy disk image,
• four steganography challenges involving nested PNG files with techniques of gradual complexity (beginner to insane),
• and one insane level challenge, involving a partially blind exploitation of CVE-2021-44228 (log4shell) in a Java 17 application to retrieve the content of a private field.

This was a very fun experience, which was also a great occasion to learn from HackademINT's, senior members before walking in footsteps the next year with the 2023 edition.

Hodos is a school project I worked on with a few friends. Our goal was to create a web-based fantasy map generator, and we took on the occasion to explore technologies like WebGL, and technics like Voronoi diagrams. I was mainly responsible for the WebGL renderer and the general architecture of the application.

Terramap is a map interface based on OpenStreetMap for the game Minecraft. It is specifically tailored to assist builders of the Build The Earth project in their endeavor to rebuild the Earth in Minecraft. Its high versatility and wide range of features has allowed it to build a solid user base and to be translated to 9 languages,

Terramap is a passion project I work on in my free time.

Litemapy is a Python library that provides support for the litematic file format used by technical Minecraft players. These files are based on NBT and store voxel data in a bit-packed array using a palette.

Litemapy's user-base is mainly made of Minecraft hobbyists with often very little programming experience, so I try to keep the library as high level as possible and to abstract away the complexity of underlying file format as much as possible.

I originally developed Litemapy for a friend because of the lack of viable alternatives. It is mostly feature complete and well documented, and now only requires occasional maintenance over on GitHub.

StegPNG is a Python library that implements the PNG specification in a way that makes it easy to manipulate files at a low level from a Python shell. This is mainly useful to explore steganography technics that take advantage of the file format, and often comes in handy during CTF competitions.

I initially started working on stegPNG as I was solving a challenge involving a corrupted PNG file on DefendTheWeb, and refined it to create the PNG steganography challenges from the 2022 edition of the 404 CTF.