I made a chat service where you can have CTF-related conversations using ctftime MCP!
Oh, but it's still in beta, so I haven't actually applied MCP to the service yet and am just testing... there shouldn't be any problems, right?
- The MCP server may take some time to start up (3-5 seconds)
- The challenge can be solved without a Claude API key
- Use "localhost" instead of container names in the instance server
First, I would like to express my sincere gratitude to all players who attempted the CTFinder challenge! Actually, after creating this challenge, I expected it would be quite difficult.
However, more teams solved it than I anticipated, and after checking most of the solvers, I realized that the intended solution I had in mind never showed up. (When I last checked, no team had solved it with the intended solution. If any team solved it with the intended approach after I checked, I would like to express my great gratitude to them!)
I had a lot of concerns while creating the challenge. There were parts where I suspected unintended solutions might exist, but I thought the challenge would become very messy if I patched all of them, and I also thought that even if unintended solutions did occur, they wouldn't be simple ones.
In the end, unintended solutions did occur through the vectors I suspected, and I think that is why many teams approached the challenge from the unintended direction.
Therefore, when only 2-3 teams had solved the challenge, I originally considered quickly releasing a revenge challenge with the unintended solutions patched. However, after much consideration, I ultimately decided not to.
Even after checking the code with the unintended solutions patched, I could still see parts that could potentially be bypassed, and there was not enough testing time to patch the unintended solutions definitively.
Yes, so in the end, I died.
I thought that if I didn't block every potential unintended vector, it would ultimately amount to giving double points to the teams that had already solved the challenge. Additionally, I actually had to be away for about 20 hours during the CTF period. (I had to take a flight from Korea to LA.)
So ultimately, I judged that there was not enough time to adequately test, deploy and review a revenge challenge, and decided not to release one.
Therefore, I wrote this writeup in detail to explain the original intended solution of the challenge to as many people as possible. (Some people said this challenge was guessy, but I guarantee that I didn't put even a single guessing element into it.)
This challenge was built around the concept of a chat-based web service where users communicate directly with an LLM through the Claude API, with responses streamed back.
The challenge includes a custom-implemented MCP server whose main job is to handle all CTF-related lookups (team search, upcoming CTFs, rating-based CTF comparison, detailed CTF event descriptions, etc.) through the ctftime API.
The challenge consists of 4 containers in total: a web server (web), an administrator bot server (bot), an MCP server (mcp-server), and a redis server (redis) that is connected to the service for caching.
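To make the mcp-server/redis part of that layout concrete, here is an added sketch (written for this writeup, not the challenge's own code) of an MCP-style tool layer: a few ctftime lookups exposed as `tools/call` tools, each with a strict argument schema, behind a small TTL cache standing in for redis. The tool names, their argument schemas, the cache TTL and the sample ctftime responses are all assumptions; only the ctftime API base URL and the JSON-RPC `tools/call` shape are real.

```python
"""Added sketch of an MCP tool layer over the ctftime API with a cache in front.
Illustration code for this writeup, not the challenge's server; tool names,
schemas, TTL and sample responses are assumptions."""
import json
import time
from typing import Any, Callable

CTFTIME_API = "https://ctftime.org/api/v1"  # real base URL of the ctftime API

# Tool catalogue: each tool declares exactly which arguments it accepts and how
# they map onto a ctftime endpoint. Names and schemas are assumptions.
TOOLS = {
    "upcoming_ctfs": {"args": {"limit": int},
                      "url": lambda a: f"{CTFTIME_API}/events/?limit={a['limit']}"},
    "team_info":     {"args": {"team_id": int},
                      "url": lambda a: f"{CTFTIME_API}/teams/{a['team_id']}/"},
    "top_teams":     {"args": {"year": int},
                      "url": lambda a: f"{CTFTIME_API}/top/{a['year']}/"},
}


class TtlCache:
    """In-memory stand-in for the redis cache: one (value, expiry) per key."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self.ttl, self.clock, self._store = ttl_seconds, clock, {}

    def get(self, key: str):
        hit = self._store.get(key)
        if hit is None or hit[1] < self.clock():   # missing or expired
            self._store.pop(key, None)
            return None
        return hit[0]

    def put(self, key: str, value: Any) -> None:
        self._store[key] = (value, self.clock() + self.ttl)


class ToolError(ValueError):
    """Carries a JSON-RPC error code alongside the message."""

    def __init__(self, code: int, message: str):
        super().__init__(message)
        self.code = code


def validate_args(tool: str, args: dict) -> dict:
    """Accept only the declared argument names, each a non-negative int,
    so nothing but well-formed values ever reaches the URL builder."""
    spec = TOOLS[tool]["args"]
    if set(args) != set(spec):
        raise ToolError(-32602, f"{tool} expects arguments {sorted(spec)}")
    for name, typ in spec.items():
        value = args[name]
        if isinstance(value, bool) or not isinstance(value, typ) or value < 0:
            raise ToolError(-32602, f"{name} must be a non-negative {typ.__name__}")
    return args


def call_tool(tool: str, args: dict, fetch: Callable[[str], Any], cache: TtlCache):
    """Run one tool and return (result, served_from_cache)."""
    if tool not in TOOLS:
        raise ToolError(-32601, f"unknown tool {tool!r}")
    url = TOOLS[tool]["url"](validate_args(tool, args))
    cached = cache.get(url)
    if cached is not None:
        return cached, True
    data = fetch(url)          # an HTTP GET against ctftime in the real service
    cache.put(url, data)
    return data, False


def handle_request(raw: str, fetch: Callable[[str], Any], cache: TtlCache) -> dict:
    """Serve one JSON-RPC 'tools/call' request in the shape MCP uses."""
    req = json.loads(raw)
    params = req.get("params", {})
    try:
        if req.get("method") != "tools/call":
            raise ToolError(-32601, "only tools/call is implemented here")
        data, _ = call_tool(params.get("name", ""), params.get("arguments", {}), fetch, cache)
        return {"jsonrpc": "2.0", "id": req.get("id"),
                "result": {"content": [{"type": "text", "text": json.dumps(data)}]}}
    except ToolError as e:
        return {"jsonrpc": "2.0", "id": req.get("id"),
                "error": {"code": e.code, "message": str(e)}}


# Constructed stand-in for the ctftime API so the example runs offline.
SAMPLE_RESPONSES = {
    f"{CTFTIME_API}/teams/1/": {"id": 1, "name": "example-team", "rating": {}},
    f"{CTFTIME_API}/events/?limit=2": [{"title": "Example CTF A"}, {"title": "Example CTF B"}],
}
FETCH_LOG = []   # every URL the fake backend was asked for, to show cache hits


def fake_fetch(url: str) -> Any:
    FETCH_LOG.append(url)
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    cache = TtlCache(ttl_seconds=60)
    req = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                      "params": {"name": "team_info", "arguments": {"team_id": 1}}})
    print(handle_request(req, fake_fetch, cache))   # first call fetches from "ctftime"
    print(handle_request(req, fake_fetch, cache))   # second call is served from the cache
    print(FETCH_LOG)                                # the backend was hit only once
```

The cache key is the fully built ctftime URL, so two chats asking for the same team share one upstream request, which is the point of putting redis next to the MCP server; the schema check in `validate_args` is what keeps the tool surface to exactly the integer parameters each ctftime endpoint takes.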