This weekend InfoSecIITR participated in TAMUctf 2024 which is a very competitive CTF event. At the end of the competition, we managed to secure a good position, the admins made a public post claiming that we had cheated, and were disqualified from the competition, due to a person from our team requesting help from other members in Discord.
We've successfully addressed all the challenges in a legitimate manner, and we've provided screenshots and scripts showcasing the solutions for all the challenges solved by us. All the related screenshots and scripts can be found here. Additionally, we achieved three first bloods, with two in cryptography and one in forensics.
It was discovered that a first-year student with the Discord handle r4d4r_b, who had joined our team as a provisional member in March 2024, was found requesting help from other teams on Discord, of which the team was not aware. We do not encourage any such activities involving flag or hint sharing, and we are totally against it.
At 7:19 PM IST (8:49 AM CDT), r4d4r_b sent a screenshot with a flag. Immediately after seeing the screenshot at 7:20 PM IST (8:50 AM CDT), we instructed them to refrain from submitting the flag with a strict warning. Additionally, we were not aware that r4d4r_b asked other users for hints. We were only aware about him receiving a flag from a random user name j4ck5p4rr0w.
However, regardless of our warnings, another first-year student with the Discord handle f4lc0n, who had also joined our team as a provisional member, submitted the flag at 7:24 PM IST (8:54 AM CDT) that was given to r4d4r_b by the admins using a fake account, despite strict warnings from us to refrain from doing so.
Both the accused in this malpractice have been permanently removed from all InfoSecIITR related activities, and further investigation is ongoing in collaboration with other teams and our alumni. We would also like to extend our thanks to TAMUctf administrators for their assistance with technical information.
We would like to reiterate the fact that InfoSecIITR CONDEMNS malpractices and cheating in CTF events. CTFs are meant to be fun and educational and such activities ruin the experience for all the participants. We solemnly believe that the hacker spirit is about understanding software and their potential vulnerabilities and NOT breaking/bending the rules. Our previous participations are a testament to this, where we have secured varying positions based on performance without resorting to unfair means.
Nevertheless, we believe it is our responsibility to thoroughly investigate this issue and track down every detail to prevent such an incident from occurring again. We have kept our CTF community in university open to all the students (especially those who WISH to be a part of the core team) to promote CTF participation and encourage knowledge transfer. HOWEVER in doing so we have failed to monitor unethical activities among these students. We are taking strict measures to rectify this issue.