Bad CTF. Some challenges were modified after we started working on them, then they announced that they were recompiled, we restarted the work, then they quietly changed them AGAIN, no announcement at all. For a reversing challenge, after 12 hours they released a hint saying "you need this: [some_url]"; well is it a hint or something required to solve? As you can imagine, after some time they gave out more of the "hint", then they changed the "hint" with something completely new. Actually this was a challenge that also appeared in Defcamp CTF in 2013 and 2015 finals (exact same task), but this time they changed something and made it unsolvable (the second hint was that they forgot to add the ciphertext to the task, the third hint was to undo the change that made it unsolvable)
Misc150 was purely guessing, until the "hint" was added no one achieved the necessary mind-reading skills to figure it out. Hint added=> instant solves. Good job... And to top it all off, exp400 was released just a few hours before the ctf ended, and the so-called "author" went to sleep. Yep, it wasn't solvable. This is a recurring theme for Defcamp CTF, "one of the most shattering and rebellious security CTF competition in the Central Eastern Europe. ". So rebellious that they don't even have working solutions for their tasks. We participated in the finals last year and it was the same story: unsolvable tasks, countless recompilations with the promise that "now i think it should work", but they didn't have exploits written and tested (why bother when you are rebellious?). I really would have liked to enjoy this CTF being Romanian myself but the quality is just horrible.

@Sin__ while there were some technical issues, I wouldn't be that harsh.
For Rev400 if you could reach the stage 2 you would instantly realise that the ciphertext was missing (as we did) and the admins instantly added the missing data. Since no-one contacted them before we did I presume no-one got even that far (which was not an easy thing to do). The fix was marked as [UPDATE] and not as hint, and was announced. It's true the task was broken, but again it was quite obvious to spot and admin posted another update when we contacted him to clarify this. While the last part of the task was similar to the one from previous editions, the first 2 stages were new, and rather hard on their own. So while there were issues with the task (fixed by admins) the level of this task was really nice.
Misc150 was just broken, hints had nothing to do with it. Once it got fixed people got instant solves because it was that easy to solve.
As for Exp400 I don't know if it was solvable or not. We didn't manage, neither did any other team, but that doesn't mean it was impossible.

It's true, however, that admins should have solvers/exploits ready and prepared to be run against deployed tasks to confirm they are working and can be solved. At the very least there were always some admins in the IRC channel and they fixed the reported issues right away.

@Pharisaeus. Ok, you are correct, it was posted as UPDATE not hint, I just rechecked. But that doesn't explain the "234" to "128" change. As I said, this task was also used in 2015 finals and 2013 quals (when some other tasks were taken from wechall sites). So i suspect the "author" just modified the number without checking for an actual solution (had he tested the task beforehand and knew for sure it is solvable he wouldn't have reverted the change right?). As for the exploit challenges, last year in the finals do you really not remember the challenges that were not solvable and were recompiled a dozen times? We asked them if they have working exploit scripts and they said they don't need any. Ok, you're talking about exp400 which may or may not be solvable (i tried even symbolically and it didn't yield anything), but what about exp100 and exp200? The initial versions were not solvable (exp100 had fortify source enable), moreover, exp200 was a task intended to be solved using ssh (it took parameters from argv) and they just dropped it into socat. For me at least, this is clearly the work of someone who doesn't know what he's doing.

@Sin__ as I said for Re400 the last step was re-used (we even pointed this in our writeup, just linking to the previous solution), but then again we played most of CTFs this year and a lot of tasks are very similar / have identical "core" part. Also technically this was solvable even with 234, however we would require much more ciphertext for the attack, few MB at least ;)
I remember what was happening at the finals last year. In comparison this year's quals were actually a huge improvement, binaries were recompiled only once or twice! ;)
As for Exp100 and 200 as I agree with you that they should have had exploits ready and check if it still works before releasing the challenges.

I guess the biggest issue with "broken" challenges is always that you simply don't know if it's broken or you're just not good enough, and you waste time trying to find a solution, which is simply not there.

Dear @Sin__,

I'll do my best to answer your "constructive" feedback:
- "Exp100 & Exp200 were recompiled and different" - Actually the binaries were mixed up, so you basically didn't have to start all over again. Updates were online on all the communication channels.

- "For a reversing challenge, after 12 hours they released a hint" - As Pharisaeus said previously, we haven't realised this until a team notified us. That's why we had irc & telegram support - to fix if something is broken/or crashes during competition. And we did all our best to do that.

- "this was a challenge that also appeared in Defcamp CTF in 2013 and 2015 finals" -> this was similar, agree, but why reusing/changing challenges ?

- Misc150 was guessing until at some point, totally agree

- "exp400 was released just a few hours before the ctf ended [...] it wasn't solvable" - i can tell you that you don't know how unfair is to launch a competition on the opposite timezone of the teams - this was one of the reasons we've launched the problem so late; if it's unsolvable or not, we will see, but that is just a challenge

- Summing up, Exp100+Exp200+Misc150+Exp400 were "incredibly worse" from your perspective. 4 out of 16. Moreover, 2 of 4 were "unsolvable" only in the first 2-3 hours of the competition when all shitty things are happening. What about the rest of the challenges?

- "I really would have liked to enjoy this CTF being Romanian myself but the quality is just horrible." - I'm totally agree that you are a 100% Romanian with your previous attitude. We always had better support and constructive feedback from foreign teams, comparing to local "experts" and we did literally all our best to make it better, even with limited human resources we have.

- you should know that DCTF is done because it's challenging, it's fun and usually we come up with cool challenges that overall give a great experience even though sometimes it happens to fail some of them. It would be cool to see people like you who come up and tell us that we are doing a really bad job but also offer their help to do improve next time. But is easier to throw with shit without doing anything to make it better.

To sum up, I'm totally agree with you that we shouldn't have untested challenges in the production environment and we don't have any excuses for those challenges which didn't worked as expected from the beggining, but I'm totally against this kind of "feedback" and I strongly recommend you one of the following:
1. come and help us to do it better next time
2. do not play at d-ctf if you know it's bad, you are the owner of your decisions; moreover, there are some guys behind this shitty ctf which each year voluntarily come and build everything as better as they can with their limited time & resources and is very depressing when they see this kind of feedback
3. build your own better ctf and I promise will learn from you and even support your contest

Mr. @Sin__,

I, personally, am very grateful for your feedback and I'm looking to find some more time and effort to invest into improving the quality of this CTF so that you will be pleased next time. You must understand that we are offering you a CTF for free and besides that, the chance to win some good cash (as you almost did in last year's final) so be grateful for what's given to you or please pick something of better quality to train and/or earn money. So, Mr. Radu (CA)ragea [hint: 10/3 = ?], I hope to see you in the final round where I can personally assure you there will be no such minor problems as the ones from the qualifying round where our resources were extremely limitated so we had to do our best as we were able to, like reusing challenges who's decryption key was just like "we love players that read writeups or have a good memory" ... so guess what, nobody was trying to hide the fact it was a slightly modified and reused problem.

Yours sincerly,
Daniel

@andrei, you seem to have misunderstood me. "But is easier to throw with shit without doing anything to make it better. " throwing with shit would have been to rate this 1 and to say "it's shit, the organizers are stupid, don't ever play!". It wasn't my intention to do this, nor did I transmit this message through my comments. My frustration comes from the fact that you do not seem to learn from mistakes and feedback. As I told you last year in the finals in person: you need to have working exploit scripts PRIOR to releasing challenges (actually, multiple teams came to you and told you the same thing); and reusing challenges does not make a CTF good: it only favours the people that have had lots of experience :it discriminates against the new people in the community who get discouraged by the fact that teams already have full solutions lying around while they have to waste time and build them from zero. I will say it again: I would have liked to enjoy this CTF (Defcamp CTF 2012 was my first CTF and what got me into this community) but it doesn't seem to improve and rise to its potential. If you use the same people you will only get the same results, you should know this by now.

@andrei
Now to answer your comments regarding challenges.

- "Actually the binaries were mixed up, so you basically didn't have to start all over again. Updates were online on all the communication channels." . The LAST update on exp100 and exp200 was at " Sep 24 2016 08:12:01 UTC". I redownloaded them at 08:15. After this, there was no further announcement on these tasks. Flags started pouring in when you modified them again later (for example exp100 around 10:00, you can check the first blood scores, I just did! ) So your explanation is simply not true here. Moreover, task2 was completely replaced, not just recompiled, mixed up.

- "As Pharisaeus said previously, we haven't realised this until a team notified us." Fair enough

- " this was similar, agree, but why reusing/changing challenges ? " I explained this already. I assume you as a promoter for the security scene, want more (new) people to get into this. If you give the same challenges, new people don't stand a chance.

- " this was one of the reasons we've launched the problem so late; if it's unsolvable or not, we will see, but that is just a challenge" . When I asked him regarding another challenge (Misc 100 to be exact) he said that he was still working on exp400, so your reason does not count. Whether it's unsolvable YOU should be the one to know this. Releasing a challenge that you have no solution to is an insult to the players. Seriously, you can't be of a different opinion here! If you really want to see whether it's solvable or not label as such (solution unknown) or similar.

- "What about the rest of the challenges? " I played mostly alone in this CTF, so as for the Web tasks I have no idea. I only touched the Reversing and the Exploit challenges and Misc100. (regarding Misc150 I only judged from outside, seeing the announcements and flag submissions increasing drastically from a moment on). Rev100 200 and 300 were ok. Exploit 300 was really good. On the others you already know my opinion.

- "We always had better support and constructive feedback from foreign teams". Yep, but the feedback I saw them giving you (like having working exploit scripts) you have not integrated it. So is it actually useful to spend time to give you feedback?

- "is very depressing when they see this kind of feedback" . Trust me, it is depressing for me too to see this local CTF not taking off and making it into the top CTFs.

@hertz, I'm not sure what you're trying to prove by posting my full name online. Also, sending me threats as private messages will not work as well. It's just digusting. If you want to continue this childish behaviour you know where to find me.

@andrei, I forgot to add: for the Web tasks the team mate who worked on them (I am fairly certain that he) has already given the author his feedback.

always good CTF

Well that escalated quickly!

http://imgur.com/gallery/8T2VUv8

the nice <a href="http://google.com/">game</a> post thanks