This whole journey started not so long ago. It was a dark and stormy night, and I looked at the leaderboard of the CTF I was doing. I saw an unfamiliar team: “THEM?!” Oh, the aura emanated from that name. Checking the Discord server of that CTF, I saw some members spamming recruitment for this team. “THEM?! on top!” was a common phrase I was observing. My curiosity was piqued, and I decided to join their server. Immediately, you are welcomed with roles glazing FMC (Friendly Maltese Citizens) and WWF (World Wide Flags), to state a few examples. I was surprised. Was this a good team?
From my friends, I heard that this team thinks they’re in a merger with FMC! Unironically, they flex this. With this in mind, I started my journey of trying to get into THEM?!
Before you begin, I recommend you read this with at least 200% zoom. I’m sorry I couldn’t make the pictures bigger, as it would take up too much space.
Figure 1: Initial Application of ashley!
Here is what the application refers to:
Some questions
While you wait for someone to respond, if you could answer the following questions now, it would make the process go much quicker:
For this team, I decided to say I was not on any other teams in the past and that the main category I did was OSINT. Why? Because OSINT is relatively easy, and I just wanted to see what this team was about.
Figure 2: Me answering the OSINT challenge. For application safety, I have decided not to attach the picture they gave me.
Immediately, you could tell something was off. How does the moderator not know the answer?
By the way, if anyone wants to give any Victoria’s Secret body spray recs, dm cacti.
Figure 3: Me answering the other OSINT challenge. For application safety, I have decided not to attach this picture as well.
I “taunted” Pavel, as the quality of the image was quite horrendous.
Figure 4: I randomly get rev?
Well, this is a surprise. They decided to just give me REV. Keep in mind ashley! is not a rev main at all.
Figure 5: Apparently, my OSINT was wrong. It’s ok. They apparently make all of their own challenges.
Figure 6: Pavel corrects Nitai.
Low-key, Pavel was a real fella here. He admitted that they didn’t make the challenge. Also, how do I know they gave out blargh before? Thanks to <redacted>, I found out about how “original” they are.
Figure 7: I give the flag for rev.
At this point, <redacted> thinks it is a good idea to ask for a pwn, because we wanted to see if we would get blargh. They also asked for write-ups, so I just gave them a random write-up.
Figure 8: The challenge they gave me, as well as a random write-up online.
Figure 9: Write-up complete, and Pavel tells me he needs to sleep. Why?
Figure 10: I decided to ask a question to the team. According to Starry, this is Nitai’s “own” challenge.
For those who do not know, whether or not ASLR is enabled is not recorded in the binary; it is a setting of the system the binary runs on. PIE was not enabled, meaning the binary’s code had a constant base address, but if ASLR was enabled, the stack and libc addresses would still be randomized. (This was kind of a dumb question, as I knew ASLR is on 99% of the time, but at the same time I wanted to gauge their response.)
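The distinction above, as an added example that is not part of the original post: whether the code base is fixed is read from the ELF header's `e_type`, while ASLR is read from the host, here Linux's `/proc/sys/kernel/randomize_va_space`. The function names and the sample header bytes are constructed for illustration.

```python
import struct

ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification


def elf_type(header: bytes) -> int:
    """Return e_type from the first 18 bytes of an ELF file."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    # e_ident[EI_DATA] (offset 5): 1 = little-endian, 2 = big-endian
    if header[5] not in (1, 2):
        raise ValueError("bad EI_DATA byte")
    endian = "<" if header[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    return e_type


def randomized_regions(e_type: int, randomize_va_space: int) -> dict:
    """Which mappings move between runs, given the binary and the host setting.

    ET_EXEC is a non-PIE executable with a fixed load address. ET_DYN is a PIE
    executable (shared objects use the same value, so this assumes the file is
    an executable). Sysctl values follow the kernel docs: 0 = off,
    1 = stack/mmap/vDSO, 2 = additionally the brk heap.
    """
    aslr = randomize_va_space > 0
    code_moves = aslr and e_type == ET_DYN
    return {
        "main binary": code_moves,
        "stack": aslr,
        "libc (mmap)": aslr,
        # in mode 1 the brk heap starts right after the binary, so it only
        # moves when the binary itself does
        "heap (brk)": randomize_va_space == 2 or code_moves,
    }


def host_aslr(path: str = "/proc/sys/kernel/randomize_va_space") -> int:
    """Read the host-wide setting; this is the part the binary cannot tell you."""
    with open(path) as f:
        return int(f.read().strip())


def sample_header(e_type: int) -> bytes:
    """Constructed 64-bit little-endian ELF header prefix (e_ident + e_type)."""
    return b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack("<H", e_type)
```

The sysctl is only the host default: a process started with `setarch -R` (the `ADDR_NO_RANDOMIZE` personality) runs without randomization regardless, which is why the question has to be answered by whoever hosts the challenge.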
Figure 11: They finally told me if it was enabled.
Also, the whole team got added to my ticket. I don’t know why. 0day over here advocating for me, what a nice fella.
Figure 12: Nitai is laughing when I said I have a solve but won’t tell him to see if he did it.
Also, let’s shout out damwan21 for their good anime taste. I personally enjoy this anime a lot, and I recommend you all watch it. Additionally, keep note of Aaaaaa?!
Figure 13: The team is in my ticket.
Aaaaaa confesses to me. Do we have a potential pedophile? Nitai thinks I am funny.
Figure 14: They like talking to me. damwan21 accurately says they need another challenge for OSINT.
damwan21 has some braincells.
Figure 15: The whole team is here. Pavel makes a joke about my username and admits that nitai didn’t make the challenges. They want my solution, and think they are better at OSINT.
Figure 16: I get asked about Victoria’s Secret, my solution, and how I am an OSINT main.
Let’s note cacti?! She is a good person who really likes perfumes. Honestly, I do not know that much, but I just said what I knew.
Figure 17: Me stating the real source of the pwn they gave me. Big props to <redacted>, they spent hella time on it and almost got it.
I also shit talked the OSINT, but that was because it was horrendous. But for safety, I cannot expose the pictures.
Figure 19: I talk about Victoria’s Secret’s scents.
I had to keep my cover here, and I didn’t know what else to do.
Figure 20: I ask a question, and leak the source of their pwn challenge.
Aaaaa?! was kind of scary. Why was bro trying to e-date me without knowing anything? Also, Nitai is really good at OSINT, according to himself, but the results don’t show it.
Figure 21: I show them more screenshots.
I ask why Starry lied to me, and this guy Aaaaaa?! really wants me on the team. I don’t understand how down bad one has to be.
Figure 22: Surprise.
Taokyle is surprised they stole pwn challenges. However, they assert that they make their own rev and osint challenges. Do I doubt that? Not really. From <redacted>, “whenever they make their own challenges, they’re completely shit”.
Figure 23: My ticket was closed, so I make a new one.
My ticket was closed, probably by Nitai. So I made a new one. Here, we see Pavel?! being a good guy. He agrees that they lied, and reads the past messages to analyze what exactly happened.
Figure 24: <redacted>’s wrong, but convincing solve, and Pavel.
He agrees that Nitai was out of line, and is potentially interested in having me on the team.
Figure 25: Pavel message.
He directly messages me and apologizes for his partner’s behaviour. Honestly, props to him. He realized the other people’s mistakes and genuinely seems like a good guy. I just wish he stopped spamming “THEM?! on top” everywhere.
Figure 26: Uh..
So somehow we still got Ms. Victoria Secret in the conversation. I kind of feel bad as I barely know shit, but she was pretty nice so I just left it going. I think the team is really nice as people, but there are some prominent issues.
Figure 27: Nitai is clearly pissed.
Figure 28: Random mod who is chill.
Remaining figures: Pavel wants me on the team, and I guess I did enough work to get on it. God’s work.
Conclusion:
Honestly, this team ain’t even that bad. They seem chill, but they have to stop spam advertising everywhere, and their “application” is a complete fucking joke. If you want to, at least make real, hard challenges, and know how to solve them. Props to some people who were really nice to ashley!, but some people need work.
Anyways, I wanted to end this with a quote from <redacted>:
“waitt this is basically just the ctf fraud watch equivalent of jidion’s EDPwatch. The team starts apologizing after they get revealed as frauds like how the preds start apologizing when jidion catches them in 4k. All in hopes that they dont end up on tv. our version of “tv” here is the writeup”
bless up.
– ashley!