Root the Box
The Button

CactusCon is a great annual security conference in the Phoenix area. 2016 is my third and it’s been fun to watch it grow and change locations, eventually expanding into the Phoenix Convention Center. The past two years have seen all-day capture the flag contests in the form of Root the Box, an event and scoring engine of the same name developed by some locals.


The Button.

This year one Root the Box exercise was The Button, easily the most fun challenge I’ve yet seen. It’s a CAPTCHA, a countdown timer, there’s a big red button, and a scoreboard that updates in real time via web sockets - that’s it. Fill in the CAPTCHA, hit the button, and your score starts to change. Hit the button again and things change again - whether for the better or worse… that depends. Eventually you realize the CAPTCHA can be defeated programmatically and an intensely fun duel between scripts written by different teams ensues. An interesting meta-game follows. It was awesome.


My button script in action (click for YouTube).

the button

Unfortunately at some point I threw away the virtual machine I made for this Root the Box and that work was lost along with my screencaps of the scoreboard, etc. We, Savage Submarine, came in 2nd this year behind team bearwolf (congrats!).

Good times, looking forward to ‘17.