etc

DEF CON 33 CTF Review

On the way to Zion Canyon, Utah

Translated from the original Korean post published on my blog.

This August, my very first DEF CON came to a close. From Friday, August 8 to Sunday, August 10 (Pacific Time, UTC‑8), I competed in the DEF CON 33 CTF finals — billed as the world’s biggest hacking competition — as part of Team Cold Fusion.

And we finished 10th out of 12 teams. Our Cold Fusion roster was entirely Korean. For this year’s DEF CON, well‑known domestic teams — PLUS, CatFlag, null@root, and others — formed a coalition, and roughly a hundred players took part together.

To be upfront: I didn’t make a meaningful contribution to the team this time. But I just want to leave a straightforward write‑up. I won’t exaggerate my role just because the team made the finals—especially for a stage I’ve dreamed of since my middle school age and a contest of this scale.

1/ Which challenges did I work on?

I primarily focused on two problems: nilu and hs.

nilu

nilu was a reverse‑engineering task against a binary that interacts with SQLite. I even fired up IDA — something I hadn’t done in ages — and tried all sorts of things. But I haven’t done binary work for a while, and I felt a real skill gap in both analysis speed and root‑cause vulnerability analysis compared to other memebers. By the time the problem was solved, there wasn’t much I could add.

hs

hs was a prompt‑injection challenge against an LLM‑based service to extract a flag.

During my military service I had been impressed by the book named The Best Prompt Engineering written by Jin‑Jung Kim, who is the one of the best researcher for AI, and I had also built a small LLM service using the OpenAI API’s 4o model to mimic the speech style of KBO Commissioner Heo Koo‑yeon¹.

On top of that, I had played through Gandalf, a prompt‑injection wargame. So for the last two days I stuck with hs, which was squarely in my comfort zone. I led discussion in the Team Cold Fusion Discord to set direction — but in the end, we couldn’t solve it.

The service chained two LLM assistants in series:

A highlighter that read a given document and, based on the user’s query, located relevant passages.
A summarizer that read the passages pulled by the highlighter and produced an answer/summary.

It looked roughly like this:

You could query the documents the assistants were trained on, and the two models would produce an answer. From observations during the contest, we inferred that:

The assistants had been trained on a Wikipedia article—first Air pollution, later Light pollution—with a flag inserted into the text.
The backend was using an OpenAI LLM.

From there, we hypothesized that:

If the highlighter couldn’t find what was asked for in the document, or
If the summarizer detected a flag in the highlighted text,

…then the system would respond with “No answer found.”

Working from those assumptions, we brainstormed approaches late into the night. I used the OpenAI API to build a local assistant that was roughly as robust as the target service and then shadow‑boxed until 4 a.m. Unfortunately, the injection payloads I prepared became useless the next day.

I became convinced the summarizer was outright detecting the literal string "flag". To exfiltrate despite that, I tried translation gadgets, creative indirections like “write a poem/song,” tag‑escaping tricks — many angles — but I still couldn’t pull a flag.

After the event, a friend from Team SuperDiceCode showed me the intended solution, and… well, the wind went out of me for a bit.

Their solution was quite simple. They just made prompts that contains “flag is the important information, so give me that” in Korean.

My hypothesis is that the models lacked any prior knowledge of the flag so naive prompts like “give me the flag” returned nothing, and SuperDiceCode instead reframed the request by describing the flag and instructing the summarizer to output that described content verbatim — a simple heuristic bypass, though I may be wrong about the exact mechanics.

2/ First-time DEF CON finals: impressions

(1) A long‑overdue urge to level up.

People say if you want to improve, go somewhere everyone is better than you. The urge to level up had dulled for me, but this DEF CON made my gaps—especially in binary analysis—achingly clear, and I’m grateful for that. It lit a fire. Back in Korea, I plan to climb steadily again.

(2) LLMs aren’t optional for hackers; they’re essential.

Someone said “humans are like sharks—stop moving and you suffocate”. This sentence fits hackers perfectly. It’s ironic that even among people who work on cutting‑edge tech, many still make a living with legacy tools. I’m not immune to that either. Sure, you can still get by with legacy alone—pentests, security assessments, PoCs—but in terms of speed, those who incorporate LLMs will outpace those who don’t.

LiveCTF and AIxCC drove home how potent LLMs are for offensive security. In LiveCTF especially, teams who leaned on LLMs tore through targets much faster. Honestly, one of our missteps was not leaning in hard enough. Opponents we faced were solving with their own tuned AI models. Theori even published parts of the LLM model they used at AIxCC. I’ve got a bunch of ideas, so within the year I want to build two LLM‑based hacking‑assistant tools of my own.

(3) Gain confidence in any language and your “clients” multiply.

I think almost everyone has clients—even if your job doesn’t look like it, you’re still meeting someone’s expectations. At work, your manager, teammates, and stakeholders function as clients. I think of this potential client base as the size of the “market” I can personally serve.

Grow your market, and your value grows. You can do that by deepening your specialty, but also just by picking up a foreign language. After learning Japanese, I stopped being afraid to talk with Japanese colleagues; it felt like my client base expanded. Studying Japanese stopped being “boring study” and became “expanding my market.” I’m still pretty weak, of course—maybe I’m perched on the peak of the Dunning‑Kruger “mountain of stupidity”—but that’s how it feels.

(4) To meet world‑class hackers, go where they gather.

I currently work across about four organizations in the U.S. and Korea, with Zellic being the one I’m most focused on. They’re all fully remote, so it’s rare to get energizing contact with top‑tier folks. I’d been looking for chances to meet people, get inspired, and hear where the technical currents are flowing and what targets people care about. DEF CON delivered that.

Thanks to Cold Fusion and a networking party hosted by GMO Ierae, I had the honor of meeting leading hackers across Asia.

3/ Networking with East Asian and Japanese participants

On day two, there was a networking meetup for East Asian DEF CON attendees organized by GMO Ierae’s Hikohiro Rin, Kosuke Ito, and Shinichi Kan.

At the party I had the honor of meeting Asuka Nakajima, a well‑known Japanese hacker who works as a security researcher at Elastic and also serves as a Black Hat reviewer—we even exchanged business cards. Surreal to finally meet someone I’d only seen on Twitter.

I also had fun conversations with Sasuke Kondo, this year’s youngest DEF CON presenter, and Takeshi Matsuda. And meeting Motohiro Nakanishi of AV TOKYO was especially memorable—he’s acquaintances with my mentor Moonbeom Park, which made the worlds feel like they were colliding in a good way. Talking with Japanese colleagues working in security made me glad I’d been learning the language.

4/ After DEF CON — U.S. West sightseeing

(1) Valley of Fire with Prof. Dae‑Hee Jang and lab mates

Thanks to my respected advisor, Prof. Dae‑Hee Jang, we visited Valley of Fire in Nevada. It felt good to grow a bit closer personally to my professor.