0-Days and Tokens and Salts, Oh My! (An overview of my DEFCON AIV CTF Challenges)


For Defcon 30, the AI Village organized an AI Capture The Flag competition hosted on Kaggle. The goals of a CTF are usually to hack/break a system to uncover a hidden flag somewhere within the system. For the AI CTF, the goals were generally less focused on vulnerabilities and more on adversarial samples and model poisoning. The competition ran between the 12th of August and the 12th of September 2022. It ended up with 3,555 individuals joining the competition, with 668 participants making a submission. Kaggle also put up $25,000 in prizes, which was incredible.


I’m JankhJankh, a Penetration Tester from Aus, where I specialize in red teaming and infrastructure level web attacks. AI hacking research has been my hobby for a few years now; I’ve given a talk and run a workshop on pentesting ML with a goal of helping to build maturity

My Challenges

I provided the following challenges for the DEFCON 30 AI Village CTF:

  • Forensics
  • Theft
  • Salt
  • WAF
  • Token


While you can do this by just running strings on the file and grepping for a flag, the goal was to give intro level people a flag for just loading a model and looking at what it has inside it.

Viewing the config for a Keras Model


This challenge was initially built as a web app so users have to retrieve the encrypted model and then decrypt the model to retrieve the pickle file from within it (It’s AES-CBC with a password in rockyou). The server also returns confidences so you can just do an online attack rather than an offline attack if you want to circumvent the decryption stage.

Unmodified image on the left and the adversarial sample on the right
Submitting the modified image


The secret sauce on SALT is that the randomness added to each image is reasonably small, just big enough to break most solutions to Theft. By cranking up the randomness you can make your changes outperform the random changes the application makes.

Unmodified image on the left and adversarial sample on the right
Submitting the modified image


Combining the solutions to Theft and Salt leaves you with one of my all time favourite tables:


Token was originally designed to be a white-box CTF challenge, with participants being given the source code. This challenge is based off of a bug I found in another challenge of mine while making it.

Observing the tokenizer created from the CSV dataset
Row 337 containing the word blank twice
Row 493 containing the word blank twice
Deleting these two rows from the CSV and reusing the tokenizer shows that the labels for secretkey and blank have been swapped
Submitting lines 493 and 337 to the server is unsuccessful
Viewing the CSV in a text editor
Submitting lines 492 and 336 successfully returns the flag
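
The index swap described in the captions above, reproduced as an added example (this is not the challenge's code). It assumes the tokenizer ranks words by frequency, as Keras's `Tokenizer` does, and is refit from the CSV; `fit_word_index`, `encode`, `changed_ids` and the sample rows are constructed for illustration.

```python
from collections import Counter

def fit_word_index(rows):
    """Assign ids by descending word frequency; ties keep first-seen order.
    Ids start at 1 (assumed frequency-ranked tokenizer behaviour)."""
    counts = Counter()
    for text in rows:
        counts.update(text.lower().split())
    # Counter keeps insertion order and sorted() is stable,
    # so equally frequent words stay in first-seen order.
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    return {word: i + 1 for i, (word, _) in enumerate(ranked)}

def encode(text, index):
    """Map a string to token ids, skipping unknown words."""
    return [index[w] for w in text.lower().split() if w in index]

def changed_ids(before, after):
    """Words whose id differs between two fits: the drift a loader should reject."""
    return {w: (before[w], after[w])
            for w in before if w in after and before[w] != after[w]}

# Constructed sample rows standing in for the challenge CSV.
ROWS = [
    "blank secretkey",
    "secretkey secretkey secretkey",
    "blank blank",        # index 2: contains "blank" twice
    "submit the form",
    "blank blank",        # index 4: contains "blank" twice
]

def demo():
    trained = fit_word_index(ROWS)            # vocabulary the model was trained on
    kept = [r for i, r in enumerate(ROWS) if i not in (2, 4)]
    refit = fit_word_index(kept)              # vocabulary after the two rows are deleted
    return trained, refit, changed_ids(trained, refit)

if __name__ == "__main__":
    trained, refit, drift = demo()
    print("trained:", trained)
    print("refit:  ", refit)
    print("drift:  ", drift)
    # "secretkey" now encodes to the id the model learned for "blank"
    print(encode("secretkey", refit), encode("blank", trained))
```

Storing the fitted word index alongside the model weights and refusing to serve when `changed_ids` is non-empty keeps the ids the model was trained on from drifting with the data.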


As discussed in the challenge, a model has been trained to identify a 0-Day vulnerability. The goal of the challenge was to identify the payload the Web Application Firewall (WAF) is built to block, and then bypass this WAF.

Base64 decoding the starting payload
Base64 encoding bash to retrieve a payload to test
Submitting the new payload that is also blocked
Safe request by prepending any character other than “Y”
Code to try every character prepended to the known bad string
Confidences returned by the server, noting YmFza is the only sample to have a different confidence
Looping this previous code 30 times and adding any newly found bad chars to the list
Code execution output
Decoding the full payload to reveal shellshock
URL encoding bypassing the WAF
URL encoding the final payload
Submitting the encoded payload to get the flag


The CTF went incredibly smoothly for the first time the AI Village has ever run one, and a lot of infrastructure was set up that will make future CTFs run a lot smoother.





Professional Pentester and hobbyist AI unenthusiast.