Axis was a challenge deployed during DEF CON Capture the Flag finals on August 9, 2025. It’s an Elixir Phoenix app, mostly using Phoenix LiveView as the user interface layer, with an intentional CWE-94 Improper Control of Generation of Code flaw that allows flag disclosure.

Getting it deployed was a gigantic pain. I spent quite a bit of time fighting Puppeteer and then Playwright for browser automation, Docker’s x86-64 emulator for arm64, but the most interesting issue was the Erlang Port Mapper Daemon, or “EPMD”.

Erlang Distribution

In languages running on the Erlang runtime system (“ERTS”) like Erlang and Elixir, applications are generally a collection of small processes running in a single Erlang node. This Erlang node is normally a single beam.smp (or just “BEAM,” for “Bogdan’s Erlang Abstract Machine”) host process. You’re encouraged to use high level abstractions like “generic servers,” “agents,” or “finite state machines;” those abstractions are built on asynchronous messaging betwen those small processes. In Elixir, this is done with the send(destination, message) function, which uses the Erlang Destination ! Message syntax. The message can be any Erlang term, and the destination is an atom representing a named process on the current node, an Erlang Pid (which could be local or remote), an Erlang Ref that might be a process alias, or a pair of {ProcessName, NodeName}.

What goes into a node name? Since they can be on different physical machines, a network address is going to be part of it. However, given that a single machine may have multiple Erlang nodes on it, instead of letting them fight over well-known ports, what you really want is for nodes to be named, take random ports, and have an independent host process map those names to ports.

CTF Infrastructure

Nautilus Institute ran our CTF finals on containers, but with krun instead of runc like normal Docker to support challenges that bring their own pwnable kernel. While runc does some network and process namespacing tricks to let container guest processes coast off the host’s kernel for the sake of performance (Legitimate Business Syndicate had per-connection containers for quals starting up in under a second a decade ago), krun uses full on virtualization to let a container guest bring and run in their own kernel. We originally looked into this for the opportunity to run kernel challenges a few years back, and kept it for the better process isolation.

It also lets you do some tricky stuff with networking. We had a proxy setup that let us restrict VMs to a single listen socket and no outbound sockets (to keep teams from replacing a challenge with a proxy that lets them sidestep our container patch restrictions).

How Axis Starts

Axis was distributed as a release image generated through the normal Phoenix mix rel process. Assuming you don’t run into build issues with prim-tty while trying to build an x86-64 image on an arm64 machine, you get an OCI image that starts a BEAM process via a bunch of shell scripts.

1. Shell scripts grab information from environment variables to set arguments to the erl command that kicks off BEAM, which on a modern machine names itself beam.smp
2. The beam.smp process starts with a file of arguments for the VM available, traditionally in a file called vm.args
3. The BEAM process loads VM arguments.
4. BEAM kicks off an EPMD process.
5. The EPMD process tries to bind port 4369 on the zero IP address (i.e. 0:4369, every interface). If that fails, it dies, since that probably means an EPMD is running and it doesn’t need a second.
6. BEAM tries to bind port 0 on the zero IP (0:0). This tells the kernel “give me any port that’s available on every interface.”
7. BEAM tries to connect to EPMD to register its name and the port from the previous step.
8. BEAM starts running the application.

How to Deploy a CTF Challenge

I started working on Axis in September 2024. In March 2025 we switched it from a quals to a finals challenge, and in June 2025 I really started finding a route to finish it. Because I’ve had a lot of experience with running Elixir Phoenix apps in containers, I felt like I could focus on getting it done with a poller and known proof-of-vulnerability and not spend a lot of time on integration. There’s usually time the week of DEF CON for that.

And then I spent two weeks fighting (first) Puppeteer and (then) Playwright. By the time I had a poller I was happy with, it was Friday afternoon and our infrastructure team was busy with a bunch of other services. Some of the issues that popped up in this last sprint were:

• my computer is arm64 and we deploy on x86-64
• this compose.yml doesn’t do what you want it to on arm64:

  services:
    web-prod:
      build:
        context: .
        dockerfile: Dockerfile
      platform: linux/amd64
  

• the mix local.hex --force step to install the normal Elixir package manager doesn’t like the x86-64 emulator my Docker desktop app runs
• if you make an arm64 machine on EC2 out of habit it can’t build x86-64 images
• once we got a built x86-64 image that the infrastructure could actually start, it would open ports we weren’t expecting and immediately die

We spent a few minutes with strace trying to solve this mystery. The tell-tale sign to put us on the right track was the 4369 bind call. This introduced me to EPMD, which I’d previously been fuzzy on, and helped get to the issue that was killing BEAM before it could open the expected port 4001.

The rub comes when BEAM tries to bind 0:0. Because of a bug in our krun setup, it would, instead of returning 0 for success, it returned a failure condition (that we didn’t bother triaging at the time).

I spent a minute trying to coax a couple commercial LLMs to help, but then I remembered the VM arguments concept from a previous job.

After some research on the flags and arguments for erl (the command line tool that kicks off BEAM), I tried a few different combinations of arguments.

--no_epmd on its own didn’t help. It looks like that requires more configuration than I was willing to learn about in the rush to deploy.

--dist_listen false did work! It tells BEAM to just not open a listen port for distributed Erlang, and lets the app continue to boot and work.

Once that was in, we got the poller running (it was pretty unreliable, since I’m either not experienced with browser automation or browser animation is simply terrible) at a reliability we were comfortable with, and decided to enable it in the scoreboard and post about it in #ctf-announcements-text

Conclusion

Shout out to the teams that spent time hacking and patching Axis! I hope you had fun, and I’m glad I was able to finally bring a challenge to a CTF at DEF CON, even if it was web sqli.

Incredible thanks to itszn for your patience with me getting this disaster out the door.

Finally, huge thanks to Josef! Our time riffing on how this would work and your time helping develop it are why it happened at all.

You can find up-to-date qualifying information at https://nautilus.institute/dc2025/ .

Qualified So Far

Four contests have qualified teams so far:

1. DEF CON CTF 2024 Finals: Maple Mallard Magistrates
2. HITCON CTF 2024: Friendly Maltese Citizens
3. hxp 38C3 CTF: kalmarunionen
4. 0ctf: r3kapig

Plaid CTF

PlaidCTF, held April 4 21:00 UTC - April 6 21:00 UTC will qualify a team for DEF CON CTF 2025 finals.

Qualifiers

Nautilus Institute will be hosting qualifiers for DEF CON Capture the Flag starting at midnight UTC at the start of April 12, 2025, and ending 48 hours later at midnight UTC at the start of April 14, 2025.

This contest will qualify the remainder of teams we bring to DEF CON.

Registration will open closer to the contest.

If you’re interested in seeing the stream from the LiveCTF mini-tournament that was hosted as a “challenge” within our game, please check out the links on the LiveCTF website.

The full, final scores:

Most of the pictures here aren’t resized. If you want a better look, open them in a new tab.

Policies

DEF CON’s policy since 2023 is roughly that photography with consent is allowed. Being on stage implies consent, being in the CTF room is explicitly not consent, and blurring out non-subjects with “portrait mode” is encouraged. Press and official DEF CON photo goons are also expected to follow these policies.

Techniques

Going Fast

Fast primes are great for these kinds of events, both because they pull in more light and work better in the dark, and they give you a ton of control over what’s in focus.

Shooting them wide open gets you that “portrait mode;” you also get to use a faster shutter or lower/less-noisy ISO in the same light. Sometimes you get vignetting, weirdly-shaped bokeh balls, lens flare, and other aberrations wide open. I lean into it.

Going Slow

In the hard opposite direction, you might try some long exposures. Every time I do this, it takes me way too long to remember that time-priority mode is a thing, and it’ll automatically solve aperture and ISO for the duration of exposure you want.

Long exposures are pretty good at removing people, since we move.

Mixing this with a flash is fun too.

For Toorcamp 2024 and DEF CON 32 I brought a couple handheld multicolor LED lights. I used the hell out of ‘em at Toorcamp and never turned ‘em on once at DEF CON.

Getting Consent

I still find it awkward to ask “is it alright if I take a picture of you?” I feel like I overthink the vibes of the situation, but it means that the worst I’ve gotten is a “no.” Sometimes (if it’s loud or busy) I’ll tap on the camera and make a thumbs-up thumbs-down gesture.

If it’s a group you’re spending lots of time with, you can definitely have a longer conversation about what you’ll do with the photos, and what situations are alright ahead of time.

Worst case, you can always delete the photo while they watch.

Shooting Film

This is way more dicey and annoying than digital. I shot a roll at DEF CON 31 and two rolls at Cccamp 2023. There’s suddenly inventory management and decisions to be made about what film stock to load.

I realized at the airport on the way to DEF CON 31 that I only brought 50mm lenses, with the FD 50mm f/1.8 on the film camera. It’s nice and fast, which paired well with the Kodak Ultramax 400 I loaded.

I brought a slow roll of CineStill 50D and a super-slow roll of Lomography Babylon 13 to camp. I had the digital for night shots, so these were for natural light.

Final

It’s hard to get the time to attend these events, and they’re all big enough that you have to really pick and choose how what you see and experience. Choosing to spend that time staring through a camera is a choice! You can use photography as a way to meet new people, see things a new way, and remember things once the summer’s over.

Registration will open closer to the contest.

Computer security Capture The Flag contests (CTFs for short) are fundamentally about getting secrets out of computer programs. Sometimes the secrets are locked inside or behind a complex binary requiring a decompiler or disassembler and hours of analysis, and this frustrates players who want “web” challenges. Web challenges are often synonymous with SQL injection challenges, which are a particular flavor of CWE-94 Improper Control of Generation of Code.

Unfortunately, sqlmap is a really useful tool for finding and exploiting SQL injection vulnerabilities in web applications. It’s absurd how trivial it is. You point it at a URL and can get the complete database back. Ridiculous.

However, many technologies in the modern web aren’t compatible with the very ’90s view of the web sqlmap assumes. It doesn’t puppet a browser, just parses HTML and makes normal HTTP requests. This means that we can use a JavaScript-based system speaking WebSockets or some other weirdo HTTP subset to handle the user interaction in a way that sqlmap can’t interact with.

The other problem with SQL (or really, any flavor of persistence) injection challenges is that mischief is incentivized. Even if you don’t solve the challenge, there may be opportunities to make it more difficult for other teams through resource consumption attacks or just straight up vandalism that are hard for game organizers to track down or fix during the game.

Hack-A-Sat, in addition to being the first CTF in space, also had a system of tickets and receipts (yes I did come up with it on a train ride) to provide traceability and unique experiences per team. Tickets contain an RNG seed and a per-team key. This allows different instances of a challenge (with no communication between them, good for operations!) to provide either a new random experience per connection or a consistent but random experience per team. Nautilus Institue also uses tickets and receipts for our quals game.

I came up with the “Raw Water” challenge right at the beginning of 2023:

<vito> with the quals service i’ve been thinking about, “raw water” (sqli using websockets so you can’t just sqlmap it), not having to worry about a shared sql instance would be nice
<vito> oh god i have a bad idea though
<vito> handle the ticket myself in the http server and have a named sqlite per slug on a shared fs

I wanted to minimize the processing done on the client; you can’t trust them normally, even less when only scary hackers will use it. (j/k ilu :3) I started working with raw WebSockets in Phoenix (using Phoenix.Socket.Transport) and was on the verge of starting the client JS for it when I realized I was just reimplementing Phoenix LiveView (which is the well-supported and pretty good system for receiving events from the client, processing them on the server, and sending redirects and HTML changes back to the client).

So, I built “Hellform,” which uses the seed from the ticket to make a consistent form of 100 fields, about half required, with one injectable “party” field and one “landmine” field that rejects any single quotes (i.e. attempts at SQL injection). It’s broken into 10 pages of 10 fields each, because that let me hide the page navigation on the first page (because it was funny, to me.) The in-progress form just lives in the LiveView process, and the actual submission of the form is also done over the LiveView too, which sqlmap can’t interact with.

exqlite, an Elixir library wrapping sqlite3, solved the shared resource problem. Sqlite3 databases have a pretty efficient file representation, files are just an array of bytes, and PostgreSQL has a column type just for those. The “Minibase” part of Raw Water really just implements two things: saving an order and loading an order. Wrangling the Postgres data is done elsewhere, with Ecto.

Saving the order is kinda complicated:

1. Receive either the whole byte array or a big fat NULL from Postgres.
2. Open a :memory: datbase with Exqlite.Sqlite3.open/1
3. Deserialize the database with Exqlite.Sqlite3.deserialize/2
4. Validate the schema
5. If any of the above failed, reopen :memory and create the flags and orders tables.
6. Generate and insert a flag into flags.
7. Run the SQL statement to insert the order into orders.
8. Delete the flag from flags with the SQL statement DELETE FROM flags;
9. Serialize the database with Exqlite.Sqlite3.serialize/1

Loading the order is much simpler, deserialize and SELECT and just 404 if it fails.

Minibase (or the Minibase concept) is intended to be reused in future challenges. If you’re interested in it or something like it, have a look at the source code, and hit me up for questions, either via email or on Mastodon.

If you’re interested in seeing the stream from the LiveCTF mini-tournament that was hosted as a “challenge” within our game, please check out the links on the LiveCTF website.

The full, final classification of all the teams is below:

If you’re interested in all of the data from this year’s game, you can find it on this page.

The top 11 teams from this year’s qualifier, plus last year’s winner (Maple Mallard Magistrates), will be invited to play in the final event. This will be held later this year from August 11-13 in Las Vegas at DEF CON 31. If any teams decline our invitation, we will move further down the list to ensure we have 12 total teams.

This was the top 20 for this year’s event:

1. Blue Water - 3753 points
2. The Parliament of Ducks - 3499 points
3. orgakraut - 3466 points
4. SuperDiceCode - 3398 points
5. TWN48 - 3236 points
6. Straw Hat - 3204 points
7. Norsecode’23 - 3090 points
8. mhackeroni - 2920 points
9. P1G BuT S4D - 2745 points
10. Shellphish - 2500 points
11. undef1ned - 2481 points
12. HypeBoy - 2417 points
13. PTB_WTL_0T - 2156 points
14. Katzebin - 2112 points
15. if this doesn’t work we’ll get more for next year - 2083 points
16. Never Stop Exploiting - 2078 points
17. untitled - 1590 points
18. Team Baguette - 1369 points
19. JMP FS:[RCX] - 1284 points
20. tasteless - 1211 points

For this year’s final event, we are limiting the number of qualified teams to 12. As is tradition, our winner from last year, MMM, will be automatically qualified which leaves 11 spots up for grabs. We’ll see you all starting at 0 UTC on May 27!

DEF CON CTF Pre-qualification registration is live!https://t.co/BTAjMwDCOv

Come try to qualify for DEF CON CTF starting Friday, May 26th!

— Nautilus Institute (@Nautilus_CTF) May 10, 2023

If you’re interested in seeing the stream from the mini-tournament that was hosted as a “challenge” within our game, please check out the links on the LiveCTF website.

The full, final classification of all the teams is below:

1. Maple Mallard Magistrates - 24394 points
2. Katzebin - 22818 points
3. StarBugs - 22363 points
4. Water Paddler - 21788 points
5. perfect r✪✪✪t - 21654 points
6. the new organizers - 20496 points
7. Straw Hat - 20087 points
8. PTB_WTL - 18575 points
9. Balsn.217@TSJ.tw - 18550 points
10. DiceGuesser - 18229 points
11. ./V /home/r/.bin/tw - 18191 points
12. CP-r3kapig - 17974 points
13. Shellphish - 17782 points
14. Sauercloud - 17348 points
15. 侍 - 16462 points
16. OSUSEC - 15648 points

Update (2022-09-26): All source code to the challenges from the game have been placed on GitHub!