On October 21, 2011, at midnight, the CTF ended with the Blue Team in first place, followed by the White Team. I walked into the meeting room late and found the excitement of the crew playing the game. What I absorbed by osmosis from being in the room was that first there was an IP address, a port number, a username and password, which changed over time as TKC members rooted the box and pasted the new password on the whiteboard. After reading the man page for ssh, I used the info to become root. The web page for the game was
SSH access was through port 55555. I looked around and found a directory, dbsynergy. I opened it to find shellcode x\90 * 5; I recognized that to be a NOP sled. From the conversation in the room it was apparent that they were monitoring ARP traffic and using scripts or apps to trap the ARP packets and re-route them, causing all kinds of havoc on the network.
What would happen is that teams would post info to the score server. TKC would find out about it by analyzing tcpdump data, steal the data, and submit it in replay for points in the game.
They went on to remove the other teams from the server they were assigned by combinations of spoofing IP addresses or MAC addresses.
This session of CTF had started several days ago, so when TKC found out about the game there were only 4 hours left. Bryce Bearchall won the DefCon oCTF in 2008.