Last updated on 04.05.06 20:16
CTF-style hacking challenges
On several occasions I host Capture The Flag-style exercises in IT security for
teams of students. The task is to maintain a server
running multiple services while simultaneously trying to get access to
the other teams' servers. Points are gained for each successful penetration, as
well as for keeping services up and functional during the course of the game.
The following text was created for the specific challenge
CIPHER. It is thus possibly not general enough to
cover all possible situations of a CTF.
Description
The exercise consists of multiple teams, each hosting a server that has
multiple services running, e.g. a web server, a mail server, or
customized services. The services contain typical security vulnerabilities
that allow the server to be compromised to a certain extent.
The goal is to keep the services up, functional and uncompromised
for the duration of the game. Additional points can be gained by
patching the vulnerabilities of the services and exploiting the knowledge
of the weaknesses found against the other teams' servers.
The focus of the exercise is on application layer security.
Technical Details
- The contest will be held within a VPN. We will use OpenVPN to
authenticate the teams and make sure that the exercise will have
no effect on the remainder of the internet.
- All traffic will be logged.
- The traffic will not be anonymized on the IP layer, i.e. it is
possible to distinguish between other teams' requests and the game
server's based on the IP. Thus filtering based on the IP is
strictly forbidden. The same applies to other mechanisms
for distinguishing between the game server and other teams on the TCP/IP layer.
We will provide a proxy on the game server to allow teams
to send queries with the game server's IP. However, this still does
not allow filtering.
- All computers in a team's VPN subnet are legitimate targets for attacks.
- The services will be part of a VMware image. This image will
be encrypted and distributed ahead of time. The key will be
published at the beginning of the exercise.
- There will be an IRC channel for discussion and for answering
technical problems.
- Each team needs the following to participate in this contest:
  - one or two boxes as router and team host
  - one computer per participant
  - a stable internet connection with a minimum of 1 Mbit/sec that is
  able to send and receive UDP packets
- We estimate that the complete setup takes about 1 day, including
checks for safety and security.
- No commercial licenses are needed to participate, and there are no
fees to be paid.
Game Details
- The vulnerable services will be custom services, i.e. the software
that is subject to the scoring system is written specifically for
this contest. There will be no standard software that deliberately
contains errors. On the other hand, the organizers will not guarantee that
the other software on the provided image is free of errors, but it
is quite safe to assume that the standard software should be secure,
unless one team owns unpublished zero-day exploits.
- The game server will contact each service on each server at variable
intervals to check them for functionality. Points are awarded for
keeping the services up and running during the exercise.
- The game server will also perform actions that leave behind a flag,
i.e. a certain string, and will try to retrieve the flag it left there
last time. If all of this is possible and the flag was not submitted
by other teams to the scoring system, a team gains points for having
an uncompromised service.
- A team may gain additional points by compromising a remote machine and gaining
access to the stored flags. Each flag is worth an amount of
points if submitted to the scoring system within a few minutes after it
was deposited. The number of points is multiplied by the number of
services that the attacking team has running.
- If multiple teams submit the same flag, the scores are divided between
those teams.
- The following is discouraged and is possibly fined with negative
scores:
  - Filtering connections based on the IP (or similar mechanisms) is
  not allowed (regardless of IP anonymization).
  - Automated scanning (ports, IPs, etc.) or usage of vulnerability
  scanners.
  - Attacks like Denial-of-Service, Distributed Denial-of-Service
  or bandwidth exhaustion.
  - Changing the routing on any compromised host.
  - Destructive behaviour (e.g. deleting vital system files).
  - Intentionally supporting other teams is considered bad sportsmanship
  and will be fined (esp. if both teams belong to the same university).
  - (this list is not complete)
- The following is discouraged and is possibly fined with negative
scores and/or immediate suspension from the game:
  - The game server and all hosts in the organizers' network
  are off-limits.
  - Attacking systems outside the VPN is not allowed. All traffic
  has to happen within the VPN. Each team has to ensure for itself
  that other teams can't accidentally harm other hosts in its
  network.
  - Relaying data through other teams' networks into the internet.
- Cheating on the team's size leads to immediate disqualification.
Scoring details
- The scoring system may still change in details until the start of the contest.
All changes will be published here. There will be no more changes after the
beginning of the contest.
- The scores for offensive attacks are given according to these rules:
  - All flags are valid for submission for a limited period only. After
  this period, submitting a flag will have no effect.
  - Each time a team submits a flag, it receives a number of
  points according to the number of "correct" services
  the submitting team currently has. This score is divided by the number
  of teams that submit this specific flag.
  Example: assume that team A currently has 2 services up and running
  and team B has 4. If both submit a flag of team C, then team A
  will gain 2/2=1 point, while team B will gain 4/2=2 points.
  - The score board will only display the relative amount of points
  to the leading party, instead of the absolute scores.
- The scores for defense are given according to these rules:
  - Each service of each team will get checked once per interval.
  An interval will be (most probably) between 60 seconds and 5 minutes.
  - If a service can be contacted and seems to work, the team receives one
  defensive point for the uptime.
  - If the service works correctly, i.e. if the service delivers the data and the flag
  that the game server asked for, the team receives a second defensive point
  for having a "correct" service. If a service is "up" and not
  "correct", it's called "broken".
  - The scoreboard will display the status for each service of each team.
  The status is either "down", "broken", or
  "up".
  - If a valid flag is submitted by another team, all defensive points awarded
  for this flag are immediately cancelled.
  - The score board will only display the relative amount of points
  to the leading party, instead of the absolute scores.
- Fines are subtracted from both defensive and offensive scores.
- The total score is calculated as follows: the relative scores of defense and
offense are added. Again, only the relative amount of points to the
leading team will be displayed.
- Note that there are some actions that are allowed but not awarded with scores. These include: breaking into a team's
router, breaking into other players' computers, and submitting own flags.
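
The offensive and defensive rules above, worked through for one check interval as an added example; this is not the contest's actual scoring code. The function and variable names, the 300-second flag lifetime, and the reading that a captured flag cancels both defensive points of that service's check are assumptions, and the relative scoreboard display and fines are left out.

```python
from fractions import Fraction

FLAG_LIFETIME = 300  # seconds; assumed, the page only says "a limited period"
DEFENSE_POINTS = {"down": 0, "broken": 1, "up": 2}  # uptime point + "correct" point

def score_interval(checks, flags, submissions):
    """Score one check interval; returns (offense, defense) as {team: Fraction}.
    checks: {(team, service): "down"|"broken"|"up"}; flags: {flag: (owner, service, t)};
    submissions: [(team, flag, t), ...]."""
    teams = {team for team, _ in checks}
    correct = {t: sum(1 for (o, _), s in checks.items() if o == t and s == "up")
               for t in teams}
    captors = {}  # flag -> distinct teams with a valid submission
    for team, flag, when in submissions:
        if flag not in flags:
            continue  # not a flag the game server deposited
        owner, _, deposited = flags[flag]
        if team == owner:
            continue  # submitting own flags is allowed but not scored
        if not 0 <= when - deposited <= FLAG_LIFETIME:
            continue  # outside the validity period: no effect
        captors.setdefault(flag, set()).add(team)
    offense = {t: Fraction(0) for t in teams}
    compromised = set()
    for flag, who in captors.items():
        owner, service, _ = flags[flag]
        compromised.add((owner, service))
        for team in who:  # the submitter's "correct" services, split among submitters
            offense[team] = offense.get(team, 0) + Fraction(correct.get(team, 0), len(who))
    defense = {t: Fraction(0) for t in teams}
    for (team, service), status in checks.items():
        if (team, service) not in compromised:  # captured flag cancels the points
            defense[team] += DEFENSE_POINTS[status]
    return offense, defense

# Constructed sample reproducing the page's example: A has 2 correct services, B has 4.
SERVICES = ["web", "mail", "chat", "files"]
CHECKS = {("A", s): st for s, st in zip(SERVICES, ["up", "up", "broken", "down"])}
CHECKS.update({(t, s): "up" for t in "BC" for s in SERVICES})
FLAGS = {"flag-c-web": ("C", "web", 0), "flag-b-mail": ("B", "mail", 0)}
SUBMISSIONS = [("A", "flag-c-web", 60), ("B", "flag-c-web", 120),
               ("A", "flag-c-web", 90),      # duplicate, counted once
               ("C", "flag-c-web", 10),      # own flag, ignored
               ("A", "flag-b-mail", 1000)]   # expired, ignored

if __name__ == "__main__":
    offense, defense = score_interval(CHECKS, FLAGS, SUBMISSIONS)
    for team in sorted(offense):
        print(team, "offense", offense[team], "defense", defense[team])
```

With the sample data, team C loses the defensive points for its "web" check because the flag was captured within its lifetime, while team B keeps all of its points because the only submission of its flag arrived after expiry.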