MAIN  :: TRAINING :: CONFERENCE SPEAKER LIST :: CTF & OPEN-HACK :: VENUE MAP :: PRESS/MEDIA :: REGISTRATION :: AGENDA :: CALL FOR PAPERS :: FAQ :: CONTACT :: FORUM :: HITBSECCONF2003 :: MEDIA/PRESS RELEASE

CAPTURE - THE FLAG OVERVIEW & RULES

Overview

The game attempts to test a security administrator's ability to secure a complex system with unknown but required functionality. While this task seems rather odd, this is similar to a day job as a security consultant: a customer has a large dot.com site, they don t know what it does (the IT staff have all left), and they want it to be secure. And don't turn it off, there is live traffic running on it. The HITBSecConf CtF game models this situation as follows:

       Players are provided with a table, one 5-point power outlet, and one Ethernet connection.

       Players get a class-C network address space, and all traffic coming to the player s connection is reverse-NAT'd so that the source of traffic cannot be identified. This eliminates the obvious defence of filtering all traffic from other teams using a simple firewall.

       Players are handed a reference system at the beginning of the game. The reference system is guaranteed to provide all the Services required by the Score Server. The Flags which the Score Server is looking for have already been implanted in each team's reference system. This becomes the Home Flag of the team.

       The actual Services required by the Score Server are secret, and subject to change throughout game play.

       The reference system is riddled with security vulnerabilities, and may possibly include vulnerable Services, such as telnet and FTP.

       To score a home point, a team's server must fully satisfy the Score Server's requested interactions, and the team's Flag must be intact on their server.

       To score an own3d point, the Score Server must be fully satisfied with the Services on other team's server, the attacking team's Flag must be present on other team s server, and the attacking team's server must also be fully functional. This is to prevent a team from deploying only attackers, and not bothering to defend.

       To discourage DoS attacks and lazy bulk scanning, each team is charged a penalty for bandwidth coming from their connection. This penalty may include temporary disconnection from the network and thus the loss of home points as the Score Server will not be able to score the team.

 

Having to both simultaneously defend the home position and at the same time to plant your Flag in an opponent's server to score 0wn3d points makes the game much more challenging and even handed. In addition to making the game more interesting, the format of the game tries to mirror situations as it would happen in the real world.

Apart from the security expertise needed, some measure of intuition and creative investigation would be required to guess the Services and Flags the Score Server is looking for. Having an attack-only strategy would thus not be beneficial as the points lost in not being able to fulfil the Score Servers request would be difficult to regain.

 

Attack and Defend

This Capture the Flag will be the fourth CtF game to be held in Malaysia, after the hugely successful games held during HITB Security Conference in 2002 & 2003 and INFOSEC 2003. This year, we're continuing the highly successful format we deployed last year - whereby each participating team will be given a server to defend, and at the same time launch penetrative attacks against the other teams. As such, participants must know how to attack and plant Flags on opponent.s servers in order to score points, and at the same time, know how to defend their own box from being compromised and losing points.

While all this is happening, the CtF Score Server will be keeping track of Services and Flags running on each team's chosen server, so teams can't totally close all Services on the box either. If the Score Server does not detect a Service/Flag on the chosen server, it will deduct points for the team concerned. Teams will not know which Services/Flags the Score Server is looking for, and will have to infer this from the game play. This setup duplicates a common computing infrastructure environment in the enterprise. 

The Reference Distribution

Sounds easy? Think again. Prior to the game, teams will be given a reference distribution server that has been preinstalled. A number of Services will be running on the server with Flags implanted in some of them. These Flags are known as the Home Flags. Do note though that the Services may or may not be vulnerable. Some of the Services may or may not be needed to run at all.

The Score Server that will attempt to establish connections to the Services and ensure they are running and at the same time check for the presence of the Flags. Points will be given if the Service is up, or deducted if the Service is down or a Flag can't be found. The catch is, teams will not know which Services the Score Server will check before hand. Thus, they must be able to differentiate between legitimate Score Server connections and attacks from opponents during the competition itself. Teams however are allowed to patch any Services which are vulnerable, keeping in place any Flags that the Score Server may be looking for.

 

The Reference Distributions and Services chosen for each operating system is as follows:

  • FreeBSD 4.10-RELEASE (released on 27th May 2004)
  • Fedora Core 2 (released 18th May 2004)
  • Gentoo Linux 2004.2 (released 27th July 2004, with portage snapshot from the universal live-cd)

    These references will be based on the official release distributions of the operating system's projects without any updated patches and bugfixes. Teams will be responsible for bringing along their own patches, bugfixes and other vulnerabilities fixes as they would deem appropriate. There will not be Internet access during the CtF competition proper.

     

    Rules

           NO flooding of network. A 30 minutes NO GAME penalty and points deductions will be given to teams that who are found to be flooding the network.

           NO Denial of Service (DoS) attack. A 30 minutes NO GAME penalty and points deductions will be given to teams that are found to be launching DoS attacks  

           All teams must obey PIT STOP calls. PIT STOP calls are rest intervals where all teams must leave the game area to facilitate for the CtF judges to update the score, and/or do maintenance work etc.

           NO harassment of other opponents (verbal abuse, etc).  

           NO physical attack.  

           NO attacking of Score Servers. Teams that attack Score Servers will be given points deductions.

     

    Game Play

    The Game  

     

    1.   Teams are allocated their own network block.

    2.   They must defend one host (the reference server) and keep it running.

    3.   Teams attack each other.

    4.   Teams will attempt to plant their Home Flag on their opposing team's servers to replace the opponent's Flag.

    5.   Teams with the highest accumulated points at the end of the game wins.  

    Scoring  

    1.   +10 points for each successful Flag/Service request from Score Server.

    2.   +20 points for each successful Flag planted on opponent server.

    3.   -10 points for each failed Flag/Service request from Score Server.

    4.   -20 points if server is compromised and opponent's Flags is detected.

    5.   -100 points for DoS attack.

    6.   Score server polls are randomized at a regular interval.

    NOTE: Keeping Services up and running is vital to get more points. Team scores are updated after every Service poll. This will give the teams hints as to what/which Services the Score Server will be polling for.

     

    Reference Distribution

    1.  Teams will be given reference CDs upon request that will contain the Operating System.

    2. They can choose to upgrade port or replace the Services; however Teams must note that the Score Server may look for specific Flags hidden inside some Services. Any upgrade/port/replacements of these               Services must include the Flags or the Team will start to lose points very quickly.

    3.   Teams can choose between these OSes: FreeBSD, Gentoo, Fedora Core 2  

    4.   The Reference Distribution OSes will be as per the last official release of the operating system by the vendor or OSS project. The Reference Distributions will not be patched, bugfixed or altered in any way from the stock sources as released on the date of the official release.

    5. Teams are responsible for bringing their own patches, vulnerability fixes, bugfixes and other tools necessary to patch up the system.

    6.  Teams must indicate the choice of OS upon registration.

    7.  Teams ARE NOT ALLOWED to run their servers off CDs. This is absolutely prohibited. Teams that are found to do this will be eliminated from the game.

    8.  Teams ARE NOT ALLOWED to run their servers off honey pots. This is absolutely prohibited. Teams that are found to do this will be eliminated from the game.

    9.  External/Third Party Firewalls ARE ABSOLUTELY outlawed. However, teams may set up any OS based firewalls (e.g. IPTables, IPChains, IPFW, IPFilter) on the server itself.

    10.Teams ARE NOT ALLOWED to bring extra servers.

    11. If the Teams have to reinstall their server OS, the Reference Distribution MUST be used. The Organizing Team will NOT inform the Team what Services are needed to be run or are being counted by the Score Server. The Organizing Team will NOT provide the Flags for the Team for reinstallation.

    12. Any action which causes the Score Server to dislike the Team's Services and Flags are solely the fault of the team and the Team will lose points for this.

     

    Hints  

           Plan, plan, plan.

           Be organized. 1 team principal. 1 firewall/IDS expert. 1 l33t sysadmin. 1 l33t hacker. 1 code junky would be a good line up.

           Learn, learn, learn. Learn what the Score Server wants, and please it.

           Learn how attack Gentoo, Fedora, and FreeBSD. It is not too late to do so!

           Choose your OS wisely. If you chose an OS with less security issues, then you will have less time defending and more time attacking others.

           Learn the importance of taking backups, in order to restore yourself to a known state in the unlikely event that your server has been r00ted or 0wn3d.

     

    Final Judgement

           At all times, the decision of the CtF Organizing Team is final on any matter in question.

           Team Leader's should feel free to work with the CtF Organizing Team to resolve any disputes that may arise.

    Acknowledgements

    The HITBSecConf organizing committe would like to give shoutouts, ninja greetz and ghetto loves to The Ghetto Hackers, who came out with the attack and defense concept for the CtF game. The Ghetto Hackers have been organizing the CtF game for Defcon since 2002! Much love!

  •  


    Our Sponsors








    Our Speakers are Supported By:
                                    
     

    Supporting Organizations:
     

    Malaysian Communications and Multimedia Commission


    Special Interest Group in Security & Information InteGrity Singapore


    XFOCUS Team


    Zone-H - IT Security Information Network


    Wireless Security Monitored By


     


    HITB Partner


     


    Media Partners


    Official Media Partner

     
     

    2004 Hack In The Box (M) Sdn. Bhd.
    HTML and PHP by spoonfork (mel at hackinthebox dot org)