attempts to test a security administrator's ability to secure a complex system
with unknown but required functionality. While this task seems rather odd, this
is similar to a day job as a security consultant: a customer has a large dot.com
site, they don t know what it does (the IT staff have all left), and they want
it to be secure. And don't turn it off, there is live traffic running on it. The
HITBSecConf CtF game models this situation as follows:
provided with a table, one 5-point power outlet, and one Ethernet connection.
Players get a
class-C network address space, and all traffic coming to the player s connection
is reverse-NAT'd so that the source of traffic cannot be identified. This
eliminates the obvious defence of filtering all traffic from other teams using a
handed a reference system at the beginning of the game. The reference system is
guaranteed to provide all the Services required by the Score Server. The Flags
which the Score Server is looking for have already been implanted in each team's
reference system. This becomes the Home Flag of the team.
Services required by the Score Server are secret, and subject to change
throughout game play.
system is riddled with security vulnerabilities, and may possibly include
vulnerable Services, such as telnet and FTP.
To score a
home point, a team's server must fully satisfy the Score Server's requested
interactions, and the team's Flag must be intact on their server.
To score an
own3d point, the Score Server must be fully satisfied with the Services on other
team's server, the attacking team's Flag must be present on other team s server,
and the attacking team's server must also be fully functional. This is to
prevent a team from deploying only attackers, and not bothering to defend.
DoS attacks and lazy bulk scanning, each team is charged a penalty for bandwidth
coming from their connection. This penalty may include temporary disconnection
from the network and thus the loss of home points as the Score Server will not
be able to score the team.
both simultaneously defend the home position and at the same time to plant your
Flag in an opponent's server to score 0wn3d points makes the game much more
challenging and even handed. In addition to making the game more interesting,
the format of the game tries to mirror situations as it would happen in the real
the security expertise needed, some measure of intuition and creative
investigation would be required to guess the Services and Flags the Score Server
is looking for. Having an attack-only strategy would thus not be beneficial as
the points lost in not being able to fulfil the Score Servers request would be
difficult to regain.
This Capture the Flag will be the fourth CtF game to be held in Malaysia, after
the hugely successful games held during HITB Security Conference in 2002 & 2003
and INFOSEC 2003. This year, we're continuing the highly successful format we
deployed last year - whereby each participating team will be given a server to
defend, and at the same time launch penetrative attacks against the other teams.
As such, participants must know how to attack and plant Flags on opponent.s
servers in order to score points, and at the same time, know how to defend their
own box from being compromised and losing points.
this is happening, the CtF Score Server will be keeping track of Services and
Flags running on each team's chosen server, so teams can't totally close all
Services on the box either. If the Score Server does not detect a Service/Flag
on the chosen server, it will deduct points for the team concerned. Teams will
not know which Services/Flags the Score Server is looking for, and will have to
infer this from the game play. This setup duplicates a common computing
infrastructure environment in the enterprise.
Sounds easy? Think again. Prior to the game, teams will be given a reference
distribution server that has been preinstalled. A number of Services will be
running on the server with Flags implanted in some of them. These Flags are
known as the Home Flags. Do note though that the Services may or may not be
vulnerable. Some of the Services may or may not be needed to run at all.
Server that will attempt to establish connections to the Services and ensure
they are running and at the same time check for the presence of the Flags.
Points will be given if the Service is up, or deducted if the Service is down or
a Flag can't be found. The catch is, teams will not know which Services the
Score Server will check before hand. Thus, they must be able to differentiate
between legitimate Score Server connections and attacks from opponents during
the competition itself. Teams however are allowed to patch any Services which
are vulnerable, keeping in place any Flags that the Score Server may be looking
Distributions and Services chosen for each operating system is as follows:
FreeBSD 4.10-RELEASE (released on 27th May 2004)
Fedora Core 2 (released 18th May 2004)
Gentoo Linux 2004.2 (released 27th July 2004, with portage snapshot from the universal live-cd)
These references will be based on the official release distributions of the
operating system's projects without any updated patches and bugfixes. Teams will
be responsible for bringing along their own patches, bugfixes and other
vulnerabilities fixes as they would deem appropriate. There will not be Internet
access during the CtF competition proper.
of network. A 30 minutes NO GAME penalty and points deductions will be given to
teams that who are found to be flooding the network.
NO Denial of
Service (DoS) attack. A 30 minutes NO GAME penalty and points deductions will be
given to teams that are found to be launching DoS attacks
must obey PIT STOP calls. PIT STOP calls are rest intervals where all teams must
leave the game area to facilitate for the CtF judges to update the score, and/or
do maintenance work etc.
of other opponents (verbal abuse, etc).
of Score Servers. Teams that attack Score Servers will be given points
Teams are allocated their own network block.
They must defend one host (the reference server) and keep it running.
Teams attack each other.
Teams will attempt to plant their Home Flag on their opposing team's
servers to replace the opponent's Flag.
Teams with the highest accumulated points at the end of the game wins.
+10 points for each successful Flag/Service request from Score Server.
+20 points for each successful Flag planted on opponent server.
-10 points for each failed Flag/Service request from Score Server.
-20 points if server is compromised and opponent's Flags is detected.
-100 points for DoS attack.
Score server polls are randomized at a regular interval.
NOTE: Keeping Services up and running is vital to get more points. Team scores
are updated after every Service poll. This will give the teams hints as to
what/which Services the Score Server will be polling for.
Teams will be
given reference CDs upon request that will contain the Operating System.
can choose to upgrade port or replace the Services; however Teams must note that
the Score Server may look for specific Flags hidden inside some Services. Any
upgrade/port/replacements of these
Services must include the Flags or the Team will start to lose points very
can choose between these OSes: FreeBSD, Gentoo, Fedora Core 2
Reference Distribution OSes will be as per the last official release of
the operating system by the vendor or OSS project. The Reference Distributions
will not be patched, bugfixed or altered in any way from the stock
sources as released on the date of the official release.
are responsible for bringing their own patches, vulnerability
bugfixes and other tools necessary to patch up the system.
must indicate the choice of OS upon registration.
ARE NOT ALLOWED to run their servers off CDs. This is
absolutely prohibited. Teams that are found to do this will be
eliminated from the game.
ARE NOT ALLOWED to run their servers off honey pots. This is
absolutely prohibited. Teams that are found to do this will be
eliminated from the game.
Party Firewalls ARE ABSOLUTELY outlawed. However, teams may set up any OS
based firewalls (e.g. IPTables, IPChains,
IPFilter) on the server itself.
ARE NOT ALLOWED to bring extra servers.
the Teams have to reinstall their server OS, the Reference Distribution MUST
be used. The Organizing Team will NOT inform the Team what Services are
needed to be run or are being counted by the Score Server. The Organizing Team
will NOT provide the Flags for the Team for reinstallation.
action which causes the Score Server to dislike the Team's Services and Flags
are solely the fault of the team and the Team will lose points for this.
1 team principal. 1 firewall/IDS expert. 1 l33t sysadmin. 1 l33t hacker. 1 code
junky would be a good line up.
learn. Learn what the Score Server wants, and please it.
attack Gentoo, Fedora, and FreeBSD. It is not too late to do so!
OS wisely. If you chose an OS with less security issues, then you will have less
time defending and more time attacking others.
importance of taking backups, in order to restore yourself to a known state in
the unlikely event that your server has been r00ted or 0wn3d.
At all times,
the decision of the CtF Organizing Team is final on any matter in question.
should feel free to work with the CtF Organizing Team to resolve any disputes
that may arise.
The HITBSecConf organizing committe would like to give shoutouts, ninja greetz and ghetto loves to The
Ghetto Hackers, who came out with the attack and defense concept for the CtF game. The Ghetto Hackers have been organizing the CtF game for Defcon since 2002! Much love!