[ :: mainpage :: register :: conference :: training :: call for papers (CFP) :: the venue ]
[ :: capture the flag (CTF) :: press/media :: conference agenda :: contact us :: forum ]
[ :: sponsors :: past conferences :: conference kit (English) ]

CAPTURE - THE FLAG OVERVIEW & RULES

Filed under: Main Page — Administrator @ 1:59 pm

Overview

This Capture the Flag will be the second CtF game to be held in the Middle East region after the attack-only game which was run in Bahrain in April of 2005. The attack-only CTF is different from the game that has been held in HITB Security Conference in 2002, 2003, 2004, 2005 and INFOSEC 2003. Instead of each participant having to attack and defend, participants in the game will be expected to launch penetrative attacks against single or multiple target servers. Each machine is configured with various services (some of which may be vulnerable while others might not be). Participants are required to retrieve pre-configured files or ‘flags’ from the target machine in order to score points. Attendees are not bared from attacking each other however any participant found using denial of service attacks will be removed from the game immediately.

TEAMS

We have space for 20 participants at a maximum - each team can consist of a MAXIMUM of 3 participants ONLY! Although we will not stop single registrant players from joining, we strongly encouraged that you form a team of at least 2 members if you’re really serious about winning.

1.) Army Strong (3 members)
2.) NDMTEAM (3 members)
3.) Eleet (3 members)
4.) OPEN
5.) OPEN
6.) OPEN
7.) OPEN
8.) OPEN
9.) OPEN
10.) OPEN

REFERENCE DISTRIBUTION: GENTOO 2006.1 (Hardened)
Game Play

* This will be a purely reverse engineering and exploit development game.
* There are 6 levels of increasing difficulties.
* Participants progress to the next level by cracking the current level.

Winners are determined as follows:

* 1st prize - The first team to get at least minimum level 4
* 2nd prize - The first team to get at least minimum level 3
* 3rd prize - The first team to get at least minimum level 2

In order to participate, teams must

* Be able to crack a given binary. This binary contains login information for the CTF game server.
* Once they are able to crack the binary, they can then login to the CTF game server with default level 0.
* They are free to do whatever they want on the CTF game server (assuming that the security restrictions allows it). Some actions may be disabled, such as scp’ing the binaries to their laptops.This restriction is up to the CTF organizing committee members. See *Things that may get you disqualified/penalized* below.
* Tools will be provided in the CTF game server, such gdb, objdump, hex editor, Perl, Ruby and Python interpreter, gcc

Game play scenario:

* For the first login, the user will have a uid of level0 and gid of level0
* There will be 6 directories, each belongs to different users and groups corresponding to the levels
* level1 users can’t browse the directory of level2 and so on
* Cracking level1 will enable to user to escalate his privilege to level2 and so on
* Cracking a level will enable the user to reveal the level’s flag. This flag must be submitted to the score server (a Web 2.0 compliant web interface will be provided) for validation and keeping score.

Things we don’t care about

* We don’t care how you get the flags - through pure good luck, copying from other teams, l33t reversing skills or bribery

Things that may get you disqualified/penalized

* DoS, e.g fork() bomb

Tools:

* Of no use: nmap, metasploit, nessus and
* Of use: gdb

Rules

  • NO flooding of network. A 30 minutes NO GAME penalty and points deductions will be given to teams that who are found to be flooding the network.
  • NO Denial of Service (DoS) attack. A 30 minutes NO GAME penalty and points deductions will be given to participants that are found to be launching DoS attacks
  • All participants must obey PIT STOP calls. PIT STOP calls are rest intervals where all players must leave the game area to facilitate for the CtF judges to update the score, and/or do maintenance work etc.
  • NO harassment of other opponents (verbal abuse, etc).
  • NO physical attack.
  • NO attacking of Score Servers. Participants that attack Score Servers will be given points deductions.

    Hints

  • Plan, plan, plan.
  • Learn how to attack the reference distributions.

    Final Judgement

  • At all times, the decision of the CtF Organizing Team is final on any matter in question.

    Prizes

    All Prizes for the CTF competition have been sponsored by Scan Associates Sdn. Bhd.

    1st Place - USD3,000 CASH
    2nd Place - USD2,000 CASH
    3rd Place - USD1,000 CASH

    Acknowledgements

    The HITBSecConf organizing committe would like to give shoutouts, ninja greetz and ghetto loves to The Ghetto Hackers, who came out with the attack and defense concept for the CtF game. Much love also to the current organizers of Defcon’s CTF, kenshoto!

    REGISTER NOW! SEND YOUR DETAILS TO CTFINFO@HACKINTHEBOX.ORG


  • Event Organizer


    Hack In The Box (M) Sdn. Bhd.

    Supported & Endorsed By


    UAE Telecommunications Regulatory Authority(TRA)


    Malaysian Communications and Multimedia Commission (MCMC)


    Malaysian Administrative Modernisation & Management Planning Unit

    Platinum Sponsors


    Gold Sponsors


    Microsoft Corporation


    HP Middle East

    Official Airline Partner


    Official Airline Partner for HITB Crew


    CTF Sponsor


    Scan Associates

    CTF Prize Sponsor


    Scan Associates

    Official Media Partner


    Official Publications



    Our Speakers Are Supported By:


    Telspace Systems

    Telecom Security Task Force - TSTF.net

    Mediaservice.net

    F-Secure Corp

    Mozilla Corporation

    FMA-RMS (Singapore/Malaysia)

    Official Hotel


    Supporting Media:

    InfoSec News

    (ISN) InfoSec News

    XAKEP

    Xakep (Russia)

    Insecure Magazine

    PHRACK Magazine

    Hakin9 Magazine

    Supporting Organizations


    ISECOM - Insititue for Security and Open Methodologies


    IT Underground


    X-Focus China

    Zone-H Defacement Mirror


    Xatrix Security