CAPTURE THE FLAG OVERVIEW & RULES
Overview
The objective of the game is for teams to gain as many points as possible by defending their own servers and attacking other teams’ servers. Each team will be given an identical pre-configured VMware image of a Gentoo Linux installation. Custom services will be running on the server. These services contain vulnerabilities such as buffer overflows, format string bugs and so on. Each team’s objective is to analyze the services, find vulnerabilities and write exploits. As such, the following skills are needed:
- Reverse engineering
- Binary analysis
- Debugging
- Exploit writing
The ability to write a working exploit will enable the team to attack other servers, retrieving the flag associated with each service running on the server and thus scoring an offensive point. The ability to keep the services running will enable the teams to score a defensive point.
Prerequisites
Prior to the actual game day, registered teams will be given a binary that needs to be cracked. Cracking the binary will provide the team with a code, which they must give to the CTF organizing team in return for root access to the VMware image. This binary will be emailed to all participating teams on 2nd September, 3 days prior to the game. Failure to crack the binary does not mean teams will be disqualified; it just means they will not have root access to their own servers during the game day and risk losing.
Scoring
Offensive Points: Gained by hacking into other teams’ servers and retrieving their flags.
Defensive Points: Gained by keeping your server’s services running.
In order to score an offensive point, all that a team needs to do is hack into another team’s server, retrieve the flag, and submit it to the score server. In order to get a defensive score, teams must keep their services running and accessible to the ScoreBot. The ScoreBot will periodically connect to the team’s server and perform either or both of two actions: set new flags on the services and/or retrieve flags from the services. Failure of the ScoreBot to complete either of these 2 actions when it connects will result in point deductions.
More points are given for offensive attacks than for defensive scores. Defensive scores are the same for all services, while offensive scores vary depending on the complexity level of the exploit needed to hack the service. During the course of the game, the score server will randomly set new flags on each team’s services. This means that a service can have as many as 10 unique flags throughout the game, so if a particular team has an exploit against this service, they can get 10 times the points multiplied by the number of teams.
Rules
- No flooding and/or DoS attacks. Teams will be penalized by disqualification, points deduction or time penalty.
- No harassment of other opponents.
- All participants must obey PIT STOP calls. PIT STOP calls are rest intervals where all players must leave the game area so that the CtF judges can update the score and/or do maintenance work, etc.
Teams
1.) Padocon (Korea) - DEFENDING CHAMPIONS
2.) Army Strong (US Army)
3.) Scanit ME (UAE)
4.) Qb1t (Singapore)
5.) DTF07 (Malaysia)
6.) Powerhacker (Korea)
7.) WsLabi (Switzerland)
8.) Stealther (Malaysia)
9.) t3nth (Singapore .edu)
10.) SaoVang (Vietnam)
Final Judgement
At all times, the decision of the CtF Organizing Team is final on any matter in question.
Prizes
1st Place - USD3,000
2nd Place - USD2,000
3rd Place - USD1,000
All prizes are sponsored by SCAN ASSOCIATES BHD
Source Code
The CTF organizing team reserves the right to release or not to release the source code of the services during the game.
Acknowledgements
The HITBSecConf organizing committee would like to give shoutouts, ninja greetz and ghetto loves to The Ghetto Hackers, who came up with the attack and defense concept for the CtF game. Much love also to the current organizers of Defcon’s CTF, kenshoto!