CAPTURE - THE FLAG OVERVIEW & RULES




Overview
This Capture the Flag will be the second CtF game to be held in the Middle East region, after the attack-only game which was run in Bahrain in April of 2005. The attack-only CTF is different from the game that has been held at the HITB Security Conference in 2002, 2003, 2004 and 2005 and at INFOSEC 2003. Instead of each participant having to attack and defend, participants in the game will be expected to launch penetrative attacks against single or multiple target servers. Each machine is configured with various services (some of which may be vulnerable while others might not be). Participants are required to retrieve pre-configured files or ‘flags’ from the target machine in order to score points. Attendees are not barred from attacking each other; however, any participant found using denial-of-service attacks will be removed from the game immediately.
TEAMS
We have space for 20 participants at a maximum - each team can consist of a MAXIMUM of 3 participants ONLY! Although we will not stop single-registrant players from joining, we strongly encourage you to form a team of at least 2 members if you’re really serious about winning.
1.) Army Strong (3 members)
2.) NDMTEAM (3 members)
3.) Eleet (3 members)
4.) OPEN
5.) OPEN
6.) OPEN
7.) OPEN
8.) OPEN
9.) OPEN
10.) OPEN
REFERENCE DISTRIBUTION: GENTOO 2006.1 (Hardened)
Game Play
* This will be a purely reverse engineering and exploit development game.
* There are 6 levels of increasing difficulty.
* Participants progress to the next level by cracking the current level.
Winners are determined as follows:
* 1st prize - The first team to reach at least level 4
* 2nd prize - The first team to reach at least level 3
* 3rd prize - The first team to reach at least level 2
In order to participate, teams must
* Be able to crack a given binary. This binary contains login information for the CTF game server.
* Once they are able to crack the binary, they can then log in to the CTF game server with default level 0.
* They are free to do whatever they want on the CTF game server (assuming that the security restrictions allow it). Some actions may be disabled, such as scp’ing the binaries to their laptops. This restriction is up to the CTF organizing committee members. See *Things that may get you disqualified/penalized* below.
* Tools will be provided on the CTF game server, such as gdb, objdump, a hex editor, Perl, Ruby and Python interpreters, and gcc
Game play scenario:
* For the first login, the user will have a uid of level0 and gid of level0
* There will be 6 directories, each belonging to different users and groups corresponding to the levels
* level1 users can’t browse the directory of level2 and so on
* Cracking level1 will enable the user to escalate his privilege to level2 and so on
* Cracking a level will enable the user to reveal the level’s flag. This flag must be submitted to the score server (a Web 2.0 compliant web interface will be provided) for validation and keeping score.
Things we don’t care about
* We don’t care how you get the flags - through pure good luck, copying from other teams, l33t reversing skills or bribery
Things that may get you disqualified/penalized
* DoS, e.g. a fork() bomb
Tools:
* Of no use: nmap, metasploit, nessus and
* Of use: gdb
Rules




Hints
Final Judgement
Prizes
All Prizes for the CTF competition have been sponsored by Scan Associates Sdn. Bhd.
1st Place - USD3,000 CASH
2nd Place - USD2,000 CASH
3rd Place - USD1,000 CASH
Acknowledgements
The HITBSecConf organizing committee would like to give shoutouts, ninja greetz and ghetto loves to The Ghetto Hackers, who came out with the attack and defense concept for the CtF game. Much love also to the current organizers of Defcon’s CTF, kenshoto!