Challenges in Informatics: Patching, Hacking and Exploiting - CaptureTheFlag

Last updated on 06.11.10 20:24

CTF-style hacking challenges

On several occasions I have hosted Capture The Flag-style exercises in IT security for teams of students. The task is to maintain a server running multiple services while simultaneously trying to get access to the other teams' servers. Each successful penetration gains points, as does keeping the services up and functional during the course of the game.

The exercise consists of multiple teams, each hosting a server that runs multiple services, e.g. a web server, a mail server, or custom services. The services contain typical security vulnerabilities that allow the server to be compromised to a certain extent.

The goal is to keep the services up, functional and uncompromised for the duration of the game. Additional scores can be gained by patching the vulnerabilities in the services and by exploiting the discovered weaknesses on the other teams' servers.

The focus of the exercise is on application layer security.

Technical Details

  • The contest will be held within a VPN. We will use OpenVPN to authenticate the teams and make sure that the exercise has no effect on the rest of the internet.
  • All traffic will be logged.
  • The traffic will be anonymized on the IP layer, i.e. it is not easily possible to distinguish other teams' requests from the game server's requests based on the IP address, so filtering based on the IP is useless. Any other mechanism to distinguish the game server from other teams on the TCP/IP layer is forbidden as well.
  • All computers in a team's VPN subnet are legitimate targets for attacks.
  • The services will be part of a VMware image. This image will be encrypted and distributed ahead of time. The key will be published at the beginning of the exercise.
  • The image will contain a means for the gamemaster to log on and check whether the team is adhering to the rules. It is not allowed to deactivate this account.
  • There will be an IRC channel for discussion and for answering technical problems.
  • Each team needs the following to participate in this contest:
    • one or two boxes as router and team host
    • one computer per participant
    • a stable internet connection with a minimum of 1 Mbit/sec that is able to send and receive UDP packets (we make use of OpenVPN)
    • we estimate that the complete setup takes about 1 day, including checks for safety and security
    • no commercial licenses are needed to participate, and there are no fees to be paid

Game Details

  • The vulnerable services will be custom services, i.e. the software that is subject to the scoring system is written specifically for this contest. There will be no standard software that deliberately contains errors. On the other hand, the organizers will not guarantee that the other software on the provided image is free of errors, but it is quite safe to assume that the standard software is secure, unless one team owns unpublished zero-day exploits.
  • The game server will contact each service on each server at variable intervals to check it for functionality. Points are awarded for keeping the services up and running during the exercise.
  • The server will also perform some actions that leave behind a flag, i.e. a certain string, and will try to retrieve the flag it left there the last time. If all of this is possible and the flag has not been submitted by other teams to the scoring system, the team gains points for having an uncompromised service.
  • A team may gain additional points by compromising a remote machine and gaining access to the stored flags. Each flag is worth an amount of points if it is submitted to the scoring system within a few minutes after it was deposited.
  • The following is discouraged and may be fined with negative scores:
    • Filtering connections based on the connection layer is not allowed (regardless of IP anonymization).
    • Filtering requests on the application layer by means outside the actual CTF service is not allowed.
    • Automated scanning (ports, IPs, etc.) or the use of vulnerability scanners.
    • Attacks like Denial-of-Service, Distributed-Denial-of-Service or bandwidth exhaustion.
    • Changing the routing on any compromised host.
    • Destructive behaviour (e.g. deleting vital system files).
    • Intentionally supporting other teams is considered bad sportsmanship and will be fined (especially if both teams belong to the same affiliation).
    • In the IRC channel: swearing, flooding, and similar.
    • (this list is not complete)
  • The following is discouraged and may be fined with negative scores and/or immediate removal from the game:
    • The game server and all hosts in the organizers' network are off-limits.
    • Attacking systems outside the VPN is not allowed. All traffic has to happen within the VPN. Each team has to ensure that other teams cannot accidentally harm other hosts in their networks.
    • Relaying data through other teams' networks into the internet.
    • Cheating on the team's size leads to immediate disqualification.
    • (this list is not complete)

Scoring details

  • The scoring system may still change in small details until the start of the contest. All changes will be published here. There will be no more changes after the beginning of the contest.
  • The scores for defense are given according to these rules:
    • Each service of each team will be checked once per interval. An interval will (most probably) be between 60 seconds and 5 minutes.
    • If a service can be contacted and seems to work, the team may receive some defensive points for the uptime.
    • If the service works correctly, i.e. if the service delivers the data and the flag that the gameserver asked for, the team receives defensive points for having a "running" service.
    • In addition to just leaving and retrieving the flag, the gameserver will check separate functionality of the services, which might not be important for setting or reading the flag per se. If this functionality is missing, the gameserver might consider that the players intentionally pruned the code in order to have a smaller attack surface.
      This is considered a foul. Within the next 5 to 10 minutes the team will not receive any more scores for this service. After that, the service is checked again to see whether the functionality is back.
      Note that in case of repeated and heavy fouls, a team is bound to lose ethical scores, too.
    • The gameserver will provide a limited error analysis if the service is not up:
      • Wrong Flag: the service returned the wrong flag or no flag, but otherwise everything was OK
      • Output garbled: the output was so garbled that the gameserver could not even recognize where the flag could have been
      • Network: there were problems on the network layer; the remote host was unreachable, the network was down, or similar
      • Timeout: everything just took too long to respond (note that we sometimes cannot distinguish between actual network and timeout errors...)
      • Foul: see above
      • Generic Error: everything else or unknown
    • If a valid flag is submitted by another team, all defensive points awarded for this flag are immediately cancelled.
    • The score board will only display the amount of points relative to the leading party, instead of the absolute scores.
  • The scores for offensive attacks are given according to these rules:
    • All flags are valid for submission for a limited period only. After this period, submitting a flag has no effect.
    • A team can only submit flags from a service if its own service of this type is considered "up" by the gameserver.
    • Each time a team submits a flag, it receives a number of points according to the difficulty of hacking the respective service.
    • The score board will only display the amount of points relative to the leading party, instead of the absolute scores.
  • In addition to defensive and offensive scores, the game features ethical scores.
    • Each team has 10 ethical scores at the start of the game.
    • For violations of the rules, teams may lose ethical scores. Regardless of possible gains in ethical scores, teams are excluded from the game if they have lost 10 or more ethical scores due to rule violations.
    • Teams can gain ethical scores for publishing advisories.
    • Each advisory is scored 0 to 5 ethical scores, depending on the quality of the text and the level of difficulty of the described bug. We assign scores for each disclosed vulnerability only once, in a first come, first served fashion.
    • An advisory will only be scored if it contains at least a short description of the bug, an exploit and a patch that removes the bug.
    • If an advisory scores X points, it will be disclosed to all other players after X * 30 minutes.
  • The total score is calculated as follows: for each of the categories (defensive, offensive, and ethical scores) a team is assigned a score relative to the team with the most scores in that category. These three relative scores are then added and normalized such that the leading team has 100%.
  • Note that there are some actions that are allowed but not awarded with scores. These include: breaking into a team's router, breaking into other players' computers, and submitting your own flags.
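As an added illustration of the total-score rule above (this is constructed example code, not the organizers' scoring system): each category is normalized against its leader, the three relative values are summed, the sum is scaled so the leader reads 100%, and teams that have lost 10 or more ethical scores are excluded before normalization. The team names and point values are assumptions.

```python
# Added illustration of the total-score rule (constructed data, not the
# organizers' scoring code). Team names and point values are assumptions.
from dataclasses import dataclass

START_ETHICAL = 10    # every team starts with 10 ethical scores
EXCLUSION_LOSS = 10   # 10 or more lost -> excluded, regardless of gains


@dataclass
class Team:
    name: str
    defensive: float          # accumulated defensive points
    offensive: float          # accumulated offensive points
    ethical_lost: int = 0     # cumulative losses from rule violations
    ethical_gained: int = 0   # gains from scored advisories

    @property
    def ethical(self) -> int:
        return START_ETHICAL + self.ethical_gained - self.ethical_lost

    @property
    def excluded(self) -> bool:
        # Exclusion counts only losses; advisory gains do not undo it.
        return self.ethical_lost >= EXCLUSION_LOSS


def relative_scores(teams, category):
    """Each team's score divided by the category leader's score (0..1)."""
    best = max(getattr(t, category) for t in teams)
    return {t.name: (getattr(t, category) / best if best > 0 else 0.0)
            for t in teams}


def total_scores(teams):
    """Return {team name: percent of the leading team}; the leader is 100.0."""
    active = [t for t in teams if not t.excluded]
    rels = [relative_scores(active, c)
            for c in ("defensive", "offensive", "ethical")]
    raw = {t.name: sum(r[t.name] for r in rels) for t in active}
    top = max(raw.values())
    return {name: round(100 * v / top, 1) for name, v in raw.items()}


def constructed_teams():
    """Constructed sample standings, not data from a real contest."""
    return [
        Team("alpha", defensive=300, offensive=120, ethical_lost=2, ethical_gained=3),
        Team("beta", defensive=150, offensive=240),
        Team("gamma", defensive=400, offensive=0, ethical_lost=10, ethical_gained=4),
    ]
```

Note that "gamma" leads the defensive category but is dropped entirely because it has lost 10 ethical scores, which also changes the defensive leader the remaining teams are measured against.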

Setup Details

Typically, each team is assigned a class C subnet to set up their computers and the server. Often there are some fixed addresses that need to be used:

  • 10.X.Y.1 : the team's router
  • 10.X.Y.2 : PC serving the vulnerable image (if using an extra computer, otherwise leave empty)
  • 10.X.Y.3 : vulnerable image
  • 10.X.Y.10 and up : players

Teams are strongly advised to set up and test the configuration as soon as possible. Sometimes an empty test image is released to test connectivity.

All routing is done via the central VPN-server. Check the following image for an overview of a typical network structure. In this example, team 2 and 3 have a dedicated server carrying the vulnerable image, while team 1 hosts the image on the router (beware CPU load!).
