Challenges in Informatics: Patching, Hacking and Exploiting - Cipher4


Last updated on 02.08.08 08:56

C.I.P.H.E.R. 4: Challenges in Informatics: Patching, Hacking and Exploiting, aRrrrgh ;-) .

Hosted by the IT-Security Group of University Siegen and the Security and Privacy Research Group of the RWTH Aachen University.

The exercise took place on August 1st, 2008.

 

FINAL RESULTS

 


CIPHER is a Capture The Flag-style exercise in IT security for teams of students from universities. The task is to maintain a server running multiple services while simultaneously trying to get unauthorized access to the other teams' servers. Each successful penetration gains points, as does keeping one's own services up and functional during the course of the game.

The exercise is co-arranged by the IT-Security Group of University Siegen and the Chair for Communication and Distributed Systems of the RWTH Aachen. The event is coordinated by Lexi Pimenidis.

Description

The exercise consists of multiple teams, each hosting a server that has multiple services running, e.g. a webserver, a mail server, or customized services. The services contain typical security vulnerabilities that allow the server to be compromised to a certain extent.

The goal is to keep the services up, functional and uncompromised for the duration of the game. Additional points can be gained by patching the vulnerabilities of the services and by exploiting the knowledge of the found weaknesses on the other teams' servers.

The focus of the exercise is on application layer security.

Registration and More Information

For more information, send a mail to [email address shown as an image].

The registration phase is stopped for the time being. Sorry, we reached the current limit of teams. I will accept more registrations, but these will be put on a waiting list in case either one of the teams drops out or we decide to allow more slots. Again: we're really sorry for not being able to provide you with more slots... maybe next year.

NEW: If you are a single person, or if you just want to have a sniff of adventure and therefore join the contest without all the work of being an actual participant, please check the section on third party access at the bottom of this page!

Organisational Details

  • The exercise is scheduled for August, 1st, 2008. It will start at 6pm CEST and last until 1am CEST (GMT+2, UTC+2) on the next day.
  • Only teams of up to 5 members from a single university are allowed to sign up. The limit is hard and includes everybody actively participating in defense and offense.
  • Each team needs to have a contact person that does not actively take part in the exercise and is responsible for the team's ethical behaviour.
  • Each team needs to have a contact person that is responsible for technical matters, esp. the VPN connection and the machine setup. This person should answer emails within 8 to 10h or faster. Presence on IRC or Instant Messenger is a plus.
  • Professionals should contact us before subscribing. Please note that we will reserve the majority of slots for university teams. However, we will make sure that at least one or two slots will be free for non-university teams to enter the competition.
  • These teams have already expressed their interest in the contest:
    • 1: University of Regensburg, Germany
    • 2: UCSB, USA
    • 3: Ruhr University Bochum, Germany
    • 4: Universita degli Studi di Milano
    • 5: TU Vienna, Austria
    • 6: University of Nebraska at Omaha
    • 7: Technische Universität Berlin
    • 8: Technische Universität Darmstadt
    • 9: University of South Florida
    • 10: Amrita University, India
    • 11: Rensselaer Polytechnic Institute, US
    • 12: Katholieke Universiteit Leuven, Belgium
    • 13: FH OOE, Campus Hagenberg, Austria
    • 14: University Mannheim, Germany
    • 15: Ural State University, Russia
    • 16: Hochschule Niederrhein
    • 17: UGATU, Russia
    • 18: Universidad Nacional de La Plata, Argentina
    • 19: Ecole de technologie superieure, Canada
    • 20: Tomsk State University, Russia
    • 21: Taganrog Institute of Technology, Russia
    • 22: South Ural State University, Russia
    • 23: mwcollect.org
    • 24: University of Florida, US
    • 25: Seoul, South Korea
    • 26: University/Naval Postgraduate School, US
    • 27: Cynops GmbH + x, DE
    • 28: University of Applied Sciences Ingolstadt
    • 29: Iran hackerz security team, Iran

  • The timeline of the event is as follows:

    | CEST (UTC+2) | EDT (UTC-4) | PDT (UTC-7) | Event |
    |---|---|---|---|
    | as early as possible | | | each team sets up its VPN and the test image according to the instructions |
    | July, 31st, 20:00 | July, 31st, 14:00 | July, 31st, 11:00 | distribution of the encrypted VMWare image |
    | August, 1st, 17:00 | August, 1st, 11:00 | August, 1st, 8:00 | all teams should have their VPNs running to check pairwise connectivity (please don't block pings!) |
    | August, 1st, 18:00 | August, 1st, 12:00 | August, 1st, 9:00 | Game start: the key to the encrypted image is published in the IRC and by e-mail. The game starts :-) |
    | | | | Teams decrypt and set up the image |
    | August, 1st, 19:00 | August, 1st, 13:00 | August, 1st, 10:00 | the score bot starts checking for services |
    | | | | Main contest is here |
    | August, 2nd, 01:00 | August, 1st, 19:00 | August, 1st, 16:00 | the exercise is over, declaration of the winning team |

Technical Details

The contest will consist of multiple teams, each hosting a server that has multiple services running, e.g. a webserver, a mail server, or customized services. The services contain typical security vulnerabilities that allow the server to be compromised to a certain extent.

We recommend using two different host systems, one for routing and one for the vulnerable image, for robustness. The router, i.e. a team's gateway, can be any kind of hardware; any machine with two network interfaces will do the job. Note that this machine should still be able to run at least one instance of openvpn. The host machine carrying the vulnerable image should have at least 1GHz and 512MB of RAM; more is preferred, and at least 1GB of RAM is recommended. If the VMWare image runs on the gateway, the box should have at least 1.5GHz and 1GB of RAM. In addition to these two machines, every player will need a terminal to access the services of their own server and the other teams' servers. Whatever the students can work with will suffice here.

For local participation only (place to be determined at some later point): there's Internet access with enough bandwidth, tables and seats. You'll have to bring with you: a LAN-switch, network cables, power cords, multipliers, and computers as described above.

The vulnerable image will be for x86-architecture with 32bit.

As in CIPHER2 and CIPHER3, we will add an additional server to the game which will serve the same services as the other servers. In contrast to the team servers, this one will not be maintained by players but will serve as a mere target without a defending team.

More details can be found here.

Differences to previous CTF Contests

This section contains some ideas that will likely differ from previous contests.

Third Party Access: For testing purposes, we will allow a limited and registered set of interested individuals to take part in the contest as third parties. These will not get scored, nor will they host images; they will only be allowed access to the VPN in order to attack the hosts.
If you are interested in participating this way, please contact the organizers of the contest directly by mail.

Random Subnet Assignment: The teams will be assigned random subnets. This should make it a little bit more difficult to determine which teams you are currently attacking.

Prizes: We're trying to organize a set of prizes for the winning teams. If you're a player, please send us suggestions for prizes; if you're a sponsor, send us cool gadgets ;)

The scoring system will get much simpler this time. Currently we're thinking along these lines:

  • A flag is considered defended and gets scored with 1 point, if
    • it was successfully retrieved by the gameserver (after around 2 min).
    • it wasn't submitted by another team by the end of its expiry time (about 15min).
  • A flag is considered caught and gets awarded with 1 point, if
    • the submitting team has the same service actively running as the one from which the flag originates
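
The scoring rules above, worked through in Python as an added example (this is not the organizers' gameserver code). The Flag record, the score function, the team names and the sample data are constructed; ignoring a team's own flags, ignoring submissions after expiry, and counting one capture per team per flag are assumptions the page does not state.

```python
from collections import Counter
from dataclasses import dataclass, field

FLAG_LIFETIME_S = 15 * 60  # "about 15min" expiry time from the rules above


@dataclass
class Flag:
    owner: str          # team whose server holds the flag
    service: str        # service the flag was stored in
    placed_at: int      # seconds since game start (constructed)
    retrieved_ok: bool  # gameserver read the flag back after ~2 min
    submissions: list = field(default_factory=list)  # (team, time) pairs


def score(flags, services_up):
    """Return (defense, offense) point counters per team.

    services_up maps team -> set of services that team keeps running
    (simplified to one static snapshot; an assumption of this example).
    """
    defense, offense = Counter(), Counter()
    for f in flags:
        expiry = f.placed_at + FLAG_LIFETIME_S
        # Assumption: own-flag and late submissions are ignored.
        captors = {t for t, when in f.submissions
                   if t != f.owner and when <= expiry}
        # Defended: retrieved by the gameserver and never submitted in time.
        if f.retrieved_ok and not captors:
            defense[f.owner] += 1
        # Caught: only scores if the submitter runs that same service.
        for team in captors:
            if f.service in services_up.get(team, set()):
                offense[team] += 1
    return defense, offense


def demo():
    # Constructed sample round with three teams.
    services_up = {"A": {"web", "mail"}, "B": {"mail"}, "C": {"web", "mail"}}
    flags = [
        Flag("A", "web", 0, True),                       # defended
        Flag("A", "mail", 0, True, [("B", 300)]),        # caught by B
        Flag("B", "web", 0, False),                      # service down
        Flag("B", "mail", 60, True, [("C", 1200)]),      # submitted too late
        Flag("C", "web", 0, True, [("A", 100), ("B", 200)]),
    ]
    return score(flags, services_up)
```

In the sample round, team B submits a flag from C's web service but earns nothing for it because B's own web service is down, while C still loses the defense point for that flag.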

Acknowledgements & Greetings

To Tilo, Giovanni Vigna, Chrissi, Angel, Spida, and a lot of others. (Mail me, if I forgot to put your name in here).
