Challenges in Informatics: Patching, Hacking and Exploiting - Cipher6
CaptureTheFlag

FAQ

Gameserver

HowToPlay

Player'sClosedArea

ReleaseNotes

Cipher1

Cipher2

Cipher3

Cipher4

Cipher5

Cipher6

Contact

Email

Index


More on the organizor
Last updated on 16.01.10 00:31

CIPHER 6

Co-Hosted by Lexi Pimenidis and GI SIG SIDAR, co-executed with DIMVA 2010

The exercise will take place at July 8th, 2009. Participation is possible from all over the world.

 

CIPHER is a Capture The Flag-style exercise in IT security for teams of students from universities. The task is to maintain a server running multiple services, while simultaneously trying to get unauthorized access to the other team's servers. Each successful penetration gains points, as well as keeping the own services up and functional during the course of the game.

The event is co-hosted by Lexi Pimenidis and the Special Interest Group SIDAR (Security - Intrusion Detection and Response) of the German Informatics Society (GI). Cipher 6 co-executes with the international Conference on Detection of Intrusions and Malware & Vulnerability Assessment DIMVA 2010 (July 8th -- 9th). Hardware, bandwidth and personal ressources have been gratiously donated by the University of Bonn. On-site participation of conference attendees is possible.

Description

The exercise consists of multiple teams, each hosting a server that has multiple services running, e.g., a webserver, a mail server, or customized services. The services contain typical security vulnerabilities that allow to compromise the server.

The goal is to maintain the services up, functional and uncompromised for the duration of the game. Additional scores can be gained by patching the vulnerabilities of the services and exploiting the knowledge of the found weaknesses at the other team's servers.

Registration and More Information

For more information send a mail to this picture shows an email address.

We will preliminary stop registration, if we have 40 teams. So if you consider participating, don't hesitate too long! Slots usually fill up quickly.

Also, we will only accept a single team from each affiliation - multiple teams will only get accepted, if there are less than 40 teams registered by the end of the official registration phase.

NEW If you are a single person, or if you just want to have a sniff of adventure and therefore join the contest without all the work of being an actual particpant: please check the section third party access on the bottom of this page!

To register your team, please fill in the following form:

Affiliation/University
Country
Team's Nickname
Contact person (name and email address, (*) see below)
Technical contact (name and email address)
Number of participants
Public GPG-Key (the key must be capable for signing and encryption, e.g., DSA+Elgamal)
Additional information

(*)only registrations with official university email adresses are allowed. Also, the contact person should be an employee of the university, i.e. a lecturer or professor. Any other registration will be silently dropped.

Organisational Details

  • The exercise is scheduled for July 8th (date is still subject to possible changes). It will start at 6pm CEST and last until 1am CEST (GMT+2, UTC+2) on the next day.
  • Only teams of up to 7 members from a single university are allowed to sign up. The limit is hard and includes everybody actively participating in defense and offense.
  • Each team needs to have a contact person that does not actively take part in the exercise and is responsible for the team's ethical behaviour.
  • Each team needs to have a contact person that is responsible for technical stuff, esp. the VPN connection and the machine setup. This person should answer to emails within 8 to 10h or faster. Presence in the IRC or Instant Messenger are a plus.
  • Professionals should contact us, before subscribing. Please note that we will reserve the majority of slots for university teams. However we will make sure that at least one or two slots will be free for non-univeristy teams to enter the competition.
  • These teams have already pointed out their interest to the contest:
    • 1: Amrita University, India
    • 2: University of Kaiserslautern, Germany

  • There are currently 0 persons/teams registered for third party access.
  • The timeline of the event is as follows:
    CEST,
    UTC+2    		EDT,
    UTC-4    		PDT,
    UTC-7    		Event
    as early as possible each team sets up its VPN and the test image according to the instructions
    July, 6th, 20:00 July, 6th, 14:00 July, 6th, 11:00 Teams must have succesfully connected to the VPN and run a full connectivity test at least once. Failing team will be excluded from contest.
    July, 7th, 20:00 July, 7th, 14:00 July, 7th, 11:00 distribution of the encrypted virtual image (if applicable) using bittorrent
    July, 8th, 17:00 July, 8th, 11:00 July, 8th, 8:00 all teams should finally connect their VPNs to the central hub
    July, 8th, 17:30 July, 8th, 11:30 July, 8th, 8:30 Game start: the key to the encrypted image is published in the IRC and by e-mail. The game starts :-)
    July, 8th, 19:00 July, 8th, 13:00 July, 8th, 10:00 the score bot starts checking for services
    Main contest is here
    July, 9th, 01:00 July, 8th, 19:00 July, 8th, 16:00 the exercise is over, declaration of the winning team

Technical Details

The contest will consist of multiple teams, each hosting a server that has multiple services running, like e.g. a webserver, a mail server, or customized services. The services contain typical security vulnerabilities that allow to compromise the server to a certain extend.

We recommend to use two different host systems for routing and the vulnerable image due to robustness reasons. The router, i.e. a team's gateway, can be any kind of hardware - any machine with two network interfaces will do the job. Note that this machine should still be able to run at least one instance of openvpn. The host machine carrying the vulnerable image should have at least 1GHz and 512MB of RAM, more is preferred, and at least 1GB of RAM is recommended. If the virtual image will run on the gateway, the box should have at least 1.5GHz and 1GB RAM minimum. In addition to these two machines every player will need a terminal to access the services of their own server and the other teams' servers. Whatever the students can work with, will suffice here.

As we did in CIPHER2, 3, 4 and 5 we will add an additional server to the game which will serve the same services as the other servers. In contrast to the team servers, this one will not be maintained by players but serve as a mere target without an defending team.

More details can be found here.

Differences to previous CTF Contests

This section contains some ideas that will likely differ from previous contests.

(nothing here, yet -- but there will be significant changes. stay tuned!)

Links

Acknowledgements & Greetings

To Danilo, Lorenzo, Tilo, Giovanni Vigna, HC, Chrissi, Angel, Spida, and a lot of others. (Mail me, if I forgot to put your name in here).
Valid HTML 4.01!   best viewed with telnet to port 80