POSITIVE HACK DAYS

ORGANIZER

Circuli Vitae

General Description

At the beginning of the game, the teams are provided with identical servers with a preinstalled set of vulnerable services. The teams’ aim is to detect the vulnerabilities, fix them on their own servers, and exploit them on the competitor teams’ servers to obtain sensitive information (capture the flags). Teams can also score points by capturing bonus flags or flags from the shared game infrastructure, or by holding down services during the King of the Hill contest.

Each flag is a 32-character string in MD5 format.

Note: services for the ‘King of the Hill’ contest are divided into two levels; access to the second-level services is granted only after the first-level tasks are solved. Holding down second-level services scores more points than holding down first-level services.

A final contest will challenge the competitors’ skills and knowledge in protecting a given infrastructure from Internet attacks. Detailed information about this contest will be provided on the second day of PHDays CTF 2012. Teams’ performance in this contest can influence their final rating.

The game process is constantly monitored by the jury’s supervising system, which regularly modifies the state of the game infrastructure by adding new flags and vulnerabilities to the teams’ servers, and checks the state of the previously added flags and the functioning of the vulnerable services. The jury decides the winner on the basis of the total points scored by each team.

Scoring Rules

Points are scored for:

  • Sending flags captured from the competitors’ services (the Attack rating), including flags captured for bonus tasks (the Bonuses rating);
  • Sending flags captured from the shared segment of the game infrastructure (the Attack rating);
  • The hold-down time at the King of the Hill contest (the King-of-the-Hill rating);
  • Winning the bonus contests (the Bonuses rating).

Notes:

All flags on the teams’ servers are distinct and are marked with an identifier unique to each team’s services; each team may capture flags from all competitor services.

Flags on the servers within the shared segment differ in their value according to the sophistication level of the task to be solved.

The value of each bonus task is pre-set for each service according to the sophistication level of the attack required. Examples of possible bonus tasks: taking over an AR.Drone, dumpster diving.

Points are deducted from a team for:

  • Failing to ensure the availability of their own servers and/or the functions performed by the vulnerable services (the Availability rating);
  • Failing to protect flags on their services (the Protection rating);
  • Failing to ensure protection of the game infrastructure in the final contest.

The denial-of-service penalty calculation formula

Service denial in the main CTF tasks = points for the service flag × 4

Service denial in the bonus CTF tasks = points for the service flag × 2

Service availability indication:

  • Green indicator means the service is functioning properly;
  • Yellow indicator means the service is malfunctioning (i.e. it is either unavailable or not performing the predefined functions). If the situation has not been fixed by the next check-up, points will be deducted;
  • Red indicator means the service is still malfunctioning (either unavailable or not performing the predefined functions). Each new check-up leads to a deduction of points until the situation is fixed.

The loss-of-flag penalty calculation formula

The first three losses of the same flag are each penalised at 100% of the flag’s value. All subsequent losses of that flag are not included in the penalty total. Thus, the maximum penalty for a flag is triple the flag’s value. For bonus tasks, flags lost by the team are not counted.

Note: the detailed description and penalty calculation formula of the final contest will be announced on the second day of PHDays CTF 2012.

The points scored by each team are calculated in real time and displayed on the screen. If a team accumulates more penalty points than can be deducted, its total score is reduced to 0.
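Taken together, the availability indicators, the denial-of-service multipliers, the three-loss cap on flag penalties and the zero floor describe a small scoring state machine. The Python below is an added example written for this page to make those rules concrete; it is not the jury’s supervising system. Service names, flag values, which services count as bonus tasks and the sequence of check-up results are constructed sample data.

```python
"""Worked example of the PHDays CTF 2012 penalty rules (added example, not the jury's code)."""
from dataclasses import dataclass, field

# Constructed sample data: points one flag of each service is worth,
# and which services belong to the bonus CTF tasks.
SERVICE_FLAG_VALUE = {"web": 10, "net": 20, "drone": 5}
BONUS_SERVICES = {"drone"}

DENIAL_MULTIPLIER_MAIN = 4    # service denial in main tasks = flag points x 4
DENIAL_MULTIPLIER_BONUS = 2   # service denial in bonus tasks = flag points x 2
MAX_PENALISED_LOSSES = 3      # only the first three losses of the same flag count


@dataclass
class TeamScore:
    attack: int = 0                                     # points from captured flags
    availability_penalty: int = 0
    protection_penalty: int = 0
    indicator: dict = field(default_factory=dict)       # service -> green/yellow/red
    flag_losses: dict = field(default_factory=dict)     # flag id -> times lost

    def record_check(self, service: str, healthy: bool) -> str:
        """Apply one jury check-up and return the new indicator colour.

        green  : service works, nothing deducted.
        yellow : first failed check-up, a warning only.
        red    : still failing at the next check-up; this and every further
                 check-up in the red state deducts the denial penalty.
        """
        if healthy:
            self.indicator[service] = "green"
            return "green"
        previous = self.indicator.get(service, "green")
        if previous == "green":
            self.indicator[service] = "yellow"
            return "yellow"
        multiplier = (DENIAL_MULTIPLIER_BONUS if service in BONUS_SERVICES
                      else DENIAL_MULTIPLIER_MAIN)
        self.availability_penalty += SERVICE_FLAG_VALUE[service] * multiplier
        self.indicator[service] = "red"
        return "red"

    def record_flag_loss(self, service: str, flag_id: str) -> int:
        """Penalise a flag captured from this team's service; return points deducted."""
        if service in BONUS_SERVICES:
            return 0                      # bonus-task flag losses are not counted
        count = self.flag_losses.get(flag_id, 0) + 1
        self.flag_losses[flag_id] = count
        if count > MAX_PENALISED_LOSSES:
            return 0                      # capped at triple the flag's value
        value = SERVICE_FLAG_VALUE[service]
        self.protection_penalty += value
        return value

    def total(self) -> int:
        """Total score; penalties that exceed earned points only bring it to 0."""
        return max(self.attack - self.availability_penalty - self.protection_penalty, 0)


def simulate(attack_points: int) -> TeamScore:
    """Run one constructed round sequence against a team and return its score."""
    team = TeamScore(attack=attack_points)
    # Constructed check-up history for the "web" service: two outages, the
    # second lasting three consecutive check-ups.
    for healthy in (True, False, False, True, False, False, False):
        team.record_check("web", healthy)
    # The same "net" flag captured five times by rivals: only three count.
    for _ in range(5):
        team.record_flag_loss("net", "net-flag-01")
    team.record_flag_loss("drone", "drone-flag-01")   # bonus task, not counted
    return team


if __name__ == "__main__":
    for pts in (200, 50):
        t = simulate(pts)
        print(pts, t.availability_penalty, t.protection_penalty, t.total())
```

With 200 attack points the constructed sequence yields 120 availability penalty (three red check-ups at 10 × 4) and 60 protection penalty (three counted losses of a 20-point flag), leaving 20; with only 50 attack points the same penalties floor the total at 0 rather than going negative.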

During the game, teams are allowed to:

  • use no more than 5 computers and network devices operating at layer 2 or above of the ISO OSI model;
  • make any modifications of the provided servers unless it is prohibited by the jury;
  • conduct attacks against the competitors’ servers in order to capture their flags;
  • conduct attacks against the servers of the shared infrastructure segment in order to capture the flags;
  • conduct attacks against the services of the King of the Hill contest in order to keep control over the systems.

During the game, teams are prohibited from:

  • attacking the jury’s computers;
  • filtering traffic to any CTF resource (such as by IP address);
  • generating an unreasonably high volume of traffic (flooding);
  • conducting destructive attacks against the rivals’ servers (such as rm -rf /);
  • intentionally hindering normal functioning of the services, including those of competitor teams and shared game infrastructure;
  • removing flags from the provided servers, rivals’ servers and those of the shared game infrastructure;
  • performing the above actions in the guise of a rival team.

Work of the jury:

  • The jury may specify the rules at any time before the game begins.
  • The jury may impose a penalty/disqualify a team for a foul.
  • The jury decides the winner by calculating the total scores.

Point distribution over the CTF tasks

Task type                                      Maximum score   Maximum penalty
Teams’ services                                25%             15%
Shared infrastructure                          30%             -
King of the Hill, first-level tasks (type 1)   8%              -
King of the Hill, first-level tasks (type 2)   8%              -
King of the Hill, second-level tasks           20%             -
Bonuses (extra contests)                       9%              -

Notes:

  • The score distribution over the tasks is expressed as a percentage of the total score possible for the CTF.
  • When completing the final task, teams can lose points (the details will be provided on the second day of the contest).

Technical Details of CTF

Possible vulnerabilities in the CTF services

Web application vulnerabilities:

  • Authentication errors;
  • Authorization and access isolation errors;
  • Attacks against web applications (Cross-Site Scripting, Cross-Site Request Forgery, etc.);
  • Vulnerabilities resulting in code execution (SQL Injection, OS Commanding, XML Injection, etc.);
  • Sensitive information leakage;
  • System logic errors;
  • Configuration errors in servers and applications.

Network services vulnerabilities:

  • Authentication errors;
  • Authorization and access isolation errors;
  • Vulnerabilities resulting in code execution (buffer or stack overflow, etc.);
  • Cryptography protection errors;
  • System logic errors;
  • Publicly disclosed vulnerabilities with remote exploitation vectors;
  • Administrative errors;
  • Weak passwords.

Application vulnerabilities and vulnerabilities in automation scripts for administration functions:

  • Authentication errors;
  • Authorization and access isolation errors;
  • Vulnerabilities resulting in code execution (buffer or stack overflow, etc.);
  • Cryptography protection errors;
  • System logic errors.

Wireless network vulnerabilities:

  • Unauthorized access points and wireless access clients;
  • Vulnerable configuration of wireless access, including configuration of wireless clients (weak security protocols, etc.).

Network Map