	Challenges in Informatics: Patching, Hacking and Exploiting - FAQ

CaptureTheFlag FAQ HowToPlay Player'sClosedArea ReleaseNotes Cipher1 Cipher2 Cipher3 Cipher4 Contact Email Index More on the gameserver More on the organizor	Last updated on 29.06.07 18:58 Frequently Answered Questions Rules the main rules can be found on this web page FAQ and clarifications Does the use of automated tools include software like nessus, nmap and hydra? In a way: yes. But then you'll probably don't need them anyway (see point 3 below). In the rare opportunities where you might find them useful, you can apply them in your local network without any restrictions but you shoudln't use them extensively on other team's network. If you do, limit their bandwidth and aggresiveness so that you don't DoS other parties or the VPN-server (as it's the routing bottleneck). A rule of thumb(!) is, that you may use them as long as you don't start more than 10 TCP/Connections per second and don't waste the VPN-server's bandwidth (bottleneck), i.e. try to use less than 1MBit/s for scanning and such. But again: you'll most probably don't need scanning because experience says that hacking into other team's workstations and routers is typically impossible unless you own an unpublished zero-day exploit. In addition, hacking into those machines doesn't get awarded with scores. Anyway, you're free to do that if you want to. Is password cracking allowed? Yes. Will there be standard applications or custom for the competition? Completly custom. That's why you probably don't need nessus and such anyway. Will the source code be provided so that our programmer can apply patches as needed? For most service there will be source code available. But it's possible that there will be minor number of challenges without source code. Will it be ethically wrong to utilize google for this competition? Not at all. Can we attack the workstations of the other team's users? Can these machines be firewalled? Workstations can be firewalled, that's no problem. You may also attack other team's workstations - but these actions are not scored ;-) Can we do Layer 7 filtering (watching for buffer overflows for example) and then using the L7 NetFilter plugin to filter related attacks? Or do we have to do this without any sort of filtering on the server. In contrast to former CTF events, we do not allow L7-Filtering any more. In fact, any kind of filtering that is not done in the applications themselves is considered against the rules. So, how about filtering at all? ANY kind of context based checks are against the rules - that goes also for any other information provided in IP, TCP, or if that matters, HTTP-headers. Or more generally speaking: any filtering that tries to distinct between players and gameserver is against the rules, as are filters that work on OS- or network level. Filtering is only allowed either in the application themselves, or for a particular application - and only if it filters for "attack"/"non attack". Can the kernel be recompiled with the openwall or grsec security patches in place... patching that would limit/prevent buffer overflows? Recompiling the kernel is allowed. BUT: patches that would limit/prevent buffer overflows are not allowed. Remember that the exercise is about application layer security and not about creating an OS that works around insecure applications. Note however, that all kernel level measures that are active due to our configuration are considered OK.

Challenges in Informatics: Patching, Hacking and Exploiting - FAQ

Rules

the main rules can be found on this web page

FAQ and clarifications

Does the use of automated tools include software like nessus, nmap and hydra?
In a way: yes. But then you'll probably don't need them anyway (see point 3 below). In the rare opportunities where you might find them useful, you can apply them in your local network without any restrictions but you shoudln't use them extensively on other team's network. If you do, limit their bandwidth and aggresiveness so that you don't DoS other parties or the VPN-server (as it's the routing bottleneck).

A rule of thumb(!) is, that you may use them as long as you don't start more than 10 TCP/Connections per second and don't waste the VPN-server's bandwidth (bottleneck), i.e. try to use less than 1MBit/s for scanning and such. But again: you'll most probably don't need scanning because experience says that hacking into other team's workstations and routers is typically impossible unless you own an unpublished zero-day exploit. In addition, hacking into those machines doesn't get awarded with scores. Anyway, you're free to do that if you want to.
Is password cracking allowed?
Yes.
Will there be standard applications or custom for the competition?
Completly custom. That's why you probably don't need nessus and such anyway.
Will the source code be provided so that our programmer can apply patches as needed?
For most service there will be source code available. But it's possible that there will be minor number of challenges without source code.
Will it be ethically wrong to utilize google for this competition?
Not at all.
Can we attack the workstations of the other team's users? Can these machines be firewalled?
Workstations can be firewalled, that's no problem. You may also attack other team's workstations - but these actions are not scored ;-)
Can we do Layer 7 filtering (watching for buffer overflows for example) and then using the L7 NetFilter plugin to filter related attacks? Or do we have to do this without any sort of filtering on the server.
In contrast to former CTF events, we do not allow L7-Filtering any more.
In fact, any kind of filtering that is not done in the applications themselves is considered against the rules.
So, how about filtering at all? ANY kind of context based checks are against the rules - that goes also for any other information provided in IP, TCP, or if that matters, HTTP-headers.
Or more generally speaking: any filtering that tries to distinct between players and gameserver is against the rules, as are filters that work on OS- or network level. Filtering is only allowed either in the application themselves, or for a particular application - and only if it filters for "attack"/"non attack".
Can the kernel be recompiled with the openwall or grsec security patches in place... patching that would limit/prevent buffer overflows?
Recompiling the kernel is allowed. BUT: patches that would limit/prevent buffer overflows are not allowed. Remember that the exercise is about application layer security and not about creating an OS that works around insecure applications.
Note however, that all kernel level measures that are active due to our configuration are considered OK.