Challenges in Informatics: Patching, Hacking and Exploiting - HowToPlay
How To Play CTF-style hacking challenges
High Level Description
The exercise consists of multiple teams, each hosting a server that has multiple services running, like e.g. a webserver, a mail server, or customized services. The services contain typical security vulnerabilities that allow to compromise the server to a certain extend.The goal is to maintain the services up, functional and uncompromised for the duration of the game. Additional scores can be gained by patching the vulnerabilities of the services and exploiting the knowledge of the found weaknesses at the other team's servers.
The focus of the exercise is typically on application layer security.
How To Play
If a team decides to participate in a CTF, it should first check whether it can assemble enough hardware, a room, a fast Internet line and cool beverages.
Before the contest each team setups up and tests their VPN-connection and VMWare. Some days before the start of the contest, the final image will be released to the teams for download in an encrypted form.
At the beginning of the exercise, the key to the encrypted VMWare-image is released and the teams have typically 60mins to decrypt the image and configure it according to their subnet configuration. If time remains, the teams are already allowed to look for weaknesses.
The central gameserver will check the services for functionality by leaving small pieces of secret information (flags) and trying to retrieve them later on. Teams get score for providing functional services wihtout downtime.
In the course of the game, the teams are expected to analyze the services running on their own server. Vulnerabilities should be fixed and analyszed. If a team managed to write an exploit for a servcie, it should try to gain access to other teams' servers.
Once a team has (limited?) access on other teams' servers it is allowed to collect the other teams' flags and submit them to the gameserver. Each submitted flag gains the submitting team additional scores, while the team which lost a flag will loose scores.
At the end of the game, the gameserver will calculate the final standings and a winner is declared.
Submitting Flags
It is left to the players, to find out which of the services on the vulnerable image receive flags, where they are stored and how they are encoded. Since each team has administrative privileges on their own server, this will be the easy part.
Once a team has captured flags from another team, it should submit the flags as soon as possible to a central submit server. This is because flags are valid for scoring only for a limited amount of time.
CIPHER CTFs use a dedicated piece of software with a simple human readable protocol for submitting flags. Each team is assigned a number to identify itself to the submit server. Using this number, a team connects with telnet, netcat or similar methods to a host/TCP-port announced prior to the start of the game. The submit server welcomes the team with a banner and expects the numerical ID of the submitting team. Then the team can submit the flags, one per line and terminate the connection with the string quit.
This is an example session, how such a connection would look like:
(it also shows two examples of typical flags)
< Please identify your team with its numerical team-number > 2 < Welcome 'team 2'. Enter one flag per line, or QUIT when finished > 12533a26f625cd7f903eab8e100c4988 < Congratulations, you captured a flag! > ac9172a11ebde0c64b6661d7fb74162a < Congratulations, you captured a flag! > 12533a26f625cd7f903eab8e100c4988 < Sorry, you already submitted this flag > quit
A full list of answers to submitted flags and their descriptive meaning:
| Line | Description |
|---|---|
| Sorry, don't recognize your team | The server doesn't recognize your numerical team-ID. Please check back to the game master. |
| Sorry, is this a flag? | The string submitted as a flag does not match the regular expression for valid flags. Check length of string. |
| Sorry, timeout | You're too slow with your input. Usually you have 5 seconds per line to send input to the server. |
| Sorry, game not started | You shouldn't have any flags at that point in time anyway. |
| Sorry, game over | Game is over. You can't submit any more flags. |
| Sorry, flag not in database | Although the input looks like flag, the gameserver did not use this value as a flag for some team. |
| Sorry, flag is your own | This is one of the flags submitted to your own team's server (you should definitely start thinking, if you got this one from another team's server) |
| Sorry, flag expired | This flag is too old. No scores for this one, sorry! |
| Sorry, internal error #1 | Should never happen ;-) |
| Sorry, your team does not have the corresponding service up | If this message appears, the game is configured to only accept flags as captured, if your own team has this service marked as 'up'. |
| Sorry, you already submitted this flag | You or someone else with your team id already submitted this flag. |
| Congratulations, you captured a flag! | :-) |
Additional remarks: You can help save ressources by
- pooling/batching flag submissions.
- avoid submitting flags that are too old
- avoid submitting flags twice
- avoid submitting garbage/random data or flags within their context
