Challenges in Informatics: Patching, Hacking and Exploiting - Cipher2



Last updated on 06.11.10 20:24

C.I.P.H.E.R. 2: Challenges in Informatics: Programming, Hosting and ExploRing.

Co-arranged by GI SIG SIDAR and the Security and Privacy Research Group of the RWTH Aachen University.

The exercise took place during DIMVA 2006 on July 14th, 2006.


CIPHER is a Capture The Flag-style exercise in IT security for teams of students from universities. The task is to maintain a server running multiple services while simultaneously trying to get unauthorized access to the other teams' servers. Each successful penetration gains points, as does keeping one's own services up and functional during the course of the game.

The exercise is co-arranged by the Special Interest Group SIDAR (Security - Intrusion Detection and Response) of the German Informatics Society (GI) and the Security and Privacy Research Group of the RWTH Aachen. Technical organization and hosting are provided by the Security and Privacy Research Group and coordinated by Lexi Pimenidis. CIPHER 2 runs alongside the international Conference on Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA 2006 (July 13-14). On-site participation of conference attendees is planned, as well as a scoreboard in the lecture hall.

Description

The exercise consists of multiple teams, each hosting a server that runs multiple services, e.g. a webserver, a mail server, or customized services. The services contain typical security vulnerabilities that allow the server to be compromised to a certain extent.

The goal is to keep the services up, functional and uncompromised for the duration of the game. Additional points can be gained by patching the vulnerabilities of the services and by exploiting the knowledge of the weaknesses found on the other teams' servers.

The focus of the exercise is on application layer security.

Organisational Details

Note that the contest is over.
  • The exercise is scheduled for July 14th, 2006. It will start at 8am CEST and last until 4pm CEST (GMT+2, UTC+2).
  • Only complete teams of up to 5 students from a single university are allowed to sign up. The limit is hard and includes everybody actively participating in defense and offense.
  • Each team needs to have a contact person who does not actively take part in the exercise and is responsible for the team's ethical behaviour.
  • Each team needs to have a contact person who is responsible for technical matters, esp. the VPN connection and the machine setup. This person should answer emails within 8 to 10h or faster. Presence on IRC or an instant messenger is a plus.
  • Professionals should contact us before subscribing. Please note that we will reserve the majority of slots for university teams. If room remains, any group can apply for the remaining slots.
  • These teams have already expressed their interest in the contest:
    Affiliation | Note
    Ruhr University Bochum, Germany | confirmed, 2 teams, university slot
    RWTH Aachen, Germany | confirmed, 2 teams, university slot
    nCircle Canada | 1 team, corporation slot
    Technical University of Darmstadt, Germany | confirmed, 2 teams, university slot
    Katholieke Universiteit Leuven | confirmed, 1 team, university slot
    University of Berlin | confirmed, 1 team, university slot
    University of Cologne | confirmed, 1 team
    University of La Plata, Argentina | confirmed, 1 team, university slot
    University of South Florida | confirmed, 1 team, university slot
    BUSLab, Brno, Czech Republic | confirmed, 1 team, university slot
    Politecnico di Milano, Italy | confirmed, 1 team, university slot
    University of Hamburg, Germany | confirmed, 1 team, university slot
    Naval Postgraduate School, Monterey | confirmed, 1 team, university slot
    Niederrhein University of Applied Sciences, Krefeld, Germany | confirmed, 1 team, university slot
    Universita degli Studi di Milano | confirmed, 1 team, university slot
    University of Regensburg | confirmed, 1 team, university slot
    University of Jos, Nigeria |
    University of Nebraska at Omaha, USA |
  • The timeline of the event is as follows:
    Date and Time | Event
    as early as possible | each team sets up its VPN and the test image according to the instructions
    7/13, 20:00 CEST | distribution of the encrypted VMWare image
    7/14, 08:00 CEST | all teams should have their VPNs running to check pairwise connectivity (please don't block pings!)
    7/14, 09:00 CEST | the key to the encrypted image is published in the IRC and by e-mail. The game starts :-)
    7/14, 10:00 CEST | the score bot starts checking for services
    7/14, 16:00 CEST | the exercise is over, declaration of the winning team

Technical Details

The contest will consist of multiple teams, each hosting a server that runs multiple services, e.g. a webserver, a mail server, or customized services. The services contain typical security vulnerabilities that allow the server to be compromised to a certain extent.

For robustness, we recommend using two different host systems, one for routing and one for the vulnerable image. The router, i.e. a team's gateway, can be any kind of hardware; any machine with two network interfaces will do the job. Note that this machine should still be able to run at least one instance of openvpn. The host machine carrying the vulnerable image should have at least 1GHz and 512MB of RAM; more is preferred, and at least 1GB of RAM is recommended. If the VMWare image runs on the gateway, the box should have at least 1.5GHz and 1GB of RAM. In addition to these two machines, every player will need a terminal to access the services of their own server and the other teams' servers. Whatever the students can work with will suffice here.

For local participation only (at the conference): there's internet access with enough bandwidth, tables and seats. You'll have to bring with you: a LAN-switch, network cables, power cords and computers as described above.

The VMWare image will be for the 32-bit x86 architecture.

For CIPHER2 we plan to add an additional server to the game which will run the same services as the other servers. In contrast to the team servers, this one will not be maintained by players but will serve as a target without a defending team.

More details can be found here.

Acknowledgements & Greetings

To Giovanni Vigna, Ulrich Flegel, Spida, Chrissi, Raoul König and a lot of others. (Mail me if I forgot to put your name in here.)
