Challenges in Informatics: Patching, Hacking and Exploiting - Cipher5
Last updated on 06.11.10 20:24
C.I.P.H.E.R. 5: Challenges in Informatics: Programming, Hosting and ExploRing. .
CIPHER is a Capture The Flag-style exercise in IT security for teams of students from universities. The task is to maintain a server running multiple services, while simultaneously trying to get unauthorized access to the other team's servers. Each successful penetration gains points, as well as keeping the own services up and functional during the course of the game.
The event is co-hosted by Lexi Pimenidis and the Special Interest Group SIDAR (Security - Intrusion Detection and Response) of the German Informatics Society (GI). Cipher 5 co-executes with the international Conference on Detection of Intrusions and Malware & Vulnerability Assessment DIMVA 2009 (July 9th -- 10th). Hardware, bandwidth and personal ressources have been gratiously donated by the Universita degli Studi di Milano. On-site participation of conference attendees is possible.
DescriptionThe exercise consists of multiple teams, each hosting a server that has multiple services running, like e.g. a webserver, a mail server, or customized services. The services contain typical security vulnerabilities that allow to compromise the server to a certain extend.
The goal is to maintain the services up, functional and uncompromised for the duration of the game. Additional scores can be gained by patching the vulnerabilities of the services and exploiting the knowledge of the found weaknesses at the other team's servers.
The focus of the exercise is on application layer security.
Registration and More Information
For more information send a mail to .
We will preliminary stop registration, if we have 30 teams. So if you consider participating, don't hesitate too long! Slots usually fill up quickly.
Also, we will only accept a single team from each affiliation - multiple teams will only get accepted, if there are less than 30 teams registered by the end of the official registration phase.
NEW If you are a single person, or if you just want to have a sniff of adventure and therefore join the contest without all the work of being an actual particpant: please check the section third party access on the bottom of this page!
To register your team, please fill in the following form:
The contest will consist of multiple teams, each hosting a server that has multiple services running, like e.g. a webserver, a mail server, or customized services. The services contain typical security vulnerabilities that allow to compromise the server to a certain extend.
We recommend to use two different host systems for routing and the vulnerable image due to robustness reasons. The router, i.e. a team's gateway, can be any kind of hardware - any machine with two network interfaces will do the job. Note that this machine should still be able to run at least one instance of openvpn. The host machine carrying the vulnerable image should have at least 1GHz and 512MB of RAM, more is preferred, and at least 1GB of RAM is recommended. If the virtual image will run on the gateway, the box should have at least 1.5GHz and 1GB RAM minimum. In addition to these two machines every player will need a terminal to access the services of their own server and the other teams' servers. Whatever the students can work with, will suffice here.
The vulnerable image will be for x86-architectures with 32bit.
As we did in CIPHER2, 3 and 4 we will add an additional server to the game which will serve the same services as the other servers. In contrast to the team servers, this one will not be maintained by players but serve as a mere target without an defending team.More details can be found here.
Differences to previous CTF Contests
This section contains some ideas that will likely differ from previous contests.
Third Party Access: We will allow a limited and registered set of interested individuals take part
in the contest as third parties. These will not get scored, neither will they host images, but only
be allowed access to the VPN in order to attack the hosts.
Virtualization: we will use Virtualbox instead of VMWare this year..
Random Subnet Assignment:The teams will be assigned random sub nets -- this should make a little bit more difficult to determine, which teams you are currently attacking.
Prizes:We're trying to organize a set of prizes for the winning teams. If you're a player, please send us suggestions for prizes, if you're a sponsor, send us cool gadgets ;)
The scoring system will get much simpler this time. Currently we're thinking along these lines:
Acknowledgements & GreetingsTo Danilo, Lorenzo, Tilo, Giovanni Vigna, HC, Chrissi, Angel, Spida, and a lot of others. (Mail me, if I forgot to put your name in here).