The objectives of the game is for teams (maximum of 3 participants per team) to gain as many points as possible by defending their servers, and attacking other teams servers. Teams will be given identical pre-configured vmware image of a Gentoo Linux installation. There will be custom services running on the server. This services contain vulnerabilities, such as buffer overflows, format string and so on. The teams objective is to analyze the services, find vulnerabilities and write exploits. As such, the following skills are needed:
- Reverse engineering
- Binary analysis
- Exploit writing
The ability to write a working exploit will enable the team to attack other servers, retrieving the flag associated with each service running on the server and thus scoring an offensive point. The ability to keep the services running will enable the teams to score a defensive point.
Offensive Points: Gained by hacking into other team’s server and retrieving their flags.
Defensive Points: Gained by keeping your server’s services running.
In order to score an offensive point, all that a team needs to do is hack into other team’s server, retrieve the flag, and submit it to the score server. In order to get defensive score, teams must keep their services running and accessible to the ScoreBot. The ScoreBot will periodically connect to the teams server and perform either two actions: set new flags on the services and/or retrieve flags from the services. Failure of the ScoreBot to complete either of these 2 actions when it connects will result in point deductions.
More points are given for offensive attacks as opposed to defensive score. Defensive scores are the same for all services, while offensive scores vary depending on the complexity level of the exploit needed to hack the service. During the course of the game, the score server will randomly set new flags on each teams services. This means that a service can have as many as 10 unique flags throughout the game - so if a particular team has an exploit against this service, they can get 10 times the points multiplied by the number of teams.
1.) Proj3ct 7ango (MALAYSIA)
2.) f.n0rd (MALAYSIA) - PULLED OUT
3.) Warning2JC (KOREA)
4.) PadoLoveDokdo (KOREA)
5.) e1ght (SINGAPORE)
6.) Blue Moon (VIETNAM)
7.) Bandwidth Killers (SINGAPORE)
8.) Metaspin (KOREA)
9.) ECHO (INDONESIA) - PULLED OUT
10.) MitDac (VIETNAM)
- No flooding and/or DoS attack. Players will be penalized by disqualification, points deduction or time penalty.
- No harassment of other opponents.
- All participants must obey PIT STOP calls. PIT STOP calls are rest intervals where all players must leave the game area to facilitate for the CtF judges to update the score, and/or do maintenance work etc.
Prizes - Sponsored by Sourcefire
1st Place - MYR3000
2nd Place - MYR2000
3rd Place - MYR1000
At all times, the decision of the CtF Organizing Team is final on any matter in question.
The CTF organizing team reserve the rights to release or not to release the source code of the services during the game.
The HITBSecConf organizing committe would like to give shoutouts, ninja greetz and ghetto loves to The Ghetto Hackers, who came out with the attack and defense concept for the CtF game. Much love also to the current organizers of Defcon’s CTF, kenshoto!