HC's Capture the Flag site
Camp 07 CTF

CCCamp '07 CTF preliminary rules

This is preliminary information and subject to change.

Preamble

The intention of this CTF is to learn about security vulnerabilities and how to constructively deal with them. Therefore, all teams must try to find and fix vulnerabilities in custom services while keeping them alive for as long as possible, as well as write advisories to inform others about potential software flaws and how to fix them. Teams may also try the exploits they find on other teams' machines and report flags they found that way, to prove they correctly understood the impact of the weaknesses they found. In addition to implementing and posting fixes, teams are encouraged to implement replacements for the hosted services from scratch and publish them for everyone to use.

Schedule

TBA

Flags

Flags are 32 byte values represented by their hexadecimal values. The following statement would match most flags:

 find . -type f -exec cat {} + | sed 's/\([0-9a-f]\{64\}\)/flag: \1/g'

A scoring bot distributes flags to services (for example, by sending an email using an SMTP service) and later collects them (in our example, by connecting to a POP service).

Note that flags may be split before they are stored; in this case you have to concatenate the parts before you report them. (These flags also wouldn't be matched successfully by the sed script shown above.)

Scoring

Each team can collect flags, defend flags and report advisories.

One defense point is awarded for each flag that was successfully stored and (at a later point) retrieved by the scorebot. We do not distinguish between complex/simple services. However, the distribution/collection interval may be smaller for more complex services.

One attack point is awarded for each successfully reported flag of another team. You may not report your own flags! However, the attempt is not punished. You do not have to run your own services in order to score attack points. Note, however, that a team concentrating on attack only will never be able to outscore teams that defend themselves and write advisories.

An arbitrary amount of points can be awarded for advisories. Advisories must contain exact source line specifications (service name, filename, line number) or they cannot be processed. This rule is necessary because the moderators (probably) have not written the reported services themselves and need a way to verify the validity of your advisory.

Furthermore, advisories should contain a general exploit description or (preferred) a functional exploit, as well as a patch.

Advisories are published immediately after their filing. Advisories not related to the CTF may be deleted without notice.

Coding is fun

Don Knuth was pissed by available typesetters, Linus Torvalds was pissed by minix, Dan Bernstein was pissed by sendmail's security. They all wrote their own code from scratch to solve the problems they saw.

If you think a service is poorly written, insecure by design, inflexible, inefficient or you just think you can do it better, feel free to do so. Services meeting the following criteria will be awarded one point in the hacking category.

All submitted services are made available for general download by other teams.

Note: If it later turns out that all or part of your code was not written by you, your team is immediately and permanently disqualified.

Ranking

Teams are ranked for each category. The team with the most points in a category is ranked 100 (top). Teams with no points in a category are ranked 0. All others lie in between.

Each team is awarded 0-100 score points. Each category weighs a quarter for the calculation of score points.

Teams are ranked from 1 to n where n is the number of teams. The more score points a team has, the higher it is ranked.

Duration

The CTF will last 12 hours.

Discouraged actions

This is an exercise with emphasis on application layer security. Any action outside that scope is discouraged. This includes, but is not limited to:

Note: DoS attacks of any kind are strictly forbidden and will lead to immediate team disqualification.

Extra tasks

Some extra tasks will be assigned to two or more teams. These tasks will not be related to the actual CTF or even IT security. The winning team will gain some advantage over the other CTF participants. Possible awards may be:

Only one extra task will definitely take place and is to take between 2 1/2 and 3 hours. More ideas are welcome!

Miscellaneous

Feedback

Feedback for these rules is welcome. Please send your feedback directly to "echo hcathcespererdotorg|sed 's/at/@/'|sed 's/dot/./'"


$Date: 2008-04-08 16:28:27 +0200 (Tue, 08 Apr 2008) $ (C) 2007, Hans-Christian Esperer.