HC's Capture the Flag site
Capture the Flag at Easterhegg 2008

EasterHegg 2008 CTF rules

Preamble

The intention of this CTF is to learn about security vulnerabilities and how to constructively deal with them. Therefore, all teams must try to find and fix vulnerabilities in custom services while keeping them alive for as long if possible, as well as write advisories to inform others about potential software flaws and how to fix them. Teams may also try the exploits they find on other teams' machines and report flags they found that way, to prove they correctly understood the impact of the weaknesses they found. In addition to implementing and posting fixes, teams are encouraged to implement replacements for the hosted services from scratch and publish them for everyone to use.

Schedule

TBA

Scoring

Each team can collect flags, defend flags and report advisories.

One defense point is awarded for each flag that was successfully stored and (at a later point) retrieved by the scorebot. We do not distinguish between complex/simple services. However, the distribution/collection interval may be smaller for more complex services.

One attack point is awarded for each successfully reported flag of another team. You may not report your own flags! However, the attempt is not punished. You do not have to run your own services in order to score attack points. Note, however, that a team concentrating on attack only will never be able to outscore teams that defend themselves and write advisories.

An arbitrary amount of points can be awarded for advisories. Advisories must contain exact source line specifications (service name, filename, line number) or they cannot be processed. This rule is necessary because the moderators (probably) have not written the reported services themselves and need a way to verify the validity of your advisory.

Furthermore, advisories should contain a general expolit description or (preferred) a functional exploit, as well as a patch.

Advisories are published immediately after their filing. Advisories not related to the CTF may be deleted without notice.

Ranking

Teams are ranked for each category. The team with the most points in a category is ranked 100 (top). Teams with no points in a category are ranked 0. All others lie in between.

Each team is awarded 0-100 score points. Each category weighs a quarter for the calculation of score points.

Teams are ranked from 1 to n where n is the number of teams. The more score points a team has, the higher is it ranked.

Duration

The CTF will last 4 hours, with one half hour interruption.

Discouraged actions

This is an exercise with emphasis on application layer security. Any action outside that scope is discouraged. This includes, but is not limited to:

Packet sniffing
arp cache poisoning
IP/MAC address based packet filtering
Usage of system layer attack prevention tools (unless, of course, you or your team hacked a kernel module from scratch, which is explicitely allowed ;-)
Destructive behavior on other teams' computers (including, but not limited to: data relaying, deletion of files, changing the routing tables, spying private data)

Note: DoS attacks of any kind are strictly forbidden and will lead to immediate team disqualification.

Extra tasks

No extra tasks will be avaiblable this time.

Miscellaneous

Vulnerabilities can occur anywhere at the application-layer (timing attacks, buffer overflows, logical errors, race conditions,...)
Services marked as broken do not get you points
Flags can be reported once only
Flags expire after some time