From 25C3 Public Wiki

We're organizing a Capture the Flag contest at 25c3. It will be an international event; we will have both local and remote teams.


News

Jan 2nd 2008: More information is available.

Dec 31st 2008: We will publish more information and statistics in a few days. The vulnimage and testscripts as well.

Nov 16th 2008: VPN certificates have been mailed to the first seven teams. If you didn't receive a certificate, check your spam folder. If you can't find it there, complain on the CTF mailing list!

General Information

What is a CTF and how does it work?

A Capture The Flag contest is a practical IT-security contest. Teams compete against each other, trying to crack into the other teams' machines while securing their own. When we say machines, we do not mean the computers of the team members, but specially crafted ones, usually hosted in a virtual machine on one of the teams' machines, using virtualization technologies such as VMware, VirtualBox or QEMU/KVM. The virtual machine image is called the vulnerable image, or vulnimage for short. The virtual machine running that image is called the vulnbox. The CTF organizers prepare a vulnimage in advance of the CTF. For that purpose, internet services such as a webserver, an IRC server or an FTP server are written from scratch by the organizers. Then, they add vulnerabilities of all sorts to these services. They are installed on the image, making it vulnerable ;-)

Once all teams have received the vulnimage and set it up, the CTF contest starts. A gameserver regularly checks all vulnimages for their services and awards defensive points to teams depending on how many services they have running. In addition to that, the gameserver distributes confidential data fragments to the services, called flags in CTF jargon. If a team hacks into another team's vulnbox and gains access to some of its flags, it can report them to the gameserver, receiving offensive points in return.

Perhaps the most fun part of a CTF is the advisories that can be written and published by the teams. The organizers read and rate the advisories, awarding the reporting teams advisory points; the better the advisory, the more points. Advisories are standardized texts describing a vulnerability in detail and proposing workarounds and/or fixes. During a CTF, reported advisories are made available to all teams, allowing them to fix bugs and vulnerabilities other teams have found.

Local teams

Local teams simply need a switch, a long (25 meters) network cable to connect to the CTF network, and a computer per team member; we will host the vulnerable image for you. Also, for local teams, no registration is required. Just come by a couple of hours before the CTF starts and tell us you want to participate. The CTF will take place on Dec 29th 2008 (3rd conference day) at 6PM CET. CTF image keys will be released one hour earlier. Encrypted images will be distributed via CD/DVD at the congress area. We will also have unencrypted image DVDs available; those will be distributed just before the CTF starts.

Even though registration is not required for local teams, you may want to familiarize yourself with

- the flag submission interface,
- the advisory reporting tool.

If you are not familiar with these things once the CTF has started, it will be harder for your team to win. Of course, you can still participate just for fun!

There's a Python flag submission script which can be used as a Python module or from the command line. The command-line version locally filters already reported flags using sqlite.

Note: while local teams are not required to register, we do have a limited number of slots for local teams (10). We are able to host the vulnimages for 4 teams. First come, first served. So please add your team to the List of local teams if you already know you want to play at the CTF as a local team.

In any case, please check with the CTF team no later than 4PM on Dec 29th 2008 if you want to play. You'll need to know your team name at that time.

Remote teams

If you do not have the chance to come to Berlin this year but still want to fight in the CTF: no problem! We will set up a VPN network allowing you and your team to participate remotely. All you have to do is register. Also, you will need two dedicated machines:

- One acting as routing gateway. The job of this machine is to connect your team to a) the internet and b) the CTF network.
- The other dedicated machine hosts the vulnerable image. The vulnerable image is a disk image containing an operating system that can be run with vmware or qemu. We prepare an operating system together with internet services and distribute it to all participating teams.

More information is sent to you via email when you register as a remote team.

CTF VPN

Remote teams connect to the CTF VPN to participate. Individual certificates are periodically sent out to registered teams. The general configuration files are required by all teams. There's a neat image of a VPN-only CTF network layout. Ours will be more complex this time, as we have local teams as well, but the subnet stuff on the image still applies.

Scorebot commands

To report a flag, use this command:

 reportflag(TEAMID, "FLAG")

Possible responses are:

-Sorry, you do not have that service running yourself, or your version of the service is broken.
-This flag is not valid anymore!
-Team ID [0-9]+ invalid!
-Flag "[A-Za-z0-9]{64}" does not exist!
-Flag "null" does not exist   <-- this happens when you didn't enclose your flag in quotation marks.
-You successfully reported a flag for service [A-Za-z 0-9]+ from team [A-Za-z0-9 ]+. You now have [0-9]+ offensive points.
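
The response list above and the sqlite-based filtering mentioned for the command-line submission script can be combined into a small client-side helper. The following is an added example, not the 25C3 submission script: the names build_command, classify and FlagCache are hypothetical, the 64-character flag format is inferred from the "does not exist" response pattern, and how the command is sent to the scorebot is left out because the page does not describe it.

```python
import re
import sqlite3

# Patterns taken from the scorebot response list on this page.
RESPONSES = [
    ("accepted", re.compile(r"You successfully reported a flag for service "
                            r"([A-Za-z 0-9]+) from team ([A-Za-z0-9 ]+)\. "
                            r"You now have ([0-9]+) offensive points\.")),
    ("expired", re.compile(r"This flag is not valid anymore!")),
    ("service_down", re.compile(r"Sorry, you do not have that service running")),
    ("bad_team", re.compile(r"Team ID [0-9]+ invalid!")),
    ("unquoted", re.compile(r'Flag "null" does not exist')),
    ("unknown_flag", re.compile(r'Flag "[A-Za-z0-9]{64}" does not exist!')),
]
FLAG_RE = re.compile(r"[A-Za-z0-9]{64}")  # assumption: inferred from the response text
# Only these outcomes are final; the others point to something on our side to fix.
FINAL = {"accepted", "expired", "unknown_flag"}

def build_command(team_id, flag):
    """Format the scorebot command; the quotes avoid the 'Flag "null"' reply."""
    if not FLAG_RE.fullmatch(flag):
        raise ValueError("not a 64-character alphanumeric flag")
    return 'reportflag(%d, "%s")' % (int(team_id), flag)

def classify(response):
    """Map a scorebot response line to a short outcome name."""
    for name, pattern in RESPONSES:
        if pattern.search(response):
            return name
    return "unrecognized"

class FlagCache:
    """Local sqlite filter so that finished flags are not reported again."""
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS reported "
                        "(flag TEXT PRIMARY KEY, outcome TEXT)")

    def seen(self, flag):
        row = self.db.execute("SELECT 1 FROM reported WHERE flag = ?", (flag,))
        return row.fetchone() is not None

    def record(self, flag, response):
        outcome = classify(response)
        if outcome in FINAL:  # keep retryable outcomes out of the cache
            self.db.execute("INSERT OR IGNORE INTO reported VALUES (?, ?)",
                            (flag, outcome))
            self.db.commit()
        return outcome
```

A "service_down" reply is deliberately not cached: once your own copy of the service is running again, the same flag can be submitted again as long as it is still valid.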

To report an advisory, use the advisory reporting script. Using this script, you can write advisories with your favorite text editor. (Set the EDITOR environment variable accordingly.) This script requires Python 2.5.

You may test your flag reporting scripts and the advisory reporting script with the scorebot by using the test installation at There's also a status page where you can see the VPN connection status and reported advisories.

Contact us!

Mail: You may subscribe to the CTF discussion list, an unmoderated public mailing list about the 25C3-CTF. If you've got any questions about the CTF, ask on that ML!

IRC: Join our irc channel #25c3-ctf in hackint; use the server to connect to the network.