DefCon CTF 2007 Overview
Kenshoto handed out small flyers to explain the game to people wandering
through the CTF area at DefCon. It said...
WarGamez
Capture the Flag 2K7
Dr Kenneth Shoto proudly presents the ultimate in cyber-ninja warfare,
WarGamez: Capture the Flag (dubbed CtF by those having been to
Fedcon, er... Defcon before). Each brave team is assigned
a server of their own to defend (and a color so we can tell 'em apart).
Each server is chock-full o' custom services riddled with vulns ranging
from skr1p+ k1dd33 to ub3r h4x0r (courtesy of your friendly neighborhood
Kenshoto code gnomes, of course). The goal is to score the most points
by exploiting vulns on other teams' servers. Points? What you say!?!?
Steal -- Breaking into a service and getting read access to a secret token.
Submit your steal for a point.
Overwrite -- Breaking in with write access and overwriting the target's
key with yours. Each overwrite will trigger a point.
Breakthru -- First team to exploit a new vuln gets a mad bonus
(auto-scored and scaled for difficulty). Later teams get points, but the
value drops exponentially.
SLA -- Percentage of time that your services have been up (we have a
polling monkey that checks every few minutes). This scales your final score.
Penalties -- Seriously? You're reading the definition for 'penalty'?!?!
While you're at it: there is no Santa Clause.
There are so many more aspects to the game than what's here, so stop on by
and check it out (caveat lector: ask permission before you hover over a team
too intensely or you may wind up in a kung-fu death grip). So let's review...
The goal IS NOT to:
- Create secure enterprise SOA data architectures suitable for Web 2.0
paradigms
- Audit compensating controls relevant to risk-averse business verticals
- Demo your company's latest, greatest, whizz-bang snake oil
The goal IS to:
- Conjure aethereal machine-code into laser-guided bombs
- Unleash the blackhat within and actually break into something
- Pwn. 'Nuff said.
Each team has a color-coded table. The tables are set up in a "U" shape,
with the open end facing the wall. The organizers, Kenshoto, are at the
center of the room at their circular black table, and have run cables to
each of the teams' tables.
One RJ45 cable goes to the uplink switch port, and the second is the link to
the server you must defend. This year, we've been given the option to firewall
our servers.
The network was 10.0.TEAM.0/24. For example, team 3 is on 10.0.3.0/24,
with a default route of 10.0.3.254.
Each team is given access to their "team server" (on the network as
10.0.TEAM.1) and the "root" password.
Many vulnerable services are running here, and it is the center of the contest.
Traffic is all random source NAT'd, so it isn't possible to distinguish traffic
sources to tell a rival team's attack apart from a Kenshoto service poll.
On each server are a large number of services (web applications, network
services of unknown function, console applications, etc). Each server's
services are nearly identical to each other, so if a team can understand
what their own server is doing, they have an insight into what the other
teams' servers are doing.
For example, a service might be a web application where you can order software,
the "finger" daemon, or a console-based "mail" tool.
Within each service is a "token". It can be one of three possible kinds
of tokens: "public", "private", or "overwrite".
- A "public" token is one that is "normally" visible. It's not special
if you can see it, but if you can compromise the service, it can be
overwritten.
- A "private" token is one that is not normally visible. If you can
compromise the service in some way, you can read a private token.
Additionally, some private tokens can also be overwritten.
- An "overwrite" token is team-specific and is used to overwrite the
contents of another team's service's token.
This year, tokens were a long string of alphanumeric characters (base64 encoding).
Each team is given a different "team token" to use for overwrites.
To keep the teams from just turning off their server and declaring
themselves immune to attack, Kenshoto polls each of the teams' services,
and keeps a running record of each team's "Service Level" (SL). This is
the percentage of "successful polls" out of "total polls". The idea is
that as a team works to patch their vulnerable services, if they
accidentally make a service non-functional, their SL will drop.
Also, outside attackers may accidentally disrupt a service while trying
to gain access to it.
By default, each of the servers pass all Kenshoto service polls, so at
the start of the contest, every team has a 100% SL.
During each Kenshoto scoring phase, Kenshoto also updates all the "private"
tokens with new token values. As the contest goes forward, a team can repeatedly
steal tokens from vulnerable services, getting more and more unique tokens.
The contest is scored based on "Breakthroughs", "Steals", "Overwrites", and
"Service Level". ("Penalties" can also be levied for breaking rules,
etc.)
To earn a "Breakthrough", a team must be one of the first to earn a point
from exploiting a service that other teams haven't exploited yet.
To earn a "Steal", a team must exploit a vulnerable service and record a
private token. To prove that they saw a private token, the team must
submit the token to Kenshoto for scoring.
To earn an "Overwrite", a team must exploit a vulnerable service and overwrite the
service's token with the "team overwrite token". Kenshoto monitors token locations
and automatically notices when a service token has been overwritten by a
rival team (and also restores the token to its original state so other teams
can continue stealing from that service).
If a team does something against the contest rules (like performing any kind
of intentional Denial of Service), Kenshoto "fines" them with Penalty points.
Total score is ( SUM(BT values) + Steals + Overwrites ) * SL - Penalties.
The tricky issue with scoring is that Breakthrough values are not public.
Each service has an associated Breakthrough value, depending on how hard
Kenshoto thinks it is to find and exploit a given service. For example,
finding how to exploit a network service that accidentally runs commands
following a ';' is going to have a small Breakthrough value. Finding how to
exploit a flaw in a network protocol specifically designed to be obfuscated
is going to be worth a great deal more.
To submit a Breakthrough, the team has to log into the Kenshoto scoring
website (written in Shockwave), enter their tokens into the form, and just
click "submit". They get feedback on how many were accepted and how many
were rejected (e.g. public tokens aren't worth any points).
The contest is intended to be about measuring hacking skill.
To make sure things stay on course, Kenshoto makes several rules clear:
- No intentional denial of service (electronic, physical, psychological, anything). If someone breaks a service in the process of trying to gain access to it, that's not considered intentional. (Though Kenshoto has designed the services to be resilient, so this is uncommon.)
- Unlimited team size, but only 8 people at a time are allowed at a given team's table (the fire marshal will shut down CTF if it gets crowded). This count includes groupies and visitors. (This year, the limit was raised to 10 on Saturday, and unlimited on Sunday.)