DefCon CTF 2008 Overview
2008 CTF was nearly identical to
CTF 2007.
Each team has a color-coded table. The
tables are set up in a "U" shape, with the open end facing the wall. The
organizers, Kenshoto, are at the center of the room at their circular black
table, and have run cables to each of the teams' tables.
One RJ45 cable is the uplink switch port, and the second is the link to the
server you must defend. As done last year, we've been given the option to firewall
our servers.
The network was 10.0.TEAM.0/24. For example, team 3 is on 10.0.3.0/24,
with a default route of 10.0.3.254.
Each team is given access to their "team server" (on the network as
10.0.TEAM.1) and the "root" password.
Many vulnerable services are running here, and it is the center of the contest.
All traffic is source-NAT'd to random addresses, so it isn't possible to tell
a rival team's attack apart from a Kenshoto service poll by its source.
On each server are a large number of services (web applications, network
services of unknown function, console applications, etc). Each server's
services are nearly identical to each other, so if a team can understand
what their own server is doing, they have an insight into what the other
teams' servers are doing.
For example, services might be a web application where you can order software,
the "finger" daemon, or a console-based "mail" tool.
Within each service is a "token". It can be one of three possible kinds
of tokens: "public", "private", or "overwrite".
- A "public" token is one that is "normally" visible. It's not special
if you can see it, but if you can compromise the service, it can be
overwritten.
- A "private" token is one that is not normally visible. If you can
compromise the service in some way, you can read a private token.
Additionally, some private tokens can also be overwritten.
- An "overwrite" token is team-specific and is used to overwrite the
contents of another team's service's token.
This year, tokens were a long string of alphanumeric characters (base64 encoding).
Each team is given a different "team token" to use for overwrites.
To keep the teams from just turning off their server and declaring
themselves immune to attack, Kenshoto polls each of the teams' services,
and keeps a running record of each team's "Service Level" (SL). This is
the percentage of "successful polls" out of "total polls". The idea is
that as a team works to patch their vulnerable services, any change that
accidentally makes a service non-functional will drop their SL.
Outside attackers may also accidentally disrupt a service while trying
to gain access to it.
By default, each of the servers pass all Kenshoto service polls, so at
the start of the contest, every team has a 100% SL.
During each Kenshoto scoring phase, Kenshoto also updates all the
"private" tokens with new token values. As the contest goes forward,
a team can repeatedly steal tokens from vulnerable services, getting
more and more unique tokens. A token file's content (the "private"
token value for that team, service, and token refresh cycle) is retained
even after an overwrite: Kenshoto uses a custom kernel patch to notice
overwrites and restore the private token value. This is done so that there
isn't a race to read a token before another team overwrites it
with their team "overwrite" token value.
The contest is scored based on "Breakthroughs", "Steals", "Overwrites", and
"Service Level". ("Penalties" can also be levied for breaking rules,
etc.)
To earn a "Breakthrough", a team must be one of the first to earn a point
from exploiting a service that other teams haven't exploited yet.
To earn a "Steal", a team must exploit a vulnerable service and record a
private token. To prove that they saw a private token, the team must
submit the token to Kenshoto for scoring.
To earn an "Overwrite", a team must exploit a vulnerable service and overwrite the
service's token with the "team overwrite token". Kenshoto is monitoring token locations
and automatically notices when a service token has been overwritten by a
rival team (and also restores the token to its original state so other teams
can continue stealing from that service).
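The overwrite detection and restore step described here and in the "private token" section above, as an added simulation that is not Kenshoto's code: it assumes token files live under a per-service directory, that the scorer knows every team's overwrite token, and it runs in user space rather than as the kernel patch the page mentions. All token values are constructed stand-ins.

```python
"""Simulated token monitor for the token mechanics described above (added example).

Assumptions (not from the page): token files live at <root>/<service>/token,
the scorer knows each team's overwrite token, and the check runs in user
space; the real Kenshoto mechanism was a custom kernel patch.
"""
from pathlib import Path
import tempfile

# Constructed sample values. Real tokens were long base64 strings; these are
# short base64 stand-ins with no relation to the actual contest.
PRIVATE_TOKENS = {"finger": "cHJpdmF0ZS1maW5nZXI=", "mail": "cHJpdmF0ZS1tYWls"}
TEAM_OVERWRITE_TOKENS = {3: "dGVhbS0zLW92ZXJ3cml0ZQ==", 7: "dGVhbS03LW92ZXJ3cml0ZQ=="}


def check_and_restore(token_path: Path, expected: str, team_tokens: dict):
    """Compare the on-disk token with the expected private value.

    Returns None when the token is intact, the attacking team id when it was
    replaced with a known team overwrite token, or -1 when it was clobbered
    with something that matches no team. On any mismatch the original value
    is written back so other teams can keep stealing from the service.
    """
    current = token_path.read_text().strip()
    if current == expected:
        return None
    team_by_token = {tok: team for team, tok in team_tokens.items()}
    attacker = team_by_token.get(current, -1)
    token_path.write_text(expected + "\n")  # restore, as the kernel patch would
    return attacker


def scan_services(root: Path, private: dict, team_tokens: dict) -> dict:
    """One scoring-phase pass over every service's token file.
    Returns {service: attacking_team} for the services found overwritten."""
    hits = {}
    for service, expected in private.items():
        result = check_and_restore(root / service / "token", expected, team_tokens)
        if result is not None:
            hits[service] = result
    return hits


def demo() -> dict:
    """Build a scratch token tree, let team 7 overwrite 'mail', then scan.
    Returns the detections and whether the overwritten token was restored."""
    root = Path(tempfile.mkdtemp())
    for service, tok in PRIVATE_TOKENS.items():
        (root / service).mkdir()
        (root / service / "token").write_text(tok + "\n")
    (root / "mail" / "token").write_text(TEAM_OVERWRITE_TOKENS[7] + "\n")
    hits = scan_services(root, PRIVATE_TOKENS, TEAM_OVERWRITE_TOKENS)
    restored = (root / "mail" / "token").read_text().strip() == PRIVATE_TOKENS["mail"]
    return {"hits": hits, "restored": restored}
```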
If a team does something against the contest rules (like performing any kind
of intentional Denial of Service), Kenshoto "fines" them with Penalty points.
Total score is ( SUM(BT values) + Steals + Overwrites ) * SL - Penalties.
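The SL computation and the score formula above, carried through as an added model (not the organizers' scoring code). Service names, Breakthrough values, counts and the outage pattern are constructed; real Breakthrough values were hidden from the teams.

```python
"""Scoring model for the rules above (added example, not Kenshoto's scorer).
Breakthrough values and all counts below are constructed stand-ins."""


def service_level(poll_results):
    """poll_results: list of (service, passed) for every poll of one team.
    SL is successful polls over total polls; 1.0 means 100%."""
    if not poll_results:
        return 1.0
    return sum(1 for _, ok in poll_results if ok) / len(poll_results)


def total_score(bt_values, steals, overwrites, sl, penalties=0):
    """( SUM(BT values) + Steals + Overwrites ) * SL - Penalties"""
    return (sum(bt_values) + steals + overwrites) * sl - penalties


def simulate(services, cycles, outage, bt_values, steals, overwrites, penalties=0):
    """Poll every service once per scoring cycle.

    outage maps a service to the set of cycle indexes in which its poll fails
    (for example, a botched patch that took the service down). Every other
    poll passes. Returns (sl, score) so the multiplicative cost of an outage
    on the whole score, not just that one service, can be seen.
    """
    polls = [(svc, cycle not in outage.get(svc, set()))
             for cycle in range(cycles) for svc in services]
    sl = service_level(polls)
    return sl, total_score(bt_values, steals, overwrites, sl, penalties)


# Constructed scenario: four services, ten cycles, "mail" broken for five
# of them while being patched; two Breakthroughs worth 10 and 50, 20 steals,
# 12 overwrites and a 3-point penalty.
SERVICES = ["web", "finger", "mail", "ssh"]
EXAMPLE = dict(services=SERVICES, cycles=10, outage={"mail": {4, 5, 6, 7, 8}},
               bt_values=[10, 50], steals=20, overwrites=12, penalties=3)
```

Comparing simulate(**EXAMPLE) with the same scenario and an empty outage shows how a single broken service scales down every point category at once.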
The tricky issue with scoring is that Breakthrough points are not public.
Each service has an associated
Breakthrough value, depending on how hard Kenshoto thinks it is to find and exploit
a given service. For example, finding how to exploit a network service that
accidentally runs commands following a ';' is going to have a small Breakthrough
value. Finding how to exploit a flaw in a network protocol specifically designed
to be obfuscated is going to be worth a great deal more.
To submit a Breakthrough, the team has to log into the Kenshoto scoring
website (written in Shockwave), enter their tokens into the form, and just
click "submit". They get feedback on how many were accepted and how many
were rejected (e.g. public tokens aren't worth any points).
The contest is intended to be about measuring hacking skill.
To make sure things stay on course, Kenshoto makes several rules clear:
- No intentional denial of service (electronic, physical, psychological, anything). If someone breaks a service in the process of trying to gain access to it, that's not considered intentional. (Though Kenshoto has designed the services to be resilient, so this is uncommon.)
- Unlimited team size, but only 10 people at a time are allowed at a given team's table (fire marshal will shut down CTF if it gets crowded). This count includes groupies and visitors. (The limit was lifted on Sunday.)