HackEire 2009 - Capture the Flag Competition 

As part of the 2009 IRISS Conference on Cybercrime we will be hosting Ireland's first Cyber Security Challenge, HackEire, to identify Ireland's top cyber security experts. HackEire will see 10 teams, up to a maximum of four people per team, compete against each other in a controlled environment to see which team will be the first to exploit weaknesses in a number of systems and declare victory. The purpose of the HackEire competition is to demonstrate how attackers could gain access to your systems and to allow you to learn from the event how to prevent such attacks from impacting your network.

Competition Details

The ‘Bhratach’ company has an interactive web presence on the Internet. This presence is hosted within the company and is connected to the company's internal corporate LAN. There are a number of servers located within the external DMZ and they connect to additional servers via the DMZ back to the LAN. The system hosts various pieces of commercial and potentially sensitive data throughout the infrastructure.

The ‘Bhratach’ organisation requires a penetration test of their network. The test will be done on a black-box basis, i.e. you will not be provided with advance information on the target systems such as operating system, IP addresses or a network diagram.

There will be four servers, each running various services, for example a web server, a mail server or customised services. The services contain publicly known security vulnerabilities that enable the server to be compromised. Each of the servers will have a "flag" that must be collected. These flags will be in the form of a keyring pair. Additionally, the “final flag” is located on one of the four target servers. This final flag is in the form of a file which has been encrypted four times and is located in one of the temporary directories on one of the servers. This file contains Personally Identifiable Information (PII) and its name begins with ‘pii’.

The goal of the competition is to be the first team to find the file, decrypt it and, from the contents of the file, obtain the list of names and corresponding ID numbers.

The winner will be the team or individual with the highest points. If there is a draw, the winner will be the team that has successfully decrypted the PII file, and if both teams have achieved that objective the winner will be the team that achieved it first. Please announce the successful capture of each flag to an IRISS handler so that it can be recorded.

The winning team will be the team that can capture all of the flags and provide the best description of how access to each server was gained and ultimately how each flag was captured. 

Entry

If you would like to compete please email info@iriss.ie. Entry is free of charge. There will be a maximum of 10 teams consisting of up to 4 members per team. If you do not have a team of four people you can enter as an individual, or IRISS will try to place you on another team. Places for the competition will be allocated on a first-come, first-served basis with preference given to IRISS members.

Event Schedule 

  • The exercise is scheduled for Thursday, November 19th, 2009. It will start at 13:00 and last until 18:00 – followed by a wash-up and prize winner presentation.

  • The exercise is open to both individuals and teams (up to a max of 4).

  • It is recommended that competitors document their progress throughout, as a short technical presentation will be required to claim the prize.

  • All competitors should register for the competition by contacting IRISS directly.

  • The time-line of the event is as follows:

Time                      Description
12:00                     Each competitor receives brief instructions
12:05                     Access for competitors to test network connection
12:30                     IRISS team explain the scenario & answer any outstanding questions
13:00                     CTF starts
13:00                     IRISS staff on hand for support and tech issues
13:00-17:00 on the hour   Hourly server reboots (VM images)
Every 15-30 minutes       Regular updates by MC
18:00                     Exercise is over
18:15                     Declaration of winners & presentation
18:30                     Presentations by IRISS & winners

Scoring

The scoring for the challenge will be based on the following:

  1. What is the version of the DNS server within the ‘Bhratach’ organisation? (5 points)

  2. What is the version of the mail server within the ‘Bhratach’ organisation? (5 points)

  3. Copy the keyring pair for each of the servers to your system (5 points for each keyring pair)

  4. What database version are the ‘Bhratach’ administrators running? (5 points)

  5. What is the root password on the ‘Bhratach’ mail server? (5 points)

  6. What version of web server are the ‘Bhratach’ administrators running? (5 points)

  7. What is the IP address of the database server in ‘Bhratach’? (5 points)

  8. Copy the PII file to your system. (15 points)

  9. The decrypted PII file (15 points)

  10. The complete list of users and ID numbers. (15 points)

Maximum Points on Offer = 100

Highest point score at the challenge wins. If two contestants have the same points at the end of the challenge, the first to accumulate their point total wins.

Rules of Engagement

Violation of these rules will lead to immediate expulsion from the exercise.

  • You can exploit any vulnerability you find on the servers, however, you shall not run any penetration test via the Internet.

  • The testing network must not be accessed via the Internet.

  • No denial of service attacks.

  • Do not try to bring the servers down.

  • No ARP spoofing of the connection to the target network.

  • Be conscious of hogging the system – remember you should treat these systems as if they are in ‘production’.

  • You can create new user accounts but do NOT change the passwords of existing accounts.

  • Only attack the target subnet (10.1.1.2-253) as detailed in the scope. The following are out of scope:

      • Fellow competitors.

      • VMware hosting software.

      • Routers.

      • Switches.

  • If you want to install software on the target servers, that is fine as long as it does not break the existing application or require a reboot.

  • Play nicely with team-mates and fellow competitors. Some people will move faster than others – that’s ok :)

  • You can use any tool you have (for commercial tools, you must have a license).

  • If you need to download a new tool, please disconnect from the test network and do so through your own wireless/3G set-up.

  • Please note that each system will be rebooted on the hour every hour and the original VM image will be restored. You should use this time to review/update your documentation and discuss your progress with fellow team members.

  • When you gain access DO NOT:

      • Harden the system or close the security holes on that particular system; others still need to learn after you get in.

      • Plant false flags.

      • Install rootkits.

  • During the conference DO NOT:

      • Attack the hotel network.

      • Connect our target network to the Internet.

Prizes

We are delighted that Syngress have agreed to sponsor a number of prizes for the winning team.

Recommended Tools

Competitors should provide their own computers and utilise whatever tools they wish. Below is a recommended list of tools that you can use – please feel free to add your own.

  • Nmap (version 5 is recommended)

  • Enum

  • Metasploit

  • John the Ripper, Cain & Abel, THC Hydra, Ophcrack

  • Pwdump3/Fgdump

  • *nix command-line knowledge

  • Tcpdump

  • Wireshark

  • Steganography (no preference on the tool)

  • Browser – Internet Explorer, Firefox, Safari

  • Netcat

  • Web App – W3AF, Burp, Paros

  • GnuPG for either Windows or Linux

  • BackTrack 4 USB/DVD should have everything that you need