HackEire 2009 - Capture the Flag Competition
As part of the 2009 IRISS Conference on Cybercrime we will be hosting Ireland's first Cyber Security Challenge, HackEire, to identify Ireland's top cyber security experts. HackEire will see 10 teams, up to a maximum of four people per team, compete against each other in a controlled environment to see which team will be the first to exploit weaknesses in a number of systems and declare victory. The purpose of the HackEire competition is to demonstrate how attackers could gain access to your systems and to allow you to learn from the event how to prevent such attacks from impacting your network.
The ‘Bhratach’ company has an interactive web presence on the Internet. This presence is hosted within the company and is connected to the company's internal corporate LAN. There are a number of servers located within the external DMZ and they connect to additional servers via the DMZ back to the LAN. The system hosts various bits of commercial and potentially sensitive data throughout the infrastructure.
The ‘Bhratach’ organisation requires a penetration test of their network. The test will be done on a black-box basis, i.e. you will not be provided with advance information on the target systems such as operating system, IP addresses or a network diagram.
There will be four servers, each running various services, for example a web server, a mail server or customized services. The services contain publicly known security vulnerabilities that enable the server to be compromised. Each of the servers will have a "flag" that must be collected. These flags will be in the form of a keyring pair. Additionally, the “final flag” is located on one of the four target servers. This final flag is in the form of a file which has been encrypted four times and is located in one of the temporary directories on one of the servers. This file contains Personally Identifiable Information (PII) and its name begins with ‘pii’.
The goal of the competition is for the first team to find the file, decrypt it and from the contents of the file obtain the list of names and corresponding ID Numbers.
The winner will be the first team/person with the highest points. If there is a draw, the winner will be the team who has successfully decrypted the PII file, and if both teams have achieved that objective the winner will be the team that achieved it first. Please announce the successful obtaining of flags to an IRISS handler so that it can be recorded.
The winning team will be the team that can capture all of the flags and provide the best description of how access to each server was gained and ultimately how each flag was captured.
If you would like to compete please email firstname.lastname@example.org. Entry is free of charge. There will be a maximum of 10 teams consisting of up to 4 members per team. If you do not have a team of four people you can enter either as an individual or IRISS will try to facilitate you on other teams. Places for the competition will be allocated on a first-come, first-served basis with preference given to IRISS members.
The scoring for the challenge will be based on the following:
Maximum Points on Offer = 100
Highest point score at the challenge wins. If two contestants have the same points at the end of the challenge, the first to accumulate their point total wins.
Rules of Engagement
Violation of these rules will lead to immediate expulsion from the exercise.
We are delighted that Syngress have agreed to sponsor a number of prizes for the winning team.
Competitors should provide their own computers and utilise whatever tools they wish. Below is a recommended list of tools that you can use – please feel free to add your own.