DefCon CTF 2007 Overview
Kenshoto handed out small flyers to explain the game to people wandering
through the CTF area at DefCon. It said...
Capture the Flag 2K7
Dr Kenneth Shoto proudly presents the ultimate in cyber-ninja warface,
WarGamez: Capture the Flag (dubbed CtF by those having been to
Fedcon, er... Defcon before). Each brave team is assigned
a server of their own to defend (and a color so we can tell 'em apart).
Each server is chock-full o' custom services riddles with vulns ranging
from skr1p+ k1dd33 to ub3r h4x0r (courtesy of your friendly neighborhood
Kenshoto code gnomes, of course). The goal is to score the most points
by exploiting vulns on other teams' servers. Points? What you say!?!?
Steal -- Breaking into a service and getting read access to a secret token.
Submit your steal for a point.
Overwrite -- Breaking in with write access and overwriting the target's
key with yours. Each overwrite will trigger a point.
Breaththru -- First team to exploit a new vuln gets a mad bonus
(auto-scored and scaled for difficulty). Later teams get points, but the
value drops exponentially.
SLA -- Percentage of time that your services have been up (we have a
polling monkey that checks every few minutes). This scales your final score.
Penalties -- Seriously? You're reading the definition for 'penalty'?!?!
While you're at it: there is no Santa Clause.
There's so many more aspects to the game than what's here, so stop on by
and check it out (caveat lector: ask permission before you hover over a team
too intensely of you may wind up in a kung-fu death grip). Go let's review...
The goal IS NOT to:
The goal IS to:
- Create secure enterprise SOA data architectures suitable for Web 2.0
- Audit compensating controls relevant to risk-averse business verticals
- Demo your company's latest, greatest, whizz-bang snake oil
- Conjure aethereal machine-code into laser-guided bombs
- Unleash the blackhat within and actually break into something
- Pwn. 'Nuff said.
Each team has a color-coded table. The
tables are set up in a "U" shape, with the open end facing the wall. The
organizers, Kenshoto, are at the center of the room at their circular black
table, and had run cables to each of the teams' tables.
One RJ45 cable is the uplink switch port, and the second is the link to the
server you must defend. This year, we've been given the option to firewall
The network was 10.0.TEAM.0/24. For example, team 3 is on 10.0.3.0/24,
with a default route of 10.0.3.254.
Each team is given access to their "team server" (on the network as
10.0.TEAM.1) and the "root" password.
Many vulnerable services are running here, and it is the center of the contest.
Traffic is all random source NAT'd, so it isn't possible to distinguish traffic
sources to tell a rival team's attack apart from a Kenshoto service poll.
On each server are a large number of services (web applications, network
services of unknown function, console applications, etc). Each server's
services are nearly identical to each other, so if a team can understand
what their own server is doing, they have an insight into what the other
teams' servers are doing.
For example, services might be a web application where you can order software,
the "finger" daemon, or a console-based "mail" too.
Within each service is a "token". It can be one of three possible kinds
of tokens: "public", "private", or "overwrite".
- A "public" token is one that is "normally" visible. It's not special
if you can see it, but if you can compromise the service, it can be
- A "private" token is one that is not normally visible. If you can
compromise the service in some way, you can read a private token.
Additionally, some private tokens can also be overwritten.
- An "overwrite" token is team-specific and is used to overwrite the
contents of another team's service's token.
This year, tokens were a long string of alphanumeric characters (base64 encoding).
Each team is given a different "team token" to use for overwrites.
To keep the teams from just turning off their server and declaring
themselves immune to attack, Kenshoto polls each of the teams' services,
and keeps a running record of each team's "Service Level" (SL). This is
a percentage of "successful polls" vs "total polls". The idea being
that as a team tries to work to patch their vulnerable services, if
they accidentally make the service non-functional, their SL will drop.
Also, outside attackers may accidentally disrupt a service while trying
to gain access to it.
By default, each of the servers pass all Kenshoto service polls, so at
the start of the contest, every team has a 100% SL.
During each Kenshoto scoring phase, Kenshoto also updates all the "private"
tokens with new token values. As the contest goes forward, a team can repeatedly
steal tokens from vulnerable services, getting more and more unique tokens.
The contest is scored based on "Breakthroughs", "Steals", "Overwrites", and
"Service Level". ("Penalties" can also be levied for breaking rules,
To earn a "Breakthrough", a team must be one of the first to earn a point
from exploiting a service that other team's haven't exploited yet.
To earn a "Steal", a team must exploit a vulnerable service and record a
private token. To prove that they saw a private token, the team must
submit the token to Kenshoto for scoring.
To earn an "Overwrite", a team must exploit a vulnerable service and overwrite the
service's token with the "team overwrite token". Kenshoto is monitoring token locations
and automatically notices when a service token has been overwritten by a
rival team (and also restores the token to it's original state so other teams
can continue stealing from that service).
If a team does something against the contest rules (like performing any kind
of intentional Denial of Service), Kenshoto "fines" them with Penalty points.
Total score is ( SUM(BT values) + Steals + Overwrites ) * SL - Penalties.
The tricky issue with scoring is that Breakthrough points are not public.
Each service has an associated
Breakthrough value, depending on how hard Kenshoto thinks it is to find and exploit
a given service. For example, finding how to exploit a network service that
accidentally runs commands following a ';', is going to have a small Breakthough value. Finding how to exploit a flaw in a network protocol specifically designed to be
obfuscated is going to be worth a great deal more.
To submit a Breakthough, the team has to log into the Kenshoto scoring
website (written in Shockwave), enter their tokens into the form, and just
click "submit". They get feedback on how many were accepted and how many
were rejected (e.g. public tokens aren't worth any points).
The contest is intended to be about measuring hacking skill.
To make sure things stay on course, Kenshoto makes several rules clear:
- No intentional denial of service (electronic, physical, psychological, anything). If someone breaks a service in the process of trying to gain access to it, that's not considered intentional. (Though Kenshoto has designed the services to be resilient, so this is uncommon.)
- Unlimited team size, but only 8 people at a time are allowed at a given team's table (fire marshal will shut down CTF if it gets crowded). This count includes groupies and visitors. (This year, the limit was raise to 10 on Saturday, and unlimited on Sunday.)