DefCon CTF 2008 Overview
2008 CTF was nearly identical to CTF 2007
Each team has a color-coded table. The
tables are set up in a "U" shape, with the open end facing the wall. The
organizers, Kenshoto, are at the center of the room at their circular black
table, and had run cables to each of the teams' tables.
One RJ45 cable is the uplink switch port, and the second is the link to the
server you must defend. As done last year, we've been given the option to firewall
The network was 10.0.TEAM.0/24. For example, team 3 is on 10.0.3.0/24,
with a default route of 10.0.3.254.
Each team is given access to their "team server" (on the network as
10.0.TEAM.1) and the "root" password.
Many vulnerable services are running here, and it is the center of the contest.
Traffic is all random source NAT'd, so it isn't possible to distinguish traffic
sources to tell a rival team's attack apart from a Kenshoto service poll.
On each server are a large number of services (web applications, network
services of unknown function, console applications, etc). Each server's
services are nearly identical to each other, so if a team can understand
what their own server is doing, they have an insight into what the other
teams' servers are doing.
For example, services might be a web application where you can order software,
the "finger" daemon, or a console-based "mail" too.
Within each service is a "token". It can be one of three possible kinds
of tokens: "public", "private", or "overwrite".
- A "public" token is one that is "normally" visible. It's not special
if you can see it, but if you can compromise the service, it can be
- A "private" token is one that is not normally visible. If you can
compromise the service in some way, you can read a private token.
Additionally, some private tokens can also be overwritten.
- An "overwrite" token is team-specific and is used to overwrite the
contents of another team's service's token.
This year, tokens were a long string of alphanumeric characters (base64 encoding).
Each team is given a different "team token" to use for overwrites.
To keep the teams from just turning off their server and declaring
themselves immune to attack, Kenshoto polls each of the teams' services,
and keeps a running record of each team's "Service Level" (SL). This is
a percentage of "successful polls" vs "total polls". The idea being
that as a team tries to work to patch their vulnerable services, if
they accidentally make the service non-functional, their SL will drop.
Also, outside attackers may accidentally disrupt a service while trying
to gain access to it.
By default, each of the servers pass all Kenshoto service polls, so at
the start of the contest, every team has a 100% SL.
During each Kenshoto scoring phase, Kenshoto also updates all the
"private" tokens with new token values. As the contest goes forward,
a team can repeatedly steal tokens from vulnerable services, getting
more and more unique tokens. The token files' content (the "private"
token value for that team, service, and token refresh cycle) are retained
even after an overwrite. Kenshoto uses a custom kernel patch to notice
overwrites and restore the private token value. This is done so that there
isn't a race to read a token before another team overwrites the token
with their team "overwrite" token value.
The contest is scored based on "Breakthroughs", "Steals", "Overwrites", and
"Service Level". ("Penalties" can also be levied for breaking rules,
To earn a "Breakthrough", a team must be one of the first to earn a point
from exploiting a service that other team's haven't exploited yet.
To earn a "Steal", a team must exploit a vulnerable service and record a
private token. To prove that they saw a private token, the team must
submit the token to Kenshoto for scoring.
To earn an "Overwrite", a team must exploit a vulnerable service and overwrite the
service's token with the "team overwrite token". Kenshoto is monitoring token locations
and automatically notices when a service token has been overwritten by a
rival team (and also restores the token to it's original state so other teams
can continue stealing from that service).
If a team does something against the contest rules (like performing any kind
of intentional Denial of Service), Kenshoto "fines" them with Penalty points.
Total score is ( SUM(BT values) + Steals + Overwrites ) * SL - Penalties.
The tricky issue with scoring is that Breakthrough points are not public.
Each service has an associated
Breakthrough value, depending on how hard Kenshoto thinks it is to find and exploit
a given service. For example, finding how to exploit a network service that
accidentally runs commands following a ';', is going to have a small Breakthough value. Finding how to exploit a flaw in a network protocol specifically designed to be
obfuscated is going to be worth a great deal more.
To submit a Breakthough, the team has to log into the Kenshoto scoring
website (written in Shockwave), enter their tokens into the form, and just
click "submit". They get feedback on how many were accepted and how many
were rejected (e.g. public tokens aren't worth any points).
The contest is intended to be about measuring hacking skill.
To make sure things stay on course, Kenshoto makes several rules clear:
- No intentional denial of service (electronic, physical, psychological, anything). If someone breaks a service in the process of trying to gain access to it, that's not considered intentional. (Though Kenshoto has designed the services to be resilient, so this is uncommon.)
- Unlimited team size, but only 10 people at a time are allowed at a given team's table (fire marshal will shut down CTF if it gets crowded). This count includes groupies and visitors. (The limit was lifted on Sunday.)