
Good day!
52 participants, 11 teams, 8 hours - these are the main figures of the information security competition SibSUTIS CTF 2015, which was held for the first time on February 21 at the Siberian State University of Telecommunications and Informatics (Novosibirsk).
I would like to tell you about the preparation of these competitions on behalf of the organizers.
A little about CTF
CTF (Capture the Flag) is a team competition in information security.
There are several formats, the main ones are:
- Tasks - teams are given a list of tasks from different categories, and each task is worth a certain number of points awarded for solving it. The team that scores the most points wins. If points are equal, the team that solved its tasks in less time is ranked higher;
- Classic - teams are given access to identical virtual machines available on the local network. Usually this is some kind of Linux distribution that runs various web services. Teams need to fix all the vulnerabilities they find and conduct attacks against the servers of competing teams. Attacks and defenses are each awarded a certain number of points. The winner is the team with the most points for successful attacks and defenses.
In Russia, this movement is rapidly gaining momentum; among the major events, RuCTF and Positive Hack Days are worth noting.
About the organizers and format of the competition
The organizers were mainly 2nd- and 3rd-year students of the SibSUTI departments BiUT (Department of Security and Management in Telecommunications) and PMiK (Department of Applied Mathematics and Cybernetics), 7 people in total.
We had enough experience of CTF competitions as participants (in the Siberian Federal District), but this was our first time in the role of organizers. For the format of the competition we settled on Tasks, as it was somewhat easier for us to implement, and we didn’t know exactly how many participants there would be or what knowledge they would have.
Preparing for the competition
We had about 21 days for all the preparation. First of all, the competition regulations were drawn up, which determined the format of the competition, the number of participants (from 3 to 7 people in a team), the rules for participants and the task categories.
We came up with the following categories of tasks:
- Reversing - analysis and reverse engineering of application software;
- Web - examining web scripts for vulnerabilities (black box);
- Crypto - cryptographic tasks;
- Forensic - tasks in the field of computer crime investigation;
- Joy - general interesting tasks, based mainly on logic.
Each category had 3 tasks, worth from 100 to 300 points depending on the difficulty of the task.
Next came the distribution of responsibilities: who would do what during the preparation. Namely, it was necessary (by priority) to:
- Agree with the administration of the university on the place and time of the competition, as well as prizes for the winners;
- Configure the server and deploy the answer-checking system on it, as well as the team registration page;
- Create 15 tasks in all categories;
- Design the competition logo, advertise on social networks, put up flyers at the university;
- Prepare a venue for the competition;
- Well, and a bunch of little things ...
I set up the server and wrote tasks. A little about the details. We had a “lamp” server; I won’t give the exact configuration, but it was something like a 4-core Intel Xeon at 3.2 GHz with 16 GB of RAM. It ran Debian 7 and had a static IP address reachable from the external network.
For our tasks we needed to bring up a web server, which was done through Docker virtualization. Until then I had never worked with Docker, so bringing up the container with the server and forwarding ports to the external network gave me a couple of happy sleepless nights before I finally figured out how it works.
As a result, the standard set was installed in the container:
Ubuntu + Apache + MySQL + PHP.
Then, in a very short time, a simple registration page for the participants was made, along with the “CTF Management System”, which had rather modest functionality:
- Adding tasks (title, description, number of points for the correct solution, correct answer to the task);
- Rating table;
- The ability to publish news;
- And a spy feature to see which answers teams are trying to submit for a task.
The rest of the time was focused on developing tasks.
A week before the competition, the registration page was opened to participants, and in the first 4 days only 4 teams registered - about 15-20 people in total (we honestly didn’t expect more), but in the last 2 days something terrible happened: 7 more teams registered, and in total we had 52 participants.
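The scoring rule of the Tasks format (most points wins, ties broken by time) and the functions listed above can be put together as follows. This is an added example, not the organizers' code: it uses Python rather than the PHP stack, the names `Task`, `Scoreboard` and `demo` are hypothetical, all teams and answers are constructed, and the tie-break is assumed to mean the time of a team's last accepted answer.

```python
import hmac
from collections import namedtuple
from dataclasses import dataclass, field

Task = namedtuple("Task", "points answer")

@dataclass
class Scoreboard:
    tasks: dict                                    # task id -> Task
    closes_at: int                                 # minutes after start
    solved: dict = field(default_factory=dict)     # team -> {task id: minute}
    attempts: list = field(default_factory=list)   # every answer tried

    def submit(self, team, task_id, answer, minute):
        # Log first, so wrong and late answers are visible to organizers too.
        self.attempts.append((minute, team, task_id, answer))
        if minute >= self.closes_at:
            return "closed"
        expected = self.tasks[task_id].answer.encode()
        # Constant-time comparison of the submitted answer with the stored one.
        if not hmac.compare_digest(answer.strip().encode(), expected):
            return "wrong"
        team_solved = self.solved.setdefault(team, {})
        if task_id in team_solved:
            return "duplicate"                     # no points twice for one task
        team_solved[task_id] = minute
        return "accepted"

    def rating(self):
        # Most points first; on equal points the earlier last solve ranks higher
        # (assumed reading of "solved the tasks in less time").
        rows = [(team, sum(self.tasks[t].points for t in s), max(s.values()))
                for team, s in self.solved.items()]
        return sorted(rows, key=lambda r: (-r[1], r[2]))

def demo():
    # Constructed tasks, teams and answers; 480 minutes = the 8-hour contest.
    tasks = {"web100": Task(100, "flag{constructed_web}"),
             "joy200": Task(200, "flag{constructed_joy}"),
             "crypto300": Task(300, "flag{constructed_crypto}")}
    sb = Scoreboard(tasks, closes_at=480)
    log = [("alpha", "web100", "flag{constructed_web}", 30),
           ("beta", "web100", "flag{guess}", 40),
           ("beta", "crypto300", "flag{constructed_crypto}", 200),
           ("alpha", "joy200", "flag{constructed_joy}", 250),
           ("alpha", "web100", "flag{constructed_web}", 260),
           ("beta", "joy200", "flag{constructed_joy}", 480)]
    statuses = [sb.submit(*entry) for entry in log]
    return statuses, sb.rating(), len(sb.attempts)
```

In the constructed log both teams end on 300 points, so the order is decided by the tie-break, and the answer sent at minute 480 is logged but not scored.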
The reading room of our university library was chosen as the venue, and, to everyone's happiness, all the teams fit in this room.
But as it turned out the day before the competition, there were some problems with the Internet in the library - only 1 Wi-Fi access point (ideally designed for 20 people) and 4 Internet sockets. But that's not all. For some reason unknown to us, our server was unreachable from this most unfortunate library.
The war with our university Internet provider led nowhere - they insisted that the problem was with the server (for the record, the server worked absolutely everywhere else, and even Host-Tracker confirmed it), so we had to solve the problem by bypassing the provider - we set up proxying through our friend's Malaysian VPS.
We also added another Wi-Fi access point to the library and installed 2 network switches.
Competition day
The competition was held on Saturday, February 21. The opening took place in the assembly hall, where the administration and the organizers said a few introductory words to the participants. Then all the participants went to the venue, and at 10:00 am Novosibirsk time the competition opened.
The teams showed a fairly high level of knowledge - 6 teams solved more than half of the proposed tasks and passed the 2000-point mark. All the teams played fair: some vulnerabilities in the checker could have given an advantage, but they were immediately reported to the organizers. All vulnerabilities were fixed during the competition.
Also, to our happiness, there were no critical problems with the Internet; there was a slight hitch at the start of the competition - it went down for 1.5 minutes, and then it worked steadily.
The fierce struggle continued right up to the close of the competition. The team in second place solved the task that would have taken them to 1st place, but they were 1 minute too late to submit the answer: the system had already closed.
All participants were satisfied. After the competition, we talked with them and went over the solutions to some tasks that had been difficult to solve.
UPD: Tasks and Answers Archive