
SibirCTF 2015: how it was

For the second year in a row, the SibirCTF information security competition has been held in the city of Tomsk. This year twice as many teams came as last year, which we certainly did not expect. So we would like to tell the community about the event.

Event Summary


For the second year now, we have held the SibirCTF information security competition in the spring with the support of Tomsk State University of Control Systems and Radio Electronics (TUSUR), the Administration of Tomsk Region, the interregional public organization "ARSIB", and the Siberian Regional Branch of the Educational and Methodical Association for information security education (SibROUMO).

The competition was held on 22 and 23 May as part of the Forum of Young Scientists U-NOVUS 2015. The game format was the traditional Attack-Defense. This year, 14 teams from different cities of the Siberian Federal District participated: Novosibirsk, Omsk, Krasnoyarsk, Barnaul, Tomsk. Teams from Samara and the Far East also wanted to come, but for some reason it did not work out. Even so, the competition was already high.


Competition Organization


For the second year in a row, the keva team took over the technical part of the competition. The team consists mainly of students and graduates of TUSUR. Ten people handled the creation of the services, the organization and configuration of the network, the setup of the jail system, and other technical matters.

All work began 3 months before the event. We decided to use the jury system of the Yekaterinburg team HackerDom (after the competition, we decided not to use it anymore). Each team was given access to a virtual machine on which the game services were running. The jury system also ran on a virtual machine.

Equipment


It took a lot of equipment, but the desire to optimize the budget bore fruit. In the end we managed with one server for the virtual machines (last year there were 2: one for the game and one backup). The server configuration was as follows: 2 four-core Xeon processors, 64 GB of RAM, and an 8 TB RAID array. A Mikrotik RB1100X2AH was used as the head router. The aggregation switch was from the Mikrotik CloudRouter Switch series. The access switches were an assortment of various D-Link and 3Com devices. Last year, all switches and routers were Cisco (this year we supported the import substitution program).

Services


The core of any Attack-Defense CTF competition is its services. Their quality and originality largely determine the success of the competition.

We started preparing the services 3 months before the start. We wanted the services to be easy to understand (because the teams' skill levels differ), but still fairly hard when it comes to finding and fixing all the vulnerabilities.

As a result, it was decided to develop 4 services: CryChat, O'Foody, CTFGram, EasyAs. More detail on each of them follows.

CryChat

A service written in PHP. I wanted to create an anonymous chat in which two users could send each other messages and files, which is a relevant topic today. Video walkthrough of the service:



O'Foody

A service written in Perl. There were 4 vulnerabilities in the service. Perl was chosen for its high development speed, and also out of a desire to show participants that you can write beautiful code in this language. PostgreSQL was used as the database. Video walkthrough of the service:



CTFGram

A service written in JavaScript. The main idea of the service is an analogue of Instagram. You could register, upload your photos, and leave likes. Video walkthrough of the service:



EasyAs

A service written in Python. This service was intended as the entry-level and easiest one. If you look at the code, you will understand why. Video walkthrough of the service:



Video


Video from our partners from ARSIB:



Results


The results are as follows:

  1. SuSlo.PAS
  2. Failers
  3. Fts
  4. Life
  5. Mustang
  6. OMAVIAT
  7. Sharlike
  8. SibirTSU
  9. Zanyato
  10. Tio
  11. Luck3rz
  12. Shikata ga nai
  13. Hell zip
  14. n57u n00bz

The Mustang and Shikata ga nai teams participated outside the standings.

SibirCTF 2016


Next year we want to do a lot. We have many ideas, including new formats that are closer to real situations. If you have any suggestions, we will be happy to hear them.

See you next year.

Repository link: SibirCTF

Special thanks to ARSIB for the photos provided.

P.S. I would like to hear the Habr community's opinion of the services, as well as the impressions of the competition's participants.

Source: https://habr.com/ru/post/263473/

