On the development of the upcoming CTF with offline quest for the all-Ukrainian battle of hackers

Hi, Habrovchane! I hope many of you know and attend cozy hacker conferences, forums and meetups, not only for the sake of the after-party, but also to stretch your mind and wit in a CTF (Capture The Flag). As an organizer of an event that combines all of the above, I would like to share our team's experience in choosing a CTF platform and in the development itself.

CTFs are competitions built around the search for vulnerabilities and hidden data, and they are conventionally divided into classic and task-based. Classic competitions are also called Attack-Defense: the point is to analyze the system image, find vulnerabilities, fix them and use them on the servers of other teams. This post is about task-based CTFs.


There are quite a few people on Habrahabr who are keen on CTF games, so many have already found the answer to the question of why there are so many websites with team and participant ratings, scoreboards and analytical articles. After all, this is almost the only activity with a spirit of rivalry in which every security specialist ("bezopasnik") can measure their worth, albeit in artificial conditions that only approximate reality.
Participating in a CTF is one thing; creating and organizing one, which is what I will introduce you to, is something completely different.

Platform Selection


CTF platforms come in two types: ready-made and self-written. Ready-made platforms are good for their features, which have been refined over the years and tested in many competitions. Self-written ones practically guarantee the security of the site: they are written by people who know more about it than the average programmer or layout designer (which we cannot guarantee for ready-made platforms, where it all depends on the skill of the developers). Therefore, personally, our choice fell on the Facebook CTF platform, an interesting system with the following settings:

Different types of tasks:


There are also hints; opening one deducts a certain number of points. Another considerable plus: Facebook has one of the most exciting interfaces among platforms.

The Facebook CTF platform was first used in CTFs such as Facebook CTF at CSU San Bernardino and at the BruCON 2014 conference. Subsequently, Facebook began to promote an open-source software policy, and this also affected their CTF platform.

In May 2016 they published its source code on GitHub. As you can guess, the product was unfinished, but the developers did not sit idle, and by September they had already made about 401 edits to their code since publication. We hope that they will continue to upgrade their product at the same pace :)

Platform setup


This is where we ran into the first difficulties: it turned out that the platform is only in beta testing and has many shortcomings. We had to fix a number of bugs. I will not describe the whole process of fixes and workarounds; let me just say that we wanted to change the platform several times, but nevertheless decided that we would be the first to conquer Facebook CTF.

We made all the edits based on our three years of experience participating in CTF competitions. We took into account the shortcomings of other competitions, such as the absence of a bug bounty and points for it, of communication with the task creators, and much more! We were also influenced by the ctftime platform, where, among other things, many WTAs are posted with feedback from participants on any ongoing competition.

Creating Tasks


This is one of the most interesting stages of CTF development! Consider the areas we have touched:


And for those who want to try their hand at creating tasks, we have set up a task contest.

Task contest


More about the task contest: this is a real opportunity for you to practice creating your own tasks in virtually all categories! If your task is accepted for the CTF, you get a free ticket to the conference, plus honor and respect. So far few tasks have been submitted, so the chance of being selected is high! Applications are accepted by email: ctf@hackit-ukraine.com

H4ck1t CTF Offline Round


In addition to the 12 prepared categories of interesting tasks, designed for both beginners and pros in each area, the top 10 teams can expect an offline round with non-standard and interesting contests of a more entertaining genre that still calls for wit (which ones is a secret :)).


Competition


The online round will be held from September 23 to October 2, and every day several tasks from various categories will open. Based on the results, the best teams will be invited to the offline round on October 7th at the HackIT-2016 conference. In the finals, the teams can expect a gripping CTF, but in real life, with non-standard contests, blackjack and queens. Our team is preparing exciting real-world quests involving breaking webcams, RFID, locks and much more.

I hope this will not be taken as commercial advertising: you can register for the CTF here.

Write-ups of the most interesting tasks will be published after the event for those who are eager for them.

And a discount on the event itself for Habr readers: a 10% promo code, in case it comes in handy for someone:
HABR0710

Source: https://habr.com/ru/post/308270/

