Difference between revisions of "Front Range OWASP Conference 2013/CTF"

m (Whitespace correction)
 
(12 intermediate revisions by 5 users not shown)
Line 1: Line 1:
SnowFROC 2013 is proud to present a homegrown capture the flag (CTF) hacking competition. Competitors will be provided a series of web applications containing a variety of vulnerabilities. Each discovered vulnerability will earn points. The harder the hack, the more points earned. At the end of the day, the team with the most points wins.
+
==Capture the Flag Overview==
 +
Test your skills with a capture the flag (CTF) hacking competition created specifically for SnowFROC by members of the Boulder OWASP chapter.
 +
 
 +
Competitors will be provided a series of web applications containing a variety of vulnerabilities. Each discovered vulnerability will earn points. The harder the hack, the more points earned. At the end of the day, the team with the most points wins.
 +
 
 +
<!-- Basic plot intro, other background information? -->
 +
 
  
 
==Rules==
 
==Rules==
Line 8: Line 14:
  
 
All contestant machines should have:
 
All contestant machines should have:
* A virtual machine player such as [http://www.vmware.com/products/player/ VMware Player] or [https://www.virtualbox.org/wiki/Downloads VirtualBox].
+
* A virtual machine player that supports .vmdk files, such as [http://www.vmware.com/products/player/ VMware Player], [https://www.virtualbox.org/wiki/Downloads VirtualBox], or [http://www.parallels.com/ Parallels].
* Appropriate penetration testing tool ([http://www.backtrack-linux.org BackTrack], [http://samurai.inguardians.com/ SamuraiWTF], and [[OWASP_Mantra_OS|Mantra OS]] will fit in well).
+
* Appropriate penetration testing tool ([http://www.backtrack-linux.org BackTrack], [http://samurai.inguardians.com/ SamuraiWTF], [[OWASP_Mantra_OS|Mantra OS]], and [[ZAP|OWASP ZAP]] will fit in well).
 
+
<!--
+
SnowFROC will provide:
+
* Tables and chairs.
+
* Power strips.
+
* At least one external IP address per team.
+
-->
+
  
 
===Acceptable behavior===
 
===Acceptable behavior===
 
Competitors are only permitted to attack targets running on their local systems. Network traffic will be monitored to ensure there will be:
 
Competitors are only permitted to attack targets running on their local systems. Network traffic will be monitored to ensure there will be:
* No attacking the scoreboard. Misuse will result in punitive action.
+
* No attacking the [[SnowFROC2013_CTF_Scoreboard| scoreboard]]. Misuse will result in punitive action.
 
* No targeting the VM. Do not mount the VM and harvest flags from within.
 
* No targeting the VM. Do not mount the VM and harvest flags from within.
 
* No attacking other teams, whether through coercion, DoS, theft, sabotage, or other malicious activity.
 
* No attacking other teams, whether through coercion, DoS, theft, sabotage, or other malicious activity.
Line 26: Line 25:
  
 
===Prizes===
 
===Prizes===
Anyone who worked on the project or has access project repositories are ineligible to win prizes.
+
Small prizes will be awarded to winners. Anyone who worked on the project or who has access to project-related repositories is ineligible to win prizes.
  
Prizes will be awarded to:
+
Both team and individual prizes will be awarded based on merit and other achievements.
: (1) The team with the most points;
+
<!--
: (2) The team who completed the story first (or, as a tiebreaker, the team with the most plot-specific points);
+
Team prizes will be awarded to:
: (3-6) The team who took the shortest amount of time to complete Acts I-IV;
+
* The team with the most points;
: (7) The person who solved the hardest challenge (worth the most points);
+
* The team who completed the story first (or, as a tiebreaker, the team with the most plot-specific points);
: (8) The person who solved the most challenges (raw number);
+
* The team who took the shortest amount of time to complete Acts I-IV;
: (9) The person who scored the most points (total sum);
+
 
 +
Individual prizes will be awarded to:
 +
* The person who solved the hardest challenge (worth the most points);
 +
* The person who solved the most challenges (raw number);
 +
* The person who scored the most points (total sum);
 +
-->
  
  
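Review bot: With the numbered prize criteria moved into an HTML comment, the visible text only says prizes are awarded "based on merit and other achievements", which no longer tells competitors what is being scored; consider keeping at least "The team with the most points" visible, since the overview section already promises that the team with the most points wins.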
Line 40: Line 44:
 
===Content acquisition===
 
===Content acquisition===
 
<!-- Where to download the competitor VM as well as VM players, etc.. -->
 
<!-- Where to download the competitor VM as well as VM players, etc.. -->
 +
This information will be released closer to the day of the event.
  
===Installation instructions===
+
===Installation and configuration instructions===
 
<!-- How to install the competitor VM, including VM players, etc.. -->
 
<!-- How to install the competitor VM, including VM players, etc.. -->
 +
* Add the following entries to your hosts file:
 +
  10.50.65.12 training.theagency.owasp, theagency.owasp
 +
  10.56.65.87 theagency.owasp, Im.theagency.owasp
 +
  10.50.65.26 www.pla.owasp, secretlogin.pla.owasp, download.pla.owasp, www.pla.pt
 +
  10.50.65.187 shadowcorp.owasp
 +
  198.19.147.198 ctf.snowfroc.com
 +
* The first network adapter must be a bridge network adapter.
 +
*Configure the second network adapter to be a host-only network on your VM with IP address 10.50.65.254/24
 +
* Load the .vmdk files
 +
* Make sure you are using a browser other than Internet Explorer which for security reasons is not supported by the scoreboard.
 +
 +
*Make sure you are on the CTFSnowFROC wifi network (or plugged in directly at a table).
 +
 +
#Start by copying VM over to your machine. While that is going on, move on to the next steps.
 +
#Make sure hosts file has the entries provided above.
 +
#Within VirtualBox, go to file --> preferences --> network --> add host only network adapter.
 +
#Edit this new adapter - put in 10.50.65.254 255.255.255.0
 +
#In the VirtualBox main page- go to New, give the VM a name, set type to BSD, click next, set mem to at least 1 GB, Use Existing Virtual HD. Point it to the ctf.vmdk file you copied onto your machine. Create.
 +
#Select VM in the VirtualBox main window, at top click settings. go to network, adapter 1, change to "Bridged Adapter". Adpater 2, enable network adapter, make it a host only adapter and select the adapter you created earlier. Hit ok.
 +
#Start VM. Follow directions provided in VM.
  
 
===Registration instructions===
 
===Registration instructions===
 
<!-- Registration/scoreboard location; team sizes and naming conventions; etc. -->
 
<!-- Registration/scoreboard location; team sizes and naming conventions; etc. -->
 +
Coming soon.
  
 
===Gameplay instructions===
 
===Gameplay instructions===
 
<!-- How to use the scoreboard; where to get help; etc. -->
 
<!-- How to use the scoreboard; where to get help; etc. -->
 
 
<!--
 
==Competition Overview==
 
-->
 
<!-- Basic plot intro, other background information -->
 
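Review bot: The hosts-file entries in this hunk separate aliases with commas (for example "training.theagency.owasp, theagency.owasp"), but hosts files take whitespace-separated names, so the first name would be registered as "training.theagency.owasp," and not resolve as written; drop the commas. The same list maps theagency.owasp to both 10.50.65.12 and 10.56.65.87, and 10.56.65.87 lies outside the 10.50.65.0/24 host-only network the following bullets configure, so one of those two lines looks mistyped and should be confirmed. Minor: "Adpater 2" in the last numbered step.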

Latest revision as of 17:45, 28 March 2013

Capture the Flag Overview

Test your skills with a capture the flag (CTF) hacking competition created specifically for SnowFROC by members of the Boulder OWASP chapter.

Competitors will be provided a series of web applications containing a variety of vulnerabilities. Each discovered vulnerability will earn points. The harder the hack, the more points earned. At the end of the day, the team with the most points wins.


Rules

All conference attendees may participate in the CTF tournament for no additional cost. If you would prefer to attend the general conference proceedings, the competition will be made available to attendees after SnowFROC ends.

Format

Contestants will be provided a virtual machine which will run locally on self-provided devices. This is a BYOD event and all contestants are responsible for providing their own machine. No "loaners" will be made available.

All contestant machines should have:

  • A virtual machine player that supports .vmdk files, such as VMware Player, VirtualBox, or Parallels.
  • Appropriate penetration testing tool (BackTrack, SamuraiWTF, Mantra OS, and OWASP ZAP will fit in well).

Acceptable behavior

Competitors are only permitted to attack targets running on their local systems. Network traffic will be monitored to ensure there will be:

  • No attacking the scoreboard. Misuse will result in punitive action.
  • No targeting the VM. Do not mount the VM and harvest flags from within.
  • No attacking other teams, whether through coercion, DoS, theft, sabotage, or other malicious activity.
  • No collusion. Work only within your own team.

Prizes

Small prizes will be awarded to winners. Anyone who worked on the project or who has access to project-related repositories is ineligible to win prizes.

Both team and individual prizes will be awarded based on merit and other achievements.


Getting Started

Content acquisition

This information will be released closer to the day of the event.

Installation and configuration instructions

  • Add the following entries to your hosts file:
 10.50.65.12 training.theagency.owasp, theagency.owasp
 10.56.65.87 theagency.owasp, Im.theagency.owasp
 10.50.65.26 www.pla.owasp, secretlogin.pla.owasp, download.pla.owasp, www.pla.pt
 10.50.65.187 shadowcorp.owasp
 198.19.147.198 ctf.snowfroc.com
  • The first network adapter must be a bridged network adapter.
  • Configure the second network adapter to be a host-only network on your VM with IP address 10.50.65.254/24.
  • Load the .vmdk files.
  • Make sure you are using a browser other than Internet Explorer, which for security reasons is not supported by the scoreboard.
  • Make sure you are on the CTFSnowFROC wifi network (or plugged in directly at a table).
  1. Start by copying the VM over to your machine. While that is in progress, move on to the next steps.
  2. Make sure your hosts file has the entries provided above.
  3. Within VirtualBox, go to File --> Preferences --> Network --> add a host-only network adapter.
  4. Edit this new adapter and set its address to 10.50.65.254 with netmask 255.255.255.0.
  5. In the VirtualBox main window, click New, give the VM a name, set the type to BSD, click Next, set memory to at least 1 GB, and choose Use Existing Virtual HD. Point it to the ctf.vmdk file you copied onto your machine, then click Create.
  6. Select the VM in the VirtualBox main window and click Settings at the top. Go to Network, Adapter 1, and change it to "Bridged Adapter". On Adapter 2, enable the network adapter, make it a host-only adapter, and select the adapter you created earlier. Click OK.
  7. Start the VM and follow the directions provided in the VM.
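Added example, not part of the OWASP page or the CTF project: a scripted form of steps 3 to 6 above using VBoxManage, with a check that the step 2 hosts entries are usable. It assumes VBoxManage is on PATH, that the host-only interface VirtualBox creates is vboxnet0, a VM named snowfroc-ctf, a bridged interface given by BRIDGE_IF, and VirtualBox's FreeBSD OS type in place of the page's "BSD".

```shell
#!/bin/sh
# Added example, not from the SnowFROC page: VBoxManage form of GUI steps 3-6
# plus a check of the step-2 hosts entries. Assumed, not stated on the page:
# VBoxManage on PATH, host-only interface vboxnet0, VM name snowfroc-ctf,
# bridged interface BRIDGE_IF, and VirtualBox's FreeBSD type for "BSD".
set -eu

VM_NAME="${VM_NAME:-snowfroc-ctf}"
VMDK="${VMDK:-ctf.vmdk}"
BRIDGE_IF="${BRIDGE_IF:-eth0}"
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"
HOSTONLY_IP="10.50.65.254"
HOSTONLY_MASK="255.255.255.0"

# Hostnames the page's hosts-file entries must resolve.
REQUIRED_HOSTS="training.theagency.owasp theagency.owasp Im.theagency.owasp
www.pla.owasp secretlogin.pla.owasp download.pla.owasp www.pla.pt
shadowcorp.owasp ctf.snowfroc.com"

# check_hosts FILE: 0 if every required name is a whitespace-separated token on a
# non-comment line; otherwise prints the missing names and returns 1. A trailing
# comma ("theagency.owasp,") is a different token, so it counts as missing.
check_hosts() {
  file="$1"; missing=""
  for name in $REQUIRED_HOSTS; do
    awk '!/^[ \t]*#/ { for (i = 2; i <= NF; i++) print $i }' "$file" \
      | grep -qxF -- "$name" || missing="$missing $name"
  done
  [ -z "$missing" ] || { echo "missing hosts entries:$missing"; return 1; }
}

# run CMD...: execute, or only print the command line when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
# Steps 3-4: create the host-only adapter and give it the page's gateway
# address (assumes the interface VirtualBox creates is $HOSTONLY_IF).
configure_hostonly() {
  run VBoxManage hostonlyif create
  run VBoxManage hostonlyif ipconfig "$HOSTONLY_IF" --ip "$HOSTONLY_IP" --netmask "$HOSTONLY_MASK"
}

# Steps 5-6: register a BSD VM on the existing ctf.vmdk with 1 GB RAM,
# adapter 1 bridged and adapter 2 on the host-only network.
create_vm() {
  run VBoxManage createvm --name "$VM_NAME" --ostype FreeBSD --register
  run VBoxManage modifyvm "$VM_NAME" --memory 1024 --nic1 bridged --bridgeadapter1 "$BRIDGE_IF" \
    --nic2 hostonly --hostonlyadapter2 "$HOSTONLY_IF"
  run VBoxManage storagectl "$VM_NAME" --name SATA --add sata
  run VBoxManage storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 --type hdd --medium "$VMDK"
}
```

Source the file and run `check_hosts /etc/hosts && configure_hostonly && create_vm`; set `DRY_RUN=1` first to preview the VBoxManage commands without changing anything.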

Registration instructions

Coming soon.

Gameplay instructions