This post is here to provide some information on our CTF Games currently running at OpenWest conference. These are ran and organized by theTransistor and DC801.
You absolutely do NOT need to have previous experience to participate. Everyone starts somewhere, and these are great skills to learn.
We are running 2 games:
Attack-A-Box and OpenCTF
The Attack-A-Box is a live exploitable server environment, and the OpenCTF is a jeopardy-style challenge-based game board. We will be running BOTH of these games the entirety of the OpenWest conference; from Thursday through the end of Saturday.
1st Prize: Laser cut plaque, bragging rights, and One Month free membership at theTransistor.
2nd Prize: Laser cut plaque, bragging rights, and a gift card
3rd Prize: Laser cut plaque, and bragging rights
Prizes are PER game. (So there are 2 first-place winners, 2 second-place winners, and so on)
If you aren’t familiar with CTF, you may not have the tools that you need to participate. Don’t worry, we should have you covered. We have a stack of live-boot CDs with Kali Linux on them. Please ask us if you need one, or if you have any further questions on the CTF.
Registration and leader-boards
OpenCTF Registration is located at: http://10.108.10.11
Attack-A-Box Registration is located at: http://10.108.10.15
These will be the servers that you register on, submit flags to, and check the leader-boards on.
Flags and Scoring
To capture a flag (how you get points) you will need to find the flag on the servers that you exploit. There may also be flag hidden in other places of the game. We’ll leave that up to you to figure out what that means.
Each flag is a SHA1 hash or a PNG file containing a QR code. To capture a SHA1 hash flag, you simply copy the hash and paste it into the scoring server under your login (which you will create). To capture a QR type flag, you will need to first decode the flag (typically via cell phone or linux library), and then paste the result into the scoring server to claim.
Network Structure and Etiquette
10.108.10.1/24 Scoring and Game Board: Do NOT attempt to hack this network. This is used by all players to register for the games, capture flags, and view the leaderboards. Your email is required only for us to get any potential prizes to you.
10.108.42.1/24 Public Network: Do NOT attempt to hack this network please. This includes ARP spoofing / etc. This is the network that you will plug your machines into. This is also the network that all the other players connect on.
10.108.69.1/24 Malicious Network: ATTACK! This is the network that contains the servers that you will be attacking for glory, prizes, and maybe even a pat on the back. See Instructions below for each games information:
OpenCTF Specific Information
Scoring, Gameboard, and Registration at: http://10.108.10.11
The OpenCTF game is a jeopardy-style gameboard located at http://10.108.10.11. To play you will need to:
1) Register (email is ONLY so that we can contact you if you win a prize)
2) Visit the gameboard, and solve some challenges!
3) Once you solve a challenge, you will need to submit the answers to the questions.
Attack-A-Box Specific Information
Scoring, Leader-Boards, and Registration at: http://10.108.10.15
The Attack-A-Box is a network of servers located on the 10.108.10.69/24 network. The goal is to break into the servers (totally legal, we give you permission!), and find the flags. Flag are either SHA1 style keys in files, packets, etc or QR codes (as PNG files) that you will need to scan (or run through a QR decoder) and then submit the result to get your points. It usually goes something like this:
1) Boot into Kali Linux (we have live-boot DVDs, if you need one), or your choice of Security-Based OS.
2) Use NMAP to scan the 10.108.69.1/24 network for servers with open ports.
2.1) Use Wireshark to capture data to and from your computer if you wish.
3) With your server / port list in hand you can now attempt to exploit services that may be vulnerable. Network share on a server? Connect to it and see what’s there. VNC port open? Try to connect with default settings. Maybe you have discovered a password somewhere. If you know metasploit, there may be an exploit you can run against it (or any other services).
4) Once you have found a flag, submit it!
5) Profit. Get in the top 3 on either (or both!) leader-boards to win cool stuff!
Read more »