Date | Saturday, 20th |
Time | 1:00PM |
Location | Event Room 3 |
How to Play
Assist JPanic on his crusade to cleanse the Internet or help Buo stop JPanic before it is too late! Welcome to Ruxcon Capture the Flag: Operation Sizzlechest, a hacking game where you can test your skills, compete against other players, and win some great prizes.
The CTF game is made up of a series of levels based on the scallywag behaviour of JPanic, and the heroics of our white-knight Buo. All the levels can be played at your own leisure and level difficulty ranges from easy to moderate.
You can register as a team or hit the trail as a lone wolf. The CTF registration site will be available on the CTF Network at Ruxcon. See the handbook for more details on how to connect to the CTF network.
CTF will launch at 1:00PM on Saturday in the bar room and finish up at 3:00PM on Sunday. We will be taking the CTF competition with us to the Ruxcon Saturday night party so you can continue playing throughout the night and enjoy a bunch of free drinks while you're at it.
Tokens
Players will tackle a series of levels of varying difficulty which can be played in any order. Each level contains a token which you will receive on completion (or you might be lucky enough to stumble across some during your journey). You’ll need to submit the token to the CTF Scoreboard in order to collect points and increase your overall ranking. Not all tokens are created equal: token value is based on the difficulty of the level.
Submit a token via http://opsizzlechest/submit
The player or team with the most points at the end of the competition will be declared the winner.
Challenges
Ruxcon CTF has been designed to accommodate all levels of skill and experience, but most importantly the CTF has been designed as a fun challenge which anyone can play. So even if you’re not the competitive type and you’re just a bit curious, please register and have a bit of a poke around. We will provide solutions for all levels once the competition is over.
Some of the challenges you can expect to come across include:
- Client-Side Ownage
- SQL Injection
- Dotslash Technique
- Reverse Engineering and Binary Analysis
- Basic Exploit Development
- Basic Forensics
- Unix Insecurities
- Network Attacks
- Logic Bugs
- Ascii Jump!
Watch
During the competition we will have a live scoreboard located in the bar area, or you can view it at http://scoreboard. The scoreboard displays some real-time action of our players attempting to complete challenges, courtesy of some sneaky terminal sniffing we have set up on the competition servers.
We’ve also set up a Ruxcon CTF Twitter bot @RuxconCTF so you can follow the competition at home or on the move.
Software
There are no software requirements but if you have never played a CTF before then installing Backtrack and Metasploit will be enough to get you started.
We have archived a local copy of Metasploit and Backtrack available on the CTF Network.
Rules
There’s no rules here. Rules, *no*. Robbo?
Robbo: No rules.
There are no rules! But some of the following dick-moves are discouraged:
- DoS'ing other competitors or servers
- Trashing servers and dropping tables
- Coaching - team collaboration is encouraged but external mentors need not be consulted
Credits
The following awesome guys help put together CTF:
Exploit-Exercises: Heaps of cool training material to help you skill up in all things vulnerability development.
PentesterLab: Free online training for web application penetration testing.