Watch the best CTF teams in action!
The world’s top CTF teams battle it out in a new style of attack and defense contest featuring a record-breaking prize pool of $100,000! We’re flying the world’s best CTF teams into Abu Dhabi to battle it out in a three-day attack and defense CTF competition organized by HITB in collaboration with Hackerdom, Russia’s leading CTF organizing crew. The CTF will pit winning teams from various other contests to prove definitively that they are the best in the world and also features a new contest visualization system to make it easier for spectators to understand the challenges teams will face while they battle it out for glory!
Who?
- Eat Sleep Pwn Repeat (HITB2018 Overall Champions & Winners of HITB2019AMS CTF)
- RedRocket (CyberSec Challenge Germany & HITB2019AMS CTF 2nd Place)
- Hack.ERS (HITB2019AMS CTF 3rd Place)
- dotRA (Winners of PHDays 2019)
- DEFKOR00T (Winners of DEFCON 2018 & HITCON CTF 2018 2nd Place)
- PPP (Winners of TokyoWesterns CTF 2018 & DEF CON CTF 2019 & Code Blue CTF 2018 2nd Place)
- True0xA3 (WInners of PHDays 2019 CTF)
- TokyoWesterns (Winners of BCTF 2019)
- Tower of Hanoi (Winners of RUCTF 2019)
- saarsec (Winners of RUCTFE 2018)
- Bushwhackers (Winners of iCTF 2019 & RuCTF 2018)
- Dragon Sector (Winners of 0CTF 2018 & HITCON 2018)
- r3kapig (Winners of 0CTF 2019 & BCTF 2018 & XCTF Finals 2018)
- LC↯BC (Winners of Insomni’hack 2019)
- PDKT (Winners of HITBGSEC 2019 CTF)
- r3billions (Winners of Arab Regional CTF)
- mHackeroni (Italian CTF Team)
- TBA (Winners of Cyber Battle of the Emirates)
- H3X VI5ION
- 4horsemen
- root4fun
Rules
These rules are similar to the RuCTFE contest rules, but for those of you who haven’t ever played RuCTFe or other classical attack-defence CTF competition, please read this carefully.
Here some general gameplay is described, the exact scoring rules will be announced later, on the evening before the game.
At the venue you’ll have a switch on your table that is already connected to the remote machines where some operating systems with vulnerable services run — they are called vulnerable images. All the teams have identical set of vulnerable images. There are also cables for your laptops to connect to the switch — please use them.
All the computers — both team members' laptops and vulnerable images — are connected via wired local network so you can send requests to other teams’ vulnerable images. They will have similar IPs: for the first team it would be 10.60.1.X, where X is a number of vulnerable image, for the second team it would be 10.60.2.X, for the third — 10.60.3.X, etc.
Game structure
Every day the network will be closed for the first hour from 9AM to 10AM, so you can look through the images and services. At 10 AM we open the network and you can attack other teams yet being hacked by others. Also the checksystem starts its work.
Checksystem is orgs’ server that checks if services work as expected. Every game round (1 round = 1 minute) it checks all the services of all the teams and if something fails — the SLA of such a service will decrease. This may happen if you tried to patch the vulnerability in your service and broke its main functionality. Or if other team has deleted something critical from your service.
The other important function of checksystem is to put some secret information in the services, we call it “flags”. A flag is a string that consists of 32 chars: digits, capital letters and “=” symbol in the end and can be described with the following regexp: '[A-Z0-9]{31}='. It looks like this: 72DZHJQ509TPKPGRB1J9T7T9W6VVL5R=.
During these three days we’ll unlock new services and shut down those ones we consider to have already done their work. We’ll announce the full algorithm later.
Capturing the flags
You can capture the flags in any way except the physical one :) You are not allowed to destroy other teams’ infrastructure (like running rm -rf /) or generate a large amount of traffic, otherwise we can disqualify you.
Once you’ve captured someone’s flag, send it to orgs as soon as possible by performing a HTTP request to http://10.10.10.10/flags using PUT method, X-Team-Token header (you’ll get your token right before the game) and a json payload with flags.
Here is an example:
$ curl -s -H 'X-Team-Token: your_secret_token' -X PUT -d '["PNFP4DKBOV6BTYL9YFGBQ9006582ADC=", "STH5LK9R9OMGXOV4E06YZD71F746F53=", "0I7DUCYPX8UB2HP6D6UGN86BA26F2FE=", "PTK3DAGZ6XU4LPETXJTN7CE30EC0B54="]' http://10.10.10.10/flags | json_pp[ { "msg" : "[PNFP4DKBOV6BTYL9YFGBQ9006582ADC=] Denied: no such flag", "status" : false, "flag" : "PNFP4DKBOV6BTYL9YFGBQ9006582ADC=" }, { "msg" : "[STH5LK9R9OMGXOV4E06YZD71F746F53=] Denied: flag is your own", "flag" : "STH5LK9R9OMGXOV4E06YZD71F746F53=", "status" : false }, { "status" : false, "flag" : "0I7DUCYPX8UB2HP6D6UGN86BA26F2FE=", "msg" : "[0I7DUCYPX8UB2HP6D6UGN86BA26F2FE=] Denied: you already submitted this flag" }, { "msg" : "[PTK3DAGZ6XU4LPETXJTN7CE30EC0B54=] Accepted. 1.73205080756888 flag points", "flag" : "PTK3DAGZ6XU4LPETXJTN7CE30EC0B54=", "status" : true }]
If the flag was put into the image in the last 15 minutes, you’ll earn FlagPoints (FP). The amount of FlagPoints depends on the victim team’s position on the scoreboard relative to you in the previous round. It is more FP-efficient to hack the teams that are higher than you.
If your flags were stolen, your FlagPoints will decrease, but never gonna fall below 1.
During the game
Teams are allowed to
- Do whatever they want within their network segment. Most likely the team would patch vulnerabilities in their services or block exploitation of vulnerabilities;
- Attack other teams. Didn't expect that, huh?
Teams are prohibited to
- Filter out other teams' traffic
- Generate a large amount of traffic that poses a threat to network stability of organizers' facilities
- Generate a large amount of traffic that poses a threat to network stability of any other team
- Attack teams outside the game network
- Attack the game infrastructure facilities operated by organizers
Also there's a certain class of problems that the teams cannot reasonably fix on their own, so we kindly ask the participants to refrain from:
- Obscuring the flags by flooding the services (be it their own or other teams') with the large amounts of data
- Application level DoS attacks on other teams
- Other uncompetitive actions that could ruin the fun of the game
Scoreboard
During the game, the scoreboard will be available at the main screen and at http://10.10.10.10.
Teams are ranked by total score.
Apart from FlagPoints, SLA and total score, scoreboard shows statuses of each service. Statuses are as following:
- OK — means that service is online, serves the requests, stores and returns flags and behaves as expected.
- MUMBLE — means that service is online, but behaves not as expected, e.g. if HTTP server listens the port, but doesn't respond on request, or some of its functionality has been broken.
- CORRUPT — means that service is online, but past flags cannot be retrieved.
- DOWN — means that service is offline.
Scoring system will be announced later.