Rules and Regulations

Please read the following, and then go here to register your team. We're excited to have you!

General

Atmosphere

Rules

Structure:

After doing a test run of the event on Feb 2nd, we decided to change the structure slightly. Initially, all of the challenges were going to be given out at the same time. However, after the test event, we realized this was extremely overwhelming and needed to be changed. So, the competition will only have the wargame challenges for the first couple of hours. After lunch, the attack/defense challenges will also open up.

Teams will be divided up into rooms, with a varying number of teams per room. The home base room (107) will be where the rules are explained, where lunch is located and where the speakers will talk. Furthermore, the judges (participant helpers) will be walking from room to room to help with the challenges.

Leagues:

In order to set the bar for entry as low as possible, there will be two different leagues: Canaries and Swallows. Choose which league your team will enter depending on the team's skill level.

There are two main differences between the leagues. First, in the Canary league a team can get as much help as it would like (provided it is deemed to have given the challenge a reasonable try), while the Swallow league will deduct points for large hints (but not small hints). Second, the competition will be harder in the Swallow league.

Canary

Of the two leagues, Canary is considered to be the lower. Here is when you should be in Canary:

The creators of the competition would like to stress that this is a step in the path of learning! Even if you do not know anything about cyber security going into the contest, you will be the biggest winner of the day because of the amount of knowledge you gained from the contest. The goal of this contest is to teach students about the wonderful world of cyber security.

Swallow

This league covers everything above Canary.

Attack/Defense:

Each team will be assigned a server with multiple services deliberately designed to be insecure for the contest. The exploitation of these services can lead hackers to do malicious things on the server. The goal is to patch (fix) your own services while exploiting the other teams' applications. Teams will have complete access to the source code, as well as documentation on the service. Furthermore, startup, shutdown and reset scripts will be provided. At the start of the contest, every team will have the exact same services, with the same vulnerabilities present.

Scoring

There are three main ways of scoring:

All of the flags will be in the form flag{15_alphabetic_characters} for the attack/defense challenges. Also, all of the flags will be in the '/etc/Services/ServiceA' and '/etc/Services/ServiceB' directories, depending on the service. ServiceC has the flag in the database, not in a directory.

Rounds

The contest will have 4 one-hour rounds, with one flag associated with each service. At the beginning of each round, all services will be issued new flags. This will give teams the opportunity to exploit the service once again.

Check scripts will run in order to validate that the services are up and running correctly.

Jeopardy

In jeopardy there are several categories where you pick a question, then attempt to answer it. The same goes for jeopardy CTF, with the only difference being that the questions are challenges of some kind, where the answer is the flag. The current categories are Software (Web/Native), Log Analysis/Steganography, Cryptography, Social Engineering and Miscellaneous.

Scoring

With there being two types of challenges (attack/defense and wargame), an overall score needed to be assessed. This is done by taking the two placements, adding them together and dividing by two. The teams with the lowest scores are ranked the highest. However, the split for the overall score is weighted 60-40 in favor of the wargame challenges. So, pick your strategy wisely.

Tips

These challenges are not impossible; in general one should 1) understand the problem and what it is asking for, 2) gather the information about what technologies/strategies are being used, and 3) flip the evil bit; think like an attacker.

Besides the tips above, here are a few general best practices: