Buena Vista University's 9th AnnualCapture the Flag Contest
The contest is over. Thanks for your participation!
Overview
The Buena Vista University Computer Science department is hosting its 9th annual attack-and-defend Capture The Flag computer security contest. The CTF contest is designed for computer science students enrolled in primarily undergraduate institutions that are hoping to broaden their exposure to the field of computer security. The event is designed to be a learning experience providing students opportunities to discover software vulnerabilities and research ways to exploit and patch them.Premise
Each team will be assigned a server to protect. These servers will contain a number of unique software services designed specifically for the contest. These services are meant to be kept running and fully functional throughout the span of the contest. However, each of these services will contain potentially multiple vulnerabilities. The exploitation of these vulnerabilities can lead malicious hackers to steal sensitive data (flags) from within the server. Teams will have complete access to the source code of these services and may modify the services at will to fix (patch) these vulnerabilities. At the start of the contest, all teams will have on their server the same exact set of services, the same exact source code for those services, and therefore the same set of vulnerabilities initially present in those services. Over the course of the contest, teams will have the following objectives:- Maintain service uptime to accommodate legitimate users of the services
- Identify vulnerabilities found within the services
- Patch vulnerable services to prevent flag theft
- Exploit service vulnerabilities on opponent servers to steal their flags
Scoring
With your team, you are to hack and defend your way to the top of the scoreboard. Points are awarded by:- Keeping services online and functional
- Submitting stolen flags to the flag authentication server
- Keeping flags secure & out of the hands of other teams
Capturing flags
Each server will store flags in known locations (/etc/flags/Service_A, /etc/flags/Service_B, ...) with one flag associated with each service. The services run with the only credentials that have read-access to their respective flags. Therefore, if a team exploits another team's service then they have created an opportunity to read the corresponding flag on that server. The flag file will contain the flag (a random hexadecimal value) which must be submitted to a flag authentication server in order to capture the flag. A team may capture the same flag only once however other teams may also capture that same flag. Also, teams will not be rewarded for capturing their own flags.Rounds
The contest will take place over a span of 8 thirty-minute rounds lasting a total of 4 hours. At the beginning of each round, all services will be issued new flags so that all flag files will be updated. This will provide all teams with an additional opportunity to exploit services and capture those newly distributed flags with each round. The continued threat of exploitation should also reinforce the urgency for teams to thoroughly patch their services in order to prevent flag theft in subsequent rounds.Team Composition
Participants may register in teams of 4-to-6 students. However, only students who have not yet began their second year of computer science study may be eligible to be a team's fifth or sixth members. This contest is meant to stimulate learning and camaraderie across the major which is why we highly encourage the inclusion of computer science undergraduate students of all levels.Schedule
The contest will be held completely remotely for all parties on Saturday, April 10th. All teams will be briefed via video web conference (over Zoom) on additional details of the contest. Due to the difficulties COVID-19 has placed on the semester, this will be quite a bit different than prior contests. As noted, this contest will be held on a much smaller scale (in participant count and duration). The contest will run for only 4 hours this year with no 1-hour break that we would usually see in the middle of the event.
| Central Standard Time | |
|---|---|
| Briefing | 11:40am |
| Contest begins | 12:00pm |
| Contest ends | 4:00pm |
Sponsors
Supported by a grant from theBVU School of Science Stine Endowment
Preparation
Students planning on competing in the contest should familiarize themselves with the following technologies that may be used in the contest:- SSH: Teams will connect to and administrate their servers using ssh. Mac and Linux users can run their ssh client directly from the terminal. Windows users can download and use Putty (a great windows-based ssh client) or Cygwin which contains an ssh client.
- Linux: The servers that teams will be expected to attack and defend will be running Ubuntu Server 20.04 LTS. Teams should try to achieve basic familiarity of the following principles in order to participate effectively:
- Basic directory navigation
- A command-line-interface text editor (vim, emacs, nano, etc.)
- Shell scripting (also useful to automate attacks!)
- Web application development
- HTML
- JavaScript
- Node.js
- The LAMP stack including
- Apache
- MySQL
- PHP
- Java: Utilizing the javac compiler from OpenJDK 11
- Python: Version 3.6
- C/C++: Utilizing the gcc & g++ compilers (7.3) in Linux.
- Intel x86 architecture: Knowledge of general registers, the stack frame, and a debugger (such as gdb) would be useful.
- Directory traversal vulnerabilities
- SQL injection
- File inclusion vulnerabilities
- Improper web server configuration
- Buffer overflows & over-reads
- Format string exploitation
- Cross-Site Scripting
- Race-condition exploit