A New CTF?
I’ve been playing in CTFs for about a year now. I don’t think I’m that great at them, but I have a lot of fun and always feel like I’ve learned something. A few months ago I had an idea for a type of CTF that I haven’t really seen before, and I’d love to work with someone to make it happen.
Typically, CTFs are divided into “Attack & Defend” and “Jeopardy” styles. Attack & Defend is exactly what it sounds like: you score points for successfully attacking the opposition’s networks while simultaneously defending your own. Jeopardy provides several categories of challenges, with multiple challenges per category, usually of varying point values. Each challenge is typically stand-alone, or occasionally built upon another challenge in the same category.
At events like DEF CON, there are a ton of villages and each focuses on its own little thing: lockpicking, car hacking, social engineering, crypto and privacy, tamper-evident, hardware hacking, and several more that I am not very familiar with. Several of these villages run challenges and contests around their own subject matter. If someone were to go from village to village and participate in every challenge and contest (which you really can’t, there’s too much to do!), they’d get a very well-rounded experience across challenge types.
What I’m proposing is a new type of CTF that loosely mimics the entire range of what you might encounter while attempting to break into a company. The organizers of the event would set up a mini “office” in the contest area or a room somewhere at the venue. The organizers are running a fake company that contestants are expected to compromise. The contest starts when you receive a business card from an “employee” of the company.
This event would be a narrative-driven “hack that company” type challenge. No one is expected to get all the flags, but contestants will be given a rough list of challenges ahead of time so they can choose the path they want to take. Contestants can compete alone or with a partner, but no teams larger than 2. A limited number of contestants would be necessary for the first few runs in order to work out any unexpected problems that come from unleashing a bunch of hackers on a (fake) network. The event is largely “BYOE” (bring your own equipment). A list of recommended equipment will be provided in advance of the competition.
Types of Challenges
Physical Security — Contestants can score points for successfully picking a few different types of locks, but each lock comes with a time limit set by the game context. Contestants are also given access to a Proxmark with which they can clone a badge to get access to the office and score points that way.
OSINT — The company has a website and employees. The website contains information about services provided, information about management, and a calendar of public events. The employees have social media profiles (LinkedIn, Facebook, Twitter, Yelp, etc.) that each leak some bits of information that can be used for other challenges. Points aren’t explicitly scored from OSINT, but it makes scoring points much easier in other categories.
Social Engineering — Contestants can score points from social engineering in a variety of ways: a successful phishing attempt, convincing the receptionist to plug in a flash drive, extracting certain information from phone support. Whether a social engineering attempt succeeds will be decided by a yet-to-be-decided formula that combines the amount of pretext provided with a d20 roll, since the “company” knows it’s in the event and we need some way to determine success.
Wireless — Wireless flags can be earned by cracking our guest WEP network, capturing and cracking our employee WPA2 handshake, and capturing certain packets from the network. This will require actually capturing packets from the live network, not just inspecting pcap files after the fact.
Internet of Shit — More and more companies are putting “smart” things all over their office in order to make the work experience more pleasant. I’d really love to have flags you could get via things like finding and watching a security camera in the “office”, getting access to a smart lock or thermostat or something, or finding a saved job on a printer spool somewhere and re-printing it.
Web — The company has a website where you can create an account and interact with it in certain ways. Find some reflected XSS, SQLi, and other web-type flags for points. Maybe the company forgot to chmod -R their /.git folder, so you get a 403 on /.git but not on /.git/HEAD. I bet that repo has some juicy info.
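As an added example (not part of the original post), here is a defender-side check for exactly the web misconfiguration described above: a server that answers 403 for the /.git directory URL but still serves the individual files under it. The `fake_fetch` callable and its responses are constructed stand-ins for an HTTP client and a misconfigured server, so the check runs offline; swap in a real client to audit your own deployment.

```python
# Added example: detect a server that denies /.git/ as a directory but still
# serves the files inside it. `fake_fetch` and CONSTRUCTED_SITE are invented
# for this example so it runs offline; point `audit_git_exposure` at a real
# HTTP GET wrapper to check a deployment you own.
from typing import Callable, Dict, List, Tuple

# Paths whose disclosure lets a visitor reconstruct the repository contents.
GIT_PROBE_PATHS = ["/.git/", "/.git/HEAD", "/.git/config", "/.git/index"]

# Constructed sample: directory URL denied, individual files still served.
CONSTRUCTED_SITE: Dict[str, Tuple[int, bytes]] = {
    "/.git/": (403, b"<html>403 Forbidden</html>"),
    "/.git/HEAD": (200, b"ref: refs/heads/master\n"),
    "/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n"),
    "/.git/index": (200, b"DIRC\x00\x00\x00\x02"),
}


def fake_fetch(path: str) -> Tuple[int, bytes]:
    """Stand-in for an HTTP GET; unknown paths behave like a 404."""
    return CONSTRUCTED_SITE.get(path, (404, b""))


def looks_like_git_file(path: str, body: bytes) -> bool:
    """Content checks so a catch-all 200 page is not mistaken for a leak."""
    if path.endswith("/.git/"):
        return b"HEAD" in body                      # a directory listing
    if path.endswith("/HEAD"):
        return body.startswith(b"ref: ") or len(body.strip()) == 40  # symbolic or detached
    if path.endswith("/config"):
        return b"[core]" in body
    if path.endswith("/index"):
        return body.startswith(b"DIRC")
    return False


def audit_git_exposure(fetch: Callable[[str], Tuple[int, bytes]]) -> List[str]:
    """Return the .git paths the server actually serves with plausible content.

    A 403 on the bare directory is not a fix: if each file is still served by
    name, a client can pull HEAD, config, index and the objects they point at.
    """
    leaked = []
    for path in GIT_PROBE_PATHS:
        status, body = fetch(path)
        if status == 200 and looks_like_git_file(path, body):
            leaked.append(path)
    return leaked


if __name__ == "__main__":
    leaks = audit_git_exposure(fake_fetch)
    print("exposed:", leaks if leaks else "none")
```

The fix is a server-side rule that refuses everything under the repository path (for nginx, a `location ~ /\.git { deny all; }` block), not a permission change on the directory entry alone.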
Mobile — What company doesn’t have a mobile app these days? I mean people are glued to their phones, so if you want to be successful, you better be on their phones. Unfortunately the app developers weren’t very good and left login information available in the app for any reverser to grab.
Lateral Move — So you owned a box with MS08-067 or MS17-010. Congratulations, but can you turn that into expanded access in the network? Flag(s) are awarded for pivoting through the network to get to certain “high value” systems.
The D(o|a)rk Web — Rumor has it there’s a hacker out there who has already compromised your target. Find him and get the information he has for another flag!
(Surprise) Reporting time! — There are a few differences between legally breaking into a company and illegally breaking into a company. One of those differences is whether or not you write a report. (The other is permission, but we’ll just pretend you already got that). Contestants can choose to submit a report for points during the last couple hours of the competition.
I don’t know this yet, but participants would all be given some participation reward (a badge or something probably), with the top three contestants getting Gold/Silver/Bronze level prizes.
I don’t know this either. I want to shop the idea around to a few conferences and see what happens. If it’s something you’re interested in, feel free to reach out with ideas :)