SibSUTIS CTF 2015: How we conducted our student competitions

Good day!

52 participants, 11 teams, 8 hours - these are the main numbers of the SibSUTIS CTF 2015 information security competition, which was held for the first time on February 21 at the Siberian State University of Telecommunications and Informatics (Novosibirsk).

On behalf of the organizers, I would like to tell you how the preparations for this competition went.

A bit about CTF

CTF (Capture the Flag) is a team competition in information security.

There are several formats; the main ones are:
  • Tasks - the teams are given a list of tasks from various categories, and each task is worth a certain number of points, awarded for solving it. The team with the most points wins. If points are equal, the team that solved the tasks in less time is ranked higher;
  • Classic - teams are given access to identical virtual machines available on the local network. Usually this is some kind of Linux distribution on which various web services are running. Teams need to fix all the vulnerabilities they find and conduct attacks on the servers of competing teams. Points are awarded for attacks and defenses. The team that scores the most points for successful attacks and defenses wins.

In Russia, this movement is rapidly gaining momentum; among the major events, RuCTF and Positive Hack Days are worth noting.

About the organizers and format of the competition

The organizers were mainly second-year and third-year students of the Siberian State Technical University from the BiUT (Department of Security and Management in Telecommunications) and PMiK (Department of Applied Mathematics and Cybernetics) departments, 7 people in total.

We had sufficient experience in CTF competitions as participants (in the Siberian Federal District), but this was our first time as organizers. For the format of the competition we settled on Tasks, since it was somewhat easier for us to implement, and we did not know exactly how many participants there would be or what knowledge they would have.

Competition preparation

We had about 21 days for all the preparations. The first step was to draw up the rules of the competition, which determined the format of the event, the number of participants (from 3 to 7 people in a team), the rules for participants and the task categories.

We have compiled the following categories of tasks:
  • Reversing - analysis and reverse engineering of application software;
  • Web - black-box testing of web scripts for vulnerabilities;
  • Crypto - cryptographic tasks;
  • Forensic - tasks on investigating computer crimes;
  • Joy - general interesting tasks, tied mainly to logic.

There were 3 tasks in each category, which were rated from 100 to 300 points depending on the complexity of the task.

Next came the distribution of responsibilities: who would do what during preparation. In order of priority, we needed to:
  • Agree with the administration of the university on the place and time of the competition, as well as prizes for the winners;
  • Configure the server and deploy on it the answer-checking system and the team registration page;
  • Compose 15 tasks across all categories;
  • Design the competition logo, advertise on social networks, and put up flyers at the university;
  • Prepare the venue for the competition;
  • And a bunch of little things...

I was involved in setting up the server and compiling tasks, so I’ll talk a little about the subtleties. We had a “tube” server available; I won’t name the exact configuration, but it’s something like a 4-core Intel Xeon at 3.2 GHz with 16 GB of RAM. It runs Debian 7 and has a static IP address facing the external network.

Our tasks needed a web server, which we ran in a Docker container. Until then I had never worked with Docker, so bringing up the container with the server and forwarding its ports to the external network cost me a couple of happy sleepless nights before I finally figured out how it works.

As a result, the standard set was installed in the container: Ubuntu + Apache + MySQL + PHP.

Then, in a very short time, a simple registration page was made for participants, along with the “CTF Management System”, which had fairly modest functionality:
  • Adding tasks (title, description, number of points for the correct solution, the correct answer to the task);
  • Rating table;
  • The ability to publish news;
  • And a “spy” feature for watching which answers teams try to submit for a task.
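
A minimal sketch of such a checker (tasks with points and a correct answer, a log of every attempted answer, and a rating table using the time tie-break from the Tasks format), added here as an illustration in Python; it is not the organizers' PHP code. The class and field names, the sample flags, the server-side deadline and the reading of the tie-break as "earlier last correct submission" are assumptions.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Task:
    title: str
    points: int
    answer: str

@dataclass
class Scoreboard:
    tasks: dict                                     # task id -> Task
    deadline: int                                   # seconds from start (assumed unit)
    attempts: list = field(default_factory=list)    # log of every submission
    solved: dict = field(default_factory=dict)      # (team, task id) -> solve time

    def submit(self, team, task_id, answer, now):
        task = self.tasks.get(task_id)
        if task is None or now > self.deadline:
            verdict = "rejected"                    # unknown task or too late
        elif (team, task_id) in self.solved:
            verdict = "duplicate"                   # never score one task twice
        elif hmac.compare_digest(answer.strip().encode(), task.answer.encode()):
            self.solved[(team, task_id)] = now      # constant-time match succeeded
            verdict = "correct"
        else:
            verdict = "wrong"
        # Record the attempt whatever the outcome, so organizers can review it.
        self.attempts.append((now, team, task_id, answer, verdict))
        return verdict

    def ranking(self):
        totals = {}                                 # team -> (points, last solve time)
        for (team, task_id), when in self.solved.items():
            points, last = totals.get(team, (0, 0))
            totals[team] = (points + self.tasks[task_id].points, max(last, when))
        # Most points first; on equal points the earlier finisher ranks higher.
        return sorted(totals, key=lambda t: (-totals[t][0], totals[t][1]))

def demo():
    # Constructed sample tasks and submissions, not data from the event.
    board = Scoreboard({"web100": Task("Web 1", 100, "flag{a}"),
                        "crypto200": Task("Crypto 2", 200, "flag{b}")},
                       deadline=8 * 3600)
    board.submit("alpha", "web100", "flag{x}", 60)
    board.submit("alpha", "web100", "flag{a}", 120)
    board.submit("beta", "web100", "flag{a}", 90)
    return board

if __name__ == "__main__":
    print(demo().ranking())
```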

The rest of the time was devoted mainly to developing the tasks.

A week before the competition, the registration page was opened for participants, and in the first 4 days only 4 teams registered, about 15-20 people in total (we honestly did not expect more). But something terrible happened in the last 2 days: 7 more teams registered, and in total we had 52 participants.

The reading room of our university library was chosen as the venue and, to everyone's happiness, all the teams fit in this room.

On top of that, the day before the competition it turned out that the library had some problems with the Internet: only 1 Wi-Fi access point (ideally for 20 people) and 4 Internet outlets. But that is not all. For some reason unknown to us, our server was inaccessible from this ill-fated library.

The war with our Internet provider didn’t lead to anything: they insisted that the problem was with the server (if anything, the server was reachable absolutely everywhere else, and even Host-Tracker confirmed it), so we had to solve the problem bypassing the provider by proxying through our friend's Malaysian VPS.

One more Wi-Fi access point was also added to the library, along with 2 network switches.

Competition day

The competition was held on Saturday, February 21. The opening took place in the assembly hall, where the administration and the organizers said a few introductory words to the participants. Then all the participants went to the venue, and at 10:00 Novosibirsk time the competition opened.

Teams showed a fairly high level of knowledge: 6 teams solved more than half of the proposed tasks and crossed the 2000-point mark. All the teams were in favor of fair play: during the competition some vulnerabilities that gave an advantage were found in the checker, and the organizers were immediately informed about them. All vulnerabilities were fixed during the competition.

Also, to our happiness, there were no critical Internet problems. There was a slight hitch at the start of the competition: it went down for 1.5 minutes and then worked stably.


Toward the end of the day, a fierce struggle continued right up to the close of the competition. The second-place team solved a task that would have put them in first place, but they were 1 minute too late to send the answer: the system had already been shut down.

All participants were satisfied. After the competition, we talked with them and went over some of the tasks that had been difficult to solve.

UPD: Tasks and Answers Archive
