Pages

Thursday, May 27, 2010

RusCrypto CTF 2010 Full Disclosure

RusCrypto CTF is an open competition in information security held on Capture The Flag principle. At the beginning of the game teams have identical servers with installed vulnerable services.

Besides vulnerabilities in specially designed services, there are vulnerabilities common for real information systems: weak passwords, known vulnerabilities in OS/services, errors in configuration, real vulnerabilities in web applications (such as popular CMS).

During the competition, changes in the system can be made that can lead to additional vulnerabilities to competitors’ services. Competitors’ goal is to detect the vulnerabilities, eliminate them in their servers and do not break the server operation. Competitors also should use similar vulnerabilities on competitors’ servers to capture flags.

Teams earn points by:

  • Make your own services to be available all time;
  • Send messages about vulnerabilities and elimination methods (advisories) – the jury estimates notification completeness and proof of concept code (POC);
  • Send flags captured in competitors’ services;
  • Eliminate vulnerabilities on the servers without any damage to service performance;
  • Additional tasks;

And by special jury solution.

The jury continuously watches the competition, and from time to time add new flags and vulnerabilities to competitors’ servers, and also watch previously added flags and vulnerable services execution. Moreover, the system takes captured flags and recommendations how to eliminate detected vulnerabilities and ways how to use them (advisories).

There are several servers for every team infrastructure that have a number of predefined vulnerabilities.


Network architecture

RusCrypto CTF 2010 legend

America, 3rd decade of 21st century. The country is divided into corporations and franchisees spheres of influence. You are a young specialist from Russia who works as a trainee in franchisee "Pizza Cosa Nostra" 3569. Your task is to guarantee systematic pizza delivery under trying conditions of permanent attacks from competitors. Network infrastructure and security does not strike you. But uncle Enzo says: "Orders should come; pizza should be baked and delivered, at any price. And if something happens with competitors... Well, sometime best defense is offense."

RusCrypto CTF 2010 winners

CTF competition results are as follows:

1st place with 486 points was awarded to CIT from ITMO University, St. Peterburg.
CIT was also awarded as "Best Pentesters".

2nd place with 376 points was awarded to HackerDom from Ural State University, Ekaterinburg.
HackerDom was also awarded as "World Wide Web Protectors".

3rd place with 336 points was awarded to Bushwhackers from Lomonosov Moscow State University.
Bushwhackers was also awarded as "World Wide Web Protectors".

4th place with 323 points was awarded to SiBears from Tomsk State University.
SiBears was also awarded as "Best Pentesters", "World Wide Web Protectors" and as "Best Bureaucracies" by jury special opinion.

5th place with 37 points was awarded to [Censored] from RGU University, Kaliningrad.
[Censored] receives the special prize form the sponsor 1C-Bitrix as the team manages to do the appropriate task.

6th place with 33 points was awarded to Huge Ego Team from MIFI University, Moscow.



You can find details here: http://www.ptsecurity.ru/download/PT-Ruscrypto-CTF2010-EN.pdf

1 comment: