HomeHack3rCon CTF — SecureWV 11

Hack3rCon CTF:

This Capture the Flag competition is being hosted during the SecureWV virtual conference, and because of that only CTF players who are registered for the conference are eligible for prizes. 

Also, in the spirit of “capture the flag” and security education, there is no monetary cost to playing this CTF, however, to foster growth and development of SecureWV, you will need to register for the conference.

For any questions or other clarification on these rules, please feel free to reach out in the CTF channel on the discord server.

CTF Rules:

We don’t want to have to enforce restrictions on you, but there are a few things we would like to politely ask you not to do:

  1. Please do not attack the competition infrastructure or other players. The CTF Scope will only be VMs in the 10.144.1.0/24 range.  Do not try to hack any other subnet range.
  2. Please do not try to hack the scoreboard.  It is not in the 10.144.1.0/24, and is out of scope for this CTF.
  3. Please do not share flags with other players, except for your team, or explicitly and deliberately cheat.
  4. Please do not blatantly ask for hints. The proper way to ask for help is to explain what you have tried and showcase(in a direct message) what errors or output you may have.
  5. Please do not change user passwords on the VMs.  We want as many folks to get flags as possible.  This will mean you should leave the VMs as clean as possible.  Let’s make this as big a learning event as you can.
  6. Please do not update the servers.  Yes, they are out of date and there are packages that need to be updated, but that is why they are in the CTF.

CTF Scope:

You can only test VMs within the 10.144.1.0/24 subnet range.  The scoreboard will have the IP addresses of the VMs except for the Spinal Tap AD server, which you will need to find via the other windows PCs on that network.

Flag Format:

Flags for this competition will follow the format: flag{}, with a hash between the curly brackets.  You will submit the hash (minus the flag{} part).

There will be a few multi-choice Trivia questions which are open that will need some OSINT skills to find the answers.

CTF Scoreboard:

We are using the excellent Root The Box scoreboard from moloch and it is set to use money instead of points (CTF money, not real money).  You will be able to ban users for a limited time by “bribing” the authorities.  You will also be able to set up bots on certain servers (Linux only), which will allow you to gain points/money by having your bot collect info from the VMs.  Look for those in the Black Market section of your login page.

CTF Scoreboard Levels:

Players will work through four game levels:

  1. Beginner
  2. Script Kiddie
  3. Hack3r
  4. 1337

Each level has 3 servers in them except Script Kiddie which only has 2.  Players will be able to see the next level after getting 50% of the flags of the current level, except for 1337, which will open when 35% of the Hack3r level is completed.

With each level, the difficulty gets harder for the VMs (1337 is the hardest, of course).  Flags can be anywhere on the VM.

Teams:

You can play individually or as a team, but teams are only allowed 4 people on them.  If joining a team, the first person who registers the team will need to send the team code to the rest of the team so they can use it when they register.

CTF Schedule:

Registrations will open up on Monday, Nov. 2nd at 9am EST and will run until the start of the CTF.  Folks can still join after the CTF starts, but it is encouraged to register early.  If you have issues with registration, please contact the admins on the CTF channel on the discord server.  The instructions for the registration (URL and such) will be in the CTF Channel description.

The CTF will start at 1pm on Friday, Nov. 6th, and end on Saturday, Nov. 7th at 3pm.  The CTF will stay up during the “off hours” (9pm Nov. 6th until 8am Nov. 7th).  You will have 26 hours to get as many flags as you can.

If we need to reboot or rebuild a server, we will try to announce it in the Discord CTF channel (please see Rule #5).

CTF Network:

You must use Zero Tier (https://www.zerotier.com/download/) to connect to the CTF Network.  Once you have zero tier installed, check the CTF Channel for the network ID to join.  You will need to be approved in order to join the network.  After you try joining, we will approve you and you should start to see the network.  If you don’t see the network by Thursday afternoon (EST time) then ping one of us in the CTF channel.  Be sure to put in your Zero Tier ID in your message to us.

After joining the network, also double check your Zero Tier IP and make sure it is not in the 10.144.1.0/24 subnet.  If it is, let us know.

Prizes:

You must be a SecureWV 11 ticket holder (Training Track, Conference, Speaker or Black badge) in order to win.

  • 1st Place: BHIS Cyber Range access (6 months) and a $200 Amazon gift card
  • 2nd Place: $125 Amazon gift card
  • 3rd Place: $75 Amazon gift card

304Geeks board members are ineligible to win prizes, but may play for fun.

Support/Issues:

For admin support in the case of any technical issues, please post in the Discord server under the ctf-channel.  We will watch that channel for questions and folks needing help.

If your question requires discussing a specific challenge, please direct message one of the Capture the Flag staff members (see the discord channel).

Socials:

You can follow our tweets for hints and suggestions at @Hack3rCon_CTF.

We have a playlist for songs that inspired the Spinal Tap “theme” this year (it goes to 11).  You can listen via Amazon at https://music.amazon.com/user-playlists/e989ab9ac4e1433fadc07d9f5d81ba38sune?marketplaceId=ATVPDKIKX0DER&musicTerritory=US

As always, bear with us as we run the CTF this year.  

— CTF Team

Copyright SecureWV. All rights reserved.