CONFidence and OWASP CtF
For the 2009 edition of CONFidence and OWASP Europe, Bonsai helped with the development and organization of the Capture the Flag event. This post is a general description of the capture the flag, and a “statistical analysis” of the results.
The CtF levels were divided into three different categories: Web, Networking and Forensics. Each category had 5 levels with increasing difficulty that awarded the player with 300 to 750 points. One of the features of this CtF was that players were able to play any level at any time, if players got stuck with the second level of the Web challenge but had a good idea about how to solve the fifth level of the same category, they were able to do it.
In order to be awarded with the points, players had to solve each level to get the magic_token: a twelve character long password that proves they solved the level. Magic tokens had then to be entered in the CtF scoring system together with the player’s username and password created at sign up.
The access to the CtF was open during the whole conference time, giving the players the opportunity to play at any time and place (WiFi access was provided also). In most cases CtF players created teams and solved the different levels together to have more chances to win the prices. In most cases you would think that creating a big team increases your chances of winning, which was true for OWASP conference where first and second place were awarded to teams of more than five players; but in CONFidence a team of two managed to win the CtF!
To be able to run the CtF game, Andrzej Targosz provided us with two different servers:
- CtF scoring system: A simple Pentium IV box with 512MB of RAM, where we installed a stable Debian.
- CtF vmware server: A much more robust server, with 3GB of RAM and two dual 2.4Ghz core processors, where we installed a stable Debian with VMware server to be able to run all the different levels that gave the user some kind of interaction with the operating system.
The VMware server was needed in order to host the different levels. In some levels the players had to get remote command execution and we wanted to be totally sure that there was no way to read the source code of other levels or gain any other advantage by getting root in the servers.
At the end we had a total of seven virtual machines running smoothly in the VMware server. The levels that required a virtual machine were Web 2, 3, 4, 5 and Networking (1,2,3), 4 and 5.
For each conference we had three winners. The material prices aren’t important, what these guys care about are the bragging rights, so here are the names of the winning teams at the OWASP conference:
- defrag_brains (6150)
- tripkaci (4900)
- FluxReiners (4200)
And the winners from CONFidence conference:
- the0wners (6000)
- yellowfrogs (5700)
- korzen (5284)
The following statistics were created from the joint results of both CtF games:Easiest levels
Stay tuned, more information about the different levels, including the source code is going to be posted here!
The whole experience of organizing the CtF was excellent. I learned a lot of nice technical tricks from the players, who interacted with me at all times ( I think they were trying to social engineer me to give them tips) and I made a couple of new friends.
I would like to thank Jaroslaw Sajko, the co-organizer of the CtF for all his hard work on the servers.