Capture the Flag (CTF) is a symmetric information warfare game. Each team is given a machine or a network of machines to defend, located on a network isolated from the Internet to prevent the game from causing any damage to production systems. Teams are scored on both their success in defending their assigned machine and on their success in attacking machines assigned to other teams. The goal is to give participants experience in securing a machine, as well as in conducting and reacting to real attacks using commonly available tools, in order to demonstrate the level of effectiveness of their chosen defensive strategies and tools.
For my classes, you need to produce a report as described on the CTF Report page. Even if you're just doing a Capture the Flag exercise for fun, I highly recommend completing a defensive preparation plan, offense plan, and incident response plan, before beginning. CTF is much more fun when you're ready for it.
Capture the Flag exercises may run from a few hours to a few days. They also may or may not provide for a preparatory period before the all-out competition begins. For my computer security class in Spring 2005, I ran an eight-hour exercise, with half the time allocated for preparation as shown in the table below.
| Phase | Time | Activity |
|---|---|---|
| Preparation | 12:00-4:00 | Install offensive and defensive software. Harden hosts. No offense. |
| Intermission | 4:00-5:00 | Dinner |
| Offensive | 5:00-9:00 | Time to hack! This is the scored phase of the exercise. |
Each team will be given a User Mode Linux virtual machine (VM) running Red Hat Linux 9, accessible via ssh from the external network. You will have 2GB of disk space on your VM. At the start of the game, each machine will display the flag of its team on the three selected network services. Other than the flags, hostname, and IP address, the machines are configured identically. Note that the Linux kernel is not configured to use loadable kernel modules.
Teams can request that a judge reboot their machine if they cannot access it to do so themselves. The judge may restore the machine to its initial pre-game state if there is no other means to restore access for the team.
Each team's machine will have its flags checked by the score server once every ten minutes. Current scores will be available on the web server. The score page only provides current scores and does not indicate which team controls which services on which VMs, so it will be useful for your team to have a way of checking your own flags to ensure that no other team has taken them over.
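As an added example (not part of the original exercise materials or the score server), here is a small self-check a team can run against its own VM between score-server polls. It assumes each flag service returns the flag as text over a plain TCP connection; the TEAM_FLAG value, the service list, and the fake-service helper used for local testing are constructed placeholders.

```python
import socket
import socketserver
import threading

# Assumption: your team's flag string; the real value comes from the judges.
TEAM_FLAG = "TEAM_FLAG_PLACEHOLDER"

def classify_response(payload: bytes, expected: str) -> str:
    """Map one probe's response to a status: 'ok', 'hijacked' or 'down'."""
    if not payload:
        return "down"          # connected, but the service said nothing
    if expected in payload.decode("utf-8", errors="replace"):
        return "ok"
    return "hijacked"          # service answers, but not with our flag

def probe_service(host: str, port: int, expected: str,
                  request: bytes = b"", timeout: float = 3.0) -> str:
    """Connect, optionally send a request, read the reply and classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if request:
                sock.sendall(request)
            data = b""
            try:
                while len(data) < 4096:
                    chunk = sock.recv(4096)
                    if not chunk:
                        break  # server closed the connection
                    data += chunk
            except socket.timeout:
                pass  # keep whatever arrived before the deadline
    except OSError:
        return "down"          # refused, unreachable or timed out
    return classify_response(data, expected)

def check_all(services, expected: str = TEAM_FLAG) -> dict:
    """services: iterable of (name, host, port, request). Returns name -> status."""
    return {name: probe_service(host, port, expected, request)
            for name, host, port, request in services}

class _BannerHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(self.server.banner)

def start_fake_service(banner: bytes) -> socketserver.TCPServer:
    """Constructed stand-in for a flag service, for local testing only."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _BannerHandler)
    srv.banner = banner
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Run `check_all` from cron or a shell loop at a shorter interval than the score server's ten minutes, and treat any "hijacked" or "down" result as the trigger for your incident response plan.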
You are not permitted to filter access to your home machine's flags by IP address. The score server may not have a consistent IP address. It will also check your machine's firewall and host ACLs to ensure that no filtering is going on. You will receive a penalty if the score server detects any such filtering.
The score server will score you based on the flags listed in the flags section below.
Source code for the score server is available now.
While in 2004 there were three flags, there is only one flag in 2005, which performs the following actions:
You may patch services, harden configurations, and even change the implementation of the flag services in order to improve security, as long as the services still function correctly and return the flag to the scoring server.
Flag scoring is based on the state of each flag as follows:
The scoring server may stop the moment it encounters a down or malfunctioning service without probing your machine any further. The only way to score points is to configure your system so that the scoring server will be successful in all of its steps above.
Penalties of 10 or more points will be assessed for violating any of the following rules: