Demolition Derby CTF
Welcome to our own take on Capture the Flag. In the Demolition Derby CTF, nearly everything goes. The competition network will also be crowdsourced, so we can't tell you beforehand exactly what to expect. In short, this competition will be complete CHAOS.
The crowdsourced nature of this event is where the chaos comes in. Rather than meticulously plan, design, and create the competition network ourselves, we're inviting everyone and their grandmother to bring a network device to contribute to the network. We recommend you bring your most obscure and interesting device so that the competition network is as diverse and eclectic as possible.
Each device contributed will have one or more flag files residing within it. Your goal? Collect as many flag files as possible to earn points. More details on flag files can be found below.
If you would like to contribute a device to the competition network, please email this form to us at email@example.com with details of what you would like to contribute, how it will be configured, and any key behaviors that it will be introducing to the competition network. We'll then coordinate with you regarding flag file placement on the device and other logistics. Please keep in mind however that due to the hostile nature of the network and the combative nature of the competitors, you will likely receive your device back in a different state than you brought it in. We expect many devices to get rm'd, wiped, or otherwise boot-disabled during the course of the competition. Do not contribute anything that you cannot restore after the competition, as we truly will have a "scorched earth" policy.
Unlike many other CTF competitions you may find, we have unexpectedly few rules. As such, nearly anything goes short of completely DoSsing the entire competition network.
Rules for device contributors:
- You must bring everything needed to connect your device to power and to the network. This means bring a power cable, a network cable, and/or ensure that your device's wireless card works. If your device has non-standard console, bring that as well so that we can configure the device.
- Your device must allow write access to at least part of its filesystem so that we may place the flag file(s) onto the device.
- You must provide us with credentials for the device upon submitting it so that we may place the flag file(s) onto the device.
- Your device cannot completely disable the competition network.
Rules for competitors:
- You may not completely disable the competition network.
All flags are not created equal, and not all network devices will house only a single flag... Scour the system thoroughly before you do anything too rash.
Flag files may contain data of varying formats, however each one will be conformant enough to be easily identifiable by either human or automata. In general, they will be a text file identifying the device that they originally came from, the owner or contributor of that device, their point value for competition ranking, and other meta-data. Flag files may or may not also contain other data, such as a Bitcoin private key (see prizes below), music data, video data, or other such fun and entertaining Easter-eggs. Flag files will also be cryptographically signed in their entirety in order to prove authenticity when redeemed for points.
Hold onto these flag files after redeeming them for points, as they may be useful and/or valuable well after the competition has ended...
Prizes for this competition will be based on points collected from captured flag files. Top-ranking competitors will all receive a complimentary pass to next year's conference, as well as their choice of one of the following prizes:
- A Demyo Power Strip, courtesy of Demyo
- A $100 Amazon gift card, courtesy of Splunk
Ideas and Suggestions
For Device Contributors
Keep in mind that nearly anything goes, short of violating the rules. So, you can't completely DoS the network... a few malformed Ethernet frames every few minutes couldn't hurt though, right? Who says a single segment can't have DHCP servers fighting over freshly-connecting competitors looking for access? And certainly no one said launching attacks or countermeasures back at a connecting host was out of the question... I mean, when you think about it, competitors connecting to the network become target devices themselves, right? It's their own damn fault for wandering into the kitchen, they can take a little heat...
Also consider that upon device submission to the contest, we will be placing one or more flag files onto the device. If you were to help us out and pre-configure some interesting or obscure places for us to place said files, we likely will make use of such when placing the flag files.
Why go after lame little devices with a measly one or two flag files on them when everyone knows that the real booty is sitting there all nicely collected on another competitor's system? I mean, they connected their system to the competition network, which makes it fair game as a target right? No one could argue with THAT logic... On the flipside though, that means that other competitors will likely be coming after you too, so you better be on top of your defense game. Also, given the scorched earth policy, you probably don't want to compete using a system that has any sort of valuable data on it or lasting value to you. This ain't no place for the employer's laptop that you use to work from home...