things for 44CON, security tester, breaker of things, played and run a few CTFs way back. TTYsig, sometimes known as ‘Dean’, also a security tester and breaker of things, played and has run some before. Wednesday, 21 November 12
that tested skills of the contestants to: find vulnerabilities in applications and systems; defend a system from attack (the other teams); identify other interesting things in the CTF environment. We also wanted to see if the player could communicate what they found.
services running on it. Identify what was running on the system. Identify any vulnerabilities in those services. Try and fix/mitigate these vulnerabilities. Use this knowledge to attack the other teams.
Service and SMTP/POP3). One in C (Custom Service). Web App in PHP. Each had a couple of vulnerabilities. Each required different levels of expertise to exploit.
different Operating Systems and Software installed. Each had a known compromise path. A couple of the systems were ones we used for the 2011 CTF that no one managed to compromise.
Netwitness (a 2011 Sponsor) Full Packet Capture system watching the network. In 2012 we went Open Source: Security Onion based setup using SNORT + SNORBY + Full Packet Capture (DaemonLogger) + SGUIL to watch and alert on traffic. Proper enterprise switching that allowed us to monitor the CTF VLANs instead of the homegrown TAPs we’d used previously.
distribution of the network. Wired network to the CTF network and an isolated Wireless Network via our Wireless LAN controller. ESX server running the 5 standalone systems on the CTF network, a standalone system running the scoring server and a standalone system with lots of disk for the monitoring. Firewall to prevent the players attacking ‘out of scope’ systems.
Defensive points: If a player was able to defend their system from attack and prevent the other teams stealing their flags, they got defensive points. Offensive points: Attack the vulnerabilities on the other players’ systems and gain offensive points.
within the services; these were marked out of 10 by the Judges. Reporting style as well as content was important. We used the same system for reporting standalone system compromise. Good Behavior: Everyone was given 100 points; if they breached the rules we deducted points.
our two 2011 systems didn’t get popped, they will be back. Someone with Nessus managed to get close, but they didn’t follow through on their scan.... The VM got a good bashing, although not all the vulnerabilities were identified.
Final Scores and Advisories posted here: http://44con-networking.net/mwrlabs-ctf-2012/results/ and http://44con-networking.net/mwrlabs-ctf-2012/results/adv/adv.html. Each Vulnerability in the services has a write up here: http://44con-networking.net/mwrlabs-ctf-2012/mwrlabs-ctf-2012-vulnerable-services-vulnerabilities