<!DOCTYPE html>
<html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>VolgaCTF 2024 Final – Regulations</title>
<link href="./css/bootstrap.min.css" rel="stylesheet">
<link href="./css/sticky-footer.css" rel="stylesheet">
</head>
<body>
<nav class="navbar navbar-dark bg-dark">
<a class="navbar-brand" href="./">
<img src="./img/volgactf-logo.svg" height="30" class="d-inline-block align-top" alt="VolgaCTF logo">
VolgaCTF 2024 Final
</a>
</nav>
<main role="main" class="container mb-5">
<h1 class="mt-5">VolgaCTF 2024 Final – Regulations</h1>
<ul class="lead">
<li><a href="#general-provisions">General provisions</a></li>
<li><a href="#common-terms-and-definitions">Common terms and definitions</a></li>
<li><a href="#teams-rights-and-responsibilities">Teams' rights and responsibilities</a></li>
<li><a href="#calculating-scores">Calculating scores</a></li>
</ul>
<h2 id="general-provisions" class="mt-4">General provisions</h2>
<p>
The final round is held onsite.
</p>
<p>
When the competition starts, all teams are provided with identical virtual machine images (called <strong>vulnboxes</strong>), each of which contains a set of vulnerable services. The contestants' goal is to detect vulnerabilities in these services, patch their vulnbox to defend their own services, and exploit those vulnerabilities to steal confidential information (flags) from rival teams' services. The game is managed by the automatic checking system (<strong>ACS</strong> for short), which places new flags into services on a regular basis. ACS also accepts flags captured by teams, checks the availability of all services and recalculates teams' scores. The team with the maximum score becomes the winner.
</p>
<h2 id="common-terms-and-definitions" class="mt-4">Common terms and definitions</h2>
<p>
A <strong>team</strong> is a group of 5 persons who are <strong>physically present</strong> at the venue. Other people are not treated as members of a team and thus are not allowed to take part in the game on behalf of that team.
</p>
<p>
A team's ultimate <strong>aim</strong> is to detect vulnerabilities in the services, patch the services in their vulnbox and obtain flags by exploiting those vulnerabilities in other teams' services.
</p>
<p>
A <strong>service</strong> is a program or a set of programs which implements some functions and interacts with ACS by means of some protocol.
</p>
<p>
A service <strong>state</strong> is considered <strong>UP</strong> when a service fully implements its basic functions and correctly interacts with ACS.
</p>
<p>
A service state is considered <strong>DOWN</strong> when a service is not reachable within the game network.
</p>
<p>
A service state is considered <strong>MUMBLE</strong> when a service does not fully implement its functions and/or does not comply with the communication protocol (ACS ⟷ service).
</p>
<p>
A service state is considered <strong>CORRUPT</strong> when a service returns unexpected data (e.g. a wrong flag) <strong>although</strong> fully implementing its functions and being in compliance with the communication protocol (ACS ⟷ service).
</p>
<p>
The performance of each service is evaluated by three parameters: defence, availability and attack.
</p>
<p>
A <strong>vulnerability</strong> in a service is a design flaw which enables inadvertent and/or potentially malicious behaviour in a service.
</p>
<p>
A <strong>flag</strong> is a string which stands for some valuable and confidential information and thus is in need of protection.
</p>
<p>
ACS is a set of programs which manages the game. ACS has the following functions:
</p>
<ul>
<li>creating and signing flags;</li>
<li>placing flags into teams' services by means of some protocol;</li>
<li>checking placed flags by means of some protocol;</li>
<li>checking whether each service of each team implements an
original set of functions;</li>
<li>accepting captured flags.</li>
</ul>
<h2 id="teams-rights-and-responsibilities" class="mt-4">Teams' rights and responsibilities</h2>
<ol>
<li>
Teams are <strong>obliged</strong>:
<ul>
<li>to use their own computer as a virtual machine instance host;</li>
<li>to install a virtualization tool and to configure virtual machine instance parameters, such as the instance location on a hard disk, the amount of RAM, the MAC address of a network card, etc.;</li>
<li>to launch a vulnbox instance and configure its operating system &amp; network, including resetting the instance user account password, setting a static IP address, etc.;</li>
<li>to investigate services and to perform other actions exclusively from their network segment.</li>
</ul>
</li>
<li>
Teams are <strong>prohibited</strong>:
<ul>
<li>to perform attacks against competition infrastructure;</li>
<li>to filter network traffic with an intention to block other teams' actions against them (e.g. by IP addresses);</li>
<li>to generate an inexplicably immense amount of traffic (flood, DoS, DDoS);</li>
<li>to perform destructive attacks against vulnboxes &amp; infrastructure units belonging to other teams;</li>
<li>to perform all aforementioned actions on behalf of other teams;</li>
<li>to ask individuals not belonging to their team for help (e.g. by means of VPN and/or by other means of communication).</li>
</ul>
</li>
<li>
Teams <strong>may</strong>:
<ul>
<li>change the network topology of their network segment;</li>
<li>change their deployment scheme (e.g. to host services on several computers to withstand load)</li>
</ul>
<strong>at their own risk</strong>
</li>
</ol>
<h2 id="calculating-scores" class="mt-4">Calculating scores</h2>
<p>Teams get scores for:</p>
<ol>
<li>maintaining their services so that they are in the <strong>UP</strong> state;</li>
<li>patching their services so that other teams are not able to obtain
flags from them;</li>
<li>carrying out successful attacks against other teams' services and
submitting stolen flags to ACS.</li>
</ol>
</main>
<footer class="footer">
<div class="container">
<span class="text-muted">© 2011 – 2024 <a href="https://volgactf.ru/en/" target="_blank" rel="noopener">VolgaCTF</a></span>
</div>
</footer>
</body></html>