CTF 2011

Positive Hack Days


CTF Results

10 teams from Russia, the USA, India, France and Switzerland took part in the international PHD CTF hacking contest. Over 8 hours of non-stop competition, the participants demonstrated their skills in attacking and protecting servers.

The organizers managed to combine traditional CTF and HackQuest in the Positive Hack Day CTF. The game infrastructure contained both white-box services (full-privileged access to the system) and black-box services (no initial information on the system). The tasks covered all branches of information security: reverse engineering, web-application security, operating system security, application security, etc. For fans of traditional CTF contests, there also were some guesswork tasks.

In a nutshell, each team received a computer system, an infrastructure of virtual servers with a few vulnerabilities and a set of so-called flags (unique identifiers). Flags were represented by special code lines. The contestants' task was to protect their system from other competitors by eliminating vulnerabilities and attack the rival systems to capture the flags. To make the task even more complicated, the services would change their status causing new vulnerabilities and eliminating old ones.

To count as successful, an attack had to result in obtaining the hidden key. Once the captured rival flag was registered, the attack scored a point for the attacking team, while the attacked team was fined. No destructive actions were allowed against either the contestants or the contest system. Every step the teams took was registered by the system and displayed on the contest screen.

Unlike the majority of CTF contests, PHD CTF used vulnerabilities from real-life situations. For example, the organizers developed a prototype of a SCADA-class system to serve as a software solution for the contest; such systems are usually used to manage various industrial facilities.

There was another peculiarity that made the event different. The contest was built around a beautiful legend, with each task being part of the plot and introduced by a plot-relevant video. According to the legend, an international crew of astronauts had discovered an enigmatic parallelepiped monolith near Jupiter. The find was named PHD (Parallelepiped Habile Deflective). When they tried to examine the monolith, copies of it mysteriously appeared in all the leading countries. Two scientists, Prof. Anisimis and Dr. Pavlov, studied the phenomenon and concluded that PHD was a huge distributive transformer that accumulates the energy of space radiation and transmits it to its copies on Earth. When developed, the copies are able to provide humankind with energy for hundreds of years. Besides, the projections can exchange information over the Internet. Another extraordinary feature was the monoliths' ability to block international military potential. So every country is recruiting elite hackers to destroy the monoliths of hostile states using network attacks while protecting their own systems.

The most points were scored by Plaid Parliament of Pwning (PPP), a team from Carnegie Mellon University, Pittsburgh, PA, USA. The team won the main prize - $5,000. The second prize, $3,000, went to Leet More, a team from the National Research University of Information Technologies, Mechanics and Optics, Saint Petersburg, Russia. The third-best team was HackerDom from the Ural State University, Yekaterinburg, Russia.

According to Dmitry Evteev, who was watching over the CTF contest, the US team left the others no chance, owing to the following factors.

They were mostly focused on the CTF infrastructure, which is the best strategy to follow. Next year, the terms of PHD CTF 2012 will be slightly changed so there will be no one and only correct approach. The organizers will offer several score-equivalent strategies.

When testing for vulnerabilities, unlike their competitors, the PPP team automated an exploit to obtain as many flags from the rivals' infrastructures as possible at a time.

PPP built quite a good and timely protection for their services, which saved them from losing points when being attacked by the competitors.

The US students were very careful about the availability of their services, which saved them many penalty points.

The American team is an experienced contestant of CTF-like contests. "This is not the first time we are taking part in a CTF contest, but at the PHD CTF, not only did we have to attack the rivals' resources, but to protect ours as well. And this is quite a new experience for us. We would be pleased to take part in the next contest," says a member of the team.

"We were pretty surprised once we got into the actual location where the CTF was being held. Not only was the room originally a nightclub rather than a standard conference hall, but everything was set up in the room quite awesomely.

"The competition organization was excellent. Not only were there a ton of challenges (some of which we didn't even have time to look at), the organizers also had some awesomely made video clips throughout the competition to introduce new updates, which were handed to us in envelopes marked 'Top Secret'."

CTF Rules

At the beginning of the game the teams get identical servers with a preinstalled set of vulnerable services. The aim of the contestants is to detect vulnerabilities, fix them on their servers and exploit them to obtain sensitive information (capture the flags) of competitor teams.

The game process is continuously monitored by the jury's supervising system, which regularly changes the state of the game infrastructure, adds new flags and vulnerabilities to team servers, and checks the state of the previously added flags and the functioning of vulnerable services.

The PHD CTF contest organizers prepare in advance a limited number of vulnerable services, which perform specific functions and already contain some vulnerabilities. The contestants deal with systems of two types: open (contestants have operating-system-level access to the system) and closed (contestants have access only via the network, on a black-box principle). Within the specified network segment, any participant of Positive Hack Days CTF may try their hand at exploiting real vulnerabilities and contend for extra prizes (beyond the general CTF contest).

General Rules

Each team should consist of 5 members including a captain (the latter is compulsory).

Teams use their own computers (e.g., laptops).

Points are given for:

sending flags, captured from services of competitor teams;

sending flags, captured from services of the shared segment of network infrastructure (the black-box);

preventing access to a team's own flags by fixing vulnerabilities on provided servers and not affecting the functions performed by the vulnerable services.

Points are withdrawn for:

affecting availability of a team's own services;

affecting the functions performed by the vulnerable services.

General Permissions

During the game, teams are allowed to:

use not more than 15 computers and network devices not lower than the second level of the ISO OSI protocol stack;

make any changes to the provided servers unless explicitly prohibited by the jury;

conduct attacks against competitor teams' servers to capture flags;

conduct attacks against servers of the shared segment of the game infrastructure to capture flags.

General Prohibitions

During the game, teams are not allowed to:

conduct attacks against the computers of the jury;

filter traffic to any CTF resources (e.g., by IP-addresses);

generate unreasonably large amounts of traffic (Flood);

conduct destructive attacks against competitor teams' servers (e.g., rm -rf /);

deliberately affect normal functioning of services, including competitor teams' services and services of the shared game infrastructure;

remove flags from provided servers, from competitor teams' servers and servers of the shared game infrastructure;

perform the above-mentioned actions on behalf of competitor teams.

Work of the Jury

The jury can specify the rules at any point before the game begins.

The jury can penalize/disqualify a team for violation of the rules.

The jury determines the winner on the basis of collected points.

CTF Technical Details

Possible Vulnerabilities in Services Prepared for the CTF Contest

Vulnerabilities in Web Applications:

Authentication vulnerabilities;

Authorization and access control vulnerabilities;

Vulnerabilities allowing attacks against web application clients (including Cross-Site Scripting, Cross-Site Request Forgery, etc.);

Vulnerabilities resulting in code execution (including SQL Injection, OS Commanding, XML Injection, etc.);

Sensitive information disclosure;

System logic vulnerabilities;

Vulnerable configuration of applications and servers.

Vulnerabilities in Network Services:

Authentication vulnerabilities;

Authorization and access control vulnerabilities;

Vulnerabilities resulting in code execution (Buffer Overflow, Stack Overflow, etc.);

Cryptographic protection vulnerabilities;

System logic vulnerabilities;

Public vulnerabilities for external exploitation;

Improper administration;

Use of weak passwords.

Vulnerabilities in Applications and Scripts of Administration Automation:

Authentication vulnerabilities;

Authorization and access control vulnerabilities;

Vulnerabilities resulting in code execution (Buffer Overflow, Stack Overflow, etc.);

Cryptographic protection vulnerabilities;

System logic vulnerabilities.

Vulnerabilities in Wireless Networks:

Unauthorized access points and wireless access clients;

Vulnerable configuration of wireless access, including configuration of wireless clients (weak security protocols, etc.).

CTF Contest Participants

Logo Team Country City Institution of Higher Education


Russia Kaliningrad Immanuel Kant State University of Russia
The [censored] team of the Immanuel Kant State University of Russia consists of students only and has been participating in various competitions (both Russian and international) since 2009. For this period, [censored] has shown decent results (for a team of students):

1st place at RusCrypto CTF 2011;

5th place at RusCrypto CTF 2010;

9th place at RuCTF 2011;

13th place at NDH2011 Prequals.


India Chennai Amrita Vishwa Vidyapeetham
The BIOS team of the Amrita Vishwa Vidyapeetham, Amritapuri Campus, India, has been taking part in CTF contests since 2008. Their first contest was CIPHER4, where the team took 24th place. The team's mentor, Mr. Vipin Pavithran, encouraged the team members to participate further in such events. They participated in CIPHER5, HARCTF, and ruCTFE 2009, and took 22nd, 14th and 28th places respectively. The team has successfully conducted InCTF 2010, India's first national level CTF style ethical hacking contest, and InCTF 2011 is currently going on.


Russia Moscow Lomonosov Moscow State University
The Bushwhackers team was organized in 2010 at the MSU Faculty of Computational Mathematics and Cybernetics (CMC) on the basis of the Information Security and Computer Networks special seminar of the Computer Systems Laboratory, the Computer Systems Automation Department. During its first year the team performed well in several Russian and international information security contests:

3rd place at RusCrypto CTF 2010 (Moscow);

2nd place at Deutsche Post Security Cup 2010 (Germany);

1st place at RuCTF 2011 Quals (Yekaterinburg);

1st place at Swiss Cyberstorm Wargames 2011 Quals (Switzerland).


Russia Yekaterinburg A. M. Gorky Ural State University (USU)
The HackerDom team was created in 2005 at the - Department of the USU. The members conduct the Secrets of HackerDom weekly seminar. The team regularly participates in CTF and CTF-like contests, and also conducts national (RuCTF) and international (RuCTFE) interuniversity contests in information protection. The team's achievements:

3rd place at iCTF 2007 (USA);

1st place at C.I.P.H.E.R. 2008 (Germany);

2nd place at C.I.P.H.E.R. 2009 (Germany);

2nd place at RusCrypto CTF 2010 and 2011 (Russia);

1st place at RusCrypto CTF Quals 2011 (Russia);

13th place at DEFCON Quals 18, the best result of all Russian teams.

Leet More

Russia St. Petersburg Saint Petersburg State University of Information Technologies, Mechanics and Optics (ITMO)
The Leet More team was created in 2008 at the SPbSU ITMO Department of Secure Information Technologies. The team's achievements:

1st place at RusCrypto CTF 2010

3rd place at RuCTF 2010

3rd place at CTF 2010

4th place at CSAW CTF Quals 2010

Also, Leet More took 5th place at CodeGate 2010 Quals which made it the first Russian team that reached the finals.


Russia Moscow Bauman Moscow State Technical University (Bauman MSTU)
The team was created in 2011 at the Information Security Department of the Bauman MSTU. The team will make its debut at PHD CTF 2011.


Nibbles is a French team created in 2006. The team has participated in CTF competitions as often as possible since 2009, and was reformed a few months ago. Ranking:

1st place at Insomni'hack (February 2011);

2nd place at (October 2010);

1st place CITCTF (June 2010).

Plaid Parliament of Pwning

USA Pittsburgh Carnegie Mellon University
Plaid Parliament of Pwning (PPP) is an information security research team at Carnegie Mellon University. The PPP team was created in September, 2009. Information about the PPP team's achievements is available here.


Russia St. Petersburg
Rdot.Org is a new team, actively doing research in the web security area. Members of the team have already managed to make themselves known by taking first places at such contests as HQ2010 and NDH2011 Prequals.


The SmokedChicken team was created in 2006. The team regularly takes part in CTF and CTF-like contests. SmokedChicken is one of the most experienced CTF teams in Russia.
Copyright 2011
Positive Technologies