Oh, btw, for sign up there is no password field. You must be using the sign in form (it could still be a bug, e.g. clicking sign in shows the sign up form for your browser).
The apparent trouble with signup notwithstanding, this seems like great fun. The thing is, I didn't find out about those problems, because I didn't even try to sign up. I have no idea how I would go about getting started being able to do this.
Can anybody suggest resources for lowly web developers to make our way into security? Even if just for fun?
It's a good illustration of a misuse of the webapp single-page formula for a simple informational site. This could have been simple HTML with a proper url for each page, so that you could actually link to the subpages, but instead they're trying to load the content in with js, and performing terribly with no feedback on clicks when I last looked.
The actual content is here (and loads pretty quick as it should):
Looks like a rails site, not sure what all the gmaps code is all about, perhaps backend pages?
A fun idea, but I'd prefer if they just specified a simple set of services that you have to support, say something like:
IMAP
Serve this json
Serve this html and let people edit it
Serve this information from any db and let people edit it
and leave the backends to people's imagination. It sounds like they're going to actually specify different CMSs etc, and installing browsers?!?, when they should be specifying what protocols and data are required - that would let you use whatever service and backend tools you wanted.
This will be interesting to see when finished, but it would be better if each 'Fortress' had to offer services, instead of dictating that each camp has to run POP + Wordpress + some bullshit plugins. Also, this type of activity definitely will break terms of service for internet service and hosting providers, as well as potentially several laws.
> "...this type of activity definitely will break terms of service for internet service and hosting providers, as well as potentially several laws."
How so? Is the activity itself inherently against TOS or laws? It seems to me that by running the competition, ctf365 intends to have users purposefully exploit sandboxed systems.
I would imagine one example could be a website hosted by a third party. Possibly you would have to inform the host of the situation and get their approval. Otherwise you might be breaking a generic law about gaining unauthorized access to a computer.
Ah, I suppose that would cover most bases. If they own the servers and they are giving permission to access them in such a way then there's likely no worries over unauthorized access type laws.
I took a look at this a while back (excited to see it's still going), but there is the chance that your ISP might send you a nastygram/suspend service if they notice a lot of activity that looks like port scanning, though that depends on how intrusive/vigilant your ISP is being.
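The "activity that looks like port scanning" an ISP would notice is usually just a count of distinct destination ports per source inside a short window. The following is an added example, not code from the thread or from CTF365: a small Python detector run over constructed firewall log lines (the addresses, timestamps and log format are all made up for the example) that flags a source once it touches at least `port_threshold` distinct destination ports within `window`.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not real traffic). One source probes a dozen
# ports on one host within a few seconds; another only talks to 80 and 443.
SAMPLE_LOG = """\
2013-03-01T10:00:01 DROP src=203.0.113.5 dst=198.51.100.9 proto=TCP dport=21
2013-03-01T10:00:01 DROP src=203.0.113.5 dst=198.51.100.9 proto=TCP dport=22
2013-03-01T10:00:01 DROP src=203.0.113.5 dst=198.51.100.9 proto=TCP dport=23
2013-03-01T10:00:02 DROP src=203.0.113.5 dst=198.51.100.9 proto=TCP dport=25
2013-03-01T10:00:02 DROP src=203.0.113.5 dst=198.51.100.9 proto=TCP dport=53
2013-03-01T10:00:02 DROP src=203.0.113.5 dst=198.51.100.9 proto=TCP dport=80
2013-03-01T10:00:03 DROP src=203.0.113.5 dst=198.51.100.9 proto=TCP dport=110
2013-03-01T10:00:03 DROP src=203.0.113.5 dst=198.51.100.9 proto=TCP dport=143
2013-03-01T10:00:03 DROP src=203.0.113.5 dst=198.51.100.9 proto=TCP dport=443
2013-03-01T10:00:04 DROP src=203.0.113.5 dst=198.51.100.9 proto=TCP dport=445
2013-03-01T10:00:04 DROP src=203.0.113.5 dst=198.51.100.9 proto=TCP dport=3306
2013-03-01T10:00:04 DROP src=203.0.113.5 dst=198.51.100.9 proto=TCP dport=8080
2013-03-01T10:00:02 ACCEPT src=203.0.113.77 dst=198.51.100.9 proto=TCP dport=80
2013-03-01T10:00:03 ACCEPT src=203.0.113.77 dst=198.51.100.9 proto=TCP dport=443
2013-03-01T10:00:30 ACCEPT src=203.0.113.77 dst=198.51.100.9 proto=TCP dport=80
"""


def parse_line(line):
    """Parse one 'timestamp action key=value ...' line into (ts, src, dst, dport)."""
    ts_str, _action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["src"], kv["dst"], int(kv["dport"])


def find_scanners(log_text, window=timedelta(seconds=60), port_threshold=10):
    """Return {src: max distinct (dst, port) pairs seen in any `window`} for
    every source that reaches `port_threshold` distinct pairs inside a window."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it is within `window` of the
            # newest event, then count distinct targets inside the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {(dst, port) for _, dst, port in evs[start:end + 1]}
            if len(distinct) >= port_threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct targets in 60s")
```

The threshold and window are the knobs an operator would tune; a lab network that keeps all probing on a private segment, as suggested elsewhere in the thread, never produces these lines at the ISP in the first place.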
If ctf365 wanted to keep the playing field level, they could sandbox the entire network so that attacks originate from another device on the network. So you have:
No shady traffic ever needs to traverse the public internet. Only ssh access to my_command&control_box and my_fortress is required. This has the added benefit of normalizing the attacking horsepower of the entrants.
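One way to enforce the "nothing shady leaves the lab" property on a fortress host, as an added example that is not from the thread or from CTF365: an nftables ruleset that accepts ssh only from a command-and-control box and refuses any outbound connection to addresses outside the lab range. The lab range 10.0.0.0/16 and the C2 address 10.0.0.10 are constructed placeholders.

```nft
# Constructed example: lab network is 10.0.0.0/16, C2 box is 10.0.0.10.
table inet fortress {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Management: ssh only from the command-and-control box.
        ip saddr 10.0.0.10 tcp dport 22 accept
        # Everything else from inside the lab may hit the services under attack.
        ip saddr 10.0.0.0/16 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # New outbound connections are allowed to the lab range only, so a
        # compromised fortress cannot be turned against the public internet.
        ip daddr 10.0.0.0/16 accept
    }
}
```

Loaded with `nft -f`, the output chain is what matters for the ISP concern raised above: replies to attackers inside the lab still flow (established state), but nothing new can be opened towards an outside address.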
That would limit to some degree the gear that you could bring to the fight. Given that choice of tools in this situation is a valid differentiator I don't think arranging the challenge as "Backtrack5 at Dawn" is a realistic way to go about it. Clearly you could write or upload anything you wished if you sshed in, but the added convenience of BYOD seems like a net win.
How do you define a 'sandboxed' system? What if I choose to run the Wordpress/Django/Drupal/Whatever-CMS on a shared host? Cracking tools don't often take into account the negative effects on non-target hosts, nor are they generally tolerated by shell providers.
Hmm. I think my confusion comes from the assumption that each "fortress" (server) is a virtual server hosted by ctf365.
From their rules:
> Don't try to conduct underground activities with your Fortress (system) from our platform in the Real World (e.g. using our platform to spam others, attack other servers on the internet and so on). We don't care who you are, but we do care what you are doing in our home (CTF365 Platform). Please remember that you are our guest and please behave accordingly.
I read this to imply that they will provide the "fortress". So when I say "sandboxed" system, I mean a system provided by ctf365 on their own infrastructure - infrastructure which permission is implicitly granted to attack.
Hopefully they'll at least link to good configuration sites for each service, to give new players at least a fighting chance.
I wonder how long it would take someone to spin up a script to install all of these services...
SMTP, POP, IMAP, FTP, etc., one CMS + specific plugins, 2 different internet browsers, 3 web applications & at least 2 different databases
So...a mail server, file servers, multi-webhost, databases, and CMS with many plugins. I assume that "different databases" means different database stacks on different clusters, not "both MySQL and SQL Server 2012" on the same server, right? (In Windowsville this would all be within an AD domain, I'm not sure what the Linux equivalent is.) Will there be a required volume of photo/social datamass to be stored on the server? Maybe instead of some kind of "flag file", we'll have to store embarrassing photos of ourselves?
1. They come preinstalled on some closed-source OSes
2. How else would you connect to a datacenter server's integrated lights out (ILO) webpage from a bastion server within the datacenter and domain, to which you're only allowed an RDP connection?
It might be a great learning opportunity then. Check out some tutorials and see what sort of security considerations go into setting up and running a server.
Per another branch of the conversation, they set up the servers, you just control them, so the entire conflict happens in a relatively sandboxed environment.
I don't think there is anywhere on the website that explicitly tells you what the objective of this is, nor exactly what a flag is (even if it is more of a concept). As much as I can infer from it, in game instructions, they should be explicit.
Shoot me an email, brianw.stearns@gmail.com. I have [very] limited practical admin experience, but I will try to scare up a friend who can devote some time to it.
CTF365 is a startup in bootstrap mode (self funded) that will change the way Information Security is learned. We try to do our best with very few resources. No seed money, no Kickstarter money, but full of passion and dedication.