#13
21-09-2005, 20:13
SeanCassidy
Antiregistered User
#0263 (Aftershock)
Team Role: Programmer
 
Join Date: Oct 2003
Location: Holtsville, NY
Posts: 37
Re: 263's Computer Hacking Competition

Okay, here's a draft of the game I decided to write up.

The game will be point based. Both computers will run the same distro of Linux on very similar computers. There will be a grace period. No hacking of any kind is allowed during this period. It results in an instant loss if it's detected. Social engineering is allowed, though, during this period.

Here is the point allocation:
- 150 points for every minute you hold root on a victim computer.
- 0-50 points based on overall how secure your computer is. This will be judged after competition.
- 10 points for running Apache 1.3 during the entire open season.
- 10 points for running sendmail 8 during the entire open season.
- 10 points for running ProFTPD 1.2 during the entire open season.
- 25 points for a working kernel recompile by hand!
- 100 points for writing your own vulnerable network service and running it as root (not in a chroot) during the entire open season. This is only worth 50 points if you don't run it as root.
- 200 points for giving a working exploit for the network service.
- 0-20 points for social engineering.
- 0-30 points for any special attacks (ARP poisoning, keylogging, packet sniffing).
- 0-30 points for any special defenses.
- 1 point for every minute before open season that you're completely done. (NO screen sessions running, etc.) You can tell us when you're done and we'll cut access to your box.
- 0-30 points for the whitepaper describing what happened.
- 0-30 points for securely backdooring your own box.
- 0-75 points for overall attack strategy. If you use Metasploit or Nessus, prepare to get very low points here.

Other rules:
- You cannot reboot in open season. It's an instant loss if you do.
- No outbound connections from your box inside the LAN.
- You can only attack the victim computers on the LAN; anything else, even scanning other boxes, is an instant loss for that team.
- We'll be logging everything, please don't touch the logs. We want to look at the games afterwards too.
- If you don't want your 0day to be released, don't use it here.
- You must use vanilla kernels, and nothing you use can be stack guard compiled (especially your vulnerable network daemon).

Most of this will be judged after the competition. We hope to make this as professional as possible. We'll probably be in #aftershock on irc.freenode.net too. I'm usually in there as bockman.

We have some opposing ideas on the format of the game itself. We can do it like a four-hour grace period and an eight-hour open season in one day, or break it up. Possibly three four-hour sessions over a week. Any ideas about this?

Last edited by SeanCassidy : 21-09-2005 at 20:16.