HACKER SUMMER CAMP 2023 GUIDES — Part Two: Capture The Flags & Hackathons
Welcome to the DCG 201 Guides for Hacker Summer Camp 2023! This is part of a series where we are going to cover all the various hacker conventions and shenanigans, both In-Person & Digital! This year, 2023 is somehow bigger than 2022 was, and thus we will have a total of 15 guides spanning 3 Months of Hacker Insanity!
What is a CTF (Capture The Flag)?
Capture the Flag (CTF) in computer security is an exercise in which “flags” are secretly hidden in purposefully-vulnerable programs or websites. Competitors steal flags either from other competitors (attack/defense-style CTFs) or from the organizers (jeopardy-style challenges).
Security CTFs are usually designed to serve as an educational exercise to give participants experience in securing a machine, as well as conducting and reacting to the sort of attacks found in the real world (i.e., bug bounty programs in professional settings).
Classic CTF activities include reverse-engineering, packet sniffing, protocol analysis, system administration, programming, cryptanalysis, and writing exploits, among others.
This guide covers CTF challenges in general and highlights two independent ones happening this year.
NOTE: We will sadly not cover Google CTF due to timing. We also will cover various minor CTFs, such as the ones in the DEF CON Villages, in their respective sections.
Recommended OS Platforms:
Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing that incorporates more than 300 pre-installed penetration testing and security auditing tools. Kali Linux is distributed in 32-bit and 64-bit images for use on hosts based on the x86 instruction set and as an image for the ARM architecture for use on the Asus Chromebook Flip C100P, BeagleBone Black, HP Chromebook, CubieBoard 2, CuBox, CuBox-i, Raspberry Pi, EfikaMX, Odroid U2, Odroid XU, Odroid XU3, Samsung Chromebook, Utilite Pro, Galaxy Note 10.1, and SS808.
Kali Linux is also available on Windows 10, on top of Windows Subsystem for Linux (WSL). The official Kali distribution for Windows can be downloaded from the Microsoft Store:
For select Android Phones, you can run a derivative called Kali NetHunter. It includes a dedicated NetHunter App with a full Kali Linux toolset providing a touch screen optimized GUI for common attack categories, a custom kernel that supports 802.11 wireless injection with Software Defined Radio support and preconfigured connect back VPN services:
For those who will be involved in Attack/Defense CTFs or have to harden servers/devices, we recommend the newly released Kali Purple. Unlike traditional Kali Linux, Kali Purple is tailored for cyber security professionals and ethical hackers who focus on defensive security strategies. It leverages the NIST Cybersecurity Framework and includes new categories of tools specifically curated to bolster defensive security capabilities. These tools are categorized under Identify, Protect, Detect, Respond, and Recover. Another key differentiator is the introduction of the SOC-in-a-box architecture.
Parrot OS is a GNU/Linux distribution based on Debian’s testing branch (Bullseye) and a Linux 5.4 kernel with a focus on security, privacy, and development. It provides a suite of penetration testing tools to be used for attack mitigation, security research, forensics, and vulnerability assessment. The OS is certified to run on devices which have a minimum of 256MB of RAM and it is suitable for both 32-bit (i386) and 64-bit (amd64) processor architectures. In addition, the project is available for ARMv7 (armhf) architectures available for Raspberry Pi devices. The desktop environments are MATE and KDE.
You have two options for Fedora. First is Fedora Security Lab which provides a safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies in universities and other organizations. It comes with the clean and fast Xfce Desktop Environment and a customized menu that provides all the instruments needed to follow a proper test path for security testing or to rescue a broken system.
Network Security Toolkit (NST) is a bootable live CD based on the Fedora distribution. The toolkit was designed to provide easy access to best-of-breed open source network security applications and should run on most x86 platforms. The main intent of developing this toolkit was to provide the network security administrator with a comprehensive set of open source network security tools.
Pentoo, based on Gentoo Linux, is a Live CD and Live USB designed for penetration testing and security assessment. Pentoo is provided both as 32 and 64 bit installable live CD. Pentoo is also available as an overlay for an existing Gentoo installation. It features packet injection patched wifi drivers, GPGPU cracking software, and lots of tools for penetration testing and security assessment. The Pentoo kernel includes grsecurity and PAX hardening and extra patches — with binaries compiled from a hardened toolchain with the latest nightly versions of some tools available. Tools are installed with versioned ebuilds and open-ended ebuilds, making it possible to pull in the latest subversions and still have installs tracked by package management.
BlackArch is an open-source distro and penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools, created specially for penetration testers and security researchers. The repository contains more than 2400 tools that can be installed individually or in groups. BlackArch Linux is compatible with existing Arch Linux installs.
Athena OS is an Arch-derived Linux distribution designed for penetration testing, bug-bounty hunting and InfoSec students. The distribution provides a way to connect directly to some of the e-learning hacking resources, such as Hack The Box, Offensive Security, PWNX and InfoSec certifications, and it provides integration with the Hack The Box hacking platform and connections to InfoSec communities. Athena OS also introduces InfoSec roles (e.g. penetration tester or open-source intelligence specialist) based on user preferences, so the user’s system is populated with relevant tools only. It’s also available in Docker and a Windows WSL version.
PentestBox is an Open Source, Pre-Configured Portable Penetration Testing Environment for the Windows Operating System. It provides all the security tools as a software package and lets you run them natively on Windows. This effectively eliminates the requirement of virtual machines or dual-boot environments on Windows. All the dependencies required by tools are inside PentestBox, so you can even run PentestBox on a freshly installed Windows without any hassle. PentestBox is entirely portable, so now you can carry your own Penetration Testing Environment on a USB stick. It supports both 32-bit and 64-bit systems.
Apple iMac machines run a POSIX compliant UNIX variant, and the hardware is essentially the same as what you would find in a high-end PC. This means that most hacking tools run on the Mac operating system. A properly set up Apple machine can do quite a bit of heavy lifting.
SecBSD Tool List is based on the long-running SecBSD Project. SecBSD is an OpenBSD-based, UNIX-like operating system focused on computer security: a BSD environment for security researchers, pentesters, bug hunters & cybersecurity experts. While the project is in a questionable limbo, those running OpenBSD can use its Tool List as a reference guide to import and configure their instance to be a pentesting platform.
Reverse Engineering & Recovery Operating Systems
Kaisen Linux is a distribution for IT professionals based on the Debian GNU/Linux distribution. It is a complete operating system whose originality is to provide a set of tools dedicated to system administration and covering all the needs for diagnosing and dealing with faults or failures of an installed system and its components. It also integrates a good number of wifi/video/sound and bluetooth drivers in addition to those contained in the kernel to provide improved hardware support and ensuring that you do not have to install anything more after installation.
Finnix is a small, self-contained, bootable Linux CD distribution for system administrators, based on Debian. It can be used to mount and manipulate hard drives and partitions, monitor networks, rebuild boot records, install other operating systems, and much more.
Rescuezilla is a specialist Ubuntu-based distribution designed for system rescue tasks, including backups and system restoration. It was forked from the “Redo Backup & Rescue” project which was abandoned in 2012. Like its predecessor, it allows a “bare-metal restore” after any hardware failure directly from the live image. Some of the features include: works directly from the live CD/USB image; works with Linux, macOS and Windows; automatically searches a local area network for drives to backup to or restore from; recovers lost or deleted data files; includes configuration tools for managing disk and drives.
Recommended Tools:
- NMAP : Nmap is a free tool for network discovery and security auditing. It can be used to discover hosts, open ports, running services, OS details, etc. Nmap sends specially crafted packets and analyzes the responses.
- Wireshark : Wireshark is a free, open source network protocol and packet analyzer. It allows us to monitor the entire network traffic by putting the network interface into promiscuous mode.
- PuTTY : PuTTY is a free and open source SSH and telnet client. It is used for remote access to another computer.
- SQLmap : SQLmap is a free and open source tool mainly used for detecting and exploiting SQL injection issues in an application. It has options for hacking the vulnerable database as well. SQLmap can be downloaded from http://sqlmap.org/
- Metasploit Framework : Metasploit is a popular hacking and pentesting framework. It is developed by Rapid7 and used by every pentester and ethical hacker. It is used to execute exploit code against a vulnerable target machine.
- Burp Suite : Burp Suite is an integrated platform for performing security testing of web applications. It has multiple tools integrated in it. The two main tools in the free version are Spider and Intruder. Spider is used to crawl the pages of the application and Intruder is used to perform automated attacks on the web application. Burp has a professional version with an additional tool called Burp Scanner, which scans applications for vulnerabilities.
- OWASP Zed Attack Proxy : OWASP ZAP is one of the OWASP projects. It is a penetration testing tool for web applications with features similar to Burp Suite. It has an automated scanner to discover vulnerabilities in the application. Additional features include a spider for Ajax-based applications. OWASP ZAP can also be used as an intercepting proxy.
- Nessus : Nessus is a vulnerability, configuration, and compliance assessment tool. It has a free and a paid version. The free version is for personal use. It uses plugins for scanning. Simply feed it the IP address of the target machine and run the scan. There is an option to download the detailed report as well. Nessus can be downloaded from http://www.tenable.com/products/nessus
- Nikto : Nikto is an open source web server vulnerability scanner. It detects outdated software installations and configurations, potentially dangerous files/CGIs, etc. It has a report creation feature as well. Nikto can be downloaded from http://www.cirt.net/nikto2
- John the Ripper : A password cracking pen testing tool commonly used to perform dictionary-based brute force attacks. John the Ripper can be downloaded from http://www.openwall.com/john/
- Hydra : Another password cracker similar to John the Ripper. Hydra is a fast network logon cracker. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more. Hydra can be downloaded from https://www.thc.org/thc-hydra/
- w3af : w3af is a Web Application Attack and Audit Framework. Some of its features include fast HTTP requests, integration of web and proxy servers into the code, injecting payloads into various kinds of HTTP requests, etc. It has a command-line interface and works on Linux, Apple Mac OS X, and Microsoft Windows. All versions are free of charge to download. w3af can be downloaded from http://www.wtcs.org/snmp4tpc/getif.htm
- bettercap : A powerful, easily extensible and portable framework written in Go which aims to offer security researchers, red teamers and reverse engineers an easy-to-use, all-in-one solution for WiFi and Bluetooth Low Energy hacking, wireless HID hijacking, and Ethernet network reconnaissance and MITM attacks. It includes a powerful network sniffer for credential harvesting, which can also be used as a network protocol fuzzer, coupled with a very fast port scanner and an easy-to-use web user interface. bettercap can be downloaded from https://www.bettercap.org/
Hacker Browser Extensions (Highlights)
PRACTICE YOUR HACKTICS
LEARN AT DEF CON 31
The Petting Zoo: Breaking into CTFs
Scheduled Date and Time (Pacific Standard): Saturday, August 12, 2023, at 0900 PDT
EventBrite Link: https://www.eventbrite.com/e/christo...=oddtdtcreator
Max Class Size: 80
Breaking into the capture the flag (CTF) world can be daunting and many people are overwhelmed when faced with participation in these events and challenges. With how beneficial the various challenges can be to both beginners and seasoned professionals, we want to demystify this world and help people get the most out of them.
This workshop will start with an overview of the CTF landscape, why we do them, and what value they have in the scope of the hacking community. This presentation will include various resources and a few simple demos to show how to approach a CTF and how it may differ from “real world” hacking challenges that many of us face in our professions. Next, a short CTF will be hosted to give attendees hands-on experience solving challenges with the ability to ask for help and will be guided through the approach to successfully navigating these challenges. Upon completion, the group will have worked through various types of hacking challenges and will have the confidence to participate in other CTFs hosted throughout the year.
Areas of focus will include:
* Common platforms and formats
* Overview of online resources, repositories, and how to progress
* Common tools used in CTFs and hacking challenges
* Basics of web challenges
* Basics of binary exploitation and reversing challenges
* Basics of cryptographic challenges
* Basics of forensic and network traffic challenges
Skill Level: Beginner
Prerequisites for students:
- Be curious about CTFs and have a very basic knowledge of or exposure to fundamental topics (e.g., Linux, websites, networking, data encoding and encryption)
- Exposure to the above concepts will help during the workshop defined CTF challenges but is not required for the workshop
Materials or Equipment students will need to bring to participate:
- Laptop
- Debian-based Virtual Machine (e.g., Kali) is recommended
- Virtualized environment or Kali is not required but Kali will provide all the tools useful in solving the challenges and help standardize available tools. All challenge solutions will be possible using default Kali installations.
- A limited number of Kali-Chromebooks and hosted resources will be available for those having issues or unable to bring their own systems.
Christopher Forte is a security researcher and a junky for learning, participating in CTFs, and solving challenges. He is curious, loves teaching others, and has a passion for breaking things. As a resident of Las Vegas, Christopher co-founded DC702, is the local Chapter President of TOOOL, and enjoys introducing people to the world of hacking and lock picking.
Robert Fitzpatrick is a military veteran of over 20 years. He began his cyber life leading the Information Assurance office, and quickly moved up to run the Network Operations Center, as well as the Network Test and Evaluation center. He has built multiple operations centers in both homeland and austere locations, purchased satellite infrastructures, and led vulnerability investigations for classified networks. He is also a co-founder of DC702 and enjoys training new students on an eclectic array of subjects surrounding his interests.
https://forum.defcon.org/node/246023
LEARN AT SQUADCON
Master List
Resource Dumps
Cryptography
Passwords
Shell Hell
Blue Teaming
Cloud Security
Scanning & Metasploit
Reverse Engineering & Malware Examples
Privilege Escalation & Injections
Windows Specific
Blockchain & Smart Contracts
Training Platforms
HACKER SUMMER CAMP 2023 CTF HIGHLIGHTS
INTERNATIONAL CYBERSECURITY CHAMPIONSHIP & CONFERENCE
The International Cybersecurity Championship and Conference (IC3) event is designed to attract top talent and raise global awareness of the power of games to upskill the cybersecurity industry.
Through its exciting, competition-based forum, the IC3 helps individuals further their cybersecurity education and skills. IC3 is designed with three primary components. The first is a speaker session showcasing top leaders in Cybersecurity Games and Exercises from around the world. The second is the hands-on expo of cyber games, immersive training, and exercises. Finally, the program includes the 2023 International Cybersecurity Challenge (ICC), a championship tournament featuring global teams (25 years and younger).
The cybersecurity championship tournament is composed primarily of capture-the-flag and attack-and-defend games. It is an annual challenge that moves from country to country each year and is organized by the ENISA International Cybersecurity Challenge Program (ICC). Teams representing global regions travel to this multiday event to compete in challenges related to web application and system exploitation, cryptography, reverse engineering, hardware challenges, and attack/defense.
CHAMPIONSHIP
Connect with top cybersecurity experts from around the world while experiencing the excitement of cybersecurity-oriented esports. Seven teams of cyber athletes ages 18–25 will represent over 65 nations in a final championship. In addition to the 600–700 expected attendees, the games will be live-streamed on Twitch to thousands of fans.
CONFERENCE
As if the action of the games wasn’t enough, our speaker lineup will keep you on the edge of your seats. They include leading cyber experts from the US Department of Homeland Security, EU, UAE, Microsoft, Mastercard, Google & Mandiant, and more! These global speakers from governments, corporations, and academia will discuss topics including:
- The power of global collaboration to cultivate a strong, diverse cyber workforce.
- The importance of aligning academia and corporations with cyber games and exercises that drive needed job skills.
- The role of cyber games and exercises for building resilience into our risk strategies.
TUESDAY, AUGUST 1, 2023 (PST)
8:45AM — 8:50AM
Opening Remarks
Jessica Gulick, US Cyber Team Commissioner
8:50AM — 9:00AM
Welcome Reception
Jonathan Behnke, CIO for the City of San Diego
9:00AM — 9:30AM
Announcing Soon!
Keynote Speaker
9:45AM — 10:30AM
Changing the Game: Why Innovation is the Key to Success
Dan Meacham, VP, Global Security and Operations, CSO / CISO at Legendary Entertainment
10:40AM — 11:00AM
Cloud: A Game Changer For Red Teaming & Privacy
Carlos Polop Martin, Hacking Content Creator, Halborn
11:10AM — 11:55AM
D1 Cyber
A panel of academic leaders discusses the use of cyber games in academia.
Moderator: Dan Manson, Chairman at NCL, Inc.
Panelists:
- Ron Pike, Associate Professor at Cal Poly Pomona
- David Zeichick, Assistant Professor, Computer Science at California State University Chico and NCL Commissioner
- Attlee M. Gamundani, PhD, Associate Professor at Namibia University of Science and Technology
- Dr. Ioannis Agrafiotis, Cybersecurity Expert at European Union Agency for Cybersecurity (ENISA)
- Dr. Josh Brunty, Associate Professor & Director of the Cyber Forensics & Security Graduate Program at Marshall University
WEDNESDAY, AUGUST 2, 2023
8:45AM — 9:05AM
Arena Keynote:
Rodney J. Petersen, Director, NICE
Introduction by Jon Check, Executive Director, Cyber Protection Solutions, Raytheon Intelligence & Space
9:45AM — 10:15AM
Building High-Performing Cyber Teams
Security executives discuss how they cultivate high-performance cyber teams through team training, cyber games, and exercises.
Moderator: Tomás Maldonado, CISO, NFL
Panelists:
- Scott Gicking, Chief Information Security Officer, Hyundai AutoEver America
- Chase Franzen, Chief Information Security Officer & VP of IT Risk Management, Sharp HealthCare
10:30AM — 10:50AM
Featured Fireside Chat With HE DR. Mohamed Hamad Al-Kuwaiti
Antonio “T” Scurlock, Deputy Chief Learning Officer at CISA, discusses the UAE Cybersecurity Council’s award-winning Cyber Pulse initiative, which provides cyber culture awareness on a national level, with HE DR. Mohamed Hamad Al-Kuwaiti.
11:00AM — 11:20AM
Announcing Soon!
11:30AM — 12:00PM
Getting Value From Cyber Exercises
Simran Sakraney, Cybersecurity Consultant, and Nadean Tanner, Senior Manager, Education Services at Google/Mandiant
1:45PM — 2:30PM
Cyber Ranges: Building, Operating, And Maintaining
Angus Blitter, Packet Master and Creator of Packetwars, and Matt Berry, Senior Director (Global Field Cyber CTO) at WWT
THURSDAY, AUGUST 3, 2023
8:40AM — 9:00AM
Arena Keynote
Nitin Natarajan, Deputy Director, Cybersecurity and Infrastructure Security Agency (CISA) United States Department of Homeland Security
9:45AM — 10:25AM
Achieving Resilience In Critical Infrastructure
Critical infrastructure security executives discuss the need for continuous team training and exercises as a vital part of their risk management strategies.
Moderator: Jon Brickey Ph.D., Senior Vice President, Cybersecurity Evangelist, Mastercard Technology
Panelists:
- Kristin Demoranville, Founder & CEO of AnzenSage
- Demosthenes Ikonomou, Head of Capacity Building Unit, ENISA
- Peter Clay, Chief Information Security Officer, Aireon, LLC
10:30AM — 11:10AM
Unlocking Cyber Potential — Cyber Athlete & Game Maker Panel
A panel of gamers and game makers discuss the evolution of cyber games and its future.
Moderator: Ping Look, Director, Training & Communications at Microsoft Incident Response Team
Panelists:
- Eric Basu, CEO at Haiku
- Dmitriy Beryoza, Senior Security Researcher at Vectra AI
- Pete Hay, Principal Security Strategist at SimSpace
11:20AM — 12:00PM
Hacking Policy and Policy Hacking — A Hacker Guide to the Universe of Cyber Policy
Dr. Amit Elazari, Co-Founder and CEO of OpenPolicy, will discuss how Cybersecurity Policy has transformed our industry globally. This domain also serves as an amazing opportunity to drive impact at scale and collaborate with the hacker ecosystem to drive better policies and better security that advance all users. This talk invites the audience to explore the latest trends in cyber policy globally, focusing on areas such as secure development, workforce, vulnerability disclosure, product security, and anti-hacking laws. We will cover the latest developments from the National Cyber Security Strategy to the EU Cyber Resilience Act, and introduce the audience to the world of policy hacking, and policy “hacking”.
1:45PM — 2:30PM
Featured Fireside Chat with Despina Spanou, Head of Cabinet for European Commission Vice President Margaritis Schinas — Discussion about the EU’s Cybersecurity Skills Academy Initiatives
NICE’s Danielle Santos will moderate this informative discussion about the EU’s Cybersecurity Skills Academy Initiatives with Despina Spanou.
CISA INL ESCAPE ROOM
CISA and Idaho National Lab will host an immersive Escape Room adventure to test your cybersecurity and infrastructure protection skills.
This Escape Room will challenge you through a series of traditional time-bound challenges for all skill levels. Cybersecurity puzzles involve wireless technologies, Open Source Intelligence (OSINT) analysis, database exploitation, network discovery, industrial control systems, cryptography, Arduino backed puzzles, and more. Come have fun while learning more about cybersecurity with CISA and Idaho National Lab.
Limited spots available. Event registration required.
DEF CON 31 Capture The Flag
HACK-A-SAT 4
August 11–13, 2023
Find us in the Aerospace Village!
Hack-A-Sat is a Capture the Flag (CTF) competition designed to inspire the world’s top cybersecurity talent to develop the skills necessary to help reduce vulnerabilities and build more secure space systems.
In Hack-A-Sat 1, 2 and 3, the best of the best have been learning more about all the skills required to hack in space through physical flatsat hardware and digital twin simulation. But, this year, PRACTICE IS OVER, as Hack-A-Sat 4 presents the world’s first CTF competition IN SPACE.
Five Finalist Teams will compete on Moonlighter, an on-orbit satellite. Moonlighter is the world’s first and only hacking sandbox in space, designed specifically to advance the cyber security community and secure space for us all.
The Department of the Air Force presents Hack-A-Sat, open to all cybersecurity researchers who want to up their skills and knowledge of space cybersecurity. This Capture the flag challenge begins with a Qualification Event and culminates in a Final Event that will take place in the Aerospace Village at DEF CON 31 in Las Vegas.
Whether you’ve been with them since the start in 2020 or are just tuning in, you are in the right place to catch up on all the competitions, get educated on hacking in space and even practice building your own CubeSat like Moonlighter.
FINALIST TEAMS
Rules:
What is this Moonlighter thing?
Moonlighter is the world’s first purpose-built satellite just for cybersecurity training and research. It’s literally a hacking sandbox in space, that will be launched in 2023 and host the Hack-A-Sat 4 Finals competition.
When is Moonlighter launching?
Moonlighter launched on June 5th as part of an International Space Station (ISS) resupply mission from Kennedy Space Center on SpX-28. After a short visit with the ISS, Moonlighter is scheduled to deploy into Low Earth Orbit on July 6th.
Why are there 5 teams at Finals this year?
On careful consideration, five is the ideal number of teams to ensure fair and interesting game dynamics with the finite number of orbital passes Moonlighter will make during the game hours at DEF CON 31.
Why is the deadline to commit to playing in HAS4 Finals so long after HAS4 Quals?
To mitigate the overlap of Hack-A-Sat 4 and DEF CON CTF at DEF CON, we are setting our deadline for team commitments after teams have had a chance to compete and see how they placed in both Hack-a-Sat 4 and DEF CON CTF qualification rounds. This way any team that qualifies for both final events can make an informed decision.
The 2023 BIC CTF @ DEF CON 31 is powered by BIC members across four participating organizations (so far...):
- BIC HQ CTF Development Team (Headquarters)
- The CTF Room (BIC @ Kenya)
- KC7 (BIC @ DMV Metro)
- Xcape Inc. (BIC @ California)
The team has combined forces to create physical, virtual, wireless, emulated environment, crypto and OSINT challenges to showcase the talent of the International Black community and educate about the Black diaspora and our history and culture.
Each creator has cross-pollinated ideas and cultivated creations for each and every unique challenge and it would behoove you to get to know each one (especially your on-site operative)…
Register for the official contest here, from here you will be able to submit scores for all of the challenge types in our multiple challenge offerings: The On-Site Physical Challenge “Abandoned Server Room” in District #9, The “special” locks in District #3, The SOC Environment in District #2, Black History OSINT in the Library District #4 and the City Center District #1 Challenges to top off the array of different styles you can work through. May the best team win!
BIC K!DZ&T33NZ 2023 CHALLENGE SET & WALKTHROUGH
A set of 5–10 Capture The Flag style challenges hosted to provide kids, teenagers & beginners with an appropriate set of challenges to explore and work through. The BIC CTF team members will demonstrate skills and present solves to the community virtually or in-person to allow attendees to learn and ask questions.
These challenges will be walked through so that all participants of DEF CON can interact despite their skill level or exposure to the field. We invite all to take part and learn via this unique experience and would like to note that while we will have a scoreboard these challenges DO NOT ADD POINTS to THE OFFICIAL CONTEST, TO PARTICIPATE IN THE OFFICIAL CONTEST YOU MUST HAVE A SEPARATE TEAM AND REGISTRATION HERE.
DEFCON GROUPS KING OF THE HILL
COMING SOON — https://twitter.com/DCGCTF
PROS VS JOES 2023
The Pros V Joes CTF is an event where the average Joe can have a chance to defend along with Professionals in the field, to learn from them while having fun. The game consists of live combat, with each team of Joes defending a network from a Red Cell of professional hackers. Each team of Joes will be led by a Pro Captain (PvJ Staff) and Pro co-Captain. These fine folks will help train and prepare their Joes, supporting them throughout the two days of carnage and mayhem.
The 2023 calls for Joes and Pros are now OPEN! Apply to be a Pro or a Joe or check out our sponsorship opportunities.
As in the past, this game is designed to give regular Joes their first taste of live-fire security, where they have to defend networks against Professionals who know how to break in.
For the Pros, this is a chance to flex your muscles, showing how good you are against live threats. Or, if we accept you to our Red Team to play with our PvJ Staffers, it’s a chance to show your skills in pwning all the things. For both colors of Pro, Red and Blue, it is a chance to lend your experience to help others improve their game.
The environment to host this CTF is laced with various surprises to keep the game interesting. The networks that the Blue Teams must defend will be a mix of Windows and Linux, with the typical Internet services (web, DNS, mail, etc) and a mix of obscure systems and services.
For more information for both Pros AND Joes head over to http://prosversusjoes.net. Also, watch for tweets from @dichotomy1, our Red Blue and Gold teams, or any of the rest of the PvJ Staff.
Adversary Wars CTF at DEF CON 31
11–13 Aug, 2023.
DEF CON Contest Area, Caesars Forum, Las Vegas.
Adversary Village proudly presents “Adversary Wars CTF,” a cutting-edge capture the flag competition that revolves around adversary attack simulation, adversary-threat actor emulation, purple team tactics and adversary tradecraft. This unique competition is designed to replicate enterprise infrastructure and present participants with challenges that encourage the adoption of various techniques, tactics, and procedures (TTPs) employed by real adversaries and threat actors, all within a defined time frame.
We are excited to be back at DEF CON as an official contest this year. Adversary Wars CTF will be located in the contest area for DEF CON 31.
Adversary Adventure Game
The Diana Initiative is excited to bring you the Adversary Adventure Game from Adversary Village!
Choose your own path in this single player game — as an Adversary or a Defender
See how your path progresses by making choices until it reaches the conclusion:
August 11–12, 2023 @SQUADCON
CYBER BLOCK PARTY
Charity Battle is back. Ditch your suit coat and heels. Grab your shorts and tank tops and let’s party.
We are taking it outside. We will be at SQUADCON. Don’t miss our 80 ft. long 35-ton semi-tractor-trailer that transforms into a full-fledged state-of-the-art mobile arena and production for two nights of gaming and entertainment.
GET IN THE GAME
Come play some games, enter a battle or hunt for a bounty — all for charity. Individuals and teams of 3 welcomed. Tournaments require entry fee (donation to prize pool). Cash bar and food trucks.
AUTONOMOUS ARCADE @ Black Hat USA 2023
Drone hacking workshops and the CTF challenge are built and hosted by our partners at Dark Wolf Solutions and will be run throughout the day on a first come, first serve basis. All skill levels are welcome, hardware will be provided for those who need it, and commemorative prizes will be awarded to the top challengers!
Trace Labs OSINT Search Party CTF
Friday: 10:00–18:00
Saturday: 10:00–17:00
DEF CON Contest Area, Forum Ballroom | Hybrid
The Trace Labs Search Party CTF is a non-theoretical, gamified effort that allows for the crowdsourcing of contestants to perform a single task: conduct open source intelligence operations to help find missing persons.
You can have teams of 1–4 people; 4-person teams provide many benefits, which include the coaching of more junior members. This is often a great learning opportunity if you are able to pair up with OSINT veterans. Get your team together, stop by our booth for a registration code, and join us at searchparty.tracelabs.org/register
Twitter: @tracelabs
Forum users that can provide authoritative comments or answer questions: Belouve
ImaginaryCTF 2023
July 21–23, 3 PM EDT
ImaginaryCTF 2023 is a cybersecurity CTF competition run by ImaginaryCTF with a variety of challenges for all skill levels. It runs from July 21 to July 23, starting and ending at 3 PM EDT.
Teams will be challenged to discover vulnerabilities in websites, crack codes, and recover information through challenges in cryptography, binary exploitation, web exploitation, forensics, reversing, and more. We hope that you will learn something new from our challenges!
If you would like to do some CTF before or after this competition, we do host daily CTF challenges on our main website and Discord server. You can join the competition for practice, or just for fun, as we will continue hosting them throughout the year.
We also have an active community around our daily challenges to provide support and help! Our daily challenges use the same Discord server as the server for this event, so feel free to stick around after the competition.
Prizes
1st place — 500 USD
2nd place — 300 USD
3rd place — 200 USD
4th place — 100 USD
5th place — 100 USD
Best writeup — 100 USD
Prizes are subject to change.
ENOWARS 7
Attack/Defense CTF by ENOFLAG / TU Berlin
ENOFLAG will host another ENOWARS CTF on the 22nd of July. Registration is open, don’t hesitate to sign up!
Attack/Defense CTF for Beginners
A typical attack/defense CTF consists of three components.
The Gameserver
It is provided by the organizers and runs throughout the competition, starting when the network is opened. It periodically stores flags on your Vulnbox using functionality in the provided services. It then later retrieves these flags, again using existing functionality. The Gameserver does not run exploits! It simply uses the service as intended.
Now, why can’t the other teams then simply do what the Gameserver does?
The Gameserver has more information. Every service is either designed to allow the Gameserver to store a specific token for each flag or generates one and returns it to the Gameserver.
The Gameserver uses this token to check periodically that the flag is still there. Whether or not it gets the stored flag using that token, determines your SLA (Service Level Agreement). You mustn’t remove or break any legitimate functionality.
Some services can have a vulnerability that directly leaks the flag, which will let you retrieve the flag easily. For others, it will require more effort.
Your Vulnbox
The Vulnbox is your running instance of the virtual machine image given to you by the organizers. It contains and runs all the services of the competition and should be reachable at all times. The Gameserver stores its flags here and uses the communication with this machine to decide if your services are working as intended or not. This machine is accessible to everyone on the network, and is the target for all the exploits from other teams.
Protecting the flags on this machine is what determines your defense points!
You normally have one hour from getting access to your Vulnbox until the network between teams is opened and everyone can attack each other. Use this time to get the VM running, then start analyzing what’s running on it. It has happened that services with vulnerabilities that are easy to find have been exploited as soon as the actual competition starts.
For the Bambi CTF and ENOWARS, we will be providing hosted vulnboxes which are accessible via SSH.
The other teams
All the other registered teams are connected to the same VPN as you. Their Vulnboxes have known IP addresses, all other machines are off-limits! The other teams will run exploits from their own machines, but the VPN infrastructure will use NAT to obfuscate whether a packet came from the Gameserver or another team.
Successfully stealing and submitting flags from the Vulnbox of other teams determines your attack score!
If you have played jeopardy CTFs before, you already know flag submission. In this game however, you’ll have to run your exploits periodically, as new flags get stored by the Gameserver every few minutes. So you probably want to script exploits and submit flags automatically, so you don’t spend all your time manually exploiting everyone.
Summary
- Some services may require additional information to exploit them, so don’t forget to have a look at the corresponding attack info.
- Vulnboxes and VPN servers are provided by us, you don’t have to provide or take care of anything.
- The game will start on 7/22/2023 12:00:00 PM UTC.
- The network between teams will open after 1 hour.
- You must register before 7/20/2023 12:00:00 PM UTC.
- You must check in between 7/22/2023 12:00:00 AM UTC and 7/22/2023 11:00:00 AM UTC.
- You must start your vulnbox once the game starts.
- A round lasts 60 seconds, flags are valid for several rounds.
- Flag format: ENO[A-Za-z0-9+\/=]{48}
- Flag submission: nc 10.0.13.37 1337
- You will find an Arkime installation on your vulnbox. Arkime is a traffic analysis tool, not a vulnerable service.
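For defenders, the published flag format doubles as a detection signature for traffic leaving your own Vulnbox. The following is an added example, not ENOWARS code: it scans constructed response bodies for flags and reports responses that carry more than one, assuming a legitimate read-back returns a single flag. The service names, the peer address and the sample flags are all constructed.

```python
import re

# Flag format as published in the rules (the "\/" there is just an escaped "/").
FLAG_RE = re.compile(r"ENO[A-Za-z0-9+/=]{48}")

def find_flags(payload):
    """Distinct flags in a payload, in order of first appearance."""
    return list(dict.fromkeys(FLAG_RE.findall(payload)))

def flag_dumps(records, max_flags=1):
    """Return (service, peer, flags) for responses carrying more than max_flags flags.

    Assumption: a legitimate read-back returns one flag per response, so a
    response with several distinct flags suggests a leak in that service.
    """
    hits = []
    for service, peer, payload in records:
        flags = find_flags(payload)
        if len(flags) > max_flags:
            hits.append((service, peer, flags))
    return hits

def fake_flag(ch):
    """Constructed flag: 'ENO' plus 48 copies of one character."""
    return "ENO" + ch * 48

# Constructed outbound responses: (service, peer address, response body).
# The peer is identical everywhere because the VPN NATs all traffic, so the
# source address cannot separate the Gameserver from other teams.
SAMPLE_RESPONSES = [
    ("notes", "10.0.0.1", '{"note": "%s"}' % fake_flag("a")),
    ("notes", "10.0.0.1", "users: " + " ".join(fake_flag(c) for c in "bcd")),
    ("shop", "10.0.0.1", "order ENO" + "x" * 47 + "!"),  # 47 chars: not a flag
    ("shop", "10.0.0.1", fake_flag("e") + " " + fake_flag("e")),  # same flag twice
]

if __name__ == "__main__":
    for service, peer, flags in flag_dumps(SAMPLE_RESPONSES):
        print(f"{service}: {len(flags)} flags in one response to {peer}")
```

A service that shows up here is the one to patch first, keeping in mind that the fix must not break the functionality the Gameserver relies on for SLA.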
Setup Details
We will be providing hosted vulnboxes for all teams. You can start your vulnbox through the registration page after the start of the CTF. Note that you must check in before the start of the CTF, otherwise you will not be able to start your vulnbox!
You can download an OpenVPN configuration file which allows you to access your vulnbox as well as the rest of the competition network. You will be able to access your vulnbox immediately after the start, whereas the rest of the competition network will only be reachable after the network has opened.
The vulnbox has the IP address 10.1.teamID.1, your team network will be assigned IP addresses from the IP range 10.1.teamID.130 to 10.1.teamID.254. While we are blocking direct access to your team VPN from other teams, your device will be reachable from the vulnbox and thus might be targetable by teams who get remote code execution on your vulnbox. Please take measures to protect your device used to access the network, e.g. by setting up a firewall!
For security reasons, the access to Arkime/Moloch is blocked over the network and it is only accessible from localhost. You can use SSH port forwarding to access your Arkime/Moloch by running ssh -L 8005:localhost:8005 root@ . Then you will be able to access it on your local machine by opening http://localhost:8005 and logging in with username and password moloch.
Attack Info
This endpoint delivers a JSON that is updated at the start of every round and has the following format:
{
  "availableTeams": ["10.1.52.1"],
  "services": {
    "service_1": {
      "10.1.52.1": {
        "7": [["user73"], ["user5"]],
        "8": [["user96"], ["user314"]]
      }
    }
  }
}
The availableTeams field contains a list of team addresses that were at least partially up in the previous round. The services field will, for some services, provide you with additional information that may be helpful or necessary to exploit a given service. This is typically something like the username of the account containing the flag, but the exact format depends on the service. These are grouped by service, team address, and type of flag.
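A parser for the attack info format described above, as an added example that is not ENOWARS code. The function names and the labels "group" and "slot" for the nesting levels under a team address are this example's own; the sample document is the one shown on this page.

```python
import json

# Sample attack info document, copied from the format shown above.
SAMPLE = """{ "availableTeams": [ "10.1.52.1" ], "services": { "service_1":
{ "10.1.52.1": { "7": [ [ "user73" ], [ "user5" ] ],
                 "8": [ [ "user96" ], [ "user314" ] ] } } } }"""

def flatten_attack_info(doc):
    """Rows of (service, team, group, slot, hints) for teams in availableTeams.

    "group" is the key under a team address ("7", "8" in the sample) and
    "slot" the position inside its list; both names are this example's own.
    Entries with an unexpected shape are skipped instead of raising.
    """
    available = set(doc.get("availableTeams", []))
    rows = []
    for service, teams in doc.get("services", {}).items():
        if not isinstance(teams, dict):
            continue
        for team, groups in teams.items():
            if team not in available or not isinstance(groups, dict):
                continue
            for group, slots in groups.items():
                if not isinstance(slots, list):
                    continue
                for slot, hints in enumerate(slots):
                    if isinstance(hints, list):
                        rows.append((service, team, group, slot, hints))
    return rows

def hints_for(doc, address):
    """Per service, the distinct hints published for one team address.

    Run against your own Vulnbox address, this lists what everyone else
    is told about your services, typically the accounts holding flags.
    """
    out = {}
    for service, team, _group, _slot, hints in flatten_attack_info(doc):
        if team == address:
            seen = out.setdefault(service, {})
            seen.update(dict.fromkeys(map(str, hints)))
    return {service: list(seen) for service, seen in out.items()}

if __name__ == "__main__":
    info = json.loads(SAMPLE)
    for row in flatten_attack_info(info):
        print(row)
    print(hints_for(info, "10.1.52.1"))
```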
Opponent IP List
For the services that do not have attack infos available, you can get a list of IP addresses here.
Scoring
We are currently using the scoring formula by Faust CTF.
Social Conduct
TL;DR: Be good! It’s a game. Attack the services, not the players. Be sure that we can contact you.
The goal of this CTF is to allow people to practice their skills and have fun. We ask you to avoid spoiling others’ fun unnecessarily.
We want the competition to be a pleasant experience for all participants, regardless of their gender, sexual orientation, race, religion, skill level, personal background or any other criteria. Therefore, we do not tolerate harassment in any form.
This especially applies to our official communication channels, i.e. Discord and Twitter. Misbehavior may lead to a ban from these communication channels and ultimately, the same consequences as for any other rule violation (see below). We ask everyone to speak English on the Discord server, so that all participants know what’s going on.
Teams are prohibited from collaborating with other teams (e.g. sharing flags, information on vulnerabilities and exploits, or similar). There may be some services where collaboration is allowed; this will be stated explicitly. Every individual participant may only be a member of one team.
The Vulnboxes of other teams are the sole target for exploitation, attacks against competition infrastructure or any other portion of a team’s network (inside or outside of the VPN) are forbidden.
Causing unnecessarily high loads for CPU, traffic, memory, I/O, etc. (“denial of service”) on our infrastructure, other teams (including Vulnboxes) or any other party is also strictly prohibited. Breaking a service of another team through sheer amount of requests is forbidden, breaking it through a vulnerability is OK as long as it does not lead to resource spikes. But remember that preventing yourself from stealing their flags won’t do you any good.
Despite these policies, all participants are responsible for the security of their own hard- and software. We will do our best to enforce the rules, but cannot give any guarantees for other participants’ behavior. We are not liable for any potential damage to your equipment.
Violation of the rules or any other hostile behavior may lead to deduction of points, temporary or permanent exclusion from the competition or any other measure deemed appropriate by the Organizing Team.
We suggest that every team have at least one representative on our Discord server with a nick starting with the team name. In case of problems this will be our first point of contact, because email delivery can be slow. If we want to stop you from doing something and are not able to reach you as fast as the issue requires, we might temporarily kill your VPN connection in order to get your attention.
ESCAPE CTF 2023
Saturday, August 5th — Sunday, August 6th
This ESCAPE CTF 2023 has the theme of “escape” as the title suggests. Solve the challenges and try to escape!
Pwnable, Reversing, Web, Forensic, Crypto, Misc. Each field has 3 challenges (MISC 4 challenges).
The Final 🥇🥈🥉 team can receive a variety of licenses supported by the sponsor. (Further notice via Discord)
BDSec CTF 2023
Think Fast, Hack Smart, Win The Game !!
Unleash your full potential and put your hacking skills to the test with BDSec CTF 2023! Organized by the Knight Squad community from Bangladesh, this premier international competition brings together top hackers from around the world to compete in challenging categories such as web exploitation, reverse engineering, and cryptography. Join us for BDSec CTF 2023 and make a name for yourself in the exciting world of cyber security!
Event will start on 20 July 2023 at 09 PM GMT +6. Register Your Team Now !!
[ PRIZES ]
- First Prize
- [+] Parrot CTFs VIP Vouchers
- [+] Discord Bot Hosting
- [+] JetBrains IDE License
- [+] BurpBounty Pro License
- [+] Wolfram|One for 1 Year
- [+] Wolfram|Alpha Pro for 1 Year
- Second Prize
- [+] Parrot CTFs VIP Vouchers
- [+] Discord Bot Hosting
- [+] JetBrains IDE License
- [+] BurpBounty Pro License
- [+] Wolfram|One for 1 Year
- [+] Wolfram|Alpha Pro for 1 Year
- Third Prize
- [+] Parrot CTFs VIP Vouchers
- [+] Discord Bot Hosting
- [+] JetBrains IDE License
- [+] BurpBounty Pro License
- [+] Wolfram|One for 1 Year
- [+] Wolfram|Alpha Pro for 1 Year
[ WHO ARE WE ]
We are Knight Squad, an ethical hacker community in Bangladesh founded on 28 January 2020. Since then the community has been trying to contribute to the cyber space of Bangladesh by organizing free workshops, CTF competitions and so on.
Our official website : https://knightsquad.org/
CCCamp CTF 2023
Wednesday, August 16th — Thursday, August 17th
The CTF is open to everyone and can be played online. You do not need to pre-register for the event. A CTFtime.org account will be required to sign into the event (make sure your team members have access!).
We will be at Camp in our ALLES! Village. You are welcome to come and sit down at the village.
Communication for this event will happen on Discord.
We prepared typical challenges in the classic categories (Reversing, Crypto, Web, Pwning, Game Hacking and Misc)
HACKER SUMMER CAMP 2023 HACKATHON HIGHLIGHTS
MLH Global Hack Week INIT
July 3rd — 10th, 2023
Join us in July to kick off the 2024 Hackathon Season! This GHW will feature special community facing announcements 👀
https://organize.mlh.io/participants/events/9610-global-hack-week-season-launch
It’s free for anyone, anywhere
Global Hack Week is a 100% free event for anyone, anywhere! It’s easy to register and participate, so join us and put your skills to the test.
Follow along with live challenges
Whether you’re a seasoned pro or just starting out, there’s always something exciting and new to discover at Global Hack Week.
Join a Guild
Join a digital community called a “Guild” to complete challenges together, enjoy mini-events, and more all while making new friends and connections.
Global Hack Week is organized by Major League Hacking (MLH). It is our mission to empower hackers worldwide by providing them with the tools, resources, and opportunities they need to succeed.
We want to make sure that all MLH events are an inclusive and safe space for all attendees, organizers, and sponsors. For this reason, the MLH Code of Conduct should be followed throughout the event.
KATY YOUTH HACKS
Friday, August 11th — Sunday, August 13th
Katy Youth Hacks is a 36-hour long hackathon hosted by Girls Who Code Katy for students from all around the world.
Our theme for this year is sustainability — we hope to guide participants to take a greater role in fighting social problems while encouraging underrepresented groups to engage in computer science and tech development.
By challenging students to solve real-world problems with technology, KatyYouthHacks aims to inspire the next generation of developers.
Who can participate?
ALL high school, middle school, and college students are eligible. (Not just girls!)
1st Place:
- Logitech Keyboard
- JBL Headphones
2nd Place:
- Logitech G203 Gaming Mouse
- Anker Portable Charger
3rd Place:
- Venture Pal Waterbottle
- Blue Light Glasses
Best Design:
- Fujifilm Quicksnap Camera
Best Beginner Hack:
- 3-Pack Lightning Cable Charges
Honorable Mention:
- Exclusive Sponsor Prizes
All Participants:
- Sponsor Prizes
MORE CTFs & HACKATHONS COMING SOON!
CONTINUE TO :: HACKER SUMMER CAMP 2023 — Part Three: SummerC0n