
AppSec Village (CTF)²


  • AppSec Village (CTF)²

    It's a CTF Task Fight!!!

    CTFs test your skills, challenge your ingenuity, and push mental boundaries. But what is even MORE AWESOME than a regular CTF?

    A (CTF)²!! A competition that stretches your creative mind as a task author and makes you step up your game as a task player. This year, AppSec Village @ DEF CON 28 invites you to compete in both roles!

    Calling all CTF Authors!

    The AppSec Village CTF Task Fight invites you to join the talent search for the world’s best CTF authors! Write and submit a new challenge. Do you have an amazing task that has already been used? Submit it to the AppSec Village Hall of Fame for a chance at Honorable Mention. Hall of Fame challenges will be voted on by the players to win special prizes. Levels due before midnight July 24th.

    Task Players

    Ready to test your muster? You will also have the chance to play some of the Judges’ favorite burned tasks in the CTF Hall Of Fame.

    Stay tuned to learn about prizes, who's on our amazing judging panel, and where to submit!

    Task Judging

    Our panel of badass judges will review your challenge and select the best for the CTF Task Fight! Judges will evaluate the tasks based on creativity, level of difficulty, and amount of awesomeness. Tasks will compete in 5 categories:
    1. Web
    2. Pwn
    3. Crypto
    4. Reversing
    5. Misc
    Judges will select 2 finalists from each category (10 winners in total). All task finalists will win a DEF CON 29 badge, and a chance to compete for the "Best Overall Task" and $1337 USD!

    Task Author Prize Categories:
    • Best PWN: 2 Finalists.
      • This category should consist of a binary without a flag, that is provided to players, and an online service running the same binary with a flag. The players should find the vulnerability from the local binary and exploit the remote service to obtain the flag. Crypto-only challenges should apply to crypto instead. Challenges that include the flag in the downloaded binary, or that do not have a vulnerability should apply to Reversing instead.
    • Best WEB: 2 Finalists.
      • This category should consist of a web (HTTP) service vulnerable to a client-side vulnerability (CSRF, XSS, etc), or a server-side vulnerability (SQLi, SSRF, etc). The players should NOT be able to find the vulnerability through the use of scanners. If a vulnerability could be found by a scanner, it should be provided in the challenge description. Challenges should be self-contained by infrastructure.
    • Best CRYPTO: 2 Finalists.
      • This category should consist of either a file, or of one or more online services (TCP or HTTP) implementing a crypto protocol or weakness that players must exploit by solving a cryptographic challenge. If players just need to reverse engineer the protocol or algorithm used, the challenge must be submitted to Reversing instead.
    • Best REVERSING: 2 Finalists.
      • This category should consist of either a file, or one or more online services on which players must reverse engineer a system or binary to discover a flag. This category is not steganography related, and does not exploit a vulnerability. Players should be able to extract or deduce the flag without depending on luck. Challenges must test skills related to application security.
        • Reverse Engineering is a crucial component for most vulnerability research, and tasks in this category should test skills that could be useful in application security. Examples of this include, but are not limited to the type of deobfuscation needed when looking for vulnerabilities in closed-source code, working on top of niche or old architectures when doing security research, hardware security research, or even debugging the communication protocol between a JavaScript web application and the server. Note that challenges in this category should not exploit a vulnerability themselves, and are just meant to test the skills of the reverse engineering stage of vulnerability research.
    • Best MISC: 2 Finalists.
      • Any challenge that doesn't match the criteria of a category presented above must be submitted in this category. Challenges must be related to application security.

    Finalists from the tasks below will also be labelled as PWN/WEB/CRYPTO/REVERSING/MISC.
    • Best Implemented Task
      • Great attention to detail. Great User Interface. Superb documentation. Overall high quality. Superb stability (if applicable). Abuse protection. Great monitoring or troubleshooting.
    • Best (educational) Beginners Task
      • Complete beginners (CS students) could solve the task and learn something from it. Can be used as a "gateway" to CTFs. Required knowledge presented to players naturally. Dead-ends and next-steps clearly defined.
    • Most fun/engaging Task
      • Tasks that are fun and engaging to solve. Either because of the mechanics, or because of the overall problem solving experience designed by the author. Must be fun for most players, so if a challenge is very hard, it might qualify for Best Implementation or Most innovative instead.
    • Best (reasonable) Difficult Task
      • Best task for experienced players. Could be a 500 points task in top-tier CTFs. Solution is reasonable. Can't be solved by pure luck. Acceptable amount of work.
    • Most innovative/original Task
      • Solution requires a novel exploitation idea, a new vulnerability class, a never-seen before primitive, or is otherwise unique in some positive way.

    Challenge Submission
    • Must be submitted as a link to a ZIP by July 24, 2020.
    • Must be licensed with an OSI approved license. Will be open-sourced after the CTF ends.
      • Third-party dependencies should be clearly marked!
    • Must be completely novel and never seen before (unless applying for "Hall of Fame")
      • IMPORTANT: Task must be kept secret until after the end of the competition (August 10). If a task is leaked, it will be disqualified.
    • Must submit your level in a ZIP file that includes a Dockerfile and code for your task.
    • Must meet the criteria for one of the 5 categories (web, pwn, crypto, reversing, misc)
    • Must include a file that includes (in English) three sections:
      • Public Challenge Description.
        • What players will see, including hints (if any).
      • Secret Design Specification. For example, a slide deck, design document or similar.
        • This will be what the judging panel will use to score the challenge.
      • Full Solution Explanation. A CTF task write-up and exploit.
        • This will be what the judging panel uses to score the challenge.
        • Don't forget to include the flag.
    • Must include an exploit and solver that works out of the box (use a Dockerfile as well)
    • Challenge must be solvable in less than 2 days (the CTF lasts longer, but challenges shouldn't take longer than 2 days to solve)
    • Flag format is CTF\{[a-zA-Z+/.=!_-]{10,100}\} unless impossible (challenge description should explain).
    • A task can be a finalist for more than one nomination (best PWN + most innovative), but can only be in one category (can't be in both PWN and MISC).
    • Authors can submit multiple tasks and can be finalists multiple times.
    • Multi-flag / Multi-stage tasks are not allowed. Every task must be self-contained.
    For tips and suggestions on how to make great CTF tasks check The CTF Design Guidelines, The Many Maxims of Maximally Effective CTFs, and PPP Suggestions for Running a CTF.

  • #2
    Email for questions: ctf{at}appsecvillage{dot}com