Take part in this year's 9447 CTF over at: https://9447.plumbing/
As promised, the scoring site is now released as open source at https://github.com/Nakiami/mellivora
Huge thanks to all participants - a fantastic show of skill. We had a great time and hope you enjoyed the last 24 hours.
Congratulations to the winners of UNSWCTF:
#1 - Team "7449" (The University of New South Wales)
Sarah Jayne Bennett, Evgeny Martynov, Oliver Chang, and John Cramb
#2 - Team "takyon" (The University of New South Wales)
Ben Faull, Steven Fan, and Casey Roberts
#3 (General), #1 (High School) - Team "a" (North Sydney Boys High School)
Austin Tankiang, Donny Yang, Kelvin Xu, and Haimin Huang
Shortly before the competition ended, the team th3j35t3r withdrew from the competition as not all of their members were students, and were as such not eligible to compete.
In the interest of furthering everyone’s education, all placing teams have kindly produced write-ups of how they solved the challenges. They can be found here:
If you wish to attempt the challenges again, you can still download associated files by logging on with your user details. Challenge services are no longer running however, so you will have to set up locally.
You can register interest in future events here. Future events are likely going to be open to the public.
Thanks again to our sponsors, Securus Global, without which the competition would not have been possible.
Welcome to game day! All accounts have been enabled. You should have received an email from us this morning with important information.
Please Ctrl + F5 twice on the page to get the latest CSS. Otherwise the challenge page will look very bad.
Please see https://twitter.com/UNSWCTF
Click this link to join our chat channel using Kiwi IRC.
Welcome to the UNSW Security Society CTF, sponsored by Securus Global. Australian university, high school and TAFE students are invited to register today. The intention of this competition is to raise public awareness of the importance of security in IT technologies. It aims to create an environment in which teams of students can use their skills constructively to solve security related problems.
The top three teams receive
- 1st place $1000 cash, as well as three tickets to attend the Ruxcon Security Conference in Melbourne
- 2nd place $500 cash
- 3rd place $250 cash
Special prizes will also be awarded to the highest scoring high school team (TBA).
The competition is run online and teams can compete from any location. This site is used for retrieving challenges, submitting flags and tracking scores during the competition. Updates and service statuses will be posted on our twitter account: https://twitter.com/UNSWCTF. Important team-specific updates will be sent by email to registered teams. The competition is open to Australian university, high school and TAFE students only. An email address issued by your institution is required to register.
The competition is set to run continuously for 24 hours, starting at 10am (Sydney time), Saturday the 28th of September, 2013.
Registration closes one week before the competition begins. The scoreboard will be public - spectators do not need to register.
Challenge topics cover
- Web applications
- Reverse engineering and exploitation
- Network and memory forensics
and are aimed at students of all levels.
- The goal of each challenge is to uncover a "flag", which is a string of text. The flags for each challenge are submitted on this site in order to receive points. Challenges award varying amounts of points depending on difficulty. The team with the most points at the end of the competition wins (see below).
- The scoreboard (made available once the competition begins) is automatically updated to reflect the current state of the competition. Discounting any teams being disqualified, the scoreboard will reflect the final rankings when the competition ends. In the event of a tie for points, the team that submitted their flags fastest wins. The scoreboard reflects this.
- While under way, updates about the competition will be posted at https://twitter.com/UNSWCTF
- IRC is the first point of contact. Please join #unsw-ctf on irc.what-network.net:6697. If you're not used to IRC, the easiest way to get on the channel is to use a web client like KiwiIRC. Use this link to go to our channel using KiwiIRC.
- You can also contact us by email at ctf[at]k17[dot]org.
- Teams entering can have a maximum of four members.
- All team members must be current Australian university, high school or TAFE students. All signups must be with EDU email addresses.
- The organizers may change rules throughout the competition. If rules are modified, the changes will be announced on IRC and on this site.
- Teams breaking rules may be penalized or excluded from the competition. Logs will be analyzed to ensure fair play, and the final winners will be announced within 24 hours of competition ending.
It is not allowed
- for teams, directly or indirectly, voluntarily or involuntarily, to cooperate on challenges.
- to attack, attempt to uncover or in any way exploit flaws in the competition infrastructure. This includes any and all entities not explicitly pointed to as fair targets in the challenges. If flaws in the infrastructure are found they must be reported.
- to sabotage or in any way hinder the progress of other competing teams. This includes attempting to destroy a challenge after you have completed it.
- to generate large amounts of traffic.
- to brute-force challenge flags/keys against the scoring site.
For placing teams to receive prizes, they must
- undergo identity verification.
- produce a short writeup of each challenge, explaining how it was solved. This writeup may be published.
I'm a noob, where can I go for learning before the competition begins?
- Q: Are students from multiple different high schools forming a total group of 4 people considered as a "high school team"?
A: Yes, teams from mixed institutions are allowed.
- Q: One of the rules states that we are not supposed to drive high amounts of traffic to the site, could you please explain or give a specific on how much traffic is considered bad/breaking the rules.
A: This rule really just relates to tools/behavior that serve no other purpose than to generate large amounts of traffic.
- Q: Can general tools such as FuzzDB and Burpsuite be used in the competition?
A: You can use any tools you want against valid targets - unless they explicitly break rules above or rules defined for that challenge.
- Q: Could you please explain what "memory forensics" refers to/means?
A: Memory forensics usually refers to analyzing a memory dump from a computer. You can look into Volatility for more information.
- Q: How many people have access to my email? What will you do with my email?
A: Only the organizers (three people) have access to your email addresses. They won't be shared with anyone and will only be used to send out information regarding the UNSW CTF.
- Q: There's a bug / mistake in your code, you're sending out plain text passwords!
A: It's not a bug, it's a feature. The registration page clearly states that your password will be sent to you.
- Q: How are passwords stored in the database?
A: They're hashed. Don't rely on this for security, etc, though.