Panoply Rules

Blackhat 2015 Edition



Welcome to the Black Hat Europe 2015 Panoply competition.  Panoply is a network assessment and network defense competition that will run on Thursday, November 12th and Friday, November 13th.  Each day is a separate event with different target sets - you may compete in either day or both days.  Prizes will be awarded to the top three scores from each competition day:  Grand prize:  Black Hat Briefings Pass (free briefings pass to Black Hat 2016); Second Place:  500GB SATA3 SSD, Third Place: Rasberry Pi 2 (1 GB) Dev Kit.  NOTE:  Competitors may receive a maximum of one (1) grand prize per person.


At the beginning of the competition, common resources are available for competitors to scan, assess, and penetrate.  To claim ownership of a service, you must plant your flag, an assigned hexadecimal hash, inside the banner of the service or inside specified files (depending on the service).  An automated scoring engine detects ownership changes and awards points for each functional service to the competitor whose flag appears in the service banner or file.  At random intervals, the scoring engine checks the status and functionality of all critical services in the competition environment. 


If a competitor has ownership of a functional critical service during a successful service check, that competitor is awarded points for owning and maintaining a critical service.  Competitors must maintain the original functionality and content of services they own (i.e., an owned website must continue to serve the same content).  Competitors accumulate points for each critical service they control and continue to accumulate points as long as they own and maintain those critical services.  Competitors that fail to secure resources and services they have captured may have them taken away by other competitors.  The competitor with the highest point total at the end of the competition wins.


Who can play?

The Panoply competition is open to any Black Hat Europe 2015 attendee excluding employees of Blackhat and the University of Texas at San Antonio. To play, simply stop by the NCCDC/CIAS booth to fill out a registration form and recieve your hash.


A Grand Prize will be awarded to the contestant with the highest score each day. The grand prize is a fully paid briefings pass to the Black Hat 2016 conference.  Competitors are only eligible for one Grand Prize.


Each day, second place will receive 500 gigabit Solid State Drive.  Third place will receive a Rasberry Pi 2 (1 GB) Dev Kit.

Raffles for a 500 SSD  will be held at the end of the two days of competition.  If at any time during the competition you owned a functional service and gained points from a successful service check, you will automatically be entered into the raffles.



  1.  Software and Equipment
    1. Competitors must provide their own assessment platform and tools.
    2. Competitors may use any open-source or commercial assessment, exploitation, or scanning tool.
    3. Competitors may install software on resources they have captured including patches, applications, firewalls, and so on.
    4. Competitors assume all responsibility for any damage that may occur to their assessment systems. Competitors are responsible for securing their own systems. This is a blackholed network with no available Internet access; however, other competitors using malicious tools will be on the same subnet.
    5. Competitors will connect to a dedicated wireless network for all Panoply activity.
  2. Competition Conduct
    1. Competitors are prohibited from conducting offensive operations against any White Team system including but not limited to scoring systems, display systems, and the core network.  Any offensive actions against White Team systems can result in disqualification.
    2. Competitors are allowed to use active response mechanisms such as TCP resets when responding to suspicious/malicious activity.  Any active mechanisms that interfere with the functionality of the scoring engine or manual scoring checks are exclusively the responsibility of the competitors.  Any firewall rule, IDS, IPS, or defensive action that interferes with the functionality of the scoring engine or manual scoring checks are exclusively the responsibility of the competitors.
    3. Network flooding attacks are prohibited during the competition.
    4. Competitors may capture ownership of target systems and services from other competitors.
    5. Attacking other competitors’ personal systems is discouraged and may be grounds for disqualification.
  3. Scoring
    1. Competitors will receive points for each successful check on a service they own at the time the scoring check is run.  For a check to be successful the service must be responsive and continue to provide the same functionality and content as it did prior to ownership.
    2. To own a service, competitors must plant their “flag” – an 8 character hash – in the service they are attempting to own.
    3. Each service has an associated service level agreement of 30 minutes.  When a service is in violation of the service level agreement (down or non-functional for 30 minutes), the entire system that service resides on will be reset to its starting configuration.
    4. All identified critical services must be accessible to the scoring engine at all times.  The scoring engine operates using random source addresses.  Any effort to block or restrict access to a critical service that interferes with scoring engine access is the fault of the competitors and may result in SLA violations.  All services must accept connection attempts from any source IP address.
    5. Each day is a separate competition and scores will be zeroed out at the beginning of Day 2.  However, the Grand Prize winners are only eligible for the Grand Prize once during the 2 day period.

Competition Play

At the start of the event there will be a number of virtual machines running as targets for competitors to probe and break into.  These are the “resources” you need to control.  All competitors will attempt to break into and control the same set of targets.  The services and operating system on each target vary so it could be a Windows 2003 server running DNS or a Solaris server running Apache and SSH.  Each target will have one or more critical services on it – these are the services necessary to keep operational when you take over a target.  The IP address and critical service(s) on that IP will be published on the internal Panoply website so you won’t have to guess what they are.

Once you’ve gained access to a target, you’ll need to show you have control of it by marking the critical service with your unique hash.  For an FTP service you’ll need to plant your hash inside the FTP banner – so it will say “Welcome to FTP ABCD1234” instead of “Welcome to FTP” (replace ABCD1234 with your unique hash).  For an HTTP service you’ll create a file called “ownership.html” in the top level web directory with your hash inside the file.  Due to the nature of how different services operate, here’s how you’ll mark ownership for each critical service type (please note that not all of these services may appear at this competition):

  • HTTP and HTTPS:  You’ll need to create a file called “ownership.html”, put your hash in that file, and place that file on the top level of the web directory (same place you’d put index.html). The file needs to be world readable and the HTTP service (including any existing content) must remain world readable and accessible from any IP address.
  • FTP:  You need to put your hash inside the FTP banner.  If the FTP service reads “Welcome to FTP” you need to modify it to read “Welcome to FTP ABCD1234” where ABCD1234 is your unique hash.  FTP services must accept connections from any IP address.  If the FTP service allows anonymous access when you take ownership, it must continue to provide anonymous read access to any IP address at all times.
  • Windows File Share and SAMBA Shares:  You need to create a file called “ownership.txt”, put your hash in that file, and place that file on the top level of the file share.  The file needs to be world readable by all system users.  All shares must accept connection attempts from any IP address.  If the share is providing anonymous read access when you take ownership, it must continue to provide anonymous read access to any IP address at all times.  If the share is restricted to specific users you must maintain read/write access for those users from any IP address.
  • SSH:  You’ll need to enable or modify the pre-login welcome banner of the SSH service so it includes your unique hash (usually /etc/banner or /etc/issue). 
  • SMTP:  You’ll need to modify the greeting message the mail service displays when connections are made to it and place your unique hash inside the greeting message.
  • POP3:  You’ll need to modify the greeting message the POP3 service displays when connections are made to it and place your unique hash inside the greeting message.  You must allow plain text authentication on POP3 services.
  • Telnet:  You’ll need to create or modify the welcome banner of the Telnet service so it includes your unique hash.
  • DNS:  You have to create a reverse lookup entry that responds to DNS queries with an IP address of and your hash in the name.  For example, if we do an nslookup of using the DNS server you control it should respond with something like “Name: ABCD1234  Address:” where ABCD1234 is your unique hash.

  • The scoring engine uses random source IP addresses for each scoring check - your services must accept connections from any IP address to be considered “functional”. 
    After you’ve marked a critical service and claimed it as your own, you have to keep it functional while defending it against other competitors.  You may have to adjust the configuration of the service, patch the operating system, etc. to keep it safe but know that other competitors will be trying to break into the target you’ve claimed and take your service from you.  Why?  Because you only score points if you have control of a critical service and that service is still working properly.
    A scoring engine will check each critical service at random intervals, usually every 3 to 5 minutes.  The critical service has to be running and functional – in other words the content has to match what was there at the beginning and the service still needs to provide the required functionality.  So an HTTP service still needs to display the original website, an FTP service still needs to serve up the files, a DNS service has to resolve queries, shares still need to allow read access from any IP address, etc.  When you take ownership of a service, you can’t destroy the content that was there while you’re taking ownership and once you own it you can’t let a competitor destroy the content of your service.  When the scoring engine checks a service, it will also determine who owns that service.  If you own that service and the service is still functioning, you’ll get points.  You get points every time the scoring engine checks one of the services you own if that service is still working properly.  The more targets and services you control – the more points you score.  High score at the end of each day wins.


    © Panoply 2015. All Rights Reserved.

    University of Texas San Antonio