Panoply Rules

Black Hat 2020 Edition

 

Overview

Welcome to the Black Hat Europe 2020 Panoply competition.  Panoply is a network assessment and network defense competition that will run on Tuesday, December 8th from 6PM to 10PM GMT.  Prizes will be awarded to the top three scores:  Grand prize:  Black Hat Black Card valid for a full Briefings pass to a Black Hat 2021 core event (Asia, USA, or Europe).; Second Place:  Black Hat Ogio Backpack, Third Place: Black Hat water bottle  

 

At the beginning of the competition, common resources are available for competitors to scan, assess, and penetrate.  To claim ownership of a service, you must plant your player token, an assigned hexadecimal hash, inside the banner of the service or inside specified files (depending on the service).  An automated scoring engine detects ownership changes and awards points for each functional service to the competitor whose token appears in the service banner or file.  At random intervals, the scoring engine checks the status and functionality of all critical services in the competition environment. 

 

If a competitor has ownership of a functional critical service during a successful service check, that competitor is awarded points for owning and maintaining a critical service.  Competitors must maintain the original functionality and content of services they own (i.e., an owned website must continue to serve the same content).  Competitors accumulate points for each critical service they control and continue to accumulate points as long as they own and maintain those critical services.  Competitors that fail to secure resources and services they have captured may have them taken away by other competitors.  The competitor with the highest point total at the end of the competition wins.

 

Who can play?

The Panoply competition is open to any Black Hat EU 2020 attendee excluding employees of Black Hat and the University of Texas at San Antonio. To play, simply register at the Eventbrite site by clicking here. After you are registered competition officials will contact you with your player token, VPN credentials, and other information. Prizes can be claimed by stopping by our booth at Black Hat.


Prizes

A Grand Prize will be awarded to the contestant with the highest score. The grand prize is a Black Hat Black Card valid for a full Briefing pass to a Black Hat 2020 core event (Asia, USA, or Europe) 

 

Second place will receive a Black Hat Ogio Backpack 


Third place will receive a Blackhat Water Bottle


 

Rules

  1.  Software and Equipment
    1. Competitors must provide their own assessment platform, tools, and Internet connectivity.
    2. Competitors may use any open-source or commercial assessment, exploitation, or scanning tool.
    3. Competitors may install software on resources they have captured including patches, applications, firewalls, and so on.
    4. Competitors assume all responsibility for any damage that may occur to their assessment systems. Competitors are responsible for securing their own systems.
    5. Competitors will connect to our target environment through a VPN client for all Panoply activity.
  2. Competition Conduct
    1. Competitors are prohibited from conducting offensive operations against any White Team system including but not limited to scoring systems, display systems, and the core network.  Any offensive actions against White Team systems can result in disqualification.
    2. Competitors are allowed to use active response mechanisms such as TCP resets when responding to suspicious/malicious activity.  Any active mechanisms that interfere with the functionality of the scoring engine or manual scoring checks are exclusively the responsibility of the competitors.  Any firewall rule, IDS, IPS, or defensive action that interferes with the functionality of the scoring engine or manual scoring checks are exclusively the responsibility of the competitors.
    3. Network flooding attacks are prohibited during the competition.
    4. Competitors may capture ownership of target systems and services from other competitors.
    5. Attacking other competitors’ personal systems is discouraged and may be grounds for disqualification.
  3. Scoring
    1. Competitors will receive points for each successful check on a service they own at the time the scoring check is run.  For a check to be successful the service must be responsive and continue to provide the same functionality and content as it did prior to ownership.
    2. To own a service, competitors must plant their “token” – an 8 character hash – in the service they are attempting to own.
    3. Each service has an associated service level agreement of 15 minutes.  When a service is in violation of the service level agreement (down or non-functional for 15 minutes), the entire system that service resides on will be reset to its starting configuration.
    4. All identified critical services must be accessible to the scoring engine at all times.  The scoring engine operates using random source addresses.  Any effort to block or restrict access to a critical service that interferes with scoring engine access is the fault of the competitors and may result in SLA violations.  All services must accept connection attempts from any source IP address.

Competition Play

At the start of the event there will be a number of virtual machines running as targets for competitors to probe and break into.  These are the “resources” you need to control.  All competitors will attempt to break into and control the same set of targets.  The services and operating system on each target vary so it could be a Windows 2003 server running DNS or a Solaris server running Apache and SSH.  Each target will have one or more critical services on it – these are the services necessary to keep operational when you take over a target.  The IP address and critical service(s) on that IP will be published on the internal Panoply website so you won’t have to guess what they are.


Once you’ve gained access to a target, you’ll need to show you have control of it by marking the critical service with your unique hash.  For an FTP service you’ll need to plant your hash inside the FTP banner – so it will say “Welcome to FTP ABCD1234” instead of “Welcome to FTP” (replace ABCD1234 with your unique hash).  For an HTTP service you’ll create a file called “ownership.html” in the top level web directory with your hash inside the file.  Due to the nature of how different services operate, here’s how you’ll mark ownership for each critical service type (please note that not all of these services may appear at this competition):

  • HTTP and HTTPS:  You’ll need to create a file called “ownership.html”, put your hash in that file, and place that file on the top level of the web directory (same place you’d put index.html). The file needs to be world readable and the HTTP service (including any existing content) must remain world readable and accessible from any IP address.
  • FTP:  You need to put your hash inside the FTP banner.  If the FTP service reads “Welcome to FTP” you need to modify it to read “Welcome to FTP ABCD1234” where ABCD1234 is your unique hash.  FTP services must accept connections from any IP address.  If the FTP service allows anonymous access when you take ownership, it must continue to provide anonymous read access to any IP address at all times.
  • Windows File Share and SAMBA Shares:  You need to create a file called “ownership.txt”, put your hash in that file, and place that file on the top level of the file share.  The file needs to be world readable by all system users.  All shares must accept connection attempts from any IP address.  If the share is providing anonymous read access when you take ownership, it must continue to provide anonymous read access to any IP address at all times.  If the share is restricted to specific users you must maintain read/write access for those users from any IP address.
  • SSH:  You’ll need to enable or modify the pre-login welcome banner of the SSH service so it includes your unique hash (usually /etc/banner or /etc/issue). 
  • SMTP:  You’ll need to modify the greeting message the mail service displays when connections are made to it and place your unique hash inside the greeting message.
  • POP3:  You’ll need to modify the greeting message the POP3 service displays when connections are made to it and place your unique hash inside the greeting message.  You must allow plain text authentication on POP3 services.
  • Telnet:  You’ll need to create or modify the welcome banner of the Telnet service so it includes your unique hash.
  • DNS:  You have to create a reverse lookup entry that responds to DNS queries with an IP address of 1.1.1.1 and your hash in the name.  For example, if we do an nslookup of 1.1.1.1 using the DNS server you control it should respond with something like “Name: ABCD1234  Address: 1.1.1.1” where ABCD1234 is your unique hash.

  • The scoring engine uses random source IP addresses for each scoring check - your services must accept connections from any IP address to be considered “functional”. 
     
    After you’ve marked a critical service and claimed it as your own, you have to keep it functional while defending it against other competitors.  You may have to adjust the configuration of the service, patch the operating system, etc. to keep it safe but know that other competitors will be trying to break into the target you’ve claimed and take your service from you.  Why?  Because you only score points if you have control of a critical service and that service is still working properly.
     
    A scoring engine will check each critical service at random intervals, usually every 3 to 5 minutes.  The critical service has to be running and functional – in other words the content has to match what was there at the beginning and the service still needs to provide the required functionality.  So an HTTP service still needs to display the original website, an FTP service still needs to serve up the files, a DNS service has to resolve queries, shares still need to allow read access from any IP address, etc.  When you take ownership of a service, you can’t destroy the content that was there while you’re taking ownership and once you own it you can’t let a competitor destroy the content of your service.  When the scoring engine checks a service, it will also determine who owns that service.  If you own that service and the service is still functioning, you’ll get points.  You get points every time the scoring engine checks one of the services you own if that service is still working properly.  The more targets and services you control – the more points you score.  High score at the end of the event wins.

     

    © Panoply 2020. All Rights Reserved.

    University of Texas San Antonio