Panoply Rules

New York State Cyber Security Conference, 2014 Edition

 

Overview

Welcome to the 2014 New York State Cyber Security Conference Panoply competition.  Panoply is a network assessment and network defense competition that will run on Tuesday, June 3rd and Wednesday, June 4th.  Each day is a separate event with different target sets - you may compete in either day or both days. Awards will be given to the top three scores from each competition day. Raffles for a solid state drive will be held at the end of each day of competition.  If at any time during the competition you owned a functional service and gained points from a successful service check, you will automatically be entered into the raffles.  Additional prizes will be available for specific competition challenges.

 

 At the beginning of the competition, common resources are available for competitors to scan, assess, and penetrate.  To claim ownership of a service, you must plant your flag, an assigned hexadecimal hash, inside the banner of the service or inside specified files (depending on the service).  An automated scoring engine detects ownership changes and awards points for each functional service to the competitor whose flag appears in the service banner or file.  At random intervals, the scoring engine checks the status and functionality of all critical services in the competition environment.

 

 If a competitor has ownership of a functional critical service during a successful service check, that competitor is awarded points for owning and maintaining a critical service.  Competitors must maintain the original functionality and content of services they own (i.e., an owned website must continue to serve the same content).  Competitors accumulate points for each critical service they control and continue to accumulate points as long as they own and maintain those critical services.  Competitors that fail to secure resources and services they have captured may have them taken away by other competitors.  The competitor with the highest point total at the end of the competition wins.

 

Who can play?

The Panoply competition is open to any New York State Cyber Security Conference attendee. To play, simply register at the New York State Cyber Security Conference website or stop by the competition area during the conference.

 

Rules

  1.  Software and Equipment
    1. Competitors must provide their own assessment platform and tools. (i.e., bring your own laptop to play on).
    2. Competitors may use any open-source or commercial assessment, exploitation, or scanning tool.
    3. Competitors may install software on resources they have captured including patches, applications, firewalls, and so on.
    4. Competitors assume all responsibility for any damage that may occur to their assessment systems. Competitors are responsible for securing their own systems.
    5. Competitors will connect to a dedicated wireless network for all Panoply activity.
  2. Competition Conduct
    1. Competitors are prohibited from conducting offensive operations against any White Team system including but not limited to scoring systems, display systems, and the core network.  Any offensive actions against White Team systems can result in disqualification.

    2. Competitors are allowed to use active response mechanisms such as TCP resets when responding to suspicious/malicious activity.  Any active mechanisms that interfere with the functionality of the scoring engine or manual scoring checks are exclusively the responsibility of the competitors.  Any firewall rule, IDS, IPS, or defensive action that interferes with the functionality of the scoring engine or manual scoring checks are exclusively the responsibility of the competitors.

    3. Network flooding attacks are prohibited during the competition and use of these types of attacks will result in your disqualification.

    4. Competitors may capture ownership of target systems and services from other competitors.
    5. Attacking other competitors’ personal systems is discouraged and may be grounds for disqualification.
  3. Scoring
    1. Competitors will receive points for each successful check on a service they own at the time the scoring check is run.  For a check to be successful the service must be responsive and continue to provide the same functionality and content as it did prior to ownership.

    2. To own a service, competitors must plant their “flag” – an 8 character hash – in the service they are attempting to own.

    3. Each service has an associated service level agreement of 30 minutes.  When a service is in violation of the service level agreement (down or non-functional for 30 minutes), the entire system that service resides on will be reset to its starting configuration.

    4. All identified critical services must be accessible to the scoring engine at all times.  The scoring engine operates using random source addresses.  Any effort to block or restrict access to a critical service that interferes with scoring engine access is the fault of the competitors and may result in SLA violations.  All services must accept connection attempts from any source IP address.

    5. Each day is a separate competition and scores will be zeroed out at the beginning of Day 2. 

Competition Play

At the start of the event there will be a number of virtual machines running as targets for competitors to probe and break into.  These are the “resources” you need to control.  All competitors will attempt to break into and control the same set of targets.  The services and operating system on each target vary so it could be a Windows 2003 server running DNS or a Solaris server running Apache and SSH.  Each target will have one or more critical services on it – these are the services necessary to keep operational when you take over a target.  The IP address and critical service(s) on that IP will be published on the internal Panoply website so you won’t have to guess what they are.


Once you’ve gained access to a target, you’ll need to show you have control of it by marking the critical service with your unique hash.  For an FTP service you’ll need to plant your hash inside the FTP banner – so it will say “Welcome to FTP ABCD1234” instead of “Welcome to FTP” (replace ABCD1234 with your unique hash).  For an HTTP service you’ll create a file called “ownership.html” in the top level web directory with your hash inside the file.  Due to the nature of how different services operate, here’s how you’ll mark ownership for each critical service type (please note that not all of these services may appear at this competition):



  • HTTP and HTTPSYou’ll need to create a file called “ownership.html”, put your hash in that file, and place that file on the top level of the web directory (same place you’d put index.html). The file needs to be world readable and the HTTP service (including any existing content) must remain world readable and accessible from any IP address.
  • FTPYou need to put your hash inside the FTP banner.  If the FTP service reads “Welcome to FTP” you need to modify it to read “Welcome to FTP ABCD1234” where ABCD1234 is your unique hash.  FTP services must accept connections from any IP address.  If the FTP service allows anonymous access when you take ownership, it must continue to provide anonymous read access to any IP address at all times.
  • Windows File Share and SAMBA SharesYou need to create a file called “ownership.txt”, put your hash in that file, and place that file on the top level of the file share.  The file needs to be world readable by all system users.  All shares must accept connection attempts from any IP address.  If the share is providing anonymous read access when you take ownership, it must continue to provide anonymous read access to any IP address at all times.  If the share is restricted to specific users you must maintain read/write access for those users from any IP address.
  • SSHYou’ll need to enable or modify the pre-login welcome banner of the SSH service so it includes your unique hash (usually /etc/banner or /etc/issue).
  • SMTPYou’ll need to modify the greeting message the mail service displays when connections are made to it and place your unique hash inside the greeting message.
  • POP3You’ll need to modify the greeting message the POP3 service displays when connections are made to it and place your unique hash inside the greeting message.  You must allow plain text authentication on POP3 services.
  • TelnetYou’ll need to create or modify the welcome banner of the Telnet service so it includes your unique hash.
  • DNSYou have to create a reverse lookup entry that responds to DNS queries with an IP address of 1.1.1.1 and your hash in the name.  For example, if we do an nslookup of 1.1.1.1 using the DNS server you control it should respond with something like “Name: ABCD1234  Address: 1.1.1.1” where ABCD1234 is your unique hash.

  • The scoring engine uses random source IP addresses for each scoring check - your services must accept connections from any IP address to be considered “functional”. 
     
    After you’ve marked a critical service and claimed it as your own, you have to keep it functional while defending it against other competitors.  You may have to adjust the configuration of the service, patch the operating system, etc. to keep it safe but know that other competitors will be trying to break into the target you’ve claimed and take your service from you.  Why?  Because you only score points if you have control of a critical service and that service is still working properly.


     A scoring engine will check each critical service at random intervals, usually every 3 to 5 minutes.  The critical service has to be running and functional – in other words the content has to match what was there at the beginning and the service still needs to provide the required functionality.  So an HTTP service still needs to display the original website, an FTP service still needs to serve up the files, a DNS service has to resolve queries, shares still need to allow read access from any IP address, etc.  When you take ownership of a service, you can’t destroy the content that was there while you’re taking ownership and once you own it you can’t let a competitor destroy the content of your service.  When the scoring engine checks a service, it will also determine who owns that service.  If you own that service and the service is still functioning, you’ll get points.  You get points every time the scoring engine checks one of the services you own if that service is still working properly.  The more targets and services you control – the more points you score.  High score at the end of each day wins.

     

    © Panoply 2012. All Rights Reserved.

    University of Texas San Antonio