I competed last week-end in La Nuit Du Hack Private CTF, the one where you needed to quality in the prequals first.
Being a positive person and not willing to discard efforts that were already made this year to sort out this CTF, this is a short list of points that could be improved so we can have a better experience next year.
- Stop caring about hosting the team servers yourselve. Distribute a VirtualBox image at the beginning, give everybody 1 hour to sort it out and then open routing between teams. Team will be able to reboot their server, investigate extended downtime in single mode and the contest will get more realistic. Any decent laptop today has plentyful of resource to do hardware assisted virtualization.
- Stop caring about the team firewall. The current emulated interface is cumbersome. Let the team manages it themselve directly on the VM or on the VirtualBox host. (and don’t care about cheating with blocking other teams, it’s already happening sometime with the current setup)
- Change the monitoring system so that a working service do not rely on administrative credentials, this is not realistic. Changing credentials is part of everyday life for a sysadmin. Not being able to change admin credentials because the monitoring system uses it to connect to the service is unrealistic. A working service should be checked using a normal user account and patching should allow changing those default admin credentials.
- Flags should expire after 5 minutes and should get replaced every 5 minutes by an out-of-band updates system (ssh keys for example or specific daemons). Those flags should also get checked for presence by the monitoring system. Some teams cheated by changing their flags this year and you loose a lot of time realizing that it’s not your exploit that is broken.
- Have a webservice or telnet service for easier automated flag submission.
To be honest, many of these points are already handled very well by other attack/defense CTF like RusCTFE so NDH organizers needs to have a look there.
My 2 bytes.
Comments on this blog are closed so discuss it on Twitter with me if you want.