I've attended several CTF contests and I'd like to implement a CTF system for my students. I asked Google about designing such a system but it's fruitless. Any ideas?
- Are you referring to Capture the Flag? I assume you mean in relation to social engineering. What do you teach and at what level (elementary, intermediate, high school, university)? – this.josh Oct 04 '11 at 08:30
- Oh, I'm teaching cyber security at a university. I want to build a CTF system for students to practice simple hacking techniques. – anhldbk Oct 04 '11 at 08:56
- Do you want a computer system with intentional flaws to allow students to discover and exploit vulnerabilities? – this.josh Oct 04 '11 at 09:06
- Yep, that's the system I want. :( – anhldbk Oct 05 '11 at 02:02
- Did you see this question: http://security.stackexchange.com/questions/1735 – this.josh Oct 05 '11 at 07:57
- possible duplicate of [Servers for penetration testing](http://security.stackexchange.com/questions/1735/servers-for-penetration-testing) – this.josh Oct 05 '11 at 19:33
- The term CTF is kinda ambiguous. See http://security.stackexchange.com/questions/3592/what-hacking-competitions-challenges-exist/3648#3648 – freddyb Dec 01 '11 at 23:42
6 Answers
As mentioned by this.josh, you can look at multiple already existing vulnerable applications in this question or you might try to find existing CTF source code - for example, look at the OWASP hackademic challenges. You might just take one of these and modify them slightly for your students. Also, try to contact authors of past CTFs - they might help you by giving their source code. Here's a handy calendar of various CTF challenges with appropriate links.
I once stumbled upon an OS VM machine called Metasploitable. It is made by the creators of Metasploit and is used as a target machine for practicing.
It is, and this is a quote from the page:
> Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql.
If you go through some exploits yourself, you can assign these tasks to your students and give them some guidelines.
Here is the link:
And a link for the metasploit framework
And last but not least, Backtrack 5, if you haven't already introduced your students to this OS and compilation of pentest software:
Instead of creating a new demo system with intentional vulnerabilities from scratch, take a look first at the existing ones:
Google's Gruyere codelab, "Web Application Exploits and Defenses" http://google-gruyere.appspot.com/
OWASP's WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Organizer of previous CTF events here.
First thing, write down a simple score board system, then decide how many and which categories you would like to have at your event. If you look at this photo, https://p.twimg.com/Ad_ncp0CAAE7L_I.jpg:large, it's the last CTF I organized, at codebits.eu; it was an event for 10 teams with 4 elements each.
It had 4 categories:
- Web apps
- Forensics
- Pwnables
- Trivia
If you want to have a look at some sample CTF challenges I have a list of websites I can provide you with:
- http://balgan.eu/?page_id=67 (my website)
- http://hackerschool.org/DefconCTF/17/B300.html
- http://nopsr.us/
- http://leetmore.ctf.su/hack-lu-2010/
- http://www.routards.org/2010/06/defcon-17-quals-forensics-300.html
- http://www.vnsecurity.net/2010/05/defcon-18-quals-writeups-collection/
- http://www.vnsecurity.net/c/capture-the-flag/

Hope it's helpful; feel free to ask more questions if you need some help!
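A minimal sketch of the "simple score board system" suggested in the answer above, added here as an example; it is not the answerer's code or any existing project's scoreboard. The four categories come from the answer; the class and method names are hypothetical, and storing flag digests with a constant-time compare and scoring each challenge once per team are design choices of this example.

```python
import hashlib
import hmac

# Categories are from the answer; everything else here is an assumption.
CATEGORIES = ("Web apps", "Forensics", "Pwnables", "Trivia")


def flag_digest(flag):
    """Keep only a digest so a leaked scoreboard store does not reveal flags."""
    return hashlib.sha256(flag.strip().encode()).digest()


class Scoreboard:
    def __init__(self):
        self.challenges = {}  # name -> (category, points, flag digest)
        self.solves = {}      # team -> set of solved challenge names

    def add_challenge(self, name, category, points, flag):
        if category not in CATEGORIES:
            raise ValueError(f"unknown category: {category}")
        self.challenges[name] = (category, points, flag_digest(flag))

    def register(self, team):
        self.solves.setdefault(team, set())

    def submit(self, team, name, flag):
        """Return 'correct', 'wrong', 'duplicate' or 'unknown'."""
        if team not in self.solves or name not in self.challenges:
            return "unknown"
        if name in self.solves[team]:
            return "duplicate"  # a challenge scores once per team
        digest = self.challenges[name][2]
        # Constant-time compare, so response timing says nothing about the digest.
        if not hmac.compare_digest(flag_digest(flag), digest):
            return "wrong"
        self.solves[team].add(name)
        return "correct"

    def score(self, team):
        return sum(self.challenges[c][1] for c in self.solves[team])

    def ranking(self):
        """(score, team) pairs, highest score first, ties broken by team name."""
        return sorted(((self.score(t), t) for t in self.solves),
                      key=lambda st: (-st[0], st[1]))
```
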
In case anyone still needs an in-game management system for CTFs, my research team wrote our own scoreboard, which we have now made available to the world at: http://www.ptcoresec.eu/?p=347
You might take a look at the International Capture The Flag run by folks at UCSB.