worrbase

CRTS

2011-04-09

A week ago, I participated in a competition at RIT called ISTS, the Internet Security Talent Search. This competition challenges students in the area to form teams to defend and maintain a small network, while attacking other teams' networks. And lemme tell you, this was a fucking blast. I did it last year, but now that I'm significantly more competent, I had so much more fun.

The competition works something like this: there are 14 teams that all have identical setups of mixed Windows, Linux and FreeBSD machines. Three of the five machines host network services that need to have maximum uptime, and the other two machines are clients that can be used for attacking. Teams get points for every minute of uptime each service has, as well as for attacking machines of other teams.

During the competition, teams are given challenges to complete called business injects, which can range from adding services, to adding features to existing services, to attacking other teams. It really runs the gamut.

However, while we're busy doing our thing, the red team, made up of graduates, security consultants, etc., is indiscriminately attacking everyone. Since every team has identical machines with identical configurations, we all know the security vulns that other teams have as soon as we discover them ourselves, so really the red team is kind of at a disadvantage.

For the CSH team (Team OPCOMM), I was mail bitch (because apparently no one wants to deal with postfix), and FreeBSD wizard. I maintained the postfix and dovecot installation on a teammate's machine, while also maintaining FTP and DNS on my own. Unsurprisingly, my box was the only box on the team that didn't get pwned during the competition. And I'm not saying that it's unsurprising because I'm pompous or anything, I'm saying it because I was maintaining the FreeBSD box. I mean really, next to all that Windows and Linux-y shit, FreeBSD is a fucking tank.

Now, since I'm talking about ISTS, you're probably wondering why this post is titled CRTS. Well, through talking to people on CSH after the competition, I found that many people were interested in the idea of the competition, but they didn't think they had enough skill to compete.

So I decided to hold an event just like ISTS for CSH.

I'm calling it the Computer Science House Root Type Person Talent Search, or CSH RTP Talent Search, or CRTS. It's definitely focused on people who have little to no systems administration experience, but still challenging enough that people who know what they're doing will still have fun.

Prior, there will be a fuckton of seminars given about topics people will need to be familiar with, starting with basic UNIX skills ranging all the way up to intermediate hacking techniques.

It's going to be a great weekend, and I've already gotten a lot of interest from people on CSH. I've planned some fun vulns for teams to discover, and I'm writing a bitchin' Perl scoring engine using POE and Dancer. All of the code is on GitHub, and I'll make sure to list the different setups in detail after the competition.