Capture the flag is a popular hacking challenge at security conferences around the world that can be a pain for organisers to make new and interesting. With that in mind, one security researcher has offered a means to make the games easier to set up while remaining fun for players.
Network King of the Hill (NetKotH) was a dynamic CTF that pitted players as simultaneous attackers and defenders in a series of realistic hacking scenarios.
Creator Adrian Crenshaw (@IronGeek_adc), a senior security engineer for Diebold and co-founder of Derbycon, said the CTF was like a game of chess in that players had to come up with new offensive and defensive strategies.
"It's a CTF for lazy bastards," Crenshaw said at the AIDE 2013 security conference.
"You don't want the same people turning up and winning every single year, that gets boring ... so I had to come up with new scenarios."
A team would be tasked with breaking into a network (the hill) and defending it and its running services from attacks by other teams. Points would be awarded every minute a team has control of the hill and maintains the services.
Crenshaw said NetKotH meant organisers could reuse the same design with little or no variation and still produce a compelling and fun game.
Teams were tasked with defacing web pages on vulnerable web servers (10.0.0.1 to 10.0.0.98) with their team logos while defending them from attempts by other players to replace them.
They could utilise a variety of defensive measures including patching and could launch DoS and network routing attacks.
The network was in scope, meaning teams could use ARP poisoning to drop their own team tags in traffic but were not permitted to launch destructive attacks against rival players.
He said targeting traffic was permitted because the games were a model of real world attacks, but added organisers could limit the calamity with his Windows ARPFreeze tool.
"If you're winning, DoSing might be a good thing because it could prevent other players scoring", Crenshaw told delegates ahead of the NetKotH at the US conference.
He said players of previous NetKotH challenges had lost points by targeting a single hard box while ignoring softer targets, and had curiously not tested for password reuse.
Crenshaw also advised players to get good at scripting to set alerts for when their defacements were removed.
The Python scoring code was available online.
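The per-minute scoring rule described above can be sketched as follows. This is an added example, not Crenshaw's NetKotH code: the `<team>` marker syntax, the function names, and the rule that a page carrying two different tags scores for nobody are all assumptions, and the poll data is constructed.

```python
import re
from collections import Counter

# Assumed marker format. The article only says teams place "team tags";
# this exact syntax is an assumption for illustration.
TAG_RE = re.compile(r"<team>\s*([A-Za-z0-9_-]{1,32})\s*</team>", re.I)


def owner_of(body):
    """Return the team holding a hill, or None if it is down, untagged or contested."""
    if body is None:  # service unreachable: the hill is not being maintained
        return None
    teams = {t.lower() for t in TAG_RE.findall(body)}
    # Assumption: exactly one distinct tag means control; anything else scores nothing.
    return teams.pop() if len(teams) == 1 else None


def score(polls):
    """polls holds one dict per minute: {hill_ip: page body, or None if down}.

    Each hill awards one point per minute to the team that controls it.
    """
    totals = Counter()
    for minute in polls:
        for body in minute.values():
            team = owner_of(body)
            if team:
                totals[team] += 1
    return totals


# Constructed sample: four one-minute polls of two hills.
SAMPLE_POLLS = [
    {"10.0.0.1": "<html><team>red</team></html>", "10.0.0.2": "<html>default</html>"},
    {"10.0.0.1": "<html><team>Red</team></html>", "10.0.0.2": "<team>blue</team>"},
    {"10.0.0.1": None, "10.0.0.2": "<team>blue</team><team>red</team>"},
    {"10.0.0.1": "<team>blue</team>", "10.0.0.2": "<team>blue</team>"},
]

if __name__ == "__main__":
    for team, points in score(SAMPLE_POLLS).most_common():
        print(f"{team}: {points}")
```

In the third poll neither team scores: one hill is down and the other carries two tags, which is why a team that holds a page but lets the service fall over gains nothing under this rule.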