ATTENTION CTF PLAYERS!
Welcome to Quest CTF for BSides ROC! The start of the CTF is only days away, which means you will soon be receiving an email from Mr. E, an agent who works for a totally made-up three-letter government agency we control. However, before that happens, we have various things to go over with you. Important things. It’s critical you read and understand what we have to say in relation to the rules. We ask this so you do not end up mistakenly committing a crime.
Please do not TL;DR this. Take it seriously; it’s important.
Let’s get started
Signing up to play in this CTF is easy. All you have to do is send an email to firstname.lastname@example.org with your desired username as the subject.
A short time later you will receive an email back acknowledging you have been registered. Your acknowledgement email will contain a link to this page as well as other directions we encourage you to read from start to finish.
Be advised: Rules may get updated without warning. Check back often.
1. Whitelist email from definitelynotaspyagency.com in your email tenant / client.
2. Do NOT attack or otherwise do anything disruptive to the game environment. This includes any and all infrastructure. For example, the server hosting this website belongs to a shared hosting provider. WE DO NOT OWN IT. Attacking it is a felony. So please avoid doing anything silly.
3. Do NOT try to damage, negatively impact, disrupt or otherwise screw with the other players.
4. To gain points, you must adhere to the rules and send the specified emails to the correct email addresses using the email address you signed up to the CTF with.
5. By playing in this CTF you agree to hold the creators harmless if you go off script, or screw up and attack the wrong device online. Follow the directions when they are supplied and you should do just fine.
6. Have fun.
Q & A:
Q: Does it really take two weeks to play this CTF?
A: Technically, yes. The CTF starts two weeks prior to the convention and to finish you must attend the convention. There are physical aspects of this you will have to complete at the con.
Q: I'm a rock star and finished all of the online content this morning, now what?
A: No, you didn't. As much as we would like to believe you, you're not the first person to make that claim. You missed something. But if we're somehow wrong and you did, let's talk; I might have a job opening on my team.
Q: I’m looking at a web app, is it okay to attack the hosting provider to gain access to the device?
A: Obviously NOT. You should only focus on the web app in that specific case.
Q: I just NMAP scanned a device and found SSH open. Is it okay to attack the hosting provider to gain access to the device?
A: No; obviously you should see what that SSH port is about. Also, the guys and I have been talking about your strange fascination with wanting to attack hosting providers.
Q: I’ve been staring at this WordPress app for 20 hours and haven’t found anything I can exploit. What should I do?
A: We get this question more often than any other. You’re likely not looking in the correct place. Our games are hard, but not impossible. Did you check Exploit-DB for the WordPress version number? What did the clue Mr. E gave you say? Did it have a username or other important information? Should you maybe try to figure out the password for that username? Just say’n.
Q: I’m still stuck on the WordPress thing; can I email or call you for tips?
A: You can, but no one will pick up. We want you to be successful, and you will be, but if you’re truly stumped we would encourage you to team up with others or simply communicate with the other players. Maybe, if they’re cool, they will guide you without flat out giving you the answers.
Q: I registered but it seems like it took a long time to get my acknowledgement email. Did I do something wrong?
A: We send the acknowledgement emails back manually, so it might take a short bit of time to go through them and get back to you.
Q: It almost seems like the device I'm targeting has an enterprise-level security appliance in front of it. What's up with that?
A: Short answer, it might.
A: Longer answer: because we are putting devices directly online for the whole world to see (in most cases), we need to protect those devices with a high level of security. You should know and understand that we deliver these CTFs as a learning opportunity. The idea is that everyone, of every skill level, can learn something. More often than not it's the blue teamer or operations person who is successful or wins. We rarely see the "professional hacker" win our events. We design them this way on purpose. This gives everyone a chance to do well and see their names on the scoreboard. (ref: https://www.definitelynotaspyagency.com)
Q: Look guy (if that’s even your real name), I’m just gonna attack the scoreboard or the server Mr. E is sending emails from and call it a day. What do you think about that?
A: We would once again like to discourage you from doing that. Why? Well, it should be obvious that we are not the hosting provider for most, if not all, of the infrastructure. By attacking it, you’re committing a felony. So, stick to the things Mr. E told you to do and only attack things you have received an approval email for. Seriously, we like you and want to see you avoid any sort of, you know, jail cell inspired butt stuff…