Wargame Rules and Code of Conduct
Note: If you can't spare 10 minutes to read this in its entirety this is not the game for you. Ignorance of the rules will not be accepted as an excuse.
Code of Conduct
The primary focus of the games is to provide a place to practice and learn computer security without legal risk.
When in doubt, ask yourself if your actions will jeopardize the continued functioning of the wargame. If the answer is yes, DONT DO IT. This covers things like DoS against infrastructure, anything that might cause our ISP to kill the connection, attacking/poking non-wargame targets, etc. Fuckups happen, so if you find yourself fucking up please communicate with wargame staff as quickly as possible. If we find out first, you WILL be disqualified from the current game and depending on the severity of the incident you may be BANNED. If you're not sure if an action is ok and you really want to do it, asking staff first is a good way to avoid negative repercussions.
Don't attack or scan any non-wargame hosts. This includes the gateway, which should remain accessible to all players at all times. Which boxes are in scope will be specified explicitly before each game and should be taken seriously. Do not launch attacks against anyone from our platform. We're not liable for the actions you take on our network, and if a fucking black van shows up at any of our houses we will drop your info without hesitation. The continued existence of the games requires that staff remain out of jail and computers remain connected to our network.
The games are here for people to learn in a safe, fun, and competitive environment. Please be courteous. Here are some example DOs and DONTs:
- DONT go around forkbombing or running rm -rf on every box you pop. Bringing a box offline will likely result in a penalty or disqualification.
- DO leave fake shells responding to old login info to frustrate your targets and amuse everyone else. Bonus points for publicly embarrassing other teams.
- DONT disable any of the remote logging functionality that sends info back to the gateway for scoring and monitoring.
- DO manipulate local logs on the machine and protect ya neck.
- DONT storm, flood, nuke, bomb, or otherwise DoS any boxes.
- DO spoof packets to reset enemy ssh sessions so your mitm attack can steal the credentials upon reconnecting.
- DONT be an idiot and give out your team account info. There's no point penalty for this, but your pride might take a hit.
- DO try to convince people to give you their team account info using any means available.
You should get the idea by now. Don't fuck things up for staff or future players. Everything else is permissible until someone fucks up and makes us turn the rules ratchet.
In the event of a dispute about the rules or any other aspect of the games, staff has full discretion and final say. If you don't trust us to make balanced decisions, don't play. We're here to make sure the game remains fair and fun and entertaining.
- Teams MUST have 2 to 6 players
- Teams MUST reveal handles and contact info (email) for all members of the team at the start of the game
- Teams MUST consist of the list of members submitted at the start. If a member drops out mid-game they cannot be replaced.
- Teams MUST follow the rules and code of conduct or risk disqualification and a ban from all future games. Act ethically and ask staff when in doubt.
- Teams MUST NOT remove remote logging features put in place by wargame staff (these will be clearly marked)
- Teams MUST NOT remove, attack, or access wargame staff accounts on ANY box
- Teams MUST NOT attack the gateway or any boxes outside the scope of the game
- Teams SHOULD NOT lock themselves out of their own box. Depending on the circumstances it could lead to an embarrassing disqualification. If this happens to your team, notify wargame staff and they may assist you in recovering access.
- Teams SHOULD secure their own box to the best of their ability during the grace period and throughout the game
- Teams SHOULD compromise the security of their opponents using any and all tools and tricks at their disposal. The more righteous the hack the better.
- The gateway is the entry point for the games. Each team will have one or more accounts on the gateway and will need to access it to play. Preventing teams from accessing the gateway is a no-no, unless they were dumb enough to hand over their own gateway account info. If you give someone your password and they lock you out, don't expect staff to reset it for you.
- The gateway is also used as a staging environment for attacks. If you lose control of your box, don't sweat it, just pop someone else using the gateway and find a new home for your team.
- Spoofing the gateway in any way is NOT permitted. Teams should feel that their connection into the gateway is secure (against other wargame players at least).
- Using/obtaining other team accounts on the gateway IS permissible, however accessing staff or system accounts is off limits. Any team caught trying to compromise the security of the system or staff accounts will be IMMEDIATELY disqualified, no questions asked. Don't even try it.
(C) Grace Period
The grace period is intended to give all teams a chance to understand and secure their box without risk of compromise. Use this time wisely! Staff recommends you divvy tasks up among your team ahead of time so you don't step on each other's toes.
- The grace period begins when all teams are given root access to a fresh *nix machine on the wargame network. Teams should document the OS version, kernel, and versions of any critical packages before making any major changes.
- The grace period typically lasts for 24 hours (check your game info to be sure) and gives every team a chance to secure or otherwise mangle their box. Staff recommends you spend this time learning the basics of your OS and securing the necessary services.
- During the grace period there are NO attacks allowed against other teams. This means no sniffing, no port scans, no traffic to other hosts! The only thing staff wants to see during this time is traffic between the gateway and your team box. Any attack will result in disqualification for the whole team. It's not fun to disqualify people so don't make us do it!
- Social Engineering is allowed during the grace period, however you may not use any credentials or information you've gathered to attack until the grace period is over.
- Teams should document all major changes made to the box. You don't need to give away your secret sauce, but people are here to learn and every team is expected to turn in a whitepaper at the end of the game.
- TEAMS MUST NOT install any sort of kernel with stack protection, grsec, or other general kernel level protections against common exploits. A major part of the game is learning about detecting and recovering from compromises, so from time to time staff might need to do things to encourage compromise.
(D) Open Season
After the grace period ends, open season begins. This is the meat of the wargame and is when the cool stuff starts to happen. We recommend maintaining a balance between defense and offense during this time. Going full defense won't net you many points, and going full offense will likely leave you with nothing as well.
- Teams SHOULD keep documentation (format doesn't matter much) of their attempted and successful attacks. Assigning a team member to keep and submit the documentation is a prudent decision. We don't need a novel or lots of explicit details, just an overview of what you wanted to do, what you did, and what worked. A portion of your final score will come directly from the quality of your whitepaper.
- During open season, staff may ask teams to open/install specific services to keep the game from getting stagnant. Staff has final say on all issues.
- Nearly all attacks are permitted during open season, however, Denial of Service attacks are NEVER permitted. DoSing will result in a disqualification.
- Open season will typically last about a week (check your game info to be sure)
Each team is expected to submit a whitepaper at the conclusion of the game. See previous wargame whitepapers for an idea of what we're looking for. It doesn't need to be fancy, it doesn't need to be lengthy, it just needs to be entertaining and/or educational. Whitepapers typically contain several types of info:
- Grace Period defense and box/OS info: describe the environment you were given, high level changes made, and any other interesting information
- Open Season defense: describe steps taken to defend and maintain security on your box(es) during open season
- Open Season offense: describe attempted and successful attacks against other teams. Attaining root is worth more points than attaining a less privileged account, so describe any privilege escalation!
- Stories: any other events of note that happened during the game, good SE stories, funny fuckups, butterzone hacks, whatever your team wants to share.
- Journal: these can be especially fun to read, so consider keeping a short log of your thoughts as you navigate your way through the game.
Points are awarded for performance during the game, for writing up interesting, educational or entertaining whitepapers, and for style. For the first several games, points will be given at the discretion of staff. The goal is to gather information in order to create a more formal scoring system that incentivizes the games for action and entertainment.
(0-30 points) General security and Grace Period activities
You should secure your box to the best of your team's abilities throughout the game. Staff recommends planning to recover access and lock everything down in the event of a successful compromise of your box. Obviously the success of your defense will depend on the skills of your opponents as well as your own skill. A little cyber-stalking and threat modeling can go a long way in these games.
- (0-10 points) General security of the box
- (0-5 points) Correctly identifying the OS and Software versions
- (0-5 points) Identifying and patching vulnerable services
- (0-10 points) Miscellaneous. Mostly we want to see neat and entertaining stuff in the whitepapers and on the network!
(0-55 points) Open season performance
All teams will be required to run at least 3 potentially vulnerable services at any given time during open season unless otherwise specified by staff. Open season is about compromising the boxes of other teams and securing their services while maintaining control over your team's boxes.
- (0-5 points) Maintaining a log of game events that involve your team
- (0-10 points) Handling attacks against your team and recovering access if necessary
- (0-20 points) Attacking other teams and compromising services and boxes
- (0-10 points) Attaining root on other boxes
- (0-10 points) Variety of attacks. If your team is a one trick pony don't expect many points from this category.
(0-25 points) Whitepapers
See above for detail on what we're looking for in the whitepapers. Whitepapers should be plain ascii only; save that complicated document format garbage for your phishing victims.
- (0-5 points) Submitting a whitepaper in the proper format.
- (0-15 points) Quality of the whitepaper. Be funny, be brutal, above all, just be you. Extra points for some sick ascii art and a twenty page long greetz section.
- (0-5 points) Detail of the whitepaper. The more practical detail you include, the better others will be able to learn from your paper. If you plan to re-use some attack or defense measures, it might be a good idea to withhold some of the more crucial details. Expect other teams to have read all your previous papers. We're not looking for a step by step how-to here, just some info on what you did beyond "hacked some goons".
(0-20 points) Style
Staff always appreciates teams with a flair for the dramatic. These points are given entirely at the discretion of staff and boring teams should expect to receive a 0 here. If you're successfully hacking the gibson from the roof of a building while a teammate holds your sick gentoo thinkpad while you work it into a frenzy with that mouseclit and you can provide proof, expect full points. Really though, we want this to be entertaining for everyone, so we're looking for stuff like successful intimidation and trash talking over irc, gloating about acquiring access (and then maintaining it!), giving compromised teams a public countdown until you lock them out, etc.
Still here? Really!?! We're impressed already.
As we've said before, these games are supposed to be fun and educational, so don't be an asshole. All rules are enforced at the discretion of the staff, and staff has final say in ALL decisions and disputes.
Whitepapers will become public domain upon publishing them on the website, so don't include anything you don't want public. Alternatively, you can request staff redact portions of your whitepaper if you're concerned about it.
We're not sticklers here. When in doubt, ask questions of the staff, but please make sure you're actually talking to a staff member first! Keep an eye out for tricky SE!