1

A few friends and I want to run some kind of CTF competition in which we both have identical OSes that we can attack and defend as teams/individuals.

I was looking on the web and I found some good stuff like Metasploitable and some stuff on vulnhub.com

I'm basically looking for any advice as to what the best way to implement this thing is and whether there are any other cool goodies like the above mentioned.

How would you set this competition up? What would you make the goals? How much time should we have to secure the system and how much time should we have to attack? Any advice is welcome. We are very novice to computer security (but all work in IT) and just need an idea of how to start it and how to grade it.

Anders
  • 65,582
  • 24
  • 185
  • 221
Ethereal
  • 703
  • 1
  • 6
  • 6
  • Can you elaborate some more? Is the setup: both of you get identical machines with identical setup and time to secure each one machine, then the machines are left alone for the other to attack? – Tobi Nary Mar 28 '16 at 23:28
  • I would use vulnhub.com, specially these CTF virtual machines. The advantage is that they are already setup and goals are already set (easy, right?). One idea could be that each "team" picks one of those machines (without the other team knowing which), and the first team to reach the goal wins. – lepe Mar 29 '16 at 00:45
  • @SmokeDispenser Yes thats right.. Unless you guys have a better idea as to how to do it. – Ethereal Mar 29 '16 at 01:18

1 Answers1

2

The problem with Metasploitable and alike is that these are mostly for demonstration purposes and contain far too many vulnerabilities which also aren't easy to fix either. Also in a CTF, you don't want people to corrupt the complete VM but only get a token out of a single service.

I would suggest looking at the iCTF, they have some sample services. If you all are IT affine and do CTFs for fun and educational purpose, writing your own vulnerable services is a good idea. They can be simple web or CLI apps, there are extensive design guides on iCTF. They also have a complete framework for any kind of CTF.

AdHominem
  • 3,036
  • 1
  • 18
  • 28