Awesome

DEFCON CTF VM Files

This repository contains the files necessary for the DEFCON CTF VM that I created. You can grab a copy of the VM itself from my blog.

To use this VM, simply start it up in VMware and do the following to connect to a given service:

nc defcon.local <port>  # for TCPv4 services
nc6 defcon.local <port>  # for TCPv6 services

NOTE: Your network settings may not resolve "defcon.local" as a hostname. You can log in and run ifconfig from inside the VM to get its IP address. You can also try using just "defcon" or "defcon.<your local domain>" and see if those work.

Getting the flag for each service is, obviously, an exercise left to the reader.

List of Services

DEFCON 13 (2005)

Organizers: Kenshoto
Operating System: FreeBSD 5.4

NOTE: Check /root/kinit.py for how to run these services! Many of these were xinetd services that don't contain their own server setup code.

Service Name	User	Port	Protocol	Notes
apachectl	?????	?????	??????	NOT RUNNING
befunge	bfg	?????	??????	NOT RUNNING: Requires the `PyFunge` library
bparkd	bparkd	?????	??????	NOT RUNNING: Requires `enigma` and `.bpconfig` to run
echod	?????	?????	??????	NOT RUNNING
fingerd	?????	?????	??????	NOT RUNNING
fucktcpd	?????	?????	??????	NOT RUNNING
HowAreYouToday.py	frat	?????	??????	NOT RUNNING
inetd	?????	?????	??????	NOT RUNNING
kmud.py	kmud	?????	??????	NOT RUNNING
kpub.py	pub	?????	??????	NOT RUNNING
named	?????	?????	??????	NOT RUNNING
postfix	?????	?????	??????	NOT RUNNING
tomcat50ctl	www	?????	??????	NOT RUNNING
transformd	transform	?????	??????	NOT RUNNING: Requires `joshua` to run?
UserAdder.py	?????	?????	??????	NOT RUNNING
wumpus	wumpus	?????	??????	NOT RUNNING

Other binaries I've come across that may have been part of this year:

alice
b16
kstrings
nettoe
readmail
smtpd
vacation

DEFCON 14 (2006)

Organizers: Kenshoto
Operating System: Solaris ???

Notably absent from the VM are the services from DEFCON 14. These challenges were built for and ran on Solaris. Since I haven't created a Solaris VM to host them (and a Solaris translation layer for FreeBSD doesn't appear to exist), I can't get them running. I do, however, have what I think are all of the services if anyone would like to play with them. Their names are:

CookieMonster
CustomHeap
FingerLickinGood
FuckTcpd2
Heisenberg
IFallDown
InMyMemory
KuFtpd
NPComplete
OhShitD
SpamMe
Vanilla
YouHadMeAtHello

DEFCON 15 (2007)

Organizers: Kenshoto
Operating System: FreeBSD 6.3?

NOTE: Many of the following services require the compat6x-i386 package to be installed.

Service Name	User	Port	Protocol	Notes
arpsd	arps	1331	TCPv4
blowlogd	blowlog	1500	UDPv4
hfd	hfd	1024	TCPv4	Needs `server.pem`, `dh1024.pem`, `root.pem` in `/home/hfd`
kftpd	kftp	2121	TCPv4
kimjong	kimjong	9999	TCPv4
kuftpd	kuftpd	21	TCPv4
madlibd	madlib	4042	TCPv4	Needs `articles.txt`, `nouns.txt`, `objects.txt`, `verbs.txt` in `/home/madlib`
menageatrois	menageatrois	3339	TCPv4
neurod	wintermute	5953	TCPv4	Requires the `dlmalloc` package to be installed
perudo	perudo	3822	TCPv4
rolodex	rolodex	8224	TCPv4
sammichd	sammich	8365	TCPv4
shellcat	shellcat	7890	TCPv4
sor	sor	9051	TCPv4
supd	sup	?????	?????	NOT RUNNING: Requires `python2.5` and the socket module (also may actually have been from DEFCON 16..? need to confirm with someone)

Other binaries I've come across that may have been part of this year:

xserver (looks like a web challenge...drops to user "xserver")
UserAdder and makeuser? (looks like just a way to create users...drops to user "makeuser")
I have a "serverd" somehow that I have listed as being from this year, but honestly no idea where this is from or what it's for

DEFCON 16 (2008)

Organizers: Kenshoto
Operating System: FreeBSD 6.3

Service Name	User	Port	Protocol	Notes
antipastod	antipasto	7482	TCPv4
aspd	asp	?????	?????	NOT RUNNING: Won't run for some reason...just prints "Done"
bakalakadakaChat	durka	15641	TCPv4
barista	barista	?????	?????	NOT RUNNING: `1: Syntax error: ")" unexpected`
catdoord	catdoor	4341	TCPv4
duckshootd	duckshoot	3888	TCPv4
EmergencyBrake	EmergencyBrake	2028	TCPv4
grimcreeper.d	grimcreeper	9001	TCPv4
hashpiped	hashpipe	5641	TCPv4
iMagick	iMagick	4141	TCPv4
kdnsd	kdns	?????	?????	NOT RUNNING: Requires `kdns.conf`, `python2.5`, and the `socket` module to run
kmaild	kmail	17722	TCPv4
kmsgd	kmsg	10001	TCPv4
kryptod	krypto	20020	TCPv4
lockstep	lockstep	?????	?????	NOT RUNNING: Requires `python2.5` and the `md5` module
moatd	moat	6810	TCPv4
roflcode	roflcode	4000	TCPv4
sockringd	sockring	14340	TCPv4
supd	sup	?????	?????	NOT RUNNING
superd	super	8126	TCPv4

Other binaries I've come across that may have been part of this year:

SupaFlyTNT
Something that would have used a user named "nubbin"?

DEFCON 17 (2009)

Organizers: DDTEK
Operating System: FreeBSD 7.2

Service Name	User	Port	Protocol	Notes
baaaad	sheepc	?????	?????	NOT RUNNING: Unable to register (MESSAGEPROG, MESSAGEVERS, udp)
casino	casino	?????	?????	NOT RUNNING: syntax error on line 1
cheese.pl	cheese	?????	?????	NOT RUNNING: Some web service..? Not sure I even have this on the VM right now...
cmd	cm	4546	TCPv4	Requires `cjd` in `/usr/local/sbin`
deltad	delta	1787	TCPv4
deuced	deuce	2056	TCPv4
elfd	buddy	7331	TCPv4
lazrus	lazrus	1905	TCPv4
magicd	magic	4343	TCPv4
mdljserver	mdlj	?????	?????	NOT RUNNING: Requires a `.pem`, `.crt`, and `.key` file, fails to load private key, and subsequently dies with SSL ERROR (certs are currently in `/home/mdlj` but don't work)
mymqld	mymql	4242	TCPv4
nickd	nickster	2337	TCPv4
rsatesp	rsatesp	5500	TCPv4	Requires `sqlite3` package and has an `auth.db` created by `createdb.sh` in `/home/rsatesp` that don't appear to work
tucod	tuco	57005	TCPv4
wwcd	wwcd	6977	TCPv4

DEFCON 18 (2010)

Organizers: DDTEK
Operating System: FreeBSD 8.0

Service Name	User	Port	Protocol	Notes
cohend	cohend	7532	TCPv4
ddftpd	ddftp	1776	UDPv4
diablo	diablo	?????	????	NOT RUNNING: Requires `diablo-jvm` 1.6.10 or something (might also require Launcher.class and a few other things?)
food	food	?????	????	NOT RUNNING: Requires `libutil.so.8` (and is a frozen `python2.6` service that complains about no module named "_socket")
houdini	houdini	?????	????	NOT RUNNING: This is a PE binary and I have no idea how it ever ran (WINE as a custom kernel module?) - very aptly named service
libra	libra	1495	TCPv4
mashup	mashup	5539	TCPv4
memix	memix	9911	????	NOT RUNNING: Appears to not be able to read a "local auth file" and is also missing the patch it downloaded from DDTEK's servers to make it vulnerable
mqdbd	mqdb	2001	TCPv4
nadel	nadel	3248	TCPv4
natord	nator	2985	TCPv4
noprotas	noprotas	23945	UDPv4
santad	santa	?????	????	NOT RUNNING: Won't run for some reason...just prints "Done"
slickd	slick	7391	TCPv4
spelunk	spelunk	8362	TCPv4	Requires `adv.key` and `adv.rec` in `/home/spelunk`
sushid	sushi		RAWv4

DEFCON 19 (2011)

Organizers: DDTEK
Operating System: FreeBSD 8.2

NOTE: In addition to the services below, there was also a service called "finch" that interacted with some remote control cars in a chicken coop. To my knowledge, no team ever figured out how to score successfully (you were supposed to drive your car into the lighted area matching your car's color). Since "finch" was a Linux binary that was meant to run on your own machine, it isn't included below.

Service Name	User	Port	Protocol	Notes
bowser	bowser	NONE	TCPv6	Local service with usage: `/usr/local/sbin/bowser <host>`
bunny	bunny	15323	TCPv6
castle	castle	7629	TCPv6	Requires `sandy` in `/usr/local/sbin`
cleaner	cleaner	26987	TCPv6
forgetu	forgetu	3128	TCPv6
gold	gold	2069	TCPv6
hiver	hiver	44366	TCPv6
htlame	htlame	42737	TCPv6
pisa	pisa	6765	TCPv6
rotary	rotary	3375	TCPv6
sheepster	sheepster	5775	TCPv6
telephone	bell	1477	TCPv6
tomato	tomato	6391	TCPv6
war	war	14273	TCPv6

DEFCON 20 (2012)

Organizers: DDTEK
Operating System: FreeBSD 9.0

NOTE: All these services bound the interface em1 in the game, but I patched them to bind em0 for the VM to work.

Service Name	User	Port	Protocol	Notes
cashew	cashew	7979	TCPv6
cherry	cherry	24359	TCPv6
coney	coney	65214	TCPv6
desheepd	desheepd	547	UDPv6
dog	dog	?????	???v6	NOT RUNNING: Cannot open `/usr/local/ctp/lib/perl5/5.16.0/i386-freebsd/CORE/libperl.so`
gallows	gallows	6666	TCPv6
intception	dealer	8888	TCPv6
jerkin	jerkin	63715	TCPv6
mixology	mixology	35575	TCPv6
nom	nom	7368	TCPv6
nssds	nssds	54339	TCPv6
ocrd	ocrd	31967	TCPv6
parrot	parrot	?????	???v6	NOT RUNNING: Cannot open `/usr/local/ctp/lib/perl5/5.16.0/i386-freebsd/CORE/libperl.so`
ralph	ralph	57553	TCPv6
scool	scool	4637	TCPv6
semem	semem	6941	TCPv6
tictactoe	tictactoe	25375	TCPv6
torqux	torqux	?????	???v6	NOT RUNNING: Must be run with `python2.7` directly (still doesn't seem to work?)
zul	zul	25201	TCPv6

Setting Up Your Own VM

In case you don't like the VM I've created, here's some quick documentation on how I set up the VM myself!

Initial Setup

The initial setup is simple:

Installed FreeBSD 9.1 with default options from the i386 install media
Uncommented and set "PermitRootLogin" to "yes" in /etc/ssh/sshd_config with vi
Ran /etc/rc.d/sshd restart so I could SSH/SCP

NOTE: In the real CTF, each team would actually get a FreeBSD jail, rather than a VM. For simplicity, I've set everything up outside of a jail. I hope to find my documentation on jails and include it here in the future if anyone wants to set things up more authentically. For now, you'll just have to make do with this approximation.

Service Setup

Setting up services was a little more involved. In order to run a given service, you will generally have to create a user and home directory for that user. This is because most DEFCON CTF services will "drop" privileges from root to an unprivileged user specific to the service, just like real services. The ownership of the binary will also need to be changed to prevent unwanted modifications. To do this:

# create a user with a given name (-n), shell (-s), and home directory (-m)
pw useradd -n <username> -s /usr/bin/false -m
chmod 750 /usr/home/<username>
chown root:<username> /path/to/service
chmod 750 /path/to/service

Binaries before DEFCON 19 were located inside each service's home folder. Starting in DEFCON 19, however, they were moved to /usr/local/sbin. Either approach is fine, but I found it easier to place all the services in /usr/local/sbin.

Flags were typically stored in a file called "key" inside of each user's home directory. A kernel module was used to change these out periodically (about once every 2-5 minutes or so). Since I don't have a similar kernel module, I just placed the sha1sum of the service into the flag file:

sha1 /path/to/service | cut -d' ' -f4 > /usr/home/<username>/key
chmod 540 /usr/home/<username>/key

At this point, running the service should be as easy as:

/path/to/service &

You can check if it is running/listening by doing:

ps aux | grep <service>  # check if it is running
sockstat | grep <service>  # check if it is listening (and on what port)

If that doesn't work, check the table above to see if there are any caveats for a particular service. Some services require extra stuff to be installed, configured, or otherwise present in order for it to function. Some were also not actually network services and had to be run locally.

Once a service is running, you should be able to use netcat to connect to it:

nc <hostname or address> <port>  # for IPv4
nc6 <hostname or address> <port>  # for IPv6

Note that services won't start up by default unless you create an /etc/rc.d startup script for them. The template I created for these, if you'd like to develop your own, is called rc_d_template in the top level of this repository.