DEFCON CTF VM Files

This repository contains the files necessary for the DEFCON CTF VM that I created. You can grab a copy of the VM itself from my blog.

To use this VM, simply start it up in VMware and do the following to connect to a given service:

nc defcon.local <port>  # for TCPv4 services
nc6 defcon.local <port>  # for TCPv6 services

NOTE: Your network settings may not resolve "defcon.local" as a hostname. You can log in and run ifconfig from inside the VM to get its IP address. You can also try using just "defcon" or "defcon.<your local domain>" and see if those work.

Getting the flag for each service is, obviously, an exercise left to the reader.

List of Services

DEFCON 13 (2005)

NOTE: Check /root/kinit.py for how to run these services! Many of these were xinetd services that don't contain their own server setup code.

| Service Name | User | Port | Protocol | Notes |
| --- | --- | --- | --- | --- |
| apachectl | ????? | ????? | ?????? | NOT RUNNING |
| befunge | bfg | ????? | ?????? | NOT RUNNING: Requires the PyFunge library |
| bparkd | bparkd | ????? | ?????? | NOT RUNNING: Requires enigma and .bpconfig to run |
| echod | ????? | ????? | ?????? | NOT RUNNING |
| fingerd | ????? | ????? | ?????? | NOT RUNNING |
| fucktcpd | ????? | ????? | ?????? | NOT RUNNING |
| HowAreYouToday.py | frat | ????? | ?????? | NOT RUNNING |
| inetd | ????? | ????? | ?????? | NOT RUNNING |
| kmud.py | kmud | ????? | ?????? | NOT RUNNING |
| kpub.py | pub | ????? | ?????? | NOT RUNNING |
| named | ????? | ????? | ?????? | NOT RUNNING |
| postfix | ????? | ????? | ?????? | NOT RUNNING |
| tomcat50ctl | www | ????? | ?????? | NOT RUNNING |
| transformd | transform | ????? | ?????? | NOT RUNNING: Requires joshua to run? |
| UserAdder.py | ????? | ????? | ?????? | NOT RUNNING |
| wumpus | wumpus | ????? | ?????? | NOT RUNNING |

Other binaries I've come across that may have been part of this year:

DEFCON 14 (2006)

Notably absent from the VM are the services from DEFCON 14. These challenges were built for and ran on Solaris. Since I haven't created a Solaris VM to host them (and a Solaris translation layer for FreeBSD doesn't appear to exist), I can't get them running. I do, however, have what I think are all of the services if anyone would like to play with them. Their names are:

DEFCON 15 (2007)

NOTE: Many of the following services require the compat6x-i386 package to be installed.

| Service Name | User | Port | Protocol | Notes |
| --- | --- | --- | --- | --- |
| arpsd | arps | 1331 | TCPv4 | |
| blowlogd | blowlog | 1500 | UDPv4 | |
| hfd | hfd | 1024 | TCPv4 | Needs server.pem, dh1024.pem, root.pem in /home/hfd |
| kftpd | kftp | 2121 | TCPv4 | |
| kimjong | kimjong | 9999 | TCPv4 | |
| kuftpd | kuftpd | 21 | TCPv4 | |
| madlibd | madlib | 4042 | TCPv4 | Needs articles.txt, nouns.txt, objects.txt, verbs.txt in /home/madlib |
| menageatrois | menageatrois | 3339 | TCPv4 | |
| neurod | wintermute | 5953 | TCPv4 | Requires the dlmalloc package to be installed |
| perudo | perudo | 3822 | TCPv4 | |
| rolodex | rolodex | 8224 | TCPv4 | |
| sammichd | sammich | 8365 | TCPv4 | |
| shellcat | shellcat | 7890 | TCPv4 | |
| sor | sor | 9051 | TCPv4 | |
| supd | sup | ????? | ????? | NOT RUNNING: Requires python2.5 and the socket module (also may actually have been from DEFCON 16..? need to confirm with someone) |

Other binaries I've come across that may have been part of this year:

DEFCON 16 (2008)

| Service Name | User | Port | Protocol | Notes |
| --- | --- | --- | --- | --- |
| antipastod | antipasto | 7482 | TCPv4 | |
| aspd | asp | ????? | ????? | NOT RUNNING: Won't run for some reason...just prints "Done" |
| bakalakadakaChat | durka | 15641 | TCPv4 | |
| barista | barista | ????? | ????? | NOT RUNNING: 1: Syntax error: ")" unexpected |
| catdoord | catdoor | 4341 | TCPv4 | |
| duckshootd | duckshoot | 3888 | TCPv4 | |
| EmergencyBrake | EmergencyBrake | 2028 | TCPv4 | |
| grimcreeper.d | grimcreeper | 9001 | TCPv4 | |
| hashpiped | hashpipe | 5641 | TCPv4 | |
| iMagick | iMagick | 4141 | TCPv4 | |
| kdnsd | kdns | ????? | ????? | NOT RUNNING: Requires kdns.conf, python2.5, and the socket module to run |
| kmaild | kmail | 17722 | TCPv4 | |
| kmsgd | kmsg | 10001 | TCPv4 | |
| kryptod | krypto | 20020 | TCPv4 | |
| lockstep | lockstep | ????? | ????? | NOT RUNNING: Requires python2.5 and the md5 module |
| moatd | moat | 6810 | TCPv4 | |
| roflcode | roflcode | 4000 | TCPv4 | |
| sockringd | sockring | 14340 | TCPv4 | |
| supd | sup | ????? | ????? | NOT RUNNING |
| superd | super | 8126 | TCPv4 | |

Other binaries I've come across that may have been part of this year:

DEFCON 17 (2009)

| Service Name | User | Port | Protocol | Notes |
| --- | --- | --- | --- | --- |
| baaaad | sheepc | ????? | ????? | NOT RUNNING: Unable to register (MESSAGEPROG, MESSAGEVERS, udp) |
| casino | casino | ????? | ????? | NOT RUNNING: syntax error on line 1 |
| cheese.pl | cheese | ????? | ????? | NOT RUNNING: Some web service..? Not sure I even have this on the VM right now... |
| cmd | cm | 4546 | TCPv4 | Requires cjd in /usr/local/sbin |
| deltad | delta | 1787 | TCPv4 | |
| deuced | deuce | 2056 | TCPv4 | |
| elfd | buddy | 7331 | TCPv4 | |
| lazrus | lazrus | 1905 | TCPv4 | |
| magicd | magic | 4343 | TCPv4 | |
| mdljserver | mdlj | ????? | ????? | NOT RUNNING: Requires a .pem, .crt, and .key file, fails to load private key, and subsequently dies with SSL ERROR (certs are currently in /home/mdlj but don't work) |
| mymqld | mymql | 4242 | TCPv4 | |
| nickd | nickster | 2337 | TCPv4 | |
| rsatesp | rsatesp | 5500 | TCPv4 | Requires sqlite3 package and has an auth.db created by createdb.sh in /home/rsatesp that don't appear to work |
| tucod | tuco | 57005 | TCPv4 | |
| wwcd | wwcd | 6977 | TCPv4 | |

DEFCON 18 (2010)

| Service Name | User | Port | Protocol | Notes |
| --- | --- | --- | --- | --- |
| cohend | cohend | 7532 | TCPv4 | |
| ddftpd | ddftp | 1776 | UDPv4 | |
| diablo | diablo | ????? | ???? | NOT RUNNING: Requires diablo-jvm 1.6.10 or something (might also require Launcher.class and a few other things?) |
| food | food | ????? | ???? | NOT RUNNING: Requires libutil.so.8 (and is a frozen python2.6 service that complains about no module named "_socket") |
| houdini | houdini | ????? | ???? | NOT RUNNING: This is a PE binary and I have no idea how it ever ran (WINE as a custom kernel module?) - very aptly named service |
| libra | libra | 1495 | TCPv4 | |
| mashup | mashup | 5539 | TCPv4 | |
| memix | memix | 9911 | ???? | NOT RUNNING: Appears to not be able to read a "local auth file" and is also missing the patch it downloaded from DDTEK's servers to make it vulnerable |
| mqdbd | mqdb | 2001 | TCPv4 | |
| nadel | nadel | 3248 | TCPv4 | |
| natord | nator | 2985 | TCPv4 | |
| noprotas | noprotas | 23945 | UDPv4 | |
| santad | santa | ????? | ???? | NOT RUNNING: Won't run for some reason...just prints "Done" |
| slickd | slick | 7391 | TCPv4 | |
| spelunk | spelunk | 8362 | TCPv4 | Requires adv.key and adv.rec in /home/spelunk |
| sushid | sushi | | RAWv4 | |

DEFCON 19 (2011)

NOTE: In addition to the services below, there was also a service called "finch" that interacted with some remote control cars in a chicken coop. To my knowledge, no team ever figured out how to score successfully (you were supposed to drive your car into the lighted area matching your car's color). Since "finch" was a Linux binary that was meant to run on your own machine, it isn't included below.

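| Service Name | User | Port | Protocol | Notes |
| --- | --- | --- | --- | --- |
| bowser | bowser | NONE | TCPv6 | Local service with usage: /usr/local/sbin/bowser <host> |
| bunny | bunny | 15323 | TCPv6 | |
| castle | castle | 7629 | TCPv6 | Requires sandy in /usr/local/sbin |
| cleaner | cleaner | 26987 | TCPv6 | |
| forgetu | forgetu | 3128 | TCPv6 | |
| gold | gold | 2069 | TCPv6 | |
| hiver | hiver | 44366 | TCPv6 | |
| htlame | htlame | 42737 | TCPv6 | |
| pisa | pisa | 6765 | TCPv6 | |
| rotary | rotary | 3375 | TCPv6 | |
| sheepster | sheepster | 5775 | TCPv6 | |
| telephone | bell | 1477 | TCPv6 | |
| tomato | tomato | 6391 | TCPv6 | |
| war | war | 14273 | TCPv6 | |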

DEFCON 20 (2012)

NOTE: All these services bound the interface em1 in the game, but I patched them to bind em0 for the VM to work.

| Service Name | User | Port | Protocol | Notes |
| --- | --- | --- | --- | --- |
| cashew | cashew | 7979 | TCPv6 | |
| cherry | cherry | 24359 | TCPv6 | |
| coney | coney | 65214 | TCPv6 | |
| desheepd | desheepd | 547 | UDPv6 | |
| dog | dog | ????? | ???v6 | NOT RUNNING: Cannot open /usr/local/ctp/lib/perl5/5.16.0/i386-freebsd/CORE/libperl.so |
| gallows | gallows | 6666 | TCPv6 | |
| intception | dealer | 8888 | TCPv6 | |
| jerkin | jerkin | 63715 | TCPv6 | |
| mixology | mixology | 35575 | TCPv6 | |
| nom | nom | 7368 | TCPv6 | |
| nssds | nssds | 54339 | TCPv6 | |
| ocrd | ocrd | 31967 | TCPv6 | |
| parrot | parrot | ????? | ???v6 | NOT RUNNING: Cannot open /usr/local/ctp/lib/perl5/5.16.0/i386-freebsd/CORE/libperl.so |
| ralph | ralph | 57553 | TCPv6 | |
| scool | scool | 4637 | TCPv6 | |
| semem | semem | 6941 | TCPv6 | |
| tictactoe | tictactoe | 25375 | TCPv6 | |
| torqux | torqux | ????? | ???v6 | NOT RUNNING: Must be run with python2.7 directly (still doesn't seem to work?) |
| zul | zul | 25201 | TCPv6 | |

Setting Up Your Own VM

In case you don't like the VM I've created, here's some quick documentation on how I set up the VM myself!

Initial Setup

The initial setup is simple:

NOTE: In the real CTF, each team would actually get a FreeBSD jail, rather than a VM. For simplicity, I've set everything up outside of a jail. I hope to find my documentation on jails and include it here in the future if anyone wants to set things up more authentically. For now, you'll just have to make do with this approximation.

Service Setup

Setting up services was a little more involved. In order to run a given service, you will generally have to create a user and home directory for that user. This is because most DEFCON CTF services will "drop" privileges from root to an unprivileged user specific to the service, just like real services. The ownership of the binary will also need to be changed to prevent unwanted modifications. To do this:

# create a user with a given name (-n), shell (-s), and home directory (-m)
pw useradd -n <username> -s /usr/bin/false -m
chmod 750 /usr/home/<username>
chown root:<username> /path/to/service
chmod 750 /path/to/service

Binaries before DEFCON 19 were located inside each service's home folder. Starting in DEFCON 19, however, they were moved to /usr/local/sbin. Either approach is fine, but I found it easier to place all the services in /usr/local/sbin.

Flags were typically stored in a file called "key" inside of each user's home directory. A kernel module was used to change these out periodically (about once every 2-5 minutes or so). Since I don't have a similar kernel module, I just placed the sha1sum of the service into the flag file:

sha1 /path/to/service | cut -d' ' -f4 > /usr/home/<username>/key
chmod 540 /usr/home/<username>/key

At this point, running the service should be as easy as:

/path/to/service &

You can check if it is running/listening by doing:

ps aux | grep <service>  # check if it is running
sockstat | grep <service>  # check if it is listening (and on what port)

If that doesn't work, check the tables above to see if there are any caveats for a particular service. Some services require extra stuff to be installed, configured, or otherwise present in order to function. Some were also not actually network services and had to be run locally.

Once a service is running, you should be able to use netcat to connect to it:

nc <hostname or address> <port>  # for IPv4
nc6 <hostname or address> <port>  # for IPv6

Note that services won't start up by default unless you create an /etc/rc.d startup script for them. The template I created for these, if you'd like to develop your own, is called rc_d_template in the top level of this repository.
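
As an added example (not part of this repository), the following POSIX sh function audits one service against the ownership and modes set in the Service Setup steps above. The function names, the finding labels, and the optional HOME_ROOT, OWNER and GROUP overrides are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the repository's code: audit the per-service layout
# from the Service Setup steps. Uses find(1) primaries rather than stat(1),
# whose flags differ between FreeBSD and Linux.

# has_mode PATH MODE: true if PATH exists with exactly the octal MODE.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# owned_by PATH OWNER GROUP: true if PATH has that owner and group
# (names or numeric ids).
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" -group "$3" -print 2>/dev/null)" ]
}

# audit_service USER BINARY [HOME_ROOT] [OWNER] [GROUP]
# Prints one label per deviation and returns non-zero if any was found.
# HOME_ROOT, OWNER and GROUP default to /usr/home, root and USER; the
# overrides are assumptions added so the check can also run unprivileged.
# Example (path assumed): audit_service arps /usr/local/sbin/arpsd
audit_service() {
    user=$1
    bin=$2
    home="${3:-/usr/home}/$user"
    owner=${4:-root}
    group=${5:-$user}
    bad=""

    # Home directory: chmod 750, so accounts outside the group get no access.
    has_mode "$home" 750 || bad="$bad home-mode"
    # Binary: root:<username> 750. The service user reaches it only through
    # the group bits (r-x), so a compromised service cannot rewrite it.
    has_mode "$bin" 750 || bad="$bad binary-mode"
    owned_by "$bin" "$owner" "$group" || bad="$bad binary-owner"
    # Flag file: chmod 540 and non-empty.
    has_mode "$home/key" 540 || bad="$bad key-mode"
    [ -s "$home/key" ] || bad="$bad key-empty"

    echo "${bad# }"
    [ -z "$bad" ]
}
```

Run it as root after setting up each service; an empty result means the layout matches the steps above.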