Capture The Flag at Agility 2018

This year, for the first time ever during our Agility conference, we will host a Capture The Flag game during our Tuesday night event.  The game is designed for eight teams (4 people per team) to compete against one another to see who can capture the most flags, earn the most virtual money, and keep their web application safe from attack.  The teams will be chosen prior to the event, so if you want to be included in one of the teams, make sure you reach out to your Sales Engineer and get the invitation.  We are calling the event "Hack to the Future" and the entire evening will be themed with tons of cool 80s stuff related to the classic movie series.

We expect a big crowd that night, so most attendees won't be directly participating in the Capture the Flag game.  But, fear not!  We have lots of awesome activities for everyone to enjoy throughout the evening.  As the teams compete during the game, you can certainly gather around the action and watch the game, but we will have several "breakout" areas where all the other attendees can interact and have lots of fun.  Some of these breakout areas are actually tied directly to the game itself, so if you want to be involved in the game, you can.  Some of the breakouts are not tied to the game at all, and you can just hang out and enjoy the fun times of those activities as well.  Here's a list of the breakout areas:

  • Doc Brown’s Garage – Non-game participants will have an opportunity to jump in the game and wreak havoc (i.e. launch attacks) against the participating teams
  • The Biff Tannen Learning Center – Various 5-minute or less demonstrations – Learn how different attacks work and how to perform them. We’ll even provide instructions in case you want to visit Doc Brown’s Garage and try a few in real time!
  • The George and Lorraine McFly Center – Various 5-minute demonstrations where you will learn ‘White Hat’ hacking techniques and maybe even give a few a try in real time
  • The F5 Capacitor Theater – These lightning-fast demonstrations and presentations will show you how to better run your F5 environment
  • The Hill Valley Arcade – A place to test your ability at various 80s themed video games. High scorers will have a chance to win a NES Classic Edition Console or an Atari Flashback console

So, as you can see, even if you aren't playing in the game itself, you can still have lots of fun!  With that said, I know many of you would love to know what the game is all about, so I'm going to walk you through the basics of how it works.  Here goes...

 

The Game...

Your team will be assigned ahead of time, and you will be given a short presentation on how the game works before it all begins that night.  The game is designed so that your team will have a virtual bank account and a web application to protect (and keep available).  Your web application will have a BIG-IP in front of it, so you will have all the options of BIG-IP modules to help protect it.  Be prepared for attacks from the audience and/or the game admins!

In addition, your team will have the opportunity to solve various challenges, thus capturing flags and earning money for your bank account.  One important note about how to get money in your bank account (other than hacking into other people's accounts)...throughout the course of the game, the game system will automatically monitor your web application at regular intervals to see if it is available.  If it passes the monitor check, then your team will get $2,000 in your bank account.  If it's not available, then you miss out on that particular deposit...you aren't charged any money, but you miss out on the chance to make money for that specific monitor check.  If you can get your web application back up and running before the next check, then you'll get the next $2,000 deposit.  As you'll see in a minute, the money in your bank account will be critical to unlocking challenges for flags that your team can capture.  

There is also a "game portal" that houses all the flag challenges and shows the overall score for each team.  To start things off, your team will be given login instructions to the game portal, and it will look something like this:

 

Once you login successfully, you will see the main page that shows you a snapshot of your team name, current game level, bank account balance, flags captured, and other notifications from around the game.  The screenshot below shows the status for Team #1 named Team Brown.

 

Across the top of the page, you'll notice some dropdown menu items where you can access the flag challenges of the game.  When you click on the "Game" dropdown, you'll see an option for "Missions" and you'll see various levels that you can access.  In this example, I already unlocked "Level 1" so the challenges from that level are available on my screen.  Remember the note above about the importance of your bank account?  Well, to unlock a specific level (except for Level 0) you have to spend $2,000+ out of your bank account.  Now, when you unlock the level, you will have access to multiple flags that are worth $500+ each.  So, it's an investment to unlock the level, but it can more than pay for itself if you are able to solve the challenges and capture the flags.  The screenshot below shows some example categories for each level.  Each category will have multiple flags for you to capture.  Notice that Level 2 has not been unlocked yet because I don't currently have enough money in my account to unlock it.  I need to capture some flags or keep my web application available (or both) to get more money to unlock that next level!

 

Once you select one of the categories (I chose Level 1 - Poorly Written DVWA below), then you will have access to the challenges for that category.  You can read the information given for that category and then simply click on the challenge to see the details of what you need to do to solve that challenge and capture that flag.  

 

As the game progresses, teams will be capturing flags and earning money.  You can always click on the scoreboard tab at the top of the page to get a real-time look at the standings in the game.  

 

At the end of the game (2 hours), the team with the most money in their bank account will be declared the winner.  There's an element of strategy here in that you have to keep your web application availabe but you'll also need to capture flags to earn money for your account.  The teams might want to divide and conquer by assigning some members to protect the web application and others to go get flags.  If along the way all teams capture a specific flag, we will have F5 experts around the room ready to explain to all the attendess exactly how that particular flag was caputured.  You might also see none other than "Doc Brown" and "Marty McFly" at the event as MCs for the evening.

This event is sure to be a big hit, so make sure you are there on Tuesday night at Agility.  See you there!

 

 

Published Jun 20, 2018
Version 1.0
  • Hi John,

     

    I done a CTF at the F5 user group in Glasgow, the premise was to find the vulnerability, exploit it and then use ASM to mitigate the attack after it was found. It was really good and insightful.

     

    My question is, will this CTF be made public after Agility in the public domain in the form of VM images? With possible walkthroughs?

     

    Cheers,

     

    Thomas.

     

  • @Thomas, we are still in the planning phases of making this available after Agility. I'll keep everyone posted on what we decided. But, we certainly want to keep the momentum going with this, so hopefully we can figure out a way to put it out there for everyone!

     

  • @Sebastian, I'd recommend working with your Sales Engineer on getting a team together. They are currently looking for people to fill up teams right now. Thanks!