Rules in the Final Round of WhiteHat Grand Prix 06
03:43:00 | 19-11-2019

I. Introduction

  • The Final Round of WhiteHat Grand Prix 06 includes 3 parts: Warm-up, Speed-up and Finish.
  • Time: 8 hours, from 02:30 to 10:30 (UTC+0) on December 27, 2020.
  • The final score of each team will be the total score of 3 parts: Warm-up, Speed-up and Finish. After being released, the challenges will remain open until the end of the competition.
  • The automated monitoring system will be activated during the competition.

II. Warm-up

In this first part, teams will compete in CTF – Jeopardy challenges including Reverse engineering, Web Security, Cryptography, Pwnable and Miscellaneous.

Score calculation:

  • Score = 1,000 – (n – 1) × 50, where n = the number of teams that have successfully solved the challenge.
  • The first team to successfully solve a challenge will be rewarded Firstblood = 50 points.
  • Unless stated otherwise, the flag will be in the form WhiteHat{SHA1(this_is_a_flag)}

Notes:

Some time after the Warm-up challenges open, the Organizer will release the Speed-up part.

III. Speed-up

In this part, teams will compete directly in Attack/Defense format.

Each team will be assigned a server running active services and protected by a Firewall.

Each team will protect their system against attacks to ensure the availability of the services while attacking other teams' systems to get Flags.

The Organizer will provide Firewall administration information to each team while information of services of all teams will be made public.

Services will be opened in turn as scheduled by the Organizer. Services and resources of the teams include:

  • Service server:
    • A server which contains vulnerabilities in its services corresponding to the challenges.
    • Teams are not granted server administration rights and may not modify or patch binary files.
    • Each service, at a given time, has a flag (without standard format).
    • All services, except for their flags, are the same for all teams.
  • Firewall:
    • Protects the service server.
    • Each team is granted root access and uses this Firewall to apply defensive measures for the service server.

Score calculation:

  • The competition is divided into rounds. Each round will be from 20 to 30 minutes.
  • Each team can earn 3 types of points: attack point, defense point and service availability point. The score of each round is the sum of these 3 point types.
  • After each round, services will be reset, flags will be changed.
  • Attack point: for each flag collected by successfully attacking a service of another team, a team earns 20 attack points.
  • Defense point: Before each round starts, 100 points per service will be given to each team. Each time another team captures a team's flag, 10 points will be deducted. If a team is attacked by all other teams and its flags are therefore captured, the defense point of that team will be 0.
  • Service availability point: Awarded when the original service is available at the time the Organizer makes a random check of each team during a round. The maximum is 100 points per service. Specifically:

Notes:
  • If the service score is 0, the defense score is also 0.
  • Upon the first successful submission of a service, teams will collect a key part. Combining these key parts will help teams get the complete key to use in the Finish. Teams are not required to collect all of these key parts, but doing so will make the Finish more convenient.

IV. Finish

This is the IoT Jeopardy part. The task of teams is to attack the security management system of an organization, exploit security vulnerabilities, then perform privilege escalation attacks to gain control of the devices on the system. The organization's security system consists of many components, which are challenges that teams must overcome.

Score calculation:

  • One of the challenges is to compromise the security system and disable the lighting control system. Teams completing this challenge will be awarded 1,000 points.
  • The remaining two challenges are time-based, so teams must complete them as quickly as possible to preserve the points given by the Organizer. The original score for each team in this part includes: 2,000 points for the camera challenge and 1,500 points for the sensor challenge. The longer a challenge takes to solve, the more points are deducted. Points are deducted after certain time periods.
  • Teams that successfully submit all 3 challenges will get the final flag and be awarded 500 points.

Notes: The IoT gateway (the central controller) is developed on the Arduino platform.

V. Prohibitions

  • Strictly prohibit any destructive attacks targeting the scoring server or other subjects not included in the competition’s requirements.
  • Strictly prohibit DOS/DDOS attacks targeting infrastructure or preventing the performance of other teams.
  • Strictly prohibit sharing flags with other teams.
  • Strictly prohibit other fraudulent activities.

VI. General regulations

  • Decisions of the Organizer are final decisions.
  • Any violation, depending on its severity, will result in a warning, a penalty or disqualification from the competition.
  • In case of necessity, the Organizer reserves the right to change the rules and will inform the teams via email.

------------------------------------

Rules in the Qualification Round of WhiteHat Grand Prix 06

1. GENERAL

1.1. Groups and individuals participating in the competition willingly and voluntarily comply with the Rules of WhiteHat Grand Prix (WGP).

1.2. All information about WGP can be found on https://Grandprix.WhiteHatVN.com and https://ctftime.org/event/942/

2. PURPOSES

2.1. Promote the development of information security human resources.

2.2. Stimulate and inspire learning and skill improvement.

2.3. Strengthen the ability to work collectively, exchange, learn and share experiences internationally.

2.4. Find, detect, and assist in fixing vulnerabilities on critical systems and popular software.

3. THEME: Vietnam Today

4. GUARANTOR: Vietnam Ministry of Information and Communications

5. ORGANIZERS:

Authority of Information Security – Vietnam Ministry of Information and Communications

Vietnam Cyber Security Community WhiteHat.vn

6. SPONSOR: Bkav Corporation

7. CHALLENGE AUTHORS: Authority of Information Security, Bkav Team, CyStack, Duy Tan University

8. PRIZES

The total prize that a team can receive consists of bounties from the Private Bug Bounty program and the prizes of the Attack/Defense competition in the Final Round.

8.1 Attack/Defense

- 1st Prize: 230 million dong (equivalent to 10,000 USD), Champion cup, Certificate from Organizer

- 2nd Prize: 45 million dong (equivalent to 2,000 USD), Certificate from Organizer

- 3rd Prize: 23 million dong (equivalent to 1,000 USD), Certificate from Organizer

8.2 Private Bug Bounty

- Teams will participate in the Private Bug Bounty program on the simulated system. With each Bug found, teams will earn points according to the levels of: Critical, Important, Medium and Low severity.

- Teams will receive additional bonuses from the points earned in the Private Bug Bounty program.

9. SCOPE AND PARTICIPANTS 

9.1. Who can participate: Groups and individuals from countries and territories all over the world can participate. There is no limit to the number of teams participating.

9.2. Individuals and organizations of the Organizer, admins of WhiteHat.vn are not allowed to participate.

9.3. Individuals and organizations belonging to the challenge authors (those who directly or partially support creating the challenges) are not allowed to participate.

10. HOW TO COMPETE

10.1. The Qualification Round: Select Top 10 teams to the Final Round.

Format: Online CTF - Jeopardy at GrandPrix.WhiteHatVN.com with the contents of: Reverse engineering, Web Security, Cryptography, Pwnable, Miscellaneous.

How the 10 teams for the Final Round are chosen: the top 10 teams ranked by score, highest first. Each country is allowed to have a maximum of 3 teams in the Final Round. Country information will be checked before the Final Round. A team is considered valid for a country if at least one member of that team has the nationality of that country.

Time to register: 06 December 2019 until the end of the Qualification Round

Time of competition: From 09:00 Saturday, January 04, 2020 to 09:00 Sunday, January 05, 2020 (UTC+7)

How to register: Register online at https://GrandPrix.WhiteHatVN.com or https://ctftime.org/event/942/

10.2. Final Round: The Top 10 teams reaching the Final Round will compete directly to determine the Top 3 teams.

Format: Private Bug Bounty and Attack/Defense

Private Bug Bounty is a vulnerability-finding program dedicated to the Top 10 teams in the Final Round. The program takes place during the Final Round.

11. REGULATIONS AND NOTES

11.1. Strictly prohibit any destructive attack targeting the scoring server or other entities not included in the challenge requirements, DOS/DDOS attacks on infrastructure, or preventing the performance of other teams.

11.2. Strictly prohibit sharing flags with other teams.

11.3. Unless stated otherwise, the flag will be in the form “WhiteHat{SHA1(this_is_a_flag)}”.

11.4. On detecting any problems with the challenges, teams should inform the Organizer immediately.

11.5. Strictly comply with the rules and regulations of WGP. Any violation, depending on its severity, will result in a warning, a penalty or disqualification from the competition. Decisions of the Organizer are final decisions.

11.6. There might be hints for the challenges, depending on the performance of teams.

11.7. If teams achieve the same score, the team that submitted sooner will be ranked higher.

11.8. Teams reaching the Final Round must send write-ups of the challenges they solved to the Organizer.

11.9. Teams are not allowed to change their country information once the Qualifier officially starts.

12. ISSUANCE

This set of rules is issued by the Organizer and takes effect from the date of issuance. If there is any adjustment and/or change, the Organizer will notify teams in a timely manner and post the update on https://Grandprix.WhiteHatVN.com.

=============================

  • How scores are calculated in the Qualification Round:

1. Point = 500 – (number of teams that solved the challenge) × 10, with 500 >= Point >= 100

2. Firstblood = 10 (bonus points for the first team to solve the challenge)

3. Unless stated otherwise, the flag will be in the form WhiteHat{SHA1(this_is_a_flag)}

4. The Top 10 teams qualified for the Final Round shall send the Organizer write-ups for the challenges they solved.

5. The Top 10 teams with the highest points from the online qualifier will be invited to compete in the Final Round (expected to be in early 2020).

6. How the 10 teams for the Final Round are chosen: the top 10 teams ranked by score, highest first. Each country/territory may have a maximum of 3 teams participating (those with the highest points). The registration of country flags will be checked before the Final Round. A team is considered valid if at least one member of that team is a citizen of that country/territory.

7. Support channel:

Slack: https://whitehatgrandprix06.slack.com/

Invite link: https://bit.ly/2FhPM9b

Facebook: https://www.facebook.com/whitehatvn