Прочитайте чек-лист по цифровой безопасности в России-2022. Несоблюдение этих правил может стоить вам свободы — и жизни STAY ~/ CTF – Telegram
STAY ~/ CTF
280 subscribers
11 photos
15 links
Let's go and play big A/D CTF by C4T BuT S4D. Actually, don't go anywhere. Stay home and play online. And remember to wash your hands!

Chat: @cbsctf
Chat in English: @cbsctf_en
Download Telegram
You’ll have ~30 minutes to download everything from the boxes. After that, they’ll stopped and permanently removed.
The last information for today and we are free. We organize our CTFs and trainings on a regular basis. Though our infrastructure is cost-optimized, it is not 0. So we are open for donations if you want to support us. Vulnbox costs ~3$ per team.

Paypal: https://www.paypal.me/pomomondreganto
Tinkoff (roubles or if you have a multi wallet card): https://www.tinkoff.ru/sl/3JBSc9Kgiy0
DStream: https://donate.stream/cbsctf
Bitcoin: 1F6XjKjCMvHseScedHyH2xFpLybFGAfgZP
Hope to see you soon on our next training. Information will be posted in @cbsctf_c channel and in @cbsctf_en chat. I believe it will use community-created tasks, so we can see a lot new ideas never seen before. Sincerely, C4T BuT S4D CTF team.
Oops!

We completely forgot to congratulate our winners! Gratz teams

1) Bushwhackers
2) ZenHack
3) Suicide Apelsin

Today you were the best!
Everything useful after the CTF is here: https://stay.cbsctf.live/.

We’ve also have published the scoreboard on https://ctftime.org/event/1024, so feel free to vote 🙂
Forwarded from A&D trainings (channel) (kekov)
🔥🌚🔥
On the 14th of June we are holding our second Attack-Defense blitz.

The competition is planned to start at 11:00 UTC, and we’ll be playing for around 2 hours in total, including 30 minutes of closed network.

No more than 2 people are allowed to be in a single team.

You can register using this Telegram bot: @cbsctf_bot.

Competition chats are at @cbsctf_en (international) or @cbsctf (Russian).
Competition channel is at @cbsctf_c.

Service(s) languages are: NodeJs, Lua, Php, C.
More technical information will be posted later.
[email protected]:~/$ cd ..
Permission denied: stay the fuck home!
[email protected]:~/$ date
Sun 06 Feb 2022 10:00:00 UTC
[email protected]:~/$ cat chats.txt
🇷🇺 @cbsctf
🇺🇸 @cbsctf_en
[email protected]:~/$ cat announcement.txt
Two years have passed as the world is wearing medical masks. The influx of covid waves will be the envy of any coast, and there are so many strains of the virus that you can assemble a platinum collection of the Greek alphabet. There was some hope for collective immunity a year ago, but so far only collective stupidity has won. Or maybe we can produce a new megavaccine?
[email protected]:~/$ cat announcement_ru.txt
Два года как мир облачён в медицинские маски. Наплыву ковид-волн позавидует любое побережье, а штаммов вируса стало столько, что из них можно собрать платиновую коллекцию греческого алфавита. Ещё год назад была хоть какая-то надежда на коллективный иммунитет, но пока что побеждает только коллективная тупость. А может… Мы сможем произвести новую сверхвакцину?

Эксперименты с вакцинацией начнём 6 февраля в 13:00 по Москве, а в 21:00 узнаем, кто добьётся наилучшего результата.
[email protected]:~/$ cat registration.txt
@cbsctf_regbot or register.cbsctf.live
[email protected]:~/$ man

Game will start at 10:00 UTC on 6th of February.

Game timeline:

— 09:30 password-protected configs archive and services archive are loaded to the bot, so you can download them with /game command.
— 10:00 password is posted in the channel
— 10:30 tokens are loaded to the bot, so you can get them with /game command
— 11:00 game networks opens and the game officially begins

Checksystem:

https://github.com/pomo-mondreganto/ForcAD

What tokens are for:

After you've connected to the flag submission system, you must provide your token to submit flags.

Teams ips: 10.80.[0-N].2 (N is the number of teams).
There also will be an NPC team (with ip 10.80.0.2 )
Flag regex: [A-Z0-9]{31}=
Scoreboard will be available on http://10.10.10.10 inside the wireguard network and on cbsctf.live in global network.
Flags are accepted at <TO BE ANNOUNCED>

Scoring system:

- There are no defence points
- Each service has its own points
- Services points are not correlated
- When you attack opponent's service, the more service points difference between victim and you, the more points you will get
- Each service has its own SLA - uptime percentage
- Service points are multiplied by SLA (50% SLA = only 50% of total points)

Actual formula of service points change can be found here:

https://github.com/pomo-mondreganto/ForcAD/blob/master/backend/scripts/create_functions.sql

Service statuses:

- OK: service works perfectly
- DOWN: service is inaccessible
- CORRUPT: checker can't get one of the old flags
- CHECK FAILED: organizers mistake, oops
- MUMBLE: everything else

IMPORTANT
There will also be checksystem api route to help you during the game. It will be accessible on http://10.10.10.10/api/attack_data during the game and will contains JSON data of the following format:

{
"task_name": {
"ip1": ["hint1", "hint2", ...],
"ip2": ["hint1", "hint2", ...]
}
}

Hints are useful for situations when there are a lot of traffic on services and you can't find users with flags.
So hints will be ids, usernames, etc of users with alive flags.
Note that attack data will be provided only for some services.

Information about hints for each service will be posted after the game start. So will be the authors of services.

Configs archive:

- 20 configs for team members
- 1 config for vulnbox (*)
- readme.txt, here you can find information about connection to your cloud machine

(*)
If you choose Cloud hosting, you don't need it. Config will be automatically loaded to the your machine. Services can be found in /tasks directory.
If you choose Self-Hosted, you have to activate vulnbox config with wireguard and download services from bot with /game command.

You can find organizers either in telegram @cbsctf or @cbsctf_en.
Game information:
- Round duration: 2m
- Flag lifetime: 10 rounds
- Checksystem address: 10.10.10.10
- Checksystem port: 80
- Flag submission: curl -s -H 'X-Team-Token: your_secret_token' -X PUT -d '["PNFP4DKBOV6BTYL9YFGBQ9006582ADC=", "STH5LK9R9OMGXOV4E06YZD71F746F53=", "0I7DUCYPX8UB2HP6D6UGN86BA26F2FE=", "PTK3DAGZ6XU4LPETXJTN7CE30EC0B54="]' 10.10.10.10/flags
- Checksystem protocol: https://github.com/DestructiveVoice/DestructiveFarm/blob/master/server/protocols/ructf_http.py

Attack data:
- Available at: 10.10.10.10/api/client/attack_data
- modelrna: user id
- virush: username and sha256(flag) for flood protection
- 5Go: name of the document
- kuar: username
- vacc_ex: public vaccine id
- sputnik_v8: vm id
Tasks will be available at /tasks on a vulnbox and in the channel for self-hosted teams
Teams ips are 10.80.0-111.2
Password-protected configs and sumbission tokens are available on the site and in the bot!
Password protected services can be downloaded on https://storage.yandexcloud.net/stay-home-2022/services.zip !
Password for configs and services is 82db8bfef0fd2594d155d917142c5372
Let the game begin!
Network is open! Attack!!!!