Q: Is there a root CA for the CTF that we can trust?
No. A couple servers employ self-signed certificates - fingerprints below.
secure.openid.ctf.csail.mit.edu SHA1 Fingerprint=39:20:1D:3E:B1:0E:E3:E4:8D:08:73:D9:DA:4E:F3:6E:68:1C:0E:CE
scoreboard.ctf.csail.mit.edu SHA1 Fingerprint=77:FC:E5:32:F2:A7:9C:D4:59:A5:FF:4E:4C:A9:49:D4:4E:0F:CB:41
Q: My VM doesn't power off when I run "shutdown now". Why?!
I'm not sure. What it does do is drop into single-user mode in console, giving you little control of anything if you're working via SSH. Use the following instead:
# shutdown -h now
Q: I'm being prompted for a password when logging into Team VM. Why isn't my pubkey working?
SSH tries to guess which pubkey to use, and occasionally gets it wrong. You can give it some hints by including the following in your ~/.ssh/config:
Host teamX.ctf.csail.mit.edu
PubkeyAuthentication yes
IdentityFile ~/.ssh/<name_of_priv_key_file>
Q: What am I allowed to change on the Team VM?
You can do anything you want to the team VM (you'll have root-level access); however, some things will break our graders and you won't get points. Here's a list of things you SHOULDN'T CHANGE:
- Apache MUST run on port 80
- OpenID-based registration MUST be enabled in Wordpress
- Login process MUST bring the user back to main page
- Widgets for activated services MUST exist on the main page
- NTP service MUST be running
- Wordpress theme MUST be "Twenty Eleven 1.3"
Q: There used to be a scrimmage event on the calendar for Sunday, October 28, but it's no longer there. Has it been cancelled?
Yes, the scrimmage has been cancelled, unfortunately, due to staffing constraints.
Q: The slides from the first Wed talk indicate that the contest VMs can be accessed by teams *before* contest day. Can teams use this to harden the VMs ahead of time? Does this access include remote acces, or do students have to be physically present at MIT to do this?
We're still working out the details for how to make this happen; we'll keep you posted. Once the teams are given access, they can do whatever they want to the VMs. Remote access will be provided via SSH, though we are also looking into alternatives.
Q: The notes also indicate that, once turned on, other teams can access the VMs. Does this mean the contest can start before the contest?
Once turned on, the VMs are publicly accessible, and there's little that we can do (aside from asking nicely) to prevent other teams from trying to attack you. The challenges will be given out at the beginning of the competition, so you'll be getting a reasonably secure VM by default (SSH will be the only service enabled). However, this will require extra care in setting up firewall rules, etc, to prevent others from having inadvertent access to your VM before you're ready.
Q: The WordPress in the CTF VM is 3.3.1, but the current version is 3.4.2. Is it OK as part of the contest start up for teams to upgrade to this newer version to plug known security holes?
Certainly. Players are encouraged to install and upgrade whatever they want; however, any changes they make are at their own risk - we will not have tested our plugins to work with newer/different software versions.
Q: How will WordPress plug-ins be provided to teams during the contest?
Each plugin will come with a shell script that installs the plugin and sets up the backend service.
Q: In the 2011 MIT/LL CTF, new plug-ins were installed every few hours as the contest progressed. Will that happen this time?
Yes, challenges will be released throughout the competition.
Q: How will the teams be able to identify PII (flags)?
The PII will consist of strings of the form "piiXX_[random string]", where XX is the challenge number.
Q: What is the mechanism for turning PII into money?
PII is submitted on the "black market" (a page on the scoreboard). The algorithm for how this affects bank balance is being tweaked - the updated will be presented on Wed, 10/24 lecture.
