Designing a challenge for the CTF

Why should I go through all this work?

Why would you possibly want to write a challenge?

Many reasons! Let us list a few:

Want to submit multiple challenges? The more the merrier!

Still with us? Great! Let us explain the requirements we have for submitting challenges.

Warning

Please remember that if you submit a challenge, you will not be able to play the THCon 22 CTF in a competitive fashion.

You can still play of course, but you (or your team if you are playing together with other players) cannot receive prizes if you win. This constraint is there to achieve a spirit of fairness to other competitors.

If you really desire to participate to win prizes, please refrain from submitting challenges.

Second warning

If the previous warning was not ominous enough for you, here is a second one:

Please submit original challenges.

By that we do not mean that the challenge have to use some brand new attack method or anything of the sort! There is absolutely nothing wrong with reusing/redemonstrating old and proven challenge types.

We simply mean to emphasize this: do not recycle existing challenges. Contestants may already have seen them, which would give them an unfair advantage.

Challenge categories

Challenges must be in on of the following category (you can always contact us if you believe there is need for another category):

Storing the challenge on our git server

Ultimately, we will have to host a copy of your challenge on our gitlab server. If you do not have access to it, please drop us a line explaining the idea behind your challenge and we will be happy to let you in!

The repository name on the serveur must follow this template: <challenge category>-<author handle>-<challenge name>.

File organization

We ask you to create some files in the root of your git repository:

The following files are optional:

No information outside of these files will be given to the contestants. As a consequence, if your challenge is to be solved offline (e.g. steganography), the public.zip file is thus mandatory.

On the other hand, if you provide an online challenge (e.g. pwn), the Dockerfile and solving scripts are mandatory too (or else we won't be able to deploy your challenge).

Flag format

Each challenge must have the following flag format: THCon22{*whatever you want*}. We reserve the right to change the flag right before the start of the challenges, as well as during the competition in the event where a flag is suspected to have been shared/leaked.

Online challenges

Challenge environment (online challenges only)

Online challenges will all run as docker containers. This is why you must supply us with a Dockerfile as well as all the files needed to generate your docker image. Please do not use docker-compose, and supply a single challenge image instead.

If the flag is not stored inside your binary but in a dedicated file instead, we recommend you mount it in the docker container as a volume (e.g. using the VOLUME /path/to/flag.txt instruction in the Dockerfile). This will greatly ease the work of our team if we need to update the flag in the event of a leak.

Your docker container must listen to TCP requests on the port 1314. This is the port that will be exposed to contestants. Note that we will reassign the ports on our end so that challenges from each creator listend to a distinct port. If you need to listen on more than one port, you believe docker cannot be used for running your challenge, or if your environment requires specific non-standard system parameters (like disabling ASLR), please reach out to discuss it with us!

Solver scripts (online challenges only)

This year, we ask authors to write a bash/python script for each of their remote challenges. This script must solve the challenge in the same way a constestant could. This allows us to ensure that your challenge works as expected and to validate it keeps working during the course of the event.

You can call upon bash, python3, perl, curl, openssl and other well-known utilities in the script.

If you need a specific program or library, please reach out to us to discuss it further. The script must respect the following format: no input parameters/stdin, and return the challenge flag as output on stdout (you can of course print other messages, but the script must print at least the flag).

Miscellaneous

Regarding the files you wish to give to the contestants (binaries, code, etc.), please group all of them in the public.zip file in the root of your git repository. No other file will be accessible to the contestants.

In case you need help or something isn't clear, please reach out to contact <at> nightmared.fr/@thobys:inpt.fr on [matrix]/nightmared#1907 on Discord. He will try to answer you directly, or failing that, will grant you access to a dedicated discord channel where others could help you.