Getting Started Guide: Cyber Range Blue Team CTF v1.0

What is Capture the Flag?

Capture the Flag (or CTF) is a cybersecurity competition where participants compete individually or in teams using different security tactics in a gameplay environment. There are three major types of CTF events in the market today: Jeopardy, Attack-defend and Mixed.   

CTFs are a way for cybersecurity professionals to hone their skills and techniques. These CTF competitions provide hands-on learning and networking opportunities for participants. All three styles of Capture the Flag events are hosted in WWT's Cyber Range within the Advanced Technology Center (ATC). WWT's Cyber Range provides a flexible and scalable platform to facilitate these large-scale CTF simulations.  

Finally, the objective of the competition is to solve practical cyber challenges in a simulated environment. The goal of each cyber challenge is to find a "flag" to receive points. These tasks and challenges award varying amounts of points depending on difficulty. The team with the most points at the end of the competition wins.  

Types of CTFs:

Jeopardy CTFs

Jeopardy CTFs have questions or tasks that are arranged in specific cybersecurity categories. Participants get points for solving questions or tasks correctly. Tasks can be arranged to unlock new tasks or allow participants to go to newer levels or stages. The format of this type of CTF can be Red Teaming, Blue Teaming or even a mixture of both. 

Attack-defend CTFs

Attack-defend CTFs are set up for teams to have their own network containing a host or group of hosts. Teams have time to patch their vulnerable hosts and ready tools to defend. Additionally, the teams also prepare tools and exploits to attack other teams. The organizers connect participants, and the wargame starts between participants or teams who need to attack and defend their environments. Participants get points for successfully defending or attacking the other team environments. 

Mixed CTFs

Mixed CTFs are a combination of Jeopardy and Attack-defend CTFs where there are elements of both styles present in the game. 

Code of Conduct

By logging in to the WWT Cyber Range, players affirm their agreement with the WWT Capture the Flag Competition Official Rules. 

Cooperation

No cooperation between teams. Sharing keys or providing revealing hints to other teams is cheating. Don't do it.  

Attacking the scoreboard

Don't attack the scoreboard infrastructure. If vulns are found, please alert the range admins immediately.  

Bruteforcing

No brute forcing of challenge flag/keys against the scoreboard infrastructure. Choose another way to flex your skills.  

Denial of Service

DoSing the underlying platform is forbidden. Stay within the game space of 192.168.0.0/16 and 172.16.0.0/16. 
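
A scope check for the game space rule above, as an added example that is not part of the original guide or of WWT's tooling. It filters a target list so that only entries lying entirely inside 192.168.0.0/16 or 172.16.0.0/16 remain; the function names and the sample list are constructed for illustration.

```python
import ipaddress

# Game space ranges stated in the Code of Conduct.
GAME_SPACE = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("172.16.0.0/16"),
]


def in_game_space(target: str) -> bool:
    """True only if every address covered by `target` is inside the game space."""
    try:
        # strict=False accepts entries with host bits set, e.g. 192.168.1.10/24.
        net = ipaddress.ip_network(target.strip(), strict=False)
    except ValueError:
        # Hostnames and malformed entries cannot be verified offline,
        # so they are treated as out of scope.
        return False
    return any(
        net.version == allowed.version and net.subnet_of(allowed)
        for allowed in GAME_SPACE
    )


def split_targets(targets):
    """Split a target list into (in_scope, out_of_scope), preserving order."""
    in_scope, out_of_scope = [], []
    for entry in targets:
        (in_scope if in_game_space(entry) else out_of_scope).append(entry)
    return in_scope, out_of_scope


# Constructed sample list (not taken from a real event).
SAMPLE_TARGETS = [
    "192.168.10.5",
    "172.16.4.0/24",
    "172.17.0.9",             # private address, but outside 172.16.0.0/16
    "172.16.0.0/12",          # wider than the game space
    "192.168.0.0/15",         # spills into 192.169.0.0/16
    "10.0.0.1",
    "webmail.acmecorp.info",  # hostname: cannot be checked without resolving
]

if __name__ == "__main__":
    ok, rejected = split_targets(SAMPLE_TARGETS)
    print("in scope:    ", ok)
    print("out of scope:", rejected)
```

Note that 172.16.0.0/16 is narrower than the full 172.16.0.0/12 private block, so addresses such as 172.17.x.x are private but still outside the game space.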

Participant Information

Participants will complete challenges and navigate the environment from Kali Linux Machines.  

  • Member roles: 1 team leader, up to 4 team players 
  • Each team will be assigned 4 virtual machines (VMs) to play.  

Work amongst your teams to decide which player to assign to each VM workspace.  Please note that if there are more than 4 team members, players will have to share a VM workspace. 

What Does a Flag Look Like?

A flag in a Capture the Flag event is essentially an answer to a question or a challenge.  A flag can take on many forms.  These are the answers that you submit into a platform like CTFd.io which contains the scoreboard for individuals and teams. It is where the grading occurs for the CTF competition. 
 
It might be a fully qualified domain name (FQDN) like this: 
webmail.acmecorp.info 

It could be a string of text from an html script: 
WWT{18090f4-0e24-6651-v65f-22sp3267aa} 

It could be a user password combination that is found: 
admin:acme123! 

It could be clear text within a flag file that was found: 
In the file flag.txt, the clear text inside is: 
DrinkYourOvaltine 
 
Flags can also take the form of Multiple Choice, True/False, and Word Bank answers. These are just a few examples of flags that can be expected in WWT Cyber Range CTF events. Flag structure and hints might also be called out directly in the CTFd platform located inside the game. Please refer to CTFd for the correct formatting of the flags. 

*Hint: If you see a strict structure like Xxxx xx X xxXx, then it's likely the response would match the structure.  [ This is A flAg } would be a properly formatted answer. 

Please refer to the Player Orientation Guide that is attached and specific to the scenario for your Cyber Range CTF event. 

Tools used

Individual learning and team game success in the WWT Cyber Range CTF events is based on the use of Cyber tools in the games. Depending on the scenario (Blue Team, Red Team, or Both) participants could be using a myriad of different tools designed for specific scenarios.  The tools in WWT Cyber Range can be open-source or off-the-shelf OEM/Vendor specific toolsets. 

Logging into the game

Event page details

1. Details Tab: Specifies the details of the event

2. Resources Tab: Provides resources to be utilized prior to and during the Cyber Range event

3. Team Tab:  Displays CTFd and Rocket.Chat credentials, as well as team members. Only the team/teammates have access to this tab.

4. Event Overview: Provides details about the Cyber Range event

5. What to Expect / Goals and Objectives / Agenda: Scroll to see additional information about the event.

6. Launch Gamespace:  Clicking this button launches the lab in a new tab.  This button is not clickable until the start of the event.  Please see additional details under Gameplay – ATC Lab Gateway and Chat Platform section.

7. Date/Time: Day and start time of the Cyber Range event

8. Host: Host of the Cyber Range event

Gameplay: ATC Lab Gateway and Chat Platform

Clicking Launch Gamespace opens the ATC Lab Gateway and chat in a new tab.  Please see below for additional details.  (Note: your desktop may not appear exactly the same due to operating system differences, but all resources are still available.) 

1. Player Desktops: There are four desktops available for each team.  Team members can view each desktop.   Click the arrow within the tab of each player desktop to open the desktop in a new tab.

2. Live Chat: Provides a way to submit a technical support request.  The Live Chat screen will open at the bottom right of the player desktop.  Enter your name and email then select an option with the Cyber Range Support Agent and a support representative will be in contact.

3. Rocket Chat: Enter the Rocket Chat credentials provided on the event page team tab (see above). All game play videos, messages, and hints are deployed through Rocket Chat.  Click the arrow within the tab of each player desktop to open the desktop in a new tab.

4. gameInfo: Document with necessary credentials

5. Zenmap: Nmap tool

6. Putty: SSH/Telnet client players can use to access systems

7. Chrome Shortcut: Click to access the CTFd tool and the Iron Guardian website. Within the CTFd tool, users can view challenges, view the scoreboard, and submit flags.  Team credentials to access CTFd are provided on the event page team tab (see above).  For additional CTFd details, please see the section titled Submitting Flags and Viewing Scoreboard - CTFd.

8. Wireshark: Open-source network protocol analyzer tool

9. Network Diagram: Ironguardian's network diagram

10. Statement of Work: Game rules for players

11. Team Specific Player Chat Channel: Each player has access to a team specific chat.  Only team members and the Cyber Range Admin can see this chat.  The team's name is located within the Event Page.

12. Announcements Player Chat Channel: Each player has access to view this channel.  Game play videos, messages, and hints are deployed within this channel.

13. General Player Chat Channel: Each player has access to a general chat for all players. This channel is utilized to interact with proctors and other teams within the game.  The name of the general chat channel is the event title.

Gameplay: ATC Lab Gateway Copy/Paste Settings

Copy/Paste from your host system to a system in the ATC through the ATC Lab Gateway is possible with several restrictions. 

Supported Systems 

  • Target systems can support copy/paste when accessed through RDP, SSH, or Telnet. 
  • Proxied web pages support copy/paste natively because the page is being loaded directly in the browser. 

Browser Setup 

  • The ATC Lab Gateway supports copy/paste in Google Chrome and Microsoft Edge.   
  • When users first access the ATC Lab Gateway, a prompt will display.  To enable copy/paste select Allow.  Please note the below snapshots are for Chrome. 

To update the settings, click the padlock icon next to the site URL.  Click Reset Permissions.  Toggle the Clipboard to on/off. 

Submitting Flags and Viewing Scoreboard – CTFd

The CTFd tool is accessed via the Chrome shortcut on the player desktops in the ATC Lab Gateway (please see above snapshot). The CTFd tool is used for submitting flags and accessing the scoreboard.  Challenge flags are submitted to CTFd under the Challenges tab, and the scoreboard is accessed via the Scoreboard tab within the CTFd tool. 

  • The Cyber Range Admin team is monitoring flag submissions. There is only one account per team for scoring.
  • The CTFd platform is not a target of an attack.
  • Players can complete early-stage challenges/flag submissions at any time.
  • Later-stage challenges/flag submission is not possible until certain in-game events occur.