Rules of WhiteHat Grand Prix 2018 - Legends of Viet Nam - Final round

Discussion in 'WhiteHat Grand Prix 2018' started by administrator, 19/10/18, 06:10 PM.

  1. administrator

    administrator Moderator

    Tham gia: 27/08/16, 01:08 PM
    Messages: 27
    Likes Received: 0
    Trophy Points:

    I. General introduction

    • The Final Round of WhiteHat Grand Prix 2018 includes 3 parts: CTF - Jeopardy on IoT devices, Attack/Defense on-site and ACM with AI application.

    • Time: 8 hours, from 8:00 to 16:00 (UTC+7) on November 1, 2018.

    • The final score of each team will be the total score of Jeopardy, Attack/Defense and ACM.
    II. Jeopardy IoT Security

    Each team will be provided a system that simulates a company network with IoT devices such as: Router, Wi-Fi modem, surveillance camera, central control system, terminal equipment, etc. Each team has to exploit the vulnerabilities on IoT devices and get score after each challenge.
    Map IoT.png
    Score calculation
    1. The initial points of each challenge will be the same and will be lowered corresponding to the number of teams solving such challenge.

    2. The first team to successfully solve a challenge will be rewarded 50 points.

    3. Unless otherwise stated, flag format will be random (no quotes)

    IoT gateway – the central controller is developed on Arduino platform. Teams should prepare tools and be equipped with knowledge of vulnerabilities on terminal equipment such as Router, Wi-Fi modem, Camera, etc. especially the knowledge of Arduino devices.

    Besides the competition system, the teams will be provided with a prototype to study device reverse engineering.

    After a certain time of opening Jeopardy IoT challenges, the Organizer will open Attack/Defense part.


    In this part, all teams will compete directly. Each team will be assigned a server running active services, protected by a Firewall and placed in the same network with other teams’ systems.

    Each team will play the role of system administrator, protecting their system against attacks. While attacking other teams' systems to get Flags, they must ensure the availability of their system's services.

    The Organizer will provide firewall administration information to each team, while information of services of all teams including access links, binary files (if any) will be made public.

    Services will be opened in turn as scheduled by the Organizer, and the automated monitoring system will be activated right from the beginning.

    Services and resources of the teams:
    • Service server:
      • A server which contains vulnerabilities in its services, corresponding to challenges.

      • Teams are not granted the rights of server admin, modifying, patching binary files.

      • Each service, at a given time, has a Flag (without standard format).

      • All services, except Flags, are the same with all teams.
    • Firewall:
      • Protect service server

      • Each team is granted root access and uses this firewall to apply defensive measures for the service server.
    Score calculation
    • The competition is divided into rounds. Each round will be from 15 to 20 minutes.

    • Each team can earn 2 types of points, attack and defense. The final score of Attack Defense is the sum of attack and defense points

    • After each round, services will be reset, Flags will be changed. Attack/defense points will be added accordingly.

    • Attack score: successfully attacking a service of other teams and collecting 1 Flag will be added 10 attack points

    • Defense score: At the beginning of each round, each team will be added 100 defense points per service. Each time a Flag is taken by other teams, 10 defense points will be deducted.
    Note: If the Organize finds that a service of one team is not available for most of the time of one Round, the team's remaining defensive score of the service will not be counted. If one team’s flag is not captured by any other team and their services are still available after a round finishes, this team will be rewarded extra score (10 points per service).

    IV. ACM with AI

    The Organizer will provide each team with a playground and a sample code of a snake (BOT). Each team will program a snake to compete with other teams’ snakes.
    Score calculation
    • This part will be divided in several round turns. (One team will compete with other teams in round turns to get points).
    • In each round, winners will get X points, losers will get 0 point. If it is a draw, each team will get X/3 points.
    During one round, teams will be not allowed to update their snake (BOT).
    • Between rounds, there is break time. Teams can update their snakes during break time. Update must be completed before starting a new round.
    V. Prohibition
    • Strictly prohibit any destructive attack targeting the scoring server or other entities not included in the challenge requirements.

    • DOS/DDOS infrastructure or preventing the performance of other teams.

    • Strictly prohibit sharing flags with other teams.

    • Other fraudulent activities
    • Any violation, depending on its severity, will be warned, penalized or disqualified from the competition.

    VI. General regulations

    • Decisions of the Organizer are final decisions.

    • In case of necessity, the Organizer reserves the right to change the rules and will inform the teams via email./.

    Attached Files:

    Last edited: 31/10/18, 09:10 PM