HackBattle - new competition at PHDays

This is a totally technical writeup on the organisation of the HackBattle competition. You have been warned!

At PHDays'7 (2017) my colleague Alexander Morozov and I decided to create a brand new competition to make it fun and interesting for hackers, not sales! The motivation was that there are not many realtime streams (at least I know of none) that offer you a chance to see a hacker's thinking process while approaching a certain challenge. So we decided to create a task which two talented hackers would solve to win the trophy. At the same time, the crowd could enjoy the show and learn something new about approaching such problems.

The idea seems pretty good, though the competing hackers have to qualify first. That's why we developed a full task-based CTF whose difficulty level was kept low.

In 2018 we decided to repeat the contest, but make it technically better. This year we were more prepared and had Dmitry G. as part of our team. That's why I am going to tell you about 2018: how we faced and defeated many problems that were not visible at first.

Problem 1: stream both competitors to the main screen

This problem seems pretty straightforward, but still takes some time to solve. To stream, we chose the VNC protocol: x11vnc on one side and vncviewer (tigervnc) on the other. To keep both competitors consistent in terms of streaming their X11 sessions, we decided to forbid their own computers and asked them to use ours, with Kali Linux already set up. Both computers had x11vnc -viewonly running in the background, launched inside a while true loop as a kind of failsafe mode.

Then we took another computer (I put Debian on it, but that does not really matter) which could be connected to the main screen. In our hall the main screen was huge, and the local staff made an HDMI input available, which our computer did have! We then connected to both hackers using vncviewer -fullscreen -viewonly. Note that all three computers must be in the same network. The problem is that fullscreen mode in vncviewer makes it difficult to switch between the competitors' screens in a reasonable amount of time, so I used two Linux virtual terminals (ctrl + alt + f1 (f2, f3)), each having a single streaming session running in a loop. To switch to a different hacker, ctrl + alt + f_n can be used, which gives a really tiny lag.

NOTE: in this setup you rely heavily on network connectivity, the VNC programs and Xorg. Yes, the latter can break, and it did break during our live stream for one of the competitors. Luckily, the second stream was working well.

Problem 2: distinguish the competitors while watching the main screen

osd_cat with the DISPLAY environment variable was used. It is launched as echo text | DISPLAY=:1 osd_cat

Problem 3: make the quals available for people w/o their computers

All that is necessary to address this problem is a computer with the network set up. A problem arises, though: a lot of people would first look through the browser history to find hints left by the previous player, which is pretty bad for us. We decided to set up virtual machines with Kali Linux and grant access not to the host, but to the virtual machine. After the player finishes his session, the VM is reverted to the snapshot.

As the task-based platform we took CTFd and adjusted its logic for our needs. After a new user registers in the system, a 30 minute timer is started in the background. When the time is up, an HTTP request is sent to the host machine telling it that the session is over and it is time to restart. The host has a NodeJS server running which reverts the VM. VirtualBox offers a CLI (VBoxManage) which allows such things. So the Node application simply runs Bash commands to power off, revert and then start the virtual machine again.
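
A sketch of what such a host-side reset service can look like, as an added example and not the code we ran at the event. It passes arguments to VBoxManage as an argv list instead of a shell string, only accepts VM names from an allowlist and requires a shared token. The VM names, the snapshot name, the /reset/ path and the x-reset-token header are assumptions made for the example.

```javascript
// Added example: host-side VM reset logic (hypothetical names throughout).
const { execFileSync } = require('node:child_process');
const crypto = require('node:crypto');
const http = require('node:http');

// Assumed values: VM names, snapshot name and token are placeholders.
const ALLOWED_VMS = new Set(['quals-kali-1', 'quals-kali-2']);
const SNAPSHOT = 'clean';
const TOKEN = process.env.RESET_TOKEN || 'change-me';

// Constant-time comparison of the presented token with the expected one.
function tokenOk(presented) {
  const a = crypto.createHash('sha256').update(String(presented)).digest();
  const b = crypto.createHash('sha256').update(TOKEN).digest();
  return crypto.timingSafeEqual(a, b);
}

// Default runner: argv array and no shell, so a name is never parsed as a command.
const vbox = (args) => execFileSync('VBoxManage', args, { stdio: 'ignore' });

// Power off, restore the snapshot, start again. Returns the argv lists used.
function resetVm(vm, run = vbox) {
  const steps = [
    ['controlvm', vm, 'poweroff'],
    ['snapshot', vm, 'restore', SNAPSHOT],
    ['startvm', vm],
  ];
  steps.forEach((args, i) => {
    // poweroff fails when the VM is already off; only later steps are fatal
    try { run(args); } catch (e) { if (i !== 0) throw e; }
  });
  return steps;
}

// Decide the HTTP status for a reset request (kept pure so it is easy to test).
function handleReset(method, url, token, run = vbox) {
  const m = /^\/reset\/([A-Za-z0-9-]+)$/.exec(url);
  if (method !== 'POST' || !m) return 404;
  if (!tokenOk(token)) return 403;
  if (!ALLOWED_VMS.has(m[1])) return 404;
  try { resetVm(m[1], run); return 200; } catch { return 500; }
}

// Wire it to HTTP; call .listen(port, addr) on the interface CTFd can reach.
function createServer() {
  return http.createServer((req, res) => {
    res.statusCode = handleReset(req.method, req.url, req.headers['x-reset-token']);
    res.end();
  });
}
```

The server is only constructed, not started: createServer().listen(...) should bind to the address the CTFd machine uses rather than to every interface.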