Channel: CTF365 Blog

CTF365 – Who is it for | Subscription and Credits Explained


As you already know by now, at its core CTF365 is not a game. CTF365 is a top notch “Training Platform for IT industry with a focus on Security Professionals, System Administrators and Web Developers” that implements CTF (Capture The Flag) concepts and leverages gamification mechanics to improve retention rates and speed up the learning/training curve.

The platform is designed to be used by security professionals and students, system administrators and web developers, security training companies, Red, Blue and CERT/CSIRT Teams etc.

Though we are still in Alpha, testing the platform and adding new functionality and some specific features, we have already decided on our business model. As a product, we address the B2B (Business to Business) market.

What’s the business model?

The CTF365 Security Training Platform will run a credit subscription model based on customer segments and their needs. Before we get into details, the B2B customers we address are as follows:

  • Security Training Companies – Educational, Continuous Improvement, Learning and Training
  • InfoSec Vendors (Cisco, McAfee, Rapid7 etc) – Testing their products through gamification and crowdsourcing
  • InfoSec Organizations (OWASP, ENISA etc) – Improving Internet Security Awareness
  • InfoSec Conferences – Entertaining, Challenging, Community Driven
  • Security Management Companies – Continuous Training and Improvement
  • Red, Blue, CERT/CSIRT Teams
  • Information Security Recruiters
  • CS faculties – Educational, Challenging, Hands on
  • Web development companies – Improving and Training for Defensive Security
  • Web Hosting Companies – Defensive Security Training
  • Data Centres

What does credit subscription mean?

Companies and organizations will be able to buy credit packages according to their needs and use them as they want, when they want, rather than on a monthly basis.

As a customer, the biggest advantage is that instead of paying a monthly subscription, which you pay whether you use the platform or not, a credit subscription means that once you purchase a credit package it can be used at your will.

Another important advantage is that the company or organization will be able to offer training access, within a few clicks, to exactly those employees who are in scope and need it.

Why credit subscription?

Because different customers have different needs, from light to heavy, when it comes to security learning, training and improvement. When we chose the credits business model, we thought about the different sizes and needs of our customer segments. For example, small companies that are not security related (4-8 users) but run a web-based business will always fit perfectly into the smallest credit package; a medium security training company may need a medium package; and a security management company that manages Red and Blue Teams will need a larger credit package, as will Computer Science faculties where students need hands-on training.

On the other hand, Information Security Recruiters have spiky and scattered needs, when they test candidates live and hands-on.

The point is that companies and organizations get only what they really need and use it when they want.

Below is an example of the goods that you’ll be able to pay for with purchased credits.

Virtual Goods                  Credits/Month
Play CTF365 Grand Arena        10
Basic Fortress                 13
Super Fortress                 19
Custom Fortress Connection     23
VPS                            15
Router                         10
DDoS Attack                    29
Domain Register                 2
IP Package                      6


Why only B2B?

Our goal is to make CTF365 affordable for anyone who wants to use it, but not available to those who do not behave according to white hat security ethics. Like in martial arts, please remember that being a white hat is not about skills; it’s about ethics.

If you are a business owner or representative who thinks CTF365 can be a good asset to your company and wants access to the Alpha Stage, just send us an email to support [at] ctf365.com with Subject line: Alpha Access and we’ll grant you access.

The Alpha stage is for information security company representatives, computer security faculty, companies that have information security departments that need continuous training, infosec conference organizers, CERT/CSIRT teams, as well as any organization such as OWASP or any infosec-focused organization that wants to test and see how CTF365 can help them.

CTF365 is a top notch training platform with a focus on Security Professionals, System Administrators and Web Developers that offers five-star services for training, learning and improving offensive and defensive web security.

Stay secure while having fun. :-)



Introducing Private Hack Notifications


Being in Alpha, we want to see how things go in our users’ activities, how our platform works, what bugs there are and what features can be added to enrich your experience, whether you’re a web developer, system administrator or security professional.

The Alpha stage is for web development companies, security company representatives, computer security faculty, companies that have information security departments that need continuous training, infosec conference organizers, CERT/CSIRT teams, as well as any organization such as OWASP or any infosec-focused organization that wants to test and see how CTF365 can help them.

Attack Side of the Platform

So far, it looks like there is serious hacking activity, which proves that our idea to build a Security Training Platform for the IT industry is a good one. Teams have started to hack into servers, developing new attack strategies or using what they already know.

(image courtesy of the Shodan CTF365 Team)

[image: CTF365-Activity]

As we stated before, we encourage you to set up your fortress with as many web apps and services as possible and let them run. After all, this is how the real Internet works. No inspiration? Read Get your Team and Pimp that Server.

When a score is reported and approved, we only announce that team X has hacked/scored again, without pointing at the team that was hacked, and we assign points to the team and points and badges to the user who reported it.

Disclaimer: We know the points system and the way we assign points are not perfect, but we are working on this too; if you want to find out more, you can read CTF365 – Points, Scoring System and Rules.

Defense Side of the Platform

If things are clear for offensive teams, what about the team that had its fortress penetrated/hacked? How can CTF365 help users improve their defensive tactics and get better and better? How can we help web developers, system administrators and Blue Teams speed up their defensive countermeasures when they get hacked?

We have the solution.

From now on, when a score is approved, we’ll send a private email to the hacked fortress’s team members letting them know that someone got into their system.

This will help the defeated team act quickly to fix the vulnerability, improve their defence tactics and learn from the attack.

The email will have a specific subject line and clear details, like:

Subject line – If an XSS was found, then the subject will be something of the form:


Subject: CTF365 Fortress Hacked – XSS Found – Take Action

Hi there,

Your CTF365 Fortress has been compromised by (Subject line – e.g. XSS). The URL is:

http://Your_Fortress/ViewProfile.html?hash=localhash%22/%3E%3Cimg+src=abc+onerror=alert%28%22c-base.org%22%29%3E

Immediate action required.

Stay secure while having fun. :-)


CTF365 Team
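Added example (not from the original post or the CTF365 platform): decoding the URL quoted in the sample email above and rendering the reflected hash parameter both unescaped, as the report implies the page did, and HTML-escaped, which is the fix the notified team would apply. How ViewProfile.html echoes the parameter is an assumption chosen to match the payload’s "/> attribute break-out.

```python
"""Decode the URL from the sample hack notification and show the fix.

Added example, not CTF365 code. The reported URL is taken from the email
above (the host is the email's own placeholder); how ViewProfile.html echoes
the `hash` parameter is an assumption, chosen to match the payload's `"/>`
attribute break-out.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

REPORTED_URL = (
    "http://Your_Fortress/ViewProfile.html?hash="
    "localhash%22/%3E%3Cimg+src=abc+onerror=alert%28%22c-base.org%22%29%3E"
)


def reported_parameter(url, name="hash"):
    """Return the percent-decoded value of the query parameter named in the report."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params[name][0]


def render_profile_vulnerable(hash_value):
    """Before the fix (assumed template): the parameter lands in an attribute
    unescaped, so a value starting with `"/>` closes the tag and injects a new element."""
    return f'<input type="hidden" name="hash" value="{hash_value}"/>'


def render_profile_fixed(hash_value):
    """After the fix: escape &, <, > and both quote characters before reflecting the value."""
    return f'<input type="hidden" name="hash" value="{html.escape(hash_value, quote=True)}"/>'


class _TagCollector(HTMLParser):
    """Collects the start tags the browser would see in a rendered fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_elements(rendered):
    """Return tag names in the rendered HTML other than the template's own <input>.

    Anything else means the reflected value broke out of the attribute; a notified
    team can run this over their own rendered page to confirm the fix took."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [t for t in parser.tags if t != "input"]


if __name__ == "__main__":
    value = reported_parameter(REPORTED_URL)
    print("decoded parameter:", value)
    print("vulnerable render injects:", injected_elements(render_profile_vulnerable(value)))
    print("fixed render injects:", injected_elements(render_profile_fixed(value)))
```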


Where possible, you will also get a snapshot, like the one below for a TakeOver.

[image: hack-13]

Besides letting the fortress’s team take immediate action, the biggest and coolest advantage is that you don’t have to be connected to CTF365 24/7.

We’ll take care to keep you informed, like real-life threat/breach alerts. This will help security professionals, web developers and system administrators stay focused on their real activities while getting the best training environment.

Designed for security professionals, system administrators and web developers, CTF365 is a top notch training platform that offers five-star services for training, learning and improving offensive and defensive web security.

If you are a business owner or representative who thinks CTF365 can be a good asset to your company and wants access to the Alpha Stage, just send us an email to support [at] ctf365.com with Subject line: Alpha Access and we’ll grant you access.

Stay secure while having fun. :-)

Setting up CTF365 VPN for Mac Users


This will guide Mac users through the whole process of setting up the CTF365 VPN connection. For Windows or Linux, we recommend OpenVPN, but whatever floats your boat is fine.

If you have been granted access on CTF365, you should see the VPN entry in your dropdown menu:

[image: VPNDropdown]

Click on it to download your VPN files. Once you click, you’ll get the window below:

[image: VPNConnection]

=== Version 1 ===

Step 1.
Go to https://code.google.com/p/tunnelblick/wiki/DownloadsEntry#Tunnelblick_Stable_Release and download the latest version (you can try the beta, but it’s not recommended).

Step 2.
Open the .dmg file, then open the installer. It will present you with an authentication window so it can install itself.

Step 3.
After installing, you will be presented with a window that tells you there are no configurations installed. Click “I have configuration files”. In the second menu click “OpenVPN Configuration(s)”. In the third one, just click “Done”.

Step 4.
On the desktop, you will find a folder called “Empty Tunnelblick VPN Configuration”. Open it, and copy all of the files you downloaded from the website (client.conf, ta.key, ca.crt, cl1.crt, cl1.key, auth-user-pass.conf) into it. Rename the folder to “ctf365.tblk” and double-click it to open it in Tunnelblick.

Step 5.
When trying to connect, it might say that it cannot install the connection. If that is the case, move the “auth-user-pass.conf” file to some other directory and modify “client.conf” to point to the correct path.
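Steps 4 and 5 as a script, added here as an example (it is not CTF365’s or Tunnelblick’s code): it checks that all six downloaded files are present, builds the .tblk folder, moves auth-user-pass.conf out of the bundle and rewrites the auth-user-pass directive in client.conf to the new absolute path. The bundle name, the credentials directory and the stand-in files built by demo() are assumptions.

```python
"""Assemble the Tunnelblick bundle from the CTF365 VPN download (steps 4 and 5).

Added example, not CTF365's or Tunnelblick's code. The file names are the ones
the guide lists; the bundle name and the constructed demo files are assumptions.
"""
import os
import shutil
import tempfile
from pathlib import Path

# The six files the guide says the VPN download contains.
EXPECTED_FILES = ("client.conf", "ta.key", "ca.crt", "cl1.crt", "cl1.key", "auth-user-pass.conf")


def missing_files(download_dir):
    """Names from EXPECTED_FILES that are not present in download_dir."""
    return [n for n in EXPECTED_FILES if not (Path(download_dir) / n).is_file()]


def rewrite_auth_user_pass(conf_text, credentials_path):
    """Return conf_text with its auth-user-pass directive pointing at credentials_path.

    Other lines are kept as they are; if no directive exists one is appended,
    so the client still knows where the username/password file lives."""
    lines = conf_text.splitlines()
    directive = f"auth-user-pass {credentials_path}"
    found = False
    for i, line in enumerate(lines):
        if line.strip().split()[:1] == ["auth-user-pass"]:
            lines[i] = directive
            found = True
    if not found:
        lines.append(directive)
    return "\n".join(lines) + "\n"


def build_tblk(download_dir, dest_dir, bundle_name="ctf365.tblk", credentials_dir=None):
    """Create dest_dir/bundle_name holding the VPN files (step 4).

    If credentials_dir is given, auth-user-pass.conf is moved there and
    client.conf is repointed at it (step 5). Returns the bundle path."""
    missing = missing_files(download_dir)
    if missing:
        raise FileNotFoundError(f"VPN download is incomplete, missing: {missing}")
    bundle = Path(dest_dir) / bundle_name
    bundle.mkdir(parents=True, exist_ok=False)
    for name in EXPECTED_FILES:
        shutil.copy(Path(download_dir) / name, bundle / name)
    if credentials_dir is not None:
        creds = Path(credentials_dir) / "auth-user-pass.conf"
        creds.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(bundle / "auth-user-pass.conf"), str(creds))
        # The file holds a plaintext username and password: owner-only permissions.
        os.chmod(creds, 0o600)
        conf = bundle / "client.conf"
        conf.write_text(rewrite_auth_user_pass(conf.read_text(), creds.resolve()))
    return bundle


def demo():
    """Run the build on constructed stand-in files in a fresh temp directory and
    return what a reader would check: the bundle contents, the auth-user-pass line
    client.conf now carries, and the permissions of the moved credentials file."""
    root = Path(tempfile.mkdtemp(prefix="ctf365-vpn-"))
    download = root / "download"
    download.mkdir()
    for name in EXPECTED_FILES:
        (download / name).write_text(f"# constructed stand-in for {name}\n")
    # Constructed minimal client.conf in the shape OpenVPN expects; the remote is a placeholder.
    (download / "client.conf").write_text(
        "client\nremote vpn.example.invalid 1194\nca ca.crt\ncert cl1.crt\nkey cl1.key\n"
        "tls-auth ta.key 1\nauth-user-pass auth-user-pass.conf\n"
    )
    bundle = build_tblk(download, root, credentials_dir=root / "private")
    conf_lines = (bundle / "client.conf").read_text().splitlines()
    auth_line = next(line for line in conf_lines if line.startswith("auth-user-pass "))
    return {
        "bundle_files": sorted(p.name for p in bundle.iterdir()),
        "auth_line": auth_line,
        "creds_mode": oct(os.stat(root / "private" / "auth-user-pass.conf").st_mode & 0o777),
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the credentials file outside the bundle with mode 0600 also means the username and password are not carried along if the .tblk folder is ever copied or shared.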

=== Version 2 ===

Step 1.
Go to http://www.sparklabs.com/viscosity/ and download the latest version. Install the app.

Step 2.
Create a new folder on the desktop and copy all of the files downloaded from the website into that folder, as in Version 1, step 4.

Step 3.
Double-click “client.conf” and use the username and password combination found in the “auth-user-pass.conf” file when prompted.


If you have another method, we’d be happy to hear about it.

Stay secure while having fun.


List of Open Source Software for your Fortress


This article is for web developers as well as for Team Leaders who have CTF365 Alpha Stage Access. We’ve collected some great open source projects that can be used to speed up your fortress build process. We recommend having a web developer and a web designer as part of your CTF365 team. When you use these applications, please remember that by doing so we help open source projects improve their security. It’s your contribution to the open source community.


Question & Answer Platforms

If you want to mimic StackExchange, you can use these open source Q&A platforms:

URL: http://www.question2answer.org/

URL: http://www.osqa.net/

URL: http://www.lampcms.com/


eCommerce Open Source Platforms

AgoraCart

AgoraCart is one of the early open source ecommerce shopping cart software solutions offering small businesses and online retailers more flexibility, power, and customization on a larger scale. AgoraCart can be easily installed on your existing website or it can be hosted for you.

URL: http://www.agoracart.com/

Broadleaf Commerce

Broadleaf Commerce is an open source eCommerce platform company that specializes in customized enterprise eCommerce solutions.

Official Site: http://www.broadleafcommerce.com/
GitHub Source: https://github.com/BroadleafCommerce/BroadleafCommerce

Loaded Commerce

Designed not just for the challenges of today, but tomorrow. Loaded 7 is Made for Mobile. Using HTML 5 Responsive Bootstrap 3 means there is no extra cost to start selling on mobile devices. There is no cost at all. It’s completely free to download.

URL: http://loadedcommerce.com/home/download/

Magento

Magento offers an enterprise-class ecommerce platform, supported by a global ecosystem of solution partners and third-party developers. Acquired by eBay in 2011, Magento is part of eBay’s X.commerce business unit.
“The most flexible enterprise-class eCommerce platform to power your business”

URL: http://magento.com/

OpenCart

The OpenCart shopping cart helps storeowners to quickly and easily install, select a template, add products and start taking online orders. The built-in template system lets you switch between different templates or migrate your site’s current design into OpenCart.

URL: http://www.opencart.com/

osCommerce

osCommerce Online Merchant v2.3 is a complete self-hosted online store solution that contains both a catalog frontend and an administration tool backend which can be easily installed and configured through a web-based installation procedure.

URL: http://www.oscommerce.com/Products

PrestaShop

PrestaShop is a customizable, PCI-DSS compliant, ecommerce solution that will handle everything from Web store set-up to managing customers and orders.

URL: http://www.prestashop.com/

Zen Cart

Free and open source shopping cart designed by a group of shop owners, programmers, designers and consultants.

URL: http://www.zen-cart.com/

ZeusCart

Web-based PHP/MySQL shopping cart that boasts a rich user interface and a highly usable shopping cart.

URL: http://www.zeuscart.com/


Video Content Management Systems

Kaltura

“Free & Open Source Video Solutions – Media Management System, Online Video Player, Video Editor and more”

URL: http://www.kaltura.org/

MediaDrop

“MediaDrop is built on a combination of open source technologies that are enterprise class.”

URL: http://mediadrop.net/

Plumi

Plumi is a Free Software video-sharing web application based on Plone and produced by EngageMedia in collaboration with Unweb.me.

URL: http://blog.plumi.org/

ClipBucket

“ClipBucket is an OpenSource Multimedia Management Script Provided Free to the Community.”

URL: http://clip-bucket.com/

MediaGoblin

“MediaGoblin is a free software media publishing platform that anyone can run. You can think of it as a decentralized alternative to Flickr, YouTube, SoundCloud, etc.”

URL: http://mediagoblin.org/


MOOC Platforms (Massive Online Open Course)

OpenMOOC

“OpenMOOC is an open source platform (Apache license 2.0) that implements a fully open MOOC solution.”

URL: http://openmooc.org/

Class2Go

“Class2Go is Stanford’s internal open-source platform for on-line education. A team of eight built the first version over Summer 2012.”

URL: https://github.com/Stanford-Online/class2go/

Open edX

“Open edX – where developers around the globe are working to create a next-generation online learning platform to bring quality education to students around the world.”

URL: https://github.com/edx/edx-platform


Social Network Open Source Platforms

Oxwall

“Oxwall® is unbelievably flexible and easy to use PHP/MySQL social networking software platform.”

URL: http://www.oxwall.org/

SocialEngine

“SocialEngine is the best way to create your own social website or online community. No coding or design skills needed. Launch in minutes.”

URL: http://www.socialengine.com/features/php

Elgg

Elgg is an award-winning open source social networking engine that provides a robust framework on which to build all kinds of social environments, from a campus wide social network for your university, school or college or an internal collaborative platform for your organization through to a brand-building communications tool for your company and its clients.

URL: http://elgg.org

Anahita

“Social networking platform for building apps and services that connect people, places, and things.”

URL: http://www.getanahita.com/
Source Code: https://github.com/anahitasocial/anahita

Dolphin

“… advanced software platform for building vibrant custom social networks and online communities”

URL: http://www.boonex.com/dolphin

BuddyPress

“BuddyPress is Social Networking, the WordPress way. Easily create a fully featured social network inside your WordPress.org powered site.”

URL: http://buddypress.org/

BuddyCloud

“Distributed by design, buddycloud has pioneered a set of tools, open source software and protocols to help you build a completely new kind of social network.”

URL: http://buddycloud.com/

There are plenty of Open Source Social Network Platforms and if you want to dig deeper, you may consider this article:

Top 40 Free Downloadable Open Source Social Networking Software

Some nice Open Source Projects too

MediaCrush

“We make sharing media easy and fast. We also do some fancy tricks like converting GIFs to HTML5 video so that they load even faster:”

URL: https://mediacru.sh/

Source Code: https://github.com/MediaCrush/MediaCrush

ESME

Apache ESME (Enterprise Social Messaging Environment) is a secure and highly scalable microsharing and micromessaging platform that allows people to discover and meet one another and get controlled access to other sources of information.

URL: http://esme.apache.org/index.html


The Internet is full of great open source projects that can be used on the CTF365 Platform. If you have other great open source projects to recommend, we’ll gladly update the list.

Designed for security professionals, system administrators and web developers, CTF365 is a top notch training platform that offers five-star services for training, learning and improving offensive and defensive web security.

Stay secure while having fun. :-)


CTF365 – Interns Wanted – Come Join Us


It looks like we are growing faster than anticipated, which is a good thing twice over: for us as a startup project, and for some of you as a great opportunity if you’re a student who wants to work and gain experience in an information security related niche. Therefore we announce:

Internship Opportunity Announcement

Where: CTF365 Platform
How long: Winter/Spring

POSITION TITLE:

Web Developer Intern

DUTIES/JOB DESCRIPTION:

Creating different setups using various open source software

Monitoring created setups.

HOURS:

Flexible – Since this is remote work, the biggest advantage is that you can manage your own time.

REQUIREMENTS:

OS: Linux Debian

Coding: Anything you’re good at will be just fine (e.g. PHP, Python, Ruby on Rails etc). We’re flexible.

HTML: Your choice as long as you know you love what you do (CSS3, HTML5, Twitter Bootstrap etc)

Database: your choice (SQL, NoSQL)

What’s in it for you as an Intern:

Learning defensive security – Learning how real security professionals will attack your setups will make you improve your defensive security.

Prospective career path – Information Security is a trendy job and will become more important in years to come.

Best team mates ever – We’re an international team working remotely, driven by our passion for the project.

Opportunity to become part of the CTF365 team – Prove to us that you’re good and we’ll want to keep you with us.

Full Access to the best Security Training Platform.

Best recommendation ever.

HOW TO APPLY:

Students can send an email to support [at] ctf365 [dot] com with Subject Line: Web Developer Intern, telling us what you’re good at and giving us some links to any projects you’ve been working on (show off, we love that).

Stay secure while having fun. :-)


CTF365 Teams and Running Servers


This is a list of all fortresses created in the Alpha Stage on CTF365 as of January 13. We curated it for you in case you don’t want to do a blind scan. Yes, you can perform a blind scan too. :-) Most of them are already running different web applications, and some are in the process of setting them up. We have already opened a DNS service where users can register their domain.ctf to make it look like the real Internet.

If you are part of Alpha and want to register one or more domain.ctf/domain.365 names, send a request to support@ctf365.com with Subject line: CTF365 Domain Registration, and make sure the body text lists the domains you want and the NS they should point at. Usually we offer wildcard domains (e.g. *.domain.ctf).

I suggest you ask for more domain registrations. That will look more natural when you set up the 3 required apps besides your email client and the 2 CMSs. Take our examples:

http://crow.ctf = twitter
http://googu.ctf = google
gnail = gmail (not used yet)
http://gograndpa.ctf = godaddy

Look at others: http://snackexchange.ctf/ instead of StackExchange. You can go and check all these links and hack them too.

Note:

You can access the fortresses/servers only if you have Alpha Access

Here you have it: Team Name followed by their fortress IP address:


List of domains already in use and that can be hacked at will:


CTF365 is a top notch Security Training Platform with a focus on Security Professionals, System Administrators and Web Developers that offers five-star services for training, learning and improving offensive and defensive web security.

If you are a business owner or representative who thinks CTF365 can be a good asset to your company and wants access to the Alpha Stage, just send us an email to support@ctf365.com with Subject line: Alpha Access and we’ll grant you access.

The Alpha stage is for information security company representatives, computer security faculty, companies that have information security departments and need continuous training, infosec conference organizers, CERT/CSIRT teams, as well as any organization such as OWASP or any infosec-focused organization that wants to test and see how CTF365 can help them.

Stay secure while having fun. :-)

CTF365 Maintenance


Starting January 20, 2014, we will perform some maintenance on CTF365. During the maintenance period, users will be unable to connect to the VPN/fortresses and the website. The maintenance will take 1 – 3 days, as we are upgrading some hardware. This maintenance is part of our steps towards the Beta stage. Sorry for the inconvenience.

CTF365 Team

Listing ip’s


On my VMs I made a little script that will show all running fortresses.

This script checks even if your firewall denies any ICMP, and shows if the machine is up and running.

So have fun guys.

The page is still basic... it will go on Bootstrap, but for now it is just for fun.

You need to be connected to VPN to have access to the webpage.

ionut


CTF365 – Points, Scoring System and Rules


The Points

At this moment our scoring points are pretty straightforward and simple:

Deface – 75 points

XSS – 200

SQLi – 500

Private Enumeration – 600

TakeOver – 1000

The idea was to keep it simple for Alpha and Beta, where points matter only for user experience and game design, to see that it works. When we go live, things will be a little different when it comes to point rewards.

For example, our first observation was that, before we implemented public-key first sign-in for fortresses, many users didn’t change their default user passwords, and because of that attackers easily got 1000 points at the time. That is 1000 points for a lazy admin (defeated server) and not for the attacker’s hard work, which leads to big gaps between the top teams and the rest. Another problem was that while some lucky but sharp Reds (attackers) got their thousands, other hard-working Reds got 75-200 points after 45-60 minutes for a Deface or XSS.

No more easy points after we go live.

Our next scoring system will be an algorithm based on a set of inputs with different biases. Some of the inputs will be a combination of multiple factors like uptime/downtime, successful attacks vs unsuccessful ones, running services and so on. There will be service checkers coming from different/spoofed IPs, to rule out the blocking of whole IP ranges via iptables and WAFs, and some other tricky tricks to trick users’ tricks. :-)

The point is that, by mimicking the real-world Internet, servers should act like real ones.

Scoring System

Most CTFs have automatic Scoring Servers; others call them GameServers. Their mission: to receive “flags” sent by users, verify them and approve them if they are valid. Some of them are checkers only; some are a bit more than checkers.

We have a Scoring System. We call it a Scoring System because of its hybrid nature and sophistication. Part automatic, part manual, the system incorporates parallel and redundant measures when it comes to monitoring, measuring and approving scores.

It may sound complicated, but when it comes to offering a five-star training platform to special breeds like security professionals and system administrators, nothing is “too much”, and everything has to be perfect, or at least close to perfection.

The Score Sending Rules

Yes, after over a month in Alpha, it looks like there must also be some rules, because users over-send/spam our scoring system. As I’ve told you, someone supervises everything, scoring included, and over-sending scores wastes our time and other users’ time too.

We’ll introduce some scoring report rules such as:

If a user sends us the same score multiple times, besides the system blocking the second one, that user will receive some warnings, followed by penalties and finally exclusion from the game if it keeps going. It is also considered a double (spam) if users send us slightly modified versions of previous scoring vectors. Who are we trying to fool here?

If a user sends us different scores with different vectors but negative/false ones, first we’ll inform them that next time they should double check before submitting, followed by delayed timing analysis, followed by another warning and finally exclusion.

Below is a snapshot of wrong and right scoring submissions:

[image: scores]

My advice: think twice before you do it. Ask your teammates. They are your “365 family”; trust them until proven otherwise. After all, you teamed up, right?

So these are a few thoughts, facts and future moves regarding Points, Scoring System and Rules.

Stay secure while having fun. :-)

Your PenTest Tools Arsenal – Survey


When it comes to information security, one of the major problems is setting up your PenTest Tools Arsenal. The truth is there are too many tools out there, and it would take forever to try half of them to see if they fit your needs. Over the years, some well-established tools have emerged that most security professionals use, but that doesn’t mean there are no lesser-known but still very good pentest tools out there.

We wanted to make a list of pentest tools, but we found that there are already plenty of places to look for and explore such tools. You can find lists of pentest tools on SecTools or GitHub, and there are many more places to look.

With over 2.6 million security professionals worldwide, the landscape of penetration tools has exploded lately, and choosing your pentest tools arsenal has become difficult, not because you have nothing to start with, but because we always tend to ask ourselves whether what we have is the best.

For that reason, we want to contribute to the infosec community and create a bigger picture of security professionals’ Pentest Tools Arsenal. So today we launch a survey in which we invite the infosec community to share the tools arsenal they use and express their opinion about trending new tools.

The survey’s goal is to get a better picture of the landscape of penetration tools used by security professionals and help newcomers make good choices when setting up their pentest toolbox. The survey will run for a month, after which we’ll publish the results as an infographic.

If you want to help with this infosec survey, all you have to do is copy or embed this article as it is on your blog and let us know. We’ll thank you and add you as a contributor to the survey.

You can start the survey HERE

Stay secure while having fun. :-)


CTF365 Beta Started


We can’t find the words to tell you how excited we are about this moment, and no matter how hard, difficult, frustrating and challenging this journey to the Beta Stage was, we do feel like a complete A-team.

After three months of the CTF365 Alpha Stage, we gladly announce that we’re moving to Beta! In Alpha we tried to find bugs/vulnerabilities, see how users interact and how useful the platform would be for the IT community, with a focus on infosec, sysadmins and web developers.

We have special thanks for the people who found vulnerabilities/flaws and reported them to help us better secure our platform. These special thanks go to:

Leon Teale

Matt Robey

Bud Handyman

If we’ve missed your name in our list, please send us an email and we’ll add it. We’d love to have you here. Soon we’ll create our Hall of Fame page and you’ll be listed there as a reward for your contribution to the CTF365 Platform.

There have been hundreds of in-game attacks, most of them successful. This proved that CTF365 is indeed a top notch “Security Training Platform for the IT industry” with a focus on Security Professionals, System Administrators and Web Developers, one that implements CTF (Capture The Flag) concepts and leverages gamification mechanics to improve retention rate and speed up the learning/training curve. You can check our scoreboard to see how the teams are doing.

Moving to Beta means that we’ve made changes where needed and added new features/services.

What’s new?

CTF365 Free Arena – It’s time to give back to the InfoSec Community

Starting with the Beta stage, all registered users get instant access to the CTF365 Free Arena (Basic Account). This arena is for light web security training, filled with “Vulnerable by Design” servers like Metasploitable2, DVWA and more to come. However, there will be no scoring reports, points or badges for it. Its purpose is to help security students, security wannabes, web developers and new system administrators play and train on vulnerable by design servers and web applications.

Once you register on CTF365 and set up your VPN, you can access http://metasploitable.ctf or http://DVWA.ctf (Damn Vulnerable Web Application).

Private Hack Notification – No need to be connected 24/7

This feature will help our users focus on their day-to-day duties without worrying about their CTF365 fortress. You can read more on Private Hack Notification.

Hardware

We doubled our hardware capacity (it wasn’t necessary yet, but soon will be), which means that CTF365 can easily host hundreds of “Fortresses” (servers).

CTF365 DNS Registration

We’ve introduced our own DNS registration system, which means you can now get your own domain on our network (e.g. YourTeamName.365 or YourDomain.ctf). For now, if you’re part of the Alpha/Beta stage, you can send a request to support [at] ctf365 [dot] com with the subject line “CTF365 Domain Registration”, saying which domain you want to register and for which team. Only team leaders with Fortresses can request domain registration. Soon we’ll implement automatic domain registration at http://gograndpa.ctf and http://gograndpa.365 (the URLs work only if you have Alpha/Beta access).

Beta will bring a bigger scale to the battlefield, new features following those above, and a step forward towards our live release.

Who can join Beta?

  • Security Training Companies
  • InfoSec Vendors
  • InfoSec Organizations
  • InfoSec Conferences
  • Security Management Companies
  • Red, Blue, CERT/CSIRT Teams
  • Information Security Recruiters
  • CS faculties
  • Web developing companies
  • Web Hosting Companies
  • Data Centres

Want CTF365 Beta Access?

Just send us an email with the subject line “Request Beta Stage Access” to support [at] ctf365 [dot] com, telling us about you and, more importantly, about your work as an information security professional, web developer or system administrator, and why you want to join Beta. We’ll activate your access if you would be beneficial to our Beta stage.

CTF365 is a top notch training platform with a focus on Security Professionals, System Administrators and Web Developers that offers five star services for training, learning and improving offensive and defensive web security.

Stay secure while having fun. :-)

Metasploitable In The Cloud

There is no doubt that the best way to learn information security is hands-on, and to make this easier the guys from Rapid7 – Metasploit created Metasploitable, a vulnerable by design server. Besides its vulnerabilities as a server, they added more special “ingredients” (vulnerable by design applications) like Damn Vulnerable Web Application from RandomStorm or Mutillidae from OWASP.

Metasploitable represents the perfect “dish” for learning penetration testing (light intro level). Its popularity spread across the InfoSec community and it became a study framework for most infosec students as well as for some InfoSec training companies. One reason it has become so popular is that the Metasploit framework is the most popular pentest framework according to this survey, where it got a whopping 82% among pentest frameworks – and if you want to test Metasploit, you can always test it on… Metasploitable. Moreover, Metasploitable isn’t mentioned only because of the Metasploit Framework’s popularity: many pentest OS vendors, like the famous Offensive-Security BackTrack/Kali Linux, recommend it for practicing with their operating systems. There are 1800+ videos on YouTube alone for “Metasploitable”.

“Never heard about Metasploitable? Then you’re not in the InfoSec industry.” Yes, that’s how popular it has become.

Metasploitable is free and open source, and if you want to use it there are some specific steps to follow in order to get it properly installed in your virtual environment. That was until… today.

Today, we gladly announce that there is a new way to access Metasploitable and practice FREE of charge, in the cloud. Besides helping open source projects improve their security, we decided it is our duty to bring another free and open contribution to the InfoSec community by offering Metasploitable in the cloud.

Why is it special, besides the fact that it is free?

1) Being on the Internet, it’s close to the real thing.

2) If you need someone to help you, you can use the CTF365 IRC service.

3) You can create a video tutorial on the fly, without needing to set up your own virtual environment.

4) You can study using tutorials like Offensive-Security’s Metasploit Unleashed.

5) You can use it for your students, if you’re an InfoSec instructor.

6) You can test new pentest tools on it.

And I’m quite sure you can find a few more reasons why.

At this moment it is deployed as a non-persistent image, which means that we set a period of time after which we reset it to its initial state, in case one of you breaks it. In the future we hope to get enough hardware to make it an individual (persistent) instance.

All registered users get FREE access to Metasploitable 2. Once you register on CTF365 and set up your VPN you’ll be able to access Metasploitable at http://metasploitable.ctf. Please remember: no VPN, no access.

CTF365 is a top notch training platform with a focus on Security Professionals, System Administrators and Web Developers that offers five star services for training, learning and improving offensive and defensive web security.

Any questions? Glad to answer. Stay secure while having fun. :-)

InfoSec Professionals – 5 Reasons To Get In

This article is focused on people and companies that work in the information security field. If you’re a Blue/Red/CERT/CSIRT team member, security professional or student, security vendor, data center, pentest company or security management representative, then you might find it useful.

CFO asks CEO: “What happens if we invest in developing our people and they leave us?”

CEO: “What happens if we don’t, and they stay?”

- Unknown

When it comes to information security training, security professionals and students have a few choices – like security pentest labs, vulnerable by design servers/applications or InfoSec conference CTFs.

PenTest Labs – Vulnerable by design, they are sophisticated, complex networks ranging from easy vulnerabilities all the way up to complex ones. Pentest labs are pretty static networks, in that their infrastructure doesn’t often change. There won’t be surprising, funny new servers/applications every time you sign in.

Vulnerable by Design Servers/Applications – Specially designed for light (entry level) training, their goal is to let newcomers to security get used to ethical hacking. In case you want to play with them, you must download them, create a VM and deploy it. You can find such a list of vulnerable by design servers/applications on VulnHub. They curated the list to make your life easier.

InfoSec Conferences CTFs – They are the “icing on the cake” of every InfoSec conference, specially designed to prove participants’ hacking skills while having fun. Conference CTFs are like shooting stars: they glow as long as the conference takes place. After that they fall into oblivion, regardless of how fun and challenging they were. Too bad.

CTF365 has all three of these training methods in one place, and more.

1) PenTest Lab 2.0 – Unlike usual pentest labs, CTF365 changes almost every day. Because all the servers and applications you find in it are built and maintained by real users, once you find a vulnerability it is for real and not vulnerable by design. The excitement of finding a real vulnerability in a system that is not vulnerable by design is like hacking into the real thing.

2) Vulnerable by Design 2.0 – We put some of the best known “Vulnerable by Design” servers and applications in the cloud. For you as a newcomer to security, this means that you don’t need to download and deploy these servers/applications. You can just start hacking directly on our CTF365 platform.

3) You can’t be a real security professional if you don’t love to play CTFs. It’s where you sharpen your hacking skills and improve your tactics. If there is no conference you’re attending, you can always play CTFs over the weekend on our Hacker’s Dome. Moreover, all your accomplishments will remain and show on your CTF365 account, letting people know what you are good at. Want to build your own CTF and challenge your work mates and friends? No problem, Hacker’s Dome is the place.

4) Your security professional certificate is a good asset when it comes to hiring, but your skills are more important. No problem: if you use CTF365 for any of the above, your achievements will stand as proof of your hacking skills.

5) CTF365 acts as an internet where you can train and experience all the forbidden actions that the real Internet doesn’t allow us to perform, like brute force, defacement, XSS, DoS, DDoS etc.

You don’t have to take our word for it; here are some opinions from security professionals from different companies around the world, in no particular order:

LEON TALE – NCC

“CTF365, is one of the top resources I would recommend to any one starting out in IT security and wanting to train their skills or beginner to advanced users participating in a vast competitive and realistic capture the flag. “

CHRISTOPHER THOMAS – SCS

“I think the main thing is that it’s more of a real world setup, not these vulnerable by design labs but real world targets”

MATT ROBEY – Security Professional

“- A fabulous concept, Brilliantly executed.”

Marius Avram Gabriel – RandomStorm

“If you want to improve your skills then CTF365 is by far the best place! Great platform for infosec trainings.”

Hardy Mansen – Unibet

“World Class Support. Thanks!”

Sean Williams – Facebook

“It seems like you have a fun and potentially challenging CTF setup going on. I really like the ongoing, always-on aspect.”

Who is it for?

  • Security Training Companies
  • InfoSec Vendors
  • InfoSec Organizations
  • InfoSec Conferences
  • Security Management Companies
  • Red, Blue, CERT/CSIRT Teams
  • Information Security Recruiters
  • CS faculties
  • Web developing companies
  • Web Hosting Companies
  • Data Centres

Bottom line, CTF365 is a top notch Security Training Platform that offers five star services for Security Professionals.

Stay secure while having fun. :-)

SysAdmins – 5 Reasons To Get In

This article is focused on Blue Teams, System Administrators and CTOs. If your organization runs a network infrastructure, then you’ll probably find it useful.

“Hackers are like water: Once they’ll find a crack into your system, they will flood in”

Defensive security is not a “set it and forget it” thing. Systems and networks need continuous monitoring, and system administrators and response teams need continuous training. Below are five reasons why you, as a System Administrator, CTO or Blue Team member, should consider using CTF365 as a Security Training Platform.

1) Defensive Security:

If attackers are determined enough, they will find a hole regardless of how many security solutions are deployed. That’s why, using the CTF365 platform, you can develop and test new defensive processes to reduce damage, improve your reaction time and minimize any impact.

2) Incident Response:

As a System Administrator, you’ll be in the line of fire, where you’ll get massive attacks from all directions. On CTF365 you’ll train your skills and improve your risk mitigation plans through data collection processes and analytics, to spot incidents before serious damage occurs.

3) Network Analysis:

Deploying defensive security software is not enough nowadays. As the Internet grows, there are tens of thousands of types of malware but only a finite number of ways to get into your system. Build your network, monitor it and see where networks are vulnerable or where attackers would try to get in.

4) New Setups/Configurations:

With new technologies and growing networks, you’ll have to optimize and improve your network infrastructure. CTF365 gives you the opportunity to test new setups and improve security through better configurations.

5) Real Threats from Real Users within a safe environment:

There is one rule: there are no rules. This makes CTF365 a perfect place for Blue Teams, System Administrators and CTOs to test their setups and train their skills. In the wild.

Who is it for?

  • Security Training Companies
  • InfoSec Vendors
  • InfoSec Organizations
  • InfoSec Conferences
  • Security Management Companies
  • Red, Blue, CERT/CSIRT Teams
  • Information Security Recruiters
  • CS faculties
  • Web developing companies
  • Web Hosting Companies
  • Data Centres

As Dave Marcus – Chief Architect, Advanced Research and Threat Intelligence, McAfee – stated in his 2012 TakeDownCon presentation:

“Defensive InfoSec has lost its hacker mentality and edge. Defensive security has lost its ability to be agile like the attacker. That is why it fails.

To truly be a hacker is to take nothing for granted. It is to take technology or ideas in new directions if only to challenge the assumptions the original answer was based on. Yet today the hacking mentality only seems to have taken r00t on the offensive infosec side. Has defensive infosec ever really stepped back and examined or challenged its original assumptions? Maybe it’s time for defensive hacking.”

You can watch his presentation below.

You only have to look at the number and size of attacks to realize that this is not going away, and defensive security training is a must regardless of your infrastructure size.

CTF365 is a top notch training platform with a focus on Security Professionals, System Administrators and Web Developers that offers five star services for training, learning and improving offensive and defensive web security.

Stay secure while having fun. :-)

Hacker’s Dome – First Blood

When it comes to information security, there’s a great way to learn, train and keep your skills sharp. This can be done using gamification mechanics to speed up the learning curve and improve retention rate. Capture The Flag competitions use gamification mechanics and represent one of the best ways to learn security hands-on.

We’ve created Hacker’s Dome as a place for CTF365 users to play weekend CTFs with great prizes. In order to get access to Hacker’s Dome, the first thing you need is a registered and confirmed CTF365 account.

Although we’re at the start of our journey, the goal of Hacker’s Dome is to become your weekend security training – where fun, entertainment and awesome prizes will be at their best.

Hacker’s Dome is a CTF platform where you can deploy your own CTF and invite web developers, system administrators and security professionals to take your challenges. Think of it as the RackSpace of CTF competitions.

Hacker’s Dome – First Blood

First Blood is our first CTF and will start on May 17 2014 at 15:00 UTC.

Difficulty Grade: Low to Medium

The Prizes:

We have awesome prize packages worth over $6000 US.

First Place Package:

  • WiFi Pineapple Mark V Ultra Bundle (because you love to hack)
  • One year CTF365 Premium Access (because you love to train your skills)
  • Personalized T-shirt and Hat with your CodeName on it. (because you deserve to show off)
  • “Hacker’s Dome” + “Hacker’s Dome – First Blood” stickers

Second Place Package:

  • WiFi Pineapple Mark V Tactical Bundle (because you love to hack)
  • 6 Months CTF365 Premium Access (because you love to train your skills)
  • Personalized T-shirt and Hat with your CodeName on it. (because you deserve to show off)
  • “Hacker’s Dome” + “Hacker’s Dome – First Blood” stickers

Third Place Package:

  • WiFi Pineapple Mark V Travel Bundle (because you love to hack)
  • 3 Months CTF365 Premium Access (because you love to train your skills)
  • Personalized T-shirt and Hat with your CodeName on it. (because you deserve to show off)
  • “Hacker’s Dome” + “Hacker’s Dome – First Blood” stickers

The Raffle

Yes! We have a raffle with a King Prize, thanks to the Rapid7 – Metasploit guys.

Raffle King Prize – Full Year Metasploit Pro Licence

The fact that Metasploit gave us the opportunity to run a raffle for such a great King Prize makes us proud of what we’ve done and encourages us to keep up our good work.

We can’t wait to see who will be the Lucky One.

And more raffle prizes:

  • RASPBERRY PI & 8GB SD BUNDLE – 4 pcs.
  • HACKER’S DOME HAT – 20 pcs.
  • HACKER’S DOME T-SHIRT – 20 pcs.

If we got your attention, then all you have to do is get your Hacker’s Dome access and prepare for the First Blood CTF.

Stay secure while having fun. :-)


First Blood CTF – Rules

We publish this information to clarify some aspects of the competition for the members eager to find out more. Some aspects of this document will change until the first CTF is online. However, the general idea and the spirit of the competition are here. We know you don’t like reading long documents. We will try to compress the information into fewer words, if possible.

CTF general information and rules:

1. The ranking in the competition is based on the time it takes you to complete the challenges. In order to make it a fair game for all our participants, the time counter starts when you connect to the VPN for the first time and runs until you submit the trophy or trophies. We may impose an upper limit on VPN access, such as being able to have access for a maximum of 24 hours within a 48 hour time frame. We are still discussing this aspect.

2. The trophies are listed as follows:

a) superuser-trophy.txt – found in the home directory or the desktop directory of the superuser (root in the case of unices, Administrator if we introduce Windows challenges in the future)

b) user-trophy.txt – found in the home directory or the desktop of the unprivileged user that may be used to get a foothold on the machine. This trophy is not present for machines that can be compromised without the need to elevate your privileges (i.e. machines with a remote root vulnerability). Most of the time, that won’t be the case.

3. The trophies are SHA-1 hashes of 32 pseudo-random characters. That means it makes no sense to try to brute-force our submission form. We won’t accept invalid trophies, in order to give you the opportunity to reset the machine if something goes wrong. If you abuse the form, you will be dropped from the competition. Besides, we also need a “proof of work” in order for you to be eligible for a prize.

4. In order to validate your time, we ask you for a “proof of work” within 24 hours after the competition finishes. That means:

a) a screenshot showing your superuser access, or unprivileged access if you didn’t get any further.

b) a technical report describing in detail all the steps needed to compromise the machine.

Please remember: document each step. Because we don’t have unlimited eyes for reading reports, we will review just the reports for the positions which qualify for one of our prizes. We need to be able to reproduce your work based on your report and obtain the same result. If the report is incomplete, we won’t be able to give you the prize. You will be disqualified and the next contestant will take your place. Bear in mind that the product of a penetration test is your final report. While it isn’t as much fun as breaking machines, it is necessary. Besides, we only ask for a technical report, as your work doesn’t need to be presented to the CEO of a large corporation; therefore an executive report is useless for the purpose of the CTF.

5. You don’t need to compromise anything in order to qualify for the raffle, if we’re going to have one. All participants are eligible for it, therefore it all depends on your luck and the entropy collected by random.org.

6. After the competition is finished and the winners are announced, we will publish the configuration that we used for creating the machine or machines that were part of the CTF. We will also publish any information needed for creating the base image for the configuration deployment. The configuration will be published as SaltStack states together with the files that were deployed onto the CTF machine. For reference, we use salt-ssh for deploying the configuration, as it is a setup that doesn’t use a master – minion architecture. We will also publish our unit tests for validating that the CTF machine holds the proper configuration.

7. In case of disputes, we may publish the reports of the people who were disqualified in order for them to be peer-reviewed by the community. We may also publish the reports of the winners for the same purpose. We won’t make this information available to the public eye. The published reports, if the situation asks for it, are going to be available just to the participants. We design the challenges with public vulnerabilities or known misconfigurations. Most of them can be found on exploit-db.com or other public sources. We don’t target 0-day vulnerabilities, so you won’t have to disclose your knowledge about arcane methods for getting access to a machine. We use Kali and the basic tools for the purpose of demonstrating the concept of a CTF challenge when we discuss the technical aspects of a competition.

8. The use of mass vulnerability scanners is discouraged. It will likely drop your VPN connection or freeze the target machine. We don’t design the challenges to be one-click pwn. Proper information gathering is the key to success. You should think before you act. Our challenges are not script kiddie friendly, especially if we go for tiered competitions where multiple levels are provided in order to advance.

9. We don’t provide any hints during the competition. We give you the same advice as the awesome folks at Offensive Security: Try Harder™. However, we will answer properly formulated questions about certain aspects of the competition if there are technical problems. A properly formulated question is something like: “I tried to use the tool foo with the arguments bar over the protocol baz in order to obtain information X”. Even though we do our best to make sure that the challenges are reliable, edge cases may appear. We kindly ask you not to abuse the support during the challenges. Most of the time, if the information you’re looking for isn’t there, then it isn’t there. Think of this competition as a proper penetration test. There’s no hand holding there and, even more, in a proper penetration test you don’t have the luxury of resetting a machine if you crash the services or the machine goes into a kernel panic. You do have this luxury here.
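
Rules 1 and 3 describe two mechanisms that are easy to get subtly wrong on the organiser’s side: a clock that starts at the first VPN connection and never resets, and trophies that are SHA-1 digests of 32 pseudo-random characters, checked by a form that must not be brute-forceable. The Python below is an added example written for this page, not Hacker’s Dome code; the trophy format and the ranking rule come from the rules above, while the alphanumeric alphabet, the five-strike abuse threshold, the status strings and the constant-time comparison are this example’s own assumptions.

```python
"""Trophy handling and time-based ranking for a small CTF, as sketched by rules 1 and 3.

Added example, not the Hacker's Dome code. Assumptions made here: an alphanumeric
alphabet for the 32 pseudo-random characters, a five-strike abuse threshold, and
the status strings returned by the submission form.
"""
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

ALPHABET = string.ascii_letters + string.digits   # assumed: the rules just say "characters"
SECRET_LEN = 32
MAX_INVALID = 5                                   # assumed abuse threshold (rule 3: "abuse the form")

ACCEPTED = "accepted"
NO_VPN = "rejected: connect to the VPN first"
MALFORMED = "rejected: malformed trophy"
INVALID = "rejected: invalid trophy"
DROPPED = "rejected: dropped for abusing the form"
NO_TROPHY = "rejected: no such trophy for this machine"


def make_trophy(rng=secrets):
    """Return (secret, trophy): 32 pseudo-random characters and their SHA-1 hex digest.
    The digest is what lands in superuser-trophy.txt / user-trophy.txt; the secret
    never leaves the organisers."""
    secret = "".join(rng.choice(ALPHABET) for _ in range(SECRET_LEN))
    return secret, hashlib.sha1(secret.encode()).hexdigest()


def keyspace_bits():
    """Entropy of the pre-image (about 190 bits), already more than SHA-1's 160-bit
    output, which is why guessing a trophy through the form is hopeless."""
    return SECRET_LEN * math.log2(len(ALPHABET))


def looks_like_trophy(candidate):
    """Cheap syntactic filter: exactly 40 hex digits. Anything else is rejected
    before it reaches the comparison."""
    return len(candidate) == 40 and all(c in string.hexdigits for c in candidate)


@dataclass
class Participant:
    name: str
    first_vpn_connect: Optional[datetime] = None
    solved_at: dict = field(default_factory=dict)   # "machine/kind" -> submission time
    invalid_submissions: int = 0
    dropped: bool = False


class Scoreboard:
    def __init__(self, machines):
        # machines: name -> {"user": trophy_hex, "superuser": trophy_hex}
        # A remote-root box simply has no "user" entry (rule 2b).
        self.machines = machines
        self.participants = {}

    def vpn_connect(self, name, when):
        """Rule 1: the clock starts at the FIRST VPN connection; reconnects don't reset it."""
        p = self.participants.setdefault(name, Participant(name))
        if p.first_vpn_connect is None:
            p.first_vpn_connect = when

    def _strike(self, p, status):
        """Count a bad submission; enough of them drops the participant (rule 3)."""
        p.invalid_submissions += 1
        if p.invalid_submissions >= MAX_INVALID:
            p.dropped = True
            return DROPPED
        return status

    def submit(self, name, machine, kind, candidate, when):
        p = self.participants.get(name)
        if p is None or p.first_vpn_connect is None:
            return NO_VPN
        if p.dropped:
            return DROPPED
        expected = self.machines.get(machine, {}).get(kind)
        if expected is None:
            return NO_TROPHY
        if not looks_like_trophy(candidate):
            return self._strike(p, MALFORMED)
        # Constant-time compare so the form leaks nothing about matching prefixes.
        if hmac.compare_digest(expected, candidate.lower()):
            p.solved_at.setdefault(f"{machine}/{kind}", when)
            return ACCEPTED
        return self._strike(p, INVALID)

    def ranking(self, machine):
        """Rule 1: order by elapsed time from first VPN connect to the superuser trophy."""
        rows = []
        for p in self.participants.values():
            solved = p.solved_at.get(f"{machine}/superuser")
            if p.dropped or solved is None:
                continue
            rows.append((p.name, solved - p.first_vpn_connect))
        return sorted(rows, key=lambda row: row[1])
```

The two details worth copying into any real scoreboard are the `setdefault` in `vpn_connect`, which is what makes a reconnect harmless to the clock, and the constant-time comparison in `submit`: the keyspace makes guessing pointless, but a naive string compare would still let the form behave differently for partially matching input, and there is no reason to leak even that.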

CTF365 Sponsorship for InfoSec Conferences

We all love InfoSec conferences. They represent a big opportunity to get in touch with the latest findings, attend great training sessions, meet new security professionals, do quality networking and have a great, great time.

What many attendees don’t know is the effort it takes to create great conferences: the tremendous work behind the scenes before, during and after such events. The people behind the conference are the real heroes who handle all the logistics while attendees are having fun. At most conferences the organizing staff members are volunteers who do it for and with passion, and for that they deserve all our respect.

Management, finance, agenda, venue, accommodation, logistics, staff – just to mention a few of the tasks that need to be taken care of when organizing such an event.

The hardest task of all is getting sponsorship, and the task becomes more difficult if you’re not one of the most popular conferences.

As an organizer, you know that the revenue you expect from registrations is often not enough to cover the costs, and sponsors can bridge the difference – whether they come in with cash or products that your attendees would love to have.

The InfoSec Community has helped us a lot and now it’s time for us to give back.

If you’re about to organize an InfoSec conference, we’d like to hear about it and help you by offering CTF365 Premium Accounts for a raffle or as a prize, if you have a CTF (Capture The Flag) session at your conference.

If you’re interested, send us an email at support@ctf365.com with Subject Line: “InfoSec Conference Sponsorship” and tell us about it.

Any questions? We’d be glad to answer.

Stay secure while having fun. :-)

CTF365 – Beta Public Live

We have received lots of CTF365 Beta access requests and because of that, CTF365 has taken another step forward. Starting today, we’re opening the Bronze Account to anyone who wants to train, learn and improve their information security skills.

The Bronze Account is subscription based, and here is what you get:

- Access to the CTF365 Main Arena, where we already have 80+ servers running 300+ different web applications. We remind you that all the servers are hand made by real users and not “Vulnerable by Design”. This means that you will train on a real life Internet simulator unlike any other pentest lab.

- Scoring, Points and Badges – All your scoring submissions are manually verified to make sure everything is in order. However, don’t expect us to approve all your submissions.

Bonus:

- Once you buy a Bronze Account, you’ll get free entry to the Hacker’s Dome First Blood weekend CTF competition, which will start May 17 2014 at 15:00 UTC.

This is a great opportunity for Security Professionals to improve their skills on a Real Life Internet Simulator where the targets/Fortresses are not made “Vulnerable by Design” but are real ones, built by real people.

Also, this would be a good opportunity for companies to test their pentest tools arsenal, develop new attack strategies and improve team cooperation against real targets made by real users.

Our next roadmap goal is to make our Silver and Gold Accounts live, which will be credit based: Silver Account 100 credits, Gold Account 250 credits.

Different customers have different needs, from light to heavy, when it comes to security learning, training and improving. When we chose a credit based business model, we thought of the different sizes and necessities of our customer segments.

Companies/Organizations will be able to get credit packages according to their needs and use them as they want, when they want, rather than on a monthly basis.

At this moment we’re working on the goodies that you’ll be able to get with Silver/Gold Accounts. Below you have an example of how it’ll look and how many credits the items will cost. Except for the first position (Play/Access CTF365 Main Arena), all items are subject to change (we’re trying hard to find ways to reduce them).

Virtual Goods                     Credits/Month
Play/Access CTF365 Main Arena     10
Basic Fortress                    13
Super Fortress                    19
VPN Custom Fortress connection    23
VPS                               15
Router                            10
Domain Register                    2
IP Package                         6

CTF365 is a top notch training platform with a focus on Security Professionals, System Administrators and Web Developers that offers five star services for training, learning and improving offensive and defensive web security.

The platform implements CTF concepts and leverages gamification mechanics to improve retention rate and speed up the learning/training curve when it comes to information security.

Any questions? Glad to answer. Stay secure while having fun.

bWAPP in the Cloud

Giving Back to the InfoSec Community

We’ve created the CTF365 Free Account so anyone can experience light, beginner-friendly hacking. It is designed for those who want to take their first steps toward entering the security industry. We believe the will to learn is the only requirement needed to start down the InfoSec path. Everything else should be free of charge and, more importantly, should take place in specially designed places. This is why we’ve created the CTF365 Free Account.

When we launched, we added Metasploitable in the Cloud so our users could obtain practical, hands-on experience. Now we’ve introduced bWAPP, another well known “vulnerable-by-design” web application.

bWAPP in the Cloud

bWAPP was developed by Malik Messellem, an awesome Dutch guy who has 15+ years of experience in penetration testing and security training. Malik is obsessed with Windows and web application (in)security and has always had a passion for ethical hacking and penetration testing. In 2010, he started MME BVBA, a company that specializes in IT security analysis, vulnerability assessment, penetration testing, and security training.

We want to expand our cloud-based collection of “vulnerable-by-design” virtual machines. If you have a recommendation worth mentioning, add it in a comment below and we’ll consider adding it.

To access bWAPP in the cloud and start having fun, all you need to do is:

  1. Create a free CTF365 account
  2. Connect to the CTF365 VPN
  3. Go to http://bwapp.ctf

Keep in mind, our goal is to make CTF365 Free Account your first step toward entering the world of ethical hacking and information security.

Stay secure while having fun. :-)

Hacker’s Dome First Blood – After Event

Fear, frustration, stress, panic, exhaustion, relief, happiness, success, and confidence. These are just some of the feelings that we, the CTF365 team, experienced during the Hacker’s Dome First Blood CTF competition.

It was an emotional roller coaster that caused adrenaline to pump through our veins for 48 hours straight; but it was such an amazing experience that we want to do it all over again. So, we’ve made it the Hacker’s Dome goal to host weekly weekend-long CTF competitions for our CTF365 users.

Organizing and executing the competition was no easy task, but we rose to the challenge and, in the end, we succeeded. The embrace from the community and the thanks from the competitors, however, are what ultimately gave us this sense of success. Their feedback made the frustration and the sleep deprivation seem like a small sacrifice.

We know that First Blood wasn’t perfect but we’re going to look at the upside. The upside is that we were able to learn a lot from our experience; and we’re going to take what we’ve learned and apply it towards crafting an even better Hacker’s Dome CTF in the future.

Prior to the competition, we agreed that we were going to prepare for the worst and hope for the best. We also agreed that, if the worst were to come, we’d keep the competition moving forward and never quit.

Downtimes:

Like any other CTF competition, we had our downtimes; but we didn’t let them defeat us. Instead, our team came together and fixed them.

Lesson Learned: We are now better prepared to manage, reduce, and correct downtimes in future CTFs.

Communications:

We are a global team with members spread across Romania, South Africa, and the United States. Therefore, all of our team communications and collaborations had to be held remotely.

During the competition, we were confronted with a number of urgent issues that required immediate team collaboration. Aside from some minor glitches, we were pleased with how we handled communications and responded to these types of issues.

Lesson Learned: Video conferencing applications should be leveraged to improve the efficiency and reliability of communications during future CTFs.

Support Handling:

We received a high volume of support issues/ requests from the competitors. We were able to handle most of them but, unfortunately, there were some that we couldn’t. To those of you who submitted a support request that went unresolved, we apologize.

Lesson Learned: By improving the structure and comprehensiveness of our rules, we can minimize the potential for misinterpretations and confusion. Performing more pre-launch tests will help us refine the rules and create a more fluid competition.

Statistics:

Total Registered Users: 124

Total Login/ Access Attempts: 1,534

Total Active Hours: 1,260 (Avg. 10 hours per user)

Number of Countries: 24

Top 5 Country Players:

  1. USA – 71

  2. Canada – 8

  3. France – 6

  4. Germany – 5

  5. United Kingdom – 5

Any questions? Glad to answer.

Stay secure while having fun.