Confidence - (24-25.05 2011 Krakow)

Good vs. Evil aka Kev. vs. Tsu.

Contest Description

There it is. A contest you have not seen before! You or your team can create or rebuild a safe solution to comply with given specifications or attempt to find vulnerabilities in a prepared system.

Participants are divided into three categories:

  • Defender – The task of the security team is to configure an IPS system and border device in such a way that a standard set of applications delivered as a VMware image is protected. We know that the applications listed below are susceptible (that includes Bind v. 9.4, WordPress 2.5.1, SquirrelMail 1.2.7, Apache Tomcat 5.5.0). Updating applications in a real environment can bring considerable difficulties. We assume that the administrator does not have the time to upgrade running software or does not have adequate knowledge. The administrator will trust professionals and buy a dedicated solution that will protect his resources. Many manufacturers boast that their stand-alone solution will defend such a system and thus give the administrator peace of mind. Is that really so? Manufacturers – prove your thesis and effectively defend our server!

  • Fortress – A person or team is supposed to prepare a system that will be tested on account of its configuration. The choice of solution is up to the team applying for the competition. We do not care if it is a commercial solution (such as Microsoft Server 2008R2, etc.) or open source (Linux, xBSD, etc.). Administrators receive a set of specific applications (DNS server, any version of WordPress, the mail server, HTTP on Tomcat, webmail), which must be run under a given operating system. In this case, we assume that the administrators have specific knowledge and that it is not a problem for them to prepare an up-to-date system with patched applications running on it. Create your secure platform!

  • Pentesters – the easiest, yet the most difficult category :) The easiest because you do not have to prepare anything in advance (operating system, configuration, IDS), and the hardest because you need extensive knowledge and experience in testing systems in order to find errors and flaws in specially prepared solutions. Something for those who prefer a more offensive approach to work. The pentesters' task will be to test applications and systems. The more detailed the report they prepare, the better they will be scored by the jury. Remember that you can use any viable technique!

The contest

  • Teams providing Defender and Fortress systems deliver their systems before the competition. Fortress systems are delivered as virtual machine images.

  • Fortress systems are placed in the server room. Defenders can provide the organizers with a whole system to be set up in the server room.

  • Pentesters report every vulnerability they find to the jury. What is important is a description of the vulnerability together with a timestamp of when it was sent. Only the first report of a given identified vulnerability counts toward the score.

Winners and rankings

There are three separate classifications: for defenders, fortresses, and pentesters.

  • Points are arbitrarily granted by the jury.

  • In the classification for fortresses and defenders, the supplier of the system that accumulates the fewest points wins. Whenever a pentester submits a valid vulnerability, the supplier gets points. The points are only added once for every weakness of the system. Multiple submissions on the same flaw in a given system do not stack.

  • In the classification for pentesters, whoever gets the highest number of points wins. Points are added for successful attacks and are summed over every successful attack on any fortress or defender system. Only one flaw of a certain type on a given system counts, so the fastest pentesters get the score.

Flood attacks and DoS / DDoS attacks are not allowed. Contestants who do not obey this rule will be disqualified from the contest.


  1. I am not alone, I would like to work as a team, what do I do?

    Nothing – you have to sign up for the contest and send a notification to the organizers. We do not care whether success is achieved by a group or an individual. What is important is the final result. However, the maximum number of official team members is four.

  2. What are the important dates for the contest?

    We are waiting for the delivery of ‘fortress’ and ‘defender’ systems until May 10th. Between 16th and 20th May there will be a level for the pentesters. The list of IP addresses will be circulated by mail to the participants.

  3. What prize awaits the winners?

    Any team that wins will receive 20 minutes to present their work at the conference and we will reimburse their CONFidence participation. There will also be other prizes; however, those are not yet specified.

  4. Where do I sign up?

    Just send a description of the team along with the team members' names to andrzej.targosz {@}

  5. What if I find some private data on test machines? Is there anything threatening to me then?

    Try emacs by sendmail ;-) Of course you do not risk anything. Anyone who submits a system to the competition knows what the rules are and takes into account the fact that unprotected data on machines available in the competition may become the prey of evil, bad hackers.

  6. What do I need to know to enter the contest?

    We leave that up to you.

  7. What is supposed to be run on the Fortress machine?

    Services running on the server:

    • DNS server
    • any version of WordPress
    • mail server
    • http on Tomcat
    • webmail

  8. What applications are to be taken into account when designing a Defender system?

    Applications running on the protected server are:

    • Bind v. 9.4
    • WordPress 2.5.1
    • SquirrelMail 1.2.7
    • Apache Tomcat 5.5.0