Welcome BSides San Antonio 2014

Social Engineering CTF Rules and Info

Welcome to the beginning of the 2014 World Championship of Social Engineering. Participants will have the opportunity and freedom to try out and conduct any and all social engineering skills and tactics without any worry or risk. We have created a social engineering sandbox for all of you to learn and enjoy.

Here is your objective:

You are given the target company name upon registration for the game; the target is a live sponsor of the BSidesSF event. You will then conduct recon/OSINT on the company through the job interview process, and use that information to attack the designated target’s webmail portal.

How this works:

At BSidesSATX each contestant will be handed a resume 3 minutes ahead of a job interview with the target company. The contestant must read the resume as fast as possible and formulate an identity based on the resume. Using this new identity you must proceed into the job interview with the intention of conducting recon for a later red team pentest/breaking into their webmail portal. You must maintain your cover while extracting important pieces of information about the company from their HR department and representatives during the interview. Be careful not to arouse suspicion, and be aware of your timeframe. You will have only a short window to gather as much information as you can, launch your attack, and write your report.

Once you have completed this process you will need to document everything and fill out your SE CTF report file, which is available below on this site. You will not be eligible to win the Golden Squirrel trophy if you do not completely fill out your report. In the past, those who won were the only ones who filled out their report. It’s just like real life: no report…no money.

WTF, this is hard? Yes, this is not a simple task: you will need to keep track of information to document for your report, as well as find ways to get the information quickly out of the company’s HR department. You will need to use all of your social engineering skills to pull this one off. You will need to manage your time well and take control of the conversation and situation. Some targets might not be easy to crack. Try pivoting your attacks and refocusing your approach. This will not be easy, but it will allow you to test your social engineering skills to the max.

1. No physical contact with anyone, period. (Includes awkward hugs.)
2. No interaction with BSides San Antonio staff.
3. No interaction with the venue staff, service providers, sponsors and venue designated employees.
4. No interaction with any entity outside of the game. Your targets are clearly marked and are the ONLY ones that have information about the game.
5. Use of automated tools, programs or apps is prohibited in the attack on, or fingerprinting of, the target company’s web site and webmail portal. This is a social engineering game; tools will not be needed.
6. Final reports will not be submitted with malware/backdoors/malicious payloads/etc. Keep it clean and simple, otherwise…bad things will happen.
7. No direct/intentional sabotage of the game/resources/target or fellow players. It will actually just waste your time.
8. Players may team up but remember there is only one trophy.
9. No DoS or DDoS of any of the game components/websites/programs/players.
10. Only assets clearly marked with the target company’s logo on it are allowed to be interacted with or touched.
11. Rules are subject to change at any time during the game and will be announced via our twitter feed @squirrelsnabrrl ONLY, to ensure the safety of players.
12. Use common sense.
13. When in doubt, ask a question in person or hit us up on our twitter account, @squirrelsnabrrl.
14. Interaction on a personal level, including DOXing of the game organizers or participants, is not allowed.
15. All reports must be submitted by the time designated at the game’s start; please submit via email to feedback [AT] squirrelsinabarrel.com. If you have any questions or need to set up different arrangements, please see us in person.
16. Keep it simple.
17. No reverse engineering of ANY of the game components is allowed. This is an SE CTF not a reverse engineering competition.
18. Absolutely NO interaction or interfacing with the service providers of the target company’s web site or the Squirrels in a Barrel web sites. This will end the game immediately and is being closely monitored.
19. Most important of all… HAVE FUN!!!

Download EZ Report Template

Remember the first rule of lock picking, check the door to see if it is already open.