Files from my DEFCON CTF VM.

DEFCON CTF VM Files

This repository contains the files necessary for the DEFCON CTF VM that I created. You can grab a copy of the VM itself from my blog.

To use this VM, simply start it up in VMware and do the following to connect to a given service:

nc defcon.local <port>  # for TCPv4 services
nc6 defcon.local <port>  # for TCPv6 services

NOTE: Your network settings may not resolve "defcon.local" as a hostname. You can log in and run ifconfig from inside the VM to get its IP address. You can also try using just "defcon" or "defcon." and see if those work.

Getting the flag for each service is, obviously, an exercise left to the reader.

List of Services

DEFCON 13 (2005)

  • Organizers: Kenshoto
  • Operating System: FreeBSD 5.4

NOTE: Check /root/kinit.py for how to run these services! Many of these were xinetd services that don't contain their own server setup code.

| Service Name | User | Port | Protocol | Notes |
| --- | --- | --- | --- | --- |
| apachectl | ????? | ????? | ?????? | NOT RUNNING |
| befunge | bfg | ????? | ?????? | NOT RUNNING: Requires the PyFunge library |
| bparkd | bparkd | ????? | ?????? | NOT RUNNING: Requires enigma and .bpconfig to run |
| echod | ????? | ????? | ?????? | NOT RUNNING |
| fingerd | ????? | ????? | ?????? | NOT RUNNING |
| fucktcpd | ????? | ????? | ?????? | NOT RUNNING |
| HowAreYouToday.py | frat | ????? | ?????? | NOT RUNNING |
| inetd | ????? | ????? | ?????? | NOT RUNNING |
| kmud.py | kmud | ????? | ?????? | NOT RUNNING |
| kpub.py | pub | ????? | ?????? | NOT RUNNING |
| named | ????? | ????? | ?????? | NOT RUNNING |
| postfix | ????? | ????? | ?????? | NOT RUNNING |
| tomcat50ctl | www | ????? | ?????? | NOT RUNNING |
| transformd | transform | ????? | ?????? | NOT RUNNING: Requires joshua to run? |
| UserAdder.py | ????? | ????? | ?????? | NOT RUNNING |
| wumpus | wumpus | ????? | ?????? | NOT RUNNING |

Other binaries I've come across that may have been part of this year:

  • alice
  • b16
  • kstrings
  • nettoe
  • readmail
  • smtpd
  • vacation

DEFCON 14 (2006)

  • Organizers: Kenshoto
  • Operating System: Solaris ???

Notably absent from the VM are the services from DEFCON 14. These challenges were built for and ran on Solaris. Since I haven't created a Solaris VM to host them (and a Solaris translation layer for FreeBSD doesn't appear to exist), I can't get them running. I do, however, have what I think are all of the services if anyone would like to play with them. Their names are:

  • CookieMonster
  • CustomHeap
  • FingerLickinGood
  • FuckTcpd2
  • Heisenberg
  • IFallDown
  • InMyMemory
  • KuFtpd
  • NPComplete
  • OhShitD
  • SpamMe
  • Vanilla
  • YouHadMeAtHello

DEFCON 15 (2007)

  • Organizers: Kenshoto
  • Operating System: FreeBSD 6.3?

NOTE: Many of the following services require the compat6x-i386 package to be installed.

| Service Name | User | Port | Protocol | Notes |
| --- | --- | --- | --- | --- |
| arpsd | arps | 1331 | TCPv4 | |
| blowlogd | blowlog | 1500 | UDPv4 | |
| hfd | hfd | 1024 | TCPv4 | Needs server.pem, dh1024.pem, root.pem in /home/hfd |
| kftpd | kftp | 2121 | TCPv4 | |
| kimjong | kimjong | 9999 | TCPv4 | |
| kuftpd | kuftpd | 21 | TCPv4 | |
| madlibd | madlib | 4042 | TCPv4 | Needs articles.txt, nouns.txt, objects.txt, verbs.txt in /home/madlib |
| menageatrois | menageatrois | 3339 | TCPv4 | |
| neurod | wintermute | 5953 | TCPv4 | Requires the dlmalloc package to be installed |
| perudo | perudo | 3822 | TCPv4 | |
| rolodex | rolodex | 8224 | TCPv4 | |
| sammichd | sammich | 8365 | TCPv4 | |
| shellcat | shellcat | 7890 | TCPv4 | |
| sor | sor | 9051 | TCPv4 | |
| supd | sup | ????? | ????? | NOT RUNNING: Requires python2.5 and the socket module (also may actually have been from DEFCON 16..? need to confirm with someone) |

Other binaries I've come across that may have been part of this year:

  • xserver (looks like a web challenge...drops to user "xserver")
  • UserAdder and makeuser? (looks like just a way to create users...drops to user "makeuser")
  • I have a "serverd" somehow that I have listed as being from this year, but honestly no idea where this is from or what it's for

DEFCON 16 (2008)

  • Organizers: Kenshoto
  • Operating System: FreeBSD 6.3

| Service Name | User | Port | Protocol | Notes |
| --- | --- | --- | --- | --- |
| antipastod | antipasto | 7482 | TCPv4 | |
| aspd | asp | ????? | ????? | NOT RUNNING: Won't run for some reason...just prints "Done" |
| bakalakadakaChat | durka | 15641 | TCPv4 | |
| barista | barista | ????? | ????? | NOT RUNNING: 1: Syntax error: ")" unexpected |
| catdoord | catdoor | 4341 | TCPv4 | |
| duckshootd | duckshoot | 3888 | TCPv4 | |
| EmergencyBrake | EmergencyBrake | 2028 | TCPv4 | |
| grimcreeper.d | grimcreeper | 9001 | TCPv4 | |
| hashpiped | hashpipe | 5641 | TCPv4 | |
| iMagick | iMagick | 4141 | TCPv4 | |
| kdnsd | kdns | ????? | ????? | NOT RUNNING: Requires kdns.conf, python2.5, and the socket module to run |
| kmaild | kmail | 17722 | TCPv4 | |
| kmsgd | kmsg | 10001 | TCPv4 | |
| kryptod | krypto | 20020 | TCPv4 | |
| lockstep | lockstep | ????? | ????? | NOT RUNNING: Requires python2.5 and the md5 module |
| moatd | moat | 6810 | TCPv4 | |
| roflcode | roflcode | 4000 | TCPv4 | |
| sockringd | sockring | 14340 | TCPv4 | |
| supd | sup | ????? | ????? | NOT RUNNING |
| superd | super | 8126 | TCPv4 | |

Other binaries I've come across that may have been part of this year:

  • SupaFlyTNT
  • Something that would have used a user named "nubbin"?

DEFCON 17 (2009)

  • Organizers: DDTEK
  • Operating System: FreeBSD 7.2

| Service Name | User | Port | Protocol | Notes |
| --- | --- | --- | --- | --- |
| baaaad | sheepc | ????? | ????? | NOT RUNNING: Unable to register (MESSAGEPROG, MESSAGEVERS, udp) |
| casino | casino | ????? | ????? | NOT RUNNING: syntax error on line 1 |
| cheese.pl | cheese | ????? | ????? | NOT RUNNING: Some web service..? Not sure I even have this on the VM right now... |
| cmd | cm | 4546 | TCPv4 | Requires cjd in /usr/local/sbin |
| deltad | delta | 1787 | TCPv4 | |
| deuced | deuce | 2056 | TCPv4 | |
| elfd | buddy | 7331 | TCPv4 | |
| lazrus | lazrus | 1905 | TCPv4 | |
| magicd | magic | 4343 | TCPv4 | |
| mdljserver | mdlj | ????? | ????? | NOT RUNNING: Requires a .pem, .crt, and .key file, fails to load private key, and subsequently dies with SSL ERROR (certs are currently in /home/mdlj but don't work) |
| mymqld | mymql | 4242 | TCPv4 | |
| nickd | nickster | 2337 | TCPv4 | |
| rsatesp | rsatesp | 5500 | TCPv4 | Requires sqlite3 package and has an auth.db created by createdb.sh in /home/rsatesp that don't appear to work |
| tucod | tuco | 57005 | TCPv4 | |
| wwcd | wwcd | 6977 | TCPv4 | |

DEFCON 18 (2010)

  • Organizers: DDTEK
  • Operating System: FreeBSD 8.0

| Service Name | User | Port | Protocol | Notes |
| --- | --- | --- | --- | --- |
| cohend | cohend | 7532 | TCPv4 | |
| ddftpd | ddftp | 1776 | UDPv4 | |
| diablo | diablo | ????? | ???? | NOT RUNNING: Requires diablo-jvm 1.6.10 or something (might also require Launcher.class and a few other things?) |
| food | food | ????? | ???? | NOT RUNNING: Requires libutil.so.8 (and is a frozen python2.6 service that complains about no module named "_socket") |
| houdini | houdini | ????? | ???? | NOT RUNNING: This is a PE binary and I have no idea how it ever ran (WINE as a custom kernel module?) - very aptly named service |
| libra | libra | 1495 | TCPv4 | |
| mashup | mashup | 5539 | TCPv4 | |
| memix | memix | 9911 | ???? | NOT RUNNING: Appears to not be able to read a "local auth file" and is also missing the patch it downloaded from DDTEK's servers to make it vulnerable |
| mqdbd | mqdb | 2001 | TCPv4 | |
| nadel | nadel | 3248 | TCPv4 | |
| natord | nator | 2985 | TCPv4 | |
| noprotas | noprotas | 23945 | UDPv4 | |
| santad | santa | ????? | ???? | NOT RUNNING: Won't run for some reason...just prints "Done" |
| slickd | slick | 7391 | TCPv4 | |
| spelunk | spelunk | 8362 | TCPv4 | Requires adv.key and adv.rec in /home/spelunk |
| sushid | sushi | | RAWv4 | |

DEFCON 19 (2011)

  • Organizers: DDTEK
  • Operating System: FreeBSD 8.2

NOTE: In addition to the services below, there was also a service called "finch" that interacted with some remote control cars in a chicken coop. To my knowledge, no team ever figured out how to score successfully (you were supposed to drive your car into the lighted area matching your car's color). Since "finch" was a Linux binary that was meant to run on your own machine, it isn't included below.

| Service Name | User | Port | Protocol | Notes |
| --- | --- | --- | --- | --- |
| bowser | bowser | NONE | TCPv6 | Local service with usage: /usr/local/sbin/bowser <host> |
| bunny | bunny | 15323 | TCPv6 | |
| castle | castle | 7629 | TCPv6 | Requires sandy in /usr/local/sbin |
| cleaner | cleaner | 26987 | TCPv6 | |
| forgetu | forgetu | 3128 | TCPv6 | |
| gold | gold | 2069 | TCPv6 | |
| hiver | hiver | 44366 | TCPv6 | |
| htlame | htlame | 42737 | TCPv6 | |
| pisa | pisa | 6765 | TCPv6 | |
| rotary | rotary | 3375 | TCPv6 | |
| sheepster | sheepster | 5775 | TCPv6 | |
| telephone | bell | 1477 | TCPv6 | |
| tomato | tomato | 6391 | TCPv6 | |
| war | war | 14273 | TCPv6 | |

DEFCON 20 (2012)

  • Organizers: DDTEK
  • Operating System: FreeBSD 9.0

NOTE: All of these services bound to the interface em1 during the game; I patched them to bind em0 so they work in the VM.

| Service Name | User | Port | Protocol | Notes |
| --- | --- | --- | --- | --- |
| cashew | cashew | 7979 | TCPv6 | |
| cherry | cherry | 24359 | TCPv6 | |
| coney | coney | 65214 | TCPv6 | |
| desheepd | desheepd | 547 | UDPv6 | |
| dog | dog | ????? | ???v6 | NOT RUNNING: Cannot open /usr/local/ctp/lib/perl5/5.16.0/i386-freebsd/CORE/libperl.so |
| gallows | gallows | 6666 | TCPv6 | |
| intception | dealer | 8888 | TCPv6 | |
| jerkin | jerkin | 63715 | TCPv6 | |
| mixology | mixology | 35575 | TCPv6 | |
| nom | nom | 7368 | TCPv6 | |
| nssds | nssds | 54339 | TCPv6 | |
| ocrd | ocrd | 31967 | TCPv6 | |
| parrot | parrot | ????? | ???v6 | NOT RUNNING: Cannot open /usr/local/ctp/lib/perl5/5.16.0/i386-freebsd/CORE/libperl.so |
| ralph | ralph | 57553 | TCPv6 | |
| scool | scool | 4637 | TCPv6 | |
| semem | semem | 6941 | TCPv6 | |
| tictactoe | tictactoe | 25375 | TCPv6 | |
| torqux | torqux | ????? | ???v6 | NOT RUNNING: Must be run with python2.7 directly (still doesn't seem to work?) |
| zul | zul | 25201 | TCPv6 | |

Setting Up Your Own VM

In case you don't like the VM I've created, here's some quick documentation on how I set up the VM myself!

Initial Setup

The initial setup is simple:

  • Installed FreeBSD 9.1 with default options from the i386 install media
  • Uncommented and set "PermitRootLogin" to "yes" in /etc/ssh/sshd_config with vi
  • Ran /etc/rc.d/sshd restart so I could SSH/SCP

NOTE: In the real CTF, each team would actually get a FreeBSD jail, rather than a VM. For simplicity, I've set everything up outside of a jail. I hope to find my documentation on jails and include it here in the future if anyone wants to set things up more authentically. For now, you'll just have to make do with this approximation.

Service Setup

Setting up services was a little more involved. In order to run a given service, you will generally have to create a user and home directory for that user. This is because most DEFCON CTF services will "drop" privileges from root to an unprivileged user specific to the service, just like real services. The binary's ownership and mode also need to be changed so that the service user can execute it but not modify it. To do this:

# create a user with a given name (-n), shell (-s), and home directory (-m)
pw useradd -n <username> -s /usr/bin/false -m
chmod 750 /usr/home/<username>
chown root:<username> /path/to/service
chmod 750 /path/to/service

Binaries before DEFCON 19 were located inside each service's home folder. Starting in DEFCON 19, however, they were moved to /usr/local/sbin. Either approach is fine, but I found it easier to place all the services in /usr/local/sbin.

Flags were typically stored in a file called "key" inside of each user's home directory. A kernel module was used to change these out periodically (about once every 2-5 minutes or so). Since I don't have a similar kernel module, I just placed the sha1sum of the service into the flag file:

sha1 /path/to/service | cut -d' ' -f4 > /usr/home/<username>/key
chmod 540 /usr/home/<username>/key

At this point, running the service should be as easy as:

/path/to/service &

You can check if it is running/listening by doing:

ps aux | grep <service>  # check if it is running
sockstat | grep <service>  # check if it is listening (and on what port)

If that doesn't work, check the table above to see if there are any caveats for a particular service. Some services require extra packages, configuration, or other files to be installed or present before they will function. Some were also not actually network services and had to be run locally.

Once a service is running, you should be able to use netcat to connect to it:

nc <hostname or address> <port>  # for IPv4
nc6 <hostname or address> <port>  # for IPv6

Note that services won't start up by default unless you create an /etc/rc.d startup script for them. The template I created for these, if you'd like to develop your own, is called rc_d_template in the top level of this repository.
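As an added example that is not part of this repository, here is a helper script that carries out the per-service setup steps above for one service at a time; it assumes FreeBSD's pw(8) and sha1(1) and the /usr/home/<username> layout used here, and the script name and function names are my own. The key helpers fall back to sha1sum(1) so they also run on other systems.

```shell
#!/bin/sh
# setup_service.sh (added example, not from this repository): the per-service
# setup steps described above, for one service at a time. Assumes FreeBSD's
# pw(8) and sha1(1); the key helpers fall back to sha1sum(1) elsewhere.
set -eu
# SHA-1 of a file; sha1 -q (FreeBSD) prints the bare hash, sha1sum needs cut.
service_key() {
    if command -v sha1 >/dev/null 2>&1; then
        sha1 -q "$1"
    else
        sha1sum "$1" | cut -d' ' -f1
    fi
}

# Flag file readable by root and the service's group, writable by nobody. The
# explicit chown avoids relying on FreeBSD giving new files the directory's group.
write_key() {  # write_key <service binary> <key path> [group]
    service_key "$1" > "$2"
    [ $# -ge 3 ] && chown "root:$3" "$2"
    chmod 540 "$2"
}

# Create the unprivileged user the service drops to, and make the binary
# executable by that user but owned and writable only by root.
setup_service() {  # setup_service <username> <path to service binary>
    user=$1 bin=$2 home=/usr/home/$1
    pw useradd -n "$user" -s /usr/bin/false -m
    chmod 750 "$home"
    chown "root:$user" "$bin"
    chmod 750 "$bin"
    write_key "$bin" "$home/key" "$user"
}

# Exit 0 if a listener matching the service name exists (sockstat on FreeBSD, ss elsewhere).
check_listening() {  # check_listening <service name>
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -l | grep -q "$1"
    else
        ss -lntup 2>/dev/null | grep -q "$1"
    fi
}

# Usage: setup_service.sh <username> <path to service binary>  (run as root)
if [ "${1-}" != "" ] && [ "${2-}" != "" ]; then
    setup_service "$1" "$2"
    "$2" &
    sleep 1
    check_listening "$(basename "$2")" && echo "$1: listening" || echo "$1: not listening"
fi
```

Run it as root once per service; if the service should also start at boot, add an /etc/rc.d script for it based on rc_d_template.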