Tokémon - Collect Them All

[The Game] - top

Tokémon is a hacking game designed to be both challenging and fun. Ok, its really meant to be more fun than anything! The idea is based around providing game players access to a specially designed network that is loaded with vulnerabilities.

Discover and exploit a vulnerability, and you gain a token. Log that token in against your account, and you get some points. Which are redeemable... for beer :) Consider it a self-regulating Hawkes Handicap System(tm).

Tokemon will be held on the Saturday night of Kiwicon, at Shooters bar (the venue for last year's Hax0r Quiz, if you remember it). Because it's at a bar, it's necessarily R18.

A teaser image to whet your whistle:

[Tokens] - top

Token values will differ based on the type, interest factor or complexity of the vulnerability. Some servers may have an easily gained token and another that is only discovered through more exploration or exploitation. Simple to exploit vulnerabilities that are more subtle might be worth more than easily discovered bugs.

Vulnerabilities will not be focused within one area and will include things such as;

  • * Network Level
  • * Configuration Faults
  • * Server Issues
  • * Weak Passwords
  • * Database Problems
  • * Web Application Vulnerabilities

[Who Can Play] - top

Anyone who wants to. Teams can range from 1 player to who ever you can pull away from the bar long enough to help you. Because Tokemon will be held in a bar, you must meet the legal requirements to be in the bar, drinking a beer. That means you should be old enough, accompanied by a parent or guardian, and not sufficiently intoxicated that you get thrown out. Somewhere between those two goalposts, huh? The game has been designed to be 'playable' by anyone with an interest in security. So you don't need to be a full time 'security d00d' to play, enjoy, and even win Tokémon.

To assist in the organisation if would be appreciated if interested teams dropped us an email at with team name and number of players.

[Someone Say Prizes?] - top

The winner of Tokémon will be the individual or team that has scored the most points. Insomnia Security, who have designed and are running the game, have put forward a Black 20GB ASUS EEE PC 900 as the prize for the winner. There may also be other spot prizes etc, but there is is no second best in this game of frantic hacking and exploitation.

There is also a fairly serious bartab, and even if you only hack a few simple things, you'll be sure to get a few beers out of it. So even if you're not hardcore, going for the win, you'll still have fun and soothe your parched throat while you're at it. Can't ask for more than that!

[Suggested l2nhax] - top

While there should be wireless connectivity to the Interweb, the following is a list of some suggested stuffs;

  • * Network scanning tools
       nmap, nmap, nmap, ping
  • * Network VA tools
       nessus, saint, qualys appliance, ISS scanner
  • * Password cracker of choice
       cain, jtr, lophtcrack, pen and paper
  • * Exploit tool of choice
       Metasploit, Canvas, Saint Exploit, Core, wget -r
  • * Web vulnerability scanner
       For spidering and brute forcing stuffs
  • * Script command shells of various flavours
  • * Data encoder/decoder and hashing
       base64, sha1, urlencode
  • * Web application exploitation documents
       XML/LDAP/SQL Injection, File inclusion/upload tricks, XSS, CRLF, ACR/ONYM
  • * Database connectivty tools
        MSSQL, MySQL, Oracle, Flat file, CVS

Obviously some of the above is NOT in the game, we weren't about to give you a list of what to expect ;)