Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Capture the Flag: An Owner's Manual
Search
vito
January 27, 2016
Programming
0
90
Capture the Flag: An Owner's Manual
From USENIX Enigma 2016
vito
January 27, 2016
Tweet
Share
More Decks by vito
See All by vito
Modernizing SQL Injection CTF Challenges
vito
0
120
Raw Water: Quenching Your Thirst for SQL Injection
vito
0
71
Lessons Learned from Five Years of Building Capture the Flag
vito
0
490
What I've Learned Writing CTF Challenges
vito
0
150
Building DEF CON CTF with Ruby
vito
0
600
Other Decks in Programming
See All in Programming
ts-morph実践:型を利用するcodemodのテクニック
ypresto
1
530
💎 My RubyKaigi Effect in 2025: Top Ruby Companies 🌐
yasulab
PRO
1
130
Reactive Thinking with Signals, Resource API, and httpResource @Devm.io Angular 20 Launch Party
manfredsteyer
PRO
0
130
RubyKaigi Hack Space in Tokyo & 函館最速 "予習" 会 / RubyKaigi Hack Space in Tokyo & The Fastest Briefing of RubyKaigi 2026 in Hakodate
moznion
1
120
ワンバイナリWebサービスのススメ
mackee
10
7.4k
コンポーネントライブラリで実現する、アクセシビリティの正しい実装パターン
schktjm
1
650
UPDATEがシステムを複雑にする? イミュータブルデータモデルのすすめ
shimomura
0
140
REST API設計の実践 – ベストプラクティスとその落とし穴
kentaroutakeda
2
310
Doma で目指す ORM 最適解
nakamura_to
1
160
抽象データ型について学んだ
ryounasso
0
200
eBPFを用いたAIネットワーク監視システム論文の実装 / eBPF Japan Meetup #4
yuukit
3
600
rbs-traceを使ってWEARで型生成を試してみた After RubyKaigi 2025〜ZOZO、ファインディ、ピクシブ〜 / tried rbs-trace on WEAR
oyamakei
0
1k
Featured
See All Featured
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
45
9.6k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
750
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
15
890
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
180
53k
The Cost Of JavaScript in 2023
addyosmani
49
8k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
32
5.8k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
42
2.3k
Faster Mobile Websites
deanohume
307
31k
The Power of CSS Pseudo Elements
geoffreycrofte
76
5.8k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
21k
It's Worth the Effort
3n
184
28k
Transcript
Capture the Flag An Owner’s Manual Vito Genovese USENIX Enigma,
January 27, 2016
What is CTF?
Qualifiers May 20 through May 22 FREE FUN OMG wow
Finals August 5 through August 7
Best of the Best Quals >1400 teams Finals 15-20 teams
Winner
Best of the Best
Engineer a Non-Frustrating Game
Operate a Reliable Game
Have the Empathy to Make the Game Fun
Engineering
Engineering Process 1. Define problem 2. Research 3. Decide requirements
4. Brainstorm solutions 5. Pick the best solution 6. Build it 7. See if it's good enough 8. Redo what’s not
What kind of game? Jeopardy vs. Attack-defense
None
Jeopardy is Easy Scoreboard Standalone challenges
Jeopardy is Easy No complex networking No complex admin work
(for players)
Attack-Defense is Hard Complex network Sensitive to connectivity Teams host
services? We host services? Slow services Unavailable services Superman defenses Metagaming
Theming Banking Stuxnet Board Game Marijuana culture Money Laundering Botnet
SCADA Wizardterrorism Generic hacker
Theming web crypto forensics reverse engineering programming shellcode
Jeopardy Scoring SELECT t.id AS team_id, t.name AS team_name, SUM(c.points)
AS score, MAX(s.created_at) AS last_solve FROM teams AS t INNER JOIN solutions AS s ON s.team_id = t.id INNER JOIN challenges AS c ON s.challenge_id = c.id WHERE team_id != 1 GROUP BY t.id ORDER BY score DESC, MAX(s.created_at) ASC, MAX(s.id) ASC
Attack-Defense Scoring aww jeez
Attack-Defense Game Flow PPP atmail scorebot Shellphish
Attack-Defense Game Flow PPP atmail scorebot Shellphish deposit
Shellphish Attack-Defense Game Flow PPP atmail scorebot steal
Shellphish Attack-Defense Game Flow PPP atmail scorebot redeem
Shellphish Attack-Defense Game Flow PPP atmail scorebot availability okay availability
check
Shellphish Attack-Defense Game Flow PPP atmail scorebot failed availability ☠
☠ can’t steal
Attack-Defense Metagaming Any sufficiently complex game is metagameable
Downtime vs. Being Hacked
Reflection
First Blood
Attack-Defense Scoring Zero Sum Finite number of flags Flags per-service
Attack-Defense Scoring Can lose N-1 flags to steals per round
Stolen flags split among stealers Remainders redistributed fairly
Attack-Defense Scoring Downtime means lost steal opportunity Teams lose 2(N-1)
flags to downtime
Attack-Defense Scoring Remainder and downtime flags are the flags of
the people
Science of Challenges • Think of cool bugs • Write
bugs, tool to check vulnerability • Wrap ‘em in analysis surface • Write smoke test and health checks
Art of Challenges The machine is your canvas and the
only limit is ~your imagination~
Art of Challenges Historic interest Uniqueness Inherent humor
Challenges and Team Size Smaller teams don’t solve challenges slower
Bigger teams can solve more challenges at once
Challenges and Team Size Fewer and Harder Smaller and Smarter
Challenges and Team Size
Challenges and Operations Engineering great, fun, reliable challenges is the
best ops improvement you can make.
Operations
CTF Operations The dream is for the organizing team to
just party and be jerks to teams during the game
CTF Operations “Is this down or broken?” “Is this actually
exploitable?”
CTF Operations It only has to work for a weekend
CTF Operations Start on time by being ready early
Jeopardy Operations Boston Key Party Servers $27 Quals 2013 Servers
$284 Quals 2013 Booze $340
Attack-Defense Operations
Attack-Defense Operations
Attack-Defense Operations We bring hardware to Vegas
Bring Hardware Weird architectures
Bring Hardware Teams don't want to bring hardware
Bring Hardware Don’t trust the uplink
Exceptions • Stratum Auhuur who trusted the uplink at cccamp
• Also shout out to Shellfish for bringing a server rack to compete at DEF CON
Attack-Defense Operations
Attack-Defense Dynamics
Attack-Defense Dynamics Player time is a limited resource 1 shower
2 meals 3 hours of sleep
Attack-Defense Dynamics 1. Player 1 solves Service A 2. Player
1 starts Service B 3. Service A’ is released 4. Player 1 has a choice
Defecators & Ventilators Sometimes challenges break
Defecators & Ventilators 10 hours / 1 Tester = 10
Hours 10 hours / 20 Teams = 30 Minutes 10 hours / 1000 Teams = 36 Seconds
Defecators & Ventilators Perverse incentives
Empathy
Challenges and Empathy The game is for the players Players
want good, fun, working challenges
Empathy • We do it for the users/players/audience • picture
of CLU goes here
Empathy Run the game you want to play
Empathy Don’t lie to players Deceive the players iff it
makes the game more fun
Frustration Trivia & Memes are hit or miss Think of
non-US and non-English teams
Guessing and Large Solution Spaces Writing a solver for a
28 solution space is fun Writing and paying for a 216 space isn't
Preserve Player Agency No hints once a challenge has been
solved Think carefully about force-unlocking Jeopardy challenges
Preserve Player Enjoyment Force-unlock easy challenges for teams to learn
from Force-unlock hard challenges early enough they'll be solvable
Hacking Computers is Fun!
Engineer a Non-Frustrating Game
Operate a Reliable Game
Have the Empathy to Make the Game Fun
Qualifiers May 20 through May 22 https://legitbs.net/ FREE FUN OMG
wow
Thanks Vito Genovese
[email protected]
@vito_lbs GPG B07D616143CAA77B https://legitbs.net @legitbs_ctf