Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Lessons Learned from Five Years of Building Cap...
Search
vito
February 18, 2018
Programming
0
470
Lessons Learned from Five Years of Building Capture the Flag
SECCON 2017
Feb. 18, 2018
vito
February 18, 2018
Tweet
Share
More Decks by vito
See All by vito
Modernizing SQL Injection CTF Challenges
vito
0
88
Raw Water: Quenching Your Thirst for SQL Injection
vito
0
67
What I've Learned Writing CTF Challenges
vito
0
140
Capture the Flag: An Owner's Manual
vito
0
84
Building DEF CON CTF with Ruby
vito
0
580
Other Decks in Programming
See All in Programming
テストコード文化を0から作り、変化し続けた組織
kazatohiei
2
1.5k
Haze - Real time background blurring
chrisbanes
1
520
わたしの星のままで一番星になる ~ 出産を機にSIerからEC事業会社に転職した話 ~
kimura_m_29
0
180
From Translations to Multi Dimension Entities
alexanderschranz
2
140
命名をリントする
chiroruxx
1
420
バグを見つけた?それAppleに直してもらおう!
uetyo
0
180
競技プログラミングへのお誘い@阪大BOOSTセミナー
kotamanegi
0
360
テストコード書いてみませんか?
onopon
2
150
アクターシステムに頼らずEvent Sourcingする方法について
j5ik2o
4
300
PHPとAPI Platformで作る本格的なWeb APIアプリケーション(入門編) / phpcon 2024 Intro to API Platform
ttskch
0
280
MCP with Cloudflare Workers
yusukebe
2
220
なまけものオバケたち -PHP 8.4 に入った新機能の紹介-
tanakahisateru
1
120
Featured
See All Featured
Navigating Team Friction
lara
183
15k
Optimizing for Happiness
mojombo
376
70k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
RailsConf 2023
tenderlove
29
940
Designing Experiences People Love
moore
138
23k
How To Stay Up To Date on Web Technology
chriscoyier
789
250k
Mobile First: as difficult as doing things right
swwweet
222
9k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
0
99
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Building a Scalable Design System with Sketch
lauravandoore
460
33k
Optimising Largest Contentful Paint
csswizardry
33
3k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.2k
Transcript
Lessons Learned from Five Years of Building Capture the Flag
Vito Genovese SECCON 2017 Feb. 18, 2018
Good Morning!
None
Capture the Flag "CTF"
DEF CON
1996 first game
2000 formalized how it was run
2002-2004 ghettohackers
2005-2008 Kenshoto
2009-2012 ddtek
2013-2017 Legitimate Business Syndicate
2018-? Order of the Overflow
Two Distinct Formats
None
Jeopardy Style Scoreboard
Jeopardy Style Prompt
None
Jeopardy Style Solving
None
Jeopardy Style Points
None
Jeopardy Style DEF CON CTF Quals
Photo: robbje @ Eat Speep Pwn Repeat
asby From SHA2017 CTF
asby Get file
None
asby Identify Windows STDIO .exe
asby Determine goal
None
asby Guess the correct input
asby •Reverse engineer a Windows binary •Guess each character by
hand •Write a program
asby Write program
None
None
None
asby Get solution
None
asby Get points
None
Jeopardy Style 1. Get challenge 2. Solve it 3. Get
points
None
Attack-Defense •Reverse engineer •Patch flaws •Exploit others •Don't break it
⚑ Attack-Defense PPP atmail scorebot Shellphish
Attack-Defense PPP atmail scorebot Shellphish deposit ⚑
Shellphish Attack-Defense PPP atmail scorebot steal ⚑
Shellphish Attack-Defense PPP atmail scorebot redeem ⚑
Shellphish Attack-Defense PPP atmail scorebot availability okay availability check
Shellphish Attack-Defense PPP atmail scorebot failed availability ☠ ☠can’t steal
Attack-Defense DEF CON CTF Finals
Rubix
Rubix
Rubix 54 Rubik's cube instructions …becomes shellcode
Lab RATs on Rubix Lab RATs posted a write-up: https://blog.rpis.ec/2017/08/defcon-
finals-2017-introduction-rubix.html
Lab RATs on Rubix 1. write 9-bit to 8-bit netcat
2. analyze 9-bit strings in libc 3. symbolize libc 4. figure out how main() gets called
Lab RATs on Rubix Now the actual analysis starts…
Attack-Defense •How is it supposed to work? •How can we
attack it? •How can we defend it?
Attack-Defense •Get points by capturing flags •Lose points by having
flags captured •Lose lots of points by failing checks
Attack-Defense Complicated, frustrating, fun!
CTF Extremely ambitious
CTF •Running Smoothly •Fair Contest •Fun Challenges
Running Smoothly
Running Smoothly Starts early
Running Smoothly Who's on the team?
Legitimate Business Syndicate •Half 2005-2007 university team •Half 2012 coworkers
Legitimate Business Syndicate in 2006
Legitimate Business Syndicate •August 2012: ddtek steps down •December 2012:
Gyno starts recruiting •February 2013: Proposal submitted •March 2013: Proposal accepted
Legitimate Business Syndicate •"Reverse engineers" 3/4 of the group •Different
specialties •Radio: 2014, badger •Hardware: 2015, the year of single- board computers •Esoteric computing: 2017, cLEMENCy
Legitimate Business Syndicate 100% dependent on Selir's amazing infrastructure
Legitimate Business Syndicate I started for the database backed web
application
Team Building People grow and change
Team Building Roles grow and change
Team Building •Who do you know? •Who do you trust?
•Who do you like?
Communication “It's good.”
Communication async (chat) is great weekly meetings are great
None
Smooth Operation Support your team
Smooth Operation CTF software is software
Smooth Operation Automate testing and deployment
CTF •Running Smoothly •Fair Contest •Fun Challenges
Fair Contest
Fair Contest CTF is computer hacking
Fair Contest CTF is computer system
Fair Contest Hack the right thing the wrong way
Fair Contest Hack the wrong thing
Fair Contest Fix a thing the "wrong" way
Fair Contest Restrict players more
Qualifiers •Services on separate hosts •Multiple hosts in different locations
•Connections get separate container •xinetd and runc •Limit system calls •seccomp
Finals More complex game More complex problems
Finals •Keep the game about reverse engineering •(Not OS administration)
Finals •2013: unprivileged team account, unprivileged service accounts •2014: understood
"Superman defense" better
Superman Defense •Block opponent IPs •Prevent reading the flag
Cyber Grand Challenge US Defense Advanced Research Projects Agency (DARPA)
project starting in 2014
Cyber Grand Challenge CTF for autonomous computers
Cyber Grand challenge Extremely formalized
Challenge Binaries •"CBs" •32-bit i386 •Special CGCEF executable format •Limited
system calls •No retained state
Proof of Vulnerability •"PoVs" •32-bit i386 CGCEF •Demonstrate a vulnerability:
•Register control •Memory disclosure •Run by scoring system
Offline Evaluation •Team interface gives out binaries •Team interface collects
replacement CBs, PoVs •Runs availability checks and PoVs in isolation •Designed for reproducibility and audibility
Finals •2015: restrict system calls •2016: use CGC game format
•2017: everything in limited emulator
Fair Contest Release scoring information
Fair Contest Think about accessibility
CTF •Running Smoothly •Fair Contest •Fun Challenges
Fun Challenges Break expectations
dosfun4u •Discover that it's a DOS binary •Debug and patch
IDA Pro •Start actual reverse engineering
badger •MSP-430 on physical hardware •custom CDMA radio network
None
Consensus Evaluation •CGC's big attack-defense innovation •Everyone sees everyone else's
patched binaries •Explosion in number of binaries that need reversing
1000 cuts / crackme2000 Push teams into automated analysis Hundreds
of binaries
Consensus Evaluation in 2016 Player asks about losing points Service
being attacked, that's why "But we're using the same binariess as the winning team"
Consensus Evaluation in 2017 Rubix expected shellcode to work in
availability checks Defenders would add checks to block "evil" or allow "good" shellcode Attackers would build new shellcode to pass checks "Felt like a multiplayer game against humans"
CTF •Running Smoothly •Fair Contest •Fun Challenges
CTF Still more to learn!
CTf More work ahead of us
CTF Opportunity to grow for more players
CTF Best way to learn is to do
Five years with the best group of people I've ever
worked with
Five years building a contest for the friendliest and smartest
community I know
Thanks for making it amazing!
None
[email protected]
@vito_lbs