Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Lessons Learned from Five Years of Building Cap...
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
vito
February 18, 2018
Programming
510
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Lessons Learned from Five Years of Building Capture the Flag
SECCON 2017
Feb. 18, 2018
vito
February 18, 2018
More Decks by vito
See All by vito
Modernizing SQL Injection CTF Challenges
vito
0
260
Raw Water: Quenching Your Thirst for SQL Injection
vito
0
110
What I've Learned Writing CTF Challenges
vito
0
180
Capture the Flag: An Owner's Manual
vito
0
110
Building DEF CON CTF with Ruby
vito
0
610
Other Decks in Programming
See All in Programming
AIキャラアプリkaiwaの低遅延音声通話基盤をどう作ったか - AWS Gravitonで支える低遅延・低コストAI Agent基盤
mogamit
0
170
AI がコードを書く時代における新卒エンジニアの仕事風景 (2026) / New Graduate Engineers in the Era of AI Coding (2026)
sushichan044
0
210
「正の参照」と 「負の導出」で組む ハーネスエンジニアリング
cottpan
1
130
AI 輔助遺留系統現代化的經驗分享
jame2408
1
1.2k
AIエージェントで 変わるAndroid開発環境
takahirom
2
490
AI時代の仕事技芸論〜ソフトウェア開発で「遊ぶように働く」職人的熟達のすすめ(スクフェス仙台 2026バージョン)
kuranuki
0
570
1B+ /day規模のログを管理する技術
broadleaf
0
130
自作OSでスライド発表する
uyuki234
1
3.7k
act2-costs.pdf
sumedhbala
0
100
信頼性について考えてみる(SRE NEXT 2026 miniLT)
hayama17
0
100
コンテキストの使い捨てをやめる — ビジネスルール駆動開発と miko —
ioki
0
270
ローカルLLMでどこまでコードが書けるか -拡張版 / How much code can be written on a local LLM Extended
kishida
12
4.7k
Featured
See All Featured
How STYLIGHT went responsive
nonsquared
100
6.2k
From Legacy to Launchpad: Building Startup-Ready Communities
dugsong
0
260
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3.5k
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
madoxten
63
55k
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
katarinadahlin
PRO
1
3.7k
Public Speaking Without Barfing On Your Shoes - THAT 2023
reverentgeek
1
460
Become a Pro
speakerdeck
PRO
31
6k
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
ryanjones
0
180
<Decoding/> the Language of Devs - We Love SEO 2024
nikkihalliwell
1
270
The Hidden Cost of Media on the Web [PixelPalooza 2025]
tammyeverts
2
340
Statistics for Hackers
jakevdp
799
230k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
21
1.5k
Transcript
Lessons Learned from Five Years of Building Capture the Flag
Vito Genovese SECCON 2017 Feb. 18, 2018
Good Morning!
None
Capture the Flag "CTF"
DEF CON
1996 first game
2000 formalized how it was run
2002-2004 ghettohackers
2005-2008 Kenshoto
2009-2012 ddtek
2013-2017 Legitimate Business Syndicate
2018-? Order of the Overflow
Two Distinct Formats
None
Jeopardy Style Scoreboard
Jeopardy Style Prompt
None
Jeopardy Style Solving
None
Jeopardy Style Points
None
Jeopardy Style DEF CON CTF Quals
Photo: robbje @ Eat Speep Pwn Repeat
asby From SHA2017 CTF
asby Get file
None
asby Identify Windows STDIO .exe
asby Determine goal
None
asby Guess the correct input
asby •Reverse engineer a Windows binary •Guess each character by
hand •Write a program
asby Write program
None
None
None
asby Get solution
None
asby Get points
None
Jeopardy Style 1. Get challenge 2. Solve it 3. Get
points
None
Attack-Defense •Reverse engineer •Patch flaws •Exploit others •Don't break it
⚑ Attack-Defense PPP atmail scorebot Shellphish
Attack-Defense PPP atmail scorebot Shellphish deposit ⚑
Shellphish Attack-Defense PPP atmail scorebot steal ⚑
Shellphish Attack-Defense PPP atmail scorebot redeem ⚑
Shellphish Attack-Defense PPP atmail scorebot availability okay availability check
Shellphish Attack-Defense PPP atmail scorebot failed availability ☠ ☠can’t steal
Attack-Defense DEF CON CTF Finals
Rubix
Rubix
Rubix 54 Rubik's cube instructions …becomes shellcode
Lab RATs on Rubix Lab RATs posted a write-up: https://blog.rpis.ec/2017/08/defcon-
finals-2017-introduction-rubix.html
Lab RATs on Rubix 1. write 9-bit to 8-bit netcat
2. analyze 9-bit strings in libc 3. symbolize libc 4. figure out how main() gets called
Lab RATs on Rubix Now the actual analysis starts…
Attack-Defense •How is it supposed to work? •How can we
attack it? •How can we defend it?
Attack-Defense •Get points by capturing flags •Lose points by having
flags captured •Lose lots of points by failing checks
Attack-Defense Complicated, frustrating, fun!
CTF Extremely ambitious
CTF •Running Smoothly •Fair Contest •Fun Challenges
Running Smoothly
Running Smoothly Starts early
Running Smoothly Who's on the team?
Legitimate Business Syndicate •Half 2005-2007 university team •Half 2012 coworkers
Legitimate Business Syndicate in 2006
Legitimate Business Syndicate •August 2012: ddtek steps down •December 2012:
Gyno starts recruiting •February 2013: Proposal submitted •March 2013: Proposal accepted
Legitimate Business Syndicate •"Reverse engineers" 3/4 of the group •Different
specialties •Radio: 2014, badger •Hardware: 2015, the year of single- board computers •Esoteric computing: 2017, cLEMENCy
Legitimate Business Syndicate 100% dependent on Selir's amazing infrastructure
Legitimate Business Syndicate I started for the database backed web
application
Team Building People grow and change
Team Building Roles grow and change
Team Building •Who do you know? •Who do you trust?
•Who do you like?
Communication “It's good.”
Communication async (chat) is great weekly meetings are great
None
Smooth Operation Support your team
Smooth Operation CTF software is software
Smooth Operation Automate testing and deployment
CTF •Running Smoothly •Fair Contest •Fun Challenges
Fair Contest
Fair Contest CTF is computer hacking
Fair Contest CTF is computer system
Fair Contest Hack the right thing the wrong way
Fair Contest Hack the wrong thing
Fair Contest Fix a thing the "wrong" way
Fair Contest Restrict players more
Qualifiers •Services on separate hosts •Multiple hosts in different locations
•Connections get separate container •xinetd and runc •Limit system calls •seccomp
Finals More complex game More complex problems
Finals •Keep the game about reverse engineering •(Not OS administration)
Finals •2013: unprivileged team account, unprivileged service accounts •2014: understood
"Superman defense" better
Superman Defense •Block opponent IPs •Prevent reading the flag
Cyber Grand Challenge US Defense Advanced Research Projects Agency (DARPA)
project starting in 2014
Cyber Grand Challenge CTF for autonomous computers
Cyber Grand challenge Extremely formalized
Challenge Binaries •"CBs" •32-bit i386 •Special CGCEF executable format •Limited
system calls •No retained state
Proof of Vulnerability •"PoVs" •32-bit i386 CGCEF •Demonstrate a vulnerability:
•Register control •Memory disclosure •Run by scoring system
Offline Evaluation •Team interface gives out binaries •Team interface collects
replacement CBs, PoVs •Runs availability checks and PoVs in isolation •Designed for reproducibility and audibility
Finals •2015: restrict system calls •2016: use CGC game format
•2017: everything in limited emulator
Fair Contest Release scoring information
Fair Contest Think about accessibility
CTF •Running Smoothly •Fair Contest •Fun Challenges
Fun Challenges Break expectations
dosfun4u •Discover that it's a DOS binary •Debug and patch
IDA Pro •Start actual reverse engineering
badger •MSP-430 on physical hardware •custom CDMA radio network
None
Consensus Evaluation •CGC's big attack-defense innovation •Everyone sees everyone else's
patched binaries •Explosion in number of binaries that need reversing
1000 cuts / crackme2000 Push teams into automated analysis Hundreds
of binaries
Consensus Evaluation in 2016 Player asks about losing points Service
being attacked, that's why "But we're using the same binariess as the winning team"
Consensus Evaluation in 2017 Rubix expected shellcode to work in
availability checks Defenders would add checks to block "evil" or allow "good" shellcode Attackers would build new shellcode to pass checks "Felt like a multiplayer game against humans"
CTF •Running Smoothly •Fair Contest •Fun Challenges
CTF Still more to learn!
CTf More work ahead of us
CTF Opportunity to grow for more players
CTF Best way to learn is to do
Five years with the best group of people I've ever
worked with
Five years building a contest for the friendliest and smartest
community I know
Thanks for making it amazing!
None
[email protected]
@vito_lbs