Capture the Flag
● Competition in information security
● Gain technical knowledge and experience in information security
● Understand what a real-world attack looks like
○ Defenders know how to defend once they understand how to attack
● Knowledge-sharing platform
● Cyber drills aren’t the only way to gain technical knowledge in information security
● Where you can begin your information security journey
(continued)
● The art of problem solving too!
● Desire to learn: everything is custom
● Of course, meet new friends (and chances to get a new job too)
● Sleepless (if the game runs 2 days)
● Legal!
● Your organization needs more good people: find talent
Game Design
● Plan properly
● Be creative, e.g. implement real-world-like scenarios such as nuclear or SCADA systems
● Easy to understand
● Logging capability
● Complete control of the game
● You know what you’re doing :)
Scoring
● Always test the scoring system with real game-play scenarios
● Ensure the scoring system is fair to every team
● Never implement a very complicated scoring system
● A flag can only be submitted ONCE
● Randomize flag rotation
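A minimal scoreboard that enforces the two rules above (a flag is credited at most once per team, and flags rotate every round so stale flags are worthless), as an added Python example that is not from the talk or any scoreserver it describes; the round length, flag format and team names are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

ROUND_SECONDS = 300  # constructed assumption: one fresh flag per service per 5-minute round


@dataclass
class Scoreboard:
    """Flag store for an attack & defense game: per-round flags, single credit per team."""
    clock: Callable[[], float] = time.time          # injectable so rotation can be tested
    flags: dict = field(default_factory=dict)       # flag -> (owner_team, service, round)
    claimed: set = field(default_factory=set)       # (team, flag) pairs already credited
    scores: dict = field(default_factory=dict)      # team -> points

    def current_round(self) -> int:
        return int(self.clock() // ROUND_SECONDS)

    def plant_flag(self, owner: str, service: str) -> str:
        """Issue an unpredictable flag for this round; the checker plants it on the owner's box."""
        flag = "FLAG{" + secrets.token_hex(16) + "}"   # 128 random bits: not guessable
        self.flags[flag] = (owner, service, self.current_round())
        return flag

    def submit(self, team: str, flag: str) -> str:
        """Credit the flag only if it is real, foreign, from the current round and unclaimed."""
        entry = self.flags.get(flag)
        if entry is None:
            return "invalid"
        owner, _service, rnd = entry
        if owner == team:
            return "own_flag"        # submitting your own flag never scores
        if rnd != self.current_round():
            return "expired"         # rotation: flags from earlier rounds no longer count
        if (team, flag) in self.claimed:
            return "duplicate"       # ONCE: replaying an already credited flag earns nothing
        self.claimed.add((team, flag))
        self.scores[team] = self.scores.get(team, 0) + 1
        return "accepted"
```

Because every outcome is a distinct status string, the same function doubles as the log line the organizers need to spot replay and self-submission attempts.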
Network
● Fully NATed
● Hide your f*cking scoreserver IP address
● Control the security of the network, including ARP spoofing and limiting the bandwidth
● Restrict players’ access to your (organizer) network
● Deploy a network monitoring tool
● If Jeopardy style, it will be much easier :)
Jeopardy: Challenges
● Around 5 different categories of challenges
○ Web
○ Binary
○ Network
○ Cryptography
○ Forensics
● A number of difficulty levels for each category
● In a sequence from “Easy” to “Super Hard”, or the reverse
● Ensure the score maps to the difficulty of the challenge and the total amount of time required to solve it
● Bonus challenges as well :)
Attack & Defense: Daemons / Services
● Non-blocking sockets to prevent DoS
● Run at low privilege, with a separate user for each daemon
● Ensure all daemons are exploitable
● Ensure the daemons can be solved within game time
Ideas
● Exploitation technique
○ 12 bits of randomization: an ASLR issue in Ubuntu (4096 tries at most), an old issue since Ubuntu 12.04
○ Injecting a payload into a 12-byte buffer is almost impossible
● Backdooring the OS
○ Backdoor installed as part of the legitimate services
○ We have deployed a backdoor 2 years in a row
● SCTP protocol
○ We used the SCTP protocol to send the flag over the wire. No one noticed the flag was in the air \0/
● We fuzzed our own binaries / services before they went out to production
○ We fixed any issue found during fuzzing on the spot :)
Jeopardy
1. Solve as fast and as much as you can
2. Make sure you love puzzles and maths!
3. King of the hill \0/
Attack & Defense
1. Make sure you control your box / server
2. Jail your system
3. Make sure none of the services are running as root
4. Your programming skills, both offensive and defensive
(continued)
● Thousands of write-ups out there to learn from
● Learn from seniors
● Don’t be shy
● There is a CTF almost every week!
○ There is even a calendar for it at CTFtime.org
What to prepare?
● You always need to be ready!
● Team work, or you can play alone xD
○ Each team member should have different skills
● If you’re on site, make sure to bring your power strip, switch, own internet access, food, and drink (Red Bull recommended)
● Back up everything before someone pwns you
● Make sure you have your own wiki
○ Store everything you have done in the CTF
● Bring your 0-day! Sometimes you need it :)
Be clever
● Target the high-profile teams
● Capture others’ exploits
● Win some $$$
● Some challenges are almost the same as in other CTFs too
● For some reason, you will always need “Galactus”
Things you need to be aware of
● Some teams play CTF just for $$$
● “Things that you haven’t seen before!”
● “Seems like complex mathematics”
● “It looks simple but tedious”
● Complex code, e.g. obfuscation, etc.
● “This doesn’t seem exploitable”
● “It’s damn freaking complicated”
● “That team can solve it much faster”
You should avoid
● Scanning the entire network in the game: LAME
● Launching DDoS attacks
● Attacking the scoreserver
● Watching WWE wrestling
● Texting your girlfriend LOL
Things that we have done
● wargames.my 2011
○ Malaysia’s first online Capture the Flag competition
○ This is where we got recruited :)
● HITB KUL CTF 2011
○ Jeopardy style
● HITB KUL CTF Competition 2012
○ CTF Weapons of Mass Destruction – Fallout Apocalypse
○ 32 hours non-stop competition
○ CTF Crew 1.0 + CTF Crew 2.0 + CTF Crew 3.0 organized together
● HITB KUL CTF Competition 2013
○ CTF WMD: War of the World
● HITB KUL CTF Competition 2014
○ CTF: Age of Extinction
● HITB GSEC 2016
○ Jeopardy style, in collaboration with the Facebook Security Team (to introduce their CTF platform)