Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Durian Conference 2017 - Capture the Flag Secret Recipes: Organizer and Players

April 08, 2017

Durian Conference 2017 - Capture the Flag Secret Recipes: Organizer and Players

A presentation in Durian Security Conference 2017 held in Malaysia with the content of Capture the Flag 101.


April 08, 2017

More Decks by Nafiez

Other Decks in Research


  1. Capture the Flag Secret Recipes - Organizer and Players Zeifan,

    Yeh & j00dan
  2. Disclaimer It is our own opinion. No harm :)

  3. Introduction nafiez - Fuzzing & Memory Corruption fans Yeh -

    Reverser & binary developer j00dan - $dayjob - #threathunting #threatintel #DFIR - HITB CTF Overlord 3.0 & Scoreboard developer
  4. Hacking is Art of Problem Solving

  5. Capture the Flag • Competition in information security • Gain

    technical knowledge and experience in information security • Understanding of how is the real world attack like ◦ Defenders know how to defence when they understand how to attack • Knowledge sharing platform • Cyber drill isn’t the only way to gain technical knowledge in information security • Where you can begin your information security journey
  6. continue • Art of problem solving too! • Desire to

    learn - everything is custom • Of course meet new friend (chances to get a new job too) • Sleepless (if the game 2 days) • Legal! • Your organization need more good people - find talent
  7. None
  8. None
  9. Weekly Event

  10. World Team Rating

  11. Organizer Perspective

  12. Make sure it is free registration!

  13. Less sleep!

  14. None
  15. Game Design • Plan properly • Be creative e.g. implement

    real world like Nuclear, Scada • Easy to understand • Logging capability • Complete control of the game • You know what you’re doing :)
  16. Scoring • Always test the scoring system with real game

    play scenarios • Ensure the scoring system is fair to every team • Never implement very complicated scoring system • Flag only can be submitted ONCE • Randomize flag rotation
  17. Scoreserver • Game logic and scoring mechanism • 99% Bulletproof

    • Scoreboard graphic projected nicely
  18. Network • Fully NATed • Hide your f*cking scoreserver IP

    address • Control the security of network, including ARP spoofing, limiting the bandwidth • Restrict player’s access to your (organizer) network • Deploy network monitoring tool • If Jeopardy style, it will be more easier :)
  19. Jeopardy: Challenges • Around 5 different categories of challenges ◦

    Web ◦ Binary ◦ Network ◦ Cryptography ◦ Forensics • Numbers of difficulty for each category • In a sequence of “Easy to Super Hard” or reverse way • Ensure the score is map to the difficulty of the challenge and total amount of time that require to solve the challenge • Bonus Challenges as well :)
  20. Attack & Defense: Daemons / Services • Non-blocking socket to

    prevent DoS • Runs in low privilege and separate user with different daemons • Ensure all daemons are exploitable • Ensure the daemons can be solved within game time
  21. Ideas • Exploitation Technique ◦ 12 bits of randomization -

    ASLR issue in Ubuntu (4096 max tries) - old issues since Ubuntu 12.04 ◦ Injecting payload into 12 bytes of buffer is almost impossible • Backdooring the OS ◦ Installed backdoor as part of the legitimate services ◦ We have deployed backdoor 2 years in row • SCTP Protocol ◦ We used SCTP protocol to send flag over the wire. No one noticed the flag is in the air \0/ • We fuzzed our own binary / services before it gets out to production ◦ We will fixed any issue that found during fuzzing on the spot :)
  22. If in doubt, asked players to provide solution :)

  23. Players Perspective

  24. Jeopardy 1. Solve as fast, as much as you can

    2. Make sure you love puzzles and maths! 3. King of the hill \0/ Attack & Defense 1. Make sure you control your box / server 2. Jailed your system 3. Make sure none of the services are running as root 4. Your programming skills in terms of offensive and defensive
  25. How do I start CTF journey? • You still need

    a basic if you don’t!
  26. Continue... • Thousands of write up out there to learn

    from • Learn from seniors • Don’t be shy • CTF is almost every week! ◦ They even have calendar for it at CTFtime.org
  27. What to prepare? • You always need to be ready!

    • Team work or you can play alone xD ◦ Each team member shall has different skills • If you’re on site, make sure to bring your power gang, switch, own internet access, food, and drink (Recommended to bring Red Bull) • Backup everything before someone pwn you • Make sure you have your own wiki ◦ Store everything whatever you have done in the CTF • Bring your 0-day! Sometimes you need it :)
  28. Be clever • To target the high profile team •

    To capture others exploit • To win some $$$ • Some challenges are almost the same like the other CTF too • For some reason, you will always need “Galactus”
  29. Things you need to aware with • Some team play

    CTF just for $$$ • “Things that you haven’t see before!” • “Seems like a complex mathematics” • “It looks simple but tedious” • Complex code e.g. obfuscation, etc. • “This doesn’t seem exploitable” • “It’s damn freaking complicated” • “That team can solve it much faster”
  30. You should avoid • Scanning entire network in the game

    - LAME • Launch DDoS attack • Attacking scoreserver • Watch WWE wrestling • Texting your girlfriend LOL
  31. Strategy

  32. None
  33. Thank you!

  34. We have many stuff haven’t covered yet! Looking forward :)

  35. Things that we have done • wargames.my 2011 ◦ Malaysia

    first online Capture the Flag competition ◦ This is where we got recruited :) • HITB KUL CTF 2011 ◦ Jeopardy style • HITB KUL CTF Competition 2012 ◦ CTF Weapons of Mass Destruction – Fallout Apocalypse ◦ 32 Hours non stop competition ◦ CTF Crew 1.0 + CTF Crew 2.0 + CTF Crew 3.0 organized together • HITB KUL CTF Competition 2013 ◦ CTF WMD: War of the World • HITB KUL CTF Competition 2014 ◦ CTF: Age of Extinction • HITB GSEC 2016 ◦ Jeopardy style, collaboration with Facebook Security Team (to introduced their CTF platform)