
Durian Conference 2017 - Capture the Flag Secret Recipes: Organizer and Players

Nafiez
April 08, 2017

A presentation at the Durian Security Conference 2017, held in Malaysia, covering Capture the Flag 101.

Transcript

  1. Capture the Flag Secret Recipes - Organizer and Players
    Zeifan, Yeh & j00dan

  2. Disclaimer
    It is our own opinion. No harm :)

  3. Introduction
    nafiez - Fuzzing & Memory Corruption fans
    Yeh - Reverser & binary developer
    j00dan
    - $dayjob - #threathunting #threatintel #DFIR
    - HITB CTF Overlord 3.0 & Scoreboard developer

  4. Hacking is the Art of Problem Solving

  5. Capture the Flag
    ● Competition in information security
    ● Gain technical knowledge and experience in information security
    ● Understanding of what a real-world attack looks like
    ○ Defenders know how to defend when they understand how to attack
    ● Knowledge sharing platform
    ● Cyber drill isn’t the only way to gain technical knowledge in information security
    ● Where you can begin your information security journey

  6. Continued
    ● Art of problem solving too!
    ● Desire to learn - everything is custom
    ● Of course meet new friends (a chance to get a new job too)
    ● Sleepless (if the game is 2 days)
    ● Legal!
    ● Your organization needs more good people - find talent

  7. Weekly Event

  8. World Team Rating

  9. Organizer Perspective

  10. Make sure it is free registration!

  11. Game Design
    ● Plan properly
    ● Be creative, e.g. implement real-world-like scenarios such as nuclear or SCADA
    ● Easy to understand
    ● Logging capability
    ● Complete control of the game
    ● You know what you’re doing :)

  12. Scoring
    ● Always test the scoring system with real game play scenarios
    ● Ensure the scoring system is fair to every team
    ● Never implement a very complicated scoring system
    ● A flag can only be submitted ONCE
    ● Randomize flag rotation

  13. Scoreserver
    ● Game logic and scoring mechanism
    ● 99% Bulletproof
    ● Scoreboard graphic projected nicely
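    The scoring and scoreserver slides above fit together as one piece of game logic. The following is an added example (not code from the talk or from any of the authors' scoreservers) of an attack & defense scoreserver core that enforces the rules the slides list: flags rotate every round and are derived with an HMAC from a secret shared only with the flag-planting checker, a stolen flag is accepted only ONCE per (attacker, victim, service, round), a team cannot score its own flag, and every submission is logged. Team names, service names, point values and the round secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


class ScoreServer:
    """Attack & defense scoreserver core: rotating per-round flags, one accepted
    submission per (attacker, victim, service, round), no self-scoring, audit log."""

    def __init__(self, services, round_secret=None):
        # services: {service name: points awarded per captured flag}
        self.points = dict(services)
        # Secret shared only between the scoreserver and the checker that plants flags.
        self.secret = round_secret if round_secret is not None else secrets.token_bytes(32)
        self.round = 0
        self.accepted = set()   # (attacker, victim, service, round)
        self.scores = {}        # team -> points
        self.log = []           # every submission, accepted or not

    def flag_for(self, victim, service, rnd=None):
        """Flag planted on `victim`'s `service` in round `rnd`.
        Derived with HMAC so checker and scoreserver agree without storing flags,
        and a flag stolen in round N is worthless once the round rotates."""
        rnd = self.round if rnd is None else rnd
        msg = f"{victim}:{service}:{rnd}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:24]
        return f"FLAG{{{tag}}}"

    def next_round(self):
        """Rotate flags: everything derived from the old round number expires."""
        self.round += 1

    def submit(self, attacker, victim, service, flag):
        verdict = self._check(attacker, victim, service, flag)
        self.log.append({"t": time.time(), "round": self.round, "attacker": attacker,
                         "victim": victim, "service": service, "flag": flag,
                         "verdict": verdict})
        if verdict == "accepted":
            self.accepted.add((attacker, victim, service, self.round))
            self.scores[attacker] = self.scores.get(attacker, 0) + self.points[service]
        return verdict

    def _check(self, attacker, victim, service, flag):
        if service not in self.points:
            return "unknown service"
        if attacker == victim:
            return "own flag"                  # fairness: no points for your own box
        if not isinstance(flag, str) or not flag.isascii():
            return "wrong or expired flag"     # compare_digest needs ASCII str
        # constant-time compare; only the current round's flag is valid
        if not hmac.compare_digest(flag, self.flag_for(victim, service)):
            return "wrong or expired flag"
        if (attacker, victim, service, self.round) in self.accepted:
            return "already submitted"         # ONCE per round
        return "accepted"


if __name__ == "__main__":
    # Constructed game: two services, teams "red" and "blue", fixed secret for reproducibility.
    s = ScoreServer({"httpd": 10, "notes": 20}, round_secret=b"constructed-test-secret")
    stolen = s.flag_for("blue", "httpd")
    print(s.submit("red", "blue", "httpd", stolen))   # accepted
    print(s.submit("red", "blue", "httpd", stolen))   # already submitted
    s.next_round()
    print(s.submit("red", "blue", "httpd", stolen))   # wrong or expired flag
    print(s.scores, len(s.log))
```

    In a Jeopardy game the same class works with `next_round()` never called: round 0 is the whole game and the once-only rule becomes once per game. Keeping the verdict strings distinct in the log (not on the player-facing response) is what makes post-game disputes about "fair to every team" answerable.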

  14. Network
    ● Fully NATed
    ● Hide your f*cking scoreserver IP address
    ● Control the security of the network, including ARP spoofing and limiting bandwidth
    ● Restrict player’s access to your (organizer) network
    ● Deploy network monitoring tool
    ● If Jeopardy style, it will be much easier :)
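    ARP spoofing on the game LAN is the classic way a team ends up receiving another team's (or the scoreserver's) traffic, so the monitoring tool the slide asks for should at least notice IP-to-MAC bindings changing. The following is an added example (not tooling from the talk) of that detection logic run over a constructed list of ARP replies: it alerts when an IP suddenly maps to a new MAC, when one MAC starts claiming several IPs, and rates alerts on protected infrastructure addresses (gateway, scoreserver) as high. All addresses are made up; `PROTECTED` is the organizer's own static list and is an assumption.

```python
from collections import defaultdict

# Constructed sample: ARP replies as a passive monitor on the game LAN might log them,
# as (timestamp, sender IP, sender MAC). Addresses are invented for this example.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.13.37.10", "02:00:00:00:00:0a"),   # team box A
    (1.5, "10.13.37.1",  "02:00:00:00:00:01"),   # gateway
    (2.0, "10.13.37.11", "02:00:00:00:00:0b"),   # team box B
    (9.0, "10.13.37.1",  "02:00:00:00:00:0B"),   # gateway IP now claimed by box B's MAC
    (9.5, "10.13.37.1",  "02:00:00:00:00:01"),   # real gateway answers again (flapping)
]

# Assumption: organizer infrastructure whose bindings must never change during the game.
PROTECTED = {"10.13.37.1": "02:00:00:00:00:01"}   # gateway; add the scoreserver here too


def detect_arp_conflicts(replies, protected=PROTECTED):
    """Return a list of alert dicts for suspicious ARP activity.

    ip_mac_change: an IP answered from a different MAC than last time.
    mac_claims_multiple_ips: one MAC has now answered for more than one IP.
    Alerts touching a protected IP get severity "high", everything else "medium".
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()                          # normalise case before comparing
        severity = "high" if ip in protected else "medium"
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"time": ts, "type": "ip_mac_change", "severity": severity,
                           "ip": ip, "old_mac": prev, "new_mac": mac})
        elif prev is None and ip in protected and mac != protected[ip]:
            # first sighting already contradicts the organizer's static table
            alerts.append({"time": ts, "type": "ip_mac_change", "severity": "high",
                           "ip": ip, "old_mac": protected[ip], "new_mac": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append({"time": ts, "type": "mac_claims_multiple_ips",
                           "severity": severity, "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for a in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(a)
```

    On a real network the `replies` list would be fed from a sniffer on a mirror port; the detection itself is deliberately stateful and simple so it can run on the scoreserver's monitoring box without touching the player VLANs.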

  15. Jeopardy: Challenges
    ● Around 5 different categories of challenges
    ○ Web
    ○ Binary
    ○ Network
    ○ Cryptography
    ○ Forensics
    ● A number of difficulty levels for each category
    ● In a sequence of “Easy to Super Hard” or the reverse
    ● Ensure the score is mapped to the difficulty of the challenge and the total amount of time required to solve it
    ● Bonus Challenges as well :)

  16. Attack & Defense: Daemons / Services
    ● Non-blocking socket to prevent DoS
    ● Run with low privileges, each daemon under its own separate user
    ● Ensure all daemons are exploitable
    ● Ensure the daemons can be solved within game time
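    The first two bullets are a daemon skeleton in their own right. The following is an added example (not one of the talk's services) of a TCP service built the way the slide recommends: non-blocking sockets multiplexed with `selectors`, so a client that connects and never sends anything cannot stall the others; an idle timeout and a per-connection buffer cap so half-open or slow clients are dropped; and a privilege drop to a dedicated account after binding. The account name `ctf-httpd`, the port and the upper-case echo protocol are placeholders; the intentionally vulnerable challenge logic would go in `handle_line`.

```python
import os
import pwd
import selectors
import socket
import threading
import time

IDLE_TIMEOUT = 2.0   # seconds a connection may sit without sending a full line
MAX_LINE = 256       # bytes buffered per connection before it is dropped


def drop_privileges(username):
    """Switch from root to the daemon's own unprivileged user (one user per daemon).
    `username` is a placeholder; create a matching account for each service."""
    if os.geteuid() != 0:
        return False                      # already unprivileged, nothing to do
    pw = pwd.getpwnam(username)           # KeyError if the account does not exist
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    return True


def handle_line(line: bytes) -> bytes:
    """Toy service logic (upper-case echo); the real challenge logic goes here."""
    return line.upper() + b"\n"


class NonBlockingService:
    def __init__(self, host="127.0.0.1", port=0):
        self.sel = selectors.DefaultSelector()
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((host, port))
        self.listener.listen(128)
        self.listener.setblocking(False)
        self.sel.register(self.listener, selectors.EVENT_READ)
        self.port = self.listener.getsockname()[1]
        self.conns = {}                   # socket -> {"buf": bytes, "last": float}
        self._stop = threading.Event()

    def _accept(self):
        try:
            conn, _ = self.listener.accept()
        except BlockingIOError:
            return
        conn.setblocking(False)           # never let one client block the loop
        self.conns[conn] = {"buf": b"", "last": time.monotonic()}
        self.sel.register(conn, selectors.EVENT_READ)

    def _close(self, conn):
        self.sel.unregister(conn)
        self.conns.pop(conn, None)
        conn.close()

    def _read(self, conn):
        try:
            data = conn.recv(1024)
        except BlockingIOError:
            return                        # spurious wakeup
        except OSError:
            self._close(conn)
            return
        if not data:                      # peer closed
            self._close(conn)
            return
        st = self.conns[conn]
        st["buf"] += data
        st["last"] = time.monotonic()
        if len(st["buf"]) > MAX_LINE:     # no newline within MAX_LINE bytes: drop it
            self._close(conn)
            return
        while b"\n" in st["buf"]:
            line, st["buf"] = st["buf"].split(b"\n", 1)
            try:
                conn.send(handle_line(line))   # replies are tiny; a real daemon queues writes
            except OSError:
                self._close(conn)
                return

    def _reap_idle(self):
        now = time.monotonic()
        for conn in [c for c, st in self.conns.items() if now - st["last"] > IDLE_TIMEOUT]:
            self._close(conn)

    def serve_forever(self):
        while not self._stop.is_set():
            for key, _ in self.sel.select(timeout=0.1):
                if key.fileobj is self.listener:
                    self._accept()
                elif key.fileobj in self.conns:
                    self._read(key.fileobj)
            self._reap_idle()
        for conn in list(self.conns):
            self._close(conn)
        self.sel.unregister(self.listener)
        self.listener.close()

    def stop(self):
        self._stop.set()


def run_demo():
    """Start the service on an ephemeral loopback port and show that an idle client
    neither blocks a busy one nor stays connected past IDLE_TIMEOUT."""
    svc = NonBlockingService()
    t = threading.Thread(target=svc.serve_forever, daemon=True)
    t.start()
    slow = socket.create_connection(("127.0.0.1", svc.port))   # connects, sends nothing
    fast = socket.create_connection(("127.0.0.1", svc.port))
    slow.settimeout(10)
    fast.settimeout(10)
    try:
        fast.sendall(b"hello\n")
        fast_reply = fast.recv(64)        # b"HELLO\n" despite the idle client
        slow_reply = slow.recv(64)        # b"" once the server reaps the idle connection
    finally:
        fast.close()
        slow.close()
        svc.stop()
        t.join(5)
    return fast_reply, slow_reply


if __name__ == "__main__":
    svc = NonBlockingService(port=31337)  # bind first (root if the port needs it) ...
    drop_privileges("ctf-httpd")          # ... then drop to the placeholder service account
    svc.serve_forever()
```

    The order in the `__main__` block matters: bind and listen while still privileged if the port requires it, drop to the service's own user, and only then start handling input, so that any successful exploit of `handle_line` lands in an account that owns nothing but this daemon.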

  17. Ideas
    ● Exploitation Technique
    ○ 12 bits of randomization - ASLR issue in Ubuntu (4096 max tries) - old issue since Ubuntu 12.04
    ○ Injecting a payload into a 12-byte buffer is almost impossible
    ● Backdooring the OS
    ○ Installed a backdoor as part of the legitimate services
    ○ We have deployed a backdoor 2 years in a row
    ● SCTP Protocol
    ○ We used the SCTP protocol to send flags over the wire. No one noticed the flag was in the air \0/
    ● We fuzzed our own binaries / services before they went to production
    ○ We fixed any issue found during fuzzing on the spot :)

  18. If in doubt, ask players to provide a solution :)

  19. Players Perspective

  20. Jeopardy
    1. Solve as fast and as much as you can
    2. Make sure you love puzzles and maths!
    3. King of the hill \0/
    Attack & Defense
    1. Make sure you control your box / server
    2. Jail your system
    3. Make sure none of the services are running as root
    4. Your programming skills, both offensive and defensive

  21. How do I start CTF journey?
    ● You still need the basics if you don’t have them!

  22. Continue...
    ● Thousands of write-ups out there to learn from
    ● Learn from seniors
    ● Don’t be shy
    ● CTF is almost every week!
    ○ They even have a calendar for it at CTFtime.org

  23. What to prepare?
    ● You always need to be ready!
    ● Team work or you can play alone xD
    ○ Each team member should have different skills
    ● If you’re on site, make sure to bring your power gang (power strip), switch, own internet access, food, and drink (Red Bull recommended)
    ● Back up everything before someone pwns you
    ● Make sure you have your own wiki
    ○ Store everything you have done in the CTF
    ● Bring your 0-day! Sometimes you need it :)

  24. Be clever
    ● To target the high profile team
    ● To capture others’ exploits
    ● To win some $$$
    ● Some challenges are almost the same like the other CTF too
    ● For some reason, you will always need “Galactus”

  25. Things you need to be aware of
    ● Some teams play CTF just for $$$
    ● “Things that you haven’t seen before!”
    ● “Seems like a complex mathematics”
    ● “It looks simple but tedious”
    ● Complex code e.g. obfuscation, etc.
    ● “This doesn’t seem exploitable”
    ● “It’s damn freaking complicated”
    ● “That team can solve it much faster”

  26. You should avoid
    ● Scanning the entire network in the game - LAME
    ● Launching DDoS attacks
    ● Attacking the scoreserver
    ● Watching WWE wrestling
    ● Texting your girlfriend LOL

  27. We have many things that haven’t been covered yet!
    Looking forward :)

  28. Things that we have done
    ● wargames.my 2011
    ○ Malaysia’s first online Capture the Flag competition
    ○ This is where we got recruited :)
    ● HITB KUL CTF 2011
    ○ Jeopardy style
    ● HITB KUL CTF Competition 2012
    ○ CTF Weapons of Mass Destruction – Fallout Apocalypse
    ○ 32 hours non-stop competition
    ○ CTF Crew 1.0 + CTF Crew 2.0 + CTF Crew 3.0 organized together
    ● HITB KUL CTF Competition 2013
    ○ CTF WMD: War of the World
    ● HITB KUL CTF Competition 2014
    ○ CTF: Age of Extinction
    ● HITB GSEC 2016
    ○ Jeopardy style, in collaboration with the Facebook Security Team (to introduce their CTF platform)