Durian Conference 2017 - Capture the Flag Secret Recipes: Organizer and Players

April 08, 2017

A presentation given at Durian Security Conference 2017, held in Malaysia, covering Capture the Flag 101.



  1. Introduction
    • nafiez - Fuzzing & Memory Corruption fan
    • Yeh - Reverser & binary developer
    • j00dan - $dayjob - #threathunting #threatintel #DFIR - HITB CTF Overlord 3.0 & Scoreboard developer
  2. Capture the Flag
    • Competition in information security
    • Gain technical knowledge and experience in information security
    • Understand what real-world attacks look like
      ◦ Defenders know how to defend when they understand how to attack
    • Knowledge-sharing platform
    • Cyber drills aren’t the only way to gain technical knowledge in information security
    • Where you can begin your information security journey
  3. Continue
    • Art of problem solving too!
    • Desire to learn - everything is custom
    • Of course, meet new friends (chance to get a new job too)
    • Sleepless (if the game runs 2 days)
    • Legal!
    • Your organization needs more good people - find talent
  4. Game Design
    • Plan properly
    • Be creative, e.g. implement real-world scenarios like Nuclear, SCADA
    • Easy to understand
    • Logging capability
    • Complete control of the game
    • You know what you’re doing :)
  5. Scoring
    • Always test the scoring system with real game play scenarios
    • Ensure the scoring system is fair to every team
    • Never implement a very complicated scoring system
    • A flag can only be submitted ONCE
    • Randomize flag rotation
  6. Network
    • Fully NATed
    • Hide your f*cking scoreserver IP address
    • Control the security of the network, including ARP spoofing and limiting the bandwidth
    • Restrict players’ access to your (organizer) network
    • Deploy a network monitoring tool
    • If Jeopardy style, it will be much easier :)
  7. Jeopardy: Challenges
    • Around 5 different categories of challenges
      ◦ Web
      ◦ Binary
      ◦ Network
      ◦ Cryptography
      ◦ Forensics
    • A number of difficulty levels for each category
    • In a sequence of “Easy to Super Hard” or the reverse
    • Ensure the score maps to the difficulty of the challenge and the total amount of time required to solve it
    • Bonus Challenges as well :)
  8. Attack & Defense: Daemons / Services
    • Non-blocking sockets to prevent DoS
    • Run with low privilege, with a separate user for each daemon
    • Ensure all daemons are exploitable
    • Ensure the daemons can be solved within game time
  9. Ideas
    • Exploitation Technique
      ◦ 12 bits of randomization - ASLR issue in Ubuntu (4096 max tries) - old issue since Ubuntu 12.04
      ◦ Injecting payload into 12 bytes of buffer is almost impossible
    • Backdooring the OS
      ◦ Installed backdoor as part of the legitimate services
      ◦ We have deployed backdoors 2 years in a row
    • SCTP Protocol
      ◦ We used the SCTP protocol to send the flag over the wire. No one noticed the flag was in the air \0/
    • We fuzzed our own binaries / services before they went out to production
      ◦ We fixed any issue found during fuzzing on the spot :)
  10. Jeopardy
    1. Solve as fast and as much as you can
    2. Make sure you love puzzles and maths!
    3. King of the hill \0/
    Attack & Defense
    1. Make sure you control your box / server
    2. Jail your system
    3. Make sure none of the services are running as root
    4. Your programming skills, both offensive and defensive
  11. Continue...
    • Thousands of write-ups out there to learn from
    • Learn from seniors
    • Don’t be shy
    • There is a CTF almost every week!
      ◦ They even have a calendar for it at CTFtime.org
  12. What to prepare?
    • You always need to be ready!
    • Teamwork, or you can play alone xD
      ◦ Each team member should have different skills
    • If you’re on site, make sure to bring your power gang, switch, own internet access, food, and drink (Recommended to bring Red Bull)
    • Back up everything before someone pwns you
    • Make sure you have your own wiki
      ◦ Store everything you have done in the CTF
    • Bring your 0-day! Sometimes you need it :)
  13. Be clever
    • To target the high profile team
    • To capture others’ exploits
    • To win some $$$
    • Some challenges are almost the same as in other CTFs too
    • For some reason, you will always need “Galactus”
  14. Things you need to be aware of
    • Some teams play CTF just for $$$
    • “Things that you haven’t seen before!”
    • “Seems like a complex mathematics”
    • “It looks simple but tedious”
    • Complex code e.g. obfuscation, etc.
    • “This doesn’t seem exploitable”
    • “It’s damn freaking complicated”
    • “That team can solve it much faster”
  15. You should avoid
    • Scanning the entire network in the game - LAME
    • Launching DDoS attacks
    • Attacking the scoreserver
    • Watching WWE wrestling
    • Texting your girlfriend LOL
  16. Things that we have done
    • wargames.my 2011
      ◦ Malaysia’s first online Capture the Flag competition
      ◦ This is where we got recruited :)
    • HITB KUL CTF 2011
      ◦ Jeopardy style
    • HITB KUL CTF Competition 2012
      ◦ CTF Weapons of Mass Destruction – Fallout Apocalypse
      ◦ 32 hours non-stop competition
      ◦ CTF Crew 1.0 + CTF Crew 2.0 + CTF Crew 3.0 organized together
    • HITB KUL CTF Competition 2013
      ◦ CTF WMD: War of the World
    • HITB KUL CTF Competition 2014
      ◦ CTF: Age of Extinction
    • HITB GSEC 2016
      ◦ Jeopardy style, collaboration with Facebook Security Team (to introduce their CTF platform)
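
An organizer-side sketch of the scoring rules from the Scoring slide (a flag scores only once, flags rotate, every attempt is logged). This is an added example, not code from the presenters or from any HITB scoreboard. It reads "randomize flag rotation" as unpredictable per-round flag values plus a jittered round length, which is an assumption, and `KEY`, `TEAMS`, `SERVICES`, `VALID_ROUNDS` and all function names are hypothetical.

```python
import hashlib, hmac, secrets

KEY = b"constructed-demo-key"        # constructed; generate randomly per game
TEAMS = ("red", "blue", "green")     # constructed team names
SERVICES = ("web", "pwn")            # constructed service names
VALID_ROUNDS = 2                     # assumption: a flag expires after 2 rounds

def flag_for(team, service, rnd):
    """Per-team, per-service, per-round flag; unpredictable without KEY."""
    msg = f"{team}|{service}|{rnd}".encode()
    return "FLAG{" + hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:32] + "}"

def next_round_delay(base=120, jitter=60):
    """Seconds until the next rotation, jittered so players cannot time it."""
    return base + secrets.randbelow(jitter + 1)

class Scoreboard:
    def __init__(self):
        self.seen = set()                    # (submitter, flag) already scored
        self.points = {t: 0 for t in TEAMS}
        self.log = []                        # every attempt, kept for disputes

    def _owner(self, flag, rnd):
        """Team whose still-valid flag this is, or None."""
        for r in range(max(0, rnd - VALID_ROUNDS + 1), rnd + 1):
            for team in TEAMS:
                for svc in SERVICES:
                    want = flag_for(team, svc, r).encode()
                    if hmac.compare_digest(flag.encode(), want):
                        return team
        return None

    def submit(self, submitter, flag, rnd):
        owner = self._owner(flag, rnd)
        if submitter not in self.points:
            result = "unknown team"
        elif owner is None:
            result = "invalid or expired"
        elif owner == submitter:
            result = "own flag"
        elif (submitter, flag) in self.seen:
            result = "duplicate"
        else:
            self.seen.add((submitter, flag))
            self.points[submitter] += 1
            result = "accepted"
        self.log.append((rnd, submitter, result))
        return result
```

Calling `Scoreboard().submit("red", flag_for("blue", "web", 5), 5)` twice returns `accepted` and then `duplicate`; the same flag submitted at round 7 is rejected as expired.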