Upgrade to Pro — share decks privately, control downloads, hide ads and more …

«CTFZone, или как перестать ресёрчить и полюбит...

OWASP Moscow
December 06, 2019
Programming
1
460

«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.

Видео https://www.youtube.com/watch?v=hJ6KYU1A2x8

Встреча Московского отделения OWASP, 6.12.2019 (https://www.meetup.com/OWASP-Moscow/events/266925142/)

OWASP Moscow

December 06, 2019
Tweet

More Decks by OWASP Moscow

See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
420
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
600
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
850
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
owaspmoscow
0
560
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
470
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
540
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
530
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
470
«Свой среди чужих», Антон Лопаницын
owaspmoscow
0
450

Other Decks in Programming

See All in Programming
Remix on Hono on Cloudflare Workers
yusukebe
1
280
AWS Lambdaから始まった
Serverlessの「熱」とキャリアパス / It started with AWS Lambda Serverless “fever” and career path
seike460
PRO
1
250
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
9
3.3k
EventSourcingの理想と現実
wenas
6
2.3k
A Journey of Contribution and Collaboration in Open Source
ivargrimstad
0
880
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
2
350
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
1
100
現場で役立つモデリング 超入門
masuda220
PRO
15
3.2k
リアーキテクチャxDDD 1年間の取り組みと進化
hsawaji
1
220
「今のプロジェクトいろいろ大変なんですよ、app/services とかもあって……」/After Kaigi on Rails 2024 LT Night
junk0612
5
2.1k
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.3k
Ethereum_.pdf
nekomatu
0
460

Featured

See All Featured
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Facilitating Awesome Meetings
lara
50
6.1k
The Cult of Friendly URLs
andyhume
78
6k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
YesSQL, Process and Tooling at Scale
rocio
169
14k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
GraphQLとの向き合い方2022年版
quramy
43
13k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
A Modern Web Designer's Workflow
chriscoyier
693
190k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k

Transcript

  1. CTFZONE: How I Learned to Stop Researching and Love the

    CTF

  2. whoami • Co-founder BalalaikaCr3w • LC/BC • CTFZONE tech lead

    • OFFZONE CFP etc.

  3. CTFZONE 2016 • Individual CTF • Zeronights 2016 • Self-made

    scoreboard (go, reactjs) • 15+ tasks • Jeopardy

  4. WTF Jeopardy • Web • Crypto • Reverse • PWN

    • PPC • MISC (OSINT/Stego/forensics/admin)

  5. CTFZONE 2017 quals • 20 tasks • 36 hours •

    24/7 support • Dynamic scoring

  6. CTFZONE 2017 quals infrastructure • Vscale • Docker • Task

    checker • Primitive Development flow • Grafana • Logstash Problems • High CPU on some tasks • Vscale support

  7. CTFZONE Finals • Onsite • 10 teams • Self-made scoring

    system • Attack/Defense • Zeronights

  8. WTF Attack/Defense • Every team gets same vulnbox • N

    services(n=5) • Checker system • Flag accept Service • 16 hours • DDoS is prohibited • DoS is okay • All packets come from NAT Scoring: • SLA • Attacks • Defense

  9. CTFZONE Finals infrastructure • Checker every 5 minutes • Hypervisor

    with hypervisors • Network UP/DOWN switch • NAT • Moloch

  10. CTFZONE Finals • Hardware tasks • PvP tasks • Armwars

    • Risky game

  11. CTFZONE 2019 – development process • Infra team • 6

    tasks teams (WEB, Reverse, crypto, forensics, pwn, ppc) Development (1st September start) • Teams (2 weeks) • Concept and PoC (1 week) • Concept check (50% readiness) (3 weeks) • Task ready (2 weeks) • Test (2 weeks) • Deployment (1 week)

  12. CTFZONE 2019 – development process

  13. CTFZONE 2019 - concept • Forensics harder than strings •

    Good crypto • Real world web • Modern ppc • 1 ucucuga

  14. CTFZONE 2019 - concept • Forensics harder than strings •

    Good crypto • Real world web • Modern ppc • 1 ucucuga Expectation

  15. CTFZONE 2019 - concept • Forensics harder than strings •

    Good crypto • Real world web • Modern ppc • 1 ucucuga Expectation Reality

  16. CTFZONE 2019 • Gcloud • Kubernetes • Helm • Terraform

    • Prometheus • Grafana • Graylog

  17. CTFZONE 2019 - problems • Google cloud netpolicy • Too

    big RPS on start • Unstable tasks because of logic and RCE • Not enough deployment tests

  18. CTFZONE 2019 – in numbers • 6500 loc code in

    infra • 29 tasks • 634 solutions • 27 tasks top – 1 • 16 tasks top-10

  19. Questions