Upgrade to Pro — share decks privately, control downloads, hide ads and more …

«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.

OWASP Moscow
December 06, 2019
Programming
1
380

«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.

Видео https://www.youtube.com/watch?v=hJ6KYU1A2x8

Встреча Московского отделения OWASP, 6.12.2019 (https://www.meetup.com/OWASP-Moscow/events/266925142/)

OWASP Moscow

December 06, 2019
Tweet

More Decks by OWASP Moscow

See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
330
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
520
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
760
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
owaspmoscow
0
450
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
400
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
460
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
450
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
390
«Свой среди чужих», Антон Лопаницын
owaspmoscow
0
370

Other Decks in Programming

See All in Programming
入門 AWS Amplify Gen2 / Introduction to AWS Amplify Gen2
genkiogasawara
1
310
StreamlitとTerraformでデータカタログを作った話
gussan0223
0
290
From Spring Boot 2 to Spring Boot 3 with Java 22 and Jakarta EE
ivargrimstad
0
860
AWS Application Composerで始める、 サーバーレスなデータ基盤構築 / 20240406-jawsug-hokuriku-shinkansen
kasacchiful
1
250
Site Reliability Engineering for GMO
pyama86
6
840
Folding Cheat Sheet #2
philipschwarz
PRO
0
110
本格ローグライク制作にEbitengineを選んでみた
nagainaganawa
0
290
TYPO3 v13 – The road to LTS: What's new and new APIs
luisasofie_xoxo
0
180
OpenTelemetry のサービスという概念について
azukiazusa1
2
1.1k
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
340
HUIT新歓2024「競技プログラミング、やってみませんか?」
slephy2784
1
250
#phpcon_odawara オープン・クローズドなテストフィクスチャを求めて / open closed test fixtures
77web
3
210

Featured

See All Featured
Stop Working from a Prison Cell
hatefulcrawdad
265
19k
[RailsConf 2023] Rails as a piece of cake
palkan
22
3.9k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
103
6.6k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
How to Ace a Technical Interview
jacobian
272
22k
The Illustrated Children's Guide to Kubernetes
chrisshort
28
46k
Designing the Hi-DPI Web
ddemaree
276
33k
Fontdeck: Realign not Redesign
paulrobertlloyd
75
4.9k
Mobile First: as difficult as doing things right
swwweet
216
8.6k
Reflections from 52 weeks, 52 projects
jeffersonlam
343
19k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Learning to Love Humans: Emotional Interface Design
aarron
266
39k

Transcript

  1. CTFZONE: How I Learned to Stop Researching and Love the

    CTF

  2. whoami • Co-founder BalalaikaCr3w • LC/BC • CTFZONE tech lead

    • OFFZONE CFP etc.

  3. CTFZONE 2016 • Individual CTF • Zeronights 2016 • Self-made

    scoreboard (go, reactjs) • 15+ tasks • Jeopardy

  4. WTF Jeopardy • Web • Crypto • Reverse • PWN

    • PPC • MISC (OSINT/Stego/forensics/admin)

  5. CTFZONE 2017 quals • 20 tasks • 36 hours •

    24/7 support • Dynamic scoring

  6. CTFZONE 2017 quals infrastructure • Vscale • Docker • Task

    checker • Primitive Development flow • Grafana • Logstash Problems • High CPU on some tasks • Vscale support

  7. CTFZONE Finals • Onsite • 10 teams • Self-made scoring

    system • Attack/Defense • Zeronights

  8. WTF Attack/Defense • Every team gets same vulnbox • N

    services(n=5) • Checker system • Flag accept Service • 16 hours • DDoS is prohibited • DoS is okay • All packets come from NAT Scoring: • SLA • Attacks • Defense

  9. CTFZONE Finals infrastructure • Checker every 5 minutes • Hypervisor

    with hypervisors • Network UP/DOWN switch • NAT • Moloch

  10. CTFZONE Finals • Hardware tasks • PvP tasks • Armwars

    • Risky game

  11. CTFZONE 2019 – development process • Infra team • 6

    tasks teams (WEB, Reverse, crypto, forensics, pwn, ppc) Development (1st September start) • Teams (2 weeks) • Concept and PoC (1 week) • Concept check (50% readiness) (3 weeks) • Task ready (2 weeks) • Test (2 weeks) • Deployment (1 week)

  12. CTFZONE 2019 – development process

  13. CTFZONE 2019 - concept • Forensics harder than strings •

    Good crypto • Real world web • Modern ppc • 1 ucucuga

  14. CTFZONE 2019 - concept • Forensics harder than strings •

    Good crypto • Real world web • Modern ppc • 1 ucucuga Expectation

  15. CTFZONE 2019 - concept • Forensics harder than strings •

    Good crypto • Real world web • Modern ppc • 1 ucucuga Expectation Reality

  16. CTFZONE 2019 • Gcloud • Kubernetes • Helm • Terraform

    • Prometheus • Grafana • Graylog

  17. CTFZONE 2019 - problems • Google cloud netpolicy • Too

    big RPS on start • Unstable tasks because of logic and RCE • Not enough deployment tests

  18. CTFZONE 2019 – in numbers • 6500 loc code in

    infra • 29 tasks • 634 solutions • 27 tasks top – 1 • 16 tasks top-10

  19. Questions