"CTFZone, or How to Stop Researching and Love the CTF", Nikita Vdovushkin, BI.ZONE.

Video: https://www.youtube.com/watch?v=hJ6KYU1A2x8

OWASP Moscow chapter meetup, 6.12.2019 (https://www.meetup.com/OWASP-Moscow/events/266925142/)

OWASP Moscow

December 06, 2019
Transcript

  1. CTFZONE: How I Learned to Stop Researching and Love the CTF
  2. whoami • Co-founder BalalaikaCr3w • LC/BC • CTFZONE tech lead • OFFZONE CFP etc.
  3. CTFZONE 2016 • Individual CTF • Zeronights 2016 • Self-made scoreboard (go, reactjs) • 15+ tasks • Jeopardy
  4. WTF Jeopardy • Web • Crypto • Reverse • PWN • PPC • MISC (OSINT/Stego/forensics/admin)
  5. CTFZONE 2017 quals • 20 tasks • 36 hours • 24/7 support • Dynamic scoring
  6. CTFZONE 2017 quals infrastructure • Vscale • Docker • Task checker • Primitive Development flow • Grafana • Logstash • Problems: High CPU on some tasks • Vscale support
  7. CTFZONE Finals • Onsite • 10 teams • Self-made scoring system • Attack/Defense • Zeronights
  8. WTF Attack/Defense • Every team gets same vulnbox • N services (n=5) • Checker system • Flag accept Service • 16 hours • DDoS is prohibited • DoS is okay • All packets come from NAT • Scoring: SLA • Attacks • Defense
  9. CTFZONE Finals infrastructure • Checker every 5 minutes • Hypervisor with hypervisors • Network UP/DOWN switch • NAT • Moloch
  10. CTFZONE Finals • Hardware tasks • PvP tasks • Armwars • Risky game
  11. CTFZONE 2019 – development process • Infra team • 6 tasks teams (WEB, Reverse, crypto, forensics, pwn, ppc) • Development (1st September start): Teams (2 weeks) • Concept and PoC (1 week) • Concept check (50% readiness) (3 weeks) • Task ready (2 weeks) • Test (2 weeks) • Deployment (1 week)
  12. CTFZONE 2019 – development process
  13. CTFZONE 2019 - concept • Forensics harder than strings • Good crypto • Real world web • Modern ppc • 1 ucucuga
  14. CTFZONE 2019 - concept • Forensics harder than strings • Good crypto • Real world web • Modern ppc • 1 ucucuga • Expectation
  15. CTFZONE 2019 - concept • Forensics harder than strings • Good crypto • Real world web • Modern ppc • 1 ucucuga • Expectation • Reality
  16. CTFZONE 2019 • Gcloud • Kubernetes • Helm • Terraform • Prometheus • Grafana • Graylog
  17. CTFZONE 2019 - problems • Google cloud netpolicy • Too big RPS on start • Unstable tasks because of logic and RCE • Not enough deployment tests
  18. CTFZONE 2019 – in numbers • 6500 loc code in infra • 29 tasks • 634 solutions • 27 tasks top – 1 • 16 tasks top-10
  19. Questions