Capture the Flag Secret Recipes - Organizer and Players Zeifan, Yeh & j00dan

Disclaimer It is our own opinion. No harm :)

Introduction nafiez - Fuzzing & Memory Corruption fans Yeh - Reverser & binary developer j00dan - $dayjob - #threathunting #threatintel #DFIR - HITB CTF Overlord 3.0 & Scoreboard developer

Hacking is Art of Problem Solving

Capture the Flag ● Competition in information security ● Gain technical knowledge and experience in information security ● Understanding of how is the real world attack like ○ Defenders know how to defence when they understand how to attack ● Knowledge sharing platform ● Cyber drill isn’t the only way to gain technical knowledge in information security ● Where you can begin your information security journey

continue ● Art of problem solving too! ● Desire to learn - everything is custom ● Of course meet new friend (chances to get a new job too) ● Sleepless (if the game 2 days) ● Legal! ● Your organization need more good people - find talent

No content

No content

Weekly Event

World Team Rating

Organizer Perspective

Make sure it is free registration!

Less sleep!

No content

Game Design ● Plan properly ● Be creative e.g. implement real world like Nuclear, Scada ● Easy to understand ● Logging capability ● Complete control of the game ● You know what you’re doing :)

Scoring ● Always test the scoring system with real game play scenarios ● Ensure the scoring system is fair to every team ● Never implement very complicated scoring system ● Flag only can be submitted ONCE ● Randomize flag rotation

Scoreserver ● Game logic and scoring mechanism ● 99% Bulletproof ● Scoreboard graphic projected nicely

Network ● Fully NATed ● Hide your f*cking scoreserver IP address ● Control the security of network, including ARP spoofing, limiting the bandwidth ● Restrict player’s access to your (organizer) network ● Deploy network monitoring tool ● If Jeopardy style, it will be more easier :)

Jeopardy: Challenges ● Around 5 different categories of challenges ○ Web ○ Binary ○ Network ○ Cryptography ○ Forensics ● Numbers of difficulty for each category ● In a sequence of “Easy to Super Hard” or reverse way ● Ensure the score is map to the difficulty of the challenge and total amount of time that require to solve the challenge ● Bonus Challenges as well :)

Attack & Defense: Daemons / Services ● Non-blocking socket to prevent DoS ● Runs in low privilege and separate user with different daemons ● Ensure all daemons are exploitable ● Ensure the daemons can be solved within game time

Ideas ● Exploitation Technique ○ 12 bits of randomization - ASLR issue in Ubuntu (4096 max tries) - old issues since Ubuntu 12.04 ○ Injecting payload into 12 bytes of buffer is almost impossible ● Backdooring the OS ○ Installed backdoor as part of the legitimate services ○ We have deployed backdoor 2 years in row ● SCTP Protocol ○ We used SCTP protocol to send flag over the wire. No one noticed the flag is in the air \0/ ● We fuzzed our own binary / services before it gets out to production ○ We will fixed any issue that found during fuzzing on the spot :)

If in doubt, asked players to provide solution :)

Players Perspective

Jeopardy 1. Solve as fast, as much as you can 2. Make sure you love puzzles and maths! 3. King of the hill \0/ Attack & Defense 1. Make sure you control your box / server 2. Jailed your system 3. Make sure none of the services are running as root 4. Your programming skills in terms of offensive and defensive

How do I start CTF journey? ● You still need a basic if you don’t!

Continue... ● Thousands of write up out there to learn from ● Learn from seniors ● Don’t be shy ● CTF is almost every week! ○ They even have calendar for it at CTFtime.org

What to prepare? ● You always need to be ready! ● Team work or you can play alone xD ○ Each team member shall has different skills ● If you’re on site, make sure to bring your power gang, switch, own internet access, food, and drink (Recommended to bring Red Bull) ● Backup everything before someone pwn you ● Make sure you have your own wiki ○ Store everything whatever you have done in the CTF ● Bring your 0-day! Sometimes you need it :)

Be clever ● To target the high profile team ● To capture others exploit ● To win some $$$ ● Some challenges are almost the same like the other CTF too ● For some reason, you will always need “Galactus”

Things you need to aware with ● Some team play CTF just for $$$ ● “Things that you haven’t see before!” ● “Seems like a complex mathematics” ● “It looks simple but tedious” ● Complex code e.g. obfuscation, etc. ● “This doesn’t seem exploitable” ● “It’s damn freaking complicated” ● “That team can solve it much faster”

You should avoid ● Scanning entire network in the game - LAME ● Launch DDoS attack ● Attacking scoreserver ● Watch WWE wrestling ● Texting your girlfriend LOL

Strategy

No content

Thank you!

We have many stuff haven’t covered yet! Looking forward :)

Things that we have done ● wargames.my 2011 ○ Malaysia first online Capture the Flag competition ○ This is where we got recruited :) ● HITB KUL CTF 2011 ○ Jeopardy style ● HITB KUL CTF Competition 2012 ○ CTF Weapons of Mass Destruction – Fallout Apocalypse ○ 32 Hours non stop competition ○ CTF Crew 1.0 + CTF Crew 2.0 + CTF Crew 3.0 organized together ● HITB KUL CTF Competition 2013 ○ CTF WMD: War of the World ● HITB KUL CTF Competition 2014 ○ CTF: Age of Extinction ● HITB GSEC 2016 ○ Jeopardy style, collaboration with Facebook Security Team (to introduced their CTF platform)