Slide 1

Slide 1 text

Capture the Flag Secret Recipes - Organizer and Players
Zeifan, Yeh & j00dan

Slide 2

Slide 2 text

Disclaimer: It is our own opinion. No harm :)

Slide 3

Slide 3 text

Introduction
● nafiez - Fuzzing & Memory Corruption fan
● Yeh - Reverser & binary developer
● j00dan - $dayjob - #threathunting #threatintel #DFIR - HITB CTF Overlord 3.0 & Scoreboard developer

Slide 4

Slide 4 text

Hacking is the Art of Problem Solving

Slide 5

Slide 5 text

Capture the Flag
● Competition in information security
● Gain technical knowledge and experience in information security
● Understanding of what a real-world attack looks like
○ Defenders know how to defend when they understand how to attack
● Knowledge sharing platform
● Cyber drills aren't the only way to gain technical knowledge in information security
● Where you can begin your information security journey

Slide 6

Slide 6 text

Continue
● Art of problem solving too!
● Desire to learn - everything is custom
● Of course, meet new friends (chances to get a new job too)
● Sleepless (if the game is 2 days)
● Legal!
● Your organization needs more good people - find talent

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

Weekly Event

Slide 10

Slide 10 text

World Team Rating

Slide 11

Slide 11 text

Organizer Perspective

Slide 12

Slide 12 text

Make sure it is free registration!

Slide 13

Slide 13 text

Less sleep!

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

Game Design
● Plan properly
● Be creative, e.g. implement real-world-like scenarios such as nuclear or SCADA
● Easy to understand
● Logging capability
● Complete control of the game
● You know what you're doing :)

Slide 16

Slide 16 text

Scoring
● Always test the scoring system with real game play scenarios
● Ensure the scoring system is fair to every team
● Never implement a very complicated scoring system
● A flag can only be submitted ONCE
● Randomize flag rotation

Slide 17

Slide 17 text

Scoreserver
● Game logic and scoring mechanism
● 99% bulletproof
● Scoreboard graphic projected nicely
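The scoring rules from the Scoring and Scoreserver slides (one submission per flag, randomized per-round rotation, and the logging the Game Design slide asks for) as a minimal scoreserver core. This is an added illustration written for this page, not the HITB scoreboard code; team names, service names and the `FLAG{...}` format are constructed.

```python
import secrets
from collections import defaultdict


class Scoreserver:
    """Minimal attack-and-defense scoring logic (constructed for illustration)."""

    def __init__(self, teams, services, points_per_flag=10):
        self.teams = set(teams)
        self.services = list(services)
        self.points = points_per_flag
        self.round = 0
        self.live = {}          # flag -> (round, owner team, service); only current round
        self.accepted = set()   # (team, flag) pairs already credited: a flag counts ONCE
        self.scores = defaultdict(int)
        self.log = []           # (round, team, flag, verdict) for every attempt

    def rotate(self):
        """Start a new round: every (team, service) gets a fresh, unguessable flag.
        Flags from earlier rounds are dropped, so stale captures stop scoring."""
        self.round += 1
        self.live = {}
        for team in self.teams:
            for svc in self.services:
                flag = "FLAG{" + secrets.token_hex(16) + "}"   # 128 random bits
                self.live[flag] = (self.round, team, svc)
        return dict(self.live)

    def submit(self, team, flag):
        """Validate one flag submission and return a verdict string."""
        verdict = self._check(team, flag)
        self.log.append((self.round, team, flag, verdict))
        if verdict == "accepted":
            self.accepted.add((team, flag))
            self.scores[team] += self.points
        return verdict

    def _check(self, team, flag):
        if team not in self.teams:
            return "unknown_team"
        entry = self.live.get(flag)
        if entry is None:
            return "invalid_or_expired"     # never issued, or from a rotated-out round
        _round, owner, _svc = entry
        if owner == team:
            return "own_flag"               # no points for submitting your own flag
        if (team, flag) in self.accepted:
            return "duplicate"              # already credited once to this team
        return "accepted"
```

Each rotation replaces the whole flag set, so a team that captured a flag late cannot keep resubmitting it, and the log records every rejected attempt for later review.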

Slide 18

Slide 18 text

Network
● Fully NATed
● Hide your f*cking scoreserver IP address
● Control the security of the network, including ARP spoofing and limiting the bandwidth
● Restrict players' access to your (organizer) network
● Deploy a network monitoring tool
● If Jeopardy style, it will be much easier :)

Slide 19

Slide 19 text

Jeopardy: Challenges
● Around 5 different categories of challenges
○ Web
○ Binary
○ Network
○ Cryptography
○ Forensics
● A number of difficulty levels for each category
● In a sequence from "Easy to Super Hard" or the reverse way
● Ensure the score maps to the difficulty of the challenge and the total amount of time required to solve it
● Bonus challenges as well :)

Slide 20

Slide 20 text

Attack & Defense: Daemons / Services
● Non-blocking sockets to prevent DoS
● Run at low privilege, with a separate user for each daemon
● Ensure all daemons are exploitable
● Ensure the daemons can be solved within game time

Slide 21

Slide 21 text

Ideas
● Exploitation technique
○ 12 bits of randomization - ASLR issue in Ubuntu (4096 max tries) - old issue since Ubuntu 12.04
○ Injecting a payload into a 12-byte buffer is almost impossible
● Backdooring the OS
○ Backdoor installed as part of the legitimate services
○ We have deployed a backdoor 2 years in a row
● SCTP protocol
○ We used the SCTP protocol to send flags over the wire. No one noticed the flag was in the air \0/
● We fuzzed our own binaries / services before they went out to production
○ We fixed any issue found during fuzzing on the spot :)

Slide 22

Slide 22 text

If in doubt, ask players to provide the solution :)

Slide 23

Slide 23 text

Players Perspective

Slide 24

Slide 24 text

Jeopardy
1. Solve as fast and as much as you can
2. Make sure you love puzzles and maths!
3. King of the hill \0/
Attack & Defense
1. Make sure you control your box / server
2. Jail your system
3. Make sure none of the services are running as root
4. Your programming skills in terms of offensive and defensive

Slide 25

Slide 25 text

How do I start my CTF journey?
● You still need the basics if you don't have them!

Slide 26

Slide 26 text

Continue...
● Thousands of write-ups out there to learn from
● Learn from seniors
● Don't be shy
● CTF is almost every week!
○ They even have a calendar for it at CTFtime.org

Slide 27

Slide 27 text

What to prepare?
● You always need to be ready!
● Team work, or you can play alone xD
○ Each team member should have different skills
● If you're on site, make sure to bring your power strip, switch, own internet access, food, and drink (Red Bull recommended)
● Backup everything before someone pwns you
● Make sure you have your own wiki
○ Store everything you have done in the CTF
● Bring your 0-day! Sometimes you need it :)

Slide 28

Slide 28 text

Be clever
● To target the high-profile teams
● To capture others' exploits
● To win some $$$
● Some challenges are almost the same as in other CTFs too
● For some reason, you will always need "Galactus"

Slide 29

Slide 29 text

Things you need to be aware of
● Some teams play CTF just for $$$
● "Things that you haven't seen before!"
● "Seems like complex mathematics"
● "It looks simple but tedious"
● Complex code, e.g. obfuscation, etc.
● "This doesn't seem exploitable"
● "It's damn freaking complicated"
● "That team can solve it much faster"

Slide 30

Slide 30 text

You should avoid
● Scanning the entire network in the game - LAME
● Launching DDoS attacks
● Attacking the scoreserver
● Watching WWE wrestling
● Texting your girlfriend LOL

Slide 31

Slide 31 text

Strategy

Slide 32

Slide 32 text

No content

Slide 33

Slide 33 text

Thank you!

Slide 34

Slide 34 text

We have many things we haven't covered yet! Looking forward :)

Slide 35

Slide 35 text

Things that we have done
● wargames.my 2011
○ Malaysia's first online Capture the Flag competition
○ This is where we got recruited :)
● HITB KUL CTF 2011
○ Jeopardy style
● HITB KUL CTF Competition 2012
○ CTF Weapons of Mass Destruction – Fallout Apocalypse
○ 32 hours non-stop competition
○ CTF Crew 1.0 + CTF Crew 2.0 + CTF Crew 3.0 organized together
● HITB KUL CTF Competition 2013
○ CTF WMD: War of the World
● HITB KUL CTF Competition 2014
○ CTF: Age of Extinction
● HITB GSEC 2016
○ Jeopardy style, collaboration with Facebook Security Team (to introduce their CTF platform)