Slide 1

The Trials and Tribulations of Building Your Own CTF and Shooting Gallery
Topher Timzen, @TTimzen

Slide 2

Disclaimer

ALL CONTENT, OPINIONS, ASSERTIONS, CLAIMS, EXHORTATIONS, DENIALS (or anything else I say or write) ARE MY OWN AND IN NO WAY REPRESENT THE VIEWS OF MY EMPLOYER (or anyone but myself)

Slide 3

#whoami

Topher Timzen
● Red Team at a Fortune 50
  ○ Vulnerability enthusiast
  ○ Causes constructive mischief
● 3 letters of government fun
● Would rather be mountain biking
@TTimzen
https://tophertimzen.com

Slide 4

Agenda

● Why Train Offensively
● CTF
● Shooting Gallery
● Playing, Building, and Deploying Challenges
● Infrastructure and Hosting

Slide 5

Why Train Offensively

Slide 6

Offense [ < | > ] Defense? [ < | > ] != True Security

Training from an offensive standpoint is important for defenders, to know and understand what attackers do
- In “Cyber” they call these Tools, Tactics & Procedures (“TTP”)
- Helps to instill the necessity to write defensive code
- Helps answer:
  - “What to look for in a seemingly endless cloud of logs?”
  - What parts of my app would/could an attacker hit?
Offensive teams knowing what defenders are looking for is also important
- Other talks cover that. This is not that talk.

Slide 7

Capture The Flag (CTF)

Slide 8

CTF

Increasingly popular at security conferences and inside of organizations
Information security competitions in which players solve challenges in order to obtain a “flag”
Demonstrates proficiency or excellence in an area
● Binary exploitation, web exploitation, reverse engineering, forensics, cryptography, programming, etc.
● Organizer’s choice which areas are stressed for a particular event

Slide 9

Types

Jeopardy
● You’ve seen the show
  ○ BSidesPDX CTF this year!
Attack & Defense
● Teams attack each other's services in a contained environment

Slide 10

Boot2root

Exactly as the name suggests: boot a vulnerable machine, and root it!
● Intentionally vulnerable
● Enumeration, Vulnerability Discovery, Access/Exploitation, Privilege Escalation (EVAP)
  ○ Remember the kill chain?
Thanks to Vulnhub for popularizing the term, as well as several other resources
● hackthebox is growing in popularity

Slide 11

Kill Chain

Slide 12

Kill chain
https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf

Slide 13

Kill chain
https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf
Shooting Gallery / boot2root

Slide 14

Shooting Gallery

Slide 15

Shooting Gallery

Internal, isolated playground to practice offensive security techniques
Hosting internally solves problems and barriers to entry
Mentorship capabilities along with internal tracking and monitoring
- Mimic your internal organization for practice!
- Import pre-made vulnerable boxes with skills you want to test or teach!

Slide 16

Shooting Gallery

Reduced overhead, needing only (as a minimum):
● KVM / libvirt
  - Deployment scripts are EASY*.
  - But no, really
● Vagrant
  - If possible, to build your own boxes (Vulnhub is nice to use in Shooting Gallery, although it adds more steps)
● Puppet (or your choice of provisioner)
● OpenVPN
● Internal builds for your organization

Slide 17

Shooting Gallery Topology

OpenVPN clients are given an IP in 192.168.5.0/23 on connection to 192.168.1.3 (the OpenVPN server)
Vulnerable hosts are in 192.168.3.0/23

Slide 18

Then What?

Restart service for vulnerable VMs inside the tunnel
- PWK/OSCP method for shared vulnerable target management
- Restart service in tunnel
- API endpoint on hosting infrastructure to ‘virsh snapshot-revert’ or ‘virsh reboot’
- Easy to prevent malplay. Run on virtual interfaces.
Leaderboard
- CTFd (what BSidesPDX CTF is using this year)
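One way to build the restart endpoint from this slide against the topology of the previous one, as an added example (not code from the talk or from the shooting-gallery-infrastructure repository): requests are accepted only from the VPN client range, only allowlisted libvirt domain names sitting in the target range are ever handed to virsh, and each domain gets a cooldown so players cannot hammer reverts. The domain names, their addresses and the 60-second cooldown are assumptions; the subnets are the ones on the topology slide.

```python
import ipaddress
import subprocess
import time

# Topology subnets from the slides; strict=False because the /23s are written
# with host bits set (192.168.5.0/23 covers 192.168.4.0-192.168.5.255).
VPN_CLIENTS = ipaddress.ip_network("192.168.5.0/23", strict=False)
TARGETS = ipaddress.ip_network("192.168.3.0/23", strict=False)
# Allowlist of libvirt domains players may touch; names and addresses are
# constructed placeholders, not the talk's real hosts.
DOMAINS = {"box-web-01": "192.168.3.10", "box-ad-01": "192.168.3.11"}
ACTIONS = {"revert": ["snapshot-revert", "--current"], "reboot": ["reboot"]}
COOLDOWN = 60  # seconds between actions on one domain, to limit malplay

def virsh_argv(domain, action):
    """Build the virsh command; 'revert' returns to the current snapshot."""
    return ["virsh", *ACTIONS[action], domain]

def reject_reason(client_ip, domain, action):
    """None if the request may proceed, else a short reason for the log."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "malformed client address"
    if addr not in VPN_CLIENTS:
        return "caller is not in the VPN client range"
    if domain not in DOMAINS:  # never pass free-form names to virsh
        return "domain is not allowlisted"
    if ipaddress.ip_address(DOMAINS[domain]) not in TARGETS:
        return "domain is not a target host"  # catches allowlist mistakes
    if action not in ACTIONS:
        return "unknown action"
    return None

class RestartService:
    """Per-domain cooldown; `run` and `clock` are injectable for testing."""
    def __init__(self, run=subprocess.run, clock=time.monotonic):
        self._run, self._clock, self._last = run, clock, {}

    def request(self, client_ip, domain, action):
        """Return 'ok', 'cooldown', or the rejection reason."""
        reason = reject_reason(client_ip, domain, action)
        if reason:
            return reason
        now = self._clock()
        if domain in self._last and now - self._last[domain] < COOLDOWN:
            return "cooldown"
        self._last[domain] = now
        self._run(virsh_argv(domain, action), check=True)
        return "ok"
```

Binding the HTTP side of this to the OpenVPN tunnel interface only (the slide's "run on virtual interfaces") keeps it unreachable from the target hosts themselves.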

Slide 19

Show me the Source!

Deployment of VMs into KVM, OpenVPN configuration, barebone restart service
Pending approval from my employer
● https://github.com/tophertimzen/shooting-gallery-infrastructure

Slide 20

Playing, Building, and Deploying Challenges

Slide 21

Participating

Just do it!
Baby’s first challenges are really great for starting!
Some CTF events target beginners
● BSidesPDX!
https://ctftime.org shows a ton of CTFs happening all over the world
https://trailofbits.github.io/ctf/
https://github.com/apsdehal/awesome-ctf

Slide 22

Creating

You do not have to be a good developer; the intention is to hack your code!
Write a challenge (boot2root, binary, web, more) you would want to solve and send it to friends, tweet it, etc.
See what other people write for challenges and get inspiration
● CTF content creators should open source their work! Write-ups are aplenty, not a lot of challenge source!
● Pwn 100 and Pwn 200 for BSidesPDX CTF this year are spinoffs of other challenges
  ○ As well as the initial concept for infra! Thanks BSidesSF!

Slide 23

Creating

Open sourcing challenge concepts and source is useful to move BSides and CTF forward
A base reference implementation on building CTF and infra saves time
● Shout out to BSidesSF!
Get involved with an organizer of a CTF!
● We are open sourcing our CTF at https://github.com/BSidesPDX/CTF-2017
● Talk to me about being involved next year!

Slide 24

Infrastructure and Hosting

This is the painful part and could be a talk in and of itself
VMs
● First CTF I organized, we gave people “.ova” machines
Shooting Gallery concept
● Self-contained, automated infrastructure
Docker / Kubernetes
● Hosting this and last year’s BSidesPDX CTF

Slide 25

Resources

● Vito_lbs has been blogging about @LegitBS_CTF
● https://www.reddit.com/r/securityCTF/comments/1ntoue/what_does_the_infrastructure_of_various_ctfs_look/
  ○ 4 years old, but helpful. Perhaps worth revisiting and forming a discussion.
● https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0
  ○ Like anything, CTFs need an attack model. What are you giving to the competitors? Is there accepted risk anywhere?
    ■ We used k8s for BSidesPDX this year; we had to solve problems.

Slide 26

Overlay

Slide 27

Come play CTF!

Event room
https://bsidespdxctf.party/
https://bsidespdx.org/events/2017/ctf.html
Help us organize next year’s!

Slide 28

Conclusion

Offensive skills help defenders
Defensive skills help offense
CTF is a good way to challenge yourself and grow skills
Deploy a Shooting Gallery in your organization
Go forth and Hack The ______!
Deployment scripts will be on GitHub pending approval from my employer. @TTimzen will tweet out links when published.

Slide 29

Thanks

Could not have done the CTF this year without my team
Challenges: @pwnpnw
Infra: @yalam96 @andrewkrug @mozilla

Slide 30

EOF