Slide 1

Slide 1 text

Building DEF CON CTF with Ruby

Slide 2

Slide 2 text

Hello
Vito Genovese
@vito_lbs
[email protected]

Slide 3

Slide 3 text

Building DEF CON CTF
• DEF CON and CTF
• Team building
• Qualifications
• Finals

Slide 4

Slide 4 text

What is DEF CON?
“DEF CON is one of the oldest continuous running hacker conventions around, and also one of the largest.” - DEF CON FAQ

Slide 5

Slide 5 text

What is DEF CON?
“Black Hat… is more the university… DEF CON is the fraternity party.” - USA Today, “Suits and punks convene in Las Vegas for hacker conferences,” Aug. 1, 2006

Slide 6

Slide 6 text

What is DEF CON?

Slide 7

Slide 7 text

What is DEF CON?

Slide 8

Slide 8 text

What is CTF? (Capture The Flag)

Slide 9

Slide 9 text

Jeopardy-Style CTF
• Pick a problem
• Hack it
• Get points

Slide 10

Slide 10 text

Attack-Defense CTF
Attack:
1. Hack services
2. Steal tokens every round
3. Get points
Defense:
1. Patch services
2. Pass SLA checks
3. Don’t lose points

Slide 11

Slide 11 text

Competing in CTF
• Build a team
• Get really good at assembly
• Get good at web vulns and crypto too
• Compete and solve problems
• Write up solutions

Slide 12

Slide 12 text

Competing in CTF

Slide 13

Slide 13 text

Sample Challenges
http://hypeman.shallweplayaga.me
http://worsemedicine.shallweplayaga.me

Slide 14

Slide 14 text

Hour 30

Slide 15

Slide 15 text

Building DEF CON CTF
• DEF CON and CTF
• Team building
• Qualifications
• Finals

Slide 16

Slide 16 text

Team Building
“Dark Tangent is looking for new CTF organizers, want to help write a proposal?”

Slide 17

Slide 17 text

Team Building
Software vulnerability experts
Hardware engineers
Network ops deity
Web application generalist

Slide 18

Slide 18 text

Team Building
• Opinionated smart people
• That need to work together
• On a software project with dozens of moving parts
• On a very public stage
• With immovable deadlines

Slide 19

Slide 19 text

Team Building
Always have an exit strategy

Slide 20

Slide 20 text

Building DEF CON CTF
• DEF CON and CTF
• Team building
• Qualifications
• Finals

Slide 21

Slide 21 text

Qualifications
“Quals”

Slide 22

Slide 22 text

Quals
“Jeopardy-style”
Self-contained questions
Open entry
48 hours over a weekend

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

Quals Scoreboard
Rails
Unicorn
Heroku
1GB Dynos, $50/month
Postgres

Slide 25

Slide 25 text

Quals Scoreboard
No Redis
No memcached

Slide 26

Slide 26 text

Quals Scoreboard
No push
Only polling

Slide 27

Slide 27 text

Quals Scoreboard

Slide 28

Slide 28 text

Quals Scoreboard

Slide 29

Slide 29 text

Quals Scoreboard
Game Start
Adjusting dynos

Slide 30

Slide 30 text

Quals Challenges
• Sinatra
• PHP
• Python
• x86
• Golang
• ARM

Slide 31

Slide 31 text

Sinatra
Used Heroku
It ruled

Slide 32

Slide 32 text

PHP, Python, x86, Golang
EC2
Started with Micro
Upgraded to Large

Slide 33

Slide 33 text

PHP, Python, x86, Golang
Never use Micro instances

Slide 34

Slide 34 text

PHP, Python, x86, Golang
Sometimes you get DoS’d

Slide 35

Slide 35 text

ARM Challenges

Slide 36

Slide 36 text

Quals Problems
I slept… through a part where we had to edit a question and put something on S3.

Slide 37

Slide 37 text

Quals Problems
Some challenges weren’t ready until halfway through the game

Slide 38

Slide 38 text

https://twitter.com/roman_soft/status/346325078369263616

Slide 39

Slide 39 text

Quals
• IRC and Twitter: invaluable
• Have a reset password flow
• Don’t forget public views
• Fight bus numbers

Slide 40

Slide 40 text

Building DEF CON CTF
• DEF CON and CTF
• Team building
• Qualifications
• Finals

Slide 41

Slide 41 text

Finals OMG

Slide 42

Slide 42 text

No content

Slide 43

Slide 43 text

Finals
http://www.cnbc.com/id/101179977

Slide 44

Slide 44 text

Finals

Slide 45

Slide 45 text

Finals

Slide 46

Slide 46 text

Finals
Twenty Teams
Twenty Servers
One Network

Slide 47

Slide 47 text

Finals
• Attack-defense style
• Teams get a server running services
• Find vulnerabilities in services
• Patch own vulnerabilities
• Exploit vulnerabilities on other teams

Slide 48

Slide 48 text

Finals Scoring
Fifty-thousand flags
Five-minute rounds
Tokens from services redeemed for flags
Flags lost when stolen and for downtime
Zero-sum for game theory reasons

Slide 49

Slide 49 text

Finals Scoreboard
Rails, Apache, Passenger, Postgres
Ubuntu on Mac Mini
HTTPS Client Certificates
Kibana (Logstash, Elasticsearch)
No push, no polling, just meta refresh

Slide 50

Slide 50 text

Finals Scoreboard
Client certs rule
No password resets
No hacking, no sniffing
Twenty CDs of certs and keys… eh

Slide 51

Slide 51 text

Kibana

Slide 52

Slide 52 text

No content

Slide 53

Slide 53 text

No content

Slide 54

Slide 54 text

Kibana
Log Everything

Slide 55

Slide 55 text

Tokens and Uptime
Console Ruby script
Restartable in a sensible fashion
Use Postgres and wall clock time as state
Save immediately, don’t queue

Slide 56

Slide 56 text

Tokens and Uptime
Two weeks prior: “I’m just going to call a shell script, everyone else write your own uptime checker.”

Slide 57

Slide 57 text

Tokens and Uptime
Three hours in: “Uh, how do we make these shell scripts time out?”

Slide 58

Slide 58 text

Tokens and Uptime
Ten hours in: “We should run these in parallel.”

Slide 59

Slide 59 text

Tokens and Uptime
Sixteen hours in: “Huh, some team is puking binary out.”
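The uptime console these four slides describe by its failure modes, written here as an added example rather than the organizers' own Ruby script: every checker command gets a hard timeout (the three-hour problem), the checks run in parallel threads (the ten-hour problem), output is reduced to printable ASCII before it reaches the console or the database (the sixteen-hour problem), each row goes to a save callback the moment it exists, and the round number comes from the wall clock so a restart needs no saved state. The timeout value, row layout and the hypothetical `save` callback are assumptions.

```ruby
CHECK_TIMEOUT = 2    # seconds before a hung checker is killed (assumed value)
ROUND_SECONDS = 300  # five-minute rounds, as on the Finals Scoring slide

# Round number from the wall clock, so a restarted console needs no saved state.
def current_round(now = Time.now)
  now.to_i / ROUND_SECONDS
end
# Run one checker command with a hard timeout. The child gets its own process
# group so a shell wrapper and anything it spawned are killed together.
# Returns [Process::Status, raw bytes]; status is nil when the check timed out.
def run_check(cmd, timeout: CHECK_TIMEOUT)
  reader, writer = IO.pipe
  pid = Process.spawn(cmd, out: writer, err: writer, pgroup: true)
  writer.close                      # parent keeps only the read end
  collector = Thread.new { reader.read.b }
  deadline = Time.now + timeout
  status = nil
  until (status = Process.wait2(pid, Process::WNOHANG)&.last)
    if Time.now > deadline
      begin; Process.kill('KILL', -pid); rescue Errno::ESRCH; end
      Process.wait(pid)             # reap; status stays nil to mean timeout
      break
    end
    sleep 0.02
  end
  raw = collector.value
  reader.close
  [status, raw]
end

# Teams can write arbitrary bytes back; keep printable ASCII only, capped.
def sanitize(bytes, max = 120)
  bytes.b.chomp.tr("^ -~", '?')[0, max]
end

# One check as a row ready to be saved on the spot.
def check_service(team, service, cmd)
  status, raw = run_check(cmd)
  { round: current_round, team: team, service: service,
    up: !status.nil? && status.success?,
    reason: status.nil? ? 'timeout' : "exit #{status.exitstatus}",
    output: sanitize(raw), checked_at: Time.now.utc.to_s }
end
# All checkers in parallel, one thread each; each row goes to `save` as soon as
# it exists instead of being queued until the round ends.
def check_all(checks, &save)
  checks.map { |team, service, cmd|
    Thread.new { row = check_service(team, service, cmd); save.call(row); row }
  }.map(&:value)
end
```

Call `check_all` with `[team, service, command]` triples and a block that writes each row to the database; a checker that hangs is reported as down after `CHECK_TIMEOUT` seconds instead of stalling the round.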

Slide 60

Slide 60 text

Finals Problems
Teams could score on themselves

Slide 61

Slide 61 text

Finals Problems
Flags didn’t get redistributed correctly
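A toy flag ledger for the zero-sum scoring model on the Finals Scoring slide, added here as an example (not the real scoreboard code) to show the two Finals Problems above as invariant violations: a self-redemption check closes the self-scoring hole, and carrying the integer remainder of a split into a house pool keeps the fifty-thousand total intact, since a dropped remainder is one way flags silently vanish during redistribution. Team names, per-token and downtime amounts and the pool itself are assumptions; the slides do not give the real amounts.

```ruby
TOTAL_FLAGS = 50_000  # from the Finals Scoring slide

class FlagLedger
  attr_reader :flags

  # Deal flags out evenly; the remainder sits in a house pool so the total
  # is exactly TOTAL_FLAGS from round one (a per-team floor would lose some).
  def initialize(teams, total = TOTAL_FLAGS)
    @total = total
    share = total / teams.size
    @flags = teams.map { |t| [t, share] }.to_h
    @flags[:pool] = total - share * teams.size
  end

  # A token stolen from `victim` and redeemed by `attacker` moves `amount`
  # flags across. Rejecting attacker == victim closes the self-scoring hole.
  def redeem(attacker, victim, amount)
    raise ArgumentError, 'a team cannot score on itself' if attacker == victim
    moved = [amount, @flags.fetch(victim)].min
    @flags[victim] -= moved
    @flags[attacker] += moved
    moved
  end

  # Downtime: `down` loses `amount`, split evenly across the teams that passed
  # their checks. The integer remainder has to land somewhere (the pool here);
  # dropping it is how flags quietly disappear between rounds.
  def downtime(down, amount, up_teams)
    lost = [amount, @flags.fetch(down)].min
    @flags[down] -= lost
    each = up_teams.empty? ? 0 : lost / up_teams.size
    up_teams.each { |t| @flags[t] += each }
    @flags[:pool] += lost - each * up_teams.size
    lost
  end

  # The zero-sum invariant the console should assert after every round.
  def consistent?
    @flags.values.sum == @total
  end
end
```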

Slide 62

Slide 62 text

Finals Problems
Have a better way to find issues than rails console, SQL, and log queries

Slide 63

Slide 63 text

No content

Slide 64

Slide 64 text

Finals Problems
API Documentation

Slide 65

Slide 65 text

Finals Problems
Life’s easy when you have 160 users and they’re all right there

Slide 66

Slide 66 text

Finals Team Boxes

Slide 67

Slide 67 text

Finals Team Boxes
Services run as dedicated users
Teams have sudo to service
No root

Slide 68

Slide 68 text

No content

Slide 69

Slide 69 text

Finals Lessons
Scheduled downtime is the best

Slide 70

Slide 70 text

Building DEF CON CTF
• DEF CON and CTF
• Team building
• Qualifications
• Finals

Slide 71

Slide 71 text

Lessons
Stuff will break

Slide 72

Slide 72 text

Lessons
Own your mistakes

Slide 73

Slide 73 text

Lessons
Fight scope creep

Slide 74

Slide 74 text

Lessons
JFDI

Slide 75

Slide 75 text

Thanks
Vito Genovese
@vito_lbs
[email protected]
https://legitbs.net
http://bit.ly/br-ctf

Slide 76

Slide 76 text

Bonus Slides

Slide 77

Slide 77 text

DEF CON and Jeopardy

Slide 78

Slide 78 text

Quals Expenses
What        How much
Heroku      $126
AWS         $138
Cloudflare  $20
Whisky      $340

Slide 79

Slide 79 text

Finals Services
ARM binaries
ASLR, NX bit, some PIE

Slide 80

Slide 80 text

Finals Services
Release new services
Update existing services

Slide 81

Slide 81 text

Finals Team Boxes
Boot from MicroSD
Start container from iSCSI