Slide 1

Slide 1 text

A History of the BSidesPDX CTF @TTimzen

Slide 2

Slide 2 text

Agenda
● Whoami
● Intro to CTF
● A walk down memory lane
● New ideas and inspiration
● CTF Infrastructure
● DEMO
● Call to action
● EOF

Slide 3

Slide 3 text

Whoami
Topher Timzen (@TTimzen)
C# Malware is <3
Principal Vulnerability Enthusiast
Red Team at Oracle Cloud Infrastructure
Would rather be on 70000 Tons of Metal

Slide 4

Slide 4 text

Intro to CTF

Slide 5

Slide 5 text

CTF
Increasingly popular at security conferences and inside of organizations
Information Security Competitions in which players solve challenges in order to obtain a “flag”
Demonstrates proficiency or excellence in an area
● Binary exploitation, web exploitation, reverse engineering, forensics, cryptography, programming, etc.
● Organizers choose which areas are stressed for a particular event

Slide 6

Slide 6 text

Types
Jeopardy
● You’ve seen the show
○ BSidesPDX CTF this year!
Attack & Defense
● Teams attack each other's services in a contained environment

Slide 7

Slide 7 text

BSidesPDX CTF
Unlike CTFs at other conferences, ours is not meant to be intimidating, and there are some challenges that any attendee should be able to solve! Come and learn some new skills or freshen up on some of the basics, which are easily forgotten.

Slide 8

Slide 8 text

A walk down memory lane

Slide 9

Slide 9 text

BSidesPDX CTF 2015
Sasquatch CTF!
Live deployment of a web store was hacked and much $ cat flag

Slide 10

Slide 10 text

BSidesPDX CTF 2016
CWE Top 25
- Single binaries targeting MITRE CWE Top 25
- Web excluded
- 3 web challenges, full end to end boot2root scenarios
Hosted on CTF Platform

Slide 11

Slide 11 text

BSidesPDX CTF 2017
16 challenges across 4 domains
● Web exploitation
● Binary exploitation
● Shellcoding
● Reverse Engineering
Hosted on BSidesPDX CTF Platform

Slide 12

Slide 12 text

BSidesPDX OMSI CTF 2018
Ran at OMSI Portland Mini Maker Faire
6 challenges across 3 domains
● Binary exploitation
● Reverse Engineering
● Web
Hosted on BSidesPDX CTF Platform

Slide 13

Slide 13 text

BSidesPDX CTF 2018
12 challenges across 4 domains
● Web exploitation
● Binary exploitation/Reverse Engineering
● OSINT
● Forensics
Hosted on BSidesPDX CTF Platform

Slide 14

Slide 14 text

BSidesPDX CTF 2019
Sometime in like October…. or something

Slide 15

Slide 15 text

BSidesPDX CTF Metrics
2017 - 62 players, 41 unique solves, 13 teams solved at least one challenge
2018 - 89 players, 70 unique solves, 26 teams solved at least one challenge

Slide 16

Slide 16 text

New ideas and inspiration

Slide 17

Slide 17 text

CTF Infrastructure

Slide 18

Slide 18 text

BSidesPDX CTF Infra
Infrastructure overview
● Kubernetes in AWS via Amazon EKS
● Network policies to restrict pod network access
● kube2iam to provide restricted IAM roles to pods
● Disabled ServiceAccount token mount inside pods
● RBAC enabled
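
How the three pod-level controls on this slide are typically expressed in Kubernetes manifests, as an added example that is not taken from the BSidesPDX repositories. The namespace, challenge name, port, role name and image are hypothetical placeholders; RBAC and the EKS cluster setup are not shown.

```yaml
# Added example; ctf-challenges, web100, port 8080 and the role name are hypothetical.
# Default deny: selects every pod in the namespace and allows no ingress or
# egress until a narrower policy opens something.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: ctf-challenges
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Players may reach the challenge on its service port only; egress stays closed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web100-allow-ingress
  namespace: ctf-challenges
spec:
  podSelector:
    matchLabels:
      app: web100
  policyTypes: [Ingress]
  ingress:
    - ports:
        - protocol: TCP
          port: 8080
---
apiVersion: v1
kind: Pod
metadata:
  name: web100
  namespace: ctf-challenges
  labels:
    app: web100
  annotations:
    # kube2iam reads this annotation and hands the pod credentials for this role only.
    iam.amazonaws.com/role: ctf-web100-restricted   # placeholder role name
spec:
  # No API token is mounted, so a compromised challenge container cannot
  # authenticate to the Kubernetes API as its ServiceAccount.
  automountServiceAccountToken: false
  containers:
    - name: web100
      image: registry.example/ctf/web100:latest     # placeholder image
      ports:
        - containerPort: 8080
```

NetworkPolicy objects only take effect when the cluster's network plugin enforces them, so the default-deny policy should be verified from inside a test pod before challenges go live.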

Slide 19

Slide 19 text

BSidesPDX Local CTF Infra
Docker with compose!
1. sudo apt install gcc-multilib gcc-mipsel-linux-gnu gcc-arm-linux-gnueabi g++-multilib linux-libc-dev:i386
2. make
3. docker-compose build && docker-compose up -d
4. Containers are viewable at localhost:PORT (view with docker-compose ps)
5. docker-compose kill to stop the containers
6. make clean to clean the source folders

Slide 20

Slide 20 text

DEMO

Slide 21

Slide 21 text

Call To Action

Slide 22

Slide 22 text

Creating
You do not have to be a good developer, the intention is to hack your code!
Write a challenge (boot2root, binary, web, more) you would want to solve and send it to friends, tweet it, etc.
See what other people write for challenges and get inspiration
● CTF content creators should open source their work! Write-ups are aplenty, not a lot of challenge source!
● Pwn 100 and Pwn 200 for the 2018 BSidesPDX CTF are spinoffs of other challenges
○ As well as the initial concept for infra! Thanks BSidesSF!

Slide 23

Slide 23 text

Creating
Open sourcing challenge concepts and source is useful to move BSides and CTF forward
Base reference implementation on building CTF and infra saves time
● Shout out to BSidesSF!
Get involved with an organizer of a CTF!
● We open source ours!!!
● Talk to me about being involved next year!

Slide 24

Slide 24 text

CTF Thanks
Could not have done the CTF any of these years without awesome people
● fdcarl
● aagallag
● dade
● Arinerron
● Jessemichael
● Pwnpnw
● Yalam96
● Andrewkrug
● Many more . . . .

Slide 25

Slide 25 text

BSidesPDX CTF
All challenges are open sourced!!!!
● https://github.com/BSidesPDX
○ https://github.com/BSidesPDX/CTF-2018
○ https://github.com/BSidesPDX/OMSI-CTF-2018
○ https://github.com/BSidesPDX/CTF-2017
Want to be involved next year? Planning? Challenge writing? Infra?
● @TTimzen
