A History of the BSidesPDX CTF

Topher Timzen
April 24, 2019

This presentation summarizes the BSidesPDX CTF over the last 4 years. This presentation was given on the first PDX Hack Boat!

Transcript

  1. A History of the BSidesPDX CTF
    @TTimzen

  2. Agenda
    ● Whoami
    ● Intro to CTF
    ● A walk down memory lane
    ● New ideas and inspiration
    ● CTF Infrastructure
    ● DEMO
    ● Call to action
    ● EOF

  3. Topher Timzen (@TTimzen)
    C# Malware is <3
    Principle Vulnerability Enthusiast
    Red Team at Oracle Cloud Infrastructure
    Would rather be on 70000 Tons of Metal
    Whoami

  4. Intro to CTF

  5. CTF
    Increasingly popular at security conferences and inside of organizations
    Information Security Competitions in which players solve challenges in
    order to obtain a “flag”
    Demonstrates proficiency or excellence in an area
    ● Binary exploitation, web exploitation, reverse engineering, forensics,
    cryptography, programming, etc.
    ● Organizers choose which areas are stressed for a particular event

  6. Types
    Jeopardy
    ● You’ve seen the show
    ○ BSidesPDX CTF this year!
    Attack & Defense
    ● Teams attack each other's services in a contained environment

  7. BSidesPDX CTF
    Unlike CTFs at other conferences ours is not meant to be
    intimidating and there are some challenges that any attendee
    should be able to solve! Come and learn some new skills or
    freshen up on some of the basics, which are easily forgotten.

  8. A walk down memory lane

  9. Sasquatch CTF!
    Live deployment of a web store was hacked and much $ cat flag
    BSidesPDX CTF 2015

  10. BSidesPDX CTF 2016
    CWE Top 25
    - Single binaries targeting MITRE CWE Top 25
    - Web excluded
    - 3 web challenges, full end to end boot2root scenarios
    Hosted on CTF Platform

  11. BSidesPDX CTF 2017
    16 challenges across 4 domains
    ● Web exploitation
    ● Binary exploitation
    ● Shellcoding
    ● Reverse Engineering
    Hosted on BSidesPDX CTF Platform

  12. BSidesPDX OMSI CTF 2018
    Ran at OMSI Portland Mini Maker Faire
    6 challenges across 3 domains
    ● Binary exploitation
    ● Reverse Engineering
    ● Web
    Hosted on BSidesPDX CTF Platform

  13. BSidesPDX CTF 2018
    12 challenges across 4 domains
    ● Web exploitation
    ● Binary exploitation/Reverse Engineering
    ● OSINT
    ● Forensics
    Hosted on BSidesPDX CTF Platform

  14. BSidesPDX CTF 2019
    Sometime in like October….
    or something

  15. BSidesPDX CTF Metrics
    2017 - 62 players, 41 unique solves, 13 teams
    solved at least one challenge
    2018 - 89 players, 70 unique solves, 26 teams
    solved at least one challenge

  16. New ideas and inspiration

  17. CTF Infrastructure

  18. BSidesPDX CTF Infra
    Infrastructure overview
    ● Kubernetes in AWS via Amazon EKS
    ● Network policies to restrict pod network access
    ● kube2iam to provide restricted IAM roles to pods
    ● Disabled ServiceAccount token mount inside pods
    ● RBAC enabled
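
A minimal set of manifests showing how the network policy, kube2iam and ServiceAccount token bullets above can look in practice. This is an added example, not the BSidesPDX configuration; the namespace, pod name, role name, image and port are hypothetical.

```yaml
# Added example: the ctf namespace, web100, the role and the image are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: ctf
  annotations:
    # kube2iam (run with --namespace-restrictions): roles pods here may assume
    iam.amazonaws.com/allowed-roles: '["ctf-web100-role"]'
---
# Default deny: selects every pod in the namespace, allows no ingress or egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: ctf
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Re-open only the challenge port so players can reach the service.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web100-allow-players
  namespace: ctf
spec:
  podSelector:
    matchLabels: {app: web100}
  policyTypes: ["Ingress"]
  ingress:
    - ports:
        - {protocol: TCP, port: 8080}
---
apiVersion: v1
kind: Pod
metadata:
  name: web100
  namespace: ctf
  labels: {app: web100}
  annotations:
    # kube2iam hands this pod credentials for this role only
    iam.amazonaws.com/role: ctf-web100-role
spec:
  # No API token is mounted under /var/run/secrets/kubernetes.io/serviceaccount
  automountServiceAccountToken: false
  containers:
    - name: web100
      image: registry.example/ctf/web100:placeholder
      ports:
        - containerPort: 8080
```

NetworkPolicy objects are only enforced when the cluster runs a network plugin that implements them, so a compromised challenge pod should be tested for egress after the policies are applied.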

  19. BSidesPDX Local CTF Infra
    Docker with compose!
    1. sudo apt install gcc-multilib gcc-mipsel-linux-gnu gcc-arm-linux-gnueabi g++-multilib linux-libc-dev:i386
    2. make
    3. docker-compose build && docker-compose up -d
    4. Containers are viewable at localhost:PORT (view with docker-compose ps)
    5. docker-compose kill to stop the containers
    6. make clean to clean the source folders

  20. DEMO

  21. Call To Action

  22. Creating
    You do not have to be a good developer, the intention is to hack your code!
    Write a challenge (boot2root, binary, web, more) you would want to solve and
    send it to friends, tweet it, etc
    See what other people write for challenges and get inspiration
    ● CTF content creators should open source their work! Write-ups are aplenty,
    not a lot of challenge source!
    ● Pwn 100 and Pwn 200 for the 2018 BSidesPDX CTF are spinoffs of other
    challenges
    ○ As well as the initial concept for infra! Thanks BSidesSF!

  23. Creating
    Open sourcing challenge concepts and source is useful to move
    BSides and CTF forward
    Base reference implementation on building CTF and infra saves
    time
    ● Shout out to BSidesSF!
    Get involved with an organizer of a CTF!
    ● We open source ours!!!
    ● Talk to me about being involved next year!

  24. CTF Thanks
    Could not have done the CTF any of these years without awesome people
    ● fdcarl
    ● aagallag
    ● dade
    ● Arinerron
    ● Jessemichael
    ● Pwnpnw
    ● Yalam96
    ● Andrewkrug
    ● Many more . . . .

  25. All challenges are open sourced!!!!
    ● https://github.com/BSidesPDX
    ○ https://github.com/BSidesPDX/CTF-2018
    ○ https://github.com/BSidesPDX/OMSI-CTF-2018
    ○ https://github.com/BSidesPDX/CTF-2017
    Want to be involved next year? Planning? Challenge writing? Infra?
    ● @TTimzen
    BSidesPDX CTF
