The Trials and Tribulations of Building Your Own CTF and Shooting Gallery

Transcript

1. The Trials and Tribulations of Building Your Own CTF and

   Shooting Gallery Topher Timzen @TTimzen

2. Disclaimer ALL CONTENT, OPINIONS, ASSERTIONS, CLAIMS, EXHORTATIONS, DENIALS (or anything

   else I say or write) ARE MY OWN AND IN NO WAY REPRESENT THE VIEWS OF MY EMPLOYER (or anyone but myself)

3. #whoami Topher Timzen • Red Team at a Fortune 50

   ◦ Vulnerability Enthusiast ◦ Causes constructive mischief • 3 letters of government fun • Would rather be mountain biking @TTimzen https://tophertimzen.com

4. Agenda Why Train Offensively CTF Shooting Gallery Playing, Building, and

   Deploying Challenges Infrastructure and Hosting

5. Why Train Offensively

6. Offense [ < | > ] Defense? [ < |

   > ] != True Security Training from an offensive standpoint is important for defenders to know and understand what attackers do - In “Cyber” they call these Tools, Tactics & Procedures (“TTP”) - Helps to instill the necessity to write defensive code - Helps answer: - “What to look for in a seemingly endless cloud of logs?” - What parts of my app would/could an attacker hit Offensive teams knowing what defenders are looking for is also important - Other talks cover that. This is not that talk.

7. Capture The Flag (CTF)

8. CTF Increasingly popular at security conferences and inside of organizations

   Information Security Competitions in which players solve challenges in order to obtain a “flag” Demonstrates proficiency or excellence in an area • Binary exploitation, web exploitation, reverse engineering, forensics, cryptography, programming, etc. • Organizers choice which areas are stressed for a particular event

9. Types Jeopardy • You’ve seen the show ◦ BSidesPDX CTF

   this year! Attack & Defense • Teams attack each other's services in a contained environment

10. Boot2root Exactly as the name suggests Boot a vulnerable machine,

    and root it! • Intentionally vulnerable • Enumeration, Vulnerability Discovery, Access/Exploitation, Privilege Escalation (EVAP) ◦ Remember the killchain? Thanks to Vulnhub for popularizing the term, as well as several other resources • hackthebox is growing in popularity

11. Kill Chain

12. Kill chain https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf

13. Kill chain https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf Shooting Gallery / boot2root

14. Shooting Gallery

15. Shooting Gallery Internal isolated playing ground to practice offensive security

    techniques Hosting internally solves problems and barriers to entry Mentorship capabilities along with internal tracking and monitoring - Mimic your internal organization for practice! - Import pre-made vulnerable boxes with skills you want to test or teach!

16. Shooting Gallery Reduced Overhead needing only (as a minimum) KVM

    / Libvirt - Deployment Scripts are EASY*. - But no, really Vagrant - If possible to build your own boxes (Vulnhub is nice to use in Shooting Gallery, although adds more steps) Puppet (Or your choice of provisioner) OpenVPN Internal Builds for your organization

17. Shooting Gallery Topology openVPN clients given IP in 192.168.5.0/23 from

    connection to 192.168.1.3 (openVPN server) Vulnerable hosts in 192.168.3.0/23

18. Then What? Restart Service for vulnerable VMs inside tunnel -

    PWK/OSCP method for shared vulnerable target management - Restart service in tunnel - API endpoint on hosting infrastructure to ‘virsh snapshot-revert’ or ‘virsh reboot’ - Easy to prevent malplay. Run on virtual interfaces. Leaderboard - CTFd (What BSidesPDX CTF is using this year)

19. Show me the Source! Deployment of VMs into KVM, OpenVPN

    Configuration, Barebone Restart Service Pending approval from my employer • https://github.com/tophertimzen/shooting-gallery-infrastructure

20. Playing, Building, and Deploying Challenges

21. Participating Just do it! Babies first challenges are really great

    for starting! Some CTF events target beginners • BSidesPDX! https://ctftime.org shows a ton of CTFs happening all over the world https://trailofbits.github.io/ctf/ https://github.com/apsdehal/awesome-ctf

22. Creating You do not have to be a good developer,

    the intention is to hack your code! Write a challenge (boot2root, binary, web, more) you would want to solve and send it to friends, tweet it, etc See what other people write for challenges and get inspiration • CTF content creators should open source their work! Write-ups are aplenty, not a lot of challenge source! • Pwn 100 and Pwn 200 for BSidesPDX CTF this year are spinoffs of other challenges ◦ As well as the initial concept for infra! Thanks BSidesSF!

23. Creating Open sourcing challenge concepts and source is useful to

    move BSides and CTF forward Base reference implementation on building CTF and infra saves time • Shout out to BSidesSF! Get involved with an organizer of a CTF! • We are open sourcing our CTF at https://github.com/BSidesPDX/CTF-2017 • Talk to me about being involved next year!

24. Infrastructure and Hosting This is the painful part and could

    be a talk in and of itself VMS • First CTF I organized we gave people “.ova” machines Shooting Gallery Concept • Self-contained, automated infrastructure Docker / Kubernetes • Hosting this and last years BSidesPDX CTF

25. Resources • Vito_lbs has been blogging about @LegitBS_CTF • https://www.reddit.com/r/securityCTF/comments/1ntoue/what_does_the_infrastructure_of_var

    ious_ctfs_look/ ◦ 4 years old, but helpful. Perhaps worth revisiting and forming a discussion. • https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-35 70b99b4dd0 ◦ Like anything, CTFs need an Attack Model. What are you giving to the competitors? Is there accepted risk anywhere? ▪ We used k8s for BSidesPDX this year, we had to solve problems.

26. Overlay

27. Come play CTF! Event room https://bsidespdxctf.party/ https://bsidespdx.org/events/2017/ctf.html Help us organize

    next years!

28. Conclusion Offensive skills help defenders Defensive skills help offense CTF

    is a good way to challenge yourself and grow skills Deploy a Shooting Gallery in your organization Go forth and Hack The ______! Deployment scripts will be on github pending approval from my employer. @TTimzen will tweet out links when published.

29. Thanks Could not have done the CTF this year without

    my team Challenges: @pwnpnw Infra: @yalam96 @andrewkrug @mozilla

30. EOF