The Trials and Tribulations of Building Your Own CTF and Shooting Gallery

It is said that “the best defense is a good offense”, which means organizations and defenders need to think offensively in order to detect and evade threats. A good method for instilling an offensive mindset in defenders is to place them in offensive scenarios. This is where the CTF and Shooting Gallery concepts come into play. By creating an internal shooting gallery in your organization, you have an isolated playground where anyone can practice offensive security techniques. Furthermore, Capture The Flag (CTF) events are becoming increasingly popular at security conferences and inside organizations. Unfortunately, there is a barrier to entry for those who have never played a CTF before, and individuals occasionally feel overwhelmed by all there is to know about participating in, creating or hosting one. Over the last 2 years Topher has put together several CTF events, each hosted in a drastically different way. This talk will cover the basics of building a shooting gallery and CTF challenges, along with hosting and deploying them, in order to increase organizational effectiveness and knowledge.

Topher Timzen

October 21, 2017

Transcript

  1. The Trials and Tribulations
    of Building Your Own CTF
    and Shooting Gallery
    Topher Timzen
    @TTimzen

  2. Disclaimer
    ALL CONTENT, OPINIONS, ASSERTIONS, CLAIMS, EXHORTATIONS,
    DENIALS (or anything else I say or write) ARE MY OWN AND IN NO
    WAY REPRESENT THE VIEWS OF MY EMPLOYER (or anyone but
    myself)

  3. #whoami
    Topher Timzen
    ● Red Team at a Fortune 50
    ○ Vulnerability Enthusiast
    ○ Causes constructive mischief
    ● 3 letters of government fun
    ● Would rather be mountain biking
    @TTimzen
    https://tophertimzen.com

  4. Agenda
    Why Train Offensively
    CTF
    Shooting Gallery
    Playing, Building, and Deploying Challenges
    Infrastructure and Hosting

  5. Why Train Offensively

  6. Offense [ < | > ] Defense?
    [ < | > ] != True
    Security Training from an offensive standpoint is important for defenders to know
    and understand what attackers do
    - In “Cyber” they call these Tools, Tactics & Procedures (“TTP”)
    - Helps to instill the necessity to write defensive code
    - Helps answer:
    - “What to look for in a seemingly endless cloud of logs?”
    - What parts of my app would/could an attacker hit
    Offensive teams knowing what defenders are looking for is also important
    - Other talks cover that. This is not that talk.

  7. Capture The Flag (CTF)

  8. CTF
    Increasingly popular at security conferences and inside of organizations
    Information Security Competitions in which players solve challenges in order to
    obtain a “flag”
    Demonstrates proficiency or excellence in an area
    ● Binary exploitation, web exploitation, reverse engineering, forensics,
    cryptography, programming, etc.
    ● Organizer's choice of which areas are stressed for a particular event

  9. Types
    Jeopardy
    ● You’ve seen the show
    ○ BSidesPDX CTF this year!
    Attack & Defense
    ● Teams attack each other's services in a contained environment

  10. Boot2root
    Exactly as the name suggests
    Boot a vulnerable machine, and root it!
    ● Intentionally vulnerable
    ● Enumeration, Vulnerability Discovery, Access/Exploitation, Privilege Escalation (EVAP)
    ○ Remember the killchain?
    Thanks to Vulnhub for popularizing the term, as well as several other resources
    ● hackthebox is growing in popularity

  11. Kill Chain

  12. Kill chain
    https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf

  13. Kill chain
    https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf
    Shooting Gallery / boot2root

  14. Shooting Gallery

  15. Shooting Gallery
    Internal isolated playing ground to practice offensive security techniques
    Hosting internally solves problems and barriers to entry
    Mentorship capabilities along with internal tracking and monitoring
    - Mimic your internal organization for practice!
    - Import pre-made vulnerable boxes with skills you want to test or teach!

  16. Shooting Gallery
    Reduced overhead, needing only (as a minimum):
    KVM / Libvirt
    - Deployment scripts are EASY*.
    - But no, really
    Vagrant
    - If possible, to build your own boxes (Vulnhub is nice to use in a Shooting Gallery, although it adds more steps)
    Puppet (or your choice of provisioner)
    OpenVPN
    Internal builds for your organization

  17. Shooting Gallery Topology
    OpenVPN clients are given an IP in 192.168.5.0/23 on connection to 192.168.1.3 (the OpenVPN server)
    Vulnerable hosts live in 192.168.3.0/23

  18. Then What?
    Restart Service for vulnerable VMs inside tunnel
    - PWK/OSCP method for shared vulnerable target management
    - Restart service in tunnel
    - API endpoint on hosting infrastructure to ‘virsh snapshot-revert’ or ‘virsh reboot’
    - Easy to prevent malplay. Run on virtual interfaces.
    Leaderboard
    - CTFd (What BSidesPDX CTF is using this year)
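A minimal restart service of the kind slide 18 describes, as an added example (not the talk's or the shooting-gallery repo's code): an HTTP endpoint on the hosting side of the tunnel that reverts or reboots one vulnerable VM via virsh, with an allowlist so players cannot name arbitrary libvirt domains and a per-VM cooldown against malplay. The VM names, the listen address (assumed from the deck's topology) and the cooldown value are assumptions.

```python
import re
import subprocess
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed allowlist of libvirt domain names in the gallery; any other
# name is refused before it can reach virsh.
GALLERY_VMS = {"gallery-web01", "gallery-ftp01", "gallery-dc01"}
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,31}$")
COOLDOWN = 60                   # seconds between resets of one VM (anti-malplay)
LISTEN = ("192.168.1.3", 8080)  # tunnel-side address, assumed from the deck's topology
_last_reset = {}                # vm name -> time of the last accepted reset

def build_command(vm, action):
    """Return the virsh argv for a permitted (vm, action) pair, else None.
    An argv list (never shell=True) means a hostile 'vm' string cannot
    smuggle in extra commands; the allowlist keeps players off every
    libvirt domain that is not part of the gallery."""
    if not NAME_RE.match(vm) or vm not in GALLERY_VMS:
        return None
    if action == "revert":
        return ["virsh", "snapshot-revert", vm, "--current"]
    if action == "reboot":
        return ["virsh", "reboot", vm]
    return None

def handle_reset(vm, action, now=None,
                 runner=lambda cmd: subprocess.run(cmd, timeout=30).returncode):
    """Apply one reset and return (http_status, message). 'runner' is
    injectable so the policy can be exercised on a box without libvirt."""
    now = time.time() if now is None else now
    cmd = build_command(vm, action)
    if cmd is None:
        return 403, "unknown vm or action"
    if now - _last_reset.get(vm, 0) < COOLDOWN:
        return 429, "vm was reset recently, try again later"
    if runner(cmd) != 0:
        return 500, "virsh failed"
    _last_reset[vm] = now
    return 200, f"{action} ok for {vm}"

class ResetHandler(BaseHTTPRequestHandler):
    def do_POST(self):  # POST /reset?vm=gallery-web01&action=revert
        q = parse_qs(urlparse(self.path).query)
        status, msg = handle_reset(q.get("vm", [""])[0], q.get("action", [""])[0])
        self.send_response(status)
        self.end_headers()
        self.wfile.write((msg + "\n").encode())

if __name__ == "__main__":
    HTTPServer(LISTEN, ResetHandler).serve_forever()
```

Binding only to the tunnel-side address keeps the endpoint unreachable from outside the VPN; the 403/429 responses also give the leaderboard host something to log when a player probes it.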

  19. Show me the Source!
    Deployment of VMs into KVM, OpenVPN Configuration, Barebone Restart Service
    Pending approval from my employer
    ● https://github.com/tophertimzen/shooting-gallery-infrastructure

  20. Playing, Building, and Deploying
    Challenges

  21. Participating
    Just do it!
    Baby's first challenges are really great for starting!
    Some CTF events target beginners
    ● BSidesPDX!
    https://ctftime.org shows a ton of CTFs happening all over the world
    https://trailofbits.github.io/ctf/
    https://github.com/apsdehal/awesome-ctf

  22. Creating
    You do not have to be a good developer, the intention is to hack your code!
    Write a challenge (boot2root, binary, web, more) you would want to solve and send it to friends, tweet it, etc.
    See what other people write for challenges and get inspiration
    ● CTF content creators should open source their work! Write-ups are aplenty, not a lot of challenge source!
    ● Pwn 100 and Pwn 200 for BSidesPDX CTF this year are spinoffs of other challenges
    ○ As well as the initial concept for infra! Thanks BSidesSF!

  23. Creating
    Open sourcing challenge concepts and source is useful to move BSides and CTF forward
    Base reference implementation on building CTF and infra saves time
    ● Shout out to BSidesSF!
    Get involved with an organizer of a CTF!
    ● We are open sourcing our CTF at https://github.com/BSidesPDX/CTF-2017
    ● Talk to me about being involved next year!

  24. Infrastructure and Hosting
    This is the painful part and could be a talk in and of itself
    VMS
    ● First CTF I organized we gave people “.ova” machines
    Shooting Gallery Concept
    ● Self-contained, automated infrastructure
    Docker / Kubernetes
    ● Hosted this and last year's BSidesPDX CTF

  25. Resources
    ● Vito_lbs has been blogging about @LegitBS_CTF
    ● https://www.reddit.com/r/securityCTF/comments/1ntoue/what_does_the_infrastructure_of_various_ctfs_look/
    ○ 4 years old, but helpful. Perhaps worth revisiting and forming a discussion.
    ● https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0
    ○ Like anything, CTFs need an attack model. What are you giving to the competitors? Is there accepted risk anywhere?
    ■ We used k8s for BSidesPDX this year, we had to solve problems.

  26. Overlay

  27. Come play CTF!
    Event room
    https://bsidespdxctf.party/
    https://bsidespdx.org/events/2017/ctf.html
    Help us organize next year's!

  28. Conclusion
    Offensive skills help defenders
    Defensive skills help offense
    CTF is a good way to challenge yourself and grow skills
    Deploy a Shooting Gallery in your organization
    Go forth and Hack The ______!
    Deployment scripts will be on github pending approval from my employer.
    @TTimzen will tweet out links when published.

  29. Thanks
    Could not have done the CTF this year without my team
    Challenges:
    @pwnpnw
    Infra:
    @yalam96
    @andrewkrug
    @mozilla

  30. EOF