
The Trials and Tribulations of Building Your Own CTF and Shooting Gallery


It is said that “the best defense is a good offense”, which means organizations and defenders need to think offensively in order to detect and evade threats. A good method for instilling an offensive mindset in defenders is to place them in offensive scenarios. This is where the CTF and Shooting Gallery concepts come into play. By creating an internal shooting gallery in your organization, you have an isolated playground where anyone can practice offensive security techniques. Furthermore, Capture The Flag (CTF) events are becoming increasingly popular at security conferences and inside organizations. Unfortunately, there is a barrier to entry for those who have never played a CTF before, and individuals occasionally feel overwhelmed by all there is to know about participating in, creating or hosting one. Over the last 2 years Topher has put together several CTF events, each hosted in a drastically different way. This talk will cover the basics of building a shooting gallery and CTF challenges, along with hosting and deploying them, in order to increase organizational effectiveness and knowledge.


Topher Timzen

October 21, 2017


  1. The Trials and Tribulations of Building Your Own CTF and Shooting Gallery
     Topher Timzen @TTimzen
  2. else I say or write) ARE MY OWN AND IN NO WAY REPRESENT THE VIEWS OF MY EMPLOYER (or anyone but myself)
  3. #whoami Topher Timzen
     • Red Team at a Fortune 50
       ◦ Vulnerability Enthusiast
       ◦ Causes constructive mischief
     • 3 letters of government fun
     • Would rather be mountain biking
     @TTimzen https://tophertimzen.com
  4. Agenda
     Why Train Offensively
     CTF
     Shooting Gallery
     Playing, Building, and Deploying Challenges
     Infrastructure and Hosting
  5. Why Train Offensively

  6. Offense [ < | > ] Defense? [ < | > ] != True Security
     Training from an offensive standpoint is important for defenders to know and understand what attackers do
     - In “Cyber” they call these Tools, Tactics & Procedures (“TTP”)
     - Helps to instill the necessity to write defensive code
     - Helps answer:
       - “What to look for in a seemingly endless cloud of logs?”
       - What parts of my app would/could an attacker hit?
     Offensive teams knowing what defenders are looking for is also important - Other talks cover that. This is not that talk.
  7. Capture The Flag (CTF)

  8. CTF
     Increasingly popular at security conferences and inside of organizations
     Information Security Competitions in which players solve challenges in order to obtain a “flag”
     Demonstrates proficiency or excellence in an area
     • Binary exploitation, web exploitation, reverse engineering, forensics, cryptography, programming, etc.
     • Organizer's choice which areas are stressed for a particular event
  9. Types
     Jeopardy
     • You’ve seen the show
       ◦ BSidesPDX CTF this year!
     Attack & Defense
     • Teams attack each other's services in a contained environment
  10. Boot2root
      Exactly as the name suggests: boot a vulnerable machine, and root it!
      • Intentionally vulnerable
      • Enumeration, Vulnerability Discovery, Access/Exploitation, Privilege Escalation (EVAP)
        ◦ Remember the killchain?
      Thanks to Vulnhub for popularizing the term, as well as several other resources
      • hackthebox is growing in popularity
  11. Kill Chain

  12. Kill chain https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf

  13. Kill chain https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf
      Shooting Gallery / boot2root

  14. Shooting Gallery

  15. Shooting Gallery
      Internal isolated playing ground to practice offensive security techniques
      Hosting internally solves problems and barriers to entry
      Mentorship capabilities along with internal tracking and monitoring
      - Mimic your internal organization for practice!
      - Import pre-made vulnerable boxes with skills you want to test or teach!
  16. Shooting Gallery
      Reduced overhead needing only (as a minimum):
      KVM / Libvirt
      - Deployment scripts are EASY*.
      - But no, really
      Vagrant
      - If possible, to build your own boxes (Vulnhub is nice to use in Shooting Gallery, although it adds more steps)
      Puppet (or your choice of provisioner)
      OpenVPN
      Internal builds for your organization
  17. Shooting Gallery Topology
      openVPN clients given IP in from connection to (openVPN server)
      Vulnerable hosts in
  18. Then What?
      Restart Service for vulnerable VMs inside tunnel
      - PWK/OSCP method for shared vulnerable target management
      - Restart service in tunnel
      - API endpoint on hosting infrastructure to ‘virsh snapshot-revert’ or ‘virsh reboot’
      - Easy to prevent malplay. Run on virtual interfaces.
      Leaderboard - CTFd (What BSidesPDX CTF is using this year)
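The restart service on this slide, as an added example (not the talk's own deployment scripts): players inside the tunnel can only ask for a snapshot revert or reboot of a VM that is on an allowlist, the request is mapped to a fixed virsh argv rather than interpolated into a shell string, and a per-VM cooldown stops one player from reverting a box another player is mid-way through. The VM names, snapshot name and cooldown are constructed values; the HTTP/OpenVPN-facing layer is left out.

```python
"""Minimal shooting-gallery restart service logic (added example)."""
import subprocess
import time

# Constructed allowlist: libvirt domain name -> snapshot to revert to.
# Anything not in here cannot be touched through the service.
TARGETS = {
    "kioptrix-1": "clean",
    "mrrobot": "clean",
}

# Fixed argv builders: 'snapshot-revert' restores the clean state and
# leaves the domain running; 'reboot' just restarts a wedged service.
ACTIONS = {
    "revert": lambda vm: ["virsh", "snapshot-revert", vm, TARGETS[vm], "--running"],
    "reboot": lambda vm: ["virsh", "reboot", vm],
}

COOLDOWN_SECONDS = 120  # constructed value; tune for your gallery
_last_reset = {}        # vm name -> timestamp of last accepted reset


def build_command(action, vm):
    """Return the exact virsh argv for a request, or raise ValueError.

    The VM name is a dictionary key, never a format string, so a request
    cannot smuggle extra arguments or a domain outside the gallery."""
    if vm not in TARGETS:
        raise ValueError(f"unknown target {vm!r}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return ACTIONS[action](vm)


def reset_target(action, vm, now=None, runner=subprocess.run):
    """Apply the per-VM cooldown, then run virsh.

    `runner` is injectable so the logic can be exercised on a host that
    has no libvirt; in production it is subprocess.run."""
    now = time.time() if now is None else now
    argv = build_command(action, vm)
    last = _last_reset.get(vm)
    if last is not None and now - last < COOLDOWN_SECONDS:
        return {"ok": False, "retry_in": COOLDOWN_SECONDS - (now - last)}
    _last_reset[vm] = now
    runner(argv, check=True)
    return {"ok": True, "argv": argv}
```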
  19. Show me the Source!
      Deployment of VMs into KVM, OpenVPN Configuration, Barebone Restart Service
      Pending approval from my employer
      • https://github.com/tophertimzen/shooting-gallery-infrastructure
  20. Playing, Building, and Deploying Challenges

  21. Participating
      Just do it! Babies first challenges are really great for starting!
      Some CTF events target beginners
      • BSidesPDX!
      https://ctftime.org shows a ton of CTFs happening all over the world
      https://trailofbits.github.io/ctf/
      https://github.com/apsdehal/awesome-ctf
  22. Creating
      You do not have to be a good developer, the intention is to hack your code!
      Write a challenge (boot2root, binary, web, more) you would want to solve and send it to friends, tweet it, etc.
      See what other people write for challenges and get inspiration
      • CTF content creators should open source their work! Write-ups are aplenty, not a lot of challenge source!
      • Pwn 100 and Pwn 200 for BSidesPDX CTF this year are spinoffs of other challenges
        ◦ As well as the initial concept for infra! Thanks BSidesSF!
  23. Creating
      Open sourcing challenge concepts and source is useful to move BSides and CTF forward
      Base reference implementation on building CTF and infra saves time
      • Shout out to BSidesSF!
      Get involved with an organizer of a CTF!
      • We are open sourcing our CTF at https://github.com/BSidesPDX/CTF-2017
      • Talk to me about being involved next year!
  24. Infrastructure and Hosting
      This is the painful part and could be a talk in and of itself
      VMs
      • First CTF I organized we gave people “.ova” machines
      Shooting Gallery Concept
      • Self-contained, automated infrastructure
      Docker / Kubernetes
      • Hosting this and last year's BSidesPDX CTF
  25. Resources
      • Vito_lbs has been blogging about @LegitBS_CTF
      • https://www.reddit.com/r/securityCTF/comments/1ntoue/what_does_the_infrastructure_of_various_ctfs_look/
        ◦ 4 years old, but helpful. Perhaps worth revisiting and forming a discussion.
      • https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0
        ◦ Like anything, CTFs need an Attack Model. What are you giving to the competitors? Is there accepted risk anywhere?
          ▪ We used k8s for BSidesPDX this year, we had to solve problems.
  26. Overlay

  27. Come play CTF!
      Event room https://bsidespdxctf.party/ https://bsidespdx.org/events/2017/ctf.html
      Help us organize next year's!
  28. Conclusion
      Offensive skills help defenders
      Defensive skills help offense
      CTF is a good way to challenge yourself and grow skills
      Deploy a Shooting Gallery in your organization
      Go forth and Hack The ______!
      Deployment scripts will be on github pending approval from my employer. @TTimzen will tweet out links when published.
  29. Thanks
      Could not have done the CTF this year without my team
      Challenges: @pwnpnw
      Infra: @yalam96 @andrewkrug @mozilla
  30. EOF