It is said that “the best defense is a good offense”, which means organizations and defenders need to think offensively in order to detect and evade threats. A good method for instilling an offensive mindset in defenders is to place them in offensive scenarios. This is where the CTF and Shooting Gallery concepts come into play. By creating an internal shooting gallery in your organization, you can have an isolated playground for anyone to practice offensive security techniques. Furthermore, Capture The Flag (CTF) events are becoming increasingly popular at security conferences and inside organizations. Unfortunately, there is a barrier to entry for those who have never played CTF before, and individuals occasionally feel overwhelmed by all there is to know about participating in, creating or hosting one. Over the last 2 years Topher has put together several CTF events - each being hosted in a drastically different way. This talk will cover the basics of building a shooting gallery and CTF challenges, along with hosting and deploying them, in order to increase organizational effectiveness and knowledge.
The Trials and Tribulations of Building Your Own CTF and Shooting Gallery
ALL CONTENT, OPINIONS, ASSERTIONS, CLAIMS, EXHORTATIONS,
DENIALS (or anything else I say or write) ARE MY OWN AND IN NO
WAY REPRESENT THE VIEWS OF MY EMPLOYER (or anyone but
● Red Team at a Fortune 50
○ Vulnerability Enthusiast
○ Causes constructive mischief
● 3 letters of government fun
● Would rather be mountain biking
Why Train Offensively
Playing, Building, and Deploying Challenges
Infrastructure and Hosting
Why Train Offensively
Offense [ < | > ] Defense?
[ < | > ] != True
Security Training from an offensive standpoint is important for defenders to know
and understand what attackers do
- In “Cyber” they call these Tools, Tactics & Procedures (“TTP”)
- Helps to instill the necessity to write defensive code
- Helps answer:
- “What to look for in a seemingly endless cloud of logs?”
- “What parts of my app would/could an attacker hit?”
Offensive teams knowing what defenders are looking for is also important
- Other talks cover that. This is not that talk.
Capture The Flag (CTF)
Increasingly popular at security conferences and inside of organizations
Information Security Competitions in which players solve challenges in order to
obtain a “flag”
Demonstrates proficiency or excellence in an area
● Binary exploitation, web exploitation, reverse engineering, forensics,
cryptography, programming, etc.
● Organizers choose which areas are stressed for a particular event
● You’ve seen the show
○ BSidesPDX CTF this year!
Attack & Defense
● Teams attack each other's services in a contained environment
Exactly as the name suggests
Boot a vulnerable machine, and root it!
● Intentionally vulnerable
● Enumeration, Vulnerability Discovery, Access/Exploitation, Privilege
○ Remember the killchain?
Thanks to Vulnhub for popularizing the term, as well as several other resources
● hackthebox is growing in popularity
Shooting Gallery / boot2root
Internal isolated playing ground to practice offensive security techniques
Hosting internally solves problems and barriers to entry
Mentorship capabilities along with internal tracking and monitoring
- Mimic your internal organization for practice!
- Import pre-made vulnerable boxes with skills you want to test or teach!
Reduced Overhead needing only (as a minimum)
KVM / Libvirt
- Deployment Scripts are EASY*.
- But no, really
- If possible to build your own boxes (Vulnhub is nice to use in Shooting Gallery, although adds more
Puppet (Or your choice of provisioner)
Internal Builds for your organization
Shooting Gallery Topology
openVPN clients given IP in
connection to 192.168.1.3
Vulnerable hosts in
Restart Service for vulnerable VMs inside tunnel
- PWK/OSCP method for shared vulnerable target management
- Restart service in tunnel
- API endpoint on hosting infrastructure to ‘virsh snapshot-revert’ or ‘virsh reboot’
- Easy to prevent malplay. Run on virtual interfaces.
- CTFd (What BSidesPDX CTF is using this year)
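A sketch of the restart-service idea above (an API endpoint that triggers ‘virsh reboot’ or ‘virsh snapshot-revert’), added here as an example and not taken from the talk's deployment scripts. The VM names, snapshot name and cooldown are assumptions; the point is that players only ever select from an allowlist and never supply text that reaches a shell.

```python
import re
import subprocess
import time

# Assumed inventory: libvirt domain name -> snapshot to revert to (constructed values).
ALLOWED_VMS = {"gallery-web01": "clean", "gallery-pwn02": "clean"}
ACTIONS = ("reboot", "snapshot-revert")
COOLDOWN_SECONDS = 120  # assumed policy: one restart per VM every two minutes
NAME_RE = re.compile(r"[a-z0-9-]{1,32}")

_last_restart = {}  # VM name -> time of the last accepted restart


def build_virsh_argv(vm, action):
    """Return the virsh argv list, or raise ValueError on anything unexpected."""
    if not NAME_RE.fullmatch(vm) or vm not in ALLOWED_VMS:
        raise ValueError("unknown VM")
    if action not in ACTIONS:
        raise ValueError("unsupported action")
    if action == "reboot":
        return ["virsh", "reboot", vm]
    return ["virsh", "snapshot-revert", vm, ALLOWED_VMS[vm]]


def _run_virsh(argv):
    # argv list, no shell: request data is never interpreted as a command line.
    subprocess.run(argv, check=True, timeout=60)


def handle_request(vm, action, now=None, runner=_run_virsh):
    """Validate, rate-limit, then run. Returns (http_status, message)."""
    now = time.time() if now is None else now
    try:
        argv = build_virsh_argv(vm, action)
    except ValueError as exc:
        return 400, str(exc)
    last = _last_restart.get(vm)
    if last is not None and now - last < COOLDOWN_SECONDS:
        # Shared targets: stop one player from bouncing a box others are using.
        return 429, "restart already requested recently"
    runner(argv)
    _last_restart[vm] = now
    return 200, "ok: " + " ".join(argv)
```

Wrap `handle_request` in whatever HTTP framework the hosting infrastructure already uses, and bind it to the tunnel-facing virtual interface only.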
Show me the Source!
Deployment of VMs into KVM, OpenVPN Configuration, Barebone Restart Service
Pending approval from my employer
Playing, Building, and Deploying
Just do it!
Baby's first challenges are really great for starting!
Some CTF events target beginners
https://ctftime.org shows a ton of CTFs happening all over the world
You do not have to be a good developer; the intention is to hack your code!
Write a challenge (boot2root, binary, web, more) you would want to solve and send it to friends, tweet it, etc.
See what other people write for challenges and get inspiration
● CTF content creators should open source their work! Write-ups are aplenty, not a lot of
● Pwn 100 and Pwn 200 for BSidesPDX CTF this year are spinoffs of other challenges
○ As well as the initial concept for infra! Thanks BSidesSF!
Open sourcing challenge concepts and source is useful to move BSides and CTF forward
Base reference implementation on building CTF and infra saves time
● Shout out to BSidesSF!
Get involved with an organizer of a CTF!
● We are open sourcing our CTF at https://github.com/BSidesPDX/CTF-2017
● Talk to me about being involved next year!
Infrastructure and Hosting
This is the painful part and could be a talk in and of itself
● First CTF I organized we gave people “.ova” machines
Shooting Gallery Concept
● Self-contained, automated infrastructure
Docker / Kubernetes
● Hosting this and last year's BSidesPDX CTF
● Vito_lbs has been blogging about @LegitBS_CTF
○ 4 years old, but helpful. Perhaps worth revisiting and forming a discussion.
○ Like anything, CTFs need an Attack Model. What are you giving to the competitors? Is
there accepted risk anywhere?
■ We used k8s for BSidesPDX this year, we had to solve problems.
Come play CTF!
Help us organize next year's!
Offensive skills help defenders
Defensive skills help offense
CTF is a good way to challenge yourself and grow skills
Deploy a Shooting Gallery in your organization
Go forth and Hack The ______!
Deployment scripts will be on GitHub pending approval from my employer.
@TTimzen will tweet out links when published.
Could not have done the CTF this year without my team