Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Building DEF CON CTF with Ruby
Search
vito
February 21, 2014
Programming
0
600
Building DEF CON CTF with Ruby
Presented at Big Ruby Conference, Grapevine, TX, Feb. 20 2014
vito
February 21, 2014
Tweet
Share
More Decks by vito
See All by vito
Modernizing SQL Injection CTF Challenges
vito
0
160
Raw Water: Quenching Your Thirst for SQL Injection
vito
0
74
Lessons Learned from Five Years of Building Capture the Flag
vito
0
490
What I've Learned Writing CTF Challenges
vito
0
150
Capture the Flag: An Owner's Manual
vito
0
90
Other Decks in Programming
See All in Programming
20250808_AIAgent勉強会_ClaudeCodeデータ分析の実運用〜競馬を題材に回収率100%の先を目指すメソッドとは〜
kkakeru
0
130
MCP連携で加速するAI駆動開発/mcp integration accelerates ai-driven-development
bpstudy
0
290
ワープロって実は計算機で
pepepper
2
1.2k
新しいモバイルアプリ勉強会(仮)について
uetyo
1
250
Bedrock AgentCore ObservabilityによるAIエージェントの運用
licux
9
600
#QiitaBash TDDで(自分の)開発がどう変わったか
ryosukedtomita
1
360
オホーツクでコミュニティを立ち上げた理由―地方出身プログラマの挑戦 / TechRAMEN 2025 Conference
lemonade_37
2
460
Terraform やるなら公式スタイルガイドを読もう 〜重要項目 10選〜
hiyanger
12
3k
CEDEC2025 長期運営ゲームをあと10年続けるための0から始める自動テスト ~4000項目を50%自動化し、月1→毎日実行にした3年間~
akatsukigames_tech
0
120
バイブスあるコーディングで ~PHP~ 便利ツールをつくるプラクティス
uzulla
1
330
Webinar: AI-Powered Development: Transformiere deinen Workflow mit Coding Tools und MCP Servern
danielsogl
0
110
React 使いじゃなくても知っておきたい教養としての React
oukayuka
18
5.5k
Featured
See All Featured
The Art of Programming - Codeland 2020
erikaheidi
54
13k
Code Review Best Practice
trishagee
69
19k
Balancing Empowerment & Direction
lara
1
540
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
880
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
110
19k
Git: the NoSQL Database
bkeepers
PRO
431
65k
Agile that works and the tools we love
rasmusluckow
329
21k
Rebuilding a faster, lazier Slack
samanthasiow
83
9.1k
Measuring & Analyzing Core Web Vitals
bluesmoon
8
550
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
8
440
What's in a price? How to price your products and services
michaelherold
246
12k
Transcript
Building DEF CON CTF with Ruby
Hello Vito Genovese @vito_lbs
[email protected]
Building DEF CON CTF •DEF CON and CTF •Team building
•Qualifications •Finals
What is DEF CON? “DEF CON is one of the
oldest continuous running hacker conventions around, and also one of the largest.” - DEF CON FAQ
What is DEF CON? “Black Hat… is more the university…
DEF CON is the fraternity party.” - USA Today, “Suits and punks convene in Las Vegas for hacker conferences,” Aug. 1 2006
What is DEF CON?
What is DEF CON?
What is CTF? (Capture The Flag)
Jeopardy-Style CTF •Pick a problem •Hack it •Get points
Attack-Defense CTF 1. Hack services 2. Steal tokens every round
3. Get points 1. Patch services 2. Pass SLA checks 3. Don’t lose points
Competing in CTF •Build a team •Get really good at
assembly •Get good at web vulns and crypto too •Compete and solve problems •Write up solutions
Competing in CTF
Sample Challenges http://hypeman.shallweplayaga.me http://worsemedicine.shallweplayaga.me
Hour 30
Building DEF CON CTF •DEF CON and CTF •Team building
•Qualifications •Finals
Team Building “Dark Tangent is looking for new CTF organizers,
want to help write a proposal?”
Team Building Software vulnerability experts Hardware engineers Network ops deity
Web application generalist
Team Building •Opinionated smart people •That need to work together
•On a software project with dozens of moving parts •On a very public stage •With immovable deadlines
Team Building Always have an exit strategy
Building DEF CON CTF •DEF CON and CTF •Team building
•Qualifications •Finals
Qualifications “Quals”
Quals “Jeopardy-style” Self-contained questions Open Entry 48 hours over a
weekend
None
Quals Scoreboard Rails Unicorn Heroku 1GB Dynos $50/month Postgres
Quals Scoreboard No Redis No memcached
Quals Scoreboard No push Only polling
Quals Scoreboard
Quals Scoreboard
Quals Scoreboard Game Start Adjusting dynos
Quals Challenges •Sinatra •PHP •Python •x86 •Golang •ARM
Sinatra Used Heroku It ruled
PHP, Python, x86, Golang EC2 Started with Micro Upgraded to
Large
PHP, Python, x86, Golang Never use Micro instances
PHP, Python, x86, Golang Sometimes you get DoS’d
ARM Challenges
Quals Problems I slept… Through a part where we had
to edit a question and put something on S3.
Quals Problems Some challenges weren’t ready until halfway through the
game
https://twitter.com/roman_soft/status/346325078369263616
Quals •IRC and Twitter: invaluable •Have a reset password flow
•Don’t forget public views •Fight bus numbers
Building DEF CON CTF •DEF CON and CTF •Team building
•Qualifications •Finals
Finals OMG
None
Finals http://www.cnbc.com/id/101179977
Finals
Finals
Finals Twenty Teams Twenty Servers One Network
Finals •Attack-defense style •Teams get a server running services •Find
vulnerabilities in services •Patch own vulnerabilities •Exploit vulnerabilities on other teams
Finals Scoring Fifty-thousand flags Five-minute rounds Tokens from services redeemed
for flags Flags lost when stolen and downtime Zero-sum for game theory reasons
Finals Scoreboard Rails, Apache, Passenger, Postgres Ubuntu on Mac Mini
HTTPS Client Certificates Kibana (Logstash, Elasticsearch) No push, no polling, just meta refresh
Finals Scoreboard Client certs rule No password resets No hacking,
no sniffing Twenty CDs of certs and keys… eh
Kibana
None
None
Kibana Log Everything
Tokens and Uptime Console Ruby script Restartable in a sensible
fashion Use Postgres and wall clock time as state Save immediately, don’t queue
Tokens and Uptime Two weeks prior: “I’m just going to
call a shell script, everyone else write your own uptime checker.”
Tokens and Uptime Three hours in: “Uh, how do we
make these shell scripts time out?”
Tokens and Uptime Ten hours in: “We should run these
in parallel.”
Tokens and Uptime Sixteen hours in: “Huh some team is
puking binary out.”
Finals Problems Teams could score on themselves
Finals Problems Flags didn’t get redistributed correctly
Finals Problems Have a better way to find issues than
rails console, SQL, and log queries
None
Finals Problems API Documentation
Finals Problems Life’s easy when you have 160 users and
they’re all right there
Finals Team Boxes
Finals Team Boxes Services run as dedicated users Teams have
sudo to service No root
None
Finals Lessons Scheduled downtime is the best
Building DEF CON CTF •DEF CON and CTF •Team building
•Qualifications •Finals
Lessons Stuff will break
Lessons Own your mistakes
Lessons Fight scope creep
Lessons JFDI
Thanks Vito Genovese @vito_lbs
[email protected]
https://legitbs.net http://bit.ly/br-ctf
Bonus Slides
DEF CON and Jeopardy
Quals Expenses What How much Heroku $126 AWS $138 Cloudflare
$20 Whisky $340
Finals Services ARM binaries ASLR, NX bit, some PIE
Finals Services Release new services Update existing services
Finals Team Boxes Boot from MicroSD Start container from iSCSI