Building DEF CON CTF with Ruby

Transcript

1. Building DEF CON CTF with Ruby

2. Hello Vito Genovese @vito_lbs [email protected]

3. Building DEF CON CTF •DEF CON and CTF •Team building

   •Qualifications •Finals

4. What is DEF CON? “DEF CON is one of the

   oldest continuous running hacker conventions around, and also one of the largest.” - DEF CON FAQ

5. What is DEF CON? “Black Hat… is more the university…

   DEF CON is the fraternity party.” - USA Today, “Suits and punks convene in Las Vegas for hacker conferences,” Aug. 1 2006

6. What is DEF CON?

7. What is DEF CON?

8. What is CTF? (Capture The Flag)

9. Jeopardy-Style CTF •Pick a problem •Hack it •Get points

10. Attack-Defense CTF 1. Hack services 2. Steal tokens every round

    3. Get points 1. Patch services 2. Pass SLA checks 3. Don’t lose points

11. Competing in CTF •Build a team •Get really good at

    assembly •Get good at web vulns and crypto too •Compete and solve problems •Write up solutions

12. Competing in CTF

13. Sample Challenges http://hypeman.shallweplayaga.me http://worsemedicine.shallweplayaga.me

14. Hour 30

15. Building DEF CON CTF •DEF CON and CTF •Team building

    •Qualifications •Finals

16. Team Building “Dark Tangent is looking for new CTF organizers,

    want to help write a proposal?”

17. Team Building Software vulnerability experts Hardware engineers Network ops deity

    Web application generalist

18. Team Building •Opinionated smart people •That need to work together

    •On a software project with dozens of moving parts •On a very public stage •With immovable deadlines

19. Team Building Always have an exit strategy

20. Building DEF CON CTF •DEF CON and CTF •Team building

    •Qualifications •Finals

21. Qualifications “Quals”

22. Quals “Jeopardy-style” Self-contained questions Open Entry 48 hours over a

    weekend
23. None

24. Quals Scoreboard Rails Unicorn Heroku 1GB Dynos $50/month Postgres

25. Quals Scoreboard No Redis No memcached

26. Quals Scoreboard No push Only polling

27. Quals Scoreboard

28. Quals Scoreboard

29. Quals Scoreboard Game Start Adjusting dynos

30. Quals Challenges •Sinatra •PHP •Python •x86 •Golang •ARM

31. Sinatra Used Heroku It ruled

32. PHP, Python, x86, Golang EC2 Started with Micro Upgraded to

    Large

33. PHP, Python, x86, Golang Never use Micro instances

34. PHP, Python, x86, Golang Sometimes you get DoS’d

35. ARM Challenges

36. Quals Problems I slept… Through a part where we had

    to edit a question and put something on S3.

37. Quals Problems Some challenges weren’t ready until halfway through the

    game

38. https://twitter.com/roman_soft/status/346325078369263616

39. Quals •IRC and Twitter: invaluable •Have a reset password flow

    •Don’t forget public views •Fight bus numbers

40. Building DEF CON CTF •DEF CON and CTF •Team building

    •Qualifications •Finals

41. Finals OMG

42. None

43. Finals http://www.cnbc.com/id/101179977

44. Finals

45. Finals

46. Finals Twenty Teams Twenty Servers One Network

47. Finals •Attack-defense style •Teams get a server running services •Find

    vulnerabilities in services •Patch own vulnerabilities •Exploit vulnerabilities on other teams

48. Finals Scoring Fifty-thousand flags Five-minute rounds Tokens from services redeemed

    for flags Flags lost when stolen and downtime Zero-sum for game theory reasons

49. Finals Scoreboard Rails, Apache, Passenger, Postgres Ubuntu on Mac Mini

    HTTPS Client Certificates Kibana (Logstash, Elasticsearch) No push, no polling, just meta refresh

50. Finals Scoreboard Client certs rule No password resets No hacking,

    no sniffing Twenty CDs of certs and keys… eh

51. Kibana

52. None
53. None

54. Kibana Log Everything

55. Tokens and Uptime Console Ruby script Restartable in a sensible

    fashion Use Postgres and wall clock time as state Save immediately, don’t queue

56. Tokens and Uptime Two weeks prior: “I’m just going to

    call a shell script, everyone else write your own uptime checker.”

57. Tokens and Uptime Three hours in: “Uh, how do we

    make these shell scripts time out?”

58. Tokens and Uptime Ten hours in: “We should run these

    in parallel.”

59. Tokens and Uptime Sixteen hours in: “Huh some team is

    puking binary out.”

60. Finals Problems Teams could score on themselves

61. Finals Problems Flags didn’t get redistributed correctly

62. Finals Problems Have a better way to find issues than

    rails console, SQL, and log queries
63. None

64. Finals Problems API Documentation

65. Finals Problems Life’s easy when you have 160 users and

    they’re all right there

66. Finals Team Boxes

67. Finals Team Boxes Services run as dedicated users Teams have

    sudo to service No root
68. None

69. Finals Lessons Scheduled downtime is the best

70. Building DEF CON CTF •DEF CON and CTF •Team building

    •Qualifications •Finals

71. Lessons Stuff will break

72. Lessons Own your mistakes

73. Lessons Fight scope creep

74. Lessons JFDI

75. Thanks Vito Genovese @vito_lbs [email protected] https://legitbs.net http://bit.ly/br-ctf

76. Bonus Slides

77. DEF CON and Jeopardy

78. Quals Expenses What How much Heroku $126 AWS $138 Cloudflare

    $20 Whisky $340

79. Finals Services ARM binaries ASLR, NX bit, some PIE

80. Finals Services Release new services Update existing services

81. Finals Team Boxes Boot from MicroSD Start container from iSCSI