We are about to start the next talk right
here. So, I am very happy to introduce
Hanemile. Who is going to talk a little
bit about the struggles you are facing
when trying to find the next capture the
flag (CTF) adventure and how he is
proposing to solve the problem.
Please join me in welcoming Emile.
Hi, I am going to talk about CTF in a box.
It is the story of what problems we
found when playing CTFs. How we plan
to solve the problems; we built a
prototype, tested it and the problems
that came after that. So, first who am I
I am Emile, @hanmile at post platforms.
Studying computer science at Düsseldorf.
Playing CTF with @flexerilla or sometimes
as a single player.
Lets start with the current solutions.
Playing CTF we currently have, like, 3
main platforms. The most used framework
used currently is CTFd.
CTFd is the first thing you'll find if you
google "hey I want to host a CTF, what
do I do?"
Second thing is hack the box
that is another case study, well case
study. More so a framework to host CTFs
but you can't use it, because it is
actually close sourced. Meaning that
you can only play with that. The last
solution is custom frameworks. So,
these are frameworks used by teams.
They build them themselves, like
at this years CTF.
So, CTFd looks like this. People may have
played CTF may have seen it since most
CTFs are hosted on CTFd. Overall
it is pretty basic, looks bit bootstrappy.
I´ll come back to what the problems are
later. Hack the box, the people who have
not seen it, it looks like this. This is
the machine view. Because hack the
box differentiate between machines
and challenges. Challenges are simply
files from where you need to find the
flag. Machines are a bit more, where
you an actual machine from where
you need to find the flag in the actual
services running on the machine.
So, it is a bit more.
And custom ones. This is an image of
a current CTF organised by HXV.
It is pretty much CTFd but, but built by
their own.
So, what are the problems with this?
Well, lets start with CTFd, where there
aren't actual problems, in my opinion.
It is mostly a static hoster, for files
you want people to use for the CTF and
some custom infrastructure for score
board, registration and stuff like that.
Hack the box is kind of close sourced,
why I say "kind of" because you can
actually use it, you can see how it is
built up, you could build it your self
and the problem we had when playing
with hack the box was that we had some
reverse shells at the root of the
challenges. As well as other problems like
multiple people writing in to some
challenges and that some files where
there, that should not have been. Which
was really annoying sometimes. Like we
started a challenges and saw that there
is a reverse shell for getting root in
root, you don't have to do anything.
There are shared challenge instances
the problem we saw that was you
have multiple hundre people playing the
same instance, where we could see what
other people where uploading to the
instance. Which kind of helped us and
found out that it could be kind of
optimised. The third problem, well
problem, but it is custom frameworks.
You might find errors in custom frameworks
allowing to get flags that aren't used
without solving the challenge. So, it is
now a ping pong between finding a problem
and finding a solution. The simplest
solution we tried to implement at our CTF
at a local hackrrspace was to generate
a single challenge instance for every
player/ team. This means that every
challenge we built was simply a docker
container somewhere and for everyone
who wanted to play it started a new docker
contianer. We first thought that this
would bring a lot of overhead, but it
didn't. We started multiple hundred
containers and it worked out fine. The
problem with this is that if you put
everything in a doker container docker
escapes and sandbox escapes get really
useful. It would be fatal if someone could
breakout of the container. We got
solutions for the possible problems.
You could place everything in a VM or
nsjail in order to isolate the process.
Stopping people from actually breaking
out. Another possible solution would be
to make it possible for people to break
out, which you don't actually want to
make possible. But you don't want people
to have anything in case; custom flags
for custom teams.
We did by implementing our docker
containers as - or we implemented the
challenges or the flags get put into the
docker via environment variables.
So when you are starting your docker
container you just set an environment
variable with you flag. And in the docker
container you have a little scrip that is
pushing your flag to the place you want
it to be. Then unsetting the environment
variable and deleting everything else.
Meaning no trace of the flag, where there
should not be. That worked out pretty
well. So, that is the CIRCUS prototype
that we used.
A little story for that - we had the
18th anniversary of our hackerspace
this year and we thought that we
need a CTF for that.
In a week before we realised that it is
in a week so we quickly started building
a prototype for it.
And called it CIRCUS.
Because it looks like a circus.
That is a graph showing how the
containers interact with each other.
The goal with this was that we wanted a
place where the teams could register
and get a known companion.
A companion in our system was a place
where people could go and spawn
individual contianers.
Because companion spawns in VPN
containers impacts s all other containers
in to that network.
So, people would go and get the VPN
config and can access the challenges.
It is really similar to how hack the box
works. A problem with this was that
we got one companion container per user
or per team. And we got n challenges
that can be spawn. Meaning that we got
n teams with m challenge computers
we end up with a lot of containers.
What you are seeing here is just a listing
of all the containers that we had spawn
after day 1 of the CTF, with 10
participants or so. But we had like
50 containers at that point.
Which was quite a bit.
At the end of the CTF we had about
120 container up and running.
You might think that a lot of contianers
and people doing stuff in the contaienrs
that must cost a lot of computational
power. But it actually worked out.
We had set up a virtual machine
8 core 16 bit of RAM, and it always
looked like nothing at all was
happening. Until someone set up
a cryptominer and had fun with that.
Since, we went on a machine and saw
"Where is this load coming from?"
We identified that this was a container
that some of the team set up.
Not me.
We had some people try with names,
we screwed up the sanitation a bit
because it was all really quick and that
is a learning for everything - that
it doesn't work.
The XSS you are seeing here didn't also
work for the person trying it
- which was kind of weird.
We did set up a super basic scoreboard.
So, as you can see we tried to build a
CTF framework on our own.
And it kind of worked, it was all
built in a few days and very much
like shitty CTFd.
What we want to do now is to find out
what we want to do and what we don't.
What we want to do is to allow
people to spawn containers
with their challenges. So, we solved
the problem of multiple people
acting on one challenge or instance
of a challenge.
By allowing this we don't allow them to
spawn infinite containers.
Maybe some of you have played Alice CTF
or GM CTF.
That was pretty fun because there
was a challenge exciting
devops challenge and it was exactly like
this. You could spawn containers/
a complete set up for you to play in.
But you had to do a proof of work, meaning
to calculate something so that you could
not just spawn challenge instances as much
as you liked.
Another thing you might keep in mind
when doing this is to not mount the
docker socket into everything.
As fun as it is to spawn docker
containers from docker containers, it is
a giant security risk. If people have
access to the docker socket they can
docker containers and do shit.
Dos and don'ts.
A lot of players do execute stuff in
containers. Just having a container with
just static files are fun, but we wanted
to have more. Allowing people to
execute stuff in containers can be
problem, but you can limit what people can
do. Meaning that allow people to do stuff
but don't allow them to do too much.
And that worked out in our case.
As said before, we tried it with like 10
people in our local CTF.
Seeing where the problems get when we
put really good CTF teams on it, and to
see if they can break out would be really
interesting to see.
As I said, don't allow, or allow people
to do stuff, but don't allow them to do
too much stuff.
Implement techniques so that it works
out. One thing that I had to keep in mind
was to keep things simple.
During the CTF I realised that, we built
a lot of stuff and it was a little bit
overcomplicated and made things a little
bit too hard to fix. I would keep in mind
for future CTF frameworks to keep it as
simpel as possible, in case anything
breaks it will be a 5 minute job to fix it
If you where to lazy to lisen, here is a
recap. Create new platforms, CTF
platforms are really interesting.
I found a lot of topics I could work in to
while building this and I am not at the
end yet. There is still a lot of things
that I need to look into. But to allow
for a place to play the game and limit
the bad stuff. For people thinking why
docker, people at our local hackerspace
ask all the time "why are you using docker
since there are so many known exploits for
that?"
Finding alternativs would have been an
option, but I am used to docker - and
I actually wanted to used docker.
So, that was kind of nice.
So if you know a better solution: find the
solution, implement it and try out the
CTF. Another thing I wanted to say here
that while using docker it might be
insecure, but you could also implement a
lot of stuff inorder to secure it.
Like implementing custom flags for teams,
so if a teams has got a custom flag
it can't just break out of the container
and get the flag from another team.
Since it is really team specific.
That was what we wanted to do with the
environment variable in the challenge
containers. Because then we could start
the containers as we went.
That's actually the end.
What I still want to say is that sometimes
next year we want to play the CIRCLE CTF
with the platform we built, just to try it
out, but at a larger scale. So, if you
are an active CTF player we are going to
be there and organise a complete new CTF
with us with fun challenges.
I got some of the challenges with me so,
if you are interested in how this might
look or what can be done then just come
to my table.
Also, if you are interested in discussing
solutions on how this could be done better
then just drop by.
If you got questions, watching the live
stream then just tweet me at: @hanemile.
That was it.
Does anyone got any direct questions.
Thanks again Emile.
Translated by CS (ITKST56 course assignment at JYU.FI)