We are about to start the next talk right here. So, I am very happy to introduce Hanemile, who is going to talk a little bit about the struggles you are facing when trying to find the next capture the flag (CTF) adventure and how he is proposing to solve the problem. Please join me in welcoming Emile.

Hi, I am going to talk about CTF in a box. It is the story of what problems we found when playing CTFs and how we plan to solve the problems; we built a prototype, tested it, and then there are the problems that came after that. So, first, who am I? I am Emile, @hanmile at post platforms. Studying computer science at Düsseldorf. Playing CTF with @flexerilla or sometimes as a single player.

Let's start with the current solutions. Playing CTF, we currently have, like, 3 main platforms. The most used framework currently is CTFd. CTFd is the first thing you'll find if you google "hey, I want to host a CTF, what do I do?" The second thing is Hack The Box; that is another case study, well, case study, more so a framework to host CTFs, but you can't use it, because it is actually closed source, meaning that you can only play with that. The last solution is custom frameworks. So, these are frameworks used by teams. They build them themselves, like at this year's CTF.

So, CTFd looks like this. People who have played CTF may have seen it, since most CTFs are hosted on CTFd. Overall it is pretty basic, looks a bit bootstrappy. I'll come back to what the problems are later. Hack The Box, for the people who have not seen it, looks like this. This is the machine view, because Hack The Box differentiates between machines and challenges. Challenges are simply files from where you need to find the flag. Machines are a bit more, where you have an actual machine from where you need to find the flag in the actual services running on the machine. So, it is a bit more. And custom ones. This is an image of a current CTF organised by HXV. It is pretty much CTFd, but built on their own. So, what are the problems with this?
Well, let's start with CTFd, where there aren't actual problems, in my opinion. It is mostly a static hoster for files you want people to use for the CTF, and some custom infrastructure for scoreboard, registration and stuff like that.

Hack The Box is kind of closed source. I say "kind of" because you can actually use it, you can see how it is built up, and you could build it yourself. The problem we had when playing with Hack The Box was that we had some reverse shells at the root of the challenges, as well as other problems, like multiple people writing into some challenges, and that some files were there that should not have been, which was really annoying sometimes. Like, we started a challenge and saw that there is a reverse shell for getting root in root; you don't have to do anything. There are shared challenge instances; the problem we saw was that you have multiple hundred people playing the same instance, where we could see what other people were uploading to the instance. Which kind of helped us, and we found out that it could be kind of optimised.

The third problem, well, problem, is custom frameworks. You might find errors in custom frameworks allowing you to get flags that aren't used without solving the challenge.

So, it is now a ping-pong between finding a problem and finding a solution. The simplest solution we tried to implement at our CTF at a local hackerspace was to generate a single challenge instance for every player/team. This means that every challenge we built was simply a Docker container somewhere, and for everyone who wanted to play, it started a new Docker container. We first thought that this would bring a lot of overhead, but it didn't. We started multiple hundred containers and it worked out fine. The problem with this is that if you put everything in a Docker container, Docker escapes and sandbox escapes get really useful. It would be fatal if someone could break out of the container. We got solutions for the possible problems.
You could place everything in a VM or nsjail in order to isolate the process, stopping people from actually breaking out. Another possible solution would be to make it possible for people to break out, which you don't actually want to make possible. But you don't want people to have anything in case; custom flags for custom teams. We did that by implementing our Docker containers as - or, we implemented the challenges so that the flags get put into the Docker container via environment variables. So when you are starting your Docker container, you just set an environment variable with your flag. And in the Docker container you have a little script that is pushing your flag to the place you want it to be, then unsetting the environment variable and deleting everything else. Meaning no trace of the flag where there should not be one. That worked out pretty well. So, that is the CIRCUS prototype that we used.