
36C3 ChaosWest: CTF in a box

  • 0:19 - 0:21
    We are about to start the next talk right
  • 0:21 - 0:23
    here. So, I am very happy to introduce
  • 0:23 - 0:26
    Hanemile. Who is going to talk a little
  • 0:26 - 0:28
    bit about the struggles you are facing
  • 0:28 - 0:31
    when trying to find the next capture the
  • 0:31 - 0:33
    flag (CTF) adventure and how he is
  • 0:33 - 0:34
    proposing to solve the problem.
  • 0:36 - 0:38
    Please join me in welcoming Emile.
  • 0:43 - 0:46
    Hi, I am going to talk about CTF in a box.
  • 0:46 - 0:48
    It is the story of what problems we
  • 0:48 - 0:51
    found when playing CTFs. How we plan
  • 0:51 - 0:52
    to solve the problems; we built a
  • 0:52 - 0:55
    prototype, tested it and the problems
  • 0:56 - 1:00
    that came after that. So, first who am I
  • 1:00 - 1:05
    I am Emile, @hanemile at post platforms.
  • 1:05 - 1:07
    Studying computer science at Düsseldorf.
  • 1:07 - 1:09
    Playing CTF with @flexerilla or sometimes
  • 1:09 - 1:11
    as a single player.
  • 1:12 - 1:15
    Let's start with the current solutions.
  • 1:15 - 1:19
    Playing CTF we currently have, like, 3
  • 1:19 - 1:23
    main platforms. The most used framework
  • 1:23 - 1:26
    used currently is CTFd.
  • 1:26 - 1:30
    CTFd is the first thing you'll find if you
  • 1:30 - 1:33
    google "hey I want to host a CTF, what
  • 1:33 - 1:34
    do I do?"
  • 1:34 - 1:36
    Second thing is hack the box
  • 1:37 - 1:40
    that is another case study, well case
  • 1:40 - 1:45
    study. More so a framework to host CTFs
  • 1:45 - 1:48
    but you can't use it, because it is
  • 1:48 - 1:50
    actually closed source. Meaning that
  • 1:50 - 1:52
    you can only play with that. The last
  • 1:53 - 1:55
    solution is custom frameworks. So,
  • 1:56 - 1:58
    these are frameworks used by teams.
  • 1:58 - 1:59
    They build them themselves, like
  • 2:00 - 2:02
    at this year's CTF.
  • 2:02 - 2:05
    So, CTFd looks like this. People may have
  • 2:05 - 2:08
    played CTF may have seen it since most
  • 2:08 - 2:11
    CTFs are hosted on CTFd. Overall
  • 2:11 - 2:15
    it is pretty basic, looks a bit bootstrappy.
  • 2:15 - 2:17
    I'll come back to what the problems are
  • 2:17 - 2:22
    later. Hack the box, the people who have
  • 2:22 - 2:23
    not seen it, it looks like this. This is
  • 2:23 - 2:26
    the machine view. Because hack the
  • 2:26 - 2:29
    box differentiates between machines
  • 2:29 - 2:32
    and challenges. Challenges are simply
  • 2:32 - 2:34
    files from where you need to find the
  • 2:34 - 2:36
    flag. Machines are a bit more, where
  • 2:36 - 2:39
    you have an actual machine from where
  • 2:39 - 2:41
    you need to find the flag in the actual
  • 2:41 - 2:43
    services running on the machine.
  • 2:43 - 2:44
    So, it is a bit more.
  • 2:44 - 2:46
    And custom ones. This is an image of
  • 2:46 - 2:52
    a current CTF organised by HXV.
  • 2:52 - 2:56
    It is pretty much CTFd, but built by
  • 2:56 - 2:58
    their own.
  • 2:58 - 3:00
    So, what are the problems with this?
  • 3:00 - 3:02
    Well, let's start with CTFd, where there
  • 3:02 - 3:04
    aren't actual problems, in my opinion.
  • 3:04 - 3:06
    It is mostly a static hoster, for files
  • 3:06 - 3:10
    you want people to use for the CTF and
  • 3:10 - 3:13
    some custom infrastructure for score
  • 3:13 - 3:18
    board, registration and stuff like that.
  • 3:18 - 3:27
    Hack the box is kind of closed source,
  • 3:27 - 3:28
    why I say "kind of" because you can
  • 3:28 - 3:29
    actually use it, you can see how it is
  • 3:29 - 3:33
    built up, you could build it yourself
  • 3:33 - 3:40
    and the problem we had when playing
  • 3:40 - 3:42
    with hack the box was that we had some
  • 3:42 - 3:43
    reverse shells at the root of the
  • 3:43 - 3:45
    challenges. As well as other problems like
  • 3:45 - 3:47
    multiple people writing in to some
  • 3:47 - 3:49
    challenges and that some files were
  • 3:49 - 3:52
    there, that should not have been. Which
  • 3:52 - 3:55
    was really annoying sometimes. Like we
  • 3:55 - 3:58
    started a challenge and saw that there
  • 3:58 - 4:00
    is a reverse shell for getting root in
  • 4:00 - 4:03
    root, you don't have to do anything.
  • 4:03 - 4:08
    There are shared challenge instances
  • 4:08 - 4:10
    the problem we saw that was you
  • 4:10 - 4:13
    have multiple hundred people playing the
  • 4:13 - 4:17
    same instance, where we could see what
  • 4:17 - 4:21
    other people were uploading to the
  • 4:21 - 4:23
    instance. Which kind of helped us and
  • 4:23 - 4:25
    found out that it could be kind of
  • 4:25 - 4:28
    optimised. The third problem, well
  • 4:28 - 4:32
    problem, but it is custom frameworks.
  • 4:32 - 4:35
    You might find errors in custom frameworks
  • 4:35 - 4:38
    allowing to get flags that aren't used
  • 4:38 - 4:45
    without solving the challenge. So, it is
  • 4:45 - 4:47
    now a ping pong between finding a problem
  • 4:47 - 4:52
    and finding a solution. The simplest
  • 4:52 - 4:55
    solution we tried to implement at our CTF
  • 4:55 - 4:57
    at a local hackerspace was to generate
  • 4:57 - 4:59
    a single challenge instance for every
  • 4:59 - 5:01
    player/team. This means that every
  • 5:01 - 5:04
    challenge we built was simply a docker
  • 5:04 - 5:06
    container somewhere and for everyone
  • 5:06 - 5:08
    who wanted to play it started a new docker
  • 5:08 - 5:12
    container. We first thought that this
  • 5:12 - 5:15
    would bring a lot of overhead, but it
  • 5:15 - 5:16
    didn't. We started multiple hundred
  • 5:16 - 5:20
    containers and it worked out fine. The
  • 5:20 - 5:21
    problem with this is that if you put
  • 5:21 - 5:24
    everything in a docker container, docker
  • 5:24 - 5:27
    escapes and sandbox escapes get really
  • 5:27 - 5:30
    useful. It would be fatal if someone could
  • 5:30 - 5:34
    break out of the container. We got
  • 5:34 - 5:36
    solutions for the possible problems.
  • 5:36 - 5:45
    You could place everything in a VM or
  • 5:45 - 5:49
    nsjail in order to isolate the process.
  • 5:49 - 5:54
    Stopping people from actually breaking
  • 5:54 - 5:56
    out. Another possible solution would be
  • 5:56 - 6:00
    to make it possible for people to break
  • 6:00 - 6:01
    out, which you don't actually want to
  • 6:01 - 6:04
    make possible. But you don't want people
  • 6:04 - 6:08
    to have anything in case; custom flags
  • 6:08 - 6:10
    for custom teams.
  • 6:10 - 6:12
    We did by implementing our docker
  • 6:12 - 6:15
    containers as - or we implemented the
  • 6:15 - 6:20
    challenges or the flags get put into the
  • 6:20 - 6:22
    docker via environment variables.
  • 6:22 - 6:25
    So when you are starting your docker
  • 6:25 - 6:27
    container you just set an environment
  • 6:27 - 6:29
    variable with your flag. And in the docker
  • 6:29 - 6:30
    container you have a little script that is
  • 6:30 - 6:32
    pushing your flag to the place you want
  • 6:32 - 6:34
    it to be. Then unsetting the environment
  • 6:34 - 6:36
    variable and deleting everything else.
  • 6:36 - 6:38
    Meaning no trace of the flag, where there
  • 6:38 - 6:40
    should not be. That worked out pretty
  • 6:40 - 6:43
    well. So, that is the CIRCUS prototype
  • 6:43 - 6:44
    that we used.
  • 6:44 - 6:47
    A little story for that - we had the
  • 6:47 - 6:49
    18th anniversary of our hackerspace
  • 6:49 - 6:50
    this year and we thought that we
  • 6:50 - 6:52
    need a CTF for that.
  • 6:52 - 6:54
    In a week before we realised that it is
  • 6:54 - 6:57
    in a week so we quickly started building
  • 6:57 - 6:58
    a prototype for it.
  • 6:58 - 6:59
    And called it CIRCUS.
  • 6:59 - 7:01
    Because it looks like a circus.
  • 7:01 - 7:03
    That is a graph showing how the
  • 7:03 - 7:06
    containers interact with each other.
  • 7:08 - 7:10
    The goal with this was that we wanted a
  • 7:10 - 7:12
    place where the teams could register
  • 7:12 - 7:13
    and get a known companion.
  • 7:13 - 7:16
    A companion in our system was a place
  • 7:16 - 7:17
    where people could go and spawn
  • 7:17 - 7:19
    individual containers.
  • 7:19 - 7:21
    Because companion spawns in VPN
  • 7:21 - 7:23
    containers impacts all other containers
  • 7:23 - 7:25
    in to that network.
  • 7:25 - 7:27
    So, people would go and get the VPN
  • 7:27 - 7:30
    config and can access the challenges.
  • 7:30 - 7:32
    It is really similar to how hack the box
  • 7:32 - 7:35
    works. A problem with this was that
  • 7:35 - 7:40
    we got one companion container per user
  • 7:40 - 7:41
    or per team. And we got n challenges
  • 7:41 - 7:44
    that can be spawned. Meaning that we got
  • 7:44 - 7:47
    n teams with m challenge computers
  • 7:47 - 7:49
    we end up with a lot of containers.
  • 7:49 - 7:52
    What you are seeing here is just a listing
  • 7:52 - 7:54
    of all the containers that we had spawned
  • 7:54 - 7:56
    after day 1 of the CTF, with 10
  • 7:56 - 7:59
    participants or so. But we had like
  • 7:59 - 8:01
    50 containers at that point.
  • 8:03 - 8:04
    Which was quite a bit.
  • 8:04 - 8:07
    At the end of the CTF we had about
  • 8:07 - 8:09
    120 containers up and running.
  • 8:10 - 8:12
    You might think that a lot of containers
  • 8:12 - 8:14
    and people doing stuff in the containers
  • 8:14 - 8:16
    that must cost a lot of computational
  • 8:16 - 8:17
    power. But it actually worked out.
  • 8:17 - 8:21
    We had set up a virtual machine
  • 8:21 - 8:25
    8 core 16 bit of RAM, and it always
  • 8:25 - 8:26
    looked like nothing at all was
  • 8:26 - 8:30
    happening. Until someone set up
  • 8:30 - 8:32
    a cryptominer and had fun with that.
  • 8:32 - 8:34
    Since, we went on a machine and saw
  • 8:34 - 8:36
    "Where is this load coming from?"
  • 8:36 - 8:39
    We identified that this was a container
  • 8:39 - 8:40
    that some of the team set up.
  • 8:40 - 8:41
    Not me.
  • 8:43 - 8:46
    We had some people try with names,
  • 8:46 - 8:48
    we screwed up the sanitation a bit
  • 8:48 - 8:50
    because it was all really quick and that
  • 8:50 - 8:52
    is a learning for everything - that
  • 8:52 - 8:53
    it doesn't work.
  • 8:53 - 8:56
    The XSS you are seeing here didn't also
  • 8:56 - 8:59
    work for the person trying it
  • 8:59 - 9:00
    - which was kind of weird.
  • 9:00 - 9:02
    We did set up a super basic scoreboard.
  • 9:02 - 9:04
    So, as you can see we tried to build a
  • 9:04 - 9:06
    CTF framework on our own.
  • 9:06 - 9:08
    And it kind of worked, it was all
  • 9:08 - 9:11
    built in a few days and very much
  • 9:11 - 9:14
    like shitty CTFd.
  • 9:16 - 9:17
    What we want to do now is to find out
  • 9:18 - 9:20
    what we want to do and what we don't.
  • 9:21 - 9:23
    What we want to do is to allow
  • 9:23 - 9:25
    people to spawn containers
  • 9:25 - 9:26
    with their challenges. So, we solved
  • 9:26 - 9:28
    the problem of multiple people
  • 9:28 - 9:31
    acting on one challenge or instance
  • 9:31 - 9:32
    of a challenge.
  • 9:33 - 9:37
    By allowing this we don't allow them to
  • 9:37 - 9:39
    spawn infinite containers.
  • 9:39 - 9:42
    Maybe some of you have played Alice CTF
  • 9:42 - 9:43
    or GM CTF.
  • 9:43 - 9:46
    That was pretty fun because there
  • 9:46 - 9:47
    was a challenge exciting
  • 9:47 - 9:50
    devops challenge and it was exactly like
  • 9:50 - 9:52
    this. You could spawn containers/
  • 9:52 - 9:55
    a complete set up for you to play in.
  • 9:55 - 9:57
    But you had to do a proof of work, meaning
  • 9:58 - 10:00
    to calculate something so that you could
  • 10:00 - 10:03
    not just spawn challenge instances as much
  • 10:03 - 10:04
    as you liked.
  • 10:04 - 10:07
    Another thing you might keep in mind
  • 10:07 - 10:10
    when doing this is to not mount the
  • 10:10 - 10:13
    docker socket into everything.
  • 10:13 - 10:16
    As fun as it is to spawn docker
  • 10:16 - 10:17
    containers from docker containers, it is
  • 10:18 - 10:21
    a giant security risk. If people have
  • 10:21 - 10:23
    access to the docker socket they can
  • 10:23 - 10:27
    docker containers and do shit.
  • 10:29 - 10:31
    Dos and don'ts.
  • 10:31 - 10:32
    A lot of players do execute stuff in
  • 10:32 - 10:34
    containers. Just having a container with
  • 10:34 - 10:38
    just static files are fun, but we wanted
  • 10:38 - 10:41
    to have more. Allowing people to
  • 10:41 - 10:44
    execute stuff in containers can be
  • 10:44 - 10:48
    a problem, but you can limit what people can
  • 10:48 - 10:51
    do. Meaning that allow people to do stuff
  • 10:51 - 10:54
    but don't allow them to do too much.
  • 10:54 - 10:57
    And that worked out in our case.
  • 10:57 - 10:59
    As said before, we tried it with like 10
  • 11:00 - 11:01
    people in our local CTF.
  • 11:01 - 11:04
    Seeing where the problems get when we
  • 11:04 - 11:05
    put really good CTF teams on it, and to
  • 11:05 - 11:07
    see if they can break out would be really
  • 11:07 - 11:07
    interesting to see.
  • 11:09 - 11:12
    As I said, don't allow, or allow people
  • 11:12 - 11:14
    to do stuff, but don't allow them to do
  • 11:14 - 11:15
    too much stuff.
  • 11:15 - 11:18
    Implement techniques so that it works
  • 11:19 - 11:23
    out. One thing that I had to keep in mind
  • 11:23 - 11:25
    was to keep things simple.
  • 11:25 - 11:29
    During the CTF I realised that, we built
  • 11:29 - 11:31
    a lot of stuff and it was a little bit
  • 11:31 - 11:33
    overcomplicated and made things a little
  • 11:33 - 11:37
    bit too hard to fix. I would keep in mind
  • 11:37 - 11:40
    for future CTF frameworks to keep it as
  • 11:40 - 11:42
    simple as possible, in case anything
  • 11:42 - 11:44
    breaks it will be a 5 minute job to fix it.
  • 11:48 - 11:51
    If you were too lazy to listen, here is a
  • 11:51 - 11:54
    recap. Create new platforms, CTF
  • 11:54 - 11:56
    platforms are really interesting.
  • 11:56 - 11:59
    I found a lot of topics I could work in to
  • 11:59 - 12:02
    while building this and I am not at the
  • 12:02 - 12:05
    end yet. There is still a lot of things
  • 12:05 - 12:08
    that I need to look into. But to allow
  • 12:08 - 12:10
    for a place to play the game and limit
  • 12:10 - 12:12
    the bad stuff. For people thinking why
  • 12:13 - 12:15
    docker, people at our local hackerspace
  • 12:15 - 12:17
    ask all the time "why are you using docker
  • 12:17 - 12:19
    since there are so many known exploits for
  • 12:19 - 12:19
    that?"
  • 12:20 - 12:23
    Finding alternatives would have been an
  • 12:23 - 12:26
    option, but I am used to docker - and
  • 12:26 - 12:28
    I actually wanted to use docker.
  • 12:28 - 12:29
    So, that was kind of nice.
  • 12:29 - 12:34
    So if you know a better solution: find the
  • 12:34 - 12:36
    solution, implement it and try out the
  • 12:36 - 12:39
    CTF. Another thing I wanted to say here
  • 12:39 - 12:43
    that while using docker it might be
  • 12:43 - 12:45
    insecure, but you could also implement a
  • 12:45 - 12:47
    lot of stuff in order to secure it.
  • 12:47 - 12:51
    Like implementing custom flags for teams,
  • 12:51 - 12:53
    so if a team has got a custom flag
  • 12:53 - 12:55
    it can't just break out of the container
  • 12:55 - 12:58
    and get the flag from another team.
  • 12:58 - 12:59
    Since it is really team specific.
  • 12:59 - 13:01
    That was what we wanted to do with the
  • 13:01 - 13:04
    environment variable in the challenge
  • 13:04 - 13:09
    containers. Because then we could start
  • 13:10 - 13:11
    the containers as we went.
  • 13:13 - 13:15
    That's actually the end.
  • 13:17 - 13:20
    What I still want to say is that sometime
  • 13:21 - 13:23
    next year we want to play the CIRCLE CTF
  • 13:23 - 13:25
    with the platform we built, just to try it
  • 13:25 - 13:27
    out, but at a larger scale. So, if you
  • 13:28 - 13:31
    are an active CTF player we are going to
  • 13:31 - 13:35
    be there and organise a complete new CTF
  • 13:35 - 13:39
    with us with fun challenges.
  • 13:39 - 13:42
    I got some of the challenges with me so,
  • 13:42 - 13:44
    if you are interested in how this might
  • 13:44 - 13:47
    look or what can be done then just come
  • 13:47 - 13:49
    to my table.
  • 13:55 - 13:58
    Also, if you are interested in discussing
  • 13:58 - 13:59
    solutions on how this could be done better
  • 14:00 - 14:02
    then just drop by.
  • 14:02 - 14:05
    If you got questions, watching the live
  • 14:05 - 14:08
    stream then just tweet me at: @hanemile.
  • 14:10 - 14:11
    That was it.
  • 14:20 - 14:23
    Does anyone have any direct questions?
  • 14:46 - 14:48
    Thanks again Emile.
  • 14:48 - 14:49
    Translated by CS (ITKST56 course assignment at JYU.FI)
Video Language:
English
Duration:
15:20