We are about to start the next talk right here. So, I am very happy to introduce Hanemile, who is going to talk a little bit about the struggles you are facing when trying to find the next capture the flag (CTF) adventure and how he is proposing to solve the problem. Please join me in welcoming Emile.
Hi, I am going to talk about CTF in a box. It is the story of what problems we found when playing CTFs, how we plan to solve the problems; we built a prototype, tested it, and the problems that came after that. So, first, who am I? I am Emile, @hanemile on most platforms, studying computer science at Düsseldorf, playing CTF with @flexerilla or sometimes as a single player.
Let's start with the current solutions. Playing CTF we currently have, like, three main platforms. The most used framework currently is CTFd. CTFd is the first thing you'll find if you google "hey, I want to host a CTF, what do I do?" The second thing is Hack The Box; that is another case study, well, more so a framework to host CTFs, but you can't use it, because it is actually closed source, meaning that you can only play with that. The last solution is custom frameworks. So, these are frameworks used by teams; they build them themselves, like at this year's CTF.
So, CTFd looks like this. People who have played CTF may have seen it, since most CTFs are hosted on CTFd. Overall it is pretty basic, looks a bit bootstrappy. I'll come back to what the problems are later. Hack The Box, for the people who have not seen it, looks like this. This is the machine view, because Hack The Box differentiates between machines and challenges. Challenges are simply files from where you need to find the flag. Machines are a bit more, where you have an actual machine from where you need to find the flag in the actual services running on the machine. So, it is a bit more. And custom ones. This is an image of a current CTF organised by HXV. It is pretty much CTFd, but built by their own.
So, what are the problems with this? Well, let's start with CTFd, where there aren't actual problems, in my opinion. It is mostly a static hoster for files you want people to use for the CTF and some custom infrastructure for scoreboard, registration and stuff like that. Hack The Box is kind of closed source; why I say "kind of" is because you can actually use it, you can see how it is built up, you could build it yourself. And the problem we had when playing with Hack The Box was that we had some reverse shells at the root of the challenges, as well as other problems like multiple people writing into some challenges and that some files were there that should not have been, which was really annoying sometimes. Like, we started a challenge and saw that there is a reverse shell for getting root in root; you don't have to do anything. There are shared challenge instances; the problem we saw with that was you have multiple hundred people playing the same instance, where we could see what other people were uploading to the instance, which kind of helped us, and we found out that it could be kind of optimised. The third problem, well, problem, but it is custom frameworks. You might find errors in custom frameworks allowing you to get flags that aren't used without solving the challenge. So, it is
now a ping pong between finding a problem and finding a solution. The simplest solution we tried to implement at our CTF at a local hackerspace was to generate a single challenge instance for every player/team. This means that every challenge we built was simply a docker container somewhere, and for everyone who wanted to play it, we started a new docker container. We first thought that this would bring a lot of overhead, but it didn't. We started multiple hundred containers and it worked out fine. The problem with this is that if you put everything in a docker container, docker escapes and sandbox escapes get really useful. It would be fatal if someone could break out of the container. We got solutions for the possible problems. You could place everything in a VM or nsjail in order to isolate the process, stopping people from actually breaking out. Another possible solution would be to make it possible for people to break out, which you don't actually want to make possible, but in case they do, you don't want people to have anything: custom flags for custom teams.

We did this by implementing our docker containers as... or rather, we implemented the challenges so that the flags get put into the docker container via environment variables. So when you are starting your docker container, you just set an environment variable with your flag, and in the docker container you have a little script that is pushing your flag to the place you want it to be, then unsetting the environment variable and deleting everything else, meaning no trace of the flag where there should not be. That worked out pretty well. So, that is the CIRCUS prototype that we used.
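As an added example (not code from the talk or from the CIRCUS prototype), the following POSIX entrypoint script sketches the flag-injection pattern the speaker describes: the orchestrator starts the container with the per-team flag in an environment variable, the script writes it to its destination, drops the variable, and then exec's the challenge service so that the service process never inherits it. The variable name FLAG, the destination FLAG_DEST, the command CHALLENGE_CMD and the paths are assumptions; the "delete everything else" self-cleanup the speaker mentions is left out.

```sh
#!/bin/sh
# Added example, not from the talk or CIRCUS: per-instance flag injection
# for a challenge container. The orchestrator starts the container with
# FLAG=<per-team flag> in the environment; this entrypoint writes the flag
# where the challenge expects it, drops the variable, and exec's the service.
# FLAG, FLAG_DEST and CHALLENGE_CMD are assumed names, not the talk's.
set -eu

# place_flag DEST: write $FLAG to DEST as a read-only file, then remove
# FLAG from the environment. Returns 1 (and writes nothing) if no flag
# was provided, so a misconfigured instance fails loudly instead of
# starting without a flag.
place_flag() {
    dest="$1"
    if [ -z "${FLAG:-}" ]; then
        echo "place_flag: FLAG is not set" >&2
        return 1
    fi
    # Create the file under a restrictive umask so it is never momentarily
    # world-readable, then make it read-only for everyone.
    (umask 077 && printf '%s\n' "$FLAG" > "$dest")
    chmod 0444 "$dest"
    # Drop the variable from this shell so nothing spawned later inherits it.
    unset FLAG
    return 0
}

# flag_leaked_to_env: succeeds (0) if a FLAG variable is still exported,
# fails (1) otherwise. Used as a self-check before starting the service.
flag_leaked_to_env() {
    env | grep -q '^FLAG='
}

# Only behave as a real entrypoint when invoked with --start; this keeps
# the functions usable on their own for testing.
if [ "${1:-}" = "--start" ]; then
    place_flag "${FLAG_DEST:-/flag}"
    if flag_leaked_to_env; then
        echo "refusing to start: FLAG still in environment" >&2
        exit 1
    fi
    # exec replaces this shell, so /proc/1/environ of the service shows
    # the trimmed environment, not the one the container was started with.
    exec ${CHALLENGE_CMD:-/challenge/service}
fi
```

Two caveats worth keeping in mind with this pattern: the value passed with `-e FLAG=...` is still recorded in the container's configuration on the host (visible through `docker inspect`), so it only hides the flag from what is visible inside the container, which is the threat the talk is addressing; and because every team gets its own flag, a flag that turns up where it should not identifies the instance it came from, which is exactly why the speaker pairs per-team flags with per-team containers.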