36C3 ChaosWest: CTF in a box

0:19 - 0:21

We are about to start the next talk right
0:21 - 0:23

here. So, I am very happy to introduce
0:23 - 0:26

Hanemile. Who is going to talk a little
0:26 - 0:28

bit about the struggles you are facing
0:28 - 0:31

when trying to find the next capture the
0:31 - 0:33

flag (CTF) adventure and how he is
0:33 - 0:34

proposing to solve the problem.
0:36 - 0:38

Please join me in welcoming Emile.
0:43 - 0:46

Hi, I am going to talk about CTF in a box.
0:46 - 0:48

It is the story of what problems we
0:48 - 0:50

found when playing CTFs. How we plan
0:50 - 0:52

to solve the problems; we built a
0:52 - 0:55

prototype, tested it and the problems
0:56 - 1:00

that came after that. So, first who am I
1:00 - 1:05

I am Emile, @hanmile at post platforms.
1:05 - 1:07

Studying computer science at Düsseldorf.
1:07 - 1:09

Playing CTF with @flexerilla or sometimes
1:09 - 1:11

as a single player.
1:12 - 1:15

Lets start with the current solutions.
1:15 - 1:19

Playing CTF we currently have, like, 3
1:19 - 1:23

main platforms. The most used framework
1:23 - 1:26

used currently is CTFd.
1:26 - 1:30

CTFd is the first thing you'll find if you
1:30 - 1:33

google "hey I want to host a CTF, what
1:33 - 1:34

do I do?"
1:34 - 1:36

Second thing is hack the box
1:37 - 1:40

that is another case study, well case
1:40 - 1:45

study. More so a framework to host CTFs
1:45 - 1:48

but you can't use it, because it is
1:48 - 1:50

actually close sourced. Meaning that
1:50 - 1:52

you can only play with that. The last
1:53 - 1:55

solution is custom frameworks. So,
1:56 - 1:58

these are frameworks used by teams.
1:58 - 1:59

They build them themselves, like
2:00 - 2:02

at this years CTF.
2:02 - 2:05

So, CTFd looks like this. People may have
2:05 - 2:08

played CTF may have seen it since most
2:08 - 2:11

CTFs are hosted on CTFd. Overall
2:11 - 2:15

it is pretty basic, looks bit bootstrappy.
2:15 - 2:17

I´ll come back to what the problems are
2:17 - 2:22

later. Hack the box, the people who have
2:22 - 2:23

not seen it, it looks like this. This is
2:23 - 2:26

the machine view. Because hack the
2:26 - 2:29

box differentiate between machines
2:29 - 2:32

and challenges. Challenges are simply
2:32 - 2:34

files from where you need to find the
2:34 - 2:36

flag. Machines are a bit more, where
2:36 - 2:39

you an actual machine from where
2:39 - 2:41

you need to find the flag in the actual
2:41 - 2:43

services running on the machine.
2:43 - 2:44

So, it is a bit more.
2:44 - 2:46

And custom ones. This is an image of
2:46 - 2:52

a current CTF organised by HXV.
2:52 - 2:56

It is pretty much CTFd but, but built by
2:56 - 2:58

their own.
2:58 - 3:00

So, what are the problems with this?
3:00 - 3:02

Well, lets start with CTFd, where there
3:02 - 3:04

aren't actual problems, in my opinion.
3:04 - 3:06

It is mostly a static hoster, for files
3:06 - 3:10

you want people to use for the CTF and
3:10 - 3:13

some custom infrastructure for score
3:13 - 3:18

board, registration and stuff like that.
3:18 - 3:27

Hack the box is kind of close sourced,
3:27 - 3:28

why I say "kind of" because you can
3:28 - 3:29

actually use it, you can see how it is
3:29 - 3:33

built up, you could build it your self
3:33 - 3:40

and the problem we had when playing
3:40 - 3:42

with hack the box was that we had some
3:42 - 3:43

reverse shells at the root of the
3:43 - 3:45

challenges. As well as other problems like
3:45 - 3:47

multiple people writing in to some
3:47 - 3:49

challenges and that some files where
3:49 - 3:52

there, that should not have been. Which
3:52 - 3:55

was really annoying sometimes. Like we
3:55 - 3:58

started a challenges and saw that there
3:58 - 4:00

is a reverse shell for getting root in
4:00 - 4:03

root, you don't have to do anything.
4:03 - 4:08

There are shared challenge instances
4:08 - 4:10

the problem we saw that was you
4:10 - 4:13

have multiple hundre people playing the
4:13 - 4:17

same instance, where we could see what
4:17 - 4:21

other people where uploading to the
4:21 - 4:23

instance. Which kind of helped us and
4:23 - 4:25

found out that it could be kind of
4:25 - 4:28

optimised. The third problem, well
4:28 - 4:32

problem, but it is custom frameworks.
4:32 - 4:35

You might find errors in custom frameworks
4:35 - 4:38

allowing to get flags that aren't used
4:38 - 4:45

without solving the challenge. So, it is
4:45 - 4:47

now a ping pong between finding a problem
4:47 - 4:52

and finding a solution. The simplest
4:52 - 4:55

solution we tried to implement at our CTF
4:55 - 4:57

at a local hackrrspace was to generate
4:57 - 4:59

a single challenge instance for every
4:59 - 5:01

player/ team. This means that every
5:01 - 5:04

challenge we built was simply a docker
5:04 - 5:06

container somewhere and for everyone
5:06 - 5:08

who wanted to play it started a new docker
5:08 - 5:12

contianer. We first thought that this
5:12 - 5:15

would bring a lot of overhead, but it
5:15 - 5:16

didn't. We started multiple hundred
5:16 - 5:20

containers and it worked out fine. The
5:20 - 5:21

problem with this is that if you put
5:21 - 5:24

everything in a doker container docker
5:24 - 5:27

escapes and sandbox escapes get really
5:27 - 5:30

useful. It would be fatal if someone could
5:30 - 5:34

breakout of the container. We got
5:34 - 5:36

solutions for the possible problems.
5:36 - 5:45

You could place everything in a VM or
5:45 - 5:49

nsjail in order to isolate the process.
5:49 - 5:54

Stopping people from actually breaking
5:54 - 5:56

out. Another possible solution would be
5:56 - 6:00

to make it possible for people to break
6:00 - 6:01

out, which you don't actually want to
6:01 - 6:04

make possible. But you don't want people
6:04 - 6:08

to have anything in case; custom flags
6:08 - 6:10

for custom teams.
6:10 - 6:12

We did by implementing our docker
6:12 - 6:15

containers as - or we implemented the
6:15 - 6:20

challenges or the flags get put into the
6:20 - 6:22

docker via environment variables.
6:22 - 6:25

So when you are starting your docker
6:25 - 6:27

container you just set an environment
6:27 - 6:29

variable with you flag. And in the docker
6:29 - 6:30

container you have a little scrip that is
6:30 - 6:32

pushing your flag to the place you want
6:32 - 6:34

it to be. Then unsetting the environment
6:34 - 6:36

variable and deleting everything else.
6:36 - 6:38

Meaning no trace of the flag, where there
6:38 - 6:40

should not be. That worked out pretty
6:40 - 6:43

well. So, that is the CIRCUS prototype
6:43 - 6:44

that we used.
6:44 - 6:47

A little story for that - we had the
6:47 - 6:49

18th anniversary of our hackerspace
6:49 - 6:50

this year and we thought that we
6:50 - 6:52

need a CTF for that.
6:52 - 6:54

In a week before we realised that it is
6:54 - 6:57

in a week so we quickly started building
6:57 - 6:58

a prototype for it.
6:58 - 6:59

And called it CIRCUS.
6:59 - 7:01

Because it looks like a circus.
7:01 - 7:03

That is a graph showing how the
7:03 - 7:06

containers interact with each other.
7:08 - 7:10

The goal with this was that we wanted a
7:10 - 7:12

place where the teams could register
7:12 - 7:13

and get a known companion.
7:13 - 7:16

A companion in our system was a place
7:16 - 7:17

where people could go and spawn
7:17 - 7:19

individual contianers.
7:19 - 7:21

Because companion spawns in VPN
7:21 - 7:23

containers impacts s all other containers
7:23 - 7:25

in to that network.
7:25 - 7:27

So, people would go and get the VPN
7:27 - 7:30

config and can access the challenges.
7:30 - 7:32

It is really similar to how hack the box
7:32 - 7:35

works. A problem with this was that
7:35 - 7:40

we got one companion container per user
7:40 - 7:41

or per team. And we got n challenges
7:41 - 7:44

that can be spawn. Meaning that we got
7:44 - 7:47

n teams with m challenge computers
7:47 - 7:49

we end up with a lot of containers.
7:49 - 7:52

What you are seeing here is just a listing
7:52 - 7:54

of all the containers that we had spawn
7:54 - 7:56

after day 1 of the CTF, with 10
7:56 - 7:59

participants or so. But we had like
7:59 - 8:01

50 containers at that point.
8:01 -

Which was quite a bit.

Title:: 36C3 ChaosWest: CTF in a box
Description:: more » « less
Video Language:: English
Duration:: 15:20

	cs edited English subtitles for 36C3 ChaosWest: CTF in a box
	cs edited English subtitles for 36C3 ChaosWest: CTF in a box
	cs edited English subtitles for 36C3 ChaosWest: CTF in a box
	cs edited English subtitles for 36C3 ChaosWest: CTF in a box
	cs edited English subtitles for 36C3 ChaosWest: CTF in a box
	cs edited English subtitles for 36C3 ChaosWest: CTF in a box
	cs edited English subtitles for 36C3 ChaosWest: CTF in a box
	cs edited English subtitles for 36C3 ChaosWest: CTF in a box

Show all

English subtitles

Revisions Compare revisions

Revision 11 Edited

cs
Revision 10 Edited

cs
Revision 9 Edited

cs
Revision 8 Edited

cs
Revision 7 Edited

cs
Revision 6 Edited

cs
Revision 5 Edited

cs
Revision 4 Edited

cs
Revision 3 Edited

cs
Revision 2 Edited

cs
Revision 1 Edited

C3Subtitles

	Revision Number	Author	Created
	11	cs
	10	cs
	9	cs
	8	cs
	7	cs
	6	cs
	5	cs
	4	cs
	3	cs
	2	cs
	1	C3Subtitles

36C3 ChaosWest: CTF in a box

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)