
well to start with thank you all for coming and talk today it readings vacuum perhaps the bag is I'm English I really wish I could've played and participated in but I was a lot younger you didn't have all this writing if you teachers was done virtually by just breaking in dealer I can beat the book so really CTF is me we talk about and this talk is really designed to give people insight in how does it approach CTFs how to start CTF who therefore et cetera so to start with we're gonna go through who we are my name's Bankart I'm the only reservation I run from the ten games which just by cleaning at the
minute in Leeds I'm in an IT and technology security consultant I've been in the industry for about twenty years I come from a support and design background and I moved into a offensive security you plus design space so I help organizations I get to fire from PPS at noon to try and help them understand their financial models and resources probably aren't aligned very well to protecting their businesses you have time money means I mean to fair dang give it a quick intro to herself probably doesn't really do injustice it gives a lot back to the community so if you don't follow me on Twitter I think probably lot of people in everyone do if you don't do it
he's always posting things that are helpful certainly want to add so yeah so I mean I've been in the industry like that about 15 RGS so you may 13 years we've got to sort of give back and ask big thing that we want to do we'll try and get back to you as much as possible and that's really what BSides is all about and in throughout 2019 I've been doing that through a workshop called WTF is CTI so I have an architecture background and a intelligence background alongside my 15 odd years in cyber I've worked as a military intelligence operator of about 6 years so I have a purist Intel aspects and I've made use those to the last six years so the
workshop is kind of been introducing people to CTI and and Dan he's been often working with doing the PwnDefend activities that summer BSides Leeds nineteen and over over a beer we decided to shoot basically his intro into into CTF so I'm not a Red Team I'm not a hacker so this is quite new to me and over the last six months I've sort of started my journey to learn that skill set and then the PwnDefend guys have really helped me a lot so I wanted to think that's a good option a lot of people to get involved in so let's talk about you know WTF is CTI so excitement sits in the CTF we have
still need really good in town so capture the flag okay to capture the flag what is it effectively a game and there's a game that's there for a number of different reasons so it can be used for competitions sometimes it's used for actually part of the interview process but ultimately what it's there for is to actually have fun it's to have fun and to learn and to actually progress in that skill set you don't have to go down the red teaming side of things to actually get involved in CTFs you can absolutely be part of the blue team side thing as well and if you know me my blue team I mean the defense side of things might be working a SOC
maybe you're doing in post-sec side things maybe your maybe your risk adviser or just management or team leader involved in those things CTF you can absolutely get involved in so you see them at conferences so such as BSides you see them at other events sometimes then we put on like InfoSec or SANS weeks and then also there's seasonal ones as well so with the Easter coming up as one was called Easter and this things often look like big bore but like Christmas and events like that so they all want to pop them up all the time so like I said predominately therefore have a fun for learning competitions and that's something else um in a little video we wanted to show
earlier but we'll pretty tweet it so again keep on awareness a pound of fame will tweet a link to every guy's called LiveOverflow it's a really good video it talks about this little demo of a massive CTF over in China and I think the price uh come in yet normalize but it was big money it was very easy for very experienced that's one of the things that one try and help share of the world is what the hell CTF is yet if you're not a player mean anything to you capture the flag games are very much like a computerized version of the physical game we used to
go and literally take factor rather than breaking the system steal sensitive data we were breaking the system steal sensitive flags and then work out how to determine them as well so it's really important to understand the I think most people think of CTF and they think of oh you've got to be a pentester to do CTF I'm try and get rid of that myth because Romina didn't like the unity challenge we've got we did the level of technical debt we liver damage like defense landscape everyone in the organization is part of the blue team even the red team part of the blue team so making sure all the pigment and Walker and Aunty decisions what their
technology configurations what the implications to their business and the risks are is really important and I think looking back over the years we've done a really bad job doing that right it's just I needed now I'm going to buy it I'm going to give it to IT to look after it we've deployed IT in a way which is incredibly insecure it's really poorly managed I'm going to slightly listen these faces but I think we've all seen in the news and for our working life the impact that technology about security determine implementation design configuration you know but whole life's like what happens to organizations and to us as people went and money's deployed Burnley yes I'm actually trying
to help people the skill in an area that is complex that is challenging but you know I think is making people think differently about what they've got in front of them so that they how can you use capture the flag games to improve education and awareness for people and have fun the Galea also in the so take away from that really is it's a game instead have fun and you have to learn from it and ultimately interesting there for everyone and I'm sort of touched a lot on this piece about really don't talk about sort of bit more buns recap the skills one of the things that I've seen in the morning super in the marketing sense you
will be told time and time again that we have a cyber skills gap built into it and I kind of agree and disagree with them because I spend a lot of my time online and in the community and we have an absolute abundance of skills what we don't have is an abundance of good at the use of the skills we have a problem with our hiring processes but we have problem with expectations and this field is huge private and that you know any event to a great level and the more you go into it the more you realize that you know less and less every day not only that but like me some people we
know that the more you learn the more you forget so much are you be sitting talking to people about stuff that I've done a video on YouTube or even a presentation on and I can't remember the stuff that I've taught you so it's a really really very good wide landscape and this cyber skills taught is I think is being peddled in the wrong way right it is you see people calling it out and it's usually related to a product or a solution and studying perspective whereas actually I think we need to change the way we approach to getting skills and how to enable people to move through a young age and to leverage technology to understand the priorities
of purity implications and how we actually take them through that journey and then not just in the side as well right it's not not everyone just hacking away in a bitty looking your cat means this is for everyone you know is it more important have offensive cyber security capability inside most UK organizations or is it more important to have integrators architects engineers and developers certain systems in properly yep I'm in a say that it's more important to have the latter but having events as heels is great and it lets you demonstrate and let's have controls but what we're eating to do is we're going to stop being at the start managing the lifecycle and not going to this usual
point where we go right plan great get some money usually not enough design it's how I want it to be this might be how it looks build configure all the usual spanner in engineering and I've got some tip that go along the way and then at the very end just before you want to go live all we need to do a pen test and that if we abnormal my face everywhere and we need to change that we need to make it so that the ship left security goes way further then those of the developers I just need to go to board level it needs to go to program level and III financially understood by businesses
because until their financial costs change and the bodies change but what you do downstream is gonna be affected heavily because you're constructed in Greece absolutely shifting left isn't left enough for my appointment year day needs to go right into the financial belly of a business people need to understand what the risks are and then how to take the correct resources to get superior content on you right yeah yeah I completely agree and in the security is too often an afterthought it should be one of the first things you start to do you design something very piratey into it and the human doing that is something like a CTF you're included to learn they have fun it's the best way
they manage to do do strongly believe CTFs are kind of the way forward for a lot of a lot of training helps bring the community together as well we're not having to find them all support so we actually think it's the best approach and it kind of helps us sort of when we hear people about hacking CTF is important that we think well that's not criminality thing assess improving our skill so it's not it's preventing the criminality so they just put in defenses in place and there's lots of guys out at the moment this sort of do this talk about any of the guys in their own those common platforms matter further on my favorite platforms Hack The Box
mmm Hack The Box is great like I said when I was kid would love this problem happy he's doing when having the certain paid parental controls you can go and test your skills and learn new effective technique and defensive techniques in a controlled arena where you're not breaking the law yeah he's a huge proper rule we've got an industry as well where the industry moorings in society the media portrayed that hackers are criminals and they used synonymously when I get into a taxi and the taxi what do you do I say oh I'm a security consultant look what does that mean so everybody that's left unplug and then immediately I get asked if I can break into a bank vault remember which
is great here I have to title my own professional and I've got career and let me be then after me to break the law but generally speaking the media we see people describing hackers as criminals and I think we need to tank that because the skills that we aren't joking with and the moral alignment we give people throughout their life will help steer them in the direction where we can use these skills for good rather than but yeah so there's plenty of stuff to talk about Hack The Box new a lot of you're aware of the OSCP that what you learnt at the PWK lab there's a 24 hour exam with that and that's within a lab
environment you got hack a bunch of systems hack East I mentioned OverTheWire is another good one to think about see that Root Me 24/7 CTF CTF365 CTFtime so that's quite good one to be aware of upcoming CTFs anime talked also about like SANS Holiday Hack and another one as well is source and up games of really introduction type stuff and the opposite is atoned a bit activities that we do events there's also studying patience so setting things like Immersive Labs to go SANS crawls Christ I think this is the we're talking with CTF the gaming things a lot right the that I've everyone else but at school I didn't particularly love some
of the subjects I was given but I did love that you need so I think capture the flag games or break mechanism to taking some people who the action run and through being talked to that make sense so I think it's a really good like multifaceted mechanism on each use in timely little notation but also for occupation and also just brought having fun there are some sneaky about things that they're all right yeah it's another thing I'd like to show hand it possible on who would say the reason mind they've not been involved in CTF so I've not really got humbly involved in it towards don't know where how to get started was founded maybe a little bit too
difficult you've got the first question and just haven't got a clue okay so call it quite few people yeah absolutely so it's really strings up like very unequal to break into a system where they've got no idea of what that is could be a web browser or a Google elevation starting this stuff is really difficult yeah and the barriers went through on that in some areas it is a challenge absolutely and in cyber defense cyber security is a team sport I say it all the time from the entire perspective as well and this should be wrong there's a lot of communities out there to make sure you you tend your be size get to know people all very
different of different things you can learn from one another and there's also many communities out there you can be involved in so one the ones we often go to is zero set to zero so how's that how ii i play in the Many Hats Club CTF thing where I can get on by only doing real work and there's loads of ways you can work together on getting to the community with people everyone's really helpful some like I said starting point going firm I can't break into a system to break into something is a bit like riding a bike so to start with this is quite a daunting task yeah there are people help on that darling cool so this is
methodology you want talking through this bit Kristen yeah yeah so I guess we've all got what CTFs are we talk about some of these new challenges we've talked about the fact that getting unions is quite difficult one of the things I guess to realize is that when we look at a fraction like FICA or get to the target and then a CTF lifecycle they are slightly different but they are very similar in this quite a few think you don't have to do is CTF that if you wanted to get in a real-life scenario alright for a professional or from empirical perspective you would want to do slightly differently the CTF approach doesn't exactly lead you into stealth
mode so the first thing we need to do is reconnaissance what you'll find is that in most capture the flag platforms and games and penetration testing and systems analysis sorry little bit trouble for victims games not different you least reconnaissance your target you need to understand who you're attacking you'll need to understand the landscape of target and that could be symptoms considering lighting that IP addresses for the us names the organisation and the scope in a CTF a lot of that stuff from real life is condensed down into you need to attack that target so recon from a CTF point of view if you like what flag am i going after I'm on my own what do you know what you're doing you'd
only have a target game to you and that you need to do enumeration though you'll run a series of networks going three rules twos up to nmap everyone use them up and then who's not used n method button with indicator yeah he's like get out you'll use nmap you'll use the lightning so you'll use tools like Burp Suite you'll use vulnerability scans like Rapid7 Nessus and OpenVAS the open source one you can use and you will then start looking in a target and probing for weaknesses this process is probably the most important and if not the most important because if you don't be there she doesn't know where to fire but if
you don't need that's off a honeypot you can walk for everyone's viewing kit everywhere so clearly a lot of people don't use this in the targeted month but it's really key to understanding pal get into scan and gather as much data as possible you might miss the key to the castle just focusing is amused ringing wrong word so one people then divide the target attack surface we then live to do some exploitation so here for example on pity service but say telnet with exposed palpable getting happy telling passwords would lead to the other day if talent was exposed need latency war versions of government remember you can get that from about so you talk with the service
and you say who are you and it may give you're lucky say is tell that burden X you can then look up at element version and see you're doing known vulnerabilities for this is are pointing to say there aren't any you're then going to say right okay so what can I try next I need to get in he's asking you for a username and password so then we could try attack such as brute force today to start doing credentials brain to try to gain in that way this is a rinse and repeat activity and I think like the the linear part isn't doesn't do this justice because what usually happens is you start looking at
something you move down to position you then realize you're banging your head against a brick wall and you zoom back up again you then trying to have revenues and that's like this is just like when you go through the head banging process is literally like that sometimes it can make you feel quite depressed it's not as a holistic point but where it's happening your target and it's just a recap on on that page so let's say that you go try a pull-up so you try to compromise or push and exploits that that particular service that might be patched you smuggler we're about to be another one you find going to so you've got to try different ways
hmm hopefully if you're lucky you will be able to have a successful exploit and you'll be out there getting access to a target system either through direct contact or through a reversion once you have a system you may have a very level of user happiness from limited fruit total system ownership if you're in a limited position you'll then to escalate privileges and get to a higher position where you've got more rights from a CTF point of view most CTFs have this linear phase you get the privilege escalation then you get a flag and then you've done what they missing out on is deadly lateral movement so because CTF platforms of straitened provider but they're not deadly building
massive networks you often just going lockbox come out again we're going to give a demo I'll be doing exactly that I hope the expert works good once you're in you grab your flags and you clean up this is slightly didn't reload because once really one system is unlikely you're going to have everything you want to get that target and a bit from Earth a non-criminal and from a personal perspective you will you get in somewhere and then you will need to look around for more systems you will need to move through the network but no if you want some people that love making life easy down gets us a pair I think you sort of sort of captured or the or the
salient points a sweets yeah sweets of people in suits tears and the knowledge and moment I forgot his name he's part of the teapot top of the seat here so yeah awesome to go betting group yeah so we've got stickers so given that on your laptop you need that to actually hack and also we might have some these Loveline know might actually have some swag downstairs well yeah we've got multiple limited selection right so we've got them stock or water bottles a few t-shirts and stickers and sweets because here's nothing sweet enough that's it exactly nothing behind but yeah so just come down say hi and then before we actually started to do stellar what that gets over Christ who Sam
you've been on this easier life okay live in a third room and that's cool who's got a talk with Russell you have to build a suit yep Claudia today no I'm simply and you go mister yeah yeah so what we do now quickly very quickly because I can see fibers presión I'm going to demonstrate a exploitation of MS17-010 some of you may have seen this all before but really this is talking through from a enumeration and mindset point achievement so I'm using Hack The Box for this mainly because the fact that it does a room from ready the that's how good I have it is look at the box around it and we're gonna do
some Hack The Box platform I've already connected to the VPN I already know the target I'm going for and I'm hoping that the Box still exploits on the server on the reset so the target we've got is an IP address it's 10.10.10.40 I'm going to type make typos hey look at that because on a 4G connection so God no - this'll work right so we can see the target response to ICMP that's good if you attack a Windows 10 box for example what it will probably tell you that that won't work right as anyone respond what I'm in around is the quick nmap scan using the top common ports again it was attacking a real target I
wouldn't just run nmap and the IP address I would pick my scan type I would pick my timings I would put velocity on I would put an output file format a dual kinds of switches I will do that on an update on youtube another day and you can use nmap when you go home tonight and stuff people are doing you find on now you get that top on your home Wi-Fi from that and see a button your the device see you again so we've just on a quick to get it's the top 1000 ports that is not the top 0 to 1000 is the top 1000 common ports I can't name them all but included
in that is RPC NetBIOS and 445 or SMB or Samba depending on what system you're using which is teaching people 445 this is what the MS17-010 vulnerability refers to this is what the EternalBlue exploit there it is so we can see you've done I'm just gonna we've done a little bit of scanning I'm gonna run a version scan just cuz let's go to pop a little bit more information on while that happens because time is ticking and I had changing interfaces what did Devon come from reading is teasing 2019.4 Kali honest because times are very short as well as from running through quickly on a lot and I see Kate
friend today peanut top and get it to the other things which you wiped my hair are you going to see yet BSides Leeds CTF apologies I did the main template I didn't say go to that and it's in many people need to connect to that and it's quite simple registration process good to see you account and the uh pitch of a road map it is different part different countries and they're basically different CTFs in for the ones of the lower numbers like up five points for ten points and give that again we get a chance to crunch showed one but I think we're which put their Department if you could get again if you struggle
I'm Nancy and the other guys at the table downstairs so no no they've done a little bit more enumeration but I'm going to get that this may or may not work right so we're going to use the EternalBlue exploit we'll check our options in Metasploit this is lets you configure very different pieces like what the target you're going for what type of handler you're going to use what ports operates on trend is left too many typos so we can target the IP address that we just said because this is suppose the easy peasy and share that people it's fine we're going to execute that and then we gonna break the dam I got
you be not that we get y'all that this is always a tense moment it's a bit like when you reboot the PC or a server and then you have to hold your breath until you come back online especially when you're remote with no direct access so awesome we've got a win on that and shortly you can see that we have a C:\Windows\system32 we are no longer in penguin land we are now in the land of Windows
so that's a really good like this this is obviously like the easiest script kiddie you can fire this exploit something that's a really quick way of showing that we went through we enumerated we found that there's that open port we found the services from abroad these diff I went back and looked at the scan results and wood and then we attempted to target attack right in real life back to the cause of blue screen so you got to be careful how you throw this stuff around on networks please don't do it on your live production environment do it in labs or CTF platforms but hopefully that gives you an example of the sort of approach that you'd go
through and we tend not to build I mean when we build a CTF I tend not to build to any slow firing get exploit into them most of the things I find there in real life of the security misconfigurations so I try and build systems to attack the similar to I find in real life so yeah sorry it's possible to be President I mean you partner box which bin that wasn't black reporting when we're all right ok so in that the box there is no in here there should be time for the remember it is now yeah
that's right this is the problem when you get root you get adrenaline you're like this is amazing about everything it's not fair you have to think happy so the flags will be in different places on different CTF platforms yes typically people tend to use grieves inside of a holographic field and you get double curly bracket and don't get me wrong every CTF design-build it does things differently different platforms of different standards I do things in a slightly different way to others sometimes psych input can be a real real fun experience sometimes it's Frank : pass the parcel pass not only to explain into question so one reading to the whole point of this is to explain the
CTF can be used outside of the pen testing industry B to explain that you can see that even with my pumping hands and growing for audience I can still manage to exploit the box there but really this is about ensuring we defend our businesses we defend our people with our families and our technology and you can use offensive security as a mechanism to do that you can use capture the flags to improve awareness and understanding throughout your businesses and organizations it doesn't all have to be pews it can be defensive we've put some stuff in today's CTF which is blue team based it's log analysis its technical and you can read the logs or where I can actually put the right bug
files in the system but really this is all about increasing defense there's a very minority percentage of the world who are using cyber offense legally and that's mainly is restricted to government works right so most of the prize red teaming is actually blue team league is my message then cool so that's kind of out of time important they would like to show you a little bit more but think you have a phone I was also picked for a demo thank you all for taking the time if you do have any questions come find the guys and ultimately you know at the planet enjoy it have