
Everyone, so our next speaker is going to be [presenting] the Gogol project: a couple lessons you learn building my first CTF. But first I want to take a moment to thank our Gold level sponsors. They are St. Mary's University, USAA, Trend Micro, Digital Defense and [unclear].

Good morning. I appreciate it. My name's Robert Wilson, and today I'm talking through the Gogol case study project. This was kind of a combination CTF / scavenger hunt. It started out based on inspiration from some of the stuff they're running at DEFCON, people running all over the place, stuff like the fox hunt, where it wasn't a traditional CTF in the sense that you couldn't sit in one place and solve everything; you'd have to move somewhere else, find something, and that was your next puzzle. I thought that was very cool, and I thought we need to do something like that over a longer time span, make people get up and move. I especially liked the idea of having this narrative that drove the training exercise; I thought that was kind of interesting. Plus I found that if there's something I want to learn, one of the most effective ways to learn it is to tell everyone, "hey, I know this and I'm going to make a workshop for it, I can do that in a month," and now I've got a month to build a workshop. So that's a good way to get myself [motivated].

So my two motivations for this, really the primary motivation, was to learn some stuff myself, and then to play with this idea and see what people thought of it. In my opinion this wound up kind of tanking, and I'm going to talk about why I said that. But it also got me thinking about what makes effective training. I used to be an elementary school teacher before I went into infosec, and I'm responsible for a lot of training in my organization, so it got me thinking about what makes effective training, how to get people engaged, and how to deliver something that's consistent and [unclear]. So this is sort of open season; you might have noticed in the description that I am looking for input, so I'm definitely looking for your feedback when I get to the end here.

We're going to walk through context, some of my views about teaching and learning, and some of the challenges of building a training like this. This is the first time I've built something on this scale; it's not particularly big, so that's not saying much. There are five challenges; the names will make a little more sense in a second, and I'll walk through what I've learned.

For context, this guy in the corner is Nikolai Gogol. He's a Russian writer, and he wrote a story about a Russian bureaucrat buying dead people to do tax fraud. It's an entertaining novel, but one of the things is the character in this book basically spends his time driving from place to place to meet all these people and convince them to sell him their dead serfs, so he can report that to the Russian government for a tax rebate. So I thought, you know, having to move from place to place across Russia is kind of a lesson, something I can use to provide the backdrop for this CTF. That's just something I went with. And then that second comment on this slide goes back to what I said
earlier: you can't teach something unless you've learned it.

All right, so coming from teaching, these are some of the quotes that got drilled into us when I was training for that job. The top one, Socrates, is basically saying that ninety percent of the time the student knows, or is capable of figuring out, what you're trying to teach them. He was talking about basic math, and he was basically saying you don't need to explain to the student that four plus four equals eight, because really they know that; you just need to ask them the right questions and make them realize they know it. Everyone's had that feeling when they're working through a problem and something clicks and you go, "oh, duh, how did I not see that at first?" The rest of these quotes kind of get at the same point. Jonathan Gregory, someone who wrote a lot about teaching, said questioning is pretty much the be-all and end-all, and you shouldn't tell the student anything that they can figure out for themselves. And I think Offensive Security's classic line is really just a reiteration of that.

This is a look at different ways you can teach people things. So the Socratic kind of covers that concept of questioning, but what's the alternative? When we say that you should teach the student something they can't figure out themselves, or that you should be asking questions, what else can you do? One thing you can do is some hands-on teaching, kind of like the software-defined radio workshop that was going on this morning. Give them something concrete to turn over and break; in my case it was "break and mess with." It's a good way for the student to learn by experience, and it makes them come up with their own questions. That's a lot of how people learn; it's sort of Socratic, where you're asking the question and then sending the student out to figure out the answer. "Google it" is another popular phrase. Didactic is just telling: "Good morning, my name's Robert Wilson, I'll be your teacher today, and I'm here to inform you that four plus four equals eight. Memorize that, because you'll be tested on it."

So what I think really is most effective: when I'm running things like this, I've found that the biggest thing that tends to be a problem for me is I'll start out with something Socratic, Socratic and hands-on; I'll ask a question, I'll give them the problem to mess with, and then when I get to the end I'll just cycle on to the next one. So I think that what we need is kind of a combination of all these things, because if you're in a position where you're training people for your organization, chances are you're not in charge of who you hire and fire, and your job is to get all of these people to a common baseline. Which means that if people learn in different ways, it's really going to be on you to figure out how to bring them there, and so you've got to employ all of these.

Whereas you could do something like just hands-on. So, we come to my organization and you might say, "here's a web pentest challenge; you've got Google, you've got a week, if you can figure this out you're done with training." That will weed out a lot of people, and your highly motivated folks, you'll get a very engaged body of people coming out of it. Or you could just ask a series of questions. But you don't have the option of deciding you're just going to [do that]; you've basically got to do your best to get people through, if they're willing to work with you. And so what I find works, what I've seen being effective, is you give them that challenge, you ask them a few questions, you get them to work with it, and then you sit down with [them] and you say, "look, here are the answers; do you kind of see where your logic went wrong?" That's your didactic piece. And then you give them another challenge and have them work through that, and that I think is an effective way to go.

So I'm doing this backwards with you, because I'm just talking to you about this; I'm just going to give you "this is what it was," and you're missing most of the rest of it, so you could say it's a bad [example]. All right, so summing that up: learning is an exercise; basically it's strenuous, students should be working to hunt down the answers, because that's going to make it stick. Your role as a teacher is to ask the questions, and then I think you can use this hybrid model to get them interested, get them to build experience working hands-on with what you're trying to teach them, and then solidify that learning afterwards with kind of a didactic overview. Again, you still have to watch yourself, and I think Socrates would have been all about it. Yes.

So, some of the challenges. These were the three big criteria I was thinking about as I worked through this CTF. Consistent: it's no good if I tell you to give me the hash of this exercise and it's not going to be the same every time; you'd never get it right. [unclear] So keeping it consistent. Keeping it contained: you've got to be careful with this one, because if you
lock people down too much they get bored, because they feel like you're just leading them on a leash. But you are, at least in this room, teaching people who are hackers, in the sense that they love to break things, and in the sense that they particularly like to break your things. So you've got to think about how to set up an environment where they can play around and mess up, explore their different options, and learn by making mistakes, without destroying the environment for everyone else. So that is something to consider.

And then the last one, and probably the most important thing, is invested, because here's who you're trying to teach: you've got some people coming through your program who are there because they love this stuff and they want to improve and they want to do something themselves. Some people are coming through because there's some reward at the end of it for them, and some people are coming through because they don't want to fail, I guess, or there's some penalty if they don't finish. Getting that investment, it's always best to find some way to make it the student's idea. So in fourth grade there was always a big deal to get them excited about whatever we were really excited about; chess was my favorite. I had fourth graders crowded around a chess table as if it were a football game, just yelling at each other. It was fantastic, because they cared about what was happening and what the result was going to be. That's important.

So to get them started, there's some necessary information that they're going to have to have to get moving, and I'm speaking specifically about building something like a CTF here, whether it's "here's the scoring server and here's your first box," or, if you were playing the Facebook CTF that happened recently, you click a link and now you've got a binary file and that's it, start working with it. And they'll typically say something like [unclear]; I've still got some low-level trauma from that particular exercise, that's just the one that's sticking in my head. So you give them the necessary information, the minimum they need to get rolling, and then give them this narrative hook. In this case that was Dead Souls. I think it's fun if you can make your students feel like they're part of some kind of story, that they're a hacker in the sense of being the body behind the computer, because secretly most of us find that thrilling; give them the sense that they are a protagonist, and that what they're doing is not just difficult but rewarding.

So for this particular project, what I did was give them the PDF of Gogol's book (partly [unclear]), gave them an IP address, a username and an SSH key, all of which I will give to you at the end if you want to play with one or two of these challenges afterwards, and then I threw them into the first challenge. So really, when I made this announcement I just threw it out onto the organization Slack. I said, "folks, we're doing this thing, here are all the resources you'll need," and gave a very minimal introduction. The thought I was going
with was: this sparks the curiosity of those who like to dissect things like this, so maybe I can spark curiosity; I'll make that my hook.

So this particular one kicked off: I threw up a VM in Azure with a few Docker containers on it. And where this started: I told you the whole point behind this initially was that I kind of wanted to learn some stuff, and so I was like, well, I want to learn a little more about how Docker works, so how can I build a Docker escape lab? The way this sequence was supposed to work was you would SSH into this first container, and then it was... How many people in here are really familiar with Docker? How many people in here know what docker.sock is? [Audience response.] Good question, I've been there, yeah.

All right, so basically there's a socket, docker.sock, that you never want to expose to your containers, because it's actually the socket that the Docker process uses to manage your containers. Whenever you run `docker run` or something, the Docker service is actually making an HTTP request, an API call, to a socket on your box. So if you were to mount that socket inside a container, well, now they can make API calls to that socket and they can do anything, from generating other containers on your machine, basically as root, and that kind of lent itself to my first problem, but I'll get to that in a second. So cool, docker.sock. That's fairly entry level, I guess, for a lot of Docker folks out there, but I thought it's easy to build, relatively speaking (or so I thought), it makes a neat exercise, and it'll teach people something. The process for this basically was: they had to log into the first container, they would figure out that docker.sock was exposed, and then they would use REST queries to get credentials for this other Postgres container that was up there and steal something out of the database.

The first problem I ran into was one of the areas I mentioned earlier: how do I contain this? Whatever happens, it's really only going to hurt me if someone decides, "I'm going to absolutely trash your stuff this year." But I don't really want them to mess around with my stuff more than I want them to, and how do I keep them from messing with each other? So what I did for the users: this is basically aligned to the badge machine, and I've seen people do this before; [unclear]. I wrote a script that opens up a non-persistent container for you, and then made that your login shell. So every time you log in, it spins you up a non-persistent Docker container and now you are in your little box, and when you log out your box gets deleted, and you can't mess with anyone else's little box. So that worked. I'm sure there's someone out there who'll figure out a way around this, but I thought that was pretty cool and workable, so I did that.

And then the other issue I had, the more pressing one, was: by its very nature this setup I've got is root. I'm exposing this docker.sock. So how do I let the challenge proceed without letting you annihilate everything when I'm giving you the keys to the kingdom? So I looked around and I found this project (it just hit me, I did not put in my references slide, but if you look up [unclear] proxy) where these folks wrote a container that you can stick in between. You basically mount your real docker.sock inside of this container, and then it creates a safe socket, just another socket, that you can link your first container to, and all it's doing is filtering requests: if it's a POST, it's throwing it out. So it's only allowing [reads]; anything that potentially allows privilege escalation is dropped. And that worked like a charm. So they could use GET requests to get information they weren't really supposed to have about this other Postgres container, which is what I wanted them to do, but they couldn't have messed with the underlying VM. So that was a good containment solution, except I forgot something.

So again, the last part of this challenge: you log in, you use the API calls to look at all the arguments used to spin up this Postgres container, and one of those arguments was the password. See, now if you use the default Postgres username and that password, you've got access to the database. So I mean, whoever sees that... No one did that, which still bugs me. I haven't got a fix for that yet; incidentally, this challenge is up for people to play with, so please don't do that. Anyway, so consistency was solid: everything stayed up reliably, output was consistent. Containment was okay; the only issue with containment really was that Postgres environment. Investment was the main issue, and this was sort of where I think the exercise failed. It turns out that if you say "hey, username, IP, credentials," people don't necessarily go "oh yeah, this is what I want to do." I'll talk a little bit later about how I think I could have made that buy-in a little better, but we didn't get a whole lot of participants, and that affected everything from here on out.
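The two halves of the docker.sock challenge, as an added example written for this transcript (it is not the speaker's lab code): a client that issues a plain GET to the Engine API over the Unix socket and pulls secret-looking variables out of another container's `Config.Env`, next to an allow-list filter of the kind the socket proxy the speaker describes applies. The inspect document below is a constructed stand-in for what `GET /containers/<id>/json` returns, and the allow-list is an assumption, not the proxy project's rules; nothing contacts a daemon unless the socket actually exists.

```python
"""Read-only Docker Engine API access and the proxy filter that bounds it.
Added example; not the talk's code. SAMPLE_INSPECT is constructed."""
import http.client
import json
import os
import re
import socket
from urllib.parse import urlsplit

DOCKER_SOCK = "/var/run/docker.sock"


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that dials a Unix domain socket instead of TCP."""

    def __init__(self, path):
        super().__init__("localhost")
        self._path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self._path)


def docker_get(api_path, sock_path=DOCKER_SOCK):
    """GET one Engine API path over the socket and return the parsed JSON."""
    conn = UnixHTTPConnection(sock_path)
    conn.request("GET", api_path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"{api_path}: HTTP {resp.status}")
    return json.loads(body)


def secrets_from_inspect(inspect_json, markers=("PASSWORD", "SECRET", "TOKEN", "KEY")):
    """Return env vars from a /containers/<id>/json document whose names look like secrets.
    This is the leak the talk describes: the run arguments, password included, are
    readable with nothing more than a GET."""
    env = inspect_json.get("Config", {}).get("Env") or []
    found = {}
    for entry in env:
        name, _, value = entry.partition("=")
        if any(m in name.upper() for m in markers):
            found[name] = value
    return found


# Proxy-style filter (assumed allow-list for illustration): only GET, only
# read-only sections, and never the per-container verbs that run code or
# read the container's filesystem.
VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")
READ_ONLY_PREFIXES = ("/containers/", "/images/", "/networks", "/volumes", "/info", "/version", "/_ping")
FORBIDDEN_SEGMENTS = {"exec", "attach", "start", "stop", "kill", "create", "update", "archive", "export"}


def proxy_allows(method, url):
    path = VERSION_PREFIX.sub("", urlsplit(url).path)
    if method.upper() != "GET":
        return False
    if set(path.strip("/").split("/")) & FORBIDDEN_SEGMENTS:
        return False
    return path.startswith(READ_ONLY_PREFIXES)


# Constructed sample of an inspect document (not real daemon output).
SAMPLE_INSPECT = {
    "Id": "0123abcd",
    "Name": "/postgres",
    "Config": {
        "Image": "postgres:13",
        "Env": ["POSTGRES_PASSWORD=hunter2", "PATH=/usr/local/bin", "POSTGRES_DB=souls"],
    },
}

if __name__ == "__main__":
    print(secrets_from_inspect(SAMPLE_INSPECT))
    if os.path.exists(DOCKER_SOCK):  # only meaningful inside a lab that mounted the socket
        for c in docker_get("/containers/json"):
            print(c["Id"][:12], secrets_from_inspect(docker_get(f"/containers/{c['Id']}/json")))
```

Note that `proxy_allows` still lets `GET /containers/<id>/json` through, which is exactly the call that leaks the Postgres password; a read-only proxy bounds what the player can do to the host, not what the container's own configuration gives away.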
So once you get into that database, you find some dead people on street corners, right; there were lat/long coordinates that led you to two NFC tags on the table. Those NFC tags have a small bitmap. This is cool; I always wanted to play with NFC tags. It turns out they're super frustrating, but still cool. So you find the tags, you pull out this picture, I threw in a ps1 script (I wasn't really sure how to hint at what was going on otherwise), and you decode a URL that leads you to the next challenge. This is kind of what's going on.

So, for the [unclear] folks who are going to get mad at me, I'll just keep walking off the camera; this blank one might work better anyway. You pull open this little image, and if you start dumping the hex, at the 0x0A offset you've got the offset of the image bytes, so that tells you where the image data starts, and then there are the actual image bytes. And so what I did was I used least-significant-bit steganography, so the last bit of each byte was flipped as needed to encode a URL, which is something that's kind of hard to figure out on the face of it, at least for me. I'm sure there are lots of folks who look at this and go "clearly this is least significant bit steganography"; I'm not one of those people. And so I also threw in an uncommented copy of the PowerShell that I wrote to do this. So basically what they had to do was look at the picture, look at the PowerShell script, figure out what it was doing, and write something to reverse it.

This was cool; I think investment on this was solid. I got to watch a guy in the front crawling around, which was entertaining [unclear], and I think that stuff like this honestly is pretty surprising to someone who's expecting to sit at their desk because it was "something on the web," and suddenly you've thrown way too much at them, you poor bastard, and they've got to get up and get moving, and suddenly it feels like they're in a James Bond thing. I think that's great for investment; I think it gets people excited. Consistency was great; you can lock NFC tags, I guess. The problem with containment: that first bullet is optimistic. The problem with containment is, I guess, you could just yank the NFC tag, which would be a jerk move, but there's nothing I can do to stop you from doing that. Continuing, these sorts of challenges where you give someone a file are solid for containment, because everyone's got their own copy; no one's going to be messing with each other, they're not sitting on the same machine to do their analysis anyway. You get through this, decode this bitmap, and now you're off to Sobakevich.
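The bitmap trick above, as an added example written for this transcript (the speaker's version was an uncommented PowerShell script; this is not that script). It builds a tiny 24-bit BMP in memory so there is no input file, reads the pixel-data offset from the 4-byte little-endian field at 0x0A as the talk describes, writes each bit of a NUL-terminated message into the least significant bit of successive pixel bytes, and reverses the process. The URL is a placeholder, not the challenge's.

```python
"""LSB steganography in a BMP: embed() and extract() are the pair a player
would have to reconstruct from the talk's script. Added example; the cover
image is constructed."""
import struct


def make_bmp(width=16, height=16, fill=(0x40, 0x80, 0xC0)):
    """Minimal 24-bit BMP (14-byte file header + 40-byte BITMAPINFOHEADER)."""
    row_bytes = (width * 3 + 3) & ~3  # rows are padded to 4-byte multiples
    pixel_bytes = row_bytes * height
    pixel_offset = 14 + 40
    file_header = struct.pack("<2sIHHI", b"BM", pixel_offset + pixel_bytes, 0, 0, pixel_offset)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, pixel_bytes, 2835, 2835, 0, 0)
    row = bytes(fill[::-1]) * width  # BMP stores pixels as BGR
    row += b"\x00" * (row_bytes - width * 3)
    return file_header + dib_header + row * height


def pixel_offset(bmp):
    """The field at 0x0A: where the pixel array begins (the talk's hint)."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    return struct.unpack_from("<I", bmp, 0x0A)[0]


def embed(bmp, message):
    """Write message bits (MSB first, NUL-terminated) into pixel-byte LSBs."""
    payload = message.encode() + b"\x00"
    start = pixel_offset(bmp)
    if len(payload) * 8 > len(bmp) - start:
        raise ValueError("image too small for message")
    out = bytearray(bmp)
    pos = start
    for byte in payload:
        for shift in range(7, -1, -1):
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def extract(bmp):
    """Reassemble bytes from pixel-byte LSBs until the NUL terminator."""
    start = pixel_offset(bmp)
    out = bytearray()
    byte = 0
    for i, value in enumerate(bmp[start:]):
        byte = (byte << 1) | (value & 1)
        if i % 8 == 7:
            if byte == 0:
                break
            out.append(byte)
            byte = 0
    return out.decode(errors="replace")


if __name__ == "__main__":
    cover = make_bmp()
    stego = embed(cover, "https://example.invalid/next")  # placeholder URL
    print(extract(stego))
```

Because only the low bit of each byte changes, the stego image is the same size and visually indistinguishable from the cover; the only tell is that the pixel bytes' low bits stop looking like noise, which is what a comparison of `cover` and `stego` from the pixel offset onward shows.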
This is one of the challenges I was least happy with, because by default I wanted it to be a DNS challenge, something else I didn't know much about. I wanted to make you go map out the DNS footprint of this domain and find the flag that way. So the hook you pulled off of that picture was sobakevich.xyz, which is a domain. If you tried to go directly to it, it would bounce you. If you scanned it, you'd realize SSH is open. If you use the SSH key from the beginning you can log in, except you can't log in, because the jump box's shell for that user is /bin/false. What you can do is set up an SSH tunnel; if you set up an SSH tunnel, now you've got access to the stuff behind it. The reason I don't think this was great was because that's not really intuitive, and you could spend a really long time trying to troubleshoot why SSH isn't working. So what I thought about doing was putting a hint in the banner, basically "SSH tunnel in," but that sort of breaks it; it breaks the narrative. That's why I wasn't super happy with this one, but anyway.

You can SSH tunnel to Sobakevich; if you do some DNS enumeration you figure out that the dev subdomain works, and I had it redirecting, I think, to localhost. Basically what you had to do to make this work (and again, I had to do a lot of heavy-handed hinting to make this work, because this wasn't intuitive, and for a number of reasons they didn't like this) was you had to set the hostname... I don't think it was localhost; I think it redirected to the same jump box. Set the hostname to resolve to localhost in your own hosts file, SSH through, connect through your tunnel to the server, and it had to be dev: if you connect through the tunnel to just sobakevich.xyz it would give you some standard landing page; connect through that to dev.sobakevich.xyz and now you're in. A tangled knot that doesn't really match practice, in my opinion, and I just wasn't thrilled with that. And I just sort of talked through everything on this slide without changing to it, so what's up there: I prevented people from just logging straight into the jump box and messing around with it by just changing their shell to /bin/false. I've heard there are ways to get around it; the one time I tried, it didn't work, so it seemed to be safe enough for me. And then this was sort of the set of the nginx config, where if you're coming in as dev you get a different page than if you're going to anything else in this domain. Consistency was good, containment was good, investment was pretty poor; I've already explained what I thought of that. I think it required too much hand-holding.

But you go through that, you can pull [the next piece] off the server. Another one that was okay: this was just a short challenge where you take something called a password generator, find a program that generates a password, and use that to build a hashcat profile. So you notice this Python script produces this combination of characters; I'm going to set up a hashcat mask for that combination of characters, and off we go. And this was actually (someone's probably going to snicker) my first time messing with hashcat, so that's kind of the reason I built this. So this is straightforward: in the end you use this first flag, [unclear], you use that second flag to set the option, and we're done. [unclear] You pull the hash and then use that character set and brute force it. I think it was trying to use a GPU that didn't exist or something. That was pretty straightforward, pretty minor. Consistency and containment were obviously solid. Investment: [unclear], I'm excited about Sobakevich and that sort of stuff; I'd put this in the middle to make sure that I had a connector to the next challenge, but that's something that could change later. I liked the idea behind it a lot, so I'm thinking next time it might be worth building that into something a little more elaborate, but we'll see.
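What the password-generator challenge asks a player to do, as an added example written for this transcript (the speaker's generator script is not on the page, so `generate_password` below is a constructed stand-in, and the mask inference and command line are mine, not the challenge's). Sample the generator, classify each position into hashcat's built-in charsets (`?l`, `?u`, `?d`, `?s`, falling back to `?a` where a position mixes classes), and report the mask with its keyspace so you know the size of the brute force before you start it.

```python
"""Turning an observed password generator into a hashcat mask.
Added example; generate_password is a constructed stand-in for the
challenge's script."""
import random
import string


def generate_password(rng=random):
    """Constructed stand-in: 2 uppercase letters, 4 digits, 1 symbol."""
    return (
        "".join(rng.choice(string.ascii_uppercase) for _ in range(2))
        + "".join(rng.choice(string.digits) for _ in range(4))
        + rng.choice("!@#$%")
    )


def sample_passwords(n=200, seed=1):
    """Deterministic sample of generator output (seeded so results repeat)."""
    rng = random.Random(seed)
    return [generate_password(rng) for _ in range(n)]


# hashcat's built-in charsets: ?l, ?u, ?d, and ?s (space + 32 punctuation marks).
CHARSETS = {
    "?l": string.ascii_lowercase,
    "?u": string.ascii_uppercase,
    "?d": string.digits,
    "?s": " " + string.punctuation,
}
CHARSET_SIZES = {name: len(chars) for name, chars in CHARSETS.items()}
CHARSET_SIZES["?a"] = 95  # ?a = ?l?u?d?s


def classify(ch):
    for name, members in CHARSETS.items():
        if ch in members:
            return name
    raise ValueError(f"character {ch!r} is outside hashcat's built-in charsets")


def infer_mask(samples):
    """Per position, the single charset every sample falls in, else ?a."""
    lengths = {len(s) for s in samples}
    if len(lengths) != 1:
        raise ValueError("variable-length output needs one mask per length (or --increment)")
    mask = []
    for i in range(lengths.pop()):
        classes = {classify(s[i]) for s in samples}
        mask.append(classes.pop() if len(classes) == 1 else "?a")
    return "".join(mask)


def keyspace(mask):
    """Number of candidates the mask expands to."""
    total = 1
    for i in range(0, len(mask), 2):
        total *= CHARSET_SIZES[mask[i : i + 2]]
    return total


def hashcat_command(mask, hash_file="hashes.txt", hash_mode=0):
    """-a 3 selects hashcat's mask attack; -m is the hash type (0 = raw MD5).
    Set hash_mode to whatever the challenge's hash actually is."""
    return f"hashcat -a 3 -m {hash_mode} {hash_file} '{mask}'"


if __name__ == "__main__":
    mask = infer_mask(sample_passwords())
    print(mask, keyspace(mask), hashcat_command(mask))
```

The inferred mask is a ceiling, not a fit: the sample symbol position only ever uses five characters, but `?s` covers 33, so a custom charset (`-1 '!@#$%'` with `?1` in the mask) would cut that position's cost by more than six times. Checking the generator's source for the actual alphabet at each position is what turns the sampled mask into the tightest one.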
Anyway, so this leads you to a second NFC tag. I actually elected to branch here: there are two directions, and it tells you it's important to find the NFC tag in this document that you decoded. So when you got to this NFC tag, it had something that looked like this, and you can do this with Wireshark as well; this is just a raw capture of all the opcodes coming into the keyboard. So it was just this blob of keyboard opcodes, and if you could figure out what the opcodes were, then you could decode a message from me. That was cool; USB captures are something that's fascinating to me that I don't have a handle on, so it was kind of neat to mess around with it. I didn't know that this USB HID [capture] command existed; I'm interested in looking at it more. This is really sort of a one-off: you went off, you did this, you decoded the opcodes, and you get a password to open the zip for the final.
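Decoding the keyboard capture, as an added example written for this transcript (the speaker's capture is not on the page; the reports below are constructed). A USB boot-protocol keyboard sends 8-byte interrupt reports: byte 0 is the modifier bitmap (0x02 and 0x20 are left and right Shift), byte 1 is reserved, and bytes 2 to 7 hold up to six pressed keycodes. Wireshark shows each report as `usb.capdata` (or `usbhid.data`). The decoder emits a character only when a keycode is newly pressed, so a key held across several reports is not repeated, applies Shift, and honours Backspace, which is what trips up the naive "map every non-zero byte" approach.

```python
"""Decode USB HID keyboard reports into the typed text. Added example;
CAPTURE is constructed in the colon-separated form tshark prints."""


def _build_keymap():
    """Keycode -> (unshifted, shifted) for the US layout."""
    keymap = {}
    for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
        keymap[0x04 + i] = (ch, ch.upper())
    for i, (plain, shifted) in enumerate(zip("1234567890", "!@#$%^&*()")):
        keymap[0x1E + i] = (plain, shifted)
    keymap.update({
        0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
        0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
        0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
        0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
    })
    return keymap


KEYMAP = _build_keymap()
BACKSPACE = 0x2A
SHIFT_MASK = 0x22  # left shift | right shift


def decode_reports(reports):
    """Walk 8-byte reports; a key counts once per press, not once per report."""
    text = []
    previously_down = set()
    for report in reports:
        if len(report) != 8:
            raise ValueError("boot keyboard reports are 8 bytes")
        shift = bool(report[0] & SHIFT_MASK)
        down = {k for k in report[2:8] if k}
        for key in report[2:8]:
            if key == 0 or key in previously_down:
                continue
            if key == BACKSPACE:
                if text:
                    text.pop()
            elif key in KEYMAP:
                text.append(KEYMAP[key][1 if shift else 0])
            else:
                text.append(f"<{key:#04x}>")  # unmapped key: keep it visible
        previously_down = down
    return "".join(text)


def parse_capdata_lines(lines):
    """'02:00:07:00:00:00:00:00' lines -> bytes objects; blank lines skipped."""
    return [bytes(int(h, 16) for h in line.strip().split(":")) for line in lines if line.strip()]


# Constructed capture: types "Dead-soulz", backspaces the z, then "s1".
# The second 'e' report shows a held key (must not repeat).
CAPTURE = """
02:00:07:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00
00:00:08:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:04:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:07:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:12:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:18:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1e:00:00:00:00:00
00:00:00:00:00:00:00:00
"""


def decode_capture(text=CAPTURE):
    return decode_reports(parse_capdata_lines(text.splitlines()))


if __name__ == "__main__":
    print(decode_capture())
```

To feed a real pcap in, `tshark -r capture.pcap -Y 'usb.transfer_type == 0x01' -T fields -e usb.capdata` prints one report per line in exactly this colon-separated form; newer Wireshark builds may name the field `usbhid.data` instead.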
So we've got two more. The other file that was sitting on Sobakevich, as I mentioned, was this picture, actually the one in the corner, and if you ran it through exiftool and went to the coordinates it listed as where the picture had been taken, then you would be within range of this Wi-Fi hotspot, this Raspberry Pi setup. Let's talk about breaking wireless; that's very much last episode. So I basically had this Wi-Fi access point, a Raspberry Pi, sitting out there, and it had another Raspberry Pi that would connect with a cron job and send a message, a curl, rather, to a web server on the access point. So you show up there, you look around, you figure out that there is an access point called [Korobochka?], and I had in the picture the comment to "go find [Korobochka?]," because eventually I'm sure people would have just started flailing away at any Wi-Fi access point in range, which would have been bad. So you figure out that there's this network that you're looking for. If you were to turn that PDF of Dead Souls into a wordlist, that password was one of the words, so the participant could capture the [handshake], break into the network, and now you can use [unclear] to capture that curl request from the second Raspberry Pi to the first, and if you inspect the contents of that curl request you see the credentials, so you can get into the web server. Boom, you've got access, and you can download the zip file for the last challenge.

I really enjoyed putting this together. Consistency was sort of iffy, because containment was also iffy: it's wireless, so I can't do anything to keep you from messing with the other challengers, and the Raspberry Pi thing was kind of finicky, but that's probably more of a me problem than anything else. So I thought this was solid, and I think the investment would have been good if anyone had been using this exercise. So we're kind of referring back to the investment issues. Like I said, it was cool; my testers thought it was pretty cool, they enjoyed it. I'll probably have to do it again one of these days because, like I said, no one really made it that far. I think it would have been neat, and we've got the same thing where people have to run across town to find this. I think as long as they've got a solid idea of where to start, WPA is just familiar enough, and exotic enough, that I think it makes it fun to mess with.

All right, last challenge. So Pushkin was a Java program that was written by a friend of mine called Grasswatcher, who's super sharp with Java; he works [unclear] along the East Coast, and he helped put together, or rather he put together, this Java program that was really a simple database front end. So you go through this and you can do simple SQL injection, basically, which I'm sure is super familiar to folks. This is an example of how we do not validate your input within the Java program, and again, you can just throw in a quote and start adding your arbitrary queries. Consistency was okay; I actually had some issues with this when I compiled it on Debian versus an Ubuntu system. So once again, no one got this far, so I'm not sure how it would have been with a bunch of people going after it; I suspect we would have had problems. Containment: that's good, because they work on their own file; they're not messing with each other. Investment: if you know you're near the end, you're kind of over it at that point, right? And SQL injection can have the same effect, because, I don't know if you're like me, but when you're playing the Facebook CTF and you have another challenge to go and it's "want me to do SQL injection?", you get two conflicting feelings: you've got "cool, I know this," and "I've got to figure out the query and I don't really want to do this right now." So how it does as a training exercise, honestly, I have no idea.
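The defect in the last challenge and its fix side by side, as an added example written for this transcript (the challenge's program was Java and is not on the page; this reproduces the same string-built query against an in-memory SQLite table, with constructed rows). The vulnerable lookup returns every row for the classic `' OR '1'='1` input and lets a `UNION` pull the secret column out, while the parameterized version treats the same input as a literal and returns nothing.

```python
"""String-concatenated SQL beside the parameterized query. Added example;
the table contents are constructed."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE souls (id INTEGER PRIMARY KEY, name TEXT, village TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO souls (name, village, secret) VALUES (?, ?, ?)",
        [("Ivan", "Tula", "flag-1"), ("Pyotr", "Orel", "flag-2"), ("Anna", "Tula", "flag-3")],
    )
    return conn


def find_by_village_vulnerable(conn, village):
    """The challenge's pattern: user input spliced straight into the SQL text.
    A single quote in `village` closes the literal and the rest is parsed as SQL."""
    query = "SELECT name, village FROM souls WHERE village = '" + village + "'"
    return conn.execute(query).fetchall()


def find_by_village_safe(conn, village):
    """Bound parameter: the driver sends the value separately, so it can only
    ever be compared against the column, never parsed."""
    return conn.execute(
        "SELECT name, village FROM souls WHERE village = ?", (village,)
    ).fetchall()


# Two payloads a player would try. The second needs the same column count as
# the original SELECT (two), and '--' comments out the trailing quote.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT secret, '' FROM souls --"

if __name__ == "__main__":
    db = make_db()
    print(find_by_village_vulnerable(db, TAUTOLOGY))
    print(find_by_village_vulnerable(db, UNION_DUMP))
    print(find_by_village_safe(db, TAUTOLOGY))
```

The Java equivalent of the safe version is a `PreparedStatement` with `setString`, which is the change the talk's "we do not validate your input" comment points at; validation alone (rejecting quotes) is weaker than binding, because it has to anticipate every encoding the database will still accept.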
get the file itself and then at the end out of that Java file you pull the numbering combination for a locker evils locker you get a custom chocolates right that's I realized afterwards I should have led with that I think that would about my investment a lot but anyway so this is kind of what I learned the biggest thing things this year was advertising yeah I don't know next time I'm actually interested in getting some ideas for what you folks think would be a good way to focus people into something like this I like the idea QR code notations Center I think there was zero context means right where you find this QR code on the
bottom present and I keep that back I love but is hit or miss because maybe a little people there who are going to loose kanyon maybe you get one person shot glasses are more effective so there's that so yeah I got a bill for this year for $170 for the month which was more than I thought it was going to be uh it turns out I looked at my settings I'm still uptown I'm sure it's going on if any of you had issues with is your district right bills I'll be interested to hear what the cause was for me part of it was I apparently had selected the things that default one of their dreaming SSD slots which is twice
as expensive as non-premium this is Isla I don't know anyway watch the meter there was something I learned that was a personal impact and an unwelcome surprise and then defining your objectives I think for something like this you might have noticed this is super theater I've got a little bit of steganography a little bit of SQL injection cool if you're creating a sort of fun pose to do you're going to try to train people with something like this probably a little more focused probably it's not definition of what success looks like right would have been helpful so those are the three things and maybe a tweak next time make this a little more solid five loops mr. names here I
didn't see all right well mr. Bexon is somewhere around here you don't need to review these slides and he used to is presented in some conferences in the past and give you some welcome advice I really appreciated that grass watcher did the co-development troubleshooting maybe one day that would be Twitter handle or something is starting hearing about him for now he keeps to himself is why he told me to just use that animal finally there's a URL right there if you want to jot that down in there there's a folder called Loveland packet and in that is that ID address username and SSH people so I've got two of the challenges set these once again
wiped out the coordinates goodbyes yesterday is gonna hide them in the lawmaking village somewhere but I did something nasty to one of them I think because it's just not talking to me at all so that's how but you've got the first two challenges so in Austria and the first set of NFC tag somewhere around here so feel free to that go after that and if you drop me a note either on a request on this repo or I didn't put it in here but you can I like a little sein o tra if you shoot me note on Twitter to let me know what you think I appreciated so questions right usually the poll questions fly there's a big
question mark and I'm waiting for you to ask me things. I'm going to ask you things, partly as a way to deflect attention from myself. So, hey, what are some good ways to get the word out about something like this? Something novel; I'm looking for novel stuff, right, stuff that will make people sit up and go, "hey, you know, this is being done differently." I don't want them to be sitting in this training thinking, "well, I have to be here." How would you have done this differently? And then ... it's like, how do we construct lessons and exercises, right, that are memorable, informative, and that get people invested? So, anyway, I'm thinking maybe you could put a QR
code and a username on the side of the coffee machine or something, so that whoever is, like, getting coffee sees it constantly throughout the day, and it drives them to, like, "okay, I don't have to buy it, what is this?" Yeah, it also is more mainstream than NFC, so I like that. My only qualm ... I like them for being long-standing, so you definitely could leave it up for a year or something, maybe, and then gather people, because it takes people a while to get into it. I like that a lot, and that's definitely what gets me going. It's trickier when you've got a schedule, right: like, you will start class on this date and you will finish by this date, and
I expect you to write something like that too. Plus, sir? Do you have to train everybody as individuals? Are you worried about them ... Yes, I do some team exercises. This particular one, I'm kind of mismatching a little, because I'm talking about an exercise that I basically built for fun and in the same breath asking, you know, how do we do professional group training. But yes, I've done, I do a little bit of both: you do some stuff where they work as individuals, and then once they've got a certain measure of competency as individuals, I believe that's when we put them together, having to figure out how to work as a team, and then you're ready
colliding with each other's ... What do you think of ... they have ... years ago
not quite capture the flag, but in a sense puzzles, challenges. We even told them up front, "leave with the prizes." We encouraged teaming, because the questions spanned the company, and so you would have a salesperson with an engineer and with customer service, and they needed to go over the questions together, because of all this communication. It wasn't even intended; I just thought that that was what was great about teams, but sometimes you can get a lot out of it between intermediate and beginners, or just across different aspects of coordination. Yeah, that's awesome. I actually looked at ... afterwards; we've got some time, getting some more
information about what else. I did do something where we had a base, for example SQL injection, and it's something low, a beginner part, and as it progressed it built my skill set, and ... so you go from one point to another to another, but it gets harder as you travel, building skills, right? Absolutely.
You always start with something that's stupid simple, and then give the question and a path for them to move from there to something. Yeah, and that would especially help with that, pulling that down: having a clear objective in my mind. All right, to close. Well, I really appreciate you coming out. A couple of references, if you're interested: Black Hills InfoSec did a solid piece on cracking ...; document poisoning ... I thought was probably the part of this where I had the most fun, but you can find them ... if you caught that initial link I gave you, they're in the Welcome Packet, and
I'll have this slide deck shared afterwards. And then, finally, I didn't talk too much about it, but good teaching is good learning, right, and the best piece I've seen on that is by ..., who some of you have probably heard of; I can't recommend the piece enough, on how to learn new skills ... And that's all I've got for you. Thanks again for coming, and enjoy ... [Applause]