
BSides Cairo 2019: Catch Me If You Can: The Art Of CTF - Heidi Winter

BSides Cairo | 11:20 | 116 views | Published 2019-06

Hello BSides Cairo, thank you for having me along. I've really enjoyed the past few days exploring your city; the vibrancy never fails to surprise me. So I'm Heidi, I can be found on Twitter as winner underscore Heidi. I've been posting lots of cats of Cairo here, so if you'd like to check out my tourist photos just have a look at my Twitter. So today during my talk I'll be quoting a lot of software applications and online resources, and to save me trying to stick lots of links in my presentation I'm just gonna post them on Twitter after the talk and save everyone some time, so you can check that out there. So I'm from the land down under, so Australia has a

thriving security culture which is blossoming, and we have lots of security conferences and a great community. I'm more comfortable as an organizer than I am as a speaker, and I'd like to give a shout out to the BSides Melbourne conference that I helped with; our first conference is in two weeks. As an organizer I know how hard it is to put this together and the work that goes into this, so a big thank you and well done to BSides Cairo for putting on this conference. It's an honor to be here. So what I do: I do a lot of things in security. I've worked many places as a consultant and a direct employee, but while my history is in

telecommunications and enterprise system development, I've had the pleasure of working in security in many spaces, everything from compliance through to malware analysis. At the moment I'm working with blue teams setting up security operations, but the thing I love the most is giving back to the community and encouraging others to find their passion in this space. I do a lot of work with adults and kids playing capture the flag games for education and fun, and I find it rewarding as the kids and the adults who volunteer learn and grow. The workshops are always top rated, so we must be doing something right. So what this talk today is all about is capture-the-flag games. This is designed

as a 101 introduction talk and covers what the point of it all is, in addition to some handy tooling. So what are capture-the-flag games? They are competitions and puzzles based on real world information security vulnerabilities and challenges that are played online at security events and conferences. I think this particular image that we've got up here is actually from one of the DEF CON events, and they famously have a lot of people turn up for those. Individuals or teams race against the clock solving complex and fun exercises, gathering flags to earn points. It's an opportunity for existing and new skills to meet and grow in a great environment. So there's several different game styles one actually comes

to these particular games, so you have the standalone, jeopardy and also the attack and defend. So standalone can otherwise be known as wargames. These are great for practicing on and aren't event based, and they're always available; as you play they get progressively harder. So some examples of those available are OverTheWire, which is an online challenge which has been available for quite a long time; most of them are command-line games. Hacker101 CTF is available as well, which is relatively new, and of course you've got the Hack The Box challenges, which are always varied and have a lot of community content. So jeopardy format is probably the more traditional format

which is actually known, so study is an individual sort of games. You've got picoCTF, and then you've got that escalating towards things like CSAW CTF and Google CTF. So Tiffany is generally split up between different categories of play and escalate in, well, hardness and also points as they go along. So these play styles, you can be playing as individuals, groups or just as pairs, but the content varies directly depending as to the designer's knowledge, experience and theme. So you've got things such as binary exploit, cryptography, steganography, social engineering, vulnerable apps and webs, forensics, network, physical security, virtual reality, OSINT, mobile, and it just, there's a lot, and it really all depends as to

who's actually putting this particular work together. So as a result there's different tool sets that you can actually use depending as to the challenges you have available. So as I said this is a 101, so there's just certain examples of the tools. So for steganography you've got things along the lines of exif, when you need to view the EXIF information of files; steg crackers, when you need to brute force and uncover data; and when you've thrown strings in a file that you know that you're dealing with a steg challenge but don't really know what's going on, and so you throw it in as a last resort after you've been playing with it for two hours and it turns out

that someone's just embedded the code for the actual CTF flag in the image and all you had to do was change the color palette. So in reverse engineering you've got different challenge tools on them, so binwalk for example, it helps you with reverse engineering, extracting and analyzing firmware, I know which is probably one of the most popular investing tools and I love it a lot, Binary Ninja if you want to do your binary analysis, and angr, which is a binary analysis framework which when used properly can be used in CTF to crunch processing time. You can pretty much just go and fuzz your way towards flags, but that does actually take some configuration; you kind of need to know

what you're doing, but I recommend checking it out if you haven't already done so. So social engineering and OSINT are going to be thrown in the same category here, because social engineering CTFs, while they do exist, aren't as popular as I really feel that they should be. So the first half of these sorts of CTFs is actually comprised of doing research and looking at what's actually available out there, so you can be looking at flexing some OSINT skills for those. Now a really good toolkit which is available is Bellingcat's Online Investigation Toolkit. It's a list of tools used for verification and open source investigations. And so if you're also looking at Awesome OSINT,

it's a curated list of OSINT resources. And then you've also got Social Engineering: The Science of Human Hacking. It's a book by Chris Hadnagy, and he covers the science of the behavioral hack, so that's the second half of the social engineering side of things. But if you wanted to look more into the social engineering CTF side of things, social-engineer.org puts up a range of podcasts and resources on the subject. So approach: really in the end you really need to just give it a go. So step one, go find a game, go play a game, or you can just go watch a game. Step two, you need to be context aware,

really need to kind of be paying attention to what it is you're doing. If you're, like, trying to, like, throw your biggest, your best tools at points, it's only worth 50 points, you're not really, kind of, you're wasting your time. Pay more attention to what it is you're actually doing and Savior I think for the largest skill points, and research the problem that you're actually working on.

If you're not sure what it is, especially when you're starting out, there's a lot of walkthroughs that are available, and you really do need to actually check out things that are available. Like, Google is your friend; go and have a look at things that may be available on the web that may be comparable to the particular exercise that you're currently working on. Use your available resources. Now your resources aren't just your tools and your Googles, they're the people that you know and the people within your community. There's people that have a lot of different range of skill sets that you can actually go and consult and lean on. I was speaking to

someone earlier that was actually on one of the university CTF teams who seems to be extremely knowledgeable on the subject, so there's clearly a lot of skill available here locally; you just need to go speak to the right people. Don't be put off, it gets hard. Like, this is the thing: every time you do something for the first time, every time you try something which is different, it can be pretty hard. Don't be put off, just give it a go and just research and just, yeah, try your best, because you may spend three hours during one particular challenge but at the end of it when you actually get the flag and

you're actually able to get those points, it's pretty successful and pretty good to yourself. And the final step is return to step one: do it again, bigger and better. Go find yourself a team, go compete in international challenges and, like, up your skill set the best that you can. Or you can go and extend those particular skills into different areas, so things like bug bounties; you can actually extend your skills that you can get within playing CTF towards things like Bugcrowd, Hacker101. The same skill set can actually be used within pentesting and also when it comes to the forensic side of things; digital forensics and incident response definitely needs people with skills like you. Or you can just go out

and make your own CTF. So there's a lot of different resources actually available on the internet for you, and these are things like CTFd, which has a platform that you can either download yourself or actually set up your own challenges with; you can even just use the challenges that they have available, there's a large library. NeverLAN CTF is another option; they also put out their own game every year, but you can also do the same thing whether I hope you put together a platform and with challenges, it's up to you. Facebook CTF also has a really, really cool CTF platform which is available. It's really shiny and has lots of blinky lights, but at the same time it's, unless

you have a really large infrastructure, probably wouldn't look at using it for a large game as it can be really resource heavy. And there's also open source, so Open CTF and things along those sort of lines. But really in the end just give it a go. You can learn a lot and there's lots of things that are out there for you to try. And I spoke really fast, so that's pretty much it for me today. Thank you very much. [Applause]