
PG - CTF All the Things: Leveraging Gamification to Up Your Security Game - Matt Pardo

BSides Las Vegas | 22:54 | 67 views | Published 2017-08
About this talk
PG - CTF All the Things: Leveraging Gamification to Up Your Security Game - Matt Pardo Proving Ground BSidesLV 2017 - Tuscany Hotel - July 26, 2017

Here is Matt Pardo with CTF All The Things. Hello, everyone. So I play in CTFs. I'm a CTF addict, I'll admit it here. How many of you play in CTFs? Okay, a fair number. Great. Any of you CTF addicts who play all the time? No? Well, they're great. So my goal with this talk is to get the rest of you to try a CTF, because I believe they are extremely valuable for the information security community.

So before I go too far, I want to talk a little bit about some of the terms I'll use. I'll define these more as we go along, but CTF, obviously, is capture the flag. It's a contest where you solve a challenge and you get a flag from it. CTFing is a term we use: "I was CTFing all weekend." CTF-er is not a diminutive or an insult; it's someone who CTFs. So I am a CTF-er, and hopefully you will be too.

So here's a little bit about me; I'll go quickly through this. I'm a lifelong learner, which is where my interest in gamification originated. I run BSides Austin, which is a great BSides. It's not as big as this one; we have about 600 people. Come on down and talk, or enjoy it. I'm an INTJ, which means I would rather be running a BSides than speaking in front of people, so I'm naturally an introvert. I am an OSCP, so I prefer red team stuff. I work at Rapid7 in web application security. And most relevant to this talk, I help run a team called Open to All, which I'll talk a lot more about as well.

So let me tell you a little bit about my CTF journey, because hopefully it will be relevant to some of you who are thinking about trying a CTF. I was at a BSides and there were two talks in two different tracks, and I wasn't really interested in either of them. So I basically decided to walk around and find someone to talk to, and all my friends were in tracks, and being an introvert, I was like, I'm not going to introduce myself to anyone. So I found the CTF room in the lockpick village and I thought, I'll check that out, not thinking I would actually do anything with it. But they had this piece of paper in there that described the CTF they were running. So I sat down and I started playing around with it. I thought, okay, I'll do this for an hour until my friend's talk comes up. And then... it was the end of the day. I'd spent the entire day there playing, because it was a hacking CTF where we had to pivot through, and we could take over a cannon that launched rubber missiles, essentially. It was a blast. And at that point I was hooked.

So then I started looking around, and I found a site called CTFtime. That'll be in the resources at the end. But it's a great site because it tells you about CTFs that are coming up. And so I started looking at it, and what I realized is most CTFs aren't at a conference. Most CTFs are actually online. And what I found was that there was a CTF running pretty much every single weekend, and oftentimes during the week. Some weekends there were three or four CTFs running. I mean, there was a lot of opportunity to CTF.

And so I went at it alone. I started playing in these CTFs, and what I found was that the CTFs had these channels on IRC where the moderators would answer questions. So I went in and I started lurking in these channels and watching the interaction, and people would ask these questions, and what I saw was that the community was extremely supportive. If you had a question, they would help you. They would say, hey, try this or look at that or whatever. They wouldn't give you the answer. And if people asked for flags or answers, that was incredibly discouraged. I saw lots of it. But the most important thing was, it was an awesome community.

And so I started looking for a team. What I found was that in my area there was a team, a very good team called ATX2600. But they were in a lull. So I joined up, I went to their IRC channel, and what I found was they weren't playing. I played a couple of CTFs as ATX2600, which is out of Austin; that's where I'm from. And nothing was happening. I was basically on my own still. So I found a Reddit channel for this team called Open to All, and I went and found their IRC channel, and there were like a dozen people in there, and I tried talking to them and got no response. They were all just sort of idling there and not really interacting with the community that they used to have. So I started playing as Open to All, and the difference was, while it was just me at the beginning, the name was very intriguing to people, because it's a very open name; it's inviting. And so after like one or two CTFs, someone found the Reddit site, they read the page, they came to the IRC channel, and we started talking. And so I wasn't playing alone anymore. After a couple more CTFs we had grown to six or seven people, and then over the last year and a half we have grown from almost no one to over a hundred people in our CTF community. It's a very active CTF community. We have a Slack channel, in fact I have it highlighted here, and we have all these channels. Now we're a large team, but not everyone plays in CTFs. Life has to take precedence, so people join when they can, and what we find is that for most CTFs it's like 10, or up to maybe 20 people if it's a big CTF. But it's become this awesome CTF community because we are open to all. We're open to everyone, whether they're a noob or they have a lot of experience, whatever it is. It's really about learning for us.

And so this got me thinking about gamification, which is something I was very much interested in earlier in my career, and I realized that CTFs are the perfect vehicle for gamification in the information security industry. The reason is that all of the challenges, which I'm going to talk about in a little bit, are oriented towards security, and you have these micro-learning events in a CTF. What's cool about gamification is it's a way to take a body of knowledge and make it fun and interactive. When you do that, people are much more engaged, and because those people are much more engaged, they retain information better. They learn more, and they associate things more, and you start building this body of knowledge. Because it's all information security focused, it is extremely valuable in our industry. It brought my technical abilities to, I feel like, a whole different level. In fact, some of these CTFs find the most modern exploits or recent vulns that have been released and build a challenge around that. So you learn about all these different things that you might pick up or hear about on Twitter, but you have to learn how it's applied and how to interact with it. The other cool thing about gamification is that because there's instant feedback, you get something called a dopamine hit, which is basically a shot of brain joy when you are successful. What's cool about that is it helps cement that knowledge in your mind, and then you have all these hooks that you can start building an even larger foundation on. So very neat stuff. And CTFs are the perfect vehicle.

So I want to go over the structures of CTFs and some of the challenge categories so you have an idea of what they are. A CTF, as I said, is a challenge or a puzzle, and the end result of solving that challenge or puzzle is you get something called a flag. In most CTFs that could be an MD5 hash, it could be a phrase in leetspeak, or something like that. Once you get that, you get points for it if you turn it in. Points might sound a little weird, but there are different structures for CTFs, and the whole idea of points came out of Jeopardy, the game show. So you have these different categories and you have different questions, and the easy questions are worth a certain amount of money, and as you go down, the harder questions are worth more money. The bulk of CTFs, probably 90 to 95%, are Jeopardy-style CTFs. So you have these different categories, and this is a challenge board, and each of them is ranked differently, and the ones with the most points are typically the hardest.

There's also another, less common, kind of CTF called an attack-defense CTF. This is where you have a system, and you have services that run in that system that you have to protect. So it's a combo type of CTF where you have both blue team and red team working together. Your blue team is trying to protect your system and your services, and your red team members are trying to figure out how to exploit them so that you can take down those services on an opposing team's system. Those are pretty cool, but they're less frequent. Actually, most of the attack-defense CTFs are run out of Russia and Germany.

So let's talk a little bit about the challenge categories. There are several challenge categories. The first one is reverse engineering. You essentially get a binary and you have to figure out what it's doing, what its purpose is, and then how to manipulate it so that you get a flag from it. That may be something like patching it so that it jumps over a block of code and goes to some other code and spits out the flag, or figuring out what variables you have to feed it so that it gives you the flag. You use tools like IDA Pro or IDA Free or Binary Ninja or GDB or strings. It could be anything.

Another category is pwning, or binary exploitation, which is a cool category. You also have a binary and/or a service, and you have to figure out how to exploit it through something like a buffer overflow or a return-to-libc or heap spray or return-oriented programming, those kinds of things, or ROP (I don't know how you pronounce it; I'm not a pwner). Once you do that, you get the binary and/or service to run a command or give you a shell so that you can then get a flag.

The next one is my favorite category: web challenges. You'll have a site and you have to hack it somehow. You either use XSS to get a session token from the administrator so that you can hijack the session and log in as the administrator to get the flag, or you're doing a SQL injection to dump the database, or something. Anything you can imagine, it's out there.

Another category is forensics challenges. This could include anything like disk images: mounting them, going through them, trying to find the hidden flag. It could include memory snapshots, using Volatility to go through and pull something out of memory, like maybe a TrueCrypt volume and also the passphrase, so that you can then decrypt that and find the flag in there. Or it could be using Wireshark to go through a packet capture and figuring out how someone exfiltrated data from a network through DNS or ICMP, and the flag is embedded in that, or USB, or something like that.

And then there's the black magic category, as I call it: cryptology. This is the category where you get something that's encrypted and you have to figure out what it's been encrypted by, what the cryptological method is, and what the weakness is in that method, and then once you decrypt it, you can get the flag. So it's pretty cool. This is actually a really good tool, FeatherDuster; a colleague, not a colleague but a person I know in Austin, made it.

And then there are the other three categories. One is recon, which is basically finding a flag that's hidden somewhere. It's somewhere on the Internet. It could be on archive.org, it could be retrieved through DNS enumeration, or it could be just on a website in a comment, and you have to use Google-fu to find it based on the hints that you're given. Another is programming/algorithms. You're given a challenge or you're given a bit of code and you have to fix it, or interact with a service, for example interacting with a thousand QR codes to get to the flag at the end. But you have to do it interactively, using something like Python. And then there's the miscellaneous category, which is everything else. It could be a hybrid of these different things, like crypto and web, or it could be something they thought of that's totally different.

And then there are hybrid types of CTFs as well. There are scavenger CTFs, there are social engineering CTFs, there are job CTFs. A friend of mine sent this to me, and it's basically some code that a company put out, and what they want you to do, if you look at it, is base64-encode the word "curiosity", attach it to the subdomain that I blurred out, and once you go there, there's another set of challenges that you go through. In fact, this one I think had four. I love doing these because I like to see how companies gamify the hiring and job process, which is pretty cool. So this is an Austin company that has like five or six different challenges, including a binary exploitation and reverse engineering. What's cool is that companies that do this kind of thing, that put this kind of thought into the hiring process, I think are probably a lot of fun, but they're also getting people to self-select themselves in and out of the position. And CTFs can help prepare you for these kinds of challenges if you're interested in that kind of thing.

So why don't people CTF? The reason I went through the long story about how I got into CTFing is because some of the principal reasons people don't CTF are that they don't know how it's structured, they don't know what's going on with it, which you now do, and they are also intimidated by what's involved with it. I'm hoping that you understand that now. The other thing is some people don't want to jump into a CTF and be around people. It's important to know that you can do this on your own, by yourself, or also with a team. So I hope that story helped you see that you could overcome any of those things that might be stopping you from moving forward.

The benefits, like I said, are very real, in that the knowledge retention is much better. You get exposed to technology, techniques, and vulnerabilities that you normally probably would not be exposed to, and it helps improve your problem-solving and creative-thinking skills. The other really big benefit is that if you do work with a team, or even if you don't work with a team, if you get involved in the IRC chats, you're going to find that you are working with people who are creative and curious and learners just like you, and they're very supportive. So you get in touch with, meet, and get to know some of the best people in the world, in my opinion. So come join us.

There's no one way to get into CTFing. Like I said, do it solo, or join a team. If you don't have a CTFing team in your area, I guarantee that if you go to a security event in your city and say, hey, I'm thinking about starting a CTF team, is anyone interested?, or post to a local OWASP chapter or whatever, you will find people who are interested in joining you. They're out there; people are intrigued by this, so be the person who starts it in your area. You can also join my team if you want, so we are open to all.

So let me go through a couple of resources to get you started. These slides will be available too, so go ahead and take photos, but the slides will be available. The first one is picoCTF. It was developed by a CTF team, and it runs year-long, and it has challenges from beginner to expert. It's a great introductory platform, so check it out. The other two sites, RingZer0 and root-me.org, are both challenge sites. You basically sign up and they have all of these challenges, hundreds of challenges in every single category, that you can just do on your own, and you get points for them and so forth. It's sort of like a CTF in a way, but it's a challenge site. These are just three of my favorites. There are literally hundreds of these sites out there, and sites that are specialized based on categories. So if you decide, hey, I'm really into binary exploitation, there's pwnable.tw and pwnable.kr. If you're into reverse engineering, there's challenges.re. There are very specialized sites for the things that you might be interested in.

If you're more of a hacker, if you love hacking stuff, check out hackthebox.eu. It's relatively new; I think it's been around for three or four months. It's a lot like the OSCP labs, in that you VPN into the network and they have like 25 machines that you can just hack. They're all different, and there's anything from easy machines (one of them is named Lame, that's the easiest) all the way up to insane-level ones like Calamity. So, awesome, and it's free.

Another resource that is great, both for hacking CTFs and CTFs in general, is Cybrary.it, also a free site. When I did the OSCP course, I took Georgia Weidman's advanced penetration testing course on there, and it is excellent. The video was a little blurry, because I think it was like the first one they put up there, but it was an excellent course. I highly recommend Cybrary.

So that is my presentation. The slides are going to be up on my GitHub here, and you can email me here, Ultraslogger on Twitter. I want to give a shout-out to Jeff Man right there, who was my mentor for this talk. I know he made it a lot better. If I had just done this on my own, you would probably have all walked out by now. He's MrJeffMan on Twitter. Also, thank you to BSides Las Vegas for giving me the opportunity to speak. So, any questions?

Audience: Hello? Okay, sorry. Got to get it real close. This may be out of scope of the whole entire talk, but I was just wondering, is there any way, like some platform or template, for creating your own CTFs or Jeopardy-style ones, kind of doing it internally with your team?

Matt Pardo: Yeah, so that's a great question. So there is: Trail of Bits has a guide to creating CTFs on GitHub, and there are CTF platforms. There's one called Mellivora. There's also CTFd; those are all on GitHub. Facebook released a platform as well, and there are a few others out there. So there are platforms for hosting a CTF, as well as how to run it. The hard part really is figuring out a date and getting people to build the challenges. But there are some guys out there for that too. Good question. Any others?

Audience: Well, if you have any... if you want to start CTFing, do you recommend trying to find a con and doing it at a con, or trying to go online and doing it by yourself first?

Matt Pardo: Well, doing it at a conference worked really well for me, but I essentially did it alone, so I really think it doesn't matter. It's whatever works best for you. So if you're introverted you can try solo, or just get a good friend that you know won't make fun of you if you mess up. But I guarantee no one's going to make fun of you. So it's a blast. It's an awesome experience. I highly recommend giving it a try. And if you have any questions, just email me anytime.

Audience: What was the style of CTF they were playing here? Something with blue versus red, and they changed?

Matt Pardo: Yeah, that's attack-defense. Because they have different services that you have to keep up. So yeah, it's more complicated. And actually what's interesting is, there's the DEF CON CTF; everyone's heard of the DEF CON CTF, right? So there are qualifiers for the DEF CON CTF. They're almost all, in fact they all are, Jeopardy CTFs except for one of them. But the DEF CON CTF itself is actually an attack-defense CTF. So it's kind of weird, but all the teams strive to go to DEF CON, or at least a lot of them do. But it's a different skill set. Good question. All right, well, thank you very much. Thank you all for coming. That's the end of our talk.