CTF Environments as a Teaching Tool

BSides Delaware · 2017 · 20:09 · 58 views · Published 2017-11

We're all sharing summer experience we've had with different CTF competitions, voting lab environments in the classroom, and how that has benefited us. Well, like, CTF, like, in the classroom that we've practiced on, Alex usually makes them, and then, yeah, it kind of just gives us an idea of what we're going to see when we go into the competitions. And if possible, like, sometimes certain competitions will give us, like, the moai, so using that we usually build those and we just test them out, see with there

My first competition was in 2015, when Cybertron Japan I know you when I was doing fun camp actively helps me for the next one, the next competition, that competition on me for the next one. Once you start going, you start to see patterns, this once get easier, you start learning how these things work. So honestly, the best practice for a competition is the competition reporters. That's why, like, when we prepare to go to a competition, we look up that exact competition, and then a year before it, and see what they did and see what it was all about, trying to imagine what the questions are gonna be, what the challenge is like, and how it was set up.

What reservations, if any, did you guys have going to your first competition? I feel like hesitation is just like, I never did one before, you know, I don't know anything. But you're not gonna learn, you know, like social engineer people that you're scared of, like, doing the competition. They had a first time too, you know, they were like a new beats like you would be I'm doing in there. I actually got that

You've learned and applied in knowledge just from that short experience. First is like reading a textbook. When you're trying to learn about something, doing it yourself, it's better than just, like, reading from a textbook, you know. Just reading from a textbook, you're not doing anything, you're just like, "Oh, that's how it's done." But then, you know, you've said I enjoy doing, yeah, you get to use it. Yeah, for instance

So last 2016 NetWars, BSides DC, for example, there was a challenge where we had to find the 40-character flag and an unspecified manage. Okay, that's a ton of data, how am I supposed to throw that? You have to apply these simple tools and increases in a creative way to get the result that you want. So you can just catch all the main pages the screen grab them for any 4030 patterns, and the way that similarly, like, they might be set off, you know. It's because each time you go to these things are new challenges that may use the same tools, but you might be using a completely different way. Like CTF that we did in class, you're

like I no idea was doing, I just said didn't know which time. But by the time I did, like, NetWars and stuff that'd be signs, like, that was like I kind of, like, broke through, like, a wall that I'm just, like, stuck at it with, like, critical thinking. It was pretty fun, the fact that I was able to actually do it now. And how have you with students benefited from building competition environments? Okay, so we actually build two CTF environments in the classroom. So we have one based off Mr. Robot and we have one based off the 2016 election. So I actually

So this is the website you head on the began CCAP important you see one check the logon page. It's simple stuff at first; when it's started, it starts adding up, it starts getting a lot more fine-tuned. By the end you have to use the specific Linux there may be system, you have to figure out how to patch 49mm. You know what you want the students or the users that are doing your CTF to be jumping all over the place, getting off course. You want them to be going for the path that you intend to. So you have to learn how to catch all those 49 vulnerabilities and having for me and know in depth how that one works.

So that was some fantastic legs. So these are sites that we made in the class, and we have an environment that I run with this photographer, so we have volume in triangle same networks, we can turn on bone so we need to turn off the others and complimentary lithography. But this is kind of becoming a cycle where, in the capstone class, the outgoing sets associate sophomores, they kind of create this X lab environments, and then the students take the ethical hacking class in their second or third semester actually complete this

Those are all those stupid questions we had, Wireshark, things like that. We tried to incorporate that into the competitions, actually, so you made part of the competition, maybe now you've completed this, you have done a network capture, and here's the

ones I've been to, some observer Jeopardy, and some were kind of like, like the USC summer camp for this year, it was kind of jumpy style, more of the

it's so and simply with me, I actually came back to moderate the CTF while the teams are doing, so I was able to find out if I did anything wrong, how do so. So its security topics, so it's really getting into in depth. It's a lot of operating system, so how to secure either Windows or Linux operating system from the ground up, and that really applies to building the CTF, because I'm saying it was 49 abilities that you don't want them getting in, you have to completely secure that system.

so that if we need to go back and do maintenance or patching or not doing so many systems. So back to your question, how are they formatted? As I mean, you're done it works, both of the competition we set up have a similar style. The network's, we really like that format when we went, and we try to do the same type of style. So is seven five levels. First level, you have a Linux machine and you're in a standard user. The gateway to the second, you can get root; we never revoke access. The third level is the give us two web sites, so if the election, it was both candidates had a web site.

And then four and five is each of the internal networks behind the web site.

How are you helping the next group once you encouraged me to do better? Well, we're kind of in that stage right now. We're really creating similar systems to last year this new CDC, and we're kind of doing, like, practice run-throughs. Usually it's him, our teacher, attacking, like, I mean, he, like, would be going next year, and so it would like the attack a system that I have, and then how I'll try to keep them out. And then at the end we'll go through and they'll tell us, like, how to fix it or both who research, so that information stays on that. And we usually put all the resources that we use, so that way it's

kept on there for the next year.

This guy just had this script all made up and with the pumpkin here now spin out the privates me complete something. To kind of go back and see if, like, questions we didn't answer, see if someone has the answers to them. We learn from that, you study that, we run through it as well, we do it ourselves. Like I said, like, applying it rather than just reading how they do it. Yeah, it's not only we're going to succeed, it's where did I get stuck, where I make mistakes, how can I fix that for next time. You ever think about, like, a website Cynthia, so like different pages of different specific web server? That's something I

thought about, but there hasn't been any sense motion into stone. During lunch in house and the students would be and students are coming in to doing so means we run on our internal network and the students aren't there for doing so. It's just some hands both about, but it hasn't really become an issue yet.

[Laughter]

So specifically what you serve with the Linux machine, the premise is it's your friend's laptop, he's gone missing, here's his leg speciality fun. As you get farther in, the web server system Linux, and then you get into Windows enterprise environments on the internal networks, so anyone doesn't domain controllers, an email server, another there's a MS SQL server, so we are getting sort of it.

Yeah, yeah, we talk music try to spread it out of it.

[Applause]