
Good, go. Okay, so, welcome, hi everybody. There we go. See, this is going to be interactive. You're not going to be able to just sit; you're actually going to have to work in this one. I'm sorry in advance, but that's the point. Yeah, too late, they locked the doors. I'm Jordan. I don't have a bio; if you want to know that, talk to me later. There's my email. I'm better known as psifertex for CTF-related stuff. I've been talking about this stuff for years. By day I work for the man, by night I hack for the fun. So here's our talk. We're going to talk about what Capture the Flag is, why you would do it, what the motivations are behind playing it or running it, some of the skills, the parts of playing it, the fun things about it, and then I'll have a little bit on running a CTF, which probably won't be relevant to most of you, so I've kept it short and I'll probably run out of time before I get to it anyway. But if you're interested in that, I've got some content here and some other stuff that I'm going to link to that will give you more information. So again, can you hear me in the back of the room? The guys in the back, they did move. Awesome, sweet.

Okay, so what is CTF, Capture the... one, two, three. All right, better? Yes. And look, I even broke it out, you have like four letters, that was super easy that time. So Capture the Flag is a generic term that gets used for all sorts of different things. You see it for running around in a field with a flag. I actually gave a presentation on Capture the Flag once and it turned out some general was in the room, and he came up after and he was like, I like playing real Capture the Flag, like give me a field and a hill to capture and I'll take it. And I was like, well, then you would not like these games, but you are way too fit for this type of activity. But the idea here is that you're going to solve a bunch of challenges. They are wildly different in terms of the type of game and the style of game and the skills you use. The bottom line, the main feature, is that these games are challenges, right? You're not sitting in a class and taking a test. You are solving problems, you're breaking into things, you're stopping people from breaking in. It is security related, even though that gets twisted a little bit sometimes; sometimes it's just about the pure challenge. That's the point of it.

So, a couple of jargon entries. I'm going to use flag and key interchangeably. I'll talk about the key sometimes, I'll talk about the flag sometimes; same thing, it's the thing that gets you points. Sometimes when you solve it, it literally just auto-scores and you win; sometimes you get a key or flag that you submit to the score server and you get points. There are a lot of different ways that happens. SLA is a term that'll come up: service level agreement. You'll hear it in IT-type worlds; SLAs are what your uptimes are, your number of nines. In CTF it has a particular meaning. Many of the CTFs will score you on it, because it turned out that when people started playing Capture the Flag games, they realized that when everyone turns their services off, turns their computers off, they're really secure and it's a really boring game. So they started measuring what your uptime was, and they actually make you keep your services up, and they use SLA to measure that. Service or binary tend to be interchangeable for the types of games where you're actually running network services. Binary could mean literally just zeros and ones, it's binary, but it's also sometimes used to mean a binary like a file, a program, a service, the thing that's running that you're going to break into or defend, depending on the case. Quals and prequals. This is just a bunch of random terms; I'm so used to using some of these that they may not... make sure I'm in frame with the webcam, sorry. I'm so used to using some of these. If I say anything else that doesn't make sense, or it's a sort of jargon term that I forgot to put up here, ask me. Oh, there we go, nice, now we're in hacker mode, excellent, love it. Especially cool with the glow of the badges, I like that, extra awesome.

So, quals and prequals. Oh yeah, I want to ask questions of you guys too, so again this is interactive, and if you have questions, stop and interrupt me. I am tremendously ADD and so I like interruptions and don't mind switching back and forth. Quals and prequals, anybody want to take a guess? These are not hard terms. Qualification, prequalification. So this one's entirely redundant and it drives me nuts; this is sort of my pet peeve. People use the word prequal to talk about a qualifying round. So DEF CON CTF, for example, has a qualifying round that you participate in, and if you qualify
then you play in the finals, and everyone calls it a pre-qualifying round. But what is this, the thing before the qualifying round? Anyway, that's just my little beef. Okay. But ultimately, these things are hacker games, right? That's the whole thing. I actually have that game too, although I stole the picture online. It's a hilarious little game. But these are essentially just hacker games; they're fun, they're games, and that's what kind of makes them interesting.

There are three basic models that I argue you can fit all Capture the Flag games into, one of these three models. This is a little military jargony. You'll hear blue team, red team exercises; it kind of comes from the military background, where when they run their own testing games they would have a red team and a blue team. The blue team is the defending team, right? So if you're on the blue team, you're the good guys. Well, I like to be the offense, so I'd say the red team's the good guys, but that's another story. So in a blue team exercise everybody is defending; the people playing the game are defenders, and so they just defend services, and then the organizers or some other third party are the attackers, attacking everybody. A red team exercise, obviously, is the opposite: you playing the game are all attackers, you're all offensive, you're all problem solvers, and you're all just attacking some kind of central thing. There's one central thing that's defending, and everyone's trying to break in. I think the CTF that's being played now is a little bit of a hybrid, but it's mostly a red team exercise; you're mostly breaking into other stuff. There's a little bit of hacking other teams, but that would come in here, the real hack-the-other-team kind of CTF, which I call full spectrum. The CTFtime website, which tracks a lot of CTFs, uses the phrase attack-defense, because you do both attack and defense at the same time. I think full spectrum sounds fancier, so that's why I use that term. The idea here is again that everybody who's playing is both offense and defense, and so you are defending your server and you're attacking everybody else, and they're crazy and ridiculous.

Here's a quick overview. There are probably hundreds, I didn't actually count because I'm lazy, but there are dozens and dozens of CTFs of all different sorts. These are just the ones that I tend to play and the ones that I'm more familiar with; again, there are lots and lots of them. So in terms of the blue team exercises, who's heard of CCDC, the Collegiate Cyber Defense Competition? Who's played in CCDC? Raise your hand. There we go, a couple of you guys. And Hack@UCF, by the way, just won the Southeast Regional, so a round of applause for those guys. So this is a sort of nationwide competition that's sponsored by DHS and SANS and a few other folks, and they have regionals, all the colleges compete, and they're all defenders. It really is a boring competition in my mind, because you just sit there and change passwords and update your things, and the offense gets to cheat and the defenders can't do anything interesting. It's really boring, so not my favorite type of game. I'm a little biased though. And then of course on the offensive side, your red team games, you have things like the DEF CON qualifying round; Ghost in the Shellcode is a CTF I run; PlaidCTF; and there's a bunch of others. These tend to be the more red team, offense-based CTFs. These are nice because they're easy to set up, relatively easy to set up, there's still a lot of work, and I'll talk more about that later, but it's pure challenge: you just go, you solve a puzzle, you solve a challenge
and you kind of move on. So as a person playing it, it's less investment in a lot of ways than the full spectrum ones. There are relatively few of those. I actually managed to find a number of them, but they tend to be all in person, because you've got to set up infrastructure; a few of them are VPN-based. But that's where you're attacking each other, and those are kind of nuts, and a lot of things are different in that kind of CTF. Any questions? I'll stop randomly for questions if I'm not sure you guys are awake. So, questions, and I won't continue until I get one. I'm not bluffing. Could be an easy question. Where's the best place to start, which one of those previous slides? Great question, just to get it going. Probably none of these. That's the problem, and one of the points that I'm going to bring up is that the entry level into CTF is... most people wouldn't go and join the CTF I run, because I build this CTF for the guys that win all these other CTFs. And so there's this group of, well, in our little world we're well known, like a dozen other people know us. There's a couple dozen teams, maybe 20 or 30 teams, that are playing a lot of these things, and it's kind of their own little world. So it is hard to get in. CSAW, actually, Cyber Security Awareness Week, is a program out of NYU Poly, and their qualification round is meant to be more entry level. I think... is it only open to university students? No, I think for the qualification round they let anybody play, but for the finals they sponsor university teams to go and play. That actually is a relatively good introduction; they try to make them easier. The best thing you can do is play old ones online. You can generally look at the skills, the type of CTF you want to play, the skills that you're interested in, and then go play those types of CTFs and just put the time into it, kind of build your skills there. And then you'll start getting into more and more, and then you won't have weekends anymore, because there are that many CTFs. That's a good question, I need a better answer for that actually. What's that? Next week? PlaidCTF is next week, yeah. So there's literally one of the best CTFs next week. It's a little difficult though, that's the only problem; they try to make a range.

So I made a timeline that I just put up online. This is some random website online where you can make timelines. It's about the history of DEF CON. I don't think anybody here really does, do you? I mean DEF CON's cool, it's neat, it's like the big daddy, the granddaddy of all these things. I put way too much work in; I didn't sleep, but it just was mapping which hotel it was in, who won the game, who organized the game. The only interesting thing to note is that this game, DEF CON in particular, has been going on since '96. So part of that, people wanted me to mention this, is the context of the game: this has been around for a while, DEF CON CTF in particular, and
there are a lot of other CTFs that have been ongoing for years, although it's really taken off in the last, I'd say, five years or so, where you have this explosion of just about a CTF every weekend. So that's kind of interesting, but not really. The only other interesting thing to know is there's a new organizer this year, so it'll be fun to see what DEF CON turns into, or what changes happen from that. I'm optimistic; the guys that are running it have played before and know the game and should do a good job, although they didn't get a lot of time to organize for it. So they're not sleeping, speaking of having weekends, getting ready. So here's the Jeopardy kind of board. This is what the DEF CON qualifying round looks like; it's got just a bunch of categories.

All right, so why would you do it? I've talked a little bit about what these things are without going into details; we'll talk some more about some of the technical stuff. Why would you do it? You can get jobs. I actually got my current job mostly because I play CTFs. They took a look at my résumé, they're like, oh, you play CTFs, oh, that's interesting, okay, maybe you can actually do some of this stuff. You get skills, like nunchuck skills. Sorry, is it that early, really? That flat? No joke? Okay, sorry. But really, this is... so I hate running, right? I really just don't enjoy it. Some people really enjoy that, that's awesome, I'm glad that you do, but I don't. But I love playing basketball, and so for me basketball is a sneaky way to get exercise. I've tricked myself into bettering my health by playing basketball, because I think that's fun, even though I hate running. CTFs are the same way. Not a lot of people really enjoy just sitting in classrooms all day long learning. People like learning, they just don't necessarily like classrooms and the way they teach. But when you can play a game, you can make it into this exercise and this challenge, you're beating other people, there's a score, that's fun, so you're tricking yourself into enjoying it more. I think that is fun. Money? No, not really, you don't win a lot of money. This is not like the World Series of Poker. I'm making your life difficult with the camera, aren't I? It's good exercise, you can track me, I'll move around. Okay. Cred? Not really. There's not a lot of people that actually even know what this world is. You'll get recognized by about a dozen people if you've won a bunch of times in a row, so, super cool. You can actually get a little bit of money. So here's a black badge that DEF CON winners won, and somebody auctioned off one for a charity and got 3,500 bucks for their black badge. You can only get this badge by winning different events at DEF CON, and the biggest event, where you can win eight of the badges, is the CTF. But again, that's not really the real reason you do it. The only really good reason, besides that you learn and get the skills, is that it's fun. Again, this is a challenge, you're tricking yourself into learning, getting better skills, and that's going to benefit your job, it's going to benefit these other things, but really they're a lot of fun. I mean, who doesn't want to hack something, right? I've always wanted to hack stuff, but I don't want to go to jail, and that's increasingly common if you do that. I met Stephen Watt actually yesterday, and jail sucks, it turns out. So don't do that. Don't do things that are illegal. I know that it's tempting sometimes, because you can, it's easy, but don't do that, that's a bad idea. Instead, go play a CTF. It's a legal framework, much like the lock picking village: don't become a burglar, but lock picking is awesome and fun, and getting those skills and learning how they work and understanding how things operate is a great thing to do.

All right, so speaking of fun, let's talk about some challenges. I've chosen some challenges that are not the easiest of challenges but that have some fun tricks or fun quirks to them. The easiest challenges will literally be word puzzles, things you can quickly Google, trivia on all sorts of things that are kind of fun to learn, and
they run the whole gamut depending on the event. But this is one from back in 2006. It was a reversing 400 challenge, and so you open the... who's used IDA before? Not bad, I'm impressed, okay, good. So if you've used IDA before, what can you tell me about this binary right off the bat? Like if you cross your eyes and don't look at anything, what can you tell me about this binary? I'll give you a hint: some colors that might be relevant. It's very hard to see. Don't look at the letters, that's what I'm saying; literally squint, cross your eyes, don't try to focus on the details, look at the overall, what might be something you can look at from the 20,000 foot kind of view. What's this color right here in IDA? Sam, I'm going to call on you if nobody else answers. Oh come on, what is this? The sections? These are different sections of the binary. Blue is data. What's that? It has a lot of known functions, right. So this is, it knows what this stuff is. This is all code, all these functions here, and the purple ones are things it recognizes, like IDA opens it up and says, oh, that's libc. It doesn't have the source code, but it can analyze the binary and figure out what these functions are, so those are the purple ones. These unknown ones are just called sub_ functions, but these are all code. This is all just data. So this thing has as much code as it has data, and it turns out if you look through the code you're like, I don't see anything interesting, but if you run the program it does this encryption loop thing. So obviously they've hidden something in there. I'm not as good of a reverse engineer as the folks on my team at the time, and so they were like, oh sweet, and popped open IDA. I didn't even bother. I'm like, run it, see what it does, and it tells you usage: encoder string. So you can encode something, and they give you an encoded file. So an encoded file and a program that encoded it, so you have to reverse out the algorithm. And I was like, oh man, that's hard, I'm not so good with the IDAs, especially back in 2006, I was terrible with IDA. So if you actually disassemble it, you can create a function in that hidden thing and you get math, and math is hard, you know, I don't want to do that.

So I looked at the file. Okay, so they give you a binary, which you open in IDA and it's too hard, and then they give you this encrypted file that this binary output, and it's kind of gibberish, I don't know what the original stuff was. But it turned out that I just put a bunch of stuff into it and encoded it and looked at it, and I put a bunch of other stuff in and encoded it and looked at it, and I noticed that if I changed just the last letter, two bytes of the output would change. And so I went to the first letter and changed it, and two bytes of the output would change. So I was like, well, it looks like pairs of inputs make pairs of outputs. I can brute force that, right? This is movie-style hacking. So try all possible pairs of two letters, a through z with a through z, and look at the output until I match up with the first two bytes of the encoded thing, and I get "be", and then I do the next two letters, and so on. And so I literally wrote... I don't code either, I'm a really terrible coder, I can script in Python a little bit, but again, to the point: you can start without knowing a lot of programming languages and work your way into it. So I just loop over this. Although, does anybody here like a little bash? Anybody a bash junkie? All right, I put a little Easter egg in here. You couldn't actually do this in 2006, because bash 4.0 is where they added this syntax and it wasn't out in 2006. Anyway, sorry, I really like bash, I thought that was super exciting. I did it that way so this thing would fit; I used to have a through z spelled out. Anyway, so I broke the crypto. Does that make sense? You guys kind of get what happened? Instead of encrypting the message where all the bits of the input get mixed up with all the bits of the output, just two bytes in a row made two bytes of output. So I just tried all the bytes until I got the two that matched, and then I went to the next two, and I did four bytes where I only changed the last two bytes until I got four bytes that matched, and I just did this two bytes at a time, by hand, with this script. It was ugly and dirty, but I beat the pants off the guys that did the reversing. They were all off in the middle of it, and so they just watched me actually do that.

All right, so here's a challenge from Ghost in the Shellcode. I'm going to go really fast through the slides, by the way, and skip stuff so we can do more questions at the end. Does that sound good? Or do you guys not have that many questions, and then I'll slow it up? Then it's all for time. I got one? Sure, nobody else cares, okay. Ghost in the Shellcode is a CTF that we've run four years in a row now, I guess, yeah, four years, at ShmooCon up in DC; it's a conference there. We had this fancy board and challenges. So here's a challenge from Ghost in the Shellcode: "what the heck is coming" is the name of the challenge. You get this thing, it says "what the heck is coming", and you get a file with this random name. So I'm going to give you the secret workflow. This is how you solve 80% of all CTF challenges that are forensic, file-based challenges. First, number one, you run file. Who's used file before on a Linux system? You type file, space, and the file name, and it's like, oh, it's this. It just tells you. It's a great tool. It's also wrong sometimes, so be careful, and especially in CTFs, people love to put in challenges that screw with file. They will intentionally mess it up, so you've got to keep in mind that it might be lying to you, or they might have explicitly done something that looks like one thing but really isn't, because that's the kind of evil jerks that people who run CTFs are. So you run file on this thing and it tells you it's gzip compressed data. Who knows what a gzip compressed data file would normally be called, what file extension? Exactly, .gz. You were telepathically debugging; this is actually a .tgz, but yeah, it's usually just a .gz file, and you can gzip and gunzip a file. So if you do that, it turns out it tells you... in fact, if you run a different version of file, it'll tell you that the original file name, which is encoded in the gz format, was 43. You unzip it and you get this really weird file where things are out of order. It's pretty obvious, sure enough, that things are not in order.

So step number two to solving most of these challenges: read the spec. This sounds intensely boring, and again, this is the kind of thing you would never want to do on a Friday for fun, like, I'm going to sit down and read some RFCs, kick back in a hammock, right? Usually not. Maybe, good for you if you do, but during CTFs I do this all the time, and I love inflicting this on other people. I abuse some really weird quirk of a format, of a specification, something that most people wouldn't even bother reading, and then I'll take advantage of that in a challenge to force people to learn something interesting and new they didn't know. And so this part of the challenge was something I did where it turns out, if you read the spec on gzip, which I happened to be doing only because I was making challenges, not because I was bored in a hammock, there's a quote right at the top that tells you a gzip file consists of a series of members, compressed data sets, and the format of each member is... and they give you this header. But the point is, when you normally gzip something it makes one big member. Pardon? Don't go there. Just don't go there, no image on that. It makes one big member, but the spec says you can have lots of these things in a row, no additional information before, between, or after; you just concatenate them together and that's also a valid gz file. But no tool handles this well. No tool handles this the way you would expect. So if you have a bunch of chunks with separate file names, say one with file name 01, one with file name 02, one with file name 03, and you put them all into one big gz file, which I did, then when you uncompress it, it's going to be out of order. All these different things are just going to cram all together, even with separate names that might have indicated a different order. So if you read this, or if you just look in the file and realize, wait, 43 is an odd name for a file, and
you analyze it internally. You could also run... there's a tool called binwalk, which is a really handy tool that scans for other known files within files, and it would say, hey, there's a gz thing here, there's a gz thing here, there's a bunch of gzip headers, that's weird. So some people didn't get to the spec; they just noticed there's a bunch of gzip things concatenated together and figured, oh, I'm just going to undo the order from that. But in reality there was actually this specification that says you can do this with a file, which I thought was kind of neat. So anyway, now you have to extract and rearrange that. I'm not going to fit it in a slide this small, but what you essentially have to do is break up this file into all these separate pieces. You just look for the bytes that mean "this is the header, this is the header". You could do it by hand, it would be tedious, or you could write a little bit of Python. There are also writeups for these challenges online, so if you Google that text in the title, you'll find the Reddit joke thread, and then you'll also find our CTF challenge writeups, where other teams that play our CTF explain their solutions and they've got code that you can cheat with. But don't do it first, right? Do it by hand first, and when you get stuck, look at their answers. So you extract it, you rearrange it, you put it back together, and then you go to step one: start over. So now we've got some new file, and now we get to that tarball. So the guess earlier was right, .tar.gz files are really common. Tar is essentially a thing that takes a bunch of files and sticks them all together with a little metadata around it and some other information, and then gz compresses it; it shrinks just single files, normally. And so a tar.gz is kind of like a zip: it takes a bunch of files, puts them all together and compresses them, even though it's two separate things done together, because that's the Unix way, right? Little tools that do individual things. Okay, so let's start over, and then we run file. It turns up the tarball, and so we don't have to read the spec on tarballs, although sometimes you do; it's good to do because you may find things you didn't know were there and make challenges that use that. Then you extract it. So you extract it out, and you get a bunch of things: you get an HTML file, you get these WOFFs. Who knows what a WOFF is? See, you would have learned something new, everybody else would learn something new playing the CTF, which is the best part about it. So you could open the HTML file and look at it and see, oh, what is this doing, and it gives you this text, random paragraphs of text in different fonts, and if you look at the source you see that the fonts are these particular files right here. So now I'm going to go back to the other major rule of CTFs: Google everything. Everything you see. You see a hash, Google it. You never know; you'll decrypt hashes all the time that way. Just search it, you never know what you're going to find out. And if you were to Google this word, you'd find out that it's actually a joke on a Reddit thread about kerning, font kerning, which has to do with... fonts are really complicated beasts, really complicated beasts. You would be very surprised; there's a whole virtual machine in the Windows kernel that can run code that exists inside of fonts. Craziness, right? But anyway, kerning is this font technique, and so if you had read that at the beginning you'd be like, all right, well, this is a font-related thing, that's interesting, and then, sure enough, we've got some fonts. All right, so now you know there's something to do with these fonts.
So any guesses on what we do next? File the font. File the font, and it will just tell you exactly, it will just tell you it's a WOFF, Web Open Font Format. What do you do next? Decompress it, or read the spec? There we go, yes, read the spec. Give that man a cookie, right? Read the spec. So the spec for WOFF is a W3C one; Firefox originally wrote it, and the standards guys were like, yep, that sounds good to us. So you read the spec and it turns out they describe all sorts of interesting things, and there are some tools you can analyze the header with without reading the spec; you don't have to read the spec, but if you do, you'll learn a little bit about the file format. You learn that there's this header, and there are these compressed chunks with a certain type of compressed data, and one of the chunk names was called GitS. So if you parse out these fonts, and you can do it a couple of different ways, you could write your own parser, you can download... I always do apt-cache search woff, apt-cache search font, and find the package on Linux that can deal with fonts, and there are some tools that will analyze fonts and dump out information and tell you the different record names. And the one that was there, you'll see one's called GitS, and again this is the Ghost in the Shellcode competition, and so GitS is the acronym for it. I thought... you guys don't look as excited as I was, but it was really fun. It was really fun, trust me.

All right, so playing. How do you get skills? What do you do? Just a few skills you might be interested in that you would need to play the games. The bottom line is: get a good team of other people, and you're going to learn from each other. Find the guy that really likes the crypto, find the person that really likes the web hacking, find the person that likes binaries. Get everybody to have their own little niche, and then you'll come together and work together, you'll learn from each other, and you'll be effective as a team. So team building is actually a huge part of this, and teams that play as a team will do far more effectively. But there's one true secret to success. Somebody who hasn't seen this talk before, in the two warm-up versions I gave of it, want to answer: what do you think is the one most important thing for playing a CTF, the one attribute or skill that you have to have? Persistence, absolutely. You just have to keep trying.
Right, this is the most important thing. Don't give up. It's really easy to give up if you get stuck. Bang away at it for a little while and then go get help from somebody else. This is especially good in between CTFs, in the lull; take the off-season, so to speak, to build up, to practice, to learn. Go back and read other people's writeups and see how they solved things, and as soon as you start getting a little bit of momentum you're going to be like, I will never give up until I solve this particular challenge. You won't sleep, although you should. As an aside, you should sleep; that's an important thing that most people overlook.

So I wanted to do some specific resources, websites and URLs. If you want to go do this, these are the things that you need to know about, that you need to learn from. So first, there are actually three separate calendars. I maintain this one, captf.com; it was also capture.the.fl.ag, but that domain was too expensive, so I let it lapse, although I think HockeyInJune may have picked it up and hosted it for me. So there's a calendar there that's actually a Google Calendar, so if you use Google Calendar you can click "add to my calendar" and poof, all these Capture the Flag events show up in your calendar. So you'll see that next weekend there's this PlaidCTF coming up. The ForgottenSec wiki has a list of a bunch of conferences there as well, and ctftime.org. You'll see captf and ctftime.org show up in a lot of these resources, because they're both really common websites for a lot of this stuff. CTFtime has this whole complicated ranking system, although it's not complicated; it should be TrueSkill, which Sam has proposed. He's given them the code, he's like, here, use this algorithm, it's better, but they haven't yet. So that's our excuse for why we don't care how poorly we do in the rankings. But so there's a ranking thing, but they also have an upcoming calendar, they have an archive of old events, and they link to the challenges, they link to writeups. It's actually fairly well done; it's all fancy Web 2.0 stuff too, so it looks pretty, which is nice, and they're maintaining that really well, so that would be good. The main reason I put up captf many years ago was because there used to be websites that would come up that would host a couple of CTF things and then disappear, and you couldn't find good archives. So that's an archive going back seven years of a bunch of CTFs I could get my hands on, so there's all sorts of old stuff there, which actually, yeah, skipping ahead, other archives. There'll be one link at the end where these slides are; you'll get all the links there, so you don't have to write this stuff down. Questions? Any questions, or other
comments? I warned you before.

So other than, like, I know I've already asked what's a good way to start: a couple Defcons, you walk around the room, you can watch, but a lot of these, like you're saying, are online things. Is there an arena or something where you can see activity that's going on in real time, so that before you want to take the jump and try to start doing it yourself you can get a little more used to it?

Yeah, so that's a good question. Yes, this is inherently not a great spectator sport for the most part. I mean, people have tried to make it such, but it doesn't work out all that well. Supposedly the guys that are doing Defcon this year are going to try to make it more interactive or more exciting for the audience; I don't know what they're going to do. They don't generally encourage... well, the teams spy on each other like crazy; we're evil, right? So when you want to come over, it's unfortunately, you know, negative pressure, because we quite literally have spied on other teams, no question, and they do it to us, and that's part of the game. It's a hacking game, so if you're not cheating you're not trying, within reason. There are rules you don't break; I have an old Defcon talk I gave, I link to it later on here, where I talk about some of the... there are some rules you just don't break because they just ruin the game, and if you're going to ruin it, why bother playing, right? But certainly cheating is an important part of the game, and so spying on other people, yeah, they're going to let somebody walk up and look at their screen and take advantage of it. So unfortunately that means that people don't trust you. Like, we literally had bodyguards that would just stand there and be like, can I help you? You know, shielding our table at Defcon. You may have experienced this. I apologize.

My first year there, it was just... not so much you, but just the first year there walking around, it was like everybody was just like, get away.

Yeah, yeah, it's not a friendly environment. You can watch the scoreboard but you really don't know what's going on. There have been very few attempts to do that, especially for the in-person ones like Defcon itself, and Defcon is so competitive, it's really one of the most competitive ones, so that's part of the reason why you see that. But some of the online ones, you can hang out in IRC; most of them will have an IRC channel associated with them, and that's often a lot of fun. You kind of see the challenges that different people are working on, and then after it's over you'll see people talking about how they solved different things and interacting. You'll see a lot of trolling as well. So the one thing I forgot to put slides on, sort of the culture of CTFs: there's a lot of misogyny, there's a lot of trolling, there's a lot of just outright rude, racist, terrible things. There's some... not the prettiest of things going on. It's kind of like, I don't know, it's its own culture, and some of them are better and worse than others, but I want to at least get that out there. Like, don't go to Defcon with young children, because the things they do to sheep on the videos are not appropriate. I would not take it to... Defcon Kids? What do you mean? There is Defcon Kids; they should stay away from the CTF. Although I hope they're going to get better this year; I don't know if they will, I don't expect it. Knowing they already announced last year, the 21 this year, and drinking, Defcon itself, right? Yeah, there was, yeah. See, that was one other tactic in the CTF: drink, get the other teams drunk. Actually, free alcohol for anyone who's competing against me. So the CTFs themselves don't
generally have great interactive modes. What you usually will see is forums developing around them. So there are the online games, right, where you're playing over a weekend; PlaidCTF is coming up, it runs, it stops, and then you can see the archives, but the game's essentially over, there's a winner. And then there are the other ones that run permanently, which is what this slide actually is, see how I did there. So the practice CTFs: there's a whole bunch of always-on, always-there challenges you can go and pick up and do. Most of these will have forums associated with them, where people are talking about the challenges, working on them, so if you want to get a hint without getting an answer, there are people that can help you with that, which is kind of a nice thing. There's really no substitute for having a group, which is why it's great to see that UCF, for example, has their big student club that they're kind of putting together just this last year, which has been exciting because it's like my own backyard. I'm from Melbourne, Florida, so my backyard; I grew up in Oviedo, so this is exciting to see that this is kind of happening here. I've been to a lot of other universities where this is going on, but it's awesome that they got a team here. You know, find a hackerspace and get a club there, find friends online, and kind of band together, because that really will make a big difference in terms of encouraging you to participate and play. UCF's team is, what's the new team name now, Kernel Sanders? It's still Kernel Sanders, okay. They've gone through different names; I was one of the founders of it many years ago. A friend and I just were like, hey, we should have a club, and then... it's still around, so yeah, this stuff is fun, right, it kind of self-perpetuates. But playing with a team is important. So they're always running, there are forums, you can get a lot of help.

Yeah, good question. There are a bunch of videos. I mean, if you learn better, you know, orally, audio, whatever, with your ears or with your eyes, you could see these. These are some of the folks: Hacker Joe was one of the original Kenshoto guys that ran Defcon, really made Defcon CTF what it is in a lot of ways; like, the design of the game that we play today is essentially the one they built. I spoke at Defcon about playing Defcon CTF in particular and how you would organize your team, and some more details for that particular CTF; they may be less relevant to some other CTFs. Like, you would organize a team for CCDC very differently than you would organize a team for Defcon, because there are different challenges, different skills, different things you can and can't do. I do a lot of hiring for my job; we have a fairly large office of people that do this kind of stuff, and I've hired more people who've been kicked out of CCDC than have won CCDC. We've hired both, but we've just had more that got kicked out, because that's the kind of mindset I have. Chris Eagle, who is an instructor at the Naval Postgraduate School (I'm going to make you keep up), is like one of the godfathers of CTF. I talked to him recently; he said he's been playing since Defcon, is it seven or eight, I think, and it's Defcon 20 now. He's been playing or running Defcon longer than I think anybody else around. Like, I've got a streak of playing for seven years in a row; I don't think anybody else has managed that in the finals, but that's only because Eagle was running it. If he was still playing he'd have been in those finals as well, and have a much longer streak. So there's another one from Mike Arpa; there's a ShmooCon round table discussion about organizing a CTF as well. So before you're going to run and organize a CTF, you should check that out: a bunch of different folks that have run big CTFs talking about some of the challenges and lessons.

All right, running it. We're doing pretty good, so I'm going to go relatively quickly. First, has anybody seen Schlock Mercenary? Somebody? Really? Is that a yes? Yes, we
have one, see. It's an awesome web comic, right, it's really funny, you should check it out. Howard, what's his last name, I don't... it starts with an N, anyways. It's a good web comic. He has this really funny kind of recurring joke called the 77 Maxims of a Maximally Effective Pirate. It includes things like: pillage, then burn. You know, it's important to get that order right; like, you don't burn and then pillage, that would not work real well. But it's actually for space mercenaries; it's out there, anyway, it's really funny though. Based on that, because another friend that does CTF was equally a fan of this, and we were kind of talking about some of the lessons we learned, things that we wanted to teach people, we came up with the Many Maxims of a Maximally Effective CTF. So before you think about running a CTF, I would highly encourage you to read... the URL has a longer screed online, it's like my manifesto; in fact it was originally named a manifesto, but we didn't want to freak people out, not that this is any less scary as a name. And so here are some of the kinds of things; I'm going to go through them again real quick. I don't expect most of you in here will want to run a CTF, but so you at least are aware, these are going to be things that a bad CTF will do, and you'll recognize it. I've done it before, some of mine; I mean, it's hard to get right.

People hack for fun, not for frustration, right? The biggest complaint about a CTF is that it just wasn't fun, like, I didn't enjoy that. Again, the whole point of doing this stuff is because it's a good challenge, it's fun, it's exciting, but if you get frustrated, if everybody who plays your CTF is frustrated, you didn't run a very good CTF. Now this is hard, because that means difficulty is really hard to scale, because if you make it too easy, the people that are really good are like, well, that wasn't fun; if you make it too hard, the people that don't have experience are like, well, that wasn't any fun. So sometimes you have to pick an audience and make it fun for them and just be unapologetic about it. Sometimes you have to just be really good about a scale of difficulties; there are very few CTFs that do that, that's really hard. So it's a good goal to aim for, but again, it's very difficult to get that level right.

The scoring mechanism should always be the easiest challenge. There's one particular CTF I like picking on called iCTF. Giovanni Vigna is a professor at the University of California, Santa Barbara, is one of the other staples of CTF, has been playing for years; Shellphish was a team that won Defcon many years ago, they've been playing for a long time, and they've run this iCTF for a number of years now. Their scoring algorithm takes a spreadsheet. Like, one does not simply score in the CTF; you have an algorithm and formula for when you can score and when you can't score, and just to even understand how to play the game is most of the challenge. Like, once you get it you're like, oh, okay, then I should just do this, now I can actually go solve this technical challenge. But they make the game itself part of the challenge, which is one of my pet peeves, because people get very frustrated, like they don't even know what they're supposed to do to try to win the game, because that's opaque, it's way too complicated. Maybe he has some very good academic reason; he's a smart professor and does some good research, but I don't like it. So make the scoring really easy and obvious and simple.

A related one to that, I don't think it shows up later, is your key: for example, if you get a key, you should know when you got a key. Oh, this does come up later, I think, right, because sometimes you've got the answer and you don't even know it. One pet peeve I have is people would just make a URL the key. So you're doing a bunch of challenges and you unpack a file, you get something, and then you get to a URL and you go to the URL and you're looking for the next challenge, and the key was the URL; you just had to paste that into the scoreboard and you'd have been done. But if it's not obvious that that's the key, it's really irritating. And we did that this year at Ghost in the Shellcode, which kind of annoys me, for a 50-point challenge. That was evil; sorry about that, guys, if you played Ghost in the Shellcode, that was cruel. So that's basically this: you should know when you're done. Like, you might not know how to get there, and so maybe your challenge is to figure out how to solve it, but once you've solved it, it should be obvious that you've solved it. You shouldn't have to guess every time you think you might be done. Koreans do this a lot; there's a lot of guessing at Korean CTFs. They make great CTFs, but they tend to be more brute force, just keep trying until it works.

When the next step requires a leap of faith, be sure to include a bridge. One of the biggest insults people give a CTF is that it requires lots of guessing, right? And this is hard, because you want to make a challenge that's difficult, but you don't want it to be so random that you just have to try different unrelated things that no one would reasonably expect to be tried. And so it's very difficult to strike a balance. The only way to do that is to try to give hints; multiple paths is another good way of doing it. I like breadcrumbs, right? So I like to have little discrete challenges, like that font thing: you knew when you reassembled the tarball correctly because it extracted correctly, so it was sort of one discrete challenge. You solve that, and then there was another little challenge that was, you know, the next thing, so you knew you had made progress. If you have a bunch of different steps you have to do but you don't know when one was the correct one, it's really frustrating.

Homage honors but duplication doesn't: like, don't rip off somebody else's; that's just an overly wordy version of don't be a jerk. Learners always win even when winners don't learn: again, the point of this is learning, and so you
don't have to win the CTF, and you can have a lot of fun, you can learn a ton, you can have developed skills and improved and be really happy and have had a great time dead last, right? That's completely possible. So it's fun to win, a lot of people are very competitive about it, but learning is really what is going to energize people, when they learn something new.

Your point estimate... yeah, if you try to do points they're going to be wrong. You're going to have a 400-point challenge, like that other one I mentioned earlier, that somebody can solve with a bash script; they're not supposed to be able to do that, right, like they didn't intend for that to be a solution. And likewise you'll have a 50-point one that's really hard: we had hundreds of teams playing in our Ghost in the Shellcode challenge and only 18 solved our easiest 50-point challenge, because we made it more obnoxious than we should have. So you can either fix it on the fly or just say I'm sorry a lot.

Yeah, some other ones: "that's good enough"; competitors are more clever. This is a pretty fun one: no matter how hard you think you make it, when you put it on the Internet... at a small conference that's not necessarily true, but when you put something on the Internet you've got lots of teams that do this a lot, play a lot, and they will come up with solutions you never thought of, they will do it faster than you could ever imagine. There are a lot of really good people out there doing this stuff. Learning starts where prior knowledge ends, right? So find something that nobody has ever seen before, that people haven't played with, and force them to go into that, force them to learn more about that. But don't do it so that it's frustrating, right? Again, the whole point is to make it so that they can have some progress and enjoy it, because that's what it's going for.

Okay, all right, so that's it. I think we've got just a couple, maybe two minutes or so, not too much... five minutes? We got five minutes, excellent, for questions; that's about right. Thanks. So folks, here are the slides; this right here has the slides, so if you want to grab just that URL, they were uploaded as of like 5:00 a.m. What's that? Take a picture? Just... I'll email it to you. Yeah, sure, you'll get lots of interesting spam. Okay, so questions? That happened very quickly. No questions? That boring, that easy, that trivial, that complicated? No feedback, it's all good. Who's going to play a CTF now? There's a great segue: there's actually a CTF going on in the village now, how convenient is that. And so I've talked to these guys; this is a good CTF, they're really trying to make this kind of an entry-level CTF. It starts with a little bit more of a pen-testing flavor kind of CTF: you're going to break into some server, you can use existing tools kind of out of the box, so you can learn some of the basic pen-testing type tools, but as you progress in the challenges you're going to have to do stuff by hand, you're going to have to extend the tools or fix things or do stuff on your own that nothing's going to solve automatically for you. So that sounds like a good balance; I'm excited to play with it if I get time. You should too. Anything else? All right, oh wait, question.

A CTF, and you have different styles, so which one do you think would make more sense for a beginner CTF?

I think the most common one, honestly, is the red team exercise, sort of like you just put up a bunch of challenges and people solve them. It's the most common, it's probably the most fun, and why most people play CTFs. If I can click enough... that's like a fake Prezi, by the way; I like Prezi, but this is like the PowerPoint version of it, you just do a slide transition, you chop an image, anyways. Yeah, the red team is just: put a scoreboard up, throw a bunch of challenges on it. That to me is easier to set up in many ways, because you can just do a bunch of independent challenges; you don't have to build a cohesive server, although you can, you can actually make intricate paths through multiple servers and lots of... those can be a little hard, because with one difficult challenge you get stuck and you can't get to the related, later stuff. The nice thing about the sort of scoreboard is that if this one's too hard you go to this one, you try other ones, you can do multiple things, although from a competitive aspect that favors bigger teams, so that kind of has that trade-off. But you said multiple paths: multiple paths through the same problem is a really good way to do it, right? Any time, like, you can either solve it this way, or if you go this other route I'll give you a hint that kind of puts you back on the right path, maybe I'll tell you. So for one... I had an image challenge; one was out of focus. There's a piece of software that actually just magically will make it in focus, and I thought this was the most amazing thing ever. If you've ever seen this software, it literally will take blurry photos and just fix them, and you can read things you wouldn't otherwise be able to read; it's ridiculous. I was like, I'll make a CTF challenge out of that. It was an easy challenge, but if you started opening up the JPEG, reading the spec, and going to the embedded metadata, it said: no really, the challenge is exactly like it sounds, you just need to find a way to make this be in focus, there's no other hidden embedded metadata. Like, it told you: no, go back that way; yeah, good try, you were looking in the right... you know, it's not a bad idea, but now go back and just try to find the right software that would actually make this picture be in focus. Right, all right, one more.

Why do in-person CTFs have such terrible music playing all the time?

Ghost in the Shellcode had excellent music. We had a DJ, live streaming video, like a video DJ; it was over the Internet so you could stream the broadcast, so I argue we had good music. As for the rest I make no excuses. Yeah, Defcon especially is not all that great; they'll have some good tracks but it can be bad, loud. It can be either bad and quiet or loud and... All right, thanks everybody, appreciate it. Anybody know he hav