
that would explain it testing testing mic check one two three
awesome all
right good morning everybody uh my name is Nicolle Neulist rogueclown hey blue I answer to just about anything seriously um so anyway I'm here to talk a little bit about Capture the Flag um the capture the flag they're actually having one here at BSides Detroit and it's starting in about half an hour you know surprisingly enough contemporaneous with the end of this talk and if you've done 80 bajillion capture the flags maybe this isn't quite the talk for you but if you've never done a capture the flag if you've done one or two and not quite sure about having your feet under you on them yet if you're interested in learning more if you don't know what a
capture the flag even is then this is totally the talk for you and I suggest you stay um it's only half an hour I promise not to be too scary thank you and you know this title says it all if you can if you can open the terminal you can in fact capture the flag now what do you really need to do Capture the Flag first of all you need creativity I've said this before I'll say it again I'll probably say it five times during the course of this talk people who design capture the flags who design these challenges are devious you know they are security nerds like you or me or a lot of people here and you know
when writing these challenges they're not just necessarily going to be like oh you know let's just put MS08-067 on here everyone's going to pop it call it a day have fun um they want to be as creative writing the challenges as you are in solving them so you know you need a little bit of thinking outside the box you need to be curious I mean you're going to do a CTF and you know no matter what kinds of problems there are which is a topic I will get into in a bit it's probably going to have some stuff that you don't know or it's probably going to have some concepts that maybe you've seen before but
they're being applied in a way that you haven't seen or they're being combined with other concepts that you may not know as well again capture the flag is often not so much a question of real world vulnerabilities that you'll see you know day-to-day in your job as it is a puzzle game a lot of the times and persistence I I don't know how many Capture the Flag problems that I've just looked at I don't know how to solve it I try I go back to it I don't know how to solve it and when I started doing Capture the Flag I would get frustrated really easily and you know even now that I've been doing capture
the flags for a couple of years is it that I get frustrated sure I get frustrated all the time and I think anyone who does capture the flag is inevitably going to get frustrated but it's a question of what are you going to do with it are you just going to you know set it aside screw it I'm not doing this Capture the Flag anymore I haven't solved anything no because that's no fun and you're really not going to learn a whole lot if you give up after five minutes on a problem that you don't know but if you keep whacking your head against it and trying to solve the problem then maybe you'll solve it and
even if you don't solve it you're probably going to learn a lot during the course of the research that you do now one thing I've heard so many times when I've talked to people about capture the flag and one thing that I'm sure I said plenty of times when I was thinking about starting doing them you know years ago I'm not good enough for capture the flag you know capture the flag is for those people who you know elite hackers blah blah blah no that's not required at all the first Capture the Flag I ever did was it was back in 2009 um they don't do it quite in that same form anymore but ShmooCon used to have a
contest called Hack or Halo and it's exactly what it sounds like there was a hacking competition that lasted maybe two or three hours so it was a pretty short CTF and a Halo competition and you got points for hacking and you got points for playing Halo and at that point I wasn't working in infosec I wasn't working in IT in fact I was law I was a lawyer at douchebag and douchebag LLP not doing tech anything but I was playing around with computers in my spare time and starting to realize that I liked that a lot more than I liked slinging law books around and I decided hey the CTF is only a couple of hours why not and so I mean I
gave it a shot and I was so I was so embarrassed about my lack of skill that I didn't look for teammates I even anyone who suggested it's like no you don't want to be on a team with me I want to do I I want to do this alone I suck I promise all I'm going to do is drag you down I solved a couple of the challenges you know a couple of the easier computer challenges got a couple of the lockpicking challenges because some of the on-site CTFs have physical challenges lockpick and that was something that even then I was reasonably good at but you know I'm not sure that I got as much out of that or
other CTFs that I've done later without teammates but I feel like I still got a lot out of it and I mean like I said I I think I had first picked up a Linux box less than a year before doing that CTF so you don't need to be elite you don't need to have been around forever you it's a it's a good way to start because you know it throw it throws you into the fire you start picking up things you start figuring out okay this is what I need to learn now what kinds of CTFs are there what can you expect to see in a CTF there are mainly two kinds of CTFs that are out
there there's one called Jeopardy style and one called classic style Jeopardy style is referred to as Jeopardy because you know there's usually kind of a board laid out and challenges in various topics with different point ratings you know 100 to 500 one to 10 that sort of thing um and they're discrete puzzles sometimes they build on each other but not usually and you know the 100 200 level are usually considered easier the 400 500 are usually considered harder sometimes it varies sometimes it depends on what you know you know there have been CTFs where the 100 level problem was killing me but maybe I got the 200 or 300 straight out because it just so
happened to mesh with how I thought you know if one problem is driving you crazy the nice thing about the Jeopardy style is you can you know hop to another and go back to it because there's a lot of you know different stuff different ideas that you're going to see different problems to do the classic style is Real Time attack and defense you know you have a machine up on a local area network or VPN and not only do you have to you know defend that machine find what's wrong with it patch it keep those Services up but then you also have to go out and you know hack on the other team's machines um I've done a lot more
Jeopardy style CTFs than I've done classic style CTFs in fact the first classic style CTF I did was the RuCTFE which is um there's a group in Russia that does CTFs for mainly Russian universities and that's what the RuCTF is RuCTFE is the extended version of that basically anyone in the world can get together a team and as long as you can you know get together and get on that VPN and play the game it's a lot of fun it usually falls around Thanksgiving I actually was here in the Detroit area and did it with the MiSec team last year it was a lot of fun I mean we had we were split into different parts of
the team we had people who focused on defense we had people who focused on writing attacks writing patches on you know operations it was it was a real undertaking and it was neat to see just how different it is to organize a team for Jeopardy versus organizing a classic style team like Jeopardy can be a lot more ad hoc you know okay who's online who wants to do the reverse engineering problem who wants to work on web app problems Etc whereas I mean the classic style you've really got to have your stuff together because you need people patching Services you need people you know attacking services and capturing Flags because usually the score is based on
some combination of that and now that kind of goes into what sorts of problems you can expect to see on the CTF basic basically if there's any sort of skill discipline study that relates to security you're probably going to see it somewhere on a CTF you're not going to necessarily see everything on every single CTF but crypto exploit writing forensics programming reversing trivia web applications it's not even a complete list but these are kind of the the things that I feel like I see the most when I'm doing CTFs or practicing CTF style problems but it's literally anything um which is nice because if you feel like honing a skill that you already have you'll find something in a
CTF to do that if you feel like learning a skill I mean like crypto for example I I really need to get better at crypto like I can recognize a base64 I can recognize an MD5 but that's really about it I definitely can't go deep in depth and tell you you know how RSA works for example and you know there are problems that require you to be able to know all of the math behind it and through CTFs I've realized okay this is something that I need to get better at now what kinds of tools are you going to use first of all operating system environments it's really nice to have you know I've got a Linux environment as
well as a couple of Windows environments that I use for hacking on CTFs you know I've got a BackTrack box I really need to update it to Kali one of these days but I haven't quite done it yet because I just I don't know I've made so many customizations to that old BackTrack 5 R3 box that it's going to be so sad to let it go um and then I have Windows because even though I don't really prefer to hack in Windows I mean if you've got a .NET reversing problem it's going to be a lot easier to toss it in a decompiler on a Windows box that can deal with it natively than to mess
around with it in a Linux box and a lot of times time is of the essence you know that example of the ShmooCon CTF that only lasted two or three hours is a little extreme but most CTFs tend to last two or three days um scripting languages it's really helpful to know how to code at least a little bit you don't have to be the best programmer on the face of the Earth my goodness I'm not but you know if there's something that you see and it's like oh you know I can script my way out of a jam like it doesn't matter what it is like learn Python learn Perl learn Ruby learn bash
learn PowerShell like it doesn't matter what it just matters that you know you need to be able to script at least a little bit you know enough to possibly talk to a network socket enough to you know automate going through like I there was this one crypto problem I remember doing where I was just basically like I knew it was going to be one of like thousand or 10,000 things and by God I wasn't doing that by hand so it's really helpful and you know it definitely gets you better because it gives you more situations for applying your scripting skills and then you know security utilities just basic command line basic command line utilities um intercepting
proxies the stuff that you would use day-to-day in like manual security tests you know you may see that in a CTF one thing you're not going to see is scanners like I'm not going to use like Nessus or Metasploit or anything like that in a CTF you know that's not to knock on those tools because you know when you're when you're doing a pen test they're very helpful but you know the point of a CTF is usually not to scan a network and find known vulnerabilities again it goes back to the fact that the CTF organizers are completely devious they're writing these weirdo challenges and you know there's not going to be an existing Metasploit module for you know
reverse engineering 400 for the CTF now remember what I said earlier about the fact that in my first CTF I was so nervous that I was such a noob that I wouldn't get together with a team that was ridiculous and that's in fact the stupidest thing I've ever done when it comes to a CTF like don't be me don't be that guy um get together with a team it doesn't matter if it's some of your co-workers some of your friends you know some people that you hang out with on IRC um I finally ended up getting together I started doing CTFs with MiSec sometime last year and it's made a world of difference it's made me a
better CTF player not only because I've picked up new skills in continuing to do CTFs and I'm more motivated to do more CTFs because I have friends to do it with but when you're trying to solve a problem you'll go down this rabbit hole and sometimes that's the right way to solve it and sometimes it's not really going to get you anywhere and it's nice to step back and just be able to talk to somebody and say hey you know this is what I've done on this so far it doesn't seem to be getting me anywhere do you have any other ideas and you know the vast majority of flags that I've captured it's been at it's been in
significant part because of bouncing ideas off of other people um it's nice to have a group of people with different outlooks to craft a creative way to solve these problems so yeah I just wanted to thank I wanted to thank all of you in MiSec for being awesome and for being fun to capture the flag with and seriously if you're nervous to join a team don't if you know somebody who CTFs talk to them if you don't know anyone who CTFs um ask around ask Twitter ask IRC or ask your friends who don't CTF but may like to program or play around with security because it'll be fun now kind of feeding into that the whole
thinking outside the box thinking around the problems you do go down these rabbit holes and I've gotten frustrated sometimes and I've written you know potential solutions and just not taken any notes about them and sometimes deleted them and that's a really bad thing to do um it's happened that you know there was a CTF I was working on it was the um it was the Ghost in the Shellcode teaser and I was um I think it was the crypto problem I believe and early that morning I was you know trying to think of the trying to think of okay what to do they seem to be suggesting like cryptographic hashes and poems and I
don't know what in the world they're talking about but maybe there's some cryptographic hash in a poem or described by a poem or something but I thought that was completely stupid and I didn't write that down and I forgot about it and I went down some other rabbit hole for some other problem and then several hours later after thinking about it again and you know talking to Jeremy I believe um I'm like oh my God it is a poem and sure enough I end up finding this court document where Apple used this haiku which was which was not even well formed which drives me nuts because I don't know I'm a little bit of a poetry nerd
but you know there was in fact a poem being used as a being used as a key and I had to just you know change my Google terms just a little bit but I think if I had written that down it might not have quite taken me so much time to think oh wait that's how it's to be done so no matter how ridiculous the potential solution you think up just leave it there write it down bounce it off of somebody else it's a lot better than just discarding it offhand and not talking to anybody about it now writeups writeups are a topic near and dear to my heart because because you know a lot of times you
won't solve all the problems sometimes you'll play a CTF and even though you're with a team none of you will solve any of the problems and it's okay it's not you know it's not like it's the end of the world if you don't capture any flags that weekend but you know you're going to wonder how were they solved and you know writeups are writeups are great a lot of teams will you know teams or just individuals will post stuff on their blog will link it off of CTFtime will link it off of ForgottenSec wiki and you know read them enjoy them work through them because you're not really going to internalize it if you're just reading it
that was a mistake I made at first I read these writeups without actually trying to work through them and it just didn't stick and you know in addition to reading them and working through them if you've worked on a CTF and you've solved a problem please make a writeup like use your notes that you take during the CTF it doesn't have to be long it doesn't have to take you forever but post it in a blog post it in a wiki post it somewhere even if some other people have written writeups you may have solved it differently than another team I mean I've seen problems and four or five different teams will have solved it
four or five different ways and people who are reading have so much to learn from seeing the different ways people solve it so if you're going to compete in CTFs writing up problems is a great way to contribute back to the CTF community and back to the hacker community why do I have two copies of that slide that's a little silly so now you're asking yourself okay you know there's all this stuff I can learn it's a lot of fun to play with a team how do I get involved how do I actually start doing Capture the Flag competitions um no first of all CTFtime.org is great because it has a a schedule of upcoming CTF competitions
and you know some of them are at conferences but a lot of them are online and you know if you're like me I don't play a lot of CTFs at cons um I like running around I like being social I like talking to people that I only see at cons and that's a lot of what I get out of coming to events I'm not really want to you know sit over my computer and play a CTF all weekend when there are all these people who I never see but but you know if I'm at home that weekend then yeah it's a great time to be sitting over my computer and talking to everybody on IRC and let's solve these
problems and let's capture these flags fortunately a lot of CTFs nowadays are remotely accessible so it's really easy to do that and a lot of these are listed on CTFtime.org CTFtime is also a great source for writeups another site that I really like is the ForgottenSec CTF wiki and that has a selection of writeups it has a list of conferences and other events that frequently put on CTFs so you can look to see if there's one coming up um you know it doesn't have specific dates usually like CTFtime does but it usually does have kind of the time of year it's like these are the ones that do it in April May June etc
another really nice thing that's that ForgottenSec has is a lot of links to practice problems and you know practice virtual machines because even if there's not a live competition going on there's still a lot of resources for problems that will help you build skills to apply in CTFs um you know some of my favorites include um SmashTheStack has a lot of good problems um if you want to play around with web applications the OWASP vulnerable web applications virtual machine is amazing it's got everything from you know WebGoat which is basically I don't know what web vulnerabilities are and it walks you through from you know square one all the way up to more realistic style web
applications to try to hack into um another one is Exploit Exercises it's a couple of vulnerable VMs to hack around in um there's there's a long list I'm not going to bore you with the list but both on ForgottenSec and also captf.com/practice-ctf those are lists of a lot of good online um you know some of some of them are contests with scoreboards and some of them are just like okay here's a bunch of problems let's see you know how you can rise through the ranks get through the harder ones and it's nice because there's stuff available for any and every skill level now um I'm just going to touch on a few bugs if you will excessive noise I
think I just did touch on um if there's you know too much else going on at a conference or some weekend where there's a CTF it's okay to skip and do the next one you know it doesn't have to be it doesn't have to be the everything in your life I mean that's another go going back to the whole you know I'm not elite enough for CTFs blah blah blah you know I'm not obsessed with doing these all the time that's fine you're still going to get something out of it even if it's one of many hobbies that you have um session timeout just don't keep working on it don't you know try it for five minutes say oh I can't
do this and go away like put the time in put the thought in and put the research in and you're going to learn something and tunnel vision that's one of the big problems that I have like I'll have this one idea of how to solve the problem and it gets to be so hard to break out of that one box um and I know I I know it's hard I can't just say don't do that because you know easier said than done right but I think that's a huge part of the value of having teammates because different people will look at it different ways and you know even if everybody has their own little tunnel vision their own one
way of looking at it five different ways you start discussing it's a lot easier to break out that way um that's pretty much all I have I've got a few minutes left for questions so does anybody have any questions about CTF what you can get out of it how to get involved
anything thanks for you're asking the CTF is actually starting as soon as this talk finishes it's in the Waterfront room um the organizers are in there they will be able to get you started and get you going um there was a joint CTF between BSides Chicago and BSides Detroit but even if you did not participate at BSides Chicago or in any of the challenges between BSides Chicago and BSides Detroit there is still a BSides Detroit specific leaderboard there's still you know a chance for you to win prizes accolades hugs from your friends um and still a chance for you to learn a lot it's going to be going on starting now really until the end of the
conference does anybody have any other questions sounds like no so thank you all so much for oh oh sorry you're folding your shirt I thought there I thought there was a hand up um thank you so much for coming um if you have a chance please do go to the Waterfront room and you know check out the CTF hack all the things meet some new friends and I'll see you all around the con [Applause]