Welcome to the talk about CTF, capture the flag. These two are from the KIT team for CTF, and they'll talk a bit about it because they also organize it here at the GPN. Please, a round of applause.

Thank you. Cool to see so many of you here. Yes, we want to tell you about capture the flag, which is competitive hacking as a team sport. Who are we? We are Martin and Liam. We're both in the KITCTF team and both studying computer science at KIT, and apart from that we do development and security research work.

So who here has heard about CTFs before? We don't mean these CTFs, and of course also not these CTFs. So quick show of hands, who here has heard? Oh, that's quite a few. Still, this is an introductory talk.

So what are CTFs, in just a few bullet points? At their core these are competitions where it's about finding and exploiting security vulnerabilities. These are organized in multiple challenges containing intentionally vulnerable software, so someone placed an issue there and you have to exploit it. As the title of the talk says, this is a team competition, and most of the time they run during a weekend. For example this weekend: it's GPN CTF and SEETF. You can always check upcoming CTFs at ctftime.org.

So what are these flags we're talking about? When you get to exploit the vulnerable software or break some cipher, you will always end up with a recognizable string, which is the thing shown down here. You can then just take this one and submit it at the contest site, get some points for it and climb the leaderboard a few spots.

All right, what are CTFs not? It's not at all illegal or malicious hacking.
It's also not just taking known exploits, known vulnerabilities where there already exists some Metasploit module, and just applying it. And it's also not just brute-forcing some password. These challenges are organized in, like, four big categories, and Martin will tell you more about these categories.

Yes. As Liam has already said, no two CTFs are similar and there is no rulebook about what's a valid CTF challenge or what's a valid CTF category, but over time there have been four big categories that are pretty much present at every CTF event.

The first category I want to talk about is binary exploitation. Binary exploitation is about exploiting vulnerabilities in applications written in compiled languages. Still nowadays, most of these challenges are about exploiting memory corruption issues in C and C++ binaries. These issues are still pretty relevant in IT security today, so that's why we still find them in challenges. And also, while the underlying issue is quite old, this is still an evolving field, with new mitigations coming up and new bypasses for these mitigations being developed. Of course there are also challenges about exploiting other things. For example, nowadays we have a lot of just-in-time compiler bug exploitation in JavaScript engines. This would be an example for a more complex binary exploitation challenge.

The second big field is reverse engineering. Reverse engineering is about understanding a piece of software that you were given as part of the challenge. There you're mostly not given source code, so you just get a compiled artifact that might be stripped and optimized by the compiler, so it's pretty hard to understand what's going on there. But usually you attack this kind of challenge by using a decompiler or disassembler, or some dynamic analysis like a debugger, and try to understand what the software is doing. Here we also find a lot of C and C++ binaries, because these are kind of approachable for this kind of thing, and also there's a lot of tooling because these languages have been standard for a long time. But we also find challenges that just use newer languages like Go or Rust. There's less tooling for reversing these, so it can be a bit of a pain. We also find exotic challenges in this category: a lot of times people implement custom CPU architectures and compile binaries for these, so then you have to exploit or understand some application that was written for an architecture where no tooling is present for reversing it. And super obscure stuff: recently there was a CTF challenge where someone implemented a Rubik's Cube based maze as part of a LaTeX document. This is an example of a reverse engineering challenge where you were given source code, because LaTeX is not a compiled language, but still understanding what's going on is not a trivial effort.

Another big category is cryptography. We used to call it just crypto, but nowadays that's confusing people because they think about blockchains. Crypto is about attacking cryptographic protocols, both known standard protocols like RSA, elliptic curves or block ciphers. In many cases these algorithms are just implemented wrongly, so you can attack the implementation, or the author misused them. But that's not all; there are also a lot of challenges in this category that are based on cutting-edge crypto research. You have a lot of challenges that are based on post-quantum cryptography, things like lattices, so heavy math stuff. And as Liam always says, I'm too excited about this category because that's where I spend most of my time.

But yeah, there's web hacking. Web hacking is anything that involves HTTP or a web browser, or at least that's how I classify it. Here you find a lot of challenges that are based on the OWASP Top 10 list that you may have heard about. You will find the classical web security issues like SQL injection, cross-site scripting and other kinds of injections. But also, on the more difficult side of challenges, there are a lot of challenges that are based on newer browser APIs. Pretty much always, if Chrome ships a new API that's vaguely security related, there will be CTF challenges about it quickly after.

Okay. Now we've talked a lot about what CTFs are, where you can play them, how you play them, what the categories are. But we wanted to give you an example of how solving a CTF challenge can look like, and turning this into a demo isn't really trivial because we have a 30-minute slot. Solving CTF challenges can take a lot of time; it usually does take a lot of time. So you can spend a few minutes on a challenge, but you can easily spend tens of hours on solving a CTF challenge. So in this demo I will try to show you everything else and spend as little time as possible on the actual hacking, so you will understand everything else. So this is demo time light.

As we have already said previously, we are running a GPN CTF this weekend. So this is the website of the GPN CTF. You will get it, well, consider it's up there, but we'll show it again later. And what I'm doing now is something that's normally pretty problematic: I'm going to solve one of these challenges that I already know the solution to and show it to you while the event is still running. Normally this is strictly prohibited, don't do it. But yeah, since we are organizing it, this was all planned and coordinated, so hopefully it's going to be fine. What I'm going to show you is solving the rusty web challenge. We can just pick any challenge on the website. Here we have a description for the challenge, some information about connecting to the remote instance, and we can download some source code.
I already downloaded the source code here and extracted the archive. As I said, I already know the solution to this challenge, but I'm going to walk you through the steps that are usually involved in solving such a challenge.

First things first, we can look at the provided files. We get a fake flag file, so of course the real flag is not just present in the archive. We get a Dockerfile so we can run the challenge locally; I already did that as well. And then we get the source code of the actual challenge. How you would usually approach it is to maybe first have a look at what the challenge is actually doing. In this case it's running a Rust web server, seemingly. So if you think, okay, Rust, web, where could we try to attack this? I think the core server is a file that you probably would look at pretty early on. Of course this is fast-forwarded, but you see, okay, there's a method that's handling connections. It's having a look at the used HTTP method and it's parsing the URI we are requesting, and then there's this line that may look suspicious if you have some experience with web security, because what's happening here is that the web server is constructing the file path that it's going to read and return to the user. It does this by taking the static document root, where all the web server related files are located, and concatenating the URI path as the user requested it. So for example, if we try to load index.html, this is going to be /www/index.html and this gets returned to the user. Now the problem here is that if you try sending something like this as a URI, the concatenation of the two would be this, which is still fine, okay, index.html. But if we send this, this is equivalent to /flag, which is a path that does not lie within the original document root. So we just trick the web server into returning any file from the server. In a real-world scenario you could do something like this to leak /etc/passwd or any credential.

So okay, after we found the bug, probably in a bit more time than in this demo, we have to exploit it, because CTFs are also about exploiting issues. We can do this using curl. The only thing you have to know is the handy --path-as-is flag to prevent curl from already resolving these dot-dot-slash directory traversal thingies. So first we try the exploit on the local instance we already have running. That's all that is needed for this example, and we get the local fake flag. Now the next step is to get the actual real flag. So if you return to the challenge website and connect to the provided endpoint, here, that's not my laptop. In this case we have to solve a proof-of-work puzzle to prevent people from just spamming our infrastructure with requests. Live demo, awesome. Okay, I hope this won't take too long. Send this to the remote, and luckily the queue is empty and we don't have to wait for five minutes here. Okay, now we got a URL where the same Rust web server is running, but on our GPN CTF infrastructure, where there is no fake flag file but the actual flag. So we have to run the same exploit against this instance, and we get a real flag. So our last step in the CTF process is to submit the flag so we get some points for our team. Correct. Now we've solved our first CTF challenge, and with that Liam will tell us a bit more about more complex and more interesting challenges.

Okay. These challenges can cover a very broad spectrum. They start with these little introductory challenges, but actually go as far as pushing the state of the art of things like browser exploitation or kernel exploitation. To give you a bit of a feeling for that, I want to give you a high-level conceptual overview of another challenge from last year's HITCON CTF. You had to start by exploiting Chrome's V8 engine, then you had to break out of the sandbox, and then exploit the Linux kernel, and this whole thing was running in a VirtualBox and you also had to break out of there. Yes, and you got extra points for doing this in one exploit, and that's why it's called Fourchain, as a full chain. This is an instance of taking popular open source software and introducing some intentional bugs that are, for example in this example, not dissimilar from things that actually happen in the real world. But it could also be that it's just specifically crafted software for the CTF. One thing that is kind of a meme by now is these simple note-taking apps, and the meme goes like: if some IT security professional finds an actual interesting bug in some customer software, but they are not allowed to publicly talk about that bug because it's customer software, they re-implement this bug in a simple note-taking app and it ends up in a CTF. Also, for completeness, sometimes there is also just unmodified software, and then it's called Pwn2Own.

Okay, cool. But why do this? We can only answer the question of why we are doing this, and obviously it's fun. To be honest, it's also very frustrating at times, because you don't always walk in a straight line through the solution; there's a lot of trial and error and failing involved. But after that, it's even more fun if you solve it. You learn a lot. Here you're not expected to know every technique or every technology that is present in a CTF, but you're more expected to just read up on that on a weekend, so you learn a lot fast. You meet cool people, both in your team as well as from the other teams, and we'll talk about this a bit more later. And all companies want to hire you, obviously, but that shouldn't be the main motivation why you do anything.

Okay, cool. But how to get started with all of this? The answer to this is just: play these CTFs. Choose a CTF that features some beginner-friendly challenges.
For example this weekend at GPN CTF we have challenges that are specifically designed for beginners, that have hints in them to get you started. There are also other CTFs like picoCTF or CSCG. Just try to solve them, and if you don't manage to solve them, that's not a problem at all, because after the CTF there will be write-ups published, most likely by other teams who solved it, and you can learn from it. And it's much better to learn from it if you tried it than to just read the write-up. Following that theme, just join your local or online CTF team. For example, we here at KITCTF have weekly meetings where we discuss topics like the challenge categories we just showed you. And the rest of the slide is not here to overwhelm you, but to serve as a reference if you look at the slides again. These are just resources that we found valuable in learning certain techniques, so I won't read all of this, but it's here. Okay, Martin will tell us more about the cool people we meet.

Yeah, so you may ask yourself, okay, who is spending their time in front of the computer on the weekend? Okay, maybe not here, people are asking themselves that. But yeah, who are these people that are playing CTFs? Of course CTF is not a small sport, depending on what you compare it to, but there are a lot of people playing CTFs, and so we can't answer that in a general way. What we can say is that there are a lot of academic teams; so for example KITCTF is based at KIT. We also have non-academic people or non-students in our team, but there are a lot of teams that are originally based at some university. Then there are teams that are primarily composed of people that work at the same company. So for example Google used to have, I think, a big CTF team with Google security researchers. That's one group of teams. And also there are merger teams, and I think they're especially interesting for the community aspect: especially for big international competitions, teams merge together to form bigger teams and increase their odds of winning. This is also one cool way to meet other people even outside of your local CTF team, because you play these CTFs together with other people who also have good ideas and know a lot about exploiting stuff. Yeah, this is a rough overview.

And now that we know who's playing these events, it may be interesting who's organizing them. Most CTF events are just organized by CTF teams, so we have big, mostly yearly events like hxp CTF, PlaidCTF, ALLES! CTF, which are run by these teams. We have some CTFs that are organized by companies, so there's a yearly Google CTF, and Real World CTF; these are really big and successful CTF events. These are mostly online events, so you can join from wherever you are. There are also some CTFs that are part of conferences. I think the biggest is the DEF CON CTF at the DEF CON conference in Las Vegas. There's HITCON CTF, also part of the HITCON conference. There's the CCC CTF at the Congress, and of course GPN CTF here at GPN. These CTFs are cool because of course you can meet people in person, also from other teams.

Yeah, I think that's all we wanted to tell you today. I hope we could motivate some of you to have a look at CTFs and try your own luck. Of course the most important takeaway here is: go play GPN CTF. As Liam already said, we have beginner-friendly challenges, challenges from most categories. We already mentioned it in the Fahrplan: we are trying to do some kind of team matchmaking service. So if you think, okay, CTF sounds cool, but I want to play with someone else, raise your hand now and look around. We're going to give you a bit of time so you can actually try to remember who else here is raising their hand. Okay, let's see how this works. And of course a bit of Q&A.
I think we have plenty of time, probably. Yeah, and otherwise just ask us if you see us here at GPN. GPN CTF is still running until tomorrow evening, so more than 24 hours, enough time, and of course you can just contact us via email or Matrix. Okay, are there any questions?

First, thank you, cool. Is there a limit on the team members in these challenges and these events? So I think when Google comes with this huge amount of very highly qualified people, it's kind of unfair against a team of five or six students, at least from my point of view.

There are some CTFs that have a team member limitation, but most of them actually don't, mainly also because it's hard to enforce. Also, we've seen these big merger teams and these growing teams, and we're also part of one, but what you actually can observe is that it doesn't scale linearly. It's a lot of communication and it's much more about how in-depth your players are. So there are some with and some without.

I think I saw a question in the back there, or there in the front.

Thanks for the talk. I only read about the Necromancer virtual machine. I guess that's also a CTF, but it's not intended to be a team CTF. Is that correct? Have you heard about that one specifically?

Maybe I heard the name, so I can't tell you about this specifically. I could tell you in general there are some CTFs like CSCG which are solo events, so without teams. And if you say virtual machines, it might be like a crackme. Crackmes are a related topic to CTFs, which are mostly longer running. It's not a timeboxed competition; they are always there and you can just try your luck, and maybe this one is a solo thing, but I can just speculate.

Hello, do you have some recommendations for some interesting tools? For example, I guess everyone knows CyberChef, but do you have some lesser-known tools that you can recommend which are useful?

I think it's hard to give a general answer on that, because as we said there are a lot of different challenge categories, and I think most tools are especially useful for a single category. For example, if you do reverse engineering, I think you're going to use something like Ghidra or IDA Pro or some reverse engineering tools. I don't know, maybe I follow up on that. Yes, CyberChef is cool, and it's like for its own category. Then there are decompilers, and then there is a bit of software that makes decompilers better, like connecting it with debugging; a debugger sync tool is one lesser-known tool. I'm not sure if you heard about pwntools before; it's what we use day-to-day to interact with servers and kind of solve these binary exploitation challenges. But yeah, it's hard to give a comprehensive list of all these lesser-known tools. Oftentimes you just find a GitHub repository with like four stars and it actually does disassemble this old architecture that you're looking at. So yeah, maybe a bit of an unsatisfying answer there.

What about tools like ChatGPT? Can I use that? Is that forbidden?

Generally speaking, there are very few things that are forbidden at CTFs, though things like sharing flags or actually communicating with other teams about solutions, that's a big no-no. But tool-wise, I think everything you can use you're allowed to use. ChatGPT is fine, and I think there are some people using it, and it's especially interesting, it is kind of helpful in the reverse engineering context sometimes, because it seems to understand what some assembler code is doing and can give you high-level ideas about it. But yep, you can use pretty much everything. Are there any other questions? If not, then thank you for this talk, not only for this talk but also for organizing the CTF right here at GPN, and a last round of applause for Martin and Liam.
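Added example, not code from the talk or from the GPN CTF rusty web challenge: the path-construction mistake Martin walks through in the demo, written as a small Rust program with the naive concatenation next to a hardened resolver, plus a normalizer that shows where the naive path really points. The document root /www, the request paths and all function names are constructed for illustration.

```rust
// Added example (not the challenge's code): naive vs. hardened mapping of a
// request path onto a document root, as discussed in the rusty web demo.
use std::path::{Component, Path, PathBuf};

/// Vulnerable: glue the document root and the raw request path together.
/// "/../flag" yields "/www/../flag", which the OS happily opens as "/flag".
fn resolve_naive(doc_root: &str, request_path: &str) -> String {
    format!("{}{}", doc_root, request_path)
}

/// Lexically fold "." and ".." the way the kernel's path lookup does, so we
/// can show which file the naive path actually refers to.
fn normalize(p: &str) -> PathBuf {
    let mut out = PathBuf::new();
    for comp in Path::new(p).components() {
        match comp {
            Component::ParentDir => {
                out.pop(); // ".." steps out of the previous directory
            }
            Component::CurDir => {} // "." changes nothing
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Hardened: walk the (already percent-decoded) request path component by
/// component, accept only plain names, and refuse anything that could step
/// outside the document root. Returns None for a rejected request.
fn resolve_safe(doc_root: &str, request_path: &str) -> Option<PathBuf> {
    let mut out = PathBuf::from(doc_root);
    for comp in Path::new(request_path).components() {
        match comp {
            Component::Normal(name) => out.push(name),
            Component::CurDir => {}  // "./" adds nothing
            Component::RootDir => {} // the leading "/" of the URI path
            // ".." or a Windows drive prefix: never let these into the path
            Component::ParentDir | Component::Prefix(_) => return None,
        }
    }
    // Belt and braces: the result must still sit under the document root.
    // (Symlinks inside the root are a separate concern; canonicalize() if needed.)
    if out.starts_with(doc_root) {
        Some(out)
    } else {
        None
    }
}

fn main() {
    let doc_root = "/www"; // constructed document root
    for req in ["/index.html", "/./index.html", "/../flag"] {
        let naive = resolve_naive(doc_root, req);
        println!(
            "{:<14} naive={:<16} opens={:<12} safe={:?}",
            req,
            naive,
            normalize(&naive).display().to_string(),
            resolve_safe(doc_root, req)
        );
    }
}
```

The hardened resolver expects the request path after percent-decoding; decoding afterwards would let an encoded ".." slip past the component check. Rejecting rather than silently stripping ".." also gives you a clean place to log the attempt.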