Maybe you need to come to me and work to see the best and to run CTF exercises inside your company, or just with your friends, and basically to have fun. And then I work at Isovalent and this is Natalia, who is working for Chainguard, but this talk is not specific about companies or running specific tools. It's basically giving you a kind of city here, virtually; please come to say hello.
Has anyone seen this comic strip before from XKCD? So for me, this is a problem that we have at the moment with ourselves, in that we learn something new, but we're too afraid to be able to share that with someone else, because we're afraid that if we open up to say, oh, have you seen this new thing, and someone says back to you, God, yeah, I knew about that already. How come you didn't know about that? It's something that I feel we need to overcome. We need to be more open, and this demonstrates exactly how I think of it. I had the role of a trainer for a while, just helping people get started. The first time they popped their first shell out of a container, it's that magical moment where it's like, oh, God, actually, I can do this again and again, and being able to share that with people is just epic. So what is a CTF? It's somewhere between a company off-site, an escape room and the movie Saw IV. If you go into the escape room and someone's like, well, I'll get out of here by throwing a chair out of a window, congratulations, you've done it, but we probably need to respect our boundaries equally. We need to put CTFs in place that are achievable, because if the CTF has a keyboard that's about a foot away from my hand and I'm chained back and there's a hacksaw next to my hand, that's too intense. We need to make it a pleasant experience for everyone to attend. So what is a flag? It's actually an objective inside a CTF. Sometimes it can be compared to save points in computer games, when you achieve something. So it can be a main task or it can actually be a side quest, and then basically it contains information about what you should do next, or where you should look in the upcoming tasks. And there is also a concept of red teams and blue teams. The red team is basically the adversaries. These are people who are trying something that they are not supposed to do.
And then basically the blue teams are the defenders. So they are trying to prevent something that the red team is not supposed to be doing. And then, for whom is a CTF? So we are here in all different ages and sizes; the point is it doesn't really matter who you are. A CTF is for everyone, with all these different perspectives and different kinds of experiences. So for example, someone who has been a Kubernetes operator for 20 years views things differently from someone who has been in this area for the last four or five years. So we have all different kinds of experience, and that's fine. This is what a CTF can drive us for. So to that, I feel very much like the Sonic on the left here, in that everyone sees my imperfections, everyone knows the bits of information I don't know, because I constantly beat myself up just thinking that I'm not good enough to be in any role. But actually it's the other Sonic on the right. People see this, I hope; sometimes people see this anyway, but it's the basis that if I can share information with people, then it helps them get on to the next step. And if we keep thinking of ourselves as just not being ready for this, then we're never going to share. And this GIF is a little bit too busy for me, but I realise that we had a number of images of older games before, when you were gaming, but it's about building up infrastructure now for us. We want to be as close to reality as possible, so when we spin things up we probably want to do it in the cloud. Now, in saying that, make sure you've got your scripts in place so that you can spin things up quickly, but as well as being able to spin things up quickly, if you're doing a CTF you're probably going to have some vulnerabilities in place, like we're going to be doing in our CTF today.
Having it up and open to the public is also a problem, because if someone else finds your cluster and pwns it, make sure you've got your teardown script to give you that confidence. And it's never going to be perfect; like what we're about to show you today, I'm really setting this up well. It's not perfect yet, but we'll strive to get it there, but the most important thing is that we share it. And finally, when you are running an event, make sure that you've got respect in place. Like I said, make sure that everyone feels included. I gave a talk earlier this year about threat modelling, and one of the key things for me is to make sure that everyone has a voice. Everyone feels confident to be able to say, this doesn't look right. If on your first day you see something and you're like, this doesn't feel right, being able to raise it up to another team for them to review and say, actually, that's a great save, because that could have really been a bad day for us. So at this point I think it's time to get our game on. Yeah, let's do it. So I've still got internet access, I hope. So we've created this repo, and this is what we're going to send to the attendees. We've based this scenario on, well, let's go through this. We've based this on a taxi company called Fubar, and so someone who works at Fubar was paid $10,000 to send across their password. So this could be done by OSINT, by just seeing that someone looked on LinkedIn to see that there's an engineer within this company, looked at their Twitter profile and then saw that they like going to track days, and then you offer them $10,000 if they come first on track day and they're the only ones going to the track day. That's one way we could get around this. So from that we can see that we've got the username and password, and we also find a public website where we can use that.
There's an email chain there, and we've also done our OSINT on this company, and so Fubar are proud to announce that every taxi they have is Fahoma. So Fahoma is a trademark taxi for Fubar, and in their press releases they've also noted that they've got ride-based automotive control, as they call it, RBAC, and with this RBAC that you have in place you are able to upgrade your rides and pivot into your next ride. There's also something they call Beep Beep. So Fubar wanted to give back to the community, so they've written an application to manage all the traffic lights within Detroit. We also find out that they're proud that it runs in memory, and in the event of a crash it writes out all the logs. Finally we've got Boombox. So Boombox is a feature: everyone likes singing in their cars, but when you're in someone else's car you're not so much, so we're trying to encourage it by being able to give you lyrics to the songs that you're listening to. Yeah, so that's just some of the OSINT that we have going into this. So with our credentials here we're going to go into the GitLab instance. That's a little bit too soon, wasn't it? So I'm going in here and I can see that we've got the Fubar taxi. So looking through this readme I can see there's a couple of files here. Make sure to give them a 5-star rating afterwards. We've got, oh, there's one of our flags. And in the readme it says clone this repo, get up to speed reading the history of our commits. So what's happening there? And also the storage of an S3 bucket, and we're using that to manage our config to our cluster. There's a key and a secret to keep the credentials safe, but it gives us an endpoint and a client to use. Now if you're hosting an event, or if you're writing your own, these are the pieces of a jigsaw puzzle that you're giving to people to put together to make that beautiful picture of whatever it is. But you need to start giving some people some hints, to make it a bit more enjoyable.
So let's go and have a look in our commit history. So looking through here you can see that we had issues about two hours ago, but we'll forget about that. What is .envrc? So .envrc is a file that you can put into a directory, and if you use a client tool with it, if you've got export variables in there, then it'll put them into that shell when you go into that directory. But the two interesting ones that we can see are that we've got feat and we've got fix. So if a feature of ignoring an .envrc file is quite quickly followed by remove .envrc file, that suggests to me something might have been committed. So let's just check it out. What's there? So here we see our first secret. So we've got a flag of Icky Thump. Does anyone know what the Icky Thump reference is to? Byron? Yes, White Stripes. So Jack White's from Detroit originally. Yes, bravo. So we've got our first point. So remember when we came into this CTF we just had a username and password to gain access to GitLab. Now we've got some credentials, and if we went back to the readme we would have seen that we know the endpoint that we need to reach to be able to get access to it. So is that okay for everyone in the back? I heard everyone shout yes all at once, so we're all good to go. Only because I couldn't remember this straight away, I've just got a script here that's just configuring my AWS bucket with the credentials that were given, and we're connecting on to the endpoint. Now I didn't check if this was running earlier on, so let's hope that it hasn't changed. So catching the AWS creds, and we can see that it's downloaded the creds to a foobar cred. So I could have done an ls here, sorry. It doesn't matter, we only live once. I could have done an ls and just seen that there's a single config in this S3 bucket. Now have a look at the config file that we just downloaded. So what's there? So this to me, and I think for most people in this room, this looks like something I could use with kubectl. Yeah.
It looks like a cluster configuration. Can you just connect to it? Yeah. So I can pass through the kubeconfig parameter, reference the config file, and then I can get pods, and I can see that I've got access to the home pod. So just before I pass to you, I'm just going to make this a little bit easier for us to go forward, and I'm just going to pivot, just in case we lose the shell afterwards. Just going to move it in there, so kubectl get pods. Sweet. Okay. I'm going to pass to Natalia. All right. So let's just check it out, what this home pod is doing. So let's just inspect the YAML file. All right. So for me it actually looks like it's an nginx service, and nothing suspicious. So we can see that the security context is actually not set. And then how can we modify this pod to be able to access the host and basically fine-tune this car to drive around the whole of Detroit? So what we can do is actually set the security context privileged to true and set the hostPID and hostNetwork flags also to true. So how this configuration would actually look is kind of like this. So if we modify the configuration and set this to true, this would eventually allow the pod to have access to the host PID and host network namespaces on the host, and then have CAP_SYS_ADMIN and, for example, CAP_NET_RAW as privileges. So you should be able to have the same privileges as you would running as root on the node. So let me just try to apply this. We are on GKE and it should be working by default. So let's see if I succeed. All right. Looks like I did something. All right. And then we can see that it was applied. So let me just try to kubectl exec into this privileged pod. All right. Looks like I got a shell. And then let's just cat /etc/passwd to make sure that I'm actually on the node. All right. So looks like I got some information. And then if I cat /etc/shadow, that should contain the users also on the node.
So let's just try to nsenter into all the namespaces. So yeah, at this point you're still within the container that's running within the pod, and we're using nsenter, or namespace enter, to look if we can go up, and the text is red, so that must mean success. Yeah. So let me look for some kind of flags around here. And now let's see if I find something by name. All right. So it looks like we got something. It looks like home car, capital F flag, is suspicious. So let's try to see what's in that picture file. So I will just try to cat it. All right. For me it looks like a base64 string. So let me just try to decode it. It points to a Google Drive. So let me just try to open it and then see what we get. Oh no. You got the short straw of borrowing my machine today. Do you wanna have it? No. I will be fine. Let's try again. Hopefully it will work. And then in a couple of seconds you should see, well, we got the second flag today. So these are basically Ford cars, and Ford cars were produced in Detroit after the Second World War. So okay. So let's just check out what kind of other containers are running on the node. So I will use crictl for this. And then it looks like we got a lot of Kubernetes and GKE related containers. And then what's interesting, we got boombox and beep beep. So I will just start with beep beep and I will check what it's doing. So let me just inspect this container. Let's try it again. No, no. Turn on. Yeah. Let me try it again. All right. So we got some information. So if we just try to look for some log files, that could be a good starting point. So we can go up to the bottom and then we can see that it's actually writing the log file that we will find in a moment. Okay. So it's writing to /var/log/pods. Intersection is actually the namespace where the pod is running, and then the beep beep file.log.
So I can just try to inspect what this log file looks like and what information we are getting there. So I can just try to tail it. All right. So it's looking like some traffic lights: green, yellow, red, green, yellow, red, green, yellow, red. So this is managing the traffic lights for the city of Detroit right now. So we got some congestion. And at this point, if I'm going after this company, I might want to disrupt their services, because if it disrupts their services then it's a public image issue, it's a public issue. So how am I going to disrupt this? Let me just try to stop this pod and then see what we get. Okay. So I need the container ID again, which I will be getting from here again. All right. So it looks like I stopped it. So let me just try to inspect the log file again and see what we got here. All right. So it looks like we got another flag, which is actually an AWS secret access key, and it says Dodge Viper. So what is Dodge Viper? Dodge Viper, according to Wikipedia, is the most successful car to come from Detroit. I don't know if that's true or not. I haven't seen any Dodge Viper since I've been out, I wouldn't actually know. All right. So we got another container up and running, and I will just pass it to Lewis to see and figure out what can be the flag over there. Thank you, Natalia. So yeah, with that polyvia attack, so we knew that we had something called Beep Beep from our open source intelligence, after the press releases that we had from Fubar, and the other one was Boombox. So let's get started with this. Okay. So if I do crictl ps, and then I'm going to grep that for boom. So I've got the ID here. Now one of the things about the CTF which we're hoping that people take away from it is that we've gone from being outside of this company to just having a username and password. We managed to find that config and we got into the company.
We got into a container, but we saw RBAC was misconfigured, so we were able to run something that we shouldn't run. And we've gone from being in a container to now the root system, on to the VM as a root user. Because we're root, and containers, containers are just processes. Well, that's a very TL;DR. But because they're processes and we're root, we can view what's going on in there. So if I go to crictl, or CRI control, however you want to call it, inspect, and I'm going to inspect C4E, and I'm going to grep for PID. So I've got the process ID. So with namespace isolation that we have in place with containers, on the VM itself, it sees a process ID as 1-664-555. Inside the container it sees process ID 1. Now this is built... So let's get some more information with it as well. So if I go into /proc and then if I go into the directory 1-66, I did 4-66, that's probably not a good omen when you've given a demo to do three... Well, let's see. The number of the demo gods. So if I look here, I've got a bit of information about this process. So if I cat this out, if I cat out cmdline... Sorry for the cough. I can see whether it's running a ko or ko-app. ko is... ko, you can use it with your containers. If you're building Go code, you can use ko to build a container for you and put best practices in place. So already I know that it's not going to have bash or a shell in there. I'm not going to be able to exec into that one. If I cat out the environment variables, so... So if I cat out environ, then these are the environment variables that I can see within the container itself. Just hide that from you and show it again. So running in Kubernetes, Kubernetes injects some environment variables in. And one of the things that's been injected in is the Napster port. So what is Napster port? Thank you ever so much for asking. So let's go and find it. Here we go. Let's try to curl it. Like, what is it doing? Apparently I was going to open a dictionary. Cool.
So I'm just going to get this all set up. So I come from a place called Cardiff in Wales. We've been working on this idea for a while, and this is ultimately where it got to. So I'm going to run this command. So we're going to do a watch. We're going to curl -s. And then I've got the IP, and I can use this IP because this cluster is using iptables, and so it's available on the host. Hopefully we're all in. If you could just read out what you see, that'd be great. Just because you're probably going to need a little bit of time to review it. Let's just change the watch to two. I think it would be two by default. Ready? Okay, let's go. Oh, God, that big set-up and I can't even spell watch. Well, that's a bad Sonic moment. Look, if you had one shot, or one opportunity, just so you can read out at the back: yo, his palms are sweaty, knees weak, arms are heavy. So if you're going to fly me into Detroit, I'm going to bring these lyrics to you. So if you remember, that's because Boombox is the lyrics. It's providing you lyrics as a passenger so you can sing along to your favourite songs. But let's just go a little bit further in here, because we haven't found the flag yet. So if you go back to the environment variables, I'm using ko. ko, if there's any state within the container, it puts it into a place which we can also see within here, which is /var/run/ko. So if I cd into root, so you can see by my directory now, I'm sorry for the noise on the screen, but we've got /proc/[process ID]/root. So if I go cd /var/run/ko and I do an ls, I've got, I know because of the colour, that's a directory, and so I'm going to do cat. So his palms are sweaty, knees weak, arms are heavy, and there's vomit on his sweater already, mum's spaghetti, and if I hit enter, then I see that the flag is Lose Yourself. So remote work is great, but it does get lonely at times. So what have we done there? There's a picture of a car. So we've done a few things. We've compromised our GitLab.
To do that, we had to pay someone $10,000. But then we found credentials that were committed by accident. Those credentials could have been scrubbed, but because Git's a Merkle tree, it wasn't scrubbed until we were able to go back and find it. We connected to a cluster with those credentials and then we checked the role-based access control. We created a new pod with additional capabilities and utilities, became root on the VM, found flags on the VM, and we had a great time. So from our talk as well, these are some of the resources that either helped us out, run these events, or gave us inspiration for these events and what we've taken from it. And to that, here's our statement build of Twitter accounts. So in here, these are the people that inspired us to be able to do this. As well as that, we've made this repo available. So the whole purpose of this was to create a brown-bag exercise for people to take away from this conference, so that when you go back to your office, if you have to give a talk, it's not much fun having to try and build something out of nothing. It took us a while to get that done. So there's access to the Git repo. It's kind of in a stable-ish state at this moment. There's going to be a little bit more love going in there. But there's resources in there as well, so that it's a basis of saying, well, this is how to attack it, but also this is how you can defend it as well. So we didn't want to talk too much about where we work, but there's things that we could play. So from Isovalent, you could use Tetragon to be able to monitor things that were going on. Yeah, for sure. And then from Chainguard. Yeah, so we actually use a bit of Chainguard in this. So we're using Chainguard images just to remove a lot of bulk out of our containers, so we can just spin up shells and such in there. And also behind the scenes we're using Enforce on this.
So Enforce would have prevented us from putting the container that we used, in privileged, into that box, and it would have also told us everything that we had running in there. So to that, there's our QR code. So we would appreciate feedback. Please be constructive with your feedback. It would be much appreciated. But to that, if you do have any questions, we'll be here for them. Otherwise, thank you for your day, and hope you enjoy the rest of the conference. We got a question there. Oh, I don't think it was a question. Let's find out what's going to happen to unlock the basis for it.

Thank you, that was really fun and entertaining and super interesting. Can you do a follow-up presentation next year where you defend from an attack?

Yeah, so just to repeat: can we do a follow-up and defend the attack? Well, actually, that's what we want to do with this repo, in that we want to put the defences in place. And like I said from the start of it, this isn't a bit, so Natalia's been amazing to work with, and I think I might say that I've been all right at times. But in making it available to everyone, then it's the case of we'll put what we perceive to be ways that we can defend this, but equally, we're open to other people to say, actually, this would be a better way to defend, and to say that as well to attack, because there's so many different routes to attack. And I think it's a perspective of it. It's what you see, and that's what we try to explain with this talk, in that the ability that you have is who you are; you see different things differently to how I see them. And so if you can share how you might have done something differently there, then I get to learn from that, and then that helps me to defend. And again, the purpose of this talk is to help upskill everyone. Also just on another note, we have a tool, it's called that everyone is going to be or it was as already.
So you could see all the events that happened already in the cluster, and maybe I wanted to show it in this presentation, but maybe it would have been too much to see all the observability events, but you could use that, for example, to actually prevent attacks. Any more questions? I think that's good. It's tough for you, because if you've got to walk from there to there, that's going to be a tough day. Shout out to 8 Mile. Thank you.

In your last slide, you had a SIFT SPD experiment. Yes. Do you have a flavour for a cycle of the ex of it?

Yeah, so this is about Easter eggs with CTFs. So if you didn't notice through the talk, the title for each slide is a different command that we could have used. So like which sonic, and grep tmpfs, and which, and htop, and yeah, chmod +x, and I don't know why I'm chmodding +x; it was a late night, but yeah. But again, this is what it's about. For us, I feel, it is that consuming this material... Has anyone been on a security course on the first day in the job, and then does it go from being like, great, I'm starting a new job, to oh my God, I've got to get through the next three hours of these security videos? It's our consumption of it. So back to Sonic. When I played Sonic as a kid, it was left to right. And then when you completed the game, you became Super Sonic, which meant you could go left, right and up as well. And then you get to go to new areas. And that's, for me, what CTFs are again. So it's the case of you go back, you upskill, it gives you that validation: today I've improved, but then you can also see different routes and entries. I hope that kind of answers it.
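A defender-side check for the pod settings the walkthrough toggled (privileged, hostPID, hostNetwork, plus the capabilities and hostPath mounts that give the same node access), written as an added example that is not code from the talk or the Fubar repo. It assumes the JSON shape that `kubectl get pod -o json` and `kubectl get pods -A -o json` produce; the three sample pods (as found, rewritten, hardened) are constructed here, not the repo's manifests.

```python
"""Audit pod specs for host-escape settings. Added example, not the talk's code;
works on the JSON that `kubectl get pod -o json` / `kubectl get pods -A -o json` emit."""
import json
from typing import Dict, List, Tuple

# Capabilities that, once added, are roughly equivalent to root on the node.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "NET_RAW"}

Finding = Tuple[str, str]  # (severity, message); severity is "critical" or "warning"


def audit_pod(pod: Dict) -> List[Finding]:
    """Return findings for one pod. "critical" marks settings that let a process in
    the container reach the node (privileged + hostPID is what made nsenter work)."""
    findings: List[Finding] = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # Pod-level namespace sharing; hostPID is what lets nsenter reach the host.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("critical", f"{name}: spec.{flag}=true"))

    # hostPath volumes expose the node filesystem even without privileged=true.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(("critical", f"{name}: volume {vol.get('name')} is hostPath {vol['hostPath'].get('path')}"))

    pod_sc = spec.get("securityContext") or {}
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            cname = f"{name}/{c.get('name', '?')}"
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                findings.append(("critical", f"{cname}: privileged=true"))
            added = set((sc.get("capabilities") or {}).get("add", []))
            for cap in sorted(added & DANGEROUS_CAPS):
                findings.append(("critical", f"{cname}: adds CAP_{cap}"))
            # Hardening the as-found pod also lacked; absence is only a warning.
            if sc.get("allowPrivilegeEscalation", True):
                findings.append(("warning", f"{cname}: allowPrivilegeEscalation is not false"))
            if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
                findings.append(("warning", f"{cname}: runAsNonRoot is not set"))
    return findings


def node_escape_risk(pod: Dict) -> bool:
    """True when any critical finding exists for the pod."""
    return any(sev == "critical" for sev, _ in audit_pod(pod))


def audit_kubectl_json(text: str) -> Dict[str, List[Finding]]:
    """Audit a single Pod or a `kind: List` document, keyed by namespace/name."""
    doc = json.loads(text)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    report = {}
    for pod in items:
        meta = pod.get("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
        report[key] = audit_pod(pod)
    return report


def _pod(name: str, spec: Dict) -> Dict:
    return {"kind": "Pod", "metadata": {"name": name, "namespace": "default"}, "spec": spec}

# Constructed samples (not the repo's manifests): the pod as found, the attacker's
# rewrite with privileged/hostPID/hostNetwork, and a hardened version.
AS_FOUND = _pod("home", {"containers": [{"name": "nginx", "image": "nginx"}]})
REWRITTEN = _pod("home", {"hostPID": True, "hostNetwork": True, "containers": [
    {"name": "nginx", "image": "nginx", "securityContext": {"privileged": True}}]})
HARDENED = _pod("home-hardened", {"securityContext": {"runAsNonRoot": True}, "containers": [
    {"name": "nginx", "image": "nginx", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]})
SAMPLE_LIST_JSON = json.dumps({"kind": "List", "items": [REWRITTEN, HARDENED]})

if __name__ == "__main__":
    for key, findings in audit_kubectl_json(SAMPLE_LIST_JSON).items():
        print(key, "escape risk:", any(s == "critical" for s, _ in findings))
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Piping real cluster output through `audit_kubectl_json` gives the same report Enforce or an admission policy would act on before the pod is ever scheduled.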