Thank you. So, hi everyone. Tonight, Stefan and I are going to talk about how to organize a CTF. We'll start with a short intro about what a CTF is and why you should organize one yourself. Then we're going to talk about what kinds of CTF exist and where the differences are. Then we'll go into the things you need, the things you should do and the things you probably shouldn't do during the organization. So it's basically lessons learned from us. And finally, there will be a Q&A session where you can ask your own questions.

Okay, let's start. First, a short introduction about who we are. Stefan and I are members of the Square Roots, which is the official CTF team of the University of Mannheim. We as a group started participating in CTFs around 2006. Right now, we organize two public CTFs, and we also organize a workshop each year where we have two new CTFs. So we want to teach new interested students about the topic, and for that we organize a new CTF.

You might wonder about the name Square Roots. The name basically comes from the city we come from, Mannheim. It's also called Quadratestadt in German, so Square City. So we took the square, and then we took the root from Linux. You probably know what root is, or the process of rooting. If you mix them together, you have Square Roots.

So, what is a CTF? CTF stands for Capture the Flag, and it's basically an information security competition. The goal is to get as many flags as possible. Flags are just a sort of string, which you can see here. You get them for solving challenges, and you can redeem them at the game server for points for your team. So basically, the goal is to get as many flags as possible and thereby as many points as possible.

Talking about CTFs, there are three big kinds of CTF: challenge-based, server-based and mixed. The challenge-based CTF usually contains challenges from all over infosec.
So you have reversing challenges where you have, for example, to reverse engineer a key generation algorithm. You have trivia challenges where you have to find things on the Internet; for example, a recent challenge was to find the account number of the bad guy from the Hackers movie. You have crypto challenges where you have to break crypto algorithms, and programming challenges where you have to write a program, so you have to code something that solves a task, and so on. Just like I said before, each solved challenge gives you a flag. Basically, you have those different categories, and you just solve them on your own or in a team. Challenge-based CTFs usually take several days. Some big examples are DEF CON CTF, which is one of the world's most famous CTFs, I think, or PlaidCTF. When you participate in a CTF, the scoreboard usually looks like this: you have those different categories and you have challenges, and the more difficult the challenges are, the more points you get.

Then there are the server-based CTFs, where the basic principle is that you have to fight the other teams and at the same time protect your own team, or your infrastructure. Basically, it works like this: you have a network, and either you are physically on site or you participate over VPN. Each team has the same VM image, and so also the same vulnerabilities and so on. Then you try to find the vulnerabilities in your own image, write exploits and exploit the other teams. This usually takes some hours, because you have to be at the event all the time. It would be bad if you said, for example, "I'll go sleep for some hours", because then you would lose a lot of time. Some big examples here are RuCTF and iCTF. I have another overview to show you how it works in detail. So you have those different teams; assume you are team one.
During the CTF, the game server starts submitting team-specific and server-specific flags. So the game server pushes those flags, those strings, into each of the vulnerable boxes. It does this by methods which are programmed into the challenges. For example, if you have a vulnerable service like a web application where users can send messages, and the vulnerability would be, for example, SQL injection, then the game server could push flags by just simulating a user sending some messages to other users. So you have the flags on all of those machines, and you go to your own VM, look at it, find the vulnerabilities, fix them in your own system, write exploits, get the flags from all the other systems, and then you submit them to the game server and get points.

This is a scoreboard from one of our recent CTFs. You can see there are different teams, there are offensive points, which you get for attacking other teams, and there are defensive points, which you get, for example, for fixing a service. Then you also have a per-service status overview, because when the game server pushes the flags, it also checks if the service is intact, if it works, if it behaves as it should. If it doesn't, you might also get some points subtracted, because otherwise you could just stop your service and then nobody could attack you, but on the other side this would be very unfair for the other teams, so this is punished by subtracting points from you.

The last category is the mixed CTF, where you usually have a central infrastructure. Usually they are on site, so you meet with all of the teams in one big area, and then you get access to an unknown network and you have to find your way through the network, so nmap is your friend.
What you usually do first is scan, check what services are running, and for example the second round could be that you have to solve a forensic challenge or something like that. Usually the third round is something like a king-of-the-hill challenge, where you have to get access to one server and have to defend your root shell from the other teams, because all teams are going to try to get access to this one server, and if you have root access you have to defend it so that no other team can gain root privileges as well. One example of this kind of CTF is the PacketWars CTF.

Okay, now you all know what a CTF is, and now Stefan will continue, telling you why you should organize a CTF and some other details.

Yes, so that's the main content of our presentation today: why should you organize a CTF in the first place and not just take part in one? The idea is to implement your own ideas you may have for challenges. That was, I think, the main drive we had for our first own CTF, because we had played so many CTFs that we had a good idea of how a CTF should look and what to do, so we just tried that. Also, it gains you a lot of knowledge about how CTFs work, what's really behind them. Also, you can challenge yourself to really do something that big, to get it running and keep it good for all the players, and that's a very good incentive. Also, you can improve communication and collaboration with other teams. The idea behind this is that there are not that many CTF teams out there, and you probably get many of them to take part in your CTF, and that really connects you with them. So we had many teams come to us and say, "Nice, you also did one", and also give input on what we should do better and what was good, and that kind of stuff.
Also, it's really important to contribute back to the community. We did our CTFs at the Gulaschprogrammiernacht in Karlsruhe, and we think it's a really, really good addition to such a venue to have a CTF there. People really enjoyed it; that's really cool stuff. And also it's fun. It's fun to do it. It's a lot of work, but it's fun nonetheless.

So what goes into a CTF? First of all, commitment and time. Making a CTF really takes time, and it really takes commitment to get stuff done, to keep the ball rolling and to look into all the little stuff you have to handle. Obviously you have to make challenges, because that's the main idea of playing a CTF: doing its challenges. You have to have a workforce, people that do stuff; you probably don't want to do that alone. Also, you have to have infrastructure, like a scoreboard where players can see what their score is and how they compare to the other teams. You have to have servers where all the challenges run on, and you have network stuff to do.

To get more specific about that point, you want your challenges to be versatile. We had people approaching us after our first two CTFs. The first one was a challenge-based CTF and the second one was a server-based CTF, and they really said, "We didn't like the server-based one, because the kind of challenges there were not that cool, and I'm not interested in that stuff." You can really understand that, and you should be as versatile as possible to get as many people to join you as possible. Also, you want to be unpredictable. As an experienced CTF player, I can really tell you: if you have multiple challenges and there's a scheme behind them that you can repeat to solve the challenges, that's not something you want to have. You want to surprise the players; you want your players to really get into stuff, and not be obvious about the solution.
You want to be precise in how you present a challenge. You really want to tell the players how they should approach the challenge, what the target is and what is not. Your infrastructure, for example, is probably not: DDoSing your infrastructure is not the challenge. You want to have rules and enforce them. That's also very important, because there is some stuff that players can do, and probably will do if you do not say they shouldn't, because they can, and they like to DDoS your servers, or they will delete flags from other teams. We also had that, and that's really not cool; that reduces the fun for everyone. You should also enforce the rules by checking the network and so on.

Infrastructure: no CTF without infrastructure. You have to keep in mind your network is attacked, or the attacks come from within your network, so you should really expect the unexpected. You really should think about what an attacker can do and probably will do. You probably get that experience if you have played some CTFs yourself; you learn how to think like an attacker. And you really want to contain the attacks, so if somebody breaks your servers, like they should do, and they have a shell or something, you don't want them to have real network access or to drop their zero-days to get root access and stuff. So keep your stuff patched.

Scoreboards: the real idea behind CTFs is to have a competition between teams and players, and you really want to do that with a scoreboard, a list with all the teams and how many points they have, so they can see how good they are and how they are progressing with their points. There's a prepared server for that called CTFd that you can use for Jeopardy-style CTFs; you only have to implement your challenges and you're ready. Also, you want to have backup systems ready, so if something breaks, and stuff will break, you can switch quickly.

Some quick dos and don'ts. You want to start early, because, as I said, it's really a lot of work to do, and
it takes planning and preparation and stuff. And you want to speak with your local on-site org if you are doing an on-site CTF, so they provide you with network and power and so on, and everything is ready when you start and you don't have to care about that yourself.

The schedule typically looks like this. The planning phase starts like six months before the actual date: think about challenges, implement stuff and build infrastructure. Then you have a final test of the setup. That's very important, because most of the time stuff doesn't work the first time. Then, for a server-based CTF, there's a team test of the network going on. So if teams are using VPNs to dial in to you, you want to test that before, so you have a debug VM ready for them to test just connecting to your network, so that everybody knows the network is correct and everything is ready, and you can really concentrate on the CTF and not care about infrastructure.

Keep it simple. Debugging is much easier if stuff is simple. We had incidents: with our CTFs we used new technology and based everything on that, and as it turns out the Docker we used was not as stable as we thought, and the server broke down within minutes, and we had to change the setup while everything was running. That's a whole mess; you don't want to do that. Also, multi-stage challenges can be frustrating. The simple idea in this regard is: keep the challenges simple. You want people to do the challenge and not have to figure out every time what to do. Just keep it simple; make a single stage, so no connection like "I found that solution and now I need to use it to do another challenge with it."

Organize the team. As I said, it takes a lot of time; you want to have a team and you want to have it organized. That's maybe obvious, but that's something you should really think about when you start planning stuff. And you want to have people at the site when the CTF
is running, because if something breaks down, you don't want to have just one guy working on it while everything else is unprotected.

Test, test, test. That's very important. You want to check your challenges for vulnerabilities, meaning vulnerabilities other than the challenge itself. We had it several times that there was another vulnerability in the server or something that's not part of the challenge, but people would try to abuse that stuff, so you really want to check for that and see that it's fixed. You want to have somebody else run through your challenges. You as the developer have another view on it: you created the challenge, you know what you have to do to get the flag, but you want to have someone else, not taking part in the organization, test the challenge. Also test the setup; stuff will break down, and you should really think like an attacker in this regard.

Refrain from last-second challenges. The thing is, if, a day before or hours before the CTF is starting, you think, "Oh, I have another idea, I want to implement that", that really doesn't work out most of the time. Your stuff is probably not tested, and most probably your team does not know about the changes, so when something breaks down and has to be fixed and not everybody knows about the changes you made, you have a real problem getting stuff ready again.

The last point is getting publicity. If you do a CTF, that's really only cool if you have enough players taking part, so spread the word among other teams. Most teams really like to take part in other teams' CTFs, so that's really cool. There's a site where you can post your CTF, and everybody who's doing CTFs knows that site, and they really check in often with that site to see if there are new announcements. And on site you maybe want to get attention with talks or something, because if you do a Jeopardy-style CTF or something, there are really many players that just don't know about it at first but get in at the last
second.

As a really last point, a small reminder: we have a CTF here at the camp, and that's organized by StratumAuhuur, another really famous CTF team. It just started, I think, at about 6 o'clock, and it's really for beginners, so if you liked what you just heard, you really want to look into that. Yeah, that was it. We are ready for questions.

We now have about 7 minutes for questions. There's one mic over there and one mic over there, so just queue at the mics if you want to ask a question. I'll just talk to you and then you can speak. Anybody? This one to the right.

Thanks for the talk and the inspiration. I have a question on toolsets or frameworks that might be available to assist in the creation of a CTF. You mentioned the scoreboard kind of thing; are there other tools for rolling out the tokens etc. that might help in creating something like that?

Well, most of the time stuff is really home-grown, so teams create their stuff themselves most of the time, and that's the only available technology that we know about for you. I think I heard about another tool, I'm not sure about the name, I just read about it, which is especially for server-based CTFs. They use technologies like VirtualBox, and you have your challenges, or your file system layout for the VM, for the VirtualBox VM that the participant gets, and with one click you can generate all participant VMs, and it will automatically create a unique team VirtualBox VM, inject VPN credentials and all this kind of stuff. But I'm not sure about the name anymore, unfortunately.

Thank you. Left, please.

A semi-answer to the previous question: Legitimate Business Syndicate open-sourced their previous CTF tools. But the actual question: what's your favorite category of CTF challenges, either to solve or to build?

Well, I think everybody has his personal preference. I like programming stuff, because I tend to have less time for programming myself, so that's really something I'd like to do. My personal favorite category is web,
probably because in general I'm more the member of the CTF team who is web-focused. But yeah, just like Stefan said, I think everyone in our team has his favorite category.

Just curious. Thank you.

You're welcome. Is that a question?

Yes, it is. What's the size of a CTF team? So how many people are in a normal team?

Well, that tends to vary, also depending on whether you're doing a challenge-based or a server-based CTF and how well organized you are. Our team, for example, is like 20 players at max for the really good CTFs, but can go down to like 5 people, or even 3 for smaller ones. Also, I know of people who are alone, taking part alone, and are really successful with that. But yeah, just another point: like Stefan said, it depends on server-based and challenge-based. How it is for us: nowadays server-based CTFs are very rare, but when there is a server-based CTF, usually our computer lab at the university is full with 20 to 30 people. Otherwise, the challenge-based CTFs aren't so populated, maybe also because they happen very often. Yeah, left mic, please.

This is another answer to the question before about what resources there are. The one you may have been thinking of is CTFd, which is described as "CTF in a can". Just check it out: ctfd.io. It gives you all the infrastructure and resources. The question I have is: what's the first flag for the camp CTF?

Sorry?

The flag for the camp CTF. Can you tell us the answer?

No, probably we shouldn't do that, because it would destroy the fun for all of us.

No, it's okay. Thank you. Nice try.

I'm actually interested in creating CTFs for people who are interested in beginning their journey with technology and may not have really in-depth knowledge of some of the tech that they're using right now. Do you have any suggestions for how to limit the focus of your challenges around that sort of goal?
Well, most of the time the trivia challenges are really for people not that much into the technology stuff, but it really depends on what you want to achieve. There are possible challenges for every level of progression into that stuff.

Okay, now we are almost out of time. Is there one last question? Okay, go ahead.

You told us that there is only a little software for creating CTFs, and you told us that you have a bunch of software on your computers. Did you think of releasing it?

Well, I know of teams that do open-source their stuff; that's really cool, but most of the time it's not ready for use, so that you can just take it and do your CTF, or use it in taking part in a CTF, or for your own stuff. The thing is, if you are doing a server-based CTF, your chance of success really depends on how much infrastructure and code you have at hand to do that. You can imagine that it's unfortunate: we can't open-source our stuff, because other teams would tend to use it, and that would probably limit our success in CTFs.

I was only talking about the scripts to create CTFs.

I think we started to open-source the challenges we had, and something about the infrastructure to deploy it. Some teams do that, some organizers do that, but it's not really ready for use, because our time is limited and commitment tends to go down after the CTF, so nobody likes to clean up the code and stuff. If you are interested, for example, in our challenges, just go to our GitHub page and look up our first CTF, for example, and then you find all the server-side source code.

Okay, please thank our speakers once again.
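The server-based scoring loop the speakers describe (the game server pushing team- and service-specific flags each round, teams redeeming stolen flags for offensive points, a checker that verifies each service still works and subtracts points when it is stopped, and defensive points) is small enough to model end to end. The following is an added example written for this transcript, not code from the talk or from the Square Roots team. It assumes three things the talk does not specify: flags are derived with an HMAC over team, service and round under a server-side secret (so the game server does not need to store a flag table), a flag stays valid for three rounds, and a flag that expires without being stolen earns its owner one defensive point (the talk only mentions defensive points "for example, for fixing a service").

```python
"""
Toy attack-defense game server (constructed example, not the Square Roots'
own code). Each round it pushes one flag per team and service, accepts flag
submissions with the usual checks (not your own flag, not expired, not
submitted twice), runs an availability check that subtracts points for a
service that is down, and awards a defensive point when a flag expires
without having been stolen (an assumed rule).
"""
import hashlib
import hmac

# Assumptions for this example: a server-side secret so flags can be derived
# instead of stored, and a flag lifetime of three rounds.
GAME_SECRET = b"constructed-secret-do-not-reuse"
FLAG_LIFETIME = 3  # rounds during which a flag may still be submitted


def make_flag(team, service, rnd):
    """Team- and service-specific flag for one round: FLAG{<16 hex chars>}."""
    msg = f"{team}:{service}:{rnd}".encode()
    mac = hmac.new(GAME_SECRET, msg, hashlib.sha256).hexdigest()[:16]
    return f"FLAG{{{mac}}}"


class GameServer:
    def __init__(self, teams, services):
        self.teams = list(teams)
        self.services = list(services)
        self.round = 0
        self.issued = {}       # flag -> (owner, service, round it was pushed)
        self.stolen = set()    # flags captured by at least one other team
        self.captured = set()  # (submitter, flag) pairs, blocks double submission
        self.offense = {t: 0 for t in self.teams}
        self.defense = {t: 0 for t in self.teams}
        self.sla = {t: 0 for t in self.teams}

    def next_round(self, service_up):
        """Start a round. service_up(team, service, round) plays the checker."""
        self.round += 1
        # Flags pushed FLAG_LIFETIME rounds ago expire now; if nobody stole
        # one, its owner defended that service for the flag's whole lifetime.
        for flag, (owner, _service, rnd) in self.issued.items():
            if rnd == self.round - FLAG_LIFETIME and flag not in self.stolen:
                self.defense[owner] += 1
        # Push fresh flags. A real checker would plant them through the
        # service itself (e.g. by posting a message); here we only record them.
        for team in self.teams:
            for service in self.services:
                flag = make_flag(team, service, self.round)
                self.issued[flag] = (team, service, self.round)
        # Availability check: a service that is down (or simply switched off
        # so that nobody can attack it) costs its team a point.
        for team in self.teams:
            for service in self.services:
                if not service_up(team, service, self.round):
                    self.sla[team] -= 1

    def submit(self, submitter, flag):
        """Redeem one flag; returns 'accepted' or the reason for rejection."""
        meta = self.issued.get(flag)
        if meta is None:
            return "invalid"
        owner, _service, rnd = meta
        if owner == submitter:
            return "own flag"
        if self.round - rnd >= FLAG_LIFETIME:
            return "expired"
        if (submitter, flag) in self.captured:
            return "already submitted"
        self.captured.add((submitter, flag))
        self.stolen.add(flag)
        self.offense[submitter] += 1
        return "accepted"

    def scoreboard(self):
        """Per-team offensive, defensive and availability points plus total."""
        board = {}
        for t in self.teams:
            board[t] = {"offense": self.offense[t], "defense": self.defense[t],
                        "sla": self.sla[t],
                        "total": self.offense[t] + self.defense[t] + self.sla[t]}
        return board


if __name__ == "__main__":
    # Constructed scenario: three teams, two vulnerable services.
    gs = GameServer(["A", "B", "C"], ["msgboard", "notes"])
    gs.next_round(lambda t, s, r: True)                  # round 1, all services up
    stolen = make_flag("B", "msgboard", 1)               # A exploited B's msgboard
    print("A submits B's flag:", gs.submit("A", stolen))
    print("A submits it again:", gs.submit("A", stolen))
    print("B submits own flag:", gs.submit("B", stolen))
    gs.next_round(lambda t, s, r: not (t == "C" and s == "notes"))  # C's notes down
    gs.next_round(lambda t, s, r: True)
    gs.next_round(lambda t, s, r: True)                  # round-1 flags expire here
    print("A submits an old flag:", gs.submit("A", make_flag("C", "notes", 1)))
    for team, row in sorted(gs.scoreboard().items(), key=lambda kv: -kv[1]["total"]):
        print(team, row)
```

The checker callback is where the "per-service status" the talk mentions comes from: a team that shuts a service down to avoid being exploited keeps its flags but loses an availability point every round, which is the trade-off the speakers describe. Deriving flags with an HMAC also means a submitted string that was never issued is rejected before any database lookup.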