Hi, everybody. That was a big "all right," so let's start off with the questions; we'll get to the bio stuff later. Everyone, on three: I want to hear it yelled out. One, two, three. Thank you. Everyone ought to be getting that. So this was actually Trivia 100 from the 2006 qualifier round of Capture the Flag. They were very clever; next year's question was very difficult. We had a hard time solving this. So of course that, and then the following year, any guesses, if you didn't already know? Any guesses? "Hack blank planet." Thank you. Yes. We were all wondering next year what they would have done if they ran it this year. Kenshoto did not end up running it this year, but it would have been interesting to see.

Now, of course, the point that this does bring home: there are a lot of inside jokes. If you came across this out of the blue, it might have been a little bit more difficult, not knowing the prior history. In hindsight it's stupid easy, but it helps to be prepared. That's really what this talk is about. A lot of this is meant to be background, the inside story, the inside jokes, how it runs, what it is, so that when you're wandering through the Capture the Flag room you know what's going on, and if you want to participate, if you want to compete, hopefully we can give some hints that cover that too.

So, I'm sorry for the text. This is me and my computer at home right now; that's what I use. It's probably no surprise that I prefer Linux over Windows these days, though Steve Jobs takes more of my money. The age-old debates: I've got to go with the ever-important issue of over versus under. I'm sorry, that's the only way. Another big debate, and where I fall: I'm afraid, for the Ruby lovers out there, I just like Python. No applause, but no boos; I'll stick with that. In terms of Pepsi versus Coke, neither. I'm sorry. Thank you.

Probably more relevant to this talk, though: I'm actually a member of this team.
It's pronounced "last place." It has ridiculous etymology and meanings that we came up with after the fact, actually; we really just kind of came up with the name, I think, and tried to fit meanings to it. The team looks like this. That's me in the back; I like my anonymity, apparently. Now, in the shot that we got there are two guys not pictured. I'm going to do a brief run-through of the rest of the team members because, hey, we won a couple of years and I want to show off the guys that made my CTF experience so great.

This here is Plato, probably the first, last and only lawyer to ever win Capture the Flag, and I'm not talking about like he had a JD; this guy is a lawyer in his day job, which is pretty stinking sweet when you think about it.

Team captain Atlas: if you were here for the last talk and you heard the Kenshoto guys talking, they said Atlas was the one guy that came in as an individual, got his mind blown, came back and really learned a huge amount. I mean, four years ago he really wasn't doing the security stuff all that much, and now he's just phenomenally good. He really applied himself and threw himself into it, led this team, put this team together, built it, and then we not only had a solo win but we won two years in a row after that. This guy right here is actually in the front row, so make sure to pat him on the back on the way out. I'm borrowing his black badges up front.

Mizzendo played the network sniffer, played defense. We'll talk a little bit more about the roles later, but you'll notice that everybody out here had a specific function, and it kind of mattered. You didn't just all show up and do random stuff.

Now we've got Shrewkin, who, besides being a phenomenally good sysadmin who kept the services going, is the resident IRC troll. It's a very important role that everyone needs on their team: somebody hanging out in IRC, keeping things lively when you've been up for 48 hours straight.

Fury, or maybe his twin.
He has an evil twin acting on defense here. Doc Brown is our reverser. Actually, the nopsr.us website that the Kenshoto guys mentioned (there's a link to it later) is primarily Doc, who did a lot of the write-ups. He did a huge amount of work and put that together; he took all our team wiki and notes from a lot of the past competitions and put them up online. And then there's a guy over here who doesn't get mentioned a whole lot, also an extremely good reverser and exploiter; you really need that skill set. Pooshon isn't shown in the slides here (he was out for this particular picture) and was an ex-Marine, so besides actually being a technical guy, he was also physical security, and you should never underestimate the aspect of physical security in a Capture the Flag. And then J-Rod, also not in this picture, another good exploiter. As for me: defense, offense, reversing, I've kind of done it all, which I take to mean I'm just not very good at any of them, but they keep letting me be on the team, so I won't complain.

So, Capture the Flag itself. It's been billed as a lot of things: the ultimate hacking game, the ultimate legal hacking game, reverse engineering, exploitation. As the Kenshoto guys were up here explaining last time, this is really their response to a world of web app security. They wanted this to be binary exploitation, reverse engineering, hardcore stuff that in some ways is a hard skill set to develop these days, because a lot of the security research nowadays in the web world kind of misses out on the binary history in the background. And so they want to make this just lots and lots of binary fun. DDTEK, which is putting on the competition this year, claims that they have the same focus, and so presumably, going on right now, is the beginning of Capture the Flag for this year doing the same kind of thing: very binary-exploitation based, not a whole lot of command injection, cross-site scripting, SQL injection. I miss it, but I get made fun of for being a web weenie.

So, timeline. If you saw the last talk, there were a couple of different eras or epochs of Capture the Flag. The first five years it was put on basically by the goons, the BOFH, and there were a lot of different formats. It was really a lot of finding their place; they didn't really know what the best format or the best structure for this event was, what this thing could become. They just had a bunch of servers; you could bring your own server, you could just show up. It was very chaotic, not particularly organized. A lot of the winning tended to be winning just because you gamed the system or figured out how to maximize it, not so much because you had the best technical prowess, and so there were some attempts to fix that.

The Ghetto Hackers came along, and you'll notice (I don't know if you can even see this; the slide sucks, I'm sorry, my timeline software is not so good) that the Ghetto Hackers won towards the end, and then they came and actually put it on. This is a not uncommon theme: the people who have been winning for a little while will decide to go put it on because they think they know how to do it as well or better. So the Ghetto Hackers came along and they really made a bunch of improvements and revelations. Caezar's got a presentation you can pull up online, from Black Hat, where he spoke about how they designed it. They brought in game theory.
They brought in a lot of thought and planning and design. They introduced the idea of a qualifier round: the idea that before DEF CON, a couple of months in advance, you would have a qualifier round to figure out who the teams were, and then when people showed up, only those teams would participate in the Capture the Flag. Which is why we have the aCTF or oCTF in parallel, meant to resurrect the old-school free-for-all, anybody-can-show-up-and-join kind of thing, which has advantages in being a bit more open but is less structured, less cutthroat, probably less technically demanding. I hope none of the DC949 guys get mad at me for saying that, but I think it's probably a safe bet.

Then of course we have Kenshoto. Kenshoto has put it on the previous four years. They've really refined it. They took the architecture and the game design (again, if you saw the last presentation you heard a lot about that) and they took it to an art. This year we have DDTEK, who nobody really knows; they're still keeping mum on who they are and their history. They're obviously very familiar with Capture the Flag, but none of the major usual players that play have any idea who they are. So it's kind of interesting to see the mystery men. They swear that this weekend their identities will be revealed in some form, but we'll see how that goes.

So here's the qualifying round this year. It was June 5th, 2300 Greenwich Mean Time, and it ran straight for 48 hours. One of the differences between the qualifying round and the finals is that the qualifying round just goes straight through. So you sleep, you don't sleep; however you choose to do it, you need to be putting your points in the whole time. It is fun to watch and figure out who is in what time zone based on when they flatline: well, they were sleeping then, and they were awake then, and you can throw the teams.
Here's the top 15 teams. Depending on the year, the top seven to nine teams will make it through the qualifying round and then join last year's winners. Yep, you probably can't read the font; it's really small. Feel free to grab the slides online later. Actually, the raw data is online as well; you can go pull it up and animate the graph to your heart's content, or play with it if you like. But you'll see there's a lot of ups and downs, a lot of back and forth. There are a couple of strong players.

And so these teams: it's important to know them. It's a Sun Tzu quote; I'm sure it's relevant. It's got to be, it's a security talk, so we'll be talking about knowing our enemies. It probably says something like that, right? So those ten teams that qualified, the ten teams including last year's winners: I'm going to do a brief bio rundown, because when you walk through, you see the team name, and if you're not in the clique, if you've not been following or reading, you don't know what's going on, you don't really know who's who and what's what. And it's more entertaining to know, "ah, that team's got a vengeance against that team," and so on. So, to give you a little bit of that backstory and who's who.

We'll start with School of Root. They not only won last year, but they also won in 2004. They are incredibly good. They crushed the competition last year.
They were first place. They actually didn't have to participate in the qualifiers this year; they had a bye as the previous year's winners, chose to anyway, and at the last minute they won. It's uncertain how much they were holding back. As the previous year's winners they had an automatic bye into the finals, so they didn't have to participate, but they did, and at the very, very end they won. It was, not arrogant, but demonstrating that they could possibly have been ahead earlier, but they chose not to. They didn't want to impact the qualifying round, because the winner of the qualifying round gets to choose the next question. So if somebody who's already got a bye gets a question right before anybody else does, they would impact the game. And so it's the sporting, gentlemanly thing to do, if you have the bye, to not influence the game. And they were very good at that, until the last few minutes of the game when they solved the one that nobody had solved, just to show that they were that much ahead. So it'll be interesting to see how far ahead they are.

They're led by Chris Eagle, who you heard about earlier in the other talk, if you were here. What did I put? Binary ninja and pirate rolled into one. He's just wicked good. They came up with that interpreted machine: their own brand-new virtual machine that he reversed in a weekend and wrote an interpreter for. It's just mind-boggling how good he is; it's scary. Yeah, he's extremely good. He leads a great team, and then John Boss is the other team captain of School of Root, who heads up the organizational side of it, because, as we get into it, the roles really matter. You need not just good technical people but good organizational people; you need the other stuff.

Chris Eagle also released something last year just after Capture the Flag was over (and he had crushed everyone, finishing, I might add, with Guitar Hero at the end; they were showing off, they were that far ahead). They told everyone they didn't want to appear direct, but they were a little bit ahead so they could take the time off. It was a pretty good move for somebody so far ahead. But after CTF was over, he released CollabREate, a really cool IDA plug-in, as a result of the need for doing collaborative reverse engineering. So this is some product that's come out of basically his experience. And he also wrote a book that went along with the software. So Capture the Flag has sort of made a difference beyond just this fun little game.

Then Team Awesome, second place in the qualifiers, mostly first-timers. I know a couple of guys on the team. It'll be interesting: they led the entire qualifiers until the very end, so the question is how much was School of Root letting them, and how much were they not? It'll also be interesting to see because they did well in the qualifiers, but teams in the past that have done well in the qualifiers have not done well in the finals. So watch the score. It'll be interesting to see if these top teams in the qualifiers are also the top teams as you go through Capture the Flag.

Sexy Pandas have been around for a while. They're also known as the Pandas with Gambas, Osu Tatake Sexy Pandas, Wooby Wooby Pandas, Sexy Pondas, and then the Latin name for a panda, which I'm not going to bother trying to pronounce. Not only are Sexy Pandas, as you can see, very sexy pandas, they have done extremely well. They participate in a lot of international CTFs. They're mostly Spanish-speaking gents, and most of these folks we kind of know; you get to see them every year. And they do extremely well. They tend to have a strong start and then die off, but if they can keep their level of scoring up, they will be extremely dangerous. And they were in third place again in the finals.

So PLUS is actually one of many Republic of Korea teams.
There are a lot of South Koreans that have been showing up in Capture the Flag just the last couple of years, doing extremely well. I think there are at least four teams that are either entirely or partially made up of folks from South Korea, so there's a very strong showing. I think they play StarCraft like an Olympic sport over there, so my guess is that may have something to do with it. It sounds like a pretty cool place for a bunch of hackers. Primarily undergraduates from the university; again, they were fourth in Capture the Flag.

Shellphish has been around forever: University of California Santa Barbara. These guys are led by Giovanni Vigna, and they put on their own Capture the Flag called the iCTF, which is a lot of fun. It's a great Capture the Flag to participate in; you can do it remotely. It's primarily for academic groups, but others can usually participate. They won in 2005 and have been around a lot of the qualifiers. Extremely good, very, very nice folks.

Song of Freedom: another one of the Korean teams, a little bit quieter. Don't know much about them. When asked for any kind of logo or bio, their response was "no comment," so it's not at all surprising that folks like their privacy.

Lollersk8ters Dropping from Roflcopters: these guys, aside from the awesome name... but you like my logo? I made that. Now here's the cool part. That made the two hours that it took to do that worth it.
Thank you. Except Keynote can't loop, so otherwise you would be continuously falling and coming back. They have a much cooler logo on their shirts if you go by nowadays; I wish they had given that to me so I didn't have to make this. But they were really interesting because back in 2007 three guys from this team put together a team to do the qualifiers and just blew everybody away in the qualifiers, which is really pretty impressive, not only because the qualifiers are 48 hours straight but because they have a widely diverse set of challenges. So to have just a small team do so well is extremely impressive. And again, they're here in the finals now, so we'll see how they do. They've also picked up a couple of members.

And I think, if you know these guys, are friends of theirs, or are interested in a slot: every now and then teams are willing to pick up ronin and have them join their team if they're under eight people, which is usually the table limit. So if you really are polite and careful and can demonstrate your skills somewhere, you might consider asking. I make no guarantees or promises. Most folks tend to keep their teams the way they want them, because you have no idea if it's a spy from another team or not when they come and ask to join you.

So the Routards are a French-speaking team, originally just all French; they're now French-speaking. I'm not even going to try to read the names; it would not be pleasant. But Hanzo's the team captain, and again they have the distinguished honor of having been in the finals the last three years in a row, the only other two teams to do that being the Pandas and School of Root. So again, they're very commonly here and very skilled.

WOWHACKER have been around for a couple of years, another one of the Korean teams, and that's about all I know about them.

SAPHEADS showed up at the last minute this year.
They made it because of a couple of the teams dropping out, and they're a group, a combination of a couple of other groups that I'm not going to read (it'll be in the slide notes if you want that), that kind of joined together, some friends online from all over the place. It's great to see a lot of internationally mixed teams, not just folks that you know or friends locally; a couple of these teams really draw from all over the place. They are also behind a really, really awesome write-up, probably the best Capture the Flag write-up ever, that came out this year. It's a comic-book-style write-up explaining how they solved one of these binary challenges, and it was a lot of fun. It's linked to in the slide notes; you can pull that up.

All right, I've talked enough. Let's go back to a challenge. This one, I'm going to warn you, is a little bit more difficult. That said, the rewards are that much greater. I have a Frisbee valued at far, far under a thousand dollars, much closer to a dollar at Target, but I'm not saying. If you can't see it in the back, it's the skull and crossbones with heart-shaped eyes. It's very sweet. That goes to whoever can answer the next question. So take your time. If you've already seen this, please don't answer; you're on your honor here. It's no fun if you've already seen it. Anybody got any ideas? We'll kind of talk through it a little bit.

So, x86 EB FE. Oh, we've got a possible answer. Your answer was "beef." Always a safe bet; incorrect in this case, however, specifically because PPC instructions are never two bytes long. Well, yeah, let me... anyway. Yes, incorrect. Incorrect. So EB FE, let's start talking through it. Can somebody tell me what EB FE is? I heard somebody say it, but he didn't count. Anybody else? "jmp $-2." Thank you. So this will spin your CPU.
It says jump to myself. And again, this was an actual question during a Capture the Flag qualifiers; granted, you had online access and manuals and docs, which helps, and I'm asking you to do this from memory. That's why it's worth a Frisbee. So who knows their PPC instructions? I'll even take the mnemonic. Somebody want to give me a mnemonic for a PPC instruction that is the equivalent of a jump negative two in x86? Do they have jumps in PPC code, anybody? This is a hacker convention, guys, come on. We've got a hand up. Well, yes, it is a branch instead of a jump. What might the argument to the branch be? You're kind of thinking along the right lines, but maybe it's not based on the end but on the beginning of the instruction instead, in which case it would be zero. Oh, we have a winner. Excellent. All right, you want to try to... oh. All right, thank you. I promise I won't drag it out so long next time.

So, game mechanics. I mentioned there are two halves to this game, right? Capture the Flag has the qualifying round, which some of these lightning questions are coming from. If it seems intimidating, well, it is, but don't worry about that too much, because you learn, you figure it out. That's the whole point of it. I've learned more doing Capture the Flag than I have preparing for it or getting ready for it, just in the competition, because of the fun that you have with folks that you enjoy doing stuff with. And it doesn't matter where you place in the quals; doing the quals is an absolute blast. There's no reason not to do it. It's over a weekend, so even if you're working, I don't care, you can usually fit it into your schedule and you can do it. It's a lot of fun. The skill set has to be a little bit different. As I mentioned, the qualifiers run for 48 hours straight, so it's more of a Jeopardy-style board, and I'll flip ahead to this real quick.
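The EB FE / "branch zero" exchange above turns on where each architecture measures a relative displacement from: x86 counts a short jump's rel8 from the end of the instruction, PowerPC counts a branch's LI field from the start of the instruction. The decoder below is an added example, not code from the talk or its slides; it decodes an x86 `jmp rel8` and a PowerPC I-form `b` and computes each target, showing why `EB FE` and `0x48000000` both branch to themselves. The function names and the sample load address are my own choices.

```python
"""Added example: decode the two self-looping instructions from the lightning
round and compute where they branch (not part of the original talk)."""
import struct


def x86_short_jmp_target(addr, code):
    """Target of an x86 'jmp rel8' (opcode EB) located at `addr`.

    The rel8 displacement is signed and measured from the END of the
    2-byte instruction, so EB FE (rel8 = -2) lands back on itself."""
    if len(code) < 2 or code[0] != 0xEB:
        raise ValueError("expected a short jmp: EB xx")
    (rel8,) = struct.unpack("<b", code[1:2])
    return (addr + 2 + rel8) & 0xFFFFFFFF


def ppc_branch_target(addr, word):
    """Target of a PowerPC I-form branch (primary opcode 18: b/bl/ba/bla)
    located at `addr`, given as the 32-bit instruction word.

    The 24-bit LI field, followed by two implicit zero bits, is a signed
    displacement measured from the START of the instruction when AA=0,
    so 'b 0' (0x48000000) branches to itself.  Returns (target, lk)."""
    if (word >> 26) != 18:
        raise ValueError("expected an I-form branch (opcode 18)")
    disp = word & 0x03FFFFFC          # LI || 0b00 as a 26-bit signed value
    if disp & 0x02000000:             # sign-extend
        disp -= 0x04000000
    aa, lk = (word >> 1) & 1, word & 1
    target = disp if aa else addr + disp
    return target & 0xFFFFFFFF, bool(lk)


def is_self_loop(addr, target):
    """True when an instruction at `addr` transfers control back to `addr`."""
    return addr == target


def demo():
    # Constructed sample: both instructions placed at the same (made-up) address.
    base = 0x08048000
    x86 = x86_short_jmp_target(base, b"\xEB\xFE")
    ppc, _ = ppc_branch_target(base, 0x48000000)
    return {"x86": is_self_loop(base, x86), "ppc": is_self_loop(base, ppc)}


if __name__ == "__main__":
    print(demo())
```

Running it reports both instructions as self-loops regardless of the address chosen, because the x86 displacement of -2 exactly cancels the two bytes already consumed, while the PowerPC displacement of 0 is relative to the instruction itself.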
I'll go back. This was the one from this year. DDTEK actually added even more problems than normal, so you've got 100 through 500 in six different categories, so 30 different questions: binaries, challenges, forensics, all sorts of off-the-map stuff. The categories were Pursuits Trivial, Crypto Badness, Packet Madness, Binary L33tness, Potent Pwnables and Forensics. But ignore the categories, because I think there was a packet one in the crypto category and a crypto one in the binary category; the categories are general rules of thumb rather than a hard and fixed thing. Generally speaking, there were binaries, there were network captures, you were doing all sorts of interesting, bizarre stuff. The write-ups for these are all online if you go to the links at the end. Don't cheat, though. It's kind of like playing a video game and looking up the answers; that's no fun. You don't want to ruin it for yourself. Try it yourself, do the problems first, and then see what you can learn, and then use the help only if you need it.

So, the qualifying round, like I said, is 48 hours straight. It's independent, it's remote; you can be anywhere. When you're running the Capture the Flag, you log into the server, you get the account. 200-plus teams participate; 200-plus teams scored points. Certainly some were ghost teams or duplicate teams or others, but it's definitely a lot of people. Like I said, there's no reason not to; it's a lot of fun. You don't even have to play to win; you can play just to get all the questions and have fun and enjoy it. There's certainly nothing wrong with that. The winner of the qualifying round, like I said, the top seven to nine teams, depending on how many are allowed in, depending on the year, gets into the finals here at DEF CON. The CTF hours, I'd say 10 to 6, Friday to Sunday, at DEF CON for the final, the main Capture the Flag. Nah, that can change. Like I said, today they hadn't started.
I don't think they had, when I went into the speaker room. So things were a little slow to kick off, but that's to be expected with a new team doing it. So that's flexible; take it with a grain of salt. The interesting thing is, though, even though the Capture the Flag hours end, the work does not. The teams will go up to the hotel room and they'll keep working on the stuff, because you've got the binaries, you've got the server image to work on afterwards.

So, qualifiers versus finals: the finals is an actual live server. It's defending and attacking live against other people, and this is the more interesting piece. This is where everyone's like, "Well, I'm just going to bring my server that's X or Y, I'm going to do this." And so before you get into that, it helps to understand how it's set up.

Oh, right, the spoils. You get entry to CTF if you get into the top of the qualifiers. The winning team of the actual Capture the Flag gets a black badge. Here are the two that our team got from a couple of years ago: the uber badge, of course, the infamous DEF CON uber badge. It's admission for life. It's street cred. You get a leather jacket, you get dates with people of the opposite sex. You didn't get that? Oh, we're both married, so I guess we didn't do that either. But I thought that was supposed to be part of it. Oh well.

So at the main event (did my voice crack? I'm not 16; I don't look like it, still, but I'm not), at the main event every team gets their own identical server. Like I said, in years past things were more chaotic; everything was a little bit random. This year, if you saw the topology last time, every team gets a VM. It's a snapshot; you're in a jail. It's been FreeBSD; it was Solaris one year, that was painful. It's been back to FreeBSD. I have no idea what they're doing new; I think it was probably FreeBSD. It's FreeBSD 7.2, interesting.
They've upped the version this year, so right now the teams in there are doing FreeBSD 7.2, playing with some binaries. You are usually the network upstream. Now, a lot of this is generalities; you have to be very prepared for things changing on the fly. The rules will change every year. In fact, for the rules this year, if you go into the Capture the Flag room, grab one of these guys; it's got the updated rules. They're very different from the rules I'm going to describe to you from years past: mostly the same style of gameplay, but the scoring system is a little bit different. There are no longer breakthrough points for the first team that solves a problem. It's a zero-sum game: there's only the same total, and it just shifts based on percentages in terms of who's done what. So it will be very interesting to see how some of these differences affect the gameplay, because it's always about gaming the system, right? You always want to have the optimum plan of attack. You want to be prepared to do a lot of things. You've got flags, hence the "capture the flag" part, right?
These flags can be anything. Typically, though, they've been base64 strings of a fixed length, and so you can recognize them. There's a lot that goes on behind the scenes in terms of tracking who stole what flag from whom, because you have to know when they got it, where they got it from, what service. So when you get points, if you do a breakthrough point, you have to figure out all that stuff; if you're tracking a zero-sum game, you have to try. So all that is very carefully set up, and running a CTF is way harder than participating. I'm very glad to have participated and have no desire to run it if I can help it, because that would be a lot of work.

But stealing these flags and then submitting them is the way you actually get your points. The other way you get points, or rather you keep your points, is your SLA. Every team is required to keep their services up. I can have perfect security when I unplug my server; it doesn't help me much at actually maintaining a service. And so, to keep people from taking the nuke approach, your points are a sum total: all your points for stealing a key, for overwriting a key, for overwriting somebody else's keys, all of that is multiplied by your SLA. So if you're up for 90% of the service checks, you get 90% of whatever bucket of points you got. SLA matters. This is the biggest thing. It's not an inside trick or secret; this is just really, really important. Keep your services up. If you've got defensive techniques and tricks that you think of, how you can rearrange the server, great, but test them very carefully. Never, ever fail a service check, because that will screw your score very, very quickly.

So, roles. Thank you. A successful CTF team has a lot of different roles. I mentioned earlier... yeah, it's pretty lame.
I mentioned earlier that a lot of people, I think, think they're just going to do reverse engineering and that's all it's going to take. I mentioned my team has a bunch of different skill sets. You really have to have the complete picture.

You've got to have a leader. You need somebody just to organize the team. I mentioned Atlas, and on our team he is an excellent leader. Yeah, the herding cats. This should not be your best technical person. This should not be the guy who's the best reverser, should not be the guy who's the best exploiter, because that's a waste of his talents. It needs to be somebody who's organizationally good, who can motivate, who can keep communication going. It sounds stupid and silly to say, like, teamwork is really important, but it really is. If you don't get your people working together, you're never going to win.

Your network administrator is the guy who's not only setting up your firewall but also monitoring the network. Maybe it's a split role; teams can obviously implement this differently, but all these skills are going to be used. He's the guy who's watching all the attacks that come against you. He needs to be working with the defense to let them know about new attacks, needs to be working with the reversers to let them know when he sees a new attack, to help them figure out what to do to others. You've all got to work together.

Of course, you've got the reversing and exploitation. I didn't Google image search "exploitation," sorry; I decided that would be a bad idea. This is the main skill set. It really is, like I said: this is binary exploitation, so if you want to do this you've got to have somebody on your team. You may have that one rock star who's your good exploiter, and that's okay, because you need all the skill sets, but somebody's got to do this.

You need your sysadmin. Somebody's got to keep your services up. That SLA, I told you, is crucially important. Keep your system running, and you don't know what you're going to get. You may get Solaris, you may get FreeBSD, you may get something bizarre, and you need somebody with a lot of experience in all this stuff.

So, the defender is similar to the sysadmin. It looks like the same role: he's on the server, he's monitoring, he's keeping people out. The difference, though, is the defender's goal is purely to frustrate the opposition. His goal is to think of all the not-nice things you can do to people. You want to be dropping long-lived connections; you want to be moving binaries around so that the scorebot checker won't use them when it logs in. Any time you can figure out a behavior that's definitely a human and not a bot, you want to kill it. You want to be actively involved in maintaining the security of your server. And this will be especially interesting with the zero-sum game of scoring, how that impacts the number of points, whether defense matters more. In years past, it's almost been easier to ignore defense; you were better off not doing anything on defense to keep that SLA up. But we'll see if that changes.

A gopher, or go-fers, are critically important. Do not underestimate how nice it is to have somebody to get you food, because hackers do not live on caffeine alone, I'm afraid to say. For maybe 24 to 48 hours, but beyond that you need a little bit more.

Like I said earlier, you have to have teamwork. My team has never been the best at reversing, never been the best at exploitation, never been the best at dirty tricks... okay, we were pretty good at dirty tricks; we'll get to that next. But we weren't the best in just about any area.
We worked together really well Team size is kind of a controversial topic School of route the guys that won last year have a big team not everyone is necessarily good or it Involved in the same degrees But in some ways a big team can hurt you you need people coordinating working together more than you need small It more than you need you know Just a lot of people to throw different problems that said you probably can't win with like a five-person team no matter How good those five people are because there's something like 20 binaries you get at the start of the game and you're doing the Network monitoring the sysad me you're doing so all these are the roles that you've just got to have a number of people So a quick word on sort of CTF etiquette I'm a really nice guy I promise I am but I have been rather rude to people and asked them to leave the table because You don't know if they're a spy or not. I've since buys against other teams I would not be surprised and I know for a fact other teams have done it to us too So if somebody says hey, I don't want you watching my screen They don't take it personally when you're in the room and everyone is going on it gets pretty competitive So just as a word of warning you don't shoulder surf these guys or try to see you're doing I know it's really interesting That's why I love to do it. But like I said, just just don't take it the wrong way when they ask you to leave Alright another lightning round. It's a little x86 instruction heavy So who's got their intel manual on a on the laptop and wants to pull it out? I'll settle for the mnemonic. You don't have to assemble it in your head this time implement the following in one instruction What does this look like? I don't have a frisbee for this though. So maybe we'll Give you a water cup. It's not It's not it's the tricky part is it's it's it's not an in-app description of what's going on with clothes I guess would say but not quite it. 
There's... so, what will be put into EBX at the end of this? So the interesting thing is, we're shifting one by ECX and ANDing it, so what are the only possible results? Can I have 14 bits in EBX at the end of this? I cannot. How many bits could I have in EBX at the end of this? I can only have one bit. There will only ever be one bit at a time in EBX at the end of this. We're gonna skip this; it's not interesting. It's not all like this either. I like this stuff. This is a bit scan, right? So it's actually a nice long C loop that comes down to just, hey, I look for the last one and put it in this other register. Isn't that neat? Okay, now the fun stories. This is where I hope I don't burn bridges. It is a hacking competition, folks. Don't be surprised if there is some hacking involved in this competition. Let's all say it together again: security is only as strong as... the weakest link. Excellent. So what's the weakest link? Humans, obviously, but specifically, what is it that we do, or related to our usage of systems? If you want to hack a system, what's just the simplest, stupidest way in, besides asking? Let's do it. Physical security? Yes, come on. What's under the keyboard? Their password. Thank you. Yes, your password, almost always one of the weakest links. So there have been different ways to get root access to your server at the beginning of the CTF. When you actually come in and you get access to your VM before everybody else does, one of the ways was that you got a text file in the root of your system that had your password. It was your database password.
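Going back to the bit-scan lightning round above, here is an added example (not from the talk or its slides) that writes out the "long C loop" the speaker describes, where EBX is formed as 1 shifted by ECX and ANDed against EAX so it never holds more than one set bit, next to the single-instruction form it reduces to via GCC/Clang builtins that compile to BSR/BSF. The register names in the comments follow the talk; the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The "long C loop" form of a bit scan: walk ECX from 31 down to 0,
 * form EBX = 1 << ECX, and stop at the first bit that is also set in
 * EAX. EBX only ever holds a single set bit, which is the observation
 * made in the talk. Returns the bit index (what the loop leaves in
 * ECX), or -1 when EAX is zero (x86 BSR sets ZF and leaves the
 * destination undefined in that case). */
static int scan_reverse_loop(uint32_t eax) {
    for (int ecx = 31; ecx >= 0; ecx--) {
        uint32_t ebx = 1u << ecx;   /* exactly one bit set */
        if (eax & ebx)
            return ecx;
    }
    return -1;
}

/* Same loop in the other direction: lowest set bit, i.e. BSF. */
static int scan_forward_loop(uint32_t eax) {
    for (int ecx = 0; ecx < 32; ecx++) {
        if (eax & (1u << ecx))
            return ecx;
    }
    return -1;
}

/* The single-instruction equivalents via compiler builtins that map to
 * BSR/BSF (or LZCNT/TZCNT) on x86. The builtins are undefined for a
 * zero input, so guard that case the way the hardware flag would. */
static int scan_reverse_builtin(uint32_t eax) {
    return eax ? 31 - __builtin_clz(eax) : -1;
}
static int scan_forward_builtin(uint32_t eax) {
    return eax ? __builtin_ctz(eax) : -1;
}

/* Cross-check the loop and instruction forms over constructed values,
 * including the zero edge case. Returns 1 when every pair agrees. */
static int loops_match_instructions(void) {
    const uint32_t samples[] = { 0u, 1u, 0x80000000u, 0x00004000u,
                                 0xDEADBEEFu, 0x00010010u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (scan_reverse_loop(samples[i]) != scan_reverse_builtin(samples[i]))
            return 0;
        if (scan_forward_loop(samples[i]) != scan_forward_builtin(samples[i]))
            return 0;
    }
    return 1;
}

int main(void) {
    printf("bsr(0xDEADBEEF)=%d bsf(0xDEADBEEF)=%d all_match=%d\n",
           scan_reverse_loop(0xDEADBEEFu), scan_forward_loop(0xDEADBEEFu),
           loops_match_instructions());
    return 0;
}
```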
It was the password you logged into the score server with, and it was your root password. Most teams managed to get this right and change the root password. It's a rather important step in securing your box: changing your password from one that someone else can read, right? Not everybody does. School of Root actually owned somebody that way last year, and I've got to give them credit, because they could have literally owned every service immediately, because they had root on somebody else's box, and they chose not to. That was a very gracious thing to do. They have a lot of self-control, let's just say that. I'm not sure I would have been so strong. But one of the things you could do with this password: once you've changed it, what good is it, right? I can log into the score server as you. Well, that's nice, I can see your score. What else? Well, I can change your overwrite key. One of the little buttons in the score server is "change my overwrite key," where you can change the key that you use to overwrite other people's flags to indicate you were the one that exploited that service and overwrote their flag, right? That's kind of a handy thing. Only one overwrite key can be active at a time. If I click that button, your scripts must be updated or you will not get any overwrite points. So for a little while on Saturday, back at DEF CON 15, School of Root's overwrites went like this. And then they noticed and figured someone hit the button, and so then it went back up again. And 50 minutes later I pushed the button again, and another 45 minutes went by, no one noticed, and it flatlined again. And then they noticed, and I did it again. And so for about three to four hours they were denied a bunch of overwrites, mainly because they weren't paying attention, primarily because they didn't protect this password, but also it was, like, the little things. You really got to get this right. You got to protect your passwords. You got to remember: what could I do that's nasty with the score server?
To be fair, we asked before we did this. Now, one of the other things that's interesting: like I said, they don't like the web weenies in this; they like the binary exploitation. There are usually one or two web services just to toss a bone here and there. But one of the other teams had a really clever idea. We were stealing people's passwords that they'd left unprotected; the other team set up the web services that they were running with cross-site request forgery attacks. So if you just visited their web service, your browser would go to the score server on your account and reset your overwrite token. And I have no idea if this worked. This may have been successful against half the teams that were there, and we'll never know, because that's not the kind of thing you can find out. You'd have to go back and look through the graphs for some more flatlines in overwrites. So sometimes, even though web security isn't really designed to be part of it, you can kind of make it part. One of my favorites is last year's badge hacking that occurred. Who here was at the awards ceremony last year and heard what the badges... or not? You're all either ashamed to admit it or a whole lot of you weren't here. Well, the winning badge was one you could wave and do a password, and you plugged it in; it was cute. But the second-place badge, that was my favorite. That was a true dirty-tricks badge. The second-place badge, the guys that hacked that, programmed a bunch of "shut off your computer" IR codes. It went in and out of Front Row on a Mac, and HP laptops would actually go into hibernate, which takes forever, and then it would come out. It would go in, it would come out; it would just make your computer unusable. Oh, yeah. And they clipped a resistor so these things worked from, like, way far away. They'd just be walking around the conference with their badges transmitting this code, and so you'd see laptops popping in and out.
There's a recording from last year, on these DV cams they were using, where one of the Macs suddenly got a little antsy, and you'll know which talk it is. If you go through the web video archives, one of the recordings gets a little hard to watch because the camera suddenly shut off. I don't know why. One of the teams... and I've got to feel a little bad for the guy in the Wild Hackers who had an HP laptop, because his computer was unusable for most of Saturday. There were a couple of guys who had these hacked badges just dying with this guy. So I feel a little bad. But again, it goes in the Capture the Flag, it goes in dirty tricks, it goes into cool hacking. The moral of the story is you better shut off every interface on your laptop. Go into your BIOS and disable your Wi-Fi; don't just do it in the OS. Tape electrical tape over it... you could actually put your finger over it with the other badge. I took it through in the laptop centers. I mean, you better shut off everything you can to do it. So I guess the essence of judo, of which I know nothing but I've heard, is using your opponent's strength against themselves, right? Remember that virtual machine they were just talking about in the last talk, that Chris Eagle, the one guy, the only guy, solved? This crazy, ridiculous problem. It was unbelievable. It was actually, I think, Saturday... this is Sunday morning, I think; if I'm remembering correctly it was actually Saturday morning. It was the first night of the competition. Chris Eagle came back and he had solved it. This is just ridiculous, this hard problem built basically for him; he had solved it. Except he left it world-readable. So we were having shells in their boxes. We had his patched binary.
We have no idea what the vulnerability was; I haven't gone back and looked at it. It was a huge amount of changes he had made to it. His patched copy was secure, and I don't know how it worked, but I know I was secure too, because I was running his copy from his machine that he left world-readable. So again, keep track of those little things; they will get you. One of the "almost" ones that would have been really cool was a couple of years ago when you actually had dial-tone submission. The keys were all numeric, and you actually submitted them over DTMF, which was really fun, when everyone was scrambling to Fry's for WinModems and voice modems, trying to be able to script this stuff, because no one wanted to spend all day dialing thousands of numbers into the phone system on the phone they gave you. But one team actually figured it out, and I'd love to find out how. Nobody that I talked to remembered, to find out which team it was, but these guys actually got to the admin interface of the VoIP adapter. And if they had managed to, like, you know, redirect traffic and get other people's keys sent to them and then resubmit them, that would have been the ultimate; that would have been a great hack. As it was, they only were able to change the IP address and cause a denial of service that had to be fixed and then, you know, eventually got resolved. But they did get breakthrough points. So even though it was a kind of, you know, hack that was against the infrastructure, which is often against the rules, the moral of the story is if it's a cool hack, if it's a good hack, it's probably gonna be worth some points. The other part is, again, if you ask, if you go to the organizers, they'll usually let you do whatever it is, because they like cool hacks too. They want to see this stuff go on. So this year, I wonder if somebody from DDTEK is in here. Probably not; I'm sure they're very busy with that. But the qualifiers they put on this year had a problem.
It was Forensics 200. It was meant to be solved by getting a Vim swap file. So you had to actually get the swap file and figure out the changes to the file and the original file source to figure out some changes. There was another problem that was solvable with the Vim swap file; it was not meant to be solvable with a Vim swap file. They were fixing a web service and editing it on the server live with vi, and someone from one of the teams happened to go grab the swap file and get the source code to the problem. It makes it much easier when you have the source to a web service, for some reason. It's strange how that happens. So again, it's not always the way you expect it to be solved that it gets solved. So there's a lot of ways you could ruin the competition. We know this: denial-of-service attacks are generally just disallowed. It's just not fun. I know it's a hacking competition, and if it's clever, it's worth it; do it, you get points. Ask, always ask, because you'll get the points, but just play nice. That's all I ask. Someone was ejected once for trying to cut someone else's network cable with a Leatherman, and that's just... he was totally busted too. Collusion is another area, by the way, where you could really just make this not fun. Thankfully it doesn't look like it's happened yet, but you could very easily collude, swap keys with somebody else, to make it look like you got a service you didn't. So I've just told you now how to ruin CTF. Please don't, please don't do that. That would not be fun. So, great, you want to actually do this, right? What do you need to learn to actually get these skills? What's the best way to learn, to practice? Not a problem. You just need to learn a couple of skills. Once you've mastered those, you're set. It's a small set; you'd be just fine. There are some links.
There are a lot of sites online. Go back to Atlas's presentation from a prior CTF. He talks about "From Script Kiddie to Hacker in Three Sleepless Nights." It was really longer than three nights, but it was a good title. But it really was over the course of, you know, just this couple-of-month period from the qualifiers from that year on to the finals, where he just threw himself into this and got really, really good. He instantly got job offers from this afterwards too, because this turns out to be a handy real-world skill set. Who'd have thunk it? Reverse engineering, exploitation, go figure. So you can't do this. It's really about putting the effort in, putting the time in. In terms of tools and techniques, there really is no right answer. You need some scripting; you need to be somehow doing a quick kind of response, whether you're scripting up your scaffolding for your exploitation framework, which you do in advance, or you need to be scripting up a new key submission. Oh, look, now they're requiring that we use SOAP or XML to submit our keys. And so you've got to have some sort of familiarity to do this stuff. There's a lot of changes that get thrown in the mix to do this. If you're really, really good... I've seen the "C is my scripting language" shirt; if you're that good, more power to you. There are people that are that good at C, but generally speaking, having a number of people who are just really good at the quick and dirty scripting is really gonna be important. If you're not good at reverse engineering, you won't win. It's hard to score points if you can't actually exploit stuff. And there are always a few... there are cool little gotchas, command injection, other little things, but generally speaking you got to crack a debugger, you got to crack IDA, and you've got to actually sit down and reverse this stuff. And again, this can be tedious, can be time-consuming, can be a difficult skill to learn, but it's totally worth it. Again, not everybody on the team has to
do this, because there's a lot of skill sets. Go back to those other roles: if you're the defense guy, you're the sysadmin guy, you're the network guy, these are vital roles. But you're just never gonna get points unless you can pull up IDA and do this, although, as shown in the last talk, IDA is very often easily fooled and easily broken. So a couple of web links. A lot of the resources for this: the first link is capture.thefl.ag. I wish that was easier to pronounce, I'm sorry. It's "capture the flag" with a period between "capture" and "the", and between the "fl" and the "ag". I was just trying to be too clever, apparently. That's gonna be where these slides are up at; that's gonna be where there's just a whole bunch of other stuff going up. So if you are interested in Capture the Flag, that will have everything you're gonna need to know: links to all the write-ups from all the other teams, links to binaries, images from Capture the Flag years past, so you can play with these binaries yourself. Right now it just has the presentation, but very shortly, aka when they get back on a network, I trust it will be getting more stuff. DDTEK is the guys that are running the show now. I'm really looking forward to seeing what they come up with this year, and hopefully the contest is going live now, and we can all walk through and watch the score and see what's going on. Again, make sure you read those updated scores and try to figure out: how would you find loopholes? How would you play?
What's the strategy teams are using? Walk around and watch from a distance, in front of the screens, to get a feel of what the teams are doing. Nopsr.us was mentioned in the last talk too; that's the one that has all the write-ups. Nopsr.us has write-ups for two or three years' worth of qualifiers and finals, so you can find lots and lots of good stuff up there if you get stumped, or if you want to go see what types of questions reliably get into next year's qualifiers; go back and see that. Shall We Play A Game is done in the style of WarGames, yeah, that's the thing, with a little backdoor interface to a WOPR, and you can play games with it. But it has write-ups for just this year's qualifying round, so you can see those there. There's a couple of other links; the one I want to highlight is RSnake, oh, I wonder if he's actually here this weekend, who has a great blog post that was called "Hacking without all the jail time" that turned into this great reference, because everybody linked their favorite online capture-the-flag games. There's a huge amount of sites where you can go to do web security testing, capture-the-flag testing, a lot of other types of capture the flag too; you can practice all this stuff. Again, practice. "Hacking without all the jail time" is a great resource as well. So if you want to pick three books to read: I hope Chris Eagle doesn't hate me for all the dirty tricks I've pulled on him, and so hopefully I'll try to pimp his book. It is the Bible for IDA reverse engineering. Chris Eagle, I can mention, the captain of School of Root and just a phenomenal exploiter and reverser, was the author; he released the book last year. This is going to be, like, the standard one reference book for IDA for the foreseeable future.
It's extremely good. A couple of others that are very useful as well are Hacking: The Art of Exploitation and The Shellcoder's Handbook, because again this is a binary-exploitation kind of skill set. So, fine print: Creative Commons licensed; all the images you saw in the slides were from Flickr under Creative Commons. And that's about it. Questions will be off in the other room. Thank you all for coming out.