ROOT THE BOX AN OPEN-SOURCE PLATFORM FOR CTF COMPETITIONS

Root the Box - An Open Source Platform for CTF Administration


DESCRIPTION

These are the slides presented at Outerz0ne conference in 2014. The contents detail CTF competitions, the Root the Box software platform and competition, and resources for sharpening your CTF and penetration testing skills!


1. ROOT THE BOX: AN OPEN-SOURCE PLATFORM FOR CTF COMPETITIONS

2. THE AGENDA
  • Background Information: who am I, why CTFs, why they are important; what CTFs are and how they work
  • Root the Box Vision: GTRI and RTB joining forces for the greater good!
  • Root the Box Internals: how RTB is built, and how you can work with it
  • Ways to Train: some ways that you can up your CTF and pen-testing game
  • Closing
  Not so hidden after all

3. BACKGROUND INFORMATION: LAYIN' SOME GROUNDWORK

4. WHO AM I?
  • Christopher Grayson, [email protected], @_lavalamp
  • Senior Security Analyst at Bishop Fox (Pen-Testing FTW)
  • MSCS, BSCM from GT
  • Former Research Scientist at GT
  • Former president, GT hacking club
  That guy in the front

5. WHAT ARE CTFS?
  • Broad category, but commonly: a safe, controlled environment for learning how to break into things and how to defend against attackers
  • Attack and defense vs. just attack
  • Can be representative of realistic scenarios or esoteric challenges
  • Intellectually stimulating
  Did someone say Team Fortress?

6. WHY AM I HERE TODAY?
  • I currently have my dream job
  • I've never had to choose between education and safety
  • I had the good fortune of attending SkyDogCon in 2012
  • But the story continues...
  Raise a glass to the infosec community

7. WELL, THAT'S SLIGHTLY COMPLICATED
  • 3 teams at SkyDogCon Duplicity CTF; got 2nd, 3rd and 4th place out of 4 teams
  • Received tickets to Shmoocon 2013 and Offensive Security training
  • Competed in TOOOL Master Keying competition
  • Received ticket to Shmoocon 2014
  Or at least more complicated than one slide

8. LASTLY, WHY ARE YOU HERE?
  • We work in the coolest industry. Period.
  • We need more talented individuals.
  • We need safe places to hone our skills.
  • We need your support and interest to help grow this project. (Hopefully!)

9. HOW 'BOUT THOSE COMPETITIONS?! LET'S CAPTURE SOME FLAGS

10. ANATOMY OF A CTF
  • Attack and defend: iCTF, Root the Box
  • Solely attack: CSAW, Hungry Hungry Hackers
  • In-person: DEF CON, Duplicity CTF
  • Online: where do I even start...
  No guts, no glory

11. ATLANTA'S LOCAL CTF SCENE
  • SECCDC: collegiate only, hosted by KSU; yearly, usually in Q1
  • H3: high school and collegiate focused, growing to industry professionals; yearly, usually in Q3
  • Grey H@t: organizing small CTFs, have a team (cheers Mad H@tters)
  • Root the Box: that's why we're here, isn't it?!
  ATL has talent

12. THE VISION: PLAYING THE LONG GAME

13. HUNGRY HUNGRY HACKERS
  • Started in 2010 by GTRI
  • Originally organized by Josh Davis, now organized by Daniel Lee
  • On-site only, targeting primarily collegiate competitors
  • Focus on educational aspect
  • Regularly 200+ attendees in the past
  Om nom nom

14. THE H3 TEAM
  • GTRI IT support and staff
  • Josh Davis: the originator
  • Daniel Lee: the orchestrator
  • Winston Messer: the tech wiz
  • Keith Watson: the Swiss army knife
  Bringing the pain

15. AND THEN THERE WAS ROOT THE BOX
  • Originally from Chandler, AZ
  • High-quality on-site CTF focused on realistic scenarios
  • Built and maintained by moloch
  • 2014 will be its 10th competition!
  • Geared towards education
  • Great software package built for administering the competition!
  And yes, the boxes were rooted

16. ROOT THE SOFTWARE STACK
  • Root the Box is written in Python
  • Uses SQLAlchemy for the back-end ORM
  • Uses Bootstrap CSS and jQuery on the front-end
  • Tornado web server for speedy service!
  A mighty fine stack, at that

17. THE BIG '13
  • 2013 marked the first year where Root the Box took on a conference approach
  • Full speaker series on Friday, followed by an all-day competition on Saturday
  • Lots of attendees, lots of fun
  Taking Root the Box to the next level

18. BRINGING IT TO A-TOWN
  • For the amount of awesome community and infosec tech and growth that comes from Atlanta, it should host the best competition
  • Great location for future growth due to Hartsfield-Jackson
  • Great foundation by teaming up with GTRI and H3
  • Event space locked down!
  • We need a way to educate and inspire the young and curious about the ethics around our industry and responsible education; what better place to do this?
  The not-so-dirty South

19. OUR GOALS
  • Free to attend
  • 400+ attendees, August 22-24
  • Three-track conference on Friday night
  • Large on-site competition on Saturday
  • Award ceremony and closing remarks Sunday
  • Introduce high school and college-level students to the world of infosec
  • Heavy emphasis on education: a whole educational track
  • Put employers in touch with talented individuals
  • Crowd-source challenge generation
  How's it going to be?

20. CREATING THE CHALLENGES
  • Challenge generation comes from internal sources as well as sponsors
  • Sponsorship includes financial support as well as challenge provision
  • Challenges are representative of sought skills
  • Put sponsoring organizations in touch with the properly-skilled individuals
  A whole lot of mutual benefit

21. SPONSOR DETAILS
  • Sponsorship levels will be announced
  • Sponsorship guarantees presence at the H3/RTB conference
  • Sponsorship allows for the production of challenges
  • Challenges submitted in .ova format with an accompanying XML file
  In the raw

22. INTERESTED IN BEING A SPONSOR?
  • Get in touch with me either after this talk or later on: [email protected]
  • Official sponsorship packet will be put together soon
  • Challenge specifications already compiled!
  Because that would be fine like wine

23. BACK INTO THAT SOFTWARE STACK: TIME TO NERD OUT

24. WHAT IS THE ROOT THE BOX SOFTWARE?
  • The software package used to administer competitions at Root the Box
  • Open source, distributed under the Apache 2 license
  • Takes care of all administrative aspects of the CTF competition
  • Also has game features that can add interesting twists to your CTF
  Wait, did I not go over that yet?

25. ROOT THE BOX INTERNALS
  • jQuery: "The Write Less, Do More JavaScript Library." A library that is what JavaScript should have been; rapid, easy development of front-end interaction
  • Bootstrap.css: "A sleek, intuitive, and powerful mobile first front-end framework for faster development." Led by Twitter; provides great CSS functionality so that you don't hurt yourself or those around you trying to write CSS
  Business in the front

26. ROOT THE BOX INTERNALS
  • Tornado web server: "A Python web framework and asynchronous networking library [...] that can scale to tens of thousands of open connections."
  • SQLAlchemy: "The Python SQL toolkit and Object Relational Mapper that gives application developers the full power and flexibility of SQL."
  Party in the back

27. SOME OTHER COOL PERKS
  • Root the Box uses web sockets to update competitors on competition events in real-time
  • CSS 3.0 animations! Unleash the full power of CSS! (cough, cough)
  • Snazzy front-end visualizations through graphing libraries
  • Has various components that can be turned off and on to add additional aspects to the managed game: Black market, Botnet, Vault!
  But wait, there's more!

28. WHERE CAN I GET THE SOURCE CODE?
  • Root the Box is available on GitHub: https://github.com/moloch--/RootTheBox/
  • Comes with a detailed README as well as step-by-step configuration instructions
  • Actively maintained by moloch
  Get your hands on the goods!

29. PREP AND PARTICIPATE: PUT ON YOUR HARD HATS, LADIES AND GENTLEMEN

30. TRAINING GROUNDS
  • OpenSecurityTraining can be found online: http://opensecuritytraining.info/
  • Is dedicated to sharing training material for computer security classes, on any topic, that are at least one day long.
  • Has free, professional courses on all matters hacking
  • Even has course outlines and prerequisites!
  OpenSecurityTraining.info

31. TRAINING GROUNDS
  • SecurityTube can be found online: http://www.securitytube.net/
  • Large amounts of free videos created by the site's founder
  • Aggregation of conference videos and lectures
  • Full primers on lots of different hacking areas
  SecurityTube.net

32. TRAINING GROUNDS
  • Corelan can be found online: https://www.corelan.be/
  • In-depth tutorials detailing exploit-writing and binary exploitation
  • Tons of other educational resources, primarily focused on binary and RE topics
  Corelan.be

33. TRAINING GROUNDS
  • Offensive Security can be found online: http://www.offensive-security.com/
  • The group that created the Backtrack and Kali Linux distributions
  • Training is not free, but the training you get from their courses is top-notch and well-managed.
  • Has an IRC channel that you can hang out in!
  Offensive-Security.com

34. VULNERABLE IMAGES
  • VulnHub can be found online: http://vulnhub.com/
  • A large repository of software images that are created solely to be vulnerable
  • Great place to get software packages to hack on
  • Has an IRC channel you can hang out in!
  Stand 'em up and knock 'em down

35. ONGOING COMPETITIONS
  • CTF365 can be found online: http://ctf365.com/ Touts a massive online, persistent CTF
  • CTFTime can be found online: https://ctftime.org/ Keeps track of CTF competitions worldwide and maintains scores for teams across different CTFs
  It's a good day to hack

36. STAND-ALONE CHALLENGES
  • WeChall can be found online: https://www.wechall.net/
  • Is an aggregation site for individual challenges
  • Advertises a total of 133 challenges available
  The featherweight class

37. CHAT WITH THE COMMUNITY
  • Hang out on Freenode to talk through challenges and difficulties you have trouble with.
  • #metasploit: Metasploit developers
  • #corelan: folks from the Corelan team
  • #vulnhub: folks from the VulnHub team
  • #offsec: folks from Offensive Security
  Don't forget to RTFM

38. RECAP: WE ALL NEED SOME CLOSURE

39. CTFS ARE IMPORTANT
  • Lower the barrier to entry for newcomers in the infosec field
  • Provide safe environments for people to learn critical skills
  • Are intellectually stimulating
  • Allow us to teach younger people how to responsibly conduct themselves while working with powerful tools and technologies
  • We need more talented people in this field
  It's the age of information, folks!

40. GTRI + RTB + YOU = AWESOME
  • Root the Box and GTRI have had the same mission but have operated in different venues up until now
  • We're teaming up to put on what is hopefully one of the best on-site CTFs this world has ever seen
  • We'd love for you to be a part of it
  • Mark your calendars for 08/22/14 and follow @rootthebox for more information!
  I'm no mathematician, but...

41. WE'RE LOOKING FOR SUPPORT
  • The more support we can garner, the better this event and all future events will be
  • If you're looking to hire infosec talent, and think that teaming up with RTB / H3 would be beneficial, let's talk!
  Let's build something together

42. RESOURCES
  • Hopefully I've been able to share some resources that you have not heard of before
  • I'll be posting these slides to the interwebs within the next week
  • Follow me at @_lavalamp for the link
  Back to that whole age of information thing

43. AND NOW FOR SOME Q&A: GIMME SOME TLC?

44. REFERENCES: A DIGITAL GOODIE-BAG

45. REFERENCES
  • GTRI Hungry Hungry Hackers / H3: http://www.hungryhungryhackers.org/
  • Root the Box Competition: http://root-the-box.com/
  • Root the Box on GitHub: https://github.com/moloch--/RootTheBox/
  • Moloch on GitHub: https://github.com/moloch--/
  • SQLAlchemy: http://www.sqlalchemy.org/
  • Tornado Web Server: http://www.tornadoweb.org/en/stable/
  • Bootstrap CSS: http://getbootstrap.com/css/
  • jQuery: http://jquery.com/
  • OpenSecurityTraining: http://opensecuritytraining.info/
  • SecurityTube: http://www.securitytube.net/
  • Corelan: https://www.corelan.be/
  • Offensive Security: http://www.offensive-security.com/
  • VulnHub: http://vulnhub.com/
  • CTF365: http://ctf365.com/

46. REFERENCES (CONTINUED)
  • CTFTime: https://ctftime.org/
  • WeChall: https://www.wechall.net

47. THANK YOU!
  • Christopher Grayson, [email protected], @_lavalamp