Hosting CTFs with Berlyne
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Subtitle |
| |
| Title of Series | ||
| Number of Parts | 95 | |
| Author | ||
| License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/32300 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
| |
| Keywords |
FrOSCon 201747 / 95
4
8
9
15
20
22
23
24
25
27
29
32
36
37
38
39
40
45
46
47
48
49
50
51
53
54
59
63
64
65
74
75
76
79
83
84
86
87
88
89
91
92
93
94
95
00:00
Open sourceFreewareInformation securityStudent's t-testSoftwareSession Initiation ProtocolPhysical lawUniverse (mathematics)QuicksortKey (cryptography)ArmVideo gameBitMultiplication signComputer virusComputer animation
01:50
2 (number)FlagMotion captureComputer animation
02:28
Time zoneFlagMultiplication signFlagField (computer science)Point (geometry)Information securitySoftwareComputer animation
03:21
Service (economics)Game theoryFlagVulnerability (computing)Self-organizationMultiplication signPlanning
04:12
Physical systemEndliche ModelltheorieWater vaporRevision controlService (economics)String (computer science)Point (geometry)Type theoryGame theoryFlagWhiteboardComputer animation
04:54
Different (Kate Ryan album)Service (economics)Game theoryType theoryFlagUniverse (mathematics)Self-organizationBitMultiplication signLecture/ConferenceProgram flowchart
05:56
Multiplication signElement (mathematics)Point (geometry)BitComputer animation
06:32
WebsitePasswordLoginTask (computing)Field (computer science)BitFluxCASE <Informatik>WebsitePoint (geometry)Information
07:09
WebsitePasswordLoginPay televisionOnline chatWebsiteTask (computing)Web 2.0Perturbation theoryInteractive televisionComputer clusterSystem administratorCASE <Informatik>FlagEmailPay televisionCross-site scriptingForm (programming)Endliche ModelltheorieDirection (geometry)Data managementComputer animation
08:04
Meta elementRSA (algorithm)Parameter (computer programming)LogicInversion (music)Vulnerability (computing)TelecommunicationKey (cryptography)SoftwareTask (computing)Service (economics)WebsiteScripting languagePhysical systemMessage passingRight angleComputer animationXML
08:55
SequenceElectronic signatureContent (media)RSA (algorithm)Key (cryptography)Codierung <Programmierung>Uniqueness quantificationQuery languageDivisorParameter (computer programming)LogicInversion (music)CryptographyTask (computing)Goodness of fitForm (programming)Category of beingWeb 2.0WebsitePhysical systemCryptographySource codeXML
09:26
Schmelze <Betrieb>Event horizonRoundingIntrusion detection systemMobile WebComputer animation
09:57
State of matterFlagStudent's t-testUniverse (mathematics)Cartesian coordinate systemWave packetType theoryPoint (geometry)Combinational logicSimilarity (geometry)Computer animation
11:17
TheoryUniverse (mathematics)Student's t-testDot productCartesian coordinate systemIndependence (probability theory)MereologyInformationNatural numberPoint (geometry)Real numberGroup actionOnline helpProcess (computing)Computer animation
12:47
Natural numberGroup actionFeedbackInformation securitySoftwareUniverse (mathematics)Logical constantDatabaseMoving averageLecture/ConferenceComputer animation
13:26
BitArchaeological field surveyFeedbackStudent's t-testService (economics)SoftwareTask (computing)Graph (mathematics)Information securityMultiplication signComputer animationDiagram
14:52
FlagMotion captureRankingUniverse (mathematics)Computer animation
15:22
Medical imagingCASE <Informatik>Router (computing)Service (economics)Vulnerability (computing)Exploit (computer security)File formatSoftwareBoss CorporationMatching (graph theory)Normal (geometry)Right anglePower (physics)Computer animation
16:34
Line (geometry)Content (media)SoftwareMotion captureTask (computing)Enterprise architectureMultiplication signUniverse (mathematics)Computer animationLecture/Conference
18:00
2 (number)Software frameworkInformation securityCartesian coordinate systemMultiplication signSoftwareRight angleComputer animation
18:43
System programmingBit rateComputer-generated imageryTouchscreenFormal grammarWindowComputer iconConfiguration spaceElectronic visual displaySlide ruleWeb pageFeedbackHacker (term)Lattice (order)Computing platformAlpha (investment)Game theoryService (economics)FlagPoint (geometry)Firefox <Programm>EmailComputer forensicsFirst WORDInstallation artHash functionBlogVirtual realityContent management systemActive contour modelElectronic mailing listComputer programData typeState of matterTask (computing)Group actionPasswordThresholding (image processing)Digital filterRobotData recoveryExploit (computer security)CryptographyoutputCodeBinary fileString (computer science)IRIS-TWebsiteWeb browserWeb applicationPasswordTask (computing)Point (geometry)Computer fileRemote procedure callStudent's t-testMultiplicationDescriptive statisticsDigital electronicsPerspective (visual)Computer configurationCuboidCASE <Informatik>Category of beingThresholding (image processing)VirtualizationInclusion mapVector spaceTunisOperator (mathematics)BefehlsprozessorFlagGame theoryBit2 (number)RankingWeb 2.0Link (knot theory)Reverse engineeringPhysical systemFront and back endsGraphical user interfaceComputer animation
24:01
Firefox <Programm>Link (knot theory)EmailActive contour modelGame theoryPoint (geometry)Exploit (computer security)Hash functionVirtual realityContent management systemComputer fileLocal ringInformationFlagSource codeObject (grammar)Multiplication signBinary codeWeb 2.0Computer animation
24:41
CASE <Informatik>Web pageActive contour modelInformationComputer animation
25:11
Gamma functionExploit (computer security)Firefox <Programm>Game theoryPoint (geometry)Slide ruleView (database)File formatWindowScripting languageVirtual realityPoint cloudStudent's t-testOnline helpFile formatMereologyInformationContent (media)Scripting languageConfiguration spaceComputer fileDirectory serviceMeta elementComputer animation
25:57
Physical lawRepository (publishing)NumberPhysicalismPoint (geometry)Distortion (mathematics)Different (Kate Ryan album)Internet service providerMeasurementSoftware testingDrop (liquid)Cloud computingPoint cloudReal numberLecture/ConferenceComputer animation
26:56
Content (media)Active contour modelPoint (geometry)NumberGamma functionProtein foldingLine (geometry)Sinc functionCASE <Informatik>Instance (computer science)NumberDocument management systemPhysical systemService (economics)Computer configurationRight angleDirectory serviceDescriptive statisticsFree variables and bound variablesMereologyState of matterLink (knot theory)Category of beingPoint (geometry)SpacetimeWordInheritance (object-oriented programming)Term (mathematics)Exception handlingElement (mathematics)Revision controlIdentifiabilityContent (media)Computer fileConfiguration spaceMetadataComputer animationJSON
29:13
Installation artHash functionActive contour modelGame theoryContent management systemTask (computing)First WORDNumberBlogVirtual realityElectronic mailing listData typeComputer programState of matterComputer configurationPhysical systemDifferent (Kate Ryan album)Color managementUser interfaceSolid geometryComputer animation
29:44
Content (media)Configuration spaceReading (process)Configuration spaceMultiplication signMetadataRevision controlContent (media)Scripting languageService (economics)Directory serviceCASE <Informatik>MereologyStapeldateiComputer programmingException handlingTheoryComputer animation
30:25
Lattice (order)Group actionInstallation artVirtual realityData typeState of matterTask (computing)Hash functionFirst WORDNumberComputer programContent management systemBlogElectronic mailing listExploit (computer security)EmailFirefox <Programm>Active contour modelGame theoryPoint (geometry)RobotFlagAddress spaceInternet service providerAbelian categoryWritingFeedbackVulnerability (computing)FlagWeb pageTask (computing)NumberPoint (geometry)Descriptive statisticsSelf-organizationReflection (mathematics)Rule of inferenceOrder (biology)Computer animation
32:14
Slide ruleWindowComputer fileFile formatView (database)WikiBitComputer animation
32:45
UsabilityEmailPerfect groupLine (geometry)Electronic mailing listRepository (publishing)Library catalogDigitizingSelf-organizationUniverse (mathematics)Multiplication signOpen sourceRoundness (object)WikiTask (computing)Event horizonSoftwareService (economics)Wave packetSoftware testingPatch (Unix)Physical systemScaling (geometry)QuicksortFlagMotion captureCategory of beingThresholding (image processing)Speech synthesisCodecBitElement (mathematics)Process (computing)Vulnerability (computing)WebsiteInjektivitätStandard deviationExploit (computer security)Maxima and minimaComputer fileReal numberLecture/Conference
39:26
FreewareOpen sourceEvent horizonComputer animation
Transcript: English(auto-generated)
00:07
Thanks for showing up to my talk on hosting CTFs with Verlinde, where Verlinde is a tool I have written for exactly this purpose.
00:22
First of all, about me. My name is Troven Gonzalez. I am currently an InfoSec Master's student here at this university. Let me start with an apology. I'm really not fit today, so if I'm a bit slow from time to time or I have to take a sip of my tea, please excuse me.
00:48
Hello. As I said, I'm a Master's student here and I currently live in Bonn. So, what is this talk about?
01:01
The last three semesters, I was tutor for software security at another university and there we spiced up our lecture with CTFs and I want to pass on some of the experience we've made
01:25
and talk about the tool I have written to host CTFs. So, the talk has three segments. First of all, I'm going to talk about what a CTF actually is. Then I'm going to talk about the principles of problem-based learning,
01:46
which is important in my opinion. And then I'll show the actual tool this talk is mainly about. Okay. For a second.
02:02
Can you maybe raise your hand, who knows what capture the flight means? Okay. A lot, not everyone though. Okay, nice. So, I'm going to give a brief introduction then.
02:22
This is a capture the flight competition. As you can see, the red team here is trying to steal a flag and the grey team is trying to prevent the red team to steal this flag.
02:40
They're playing on a field that looks somewhat like this. Each team has a base, the base contains a flag and the other team's goal is to get the flag and bring it to their own base. That way they receive a point.
03:00
So, both teams have to defend their own flag while trying to steal the flag from the other team or other teams. So, this talk is about software security or IT security in general. So, what does that have to do with IT security?
03:22
Well, they're playing basically the same game. These are two teams, one in the back and one in the front, playing CTF and how does it work? Basically, each team hosts vulnerable services.
03:45
The services are usually provided by the organizers of the CTF but hosted by the teams participating and the goal of this team is to steal a flag of the other team by using the vulnerability in the service
04:03
while at the same time defending their own flag by patching their own services. Once they got a flag, they submitted to a system, took their board and received their points.
04:21
In this version of the game, the flag doesn't consist of cotton. It's usually just character strings that are weighted because if it's hard to exploit a service, you get more points than for an easy service.
04:42
Okay. So, one last thing. There are mainly two types of CTFs played. The first one is attack defense, that is exactly what I've just showed you where the goal is to steal the flag,
05:02
host it in the service of the other team. These are a bit difficult to host, especially for large setups, so these are usually played at conferences or locally at universities or something like that. The second type is the Jeopardy CTF
05:23
named after the game show where the organizer hosts the services and the goal for every team is just to exploit the service hosted by the organizer and steal the flag there.
05:43
The Jeopardy CTF has some big advantages. For example, it's not as time critical, it's not real-time as an attack defense. If I have an attack defense for eight hours, I need to pay full attention for this time.
06:01
Whereas in Jeopardy, there's not really a real-time element, so it can last for days or even longer and teams can just work in their own pace, which is good for educational purposes and easier to organize.
06:21
So, since a lot of you know what CTFs are, this is a typical scoreboard, as you would imagine it, a ranking with points. Now, a bit more interesting, this is an example task I picked out because I liked it from the Hekalu Jeopardy-style CTF
06:43
that is organized by the Flux Fingers, which is a CTF team of the Ruhr Universität Bochum, which is nearby. A typical, easier task you have, in this case a website, and one field where you can interact with the website,
07:03
where you can enter something. So, this is your starting point. You don't have background information, you just have this website and you need to get a flag. As an example for a more complex task, from the same CTF actually,
07:22
there was this, the motto that year was Wild Wild Web. This dating site, Hot Cows, and it has a lot of interaction. It has a chat that actually works, the cows reply. You can get a premium account, you have user management,
07:44
you can even write the administrator an email via a form. And that's also a problem. You don't know where to start, but you need to get a flag. In this case you had to contact the administrator
08:00
and use cross-site scripting. Here is an example for another task. It doesn't always have to be a software service or a website. Here there are two weak RSA keys and of course in your lecture you learn, okay, short keys are bad, but once you,
08:26
because you got a communication here, once you actually wrote the script that decrypts RSA encrypted messages, then you really understood how the system works and why it is bad to have short keys.
08:46
Last thing you need to know. A lot of teams, after they solved a particular challenge, they write a write-up how they solved this challenge and publish it often, which is a good form of documentation for them,
09:02
but also for others who weren't able to solve the task. You know, typical categories nowadays include almost everything. Typically it's a reversing or web crypto, but you see everything in CTFs nowadays from simple websites to all operating systems
09:23
that you need to exploit. So, if you didn't know about CTFs, I hope this was a brief introduction. There is a website called ctftime.org that lists a lot of CTFs. So if you're interested, check it out.
09:42
There is currently a CTF hosted online almost every week, which is really cool. So, secondly, this talk is about hosting CTF with Perline, not about participating.
10:00
And now there's a lot of institutions, especially universities, use capture-the-flight competitions, which is really cool, but often they do it in a manner that doesn't really help students, which is why I included this segment about problem-based learning, which are very basic principles that you should follow
10:21
if you host a CTF. Yeah, as it states here, the idea behind PBL is that the starting point should be a puzzle, a riddle, a query, and of course you can argue that this type of learning has been around forever,
10:43
but the problem-based learning, how I'm gonna talk about it, is the formal, defined one, there's been a lot of research about that it works very well in combination with lectures, not as a replacement, though,
11:00
but together with a lecture, and that it works really well to assimilate fragmented knowledge into applicable skills. So if you have a lecture or a training in your company or university that teaches you the theories, problem-based learning is great
11:22
to make the students understand the theory, connect the dots, and get applicable skills out of this theory. The goals are to promote problem solving, independent learning, also to evaluate independent learning,
11:43
and last but not least, also the motivation is a big part. So, PBL, these are the four basic points. If you're a CTF, you should take into consideration, very basic, very easy, and if you follow them,
12:02
you usually have good outcomes. So, first one is authentic problem. That's something often violated. That just means the problem should be as close to a real-world problem as possible. And also, that there should be no detailed background information
12:20
on the problem itself. Secondly, you work in small groups. Third, the teacher steps back, is a tutor. He doesn't help with any problems. He might moderate the learning process, but he definitely should not help.
12:42
And the individual knowledge gain usually comes naturally. That just means if you work in a group, you can discuss with people, but everybody should do research on their own, and then discuss with the others. But as I said, if you do a CTF in small groups,
13:00
that usually comes naturally. So, we hosted a CTF at the RTV Constance, which is a university in Constance, taking these roles into consideration to spice up the software security lecture.
13:23
Afterwards, we gathered feedback from the participants. There was a bit over 30 students, I think 31, mainly IT students, but also we had some from electrical engineering. And,
13:40
of course, we got a survey for the feedback. One of the questions was, did you have fun? And the CTF was obligatory, so people had to participate. But still, most of them said they had fun, or at least a little,
14:00
which is nice. But even more interesting was this question, did you learn something new? These graphs look a bit too good, but these are from the actual feedback. Did you learn something new? And everybody said yes, which is interesting because
14:21
the tasks of the CTF and the topics taught in the software security lecture and the CTF was at the end of the lecture. It was really cool to see the students really invest a lot of time, more than they would usually do with a worksheet,
14:42
and still having fun and still learning something new. Why I included this PBL is, as I said, a lot of institutions are picking up on this idea of capture-the-flag competitions, which is cool, but
15:01
sometimes they don't take problem-based learning or other learning methods into consideration. I included an example for this here by the vendor Hacking Lab, which is used by some universities. It's a company that hosts
15:21
capture-the-flag competitions. There, if you solve a task, you have to write up and submit it, and then the write-up gets assessed. In this case, you got the image of a router,
15:42
and you're supposed to run it. The router had a software service running with a vulnerability. How I solved it was just download the image, convert it to a format you can use with, mount the image, grab for flag,
16:01
and I received the flag, which is an enormous CTF. This would be a valid solution because I got the flag, but in this case, the write-up actually gets assessed. I can't exploit the service as I would.
16:22
I have to specifically exploit it and how the creators wanted me to exploit it, and that, of course, is not authentic. It's not an authentic problem, and it doesn't motivate. It's frustrating. That was a really frustrating task.
16:42
There was an introduction to CTFs and problem-based learning. I will talk about the tool I have written to host these capture-the-flags at my university. It is also used by a company in Cologne,
17:01
Dilexium, which is also a sponsor at this conference. This tool, I wrote it as free software, and it's a tool to work with. It's not your enterprise tool to just use. You're supposed to work with it.
17:22
First of all, why would you use a tool to host CTFs? Why would you host CTFs if there are so many online? First of all, the CTFs online, they vary heavily in difficulty and quality, and if you have a lecture or a course,
17:42
you might not want to depend on a CTF. You don't know what it's going to be about. It might not match in content, and also not in time. It's often during the weekend. You can use Berlin to host your own CTFs whenever you want with the topics you want.
18:01
So the goals of Berlin, basically bring CTFs to the classroom, make it easy to spice up your lecture, your course in software IT security with a CTF, make it very easy to set up a CTF within seconds.
18:24
It's written in Django, which is a Python framework. Just because I'm very lazy and Django is an extremely cool framework that allows you to write applications in no time.
18:40
Okay. So I'm going to show the tool, which is why most people came, probably. So I have two browsers open. It's a web application.
19:12
At least the frontend is a web application. The Chrome one is a teacher.
19:20
The Firefox one here is a student. So as a student, you just have the different courses, and a course is essentially a CTF. I mean, in this game mode, you have a threshold,
19:45
a certain amount of points you need to pass, kind of like an exam. You have a beginning and a deadline for flag submission, and the short description, and the rest is just your usual CTF.
20:02
You have problems here. You have a flag submission and you have a scoreboard. Here somebody already has some points. They are in red because they haven't reached a threshold yet.
20:21
Okay. So the first student is just a normal CTF. More interesting is the teacher's perspective. Here you have an additional tab about problems. So if I look into them,
20:42
these are the different problems that I currently have installed in this local installation. You can see, but I will dive into that a bit more later, you can see the deployment options are different. I have challenges that are only downloadable,
21:01
but also Docker or some run in the VirtualBox VM. I'll show that to you in a second. As a teacher, I just create a problem.
21:21
A course, sorry. And I show how to create problems in a second. I choose if I want the scoreboard. Maybe sometimes you don't want the ranking. I can say if the students have to submit a write-up with their solution,
21:42
start a deadline, I can set a password and a threshold, and then I can assign problems to the course. So now in this case, they have tags and names and categories.
22:02
So I want a web challenge, maybe something remote file inclusion. I'll add that. Maybe some reversing. Reversing.
22:34
Now I can assign points. These are the points the problem creator wanted for the task, but I can overwrite them for the course.
22:44
Now the course is created, and if I go back to the problems page, I see the system now starts the problems that got newly assigned. So this can be seen as like a high-level singleton.
23:01
The problems that are in the course are running. The problems that are not used in the course are shut down. Okay. So I go back to the student's perspective. I see the new course,
23:20
and I can join it with, I just set a password, yeah. And this is my course. It's a CTF. I see in the meantime, now because it's a local installation,
23:40
there's only one worker that starts and stops the VMs. Usually it's one worker per CPU in a real deployment. So this is not initialized yet, but here this is a problem. This is a CTF task. I can, I have a brief description, and in this case a link.
24:04
Yeah. And that's your problem. You don't have background information, you just need to receive a flag somehow. Okay. So, exactly.
24:28
So the other one also started, is also started. Again, here I can download a binary, and this is not a web page,
24:42
it doesn't look too good. In this case it's just a snake game, and again it's without background information,
25:02
it's just a problem you have to solve. So a teacher can just assign problems, use problems, create courses, and for students it's basically a CTF.
25:21
It's just a help for teachers or institutions to set up CTFs really fast. So these problems I was talking about, obviously they are very important.
25:43
If you want to write your own problems they consist of only three parts. A config file for meta information, a setup or provisioning script, and the content directory with the actual content of the problem. So you can exchange them very easily
26:00
via USB stick or Git repositories or whatever you prefer, and you can just deploy them either to Docker, VirtualBox or DigitalOcean, whereas I would recommend using Docker only for testing because it doesn't offer isolation
26:20
as the real VM does. And DigitalOcean is a cloud provider which is handy because then the problem doesn't get deployed locally, but it spins up a droplet VM in the cloud. And for you it doesn't make a difference in the handling.
26:41
The problem difficulties are measured in points. For me I do it for between one and five hundred points, but you can do it however you would like to do it. So, problems? If you have a problem you just copy it
27:03
to the problems folder of your Berlin instance. In this case these are the problems I have. The problem lucky number, although I just copied there, I haven't used it,
27:22
haven't installed it yet. And as you can see it consists of four elements, the readme is just a bonus by me so you know what it's about. Config.json is the metadata file
27:42
where I have the points, obviously, the ports the VM uses because the VM is not just put out in the wild. You have to specify the ports your service is using and then the per-line system
28:02
adds a port forwarding. In this case the service uses a port 6666 and that will get assigned a random port later on. You have a category, the tags for the search option. You can specify downloads from the content directory
28:20
people should be able to download a name and a description which uses these placeholders. So here for example the dlmain will be replaced by the download link for this download.
28:42
The host part, the host placeholder will be replaced by the host since I don't know where it's going to get deployed. And the port is the port I specified earlier. You can use that because as I said there will be a random port assigned
29:02
that has a port forwarding to the VM's port, in this case 6666. Okay. So a lucky number in this case. Let's say I want to add it to my course. Once I put it in the problems folder
29:21
I can just, via the Wipe interface, install it for the different deployment options then the system will install it. This can take a second now since it creates the VM, it provisions the VM.
29:46
During this time I can show you the problem. I showed you the config metadata. The content is just a normal directory. In this case with the program and a configuration for XENETD.
30:02
And the third part was the setup which is just a script that installs the needed services for the problem. Here it's just a batch script but in your installation you can also use Puppet or whatever you prefer.
30:25
Okay, so now it's installed the problem. I will add the problem now to the course. How is it called? Lucky number.
30:46
Again it just makes it very easy for teachers to do these kinds of stuff. Now it starts up the VM.
31:01
So here you see the tasks are starting and the task is currently running to start the VM. I can show you, I can cheat.
31:22
If I submit a flag, maybe that's also interesting. This is a task I see as a teacher, a page for a problem I see as a teacher where I see the port forwarding that was used, the description and the flag.
31:40
The flags get created automatically. They're not always the same. They get created for a startup. So now I have the task. I can submit a flag and then oh, there was another here.
32:01
And then I can write it right up. For the teacher to read and I receive the points. So it's CTF just made easy for organizers.
32:23
So that was it. I hope you've seen a bit about the tool. I hope you think it's useful. If you have any questions or if you have trouble setting it up, there's actually a Wiki page describing everything. But don't hesitate to write me.
32:41
I'm glad to help.
33:02
There's not really a marketplace for problems, but so far there's a Wiki page listing problems available. And that's also one of the reasons why I want to put this tool out because
33:21
if somebody creates problems or I mean you can also just use open source software as known vulnerabilities and include it, for example, then it would be really nice if you tell me so I can add it to the list. So far there's not a marketplace because
33:40
there's not that huge amount of problems. But there's a Wiki page also on GitHub listing them. And as I said, it's really easy to include them. Most of them are in Git repositories, so you just clone the repository, copy it and then you have to put it. But if it grows and if there are more problems, there will be a marketplace here or a catalog here.
34:10
Hi, thank you for the talk. Are you aware of other people or organizations using it already? How many?
34:22
My university, where I did my bachelor's, they're using it since three semesters. What they do, they have worksheets during the semester and in the end this is kind of like a final. So you have a certain threshold which is not too high
34:42
and a lot of tasks. So you need to solve three tasks at least that were from the category that was taught in the lecture. And also, this is the first time I speak publicly about the tool,
35:00
but a company in Cologne uses it for training of penetration testers. The company is called Delixio. I did an internship there, I'm not there anymore. And so far everybody who used it liked it, but only my university and the company I worked for used it.
35:24
They like it. Any more questions? A rather generic question in regards to the sketch of the flag,
35:42
because I think the idea is very good. Did you see appliances where, this is very software centric I believe, where it was taken out into the wild existing services so that people had to sit there and solve problems like getting a service up and running in the real world with devices and that stuff?
36:03
This is one of the main critiques of the method, especially if you do it in jeopardy style, where you don't even have to fix the problems you've exploited. You just have to prove that you understood them. It's an interesting problem and we have experimented with it at universities,
36:24
but I haven't seen large setups where you had to patch a system or get a system running. I think it would be very great, but it's difficult to organize.
36:41
So maybe someone can come up with a nice solution for that, especially that scales, because if you do it in a university, it's easy, but if you do it online with hundreds of participants, it's not so easy to organize. So I haven't seen a large setup that does that, unfortunately,
37:05
although it would be really great. Thanks. And a question, how long does it take usually to set up a challenge? Maybe I missed that in your speech, but what's the min and max that you have experienced to create a new challenge, because I think that's the essence of it. Yeah, so that's, as I said, one of the reasons why I gave this talk now,
37:27
because I think it's a bit of a crowdsourcing task, but there are a lot of existing CTF tasks, because a lot of organizers that held online CTFs afterwards put their tasks on GitHub or something like that, so you can use them.
37:44
You can also use existing software that has vulnerabilities, for example, but making easy tasks is not that difficult, so you can set up a website that has an SQL injection vulnerability or something.
38:00
It usually doesn't take so much effort, so it really depends on your standards. I think it's not much of an effort to write tasks, but to write really, really good tasks, to take it to perfection, is almost hard. As I said, there are CTF tasks where somebody actually wrote an operating system
38:28
and stuff like that, but the basic tasks, as I showed them here, it took me maybe a couple of hours. If you make it really small, even less.
38:42
Once you've done one, you kind of get a hang of it. So if you write your own problems, per problems maybe need a couple of hours, or if you use an existing problem, just align it for per line, it's very easy, because you just need these three files.
39:01
So it's not hard, but if you want to perfection it, it's work. Thanks a lot. Thank you, and maybe another round of applause.