How to organize a CTF

Video in TIB AV-Portal: How to organize a CTF

Formal Metadata

How to organize a CTF
Title of Series
Number of Parts
CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Capture the flag contests are today's - competitive - crossword puzzles. We want to introduce you to CTFs, share our experience in organizing them and provide you with dos and don'ts to help you get your own up and running.
Telecommunication Self-organization Chaos (cosmogony) Coma Berenices Streaming media
Different (Kate Ryan album) Self-organization Density of states
Group action Root
Root Square number Student's t-test
Point (geometry) Server (computing) Quadrilateral Motion capture Motion capture Process (computing) Root Mixed reality Mixed reality String (computer science) Square number Flag Information Game theory Quicksort Information security Routing Information security Square number Flag
Algorithm Electric generator Information Key (cryptography) Code Image resolution Computer programming Number Category of being Cryptography Internetworking Gastropod shell Flag Reverse engineering Flag
Point (geometry) Source code Category of being Medical imaging Server (computing) Software Multiplication sign Computer-generated imagery Website Computer network Vulnerability (computing)
Service (economics) Server (computing) Arm Service (economics) Server (computing) Multiplication sign Exploit (computer security) Event horizon Latent heat Root Order (biology) Cuboid Flag Game theory Game theory Writing Flag
Injektivität Message passing Server (computing) Personal digital assistant Game theory Cartesian coordinate system Vulnerability (computing)
Point (geometry) Service (economics) Server (computing) Service (economics) Server (computing) Virtual machine Total S.A. Exploit (computer security) Flag Right angle Game theory Game theory Physical system Vulnerability (computing) Flag
Point (geometry) Service (economics) Flag Game theory
Point (geometry) Area Category of being Service (economics) Service (economics) Roundness (object) Software Mixed reality Different (Kate Ryan album) Website Computer network 2 (number)
Server (computing) Roundness (object) Root Gastropod shell Hill differential equation Computer forensics
Presentation of a group Telecommunication Ideal (ethics) Implementation Mereology
Collaborationism Addition Film editing Commitment scheme Server (computing) Telecommunication Multiplication sign Execution unit output Computer network Commitment scheme Mereology
Point (geometry) Server (computing) Mathematics Software Energy level
Service (economics) Software Term (mathematics) Flag Rule of inference
Point (geometry) Server (computing) Structural load Server (computing) Patch (Unix) Electronic mailing list Control flow Computer network Software Root System programming Pairwise comparison Backup Sinc function
Backup Structural load Server (computing) Control flow Planning Computer network Expert system Density of states Power (physics) Software System programming Pairwise comparison Backup Physical system
Virtuelles privates Netzwerk Broadcast programming Software Multiplication sign Phase transition Computer network Software testing Planning
Mathematics Multiplication sign Figurate number Density of states Connected space
Website Software testing Density of states Vulnerability (computing)
Multiplication sign Software developer View (database) Staff (military) Density of states Mereology Mathematics Flag Self-organization Software testing Software testing Sanitary sewer Vulnerability (computing)
Point (geometry) Mathematics Multiplication sign Density of states
Point (geometry) Word Word Website Mereology
Cartesian closed category Conditional-access module
Token ring Multiplication sign Set (mathematics) Software framework Reading (process)
Injektivität Category of being Open source Uniqueness quantification Multiplication sign File system Boom (sailing) Cuboid Virtualization Web syndication Bookmark (World Wide Web) Computer programming
Web 2.0 Point (geometry) Category of being Server (computing) Universe (mathematics) 1 (number) Mereology Computer
Web page Scripting language Server (computing) Focus (optics) Open source Code Multiplication sign Source code Mereology Computer Mathematics Software Commitment scheme Flag Self-organization Data structure Quicksort
thank you so hi everyone tonight Stefan
I gonna talk about how to organize CDF and we'll start with a short intro about what CTF is and why you should organize one yourself and then we're going to talk about what kinds of CTF exists and
where the differences are then we'll
talk up but then then we'll go into the things you need you should do and you probably shouldn't do during the organization so it's basically just a lesson to learn from us and finally there will be a Q&A session where you can ask your own questions ok let's
start first short introduction about who we are which definitely at Stefan and me are members of the square roots which is the official CTF team of University of Mannheim and we as a group started
participating in CTF around 2006 and right now we organise to publix etfs and we also organize a workshop each year
where we have two new BCTF so we'll want to teach new interest interested students in the topic and thereby we organize a new BCTF so you might wonder about the name square roots the name
comes basically from the city where we
come from it's Mannheim it's also called quad cottage that in Germans or scarcity and so we took the square and then we took the route from Linux you probably know about what route is or the process of rooting and if you mix it together you have square roots so what is the
city FC t f stands for capture the flag and it's basically an information security competition so the goal is to get as many flex as possible on flex are just sort of string which you can see here and you get them for solving challenges and you can redeem them at the game server for teams for a 4 points for your team so basically the goal is to get as many flex as possible and thereby get as many points as possible and talking about CTFs there are some three big kinds of cgf first is the challenge based server base and mixed
the challenge based CTF usually contains challenges all from all our info SEC so
you have reversing children just where you have for example to reverse engineer and key generation algorithm you have trivia challenges where you have to find things in the internet for example a recent challenge was to find the account number from the bad guy from the hekkus movie and you have trip two challenges where you have to break trip two algorithms and programming challenges where you have two gorillas program so you have to code something that solves a code and so on so just like I said before I'm each shell solve challenge gives you a flag and basically you have those different categories and you just solve them on your own or in a team we when we talk about challenged by CTFU usually they usually take several days and some big examples are DEFCON CTF which is one of the world-famous ETFs I think are the plates ETF when you
participate at CTF us the scoreboard usually looks like this so you have those different categories and you have challenges and the more difficult to challenges are more points you get okay
then there are the server based ETFs where the basic principle is that you have to fight the other teams and at the same time protect your own team or your infrastructure basically it works like this you have network either you are physically at one site or you participate over VPN and each team has the same VM image and so also the same when abilities and so on and then you try kana you try to find the vulnerabilities in your own image and
write exploits and exploit other teams this usually takes some hours because yeah you have to be in the event all the time you can not oh it would be wet if you say for example yeah I go sleep some hours because yeah then you would lose a lot of time some big examples also hear our roots ETF and I CTF I just have
another of you in order to show you the how it works in detail so just a you you have those different teams that's assuming you are team one and during the CTF the game server starts submitting team specific and service specific flags so the teams the game server push those flags those drinks into each of the venerable boxes he does this by arms methods which are programmed into the challengers so for example if you have a burnable service
like an application where you where users can send messages and the vulnerability would be for example SQL injection and in this case the gaming server could push flex by just
simulating a user sending some messages to other users so you have the facts on
all of those machines and you go to your own look at your own for EM find the vulnerabilities fix them in your own system right exploits and basically get the flags from all other systems and then you just submit them to the game server and get point yeah this is
scoreboard from one of our recent CTFs you can see on the there are the different teams and there are offensive points for which you get for attacking other teams and there are definite of points which you get for example fixing a service and yeah and then you also
have her service status overview because the game serve when you push the flags he also checks if the service is intact
if it works as if it behaves just like he should and if it doesn't you also might get some points obstructed because otherwise you just could stop your
service then nobody could attack you but the other side this would be very unfair for the other teams so this is punished by subtracting points from you yeah and last category is the
mixed CTF where you usually have a central infrastructure usually they are on site so you meet with all of the teams in one big area and then you get access to an unknown network and you have to find your way through the network so n that is your friend what you usually first do is use can check what services are running and for example the second wound round could be
that you have to solve a forensic challenge or something like that and usually the third round is something like the king of the hill challenge where you have to get access to one server and have to defend your root shell from the other teams because the other teams all teams are gonna try to get access to this one so ever and if you have root access you have to defend it so no other team can gain root privileges also one example for this kind of CTF is the packet for CTF ok now
you all know what the CTF is and now Stefan will continue telling you why you should organize CTF and some other
details yes so that's a very content of our presentation today so by you why should you organize a CTF in the first made not just take part in one and the idea is to like implement your own ideas you have maybe have four challenges so
that was I think the most drive we got for our first own CTF because we have played so much CGS we had like a good idea of what we how a CTF should look like and like what to do and so we just try that also you it gains you very much
very much knowledge about like about vows ETFs work and stuff so what what's really behind that also you can challenge yourself like to really do something that big I get it running and keep it good for all the players and that that's very good incentive also you can improve communication collaboration with other teams the idea behind us is there are not that many CTF teams out there and you probably get many of them to take part in the cgf and that really connects with them so he had many teams come to us and XA ya a nice you also did one and also had like your input what should we do better and what was good and that stuff also it's like very important to contribute back to the community so we did our chefs at goulash become unit in cuts war and we think it's like a really really good addition to such a venue and to have like a city after and people really enjoyed it that's yeah that's really cool really cool stuff and also it's fun it's fun to do it it's a lot of work but it's fun nonetheless so what goes into a CTF most and for all
commitment and time so making a CTF really takes time and really takes commitment to to get stuff done to keep playing the ball to like look into all the little stuff you have to handle obviously there you have to make challenges because that's the main idea
of playing CTF to like do its challenges you have to have workforce or like people that do stuff you probably don't want to do that alone also you have have to have infrastructure like scoreboard there you can other players can see what their scores how they're compared to the other teams you have to have servers where all the changes one on and you have network stuff to do to get mobile specific awful about that points you
want to change us to be versatile so we had people approaching us after our first to see jeff's and they said well the first one was the challenge based EGF in the second one was it so a bestie GF and everybody said oh we didn't like the server based because they kind of challenges they were not that cool and
I'm not interested in that stuff and yeah really can understand that and you should be as versatile as possible to like get at much people to join you as possible also you want to be unpredictable as an experienced egfp agri you can say you if you have like multiple challenges and they like there's a scheme behind that that you can repeat to get to fix the challenges that's not something you want to have you want to surprise the players you want to want your players to like really get into stuff to like not be obvious about the solution you want to be precise in how you there are like presented challenge you really want to tell the players how you short how they should approach to challenge and what is the target and what is not probably your infrastructure for example is not he doesn't your infrastructure will like here is not that challenge you want to have woods and enforce them that's also very important term because there are some stuff that players can do and probably do if you do not say they shouldn't do because they can and they like the Josie service or they will delete flags from other teams we also had that and that's really not cool that like reduces to fun for everyone and there should also all yeah like enforce
the rules by checking the network and stuff infrastructure so no CTF without without infrastructure you have to keep
in mind your network is attacked or the checks come from within your network so you should really expect the unexpected you really should think about what an attacker can do and what we will do you probably get that experience if you played some cgf yourself you like learn how to think like in the checker and yeah you really want to contain your check so if somebody breaks your service like they're shorter and they have a
shallow something you don't want them to like have really network access or drop their zero days to get root access of stuff so keep your stuff patch for example scoreboard so on the idea behind CTF since like to have a competition between teams and players and you really want to do that with the scoreboard like a list with all the teams and how much points they have select they can see how good they are and how they are progressing with their points there's like a prepared server for depth that's called ctfd that you can use first
jeopardy start CGS so like you just only have to implement your new challenges and you're ready also you want to have backup systems ready so if something breaks and stuff will break you can guess which yet some click do's and don'ts you want to start early because that's like I said it's really much work to do and it takes planning and preparation and stuff and yeah you want to speak with your local on-site over if you like doing is on-site CTF like they provide you with network and in power and stuff as everything is very when you
start you know you don't have to care about at yourself schedule typically looks like this so we have is the start
of planning phase like six months before their actual date they like think about challenges implement stuff and yeah but infrastructure then you have like a fine your chest of the setup that's very important because most of the time stuff don't work at the first time and then there's four server-based CTF there's a team test network stuff going on so if teams are using VPNs to dial in to you you want to test that before so you have like a dbag we am ready for them to chest just connecting to your network that you everybody knows the network is correct and everybody every everything
is ready and you can really concentrate on the cgf and not care about infrastructure keep it simple so um debugging is much easier if stuff is
simple we had incidents in and with our CTFs gives new technology and based everything on that and yeah as it turns out the doctor we used was not that stable as before and server broke down minutes and yeah we have to change the setup while everything was running and that's the whole mess you don't want to do that and also multi-state changes can be frustrating so the simple idea in this regard is um keep the change is
simple you want people to make your figure do the challenge and not really wanted people to I have to figure out every time like what to do and yeah just keep it simple make a single stage so no connection being here I've found that solution and now I need to use that and do another challenge with it so yeah organize the cheap so as I said it takes much time you want to have a team and
you want to have it organized that's may be obvious but you know that's something you should really think about when to start planning stuff and you don't you want to have people at the site when DC GF is running because if something looks down you don't want to have just one guy being on it and everywhere everything
else is unprotected and stuff yeah and test test test that's very important yet you want to check your charges for vulnerabilities as so the
vulnerabilities not the challenge itself we had several times when there was another moon ability in the sewer or something that's not part of the challenge but people will try to abuse that stuff so you really want to check in with dirt and see that it's fixed yeah you want to have somebody else run through challenges you as a developer like have
another view on it you did you created a chance you know what you have to do to get to get a flag but you just want to have someone else not taking part in the organization to test the challenge also test to set up as I said staff will break down and you should really think like in the checker in this regard we frame from last-second changes so two fingers if you do like day before or hours before the CTF is starting and
like oh I have not idea i wont to implement that that really doesn't work out most of the time yourself is probably not tested and you'd most
probably you team does not know about just changes so when something breaks down and some things to be fixed and not everybody knows about the changes you make you have really problem get stuff ready again yeah the last point is getting publicity or so if you do a CTF
it's really only cool if you have enough players taking part so spread the word among other teams most of Kim's really like to take part in other teams CTF so that's really cool get aside for you can post your CTF and that's really everybody knows that side who's doing see jeff's and they will check-in off from the flat side to see if there's new announcements and on-site you maybe want to get it attention of talks or something because you have if you do japanese style or something there are really many players that just don't know
about first but get in last second and as a really last point as a small reminder we have a CTF here at the camp
and that's organized by a stratum of war not a really famous CDF team and it just started like I think about six o'clock and it's really for beginners so if you like what you just hear hurt so really want to look into that yeah and that was it we are ready for questions
we now have about seven minutes for questions there's one mic over there and one mic over there so just queue at the
mics if you want to ask a question I'll just talk to you and then you can speak anybody okay this one to the right thanks for the talk and the inspiration I have a question on tool sets or frameworks that might be available to assist in the creation of the of the CTF like you mentioned the scoreboard kind of thing are there other tools for rolling out the tokens etc that might help creating something like that well most of the time stuff is really home
brune so teams create their stuff themselves most of the time and yeah that's the only like availability available technology that we know about that you can that's very for used for you yeah I think I heard about another tool I'm not true about the name I just free read about it which is specially for server-based ETFs so they have
technology use technologies like virtual box and they you have your challenges or your file system layout for the vm for the boom box p.m. which every participant gets and with one click you can generate all our participant VMs and it will all automatically create an unique team vil boombox vm inject VPN credentials and all this kind of stuff but I'm i am not sure about the name anymore unfortunately thank you like a left please hello semi answer to the previous question legitimate business syndicate open source their previous CTF tools but actual question what's your
favorite category of CTF challenges either to solve or to build what I think everybody has his personal like reference I like personal like very much programming stuff because I tend to have less time for preparing myself so that's really something i'd like to do my personal
favorite category is web probably because growers generally are more TTFN team which is that focused but yeah just like Stefan said I think everyone in our awesome our team has is his fate he saw her favorite category just curious thank you like I said a question yes it is yes hello what's the size of the city FG so how many people are in a normal team well that tends to vary also like if you're doing a challenge base or server based but and how well organized 0 our team for example is like 20 players at next by with the really important CTFs and but can go down to like five people
or free even for smaller ones so also there I know full of people that like are alone and taking part alone and I like really successful with that but yeah okay thank ya just another point I just like chiffon chat it depends very own server based in challenge based I only can say with how it is for us when we have a server-based CTF usually serve ace ETFs are nowadays very rare and but when there is a server-based CTF you really are computer lab at university is full with 20 some 130 people and otherwise the challenge base ETFs they aren't so populated because um yeah maybe I also they are very often and yeah left my place this is another answer to the question before about what resources are there I'm the one you may
have been thinking of is ctfd I would just described as CTF in a can just check it out CTF dao gives you all the structure and resources the question I have is um what's what's the first flag to the camp CTF kind of the flag for the camp CTF yeah can you tell us the answer and no problems ii we shouldn't do that because it would be it would destroy the fun for all of us no that's okay thank you nice try the right my place I'm
actually interested in creating cts for people who are interested in beginning their journey with technology and may not have a really in-depth knowledge of some of the tech that they're using right now do you have any suggestions for how to limit how to limit the the focus of your challenges around that sort of goal well most of the time like the trivia challenges are really like for people not into the techno technology stuff that much yeah but it really depends on on what you want to achieve their like challenges possible changes for every like here for crashing into that stuff so okay now we are almost out of time is there one last question okay go ahead you you told us that there's a few software about helping for for creating CTFs and you told us that you have a bunch of software on your computer do your thought of releasing it well I know of teams that do like open source stuff and that's really cool but it's most of the time not ready for you to care just taken in do you see Jeff or take use it in taking part of a CTF and your our own stuff well the thing is if you're doing a server-based etfs you're like success chance really depends on how much infrastructure and code you have on your hands to do that and well you can imagine that it's unfortunate that we can't open source our stuff because other teams tend to use it and that probably limits our success in caf no I was only talking about the scripts to create cts oil I think he I think we started to open source their changes we had and then something about their infrastructure to deploy it and yeah so as most some teams do that some organizers to that yes so but it's not really ready for use because our time is limited and like yeah commitment tend to go down after the CTF so nobody likes to like clean up the code and stuff so yeah yeah but if you are interested for example in your challengers just go to our github page and look up of first 30 f for example and then you find all the also servers side source code and yeah okay please thank our speakers once
again you


  106 ms - page object


AV-Portal 3.21.3 (19e43a18c8aa08bcbdf3e35b975c18acb737c630)