Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Root the Box - An Open Source Platform for CTF Administration

4,645 views

Published on

These are the slides presented at Outerz0ne conference in 2014. The contents detail CTF competitions, the Root the Box software platform and competition, and resources for sharpening your CTF and penetration testing skills!

Published in: Internet

Root the Box - An Open Source Platform for CTF Administration

  1. 1. ROOT THE BOX AN OPEN-SOURCE PLATFORM FOR CTF COMPETITIONS
  2. 2. THE AGENDA 1. Background Information • Who am I, why CTFs, why are they important • What CTFs are and how do they work 2. Root the Box Vision • GTRI and RTB joining forces for the greater good! 3. Root the Box Internals • How RTB is built, and how you can work with it 4. Ways to Train • Some ways that you can up your CTF and pen-testing game 5. Closing Not so hidden after all
  3. 3. BACKGROUND INFORMATION LAYIN‟ SOME GROUNDWORK
  4. 4. WHO AM I? • Christopher Grayson • cegrayson3@gmail.com • @_lavalamp • Senior Security Analyst at Bishop Fox (Pen-Testing FTW) • MSCS, BSCM from GT • Former Research Scientist from GT • Former president, GT hacking club That guy in the front…
  5. 5. WHAT ARE CTFS? • Broad category, but commonly… • Safe, controlled environment for learning how to break into things and how to defend against attackers • Attack and defense vs. just attack • Can be representative of realistic scenarios or esoteric challenges • Intellectually stimulating Did someone say Team Fortress?
  6. 6. WHY AM I HERE TODAY? • I currently have my dream job • I‟ve never had to choose between education and safety • I had the good fortune of attending SkyDogCon in 2012 • But the story continues… Raise a glass to the infosec community
  7. 7. WELL, THAT‟S SLIGHTLY COMPLICATED… • 3 teams at SkyDogCon Duplicity CTF, got 2nd, 3rd and 4th place • …out of 4 teams • Received tickets to Shmoocon 2013, Offensive Security training • Competed in TOOOL Master Keying competition • Received ticket to Shmoocon 2014 Or at least more complicated than one slide
  8. 8. LASTLY, WHY ARE YOU HERE? • We work in the coolest industry. Period. • We need more talented individuals. • We need safe places to hone our skills. • We need your support and interest to help grow this project. (Hopefully!)
  9. 9. HOW „BOUT THOSE COMPETITIONS?! LET‟S CAPTURE SOME FLAGS
  10. 10. ANATOMY OF A CTF • Attack and defend • iCTF, Root the Box • Solely attack • CSAW, Hungry Hungry Hackers • In-Person • DEF CON, Duplicity CTF • Online • Where do I even start… No guts, no glory
  11. 11. ATLANTA‟S LOCAL CTF SCENE • SECCDC • Collegiate only, hosted by KSU • Yearly, usually in Q1 • H3 • High school, collegiate focused, growing to industry professionals • Yearly, usually in Q3 • Grey H@t • Organizing small CTFs, have a team (cheers Mad H@tters) • Root the Box… • That‟s why we‟re here isn‟t it?! ATL has talent
  12. 12. THE VISION PLAYING THE LONG GAME
  13. 13. HUNGRY HUNGRY HACKERS • Started in 2010 by GTRI • Originally organized by Josh Davis, now organized by Daniel Lee • On-site only targeting primarily collegiate competitors • Focus on educational aspect • Regularly 200+ attendees in the past Om nom nom
  14. 14. THE H3 TEAM • GTRI IT support and staff • Josh Davis • The originator • Daniel Lee • The orchestrator • Winston Messer • The tech wiz • Keith Watson • The Swiss army knife Bringing the pain
  15. 15. AND THEN THERE WAS ROOT THE BOX • Originally from Chandler, AZ • High-quality on-site CTF focused on realistic scenarios • Built and maintained by moloch • 2014 will be its 10th competition! • Geared towards education • Great software package built for administering the competition! And yes, the boxes were rooted
  16. 16. ROOT THE SOFTWARE STACK • Root the Box is written in Python • Uses SQLAlchemy for back-end ORM • Uses Bootstrap CSS and jQuery on the front-end • Tornado web server for speedy service! A mighty fine stack, at that
  17. 17. THE BIG „13 • 2013 marked the first year where Root the Box took on a conference approach • Full speaker series on Friday, followed by all-day competition on Saturday • Lots of attendees, lots of fun Taking Root the Box to the next level
  18. 18. BRINGING IT TO A-TOWN • For the amount of awesome community and infosec tech and growth that comes from Atlanta, it should host the best competition • Great location for future growth due to Hartsfield Jackson • Great foundation by teaming up with GTRI and H3 • Event space locked down! • We need a way to educate and inspire the young and curious about the ethics around our industry and responsible education – what better place to do this? The not-so-dirty South
  19. 19. OUR GOALS • Free to attend • 400+ attendees, August 22-24 • Three-track conference on Friday night • Large on-site competition on Saturday • Award ceremony and closing remarks Sunday • Introduce high school and college-level students to the world of infosec • Heavy emphasis on education – whole educational track • Put employers in touch with talented individuals • Crowd-source challenge generation How‟s it going to be?
  20. 20. CREATING THE CHALLENGES • Challenge generation comes from internal sources as well as sponsors • Sponsorship includes financial support as well as challenge provision • Challenges are representative of sought skills • Put sponsoring organizations in touch with the properly-skilled individuals A whole lot of mutual benefit
  21. 21. SPONSOR DETAILS • Sponsorship levels will be announced • Sponsorship guarantees presence at H3/RTB conference • Sponsorship allows for the production of challenges • Challenges submitted in .ova format with an accompanying XML file In the raw
  22. 22. INTERESTED IN BEING A SPONSOR? • Get in touch with me either after this talk or later on • cegrayson3@gmail.com • Official sponsorship packet will be put together soon • Challenge specifications already compiled! Because that would be fine like wine
  23. 23. BACK INTO THAT SOFTWARE STACK TIME TO NERD OUT
  24. 24. WHAT IS THE ROOT THE BOX SOFTWARE? • The software package used to administer competitions at Root the Box • Open source, distributed under Apache 2 license • Takes care of all administrative aspects of the CTF competition • Also has game features that can add interesting twists to your CTF Wait, did I not go over that yet?
  25. 25. ROOT THE BOX INTERNALS • jQuery • The Write Less, Do More JavaScript Library • A library that is what JavaScript should have been • Rapid, easy development of front-end interaction • Bootstrap.css • A sleek, intuitive, and powerful mobile first front-end framework for faster development. • Lead by Twitter, provides great CSS functionality so that you don‟t hurt yourself or those around you trying to write CSS Business in the front
  26. 26. ROOT THE BOX INTERNALS • Tornado web server • A Python web framework and asynchronous networking library […] that can scale to tens of thousands of open connections. • SQLAlchemy • The Python SQL toolkit and Object Relational Mapper that gives application developers the full power and flexibility of SQL. Party in the back
  27. 27. SOME OTHER COOL PERKS • Root the Box uses web sockets to update competitors on competition events in real-time • CSS 3.0 animations! Unleash the full power of CSS! …cough cough • Snazzy front-end visualizations through graphing libraries • Has various components that can be turned off and on to add additional aspects to the managed game • Black market • Botnet • Vault! But wait, there‟s more!
  28. 28. WHERE CAN I GET THE SOURCE CODE? • Root the Box is available on GitHub • https://github.com/moloch-- /RootTheBox/ • Comes with a detailed README as well as step-by-step configuration instructions • Actively maintained by moloch Get your hands on the goods!
  29. 29. PREP AND PARTICIPATE PUT ON YOUR HARD HATS LADIES AND GENTLEMEN
  30. 30. TRAINING GROUNDS • OpenSecurityTraining can be found online • http://opensecuritytraining.info/ • “Is dedicated to sharing training material for computer security classes, on any topic, that are at least one day long.” • Has free, professional courses on all matters hacking • Even has course outlines and pre- requisites! OpenSecurityTraining.info
  31. 31. TRAINING GROUNDS • SecurityTube can be found online • http://www.securitytube.net/ • Large amounts of free videos created by the site‟s founder • Aggregation of conference videos and lectures • Full primers on lots of different hacking areas SecurityTube.net
  32. 32. TRAINING GROUNDS • Corelan can be found online • https://www.corelan.be/ • In-depth tutorials detailing exploit-writing and binary exploitation • Tons of other educational resources, primarily focused on binary and RE topics Corelan.be
  33. 33. TRAINING GROUNDS • Offensive Security can be found online • http://www.offensive-security.com/ • The group that created Backtrack and Kali Linux distributions • Training is not free, but the training you get from their courses is top- notch and well-managed. • Has an IRC channel that you can hang out in! Offensive-Security.com
  34. 34. VULNERABLE IMAGES • VulnHub can be found online: • http://vulnhub.com/ • A large repository of software images that are created solely to be vulnerable • Great place to get software packages to hack on • Has an IRC channel you can hang out in! Stand „em up and knock „em down
  35. 35. ONGOING COMPETITIONS • CTF365 can be found online: • http://ctf365.com/ • Touts a massive online, persistent CTF • CTFTime can be found online: • https://ctftime.org/ • Keeps track of CTF competitions worldwide, maintains scores for teams across different CTFs It‟s a good day to hack
  36. 36. STAND-ALONE CHALLENGES • We Chall can be found online: • https://www.wechall.net/ • Is an aggregation site for individual challenges • Advertises a total of 133 challenges available The featherweight class
  37. 37. CHAT WITH THE COMMUNITY • Hang out on Freenode to talk through challenges and difficulties you have trouble with. • #metasploit – Metasploit developers • #corelan – Folks from Corelan team • #vulnhub – Folks from Vulnhub team • #offsec – Folks from Offensive Security Don‟t forget to RTFM
  38. 38. RECAP WE ALL NEED SOME CLOSURE
  39. 39. CTFS ARE IMPORTANT • Lower the barrier to entry for newcomers in the infosec field • Provide safe environments for people to learn critical skills • Are intellectually stimulating • Allow us to teach younger people how to responsibly conduct themselves while working with powerful tools and technologies • We need more talented people in this field It‟s the age of information folks!
  40. 40. GTRI + RTB + YOU = AWESOME • Root the Box and GTRI have had the same mission but have operated in different venues up until now • We‟re teaming up to put on what is hopefully one of the best on-site CTFs this world has ever seen • We‟d love for you to be a part of it • Mark your calendars for 08/22/14 and follow @rootthebox for more information! I‟m no mathematician, but…
  41. 41. WE‟RE LOOKING FOR SUPPORT • The more support we can garner, the better this event and all future events will be • If you‟re looking to hire infosec talent, and think that teaming up with RTB / H3 would be beneficial, let‟s talk! Let‟s build something together
  42. 42. RESOURCES • Hopefully I‟ve been able to share some resources that you have not heard of before • I‟ll be posting these slides to the interwebs within the next week • Follow me at @_lavalamp for the link Back to that whole age of information thing…
  43. 43. AND NOW FOR SOME Q&A GIMME SOME TLC?
  44. 44. REFERENCES A DIGITAL GOODIE-BAG
  45. 45. GTRI Hungry Hungry Hackers / H3 • http://www.hungryhungryhackers.org/ Root the Box Competition • http://root-the-box.com/ Root the Box on GitHub • https://github.com/moloch--/RootTheBox/ Moloch on GitHub • https://github.com/moloch--/ SQLAlchemy • http://www.sqlalchemy.org/ Tornado Web Server • http://www.tornadoweb.org/en/stable/ Bootstrap CSS • http://getbootstrap.com/css/ jQuery • http://jquery.com/ OpenSecurityTraining • http://opensecuritytraining.info/ SecurityTube • http://www.securitytube.net/ Corelan • https://www.corelan.be/ Offensive Security • http://www.offensive-security.com/ Vulnhub • http://vulnhub.com/ CTF365 • http://ctf365.com/
  46. 46. CTFTime • https://ctftime.org/ WeChall • https://www.wechall.net
  47. 47. THANK YOU! Christopher Grayson cegrayson3@gmail.com @_lavalamp

×