Capture The Flag (CTF) Competition Overview and Guidelines
"Explore the details of Capture The Flag (CTF) competition architecture, goals, and how to participate. Learn about accessing VM, exploiting services, and competing effectively in CTF events."
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Project CTF CSE 545 Software Security Spring 2017 Yeganeh Safaei Arizona State University http://yeganehsafaei.com
Capture The Flag CTF is an attack-defense hacking competition. Each team is competing against all the other teams. All teams have the same virtual machine with a set of vulnerable services. Each team is responsible for keeping their services running at all time. 2 Yeganeh Safaei, Software Security
CTF Architecture Game Network Vuln VM Vuln VM Vuln VM Router VM 34.223.215.204 Admin Network Scriptbot/ Gamebot Team Interface Score Board 35.161.233.76 34.208.63.112 3 Yeganeh Safaei, Software Security
Flag Each service is associated with a tuple (flagid ,token, flag) Flag id 1015566378 Token 4vCANiiRVvge2UGMA Flag FLG798aHS0P2eQJV 4 Yeganeh Safaei, Software Security
sample_py service exploit 5 Yeganeh Safaei, Software Security
Goal The goal of each team is to find the vulnerability in their local copy of the service and patch their service. Exploiting all the other teams services to get flags. Submitting the acquired flag to the team interface. Running the exploits for every game tick. 6 Yeganeh Safaei, Software Security
Where to begin Login to ictf framework with your team information https://shellweplayagame.org/iCTF2017_rules.html https://ictf.cs.ucsb.edu/ $ pip install ictf Then, from within a python shell, such as iPython, you can run: >>> from ictf import iCTF >>> i = iCTF( http://35.161.233.76/ ) >>> t = i.login( team@example.com , password ) To access your team s VM, use the SSH keys, IP address, and port provided here: >>> key_info = t.get_ssh_keys() The ctf_key is a key with access to the ctf user, and the root_key gives access to the root user. Ip and port refer to the SSH server on your team VM. You ll want to save those keys to files: >>> with open( ctf_key , wb ) as f: f.write(key_info[ ctf_key ]) >>> with open( root_key , wb ) as f: f.write(key_info[ root_key ]) Your hostname and port are provided as well; continuing the above example: >>> print key_info[ ip ] >>> print key_info[ port ] 7 Yeganeh Safaei, Software Security
Access Your VM You can then access the VM: $ ssh -i </path/to/ctf_key> -p <port number> ctf@<the_ip_here> Once logged in, you can run: >>> t.get_service_list() You can use the iCTF client to get a list of teams IP addresses, and the flag ID for the flag you must steal: >>> targets = t.get_targets(<service ID>) Submit flags: >>> t.submit_flag([ FLGxxxxxxx , FLGyyyyyyyyy , FLGzzzzzzzzz]) 8 Yeganeh Safaei, Software Security
Suggestions Lots of tools to automate the exploits pwntools, Use a monitoring tools to check the incoming/outgoing traffic Tcpdump, wireshark, Have your scripts and project ready for the final. 9 Yeganeh Safaei, Software Security
