ESP2012 - Leune CTF


Using Capture the Flag for Teaching and Training

Dr. Kees Leune
CISSP, GCIH, GCFA, OSCP, CISM, CISA

"Copyright Kees Leune, 2012. This work is the intellectual property of the author. Permission is granted for this
material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on
the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise
or to republish requires written permission from the author."
Presentation outline
– Introduction
– Problem statement
– Why CTF?
– Types of CTF
– Developing your own CTF
– Running a CTF
Dr. Kees Leune
– Adjunct Professor
– Information Security Officer
– Open Source Developer
– CISSP Mentor, GIAC Gold adviser
– GCIH, GCFA, CISM, OSCP

Thanks to Ed Skoudis for his feedback and encouragement!


INTRODUCTION
I am an educator and a practitioner.
What are we doing wrong?
• Boring
• Ancient theory
• Little or no practical relevance
• Not technical enough
• Too technical
WHY CTF?
High Impact Pedagogy

Experiential Learning Games

Capture The Flag

An information security Capture The Flag is a simulation of a real-world situation in which participants are given the chance to test and develop their technical skills.
Gamification appeals to geeks, i.e., technical people.

Gamification:
• divides a problem into smaller pieces (challenges, flags)
• measures progress (score)
• creates a sense of accomplishment (rewards, achievements)
• instills a sense of competition (leader board)
• directly applies theory
• is great fun!
Game is not a bad word or something just meant for leisure.

Participating in a simulation sounds better than playing a game.
A well-designed capture-the-flag is a realistic simulation of real-world scenarios which allows the participants to develop and apply a wide range of skills.
TYPES OF CTF
Capture-the-Flag objectives
• Assessment
• Teaching or training
• Proof of concept
• Fun!
CTFs come in many different types.
• Single-user vs. multi-user
• Single targets vs. multiple targets
• Competitive vs. collaborative
• Short and focused vs. long-term
• Local vs. remote
• Defensive, offensive, analytical
CTF-based Teaching and Training
1. Break stuff
2. Figure out why it broke
3. Teach methods to prevent breakage
Some Examples
de-ice.net live CDs
A set of 3 bootable CD images that can be used for self-assessment. The machines test an attacker’s penetration testing skills in a single-user environment.

SANS courses
Very often lecture-style with some exercises throughout the course. On the last day, an individual Capture-The-Flag (or another technical challenge) is used to informally assess newly learned skills.

Offensive Security Certified Professional
An individual remote Capture the Flag is an important factor in the final certification decision.
Netwars
Local or remote CTF that can be played competitively or individually. Used for self-assessment and skill development.

DEVELOPING YOUR OWN CTF

Telling a story

1. Tell the story
2. Decide on simulation model
3. Decide on architecture
4. Build it
5. Decide on scoring
6. Run it
A simulation is like telling a story:

1. Determine the message to communicate
2. Introduce key players
3. Develop a scenario
All stories need a few essential components:
1. A message
“Obey your parents”
2. Characters
“Grandma, bad wolf, hunter, Red Riding Hood”
3. A plot
“Girl doesn’t listen, gets eaten, gets rescued, she lived
happily ever after”
4. Props
“Forest, basket, bed, knife”
Choosing a message is the easy part

Examples:
• Plaintext passwords are bad
• If using SSL, make sure you check the cert path
• XSS really isn’t harmless
• LANMAN is a weak password scheme
Develop your characters
Many weaknesses are introduced by human actors.
The plot describes the anticipated flow of the simulation.

Note: participants often deviate from the plot. Having one ensures that the scenario can be completed.
The props are where the exploitable vulnerabilities are hidden.

• 1 web app
• 1 intranet server
• The domain controller
• 1 Email server
• 3 Workstations in varying degrees of patching
– Adobe Reader, Java Runtime, VLC player
Determining vulnerabilities

Make sure you reflect back on the message you need to tell!

• XSS in the web app can be used for cookie stealing
• SQLi will allow authentication bypass
• Set up a POP client to download email with a password
• Password re-use across multiple systems
• etc.
BUILDING THE ENVIRONMENT
Now that all components are in place, it is time to determine the architecture.
1. local/remote
2. physical/virtual
3. single/multi player
4. competition/collaboration/challenge
5. OS and application platforms
Things to consider:

1. Licensing
2. Isolation
3. Exploitability
4. Performance
5. Analytical capabilities
Review your license terms!

You cannot distribute everything. You may not even be allowed to run it without paying extra.
Isolation is important

“It was just a typo, agent Smith, and I really did not mean to take down that SCADA system…”
Performance may be an issue, especially with virtual environments.

Virtualization is NOT always feasible (it is hard to virtualize appliances).

If assessment is a goal of your CTF, you will need to build visibility into the environment.
[Diagram: example lab architecture. Components: Windows PC, web server, dev server, BackTrack, email server, Linux file server, workstation, and an SSH bastion host, connected through two virtual switches to the campus network.]
RUNNING THE CTF
Operationally, the least interesting phase of the process. Some decisions that need to be made are:
• Credentialing
• Duration of the simulation
• Scoring
• Ongoing maintenance
In a multi-user simulation, decide if participants share credentials, or if they have their own.

While all students have root on the BT5 system in the previous example, they will still log in with a dedicated account from which they elevate with sudo. Syslogs are sent off-network.
Metrics provide an objective assessment of the extent to which the participants complete the challenges.

Distinguish:
• Assessing outcomes (e.g., Netwars)
• Assessing process (e.g., OSCP)
Prevent cheating
• guessing answers
• borrowing artifacts from other players
• brute-forcing
• patching by players
• denial-of-service
• attack the scoring platform itself
• etc.
Have a pre-determined response to deal with bad behavior and publish rules of engagement!
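As an added illustration (not from the presentation) of how a scoring platform can counter three items on the list above, guessing answers, brute-forcing, and borrowing flags from other players, here is a small Python flag checker that derives a distinct flag per participant and rate-limits wrong submissions; the secret, challenge catalogue, limits and participant names are constructed values.

```python
import hashlib
import hmac
import time
from collections import defaultdict

SERVER_SECRET = b"constructed-demo-secret"  # constructed; keep a real one out of the code
CHALLENGES = {"xss-cookie-theft": 100, "sqli-auth-bypass": 150}  # hypothetical catalogue
MAX_WRONG_PER_WINDOW = 5  # wrong submissions tolerated per participant per window
WINDOW_SECONDS = 300

def flag_for(participant, challenge):
    """Derive the flag a participant must find for a challenge. Flags are
    keyed per participant, so a flag copied from another player does not
    score, and guessing one is infeasible."""
    msg = f"{participant}:{challenge}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]
    return f"FLAG{{{tag}}}"

class Scoreboard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.solved = defaultdict(set)   # participant -> solved challenge ids
        self.wrong = defaultdict(list)   # participant -> times of wrong submissions
        self.log = []                    # audit trail: assess process, not only outcome

    def submit(self, participant, challenge, submitted):
        now = self.clock()
        # Drop wrong submissions that fell out of the window, then rate-limit.
        recent = [t for t in self.wrong[participant] if now - t < WINDOW_SECONDS]
        self.wrong[participant] = recent
        if len(recent) >= MAX_WRONG_PER_WINDOW:
            self.log.append((now, participant, challenge, "rate-limited"))
            return "rate-limited"
        if challenge not in CHALLENGES:
            return "unknown-challenge"
        if challenge in self.solved[participant]:
            return "already-solved"
        expected = flag_for(participant, challenge).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            self.solved[participant].add(challenge)
            self.log.append((now, participant, challenge, "solved"))
            return "correct"
        self.wrong[participant].append(now)
        self.log.append((now, participant, challenge, "wrong"))
        return "wrong"

    def score(self, participant):
        return sum(CHALLENGES[c] for c in self.solved[participant])
```

The per-participant flag also makes the flag an artifact that has to be recovered from that participant's own instance, so the audit log can be used to assess process as well as outcome.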
Stuff will break

Our tricks will often break the environment. Do preventive maintenance.
SUMMARY
CTF is a high-impact practice that focuses on experiential
learning. By letting participants work through a realistic scenario,
they can develop skills, assess weaknesses, and be ready for
unexpected situations.
Building a CTF is like telling a story. We need a message, cast, a
plot, and props. Once the story is ready, we can start designing
and building the environment.
When the environment is complete, the simulation can be run.
Running a simulation requires ongoing maintenance and a well thought-out scoring method.
Questions?

Email: [email protected]
Twitter: @leune
Blog: www.leune.org