The document discusses Root the Box, an open-source platform for cybersecurity capture the flag (CTF) competitions. It outlines plans to partner with Georgia Tech Research Institute (GTRI) to host a large CTF event in Atlanta, with the goals of educating 400+ attendees and introducing high school and college students to information security. It also provides an overview of the Root the Box software and resources for training, such as vulnerable practice systems and ongoing online competitions.
2. THE AGENDA
1. Background Information
• Who am I, why CTFs, why are they
important
• What CTFs are and how do they
work
2. Root the Box Vision
• GTRI and RTB joining forces for the
greater good!
3. Root the Box Internals
• How RTB is built, and how you can
work with it
4. Ways to Train
• Some ways that you can up your
CTF and pen-testing game
5. Closing
Not so hidden after all
4. WHO AM I?
• Christopher Grayson
• cegrayson3@gmail.com
• @_lavalamp
• Senior Security Analyst at Bishop
Fox (Pen-Testing FTW)
• MSCS, BSCM from GT
• Former Research Scientist from GT
• Former president, GT hacking club
That guy in the front…
5. WHAT ARE CTFS?
• Broad category, but commonly…
• Safe, controlled environment for
learning how to break into things
and how to defend against
attackers
• Attack and defense vs. just attack
• Can be representative of realistic
scenarios or esoteric challenges
• Intellectually stimulating
Did someone say Team Fortress?
6. WHY AM I HERE TODAY?
• I currently have my dream job
• I‟ve never had to choose
between education and safety
• I had the good fortune of
attending SkyDogCon in 2012
• But the story continues…
Raise a glass to the infosec community
7. WELL, THAT‟S SLIGHTLY COMPLICATED…
• 3 teams at SkyDogCon Duplicity
CTF, got 2nd, 3rd and 4th place
• …out of 4 teams
• Received tickets to Shmoocon
2013, Offensive Security training
• Competed in TOOOL Master
Keying competition
• Received ticket to Shmoocon 2014
Or at least more complicated than one slide
8. LASTLY, WHY ARE YOU HERE?
• We work in the coolest industry.
Period.
• We need more talented
individuals.
• We need safe places to hone
our skills.
• We need your support and
interest to help grow this project.
(Hopefully!)
10. ANATOMY OF A CTF
• Attack and defend
• iCTF, Root the Box
• Solely attack
• CSAW, Hungry Hungry Hackers
• In-Person
• DEF CON, Duplicity CTF
• Online
• Where do I even start…
No guts, no glory
11. ATLANTA‟S LOCAL CTF SCENE
• SECCDC
• Collegiate only, hosted by KSU
• Yearly, usually in Q1
• H3
• High school, collegiate focused, growing to
industry professionals
• Yearly, usually in Q3
• Grey H@t
• Organizing small CTFs, have a team
(cheers Mad H@tters)
• Root the Box…
• That‟s why we‟re here isn‟t it?!
ATL has talent
13. HUNGRY HUNGRY HACKERS
• Started in 2010 by GTRI
• Originally organized by Josh Davis,
now organized by Daniel Lee
• On-site only targeting primarily
collegiate competitors
• Focus on educational aspect
• Regularly 200+ attendees in the
past
Om nom nom
14. THE H3 TEAM
• GTRI IT support and staff
• Josh Davis
• The originator
• Daniel Lee
• The orchestrator
• Winston Messer
• The tech wiz
• Keith Watson
• The Swiss army knife
Bringing the pain
15. AND THEN THERE WAS ROOT THE BOX
• Originally from Chandler, AZ
• High-quality on-site CTF focused on
realistic scenarios
• Built and maintained by moloch
• 2014 will be its 10th competition!
• Geared towards education
• Great software package built for
administering the competition!
And yes, the boxes were rooted
16. ROOT THE SOFTWARE STACK
• Root the Box is written in Python
• Uses SQLAlchemy for back-end
ORM
• Uses Bootstrap CSS and jQuery
on the front-end
• Tornado web server for speedy
service!
A mighty fine stack, at that
17. THE BIG „13
• 2013 marked the first year where
Root the Box took on a
conference approach
• Full speaker series on Friday,
followed by all-day competition
on Saturday
• Lots of attendees, lots of fun
Taking Root the Box to the next level
18. BRINGING IT TO A-TOWN
• For the amount of awesome community and
infosec tech and growth that comes from
Atlanta, it should host the best competition
• Great location for future growth due to
Hartsfield Jackson
• Great foundation by teaming up with GTRI
and H3
• Event space locked down!
• We need a way to educate and inspire the
young and curious about the ethics around
our industry and responsible education – what
better place to do this?
The not-so-dirty South
19. OUR GOALS
• Free to attend
• 400+ attendees, August 22-24
• Three-track conference on Friday night
• Large on-site competition on Saturday
• Award ceremony and closing remarks Sunday
• Introduce high school and college-level students to
the world of infosec
• Heavy emphasis on education – whole educational
track
• Put employers in touch with talented individuals
• Crowd-source challenge generation
How‟s it going to be?
20. CREATING THE CHALLENGES
• Challenge generation comes from
internal sources as well as
sponsors
• Sponsorship includes financial
support as well as challenge
provision
• Challenges are representative of
sought skills
• Put sponsoring organizations in
touch with the properly-skilled
individuals
A whole lot of mutual benefit
21. SPONSOR DETAILS
• Sponsorship levels will be
announced
• Sponsorship guarantees
presence at H3/RTB conference
• Sponsorship allows for the
production of challenges
• Challenges submitted in .ova
format with an accompanying
XML file
In the raw
22. INTERESTED IN BEING A SPONSOR?
• Get in touch with me either after
this talk or later on
• cegrayson3@gmail.com
• Official sponsorship packet will
be put together soon
• Challenge specifications already
compiled!
Because that would be fine like wine
24. WHAT IS THE ROOT THE BOX SOFTWARE?
• The software package used to
administer competitions at Root the
Box
• Open source, distributed under
Apache 2 license
• Takes care of all administrative
aspects of the CTF competition
• Also has game features that can
add interesting twists to your CTF
Wait, did I not go over that yet?
25. ROOT THE BOX INTERNALS
• jQuery
• The Write Less, Do More JavaScript Library
• A library that is what JavaScript should have
been
• Rapid, easy development of front-end
interaction
• Bootstrap.css
• A sleek, intuitive, and powerful mobile first
front-end framework for faster development.
• Lead by Twitter, provides great CSS
functionality so that you don‟t hurt yourself
or those around you trying to write CSS
Business in the front
26. ROOT THE BOX INTERNALS
• Tornado web server
• A Python web framework and
asynchronous networking library […]
that can scale to tens of thousands of
open connections.
• SQLAlchemy
• The Python SQL toolkit and Object
Relational Mapper that gives
application developers the full power
and flexibility of SQL.
Party in the back
27. SOME OTHER COOL PERKS
• Root the Box uses web sockets to update
competitors on competition events in real-time
• CSS 3.0 animations! Unleash the full power of
CSS! …cough cough
• Snazzy front-end visualizations through
graphing libraries
• Has various components that can be turned
off and on to add additional aspects to the
managed game
• Black market
• Botnet
• Vault!
But wait, there‟s more!
28. WHERE CAN I GET THE SOURCE CODE?
• Root the Box is available on
GitHub
• https://github.com/moloch--
/RootTheBox/
• Comes with a detailed README
as well as step-by-step
configuration instructions
• Actively maintained by moloch
Get your hands on the goods!
30. TRAINING GROUNDS
• OpenSecurityTraining can be found
online
• http://opensecuritytraining.info/
• “Is dedicated to sharing training
material for computer security classes,
on any topic, that are at least one day
long.”
• Has free, professional courses on all
matters hacking
• Even has course outlines and pre-
requisites!
OpenSecurityTraining.info
31. TRAINING GROUNDS
• SecurityTube can be found online
• http://www.securitytube.net/
• Large amounts of free videos
created by the site‟s founder
• Aggregation of conference videos
and lectures
• Full primers on lots of different
hacking areas
SecurityTube.net
32. TRAINING GROUNDS
• Corelan can be found online
• https://www.corelan.be/
• In-depth tutorials detailing
exploit-writing and binary
exploitation
• Tons of other educational
resources, primarily focused on
binary and RE topics
Corelan.be
33. TRAINING GROUNDS
• Offensive Security can be found
online
• http://www.offensive-security.com/
• The group that created Backtrack
and Kali Linux distributions
• Training is not free, but the training
you get from their courses is top-
notch and well-managed.
• Has an IRC channel that you can
hang out in!
Offensive-Security.com
34. VULNERABLE IMAGES
• VulnHub can be found online:
• http://vulnhub.com/
• A large repository of software
images that are created solely to be
vulnerable
• Great place to get software
packages to hack on
• Has an IRC channel you can hang
out in!
Stand „em up and knock „em down
35. ONGOING COMPETITIONS
• CTF365 can be found online:
• http://ctf365.com/
• Touts a massive online, persistent
CTF
• CTFTime can be found online:
• https://ctftime.org/
• Keeps track of CTF competitions
worldwide, maintains scores for
teams across different CTFs
It‟s a good day to hack
36. STAND-ALONE CHALLENGES
• We Chall can be found online:
• https://www.wechall.net/
• Is an aggregation site for
individual challenges
• Advertises a total of 133
challenges available
The featherweight class
37. CHAT WITH THE COMMUNITY
• Hang out on Freenode to talk
through challenges and
difficulties you have trouble with.
• #metasploit – Metasploit
developers
• #corelan – Folks from Corelan
team
• #vulnhub – Folks from Vulnhub
team
• #offsec – Folks from Offensive
Security
Don‟t forget to RTFM
39. CTFS ARE IMPORTANT
• Lower the barrier to entry for newcomers
in the infosec field
• Provide safe environments for people to
learn critical skills
• Are intellectually stimulating
• Allow us to teach younger people how to
responsibly conduct themselves while
working with powerful tools and
technologies
• We need more talented people in this
field
It‟s the age of information folks!
40. GTRI + RTB + YOU = AWESOME
• Root the Box and GTRI have had the
same mission but have operated in
different venues up until now
• We‟re teaming up to put on what is
hopefully one of the best on-site CTFs
this world has ever seen
• We‟d love for you to be a part of it
• Mark your calendars for 08/22/14 and
follow @rootthebox for more
information!
I‟m no mathematician, but…
41. WE‟RE LOOKING FOR SUPPORT
• The more support we can
garner, the better this event and
all future events will be
• If you‟re looking to hire infosec
talent, and think that teaming up
with RTB / H3 would be
beneficial, let‟s talk!
Let‟s build something together
42. RESOURCES
• Hopefully I‟ve been able to share
some resources that you have
not heard of before
• I‟ll be posting these slides to the
interwebs within the next week
• Follow me at @_lavalamp for the
link
Back to that whole age of information thing…