Ibrahim M. El-Sayed
CTFs, BugBounty and professional work
$whoami
- Professional work
  - Pentester/RedTeam
  - Security engineer
- Companies
  - EGCert/QCert
  - Secforce Deloitte
  - Facebook
- CTFs
- BugBounty

Outline
- Capture The Flag competitions (CTFs)
- Bug bounty (BB)
- CTFs and Bug bounty vs career
- Questions

Capture The Flag (CTF)
History and Definition
- Definition
  - Ethical hacking competitions where participants are expected to solve computer security challenges
- History
  - 1996, ~24 years ago (Defcon)
  - In 2010 started to become more popular
  - Chaos Computer Club (CCC)
https://www.ccc.de/
https://defcon.org/

Capture The Flag (CTF)
History and Definition
- Duration
  - 24-48 hours (usually over a weekend)
- Team size
  - 4-8 for finals (on-site)
  - Online qualifications

What is the flag?

Capture The Flag (CTF)
History and Definition
- The flag is usually a string of a specific format, e.g.
  - TMCTF[abcdefg12346]
  - DC{abcdefgh123324324}
- But it can be any text as well :) or a combination of strings you will build during the challenge

Capture The Flag (CTF)
Types
- Jeopardy
- Attack and Defence

Capture The Flag (CTF)
Types - Jeopardy
- Categories
  - Pwn - Mobile - Web - Forensics - Reverse engineering - Network
- Each category contains tasks
- Teams get points when they finish a task (get the flag)
- The team with the most points wins the competition
Google CTF
https://twitter.com/internetwache/status/697172252211683328/photo/1

Capture The Flag (CTF)
Jeopardy - Categories
- (Pwn)able
  - A running service, usually written in a native language
  - Flag: usually a file on the system
  - Methodology:
    - Usually the binary is provided
    - Reverse the binary
    - Find a bug
    - Write an exploit

CTFs, Bugbounty and your security career

Capture The Flag (CTF)
Jeopardy - Categories
- Web
  - A web application that you are expected to attack
  - Flag: a file on the system, stored in the DB, or in another user's session
  - Methodology
    - Find a web bug (XSS, RCE, SQLi, etc.)
    - Exploit the bug to read the flag

Capture The Flag (CTF)
Jeopardy - Categories - Web

Capture The Flag (CTF)
Jeopardy - Categories - Reverse Engineering
- An application that has the flag, but you need to understand how it works to make it return the key
  - e.g. enter a password and it returns the flag
- Can be native or a high-level language

Capture The Flag (CTF)
Jeopardy - Categories - Forensics
- Memory dump, disk image, network capture, some file format
- Flag: usually hidden inside the target file
- Methodology
  - Depends on the file type
  - Network: understand what is going on, identify anomalies and try to find the flag
  - Disk image: how data is stored on the drive and how you can restore deleted data
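As an added example (not from the deck), the following Python script shows the organizer/defender side of the two slides above: it turns the two flag formats from the flag slide (TMCTF[...] and DC{...}) into regexes, scans a constructed sample capture for flags that are present verbatim or hidden under base64 (the "hidden inside the target file" case from the forensics slide), and provides the fullmatch check a scoreboard would run on a submission. The flag formats, the sample capture bytes and the function names are all assumptions made for this example.

```python
from __future__ import annotations

import base64
import re

# Flag formats taken from the deck's two examples; a real event defines its own.
FLAG_PATTERNS = [
    re.compile(rb"TMCTF\[[A-Za-z0-9_]+\]"),
    re.compile(rb"DC\{[A-Za-z0-9_]+\}"),
]

# A run of base64 alphabet characters long enough to hide a whole flag.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def find_plain_flags(data: bytes) -> list:
    """Return every flag-shaped string that appears verbatim in data."""
    found = []
    for pat in FLAG_PATTERNS:
        found.extend(m.decode() for m in pat.findall(data))
    return found


def find_base64_flags(data: bytes) -> list:
    """Decode each base64-looking run and scan the decoded bytes for flags."""
    found = []
    for run in B64_RUN.findall(data):
        try:
            # validate=True rejects runs that are not real base64 (bad length/padding).
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        found.extend(find_plain_flags(decoded))
    return found


def find_flags(data: bytes) -> dict:
    """Map each distinct flag found to how it was stored: 'plain' or 'base64'."""
    flags = {}
    for flag in find_plain_flags(data):
        flags.setdefault(flag, "plain")
    for flag in find_base64_flags(data):
        flags.setdefault(flag, "base64")
    return flags


def is_valid_flag(submission: str) -> bool:
    """Scoreboard-side check: accept only a complete flag in a known format."""
    raw = submission.strip().encode()
    return any(pat.fullmatch(raw) for pat in FLAG_PATTERNS)


# Constructed sample "network capture": a few HTTP messages, one flag in the
# clear and one base64-encoded in a header.
SAMPLE_CAPTURE = (
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nX-Note: nothing here\r\n\r\n<html>hello</html>\r\n"
    b"POST /upload HTTP/1.1\r\n\r\nDC{abcdefgh123324324}\r\n"
    b"X-Token: " + base64.b64encode(b"TMCTF[abcdefg12346]") + b"\r\n"
)

if __name__ == "__main__":
    for flag, how in find_flags(SAMPLE_CAPTURE).items():
        print(f"{how:7s} {flag}")
```

The base64 pass deliberately tolerates false candidates: a 17-character run such as the body of the DC{...} flag also matches B64_RUN, fails strict decoding and is skipped, which is why the decode is wrapped rather than the regex tightened.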

Capture The Flag (CTF)
Jeopardy - Categories - Crypto
- Encrypted blob
- Flag: decrypt the blob and you will find the flag
- Methodology
  - Understand how the encryption algorithm

Capture The Flag (CTF)
Categories - Attack-Defence
- Machines running services
- Attackers try to attack the service and defend it
- Points are given for finding the bugs
- Time defending the services
- Each team owns services
  - Defend services
  - Keep services running
  - Attack others
- Standard format

Capture The Flag (CTF)
Categories - Attack-Defence
[Diagram: Team A, Team B and Team C each defend their own machine (Machine A, Machine B, Machine C) and attack the others]

Capture The Flag (CTF)
Categories - Attack-Defence
- King of the hill
  - One or more services
  - Teams attack and then defend the services

Capture The Flag (CTF)
Categories - Attack-Defence
[Diagram: Team A, Team B, Team C and Team D all attack and defend a single Machine A (king of the hill)]

Capture The Flag (CTF)
Categories - Attack-Defence
- Example CTFs
  - Defcon finals
  - TrendMicro finals
  - Arab Cyber Security wargames
  - iCTF
  - RuCTFe

Capture The Flag (CTF)
Arab Cyber Security wargames - mixed
- Style: mixed jeopardy and AD
- Team size: 3 - 5
- Duration: 2 days
- Qualifications and finals
- Attack and defence style: teams attack machines, fix/defend them, and keep the service running and accessible to get points

Capture The Flag (CTF)
TrendMicro - Mixed
- Style: mixed jeopardy and AD
- Team size: 5
- Duration: 2 days
- Attack and defence style: teams attack machines, fix/defend them, and keep the service running and accessible to get points

CTF - Attack and Defence - TM 2017 Finals

Capture The Flag (CTF)
Attack-Defence - TrendMicro
source: https://www.twitter.com/TrendMicroCTF

Capture The Flag (CTF)
What does a good CTF look like?
- No guessing
- Diversity in categories
- Fair scoring
- Stable challenges
- Enough time

Capture The Flag (CTF)
Top Teams
- Top teams (https://ctftime.org/stats/)
  - PPP
  - DragonSector
  - LCBC
  - TrailOfBits
- Top players
  - Geohot
  - Lokihardt
  - Hellman
pwning.net
https://dragonsector.pl/

Capture The Flag (CTF)
QA
- Do I need a team to play CTFs?
- What are the best CTFs?
- How do I start playing CTFs?
- Are they related to real-life work/bugs?
Credits: Word Cloud by Epic Top 10

Bug bounty (BB)
Definition
- Companies allow researchers to test and find bugs in their products, for which they reward them
- Products:
  - Software: web applications
  - Hardware: mobile devices

Bug bounty (BB)
History
- 1995: Netscape
  "Netscape Bugs Bounty", a program that rewards users who help Netscape find and report "bugs" in the beta versions of its recently announced Netscape Navigator 2.0 software

Bug bounty (BB)
History
- 2002: iDefense
  - Cash rewards up to $400
  - Middleman between researcher and software vendor
- 2004: Mozilla
  - Cash from $500
- 2005: Zero Day Initiative
- 2007: Pwn2Own
- 2010: Google for web applications
- 2011: Facebook, BugCrowd
- 2012: PayPal, HackerOne

Bug bounty (BB)
Facebook
- Started in 2011
- Started with a focus on web and mobile applications
- Expanded to all products
- Expanded further to third-party applications and data leaks
- Paid more than $6M in bug bounties
Facebook, Inc. / Public domain

Bug bounty (BB)
Apple
- Covers all their products
- Focuses on hardware, e.g.
  - iPhones
  - Apple Watch
Original: Rob Janoff / Public domain

Bug bounty (BB)
Zero Day Initiative
- Covers any product on the Internet (as long as it has value)
- They act as a middleman between the researcher and the vendor
Trend Micro / Public domain

Bug bounty (BB)
How does it work?
[Flow diagram: Use the product -> Find bugs -> Report to Facebook -> Reproduce the report -> Deduplicate -> Check originality -> Fix -> Reward $$]

Bug bounty (BB)
What does it look like?

Bug bounty (BB)
What is a good BB program?
- Time to triage?
- Time to reward?
- Time to fix?
- Minimum bounty
- Scope

Bug bounty (BB)
Researchers
- Top researchers?
  - How do you know it is a top researcher?
  - What is a top researcher?
    - Number of submissions
    - Signal
    - Creativity

Bug bounty (BB)
Researchers
- Snipers
  - Research
  - Find bugs in a technology
  - Find all BB programs that are affected
Photo by Annie Spratt on Unsplash

Bug bounty (BB)
Researchers
- Top researchers
  - Michał Bentkowski (@SecurityMB)
  - Masato Kinugawa (@kinugawamasato)
  - Orange (@orange_8361)
  - File Descriptor (@filedescriptor)
  - Nicolas Grégoire (@Agarri_FR)
  - Frans Rosén (@fransrosen)

Bug bounty (BB)
Researchers
- Recon masters
  - Write tools to find the scope
  - Find the weakest link
  - Report issues
Photo by Franck V. on Unsplash

Bug bounty (BB)
Researchers
- Top researchers
  - Mark Litchfield (@BugBountyHQ)
  - @NahamSec
  - @thedawgyg

Bug bounty (BB)
QA
- How do I start bug bounty?

Career
Image by Arek Socha from Pixabay

Career
Roles
- Offensive
  - How to break?
    - Identifying vulnerabilities
    - Blackbox
  - How to weaponize?
    - Developing exploits
    - Full stack

Career
Roles - Offensive
- Vulnerability researcher
- Redteam/Pentest
- Exploit developer

Career
Roles
- Defensive
  - How to break?
    - Identifying vulnerabilities
    - Whitebox
    - Writing PoCs
  - How to build securely?
    - Fixing and preventing bugs
    - Designing systems/applications

Career
Roles - Defensive
- Application security engineer
- Network security engineer
- Malware analyst
- Incident response engineer

Career
Roles vs Skillset
Roles:
- Vulnerability researcher
- Redteam/Pentest
- Exploit developer
- App security engineer
- Network security engineer
- Malware analyst
- Incident response engineer
Skills:
- Asset discovery (recon)
- OSINT
- Reverse engineering
- Exploitation
- Forensics
- Code review
- Coding
- System design - Code fixes
- Fuzzing
- Application security (Web - Mobile)

Career
Roles vs CTFs and BB
Vulnerability researcher
- Skills: Code review, Fuzzing, Application security, Reverse engineering
- CTF: Reverse engineering, Web, Pwnable
- BugBounty: Web application security

Career
Roles vs CTFs and BB
Pentest
- Skills: Recon, Application security
- CTF: App security (Web - Mobile)
- BugBounty: Recon, Web/Mobile

Career
Roles vs CTFs and BB
Exploit developer
- Skills: Exploitation, Native security, System design
- CTF: Pwnable, Web
- BugBounty: Native security

Career
Roles vs CTFs and BB
Malware analyst
- Skills: Reverse engineering, Code review, System design, Forensics
- CTF / BugBounty coverage: Reverse engineering, Code review, Forensics, System design - Code fixes

Career
Differences between CTFs and BugBounty
- Real-world challenges (superficial?)
  - CVE-2019-11043 - PHP
    - Andrew Danau from Wallarm (LCBC)
    - Realworld CTF
    - RCE
  - CVE-2019-6690 - python-gnupg
    - Alexander Kjäll and Stig Palmquist
    - Insomnihack

Career
Differences between CTFs and BugBounty
- HITCON CTF 2016
  - 3 zero-days in SugarCRM
  - LCBC, PPP, Cykorkinesis
- CVE-2012-1823 - PHP
  - Endbazen
- Google CTF Finals 2019 - Suidbash
  - https://www.youtube.com/watch?v=-wGtxJ8opa8

Career
Differences between CTFs and BugBounty
- Bug bounty - Exploitation techniques
  - Finding novel ways to exploit bugs => Reward
  - Cross-site Leaks
    - Documented over a decade ago
    - BB hunter exploited it
  - Google Search XSS
  - Owning The Clout Through Server Side Request Forgery

Career
Differences between CTFs and BugBounty
- Reward
  - Bugbounty $$$
Credits to Jericho (CC)

Career
Differences between CTFs and BugBounty
- Reward
  - CTF
Credits to Jericho (CC)
Public Domain (CC)
Sad loser / CC BY-SA

Career
Differences between CTFs and BugBounty
- Experience - Holistic view
  - BugBounty

Career
Differences between CTFs and BugBounty
- Experience
  - CTF
ArnoldReinhold / CC BY-SA
Alan Turing

Summary
Photo by Nathan Dumlao on Unsplash

One last slide
Personal view
Photo by Saketh Garuda on Unsplash

Questions?
