Proposal: Security training and eventual CTF - Security & Cryptography

Users browsing this thread: 10 Guest(s)
Long time nixers
It would be interesting to set up a few capture the flag tournaments(CTF) in a few months with training sessions leading up to the tournaments. UnixHub would be a great base to try this with enthusiastic members who have a great mix of experience providing excellent collaborative potential.

So my proposal is as follows:


Not every member at UnixHub will be versed in information security but I have a feeling almost every member would be interested in learning a thing or two about the 'darker' side of computer geekery that is hacking or penetration testing. Due to this it would be cool to run a few training sessions which could start at the basics and work it's way forward slowly to prepare everyone with a few skills which may be utilised in the competitions to come.

This would involve:
  • A monthly task with one or more aspects to it.
  • The aspects could vary in difficulty to keep the more experienced members entertained while give a more challenging goal to the less experienced members if they want to push themselves.
  • The tasks would provide interesting relevant topics for people to discuss amongst each other on the forums whether they want to collaborate or just ask for tips.
  • I'd like assume directly telling other members the answer would be frowned upon, this is a learning process after all.
  • A progression around many different parts of a penetration ranging from scanning techniques to web application to pivoting through compromised machines.

Capture the Flag

Assuming the tasks would be monthly, if each task had significant depth it would be safe to assume within roughly 6 months members would have a developed enough base knowledge to perform a full hack of their own but leave enough unknown for it not to be trivial.

I am not quite sure how we would structure the CTF yet so this section will remain open to suggestions over the months if this idea comes to fruition. To my knowledge there are a few different types of CTF which could be done.

Challenges and Benefits

Obviously this idea isn't without it's challenges and it isn't entirely selfless on my behalf.
  • Firstly we would need some sort of server space to perform anything mentioned here which I don't have access to and so would need to acquire this in some way.
  • Secondly I am definitely not skilled in setting these kind of systems up, I've focused most of my learning on the breaking of things rather than setting them up in the first place. I would need experienced assistance in setting everything up which will provide a learning experience for me.

Other than that, this could provide a learning experience or at least some fun for anyone interested in security. Anyone more interested in the system admin side could also learn the do's and don'ts helping setting up the tasks/CTF if they don't want to get into the attacking side.

Finally, sorry about the layout of this, tried to put things in sections and then just waffled in each of them.

Lets hear comments, suggestions, feedback in any sense!

If anyone can provide what is needed in terms of consulting or helping with the systems for the tasks/CTF. The structure for both is up for grabs at the moment so any input is great.

Thanks, Derby.
Long time nixers
I think this is a wonderful ideas, great post! I would be willing to lend my server out for this. I would be willing to sign a contract stating I gave permission to penetrate my system etc like they do when you pay someone to pen test your systems.
If everything is well monitored then why not.
On the other hand, everyone here is pretty busy so we should plan everything before hand so it fits our schedule.
Long time nixers
I would most defiantly join!

It would be kinda cool to have a Knights Code of Condcut that we all abide by and that we all sign. Also we could have cool nicknames :D
The world is quaking from our Linux Thoughts!
Long time nixers
The point of the training is for people who don't know about this stuff NeoTerra! All you need is a willingness to learn ;)

Edit - It's also far from organised, it's just an idea yet. I'm going to need a lot of help to organise it properly.
Long time nixers
(23-09-2013, 03:58 PM)shix Wrote: I don't know how to do this. :(
I guess that's the point behind all this - most of us do not know!
Long time nixers
I know barely anything about security but if people would be willing to allow me in (slightly confused as to who this is aimed at, people like me or people who at least know a bit?), but if it's the former, or both, I'd love to.
I'd be extremely interested in this. Great idea, Derby.
Klan9 > Plan9! (H0pe)
Grey Hair Nixers
Hehe, why not!
Long time nixers
This is aimed at everyone, whether you know nothing or are a full blown security researcher.

It will be great to get a mix so people can teach others throughout it too. Spread the knowledge!
Long time nixers
I should point out, while I'm thinking about it, that if we do use someones server we would do the utmost to separate the hacking-space from the server's actual space. I'm sure someone will know of a way to make this possible.
Long time nixers
Quote:Sounds like a job for a FreeBSD jail.
Or KVM. VPS are cheap these days. But I like this idea even more the more I think about it. :)
Long time nixers
I'm glad you like the idea shtols, KVM would be good to look at, you say?
Grey Hair Nixers
(23-09-2013, 08:21 PM)NeoTerra Wrote:
(23-09-2013, 08:08 PM)Derby Wrote: I should point out, while I'm thinking about it, that if we do use someones server we would do the utmost to separate the hacking-space from the server's actual space. I'm sure someone will know of a way to make this possible.

Sounds like a job for a FreeBSD jail.

Not if I can break out of the jail :)
Long time nixers
Quote:I'm glad you like the idea shtols, KVM would be good to look at, you say?
Virtualization in general. But I'm by far no expert on that subject.
Long time nixers
(24-09-2013, 10:32 AM)shtols Wrote: Virtualization in general. But I'm by far no expert on that subject.

I was thinking of some virtualisation to have software separation. It's going to require some reading or someone knowledgable to be able to help do this I think.
Long time nixers
I like the idea.
Perhaps we could take up a collection to separate the serious participants from the flakes? Buy in for a cheap price like $5. (USD) or something? Use the funds to pay for hosting?

Or if someone has server space as Kopri mentioned, then use the funds for UH administration purposes?

I'd be willing to pay as well as agree to specific terms in order to protect the host.
Long time nixers
Yeah I would be willing to take my server out from behind NAT and poke a few holes in my security. I would need everyones IP address so I can blacklist EVERYONE but you guys since I don't want someone with ill intent to gain access to my box.

My idea of this is for instance I'm running a lighttpd webserver. They have a hidden dir that requires a user password once you have that you can see that stats page, and more devious things. I would have re setup the webserver so it's not chrooted since I doubt anyone has a privilege escalation hack up their sleeve.
Hans Hackett
;-) Very interested. Hehe
Long time nixers
I haven't forgotten about this or given up, I've had a situation IRL requiring a lot of time at the moment.

I am still very interested in this idea and wouldn't mind a few people, along with kopri (thanks for the support so far), helping out on the setting up! :)
Grey Hair Nixers
Really great idea! Even if I have no idea on what to do, I'd love to see how it goes, have people saying what they did and how. To all hackers here, is that possible to get a post about that when it will be over?
Long time nixers
Yeah it would be cool to give solutions once the task is finished. Explain the different aspects that could have been used during the task for anyone that may have missed something.

It would also be a good way to learn, the whole point is to allow people who may not know much about it to join in with a bit of reading.

Some websites such as do it very well already and have a good ethos around learning and developing knowledge and skills in the area.
Long time nixers
I'm in :>
I would be very interested in this. I don't think I have the necessary skill sets, aside from talking to a few pen-testers at work. I'll put my learning hat on.
Long time nixers
I totally forgot about this! I am glad no one started with out me!!
The world is quaking from our Linux Thoughts!
For years, the Capture the Flag platform has been a common and very popular part of the hacker convention scene. Teams come from all over the world to show their skill and technique in various competitions.
Long time nixers