Capture the Flag - CTF

earthing August 05, 2020


CTF’s (capture the flag) are security/hacking competitions that consist of participants attacking, information gathering, reverse engineering, exploiting, and escalation to reach the end goal, a “flag” which is usually found as a string of text.

DEF CON hosts what is the most widely known and first major CTF, occurring annually at the hacking conference in Las Vegas.

Why CTF's?

We all know trying to attack active websites, servers or computer systems is illegal, unless we have permission from the owners. So how do you get practical knowledge and practice with all the theories you read? This is where CTFs become our best friends. The focus areas that CTF competitions tend to measure are vulnerability discovery, exploit creation, toolkit creation, and operational tradecraft. Success in CTF competitions demands that participants be an expert in at least one and ideally all of these areas. Therefore, preparing for and competing in CTF represents a way to efficiently merge discrete disciplines in computer science into a focus on computer security.

What should I focus on?

The difficulty is subjective based on your individual skillset. If your forte is forensics but you are not skilled in crypto, the point values assigned to the forensics problems will seem inflated while the crypto challenges will seem undervalued to you. The same perception biases hold true for CTF organizers. This is one reason why assessing the difficulty of CTF problems is so challenging.

If you’ve tried several of the basic problems on your own and are still struggling, then there are plenty of self-study opportunities. CTF competitions generally focus on the following skills: reverse engineering, cryptography, web vulnerabilities, binary exercises, networking, and forensics. Pick one and focus on a single topic as you get started.

1) Reverse Engineering. I highly suggest that you get a copy of IDA Pro. There is a free version available as well as a discounted student license. Try some crack me exercises. Write your own C code and then reverse the compiled versions. Repeat this process while changing compiler options and program logic. How does an “if” statement differs from a “select” in your compiled binary? I suggest you focus on a single architecture initially: x86, x86_64, or ARM. Read the processor manual for whichever one you choose. Book recommendations include:

2) Cryptography.  Here are some resources to check out:

3) Web vulnerabilities. There are many web programming technologies out there. The most popular in CTF tend to be PHP and SQL. The php.net site is a fantastic language reference. Just search for any function you are curious about. After PHP, the next most common way to see web challenges presented is with Python or Ruby scripts. Notice the overlap of skills? There is a good book on web vulnerabilities, The Web Application Hacker’s Handbook. Other than that, after learning some of the basic techniques, you might also think about gaining expertise in a few of the more popular free tools available. These are occasionally useful in CTF competitions too. This category also frequently overlaps with cryptography in my experience.

4) Binary exercises. I recommend you go through reverse engineering before jumping into the binary exercises. There are a few common vulnerability types you can learn in isolation: stack overflowsheap overflows, and format string bugs for starters. A lot of this is training your mind to recognize vulnerable patterns. Looking at past vulnerabilities is a great way to pick up these patterns. You should also read through:

Where do I find a CTF?

Choose a CTF you intend to play in and come up with a workout schedule in the near future. Below are a few approved CTFs:

  • Backdoor – Security Platform by SDSLabs.
  • Crackmes – Reverse Engineering Challenges
  • Ctfs.me – CTF All the time
  • Defcon CTF- One of the most famous CTF sites where it all started
  • Exploit Exercises – Variety of VMs to learn a variety of computer security issues.
  • Gracker – Binary challenges having a slow learning curve, and write-ups for each level.
  • Hack The Box – Weekly CTFs for all types of security enthusiasts.
  • Hack This Site – A training ground for hackers.
  • Hacking-Lab – Ethical hacking, computer network, and security challenge platform.
  • Hone Your Ninja Skills – Web challenges starting from basic ones.
  • IO – Wargame for binary challenges.
  • Microcorruption – Embedded security CTF
  • Over The Wire – Wargame maintained by OvertheWire Community
  • Pwnable.kr – Pwn Game
  • Pwnable.tw – Binary wargame
  • Pwnable.xyz – Binary Exploitation Wargame
  • Reversin.kr – Reversing challenge
  • Ringzer0Team – Ringzer0 Team Online CTF
  • Root-Me – Hacking and Information Security learning platform.
  • ROP Wargames – ROP Wargames
  • SmashTheStack – A variety of wargames maintained by the SmashTheStack Community.
  • VulnHub – VM-based for practical in digital security, computer application & network administration.
  • W3Challs – A penetration testing training platform, which offers various computer challenges, in various categories.
  • WebHacking – Hacking challenges for the web.
  • WeChall – Always online challenge site.
  • WTHack OnlineCTF – CTF Practice platform for every level of cybersecurity enthusiasts.

CTF Resources

Tools

Bruteforce

Forensics

  • Aircrack-Ng – Crack 802.11 WEP and WPA-PSK keys
  • Audacity – Analyze sound files (mp3, m4a, whatever)

Networking

  • Masscan – Mass IP port scanner, TCP port scanner.
  • Nmap – An open-source utility for network discovery and security auditing. Wireshark – Analyze the network dumps.
  • Zmap – An open-source network scanner.

Reversing

  • Frida – Mobile Dynamic Code Injection
  • Binary Ninja – Binary analysis framework
  • BinUtils – Collection of binary tools
  • BinWalk – Analyze, reverse engineer, and extracting firmware images.
  • PEDA – GDB plugin
  • Plasma – An interactive disassembler for x86/ARM/MIPS which can generate indented pseudo-code with colored syntax.
  • Pwndbg – A GDB plugin that provides a suite of utilities to hack around GDB easily.
  • Detox – A Javascript malware analysis tool
  • Revelo – Analyze obfuscated Javascript code

Steganography

  • Exif – Shows EXIF information in JPEG files
  • Exiftool – Read and write meta information in files
  • Exiv2 – Image metadata manipulation tool
  • ImageMagick – Tool for manipulating images
  • Steganabara – Tool for stegano analysis written in Java
  • Stegbreak – Launches brute-force dictionary attacks on JPG image
  • StegCracker – Steganography brute-force utility to uncover hidden data inside files
  • stegextract – Detect hidden files and text in images
  • Steghide – Hide data in various kind of images
  • Stegsolve – Apply various steganography techniques to images

Web

  • BurpSuite – A graphical tool for testing website security.
  • Commix – Automated All-in-One OS Command Injection and Exploitation Tool.
  • Hackbar – Firefox addon for easy web exploitation
  • OWASP ZAP – Intercepting proxy to replay, debug, and fuzz HTTP requests and responses
  • Postman – Add on for chrome for debugging network requests
  • Raccoon – A high-performance offensive security tool for reconnaissance and vulnerability scanning
  • SQLMap – Automatic SQL injection and database takeover tool

Exploits

Operating Systems

CTF Writeups

  • Hacking Articles- CTF challenge archive, tools, and a lot more maintained by Raj Chander
  • Captf – Dumped CTF challenges and materials by psifertex
  • CTF write-ups (community) – CTF challenges + write-ups archive maintained by the community
  • CTFTime Scrapper – Scraps all writeup from CTF time and organize which to read first
  • Shell Storm – CTF challenge archive maintained by Jonathan Salwan

References

Used references in this article:

https://medium.com/@lakshaybaheti1/capture-the-flag-ctf-50267bae4559

Credits to all the creators listed above for their work

This is an original post by Lakshay Baheti on the old OWASP VITCC Blog.

0 Comments