Capture the Flag (CTF) 101
Capture The Flags (CTFs) are a kind of computer security competition. Teams of competitors (or just individuals) are set up against each other in a test of computer security skills. You, or your team, have to go to the other team’s base and steal their team flag and bring it back to your base for points.
A cybersecurity CTF is a competition type that really took off at DEFCON in 1996, between security professionals and/or students learning about cybersecurity. This competition is used as a learning tool for everyone who is interested in cybersecurity, and it can help sharpen the tools they have learned during their training. In these challenges, the contestant is usually asked to find a specific piece of text that may be hidden on the server, behind a webpage, in an image, etc. The flag comes in different formats but is usually something like flag{ds90f8aufds223f}
Read the following techniques, thought processes, and methodologies in order to succeed in capturing the flag!
Forensics
You need to learn how to recover the digital trail left on a computer. Data can be deleted, not stored, or covertly recorded.
—–
It is important to be familiar with the following Forensics topics:
- File Formats – File extensions and file signatures allow programs to parse the data in a consistent manner. Files can also have hidden data called metadata that can be used to find information about the context of a file’s data. File signatures (also known as File Magic Numbers) are bytes within a file used to identify the format of the file. Generally, they’re 2-4 bytes long, found at the beginning of a file.
- EXIF Data – EXIF data is metadata attached to photos which can include location, time, and device information. ExifTool is a tool that displays the metadata of an input file, including file size, dimensions (width and height), file type, the program used to create it (e.g. Photoshop), and the OS used to create it (e.g. Apple).
- Wireshark & PCAPs – Wireshark is a network protocol analyzer that is often used in CTF challenges to look at recorded network traffic. Wireshark uses a filetype called PCAP to record traffic. PCAPs are often distributed in CTF challenges to provide recorded traffic history.
- Steganography – Steganography is the practice of hiding data in plain sight. It is often embedded in images or audio. Files are made of bytes, and each byte is composed of eight bits. You can modify the least significant bit (LSB) of each byte without changing the file noticeably, and by doing so you can hide a message inside. Some variations of steganography: using different bits or different bit combinations, encoding only in every Nth byte, requiring a password, hiding in different places in the file, and using encryption on top of the steganography.
- Disk Imaging – A forensic image is an electronic copy of a drive (e.g. a hard drive, USB, etc.). It’s a bit-by-bit or bitstream file that’s an exact, unaltered copy of the media being duplicated. Why image a disk? Forensic imaging prevents tampering with the original data evidence, and it allows you to play around with the copy without worrying about messing up the original.
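The file-signature and LSB-steganography ideas above, as an added example that is not part of the original post: the magic-byte table holds real, well-known signatures, while the carrier bytes and the flag value are constructed for the demo.

```python
# Added example (not from the original post): identify a file by its magic
# bytes, then hide and recover a message in the least-significant bits of a
# byte buffer, the way a CTF image-steganography challenge is usually built.
# All sample data below is constructed inline.

MAGIC = {  # signature -> format; only well-known, real file signatures
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"%PDF-": "PDF document",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive (also docx/jar/apk)",
    b"\xd4\xc3\xb2\xa1": "PCAP capture (little-endian)",
}

def identify(data: bytes) -> str:
    """Return the format whose signature matches the start of data,
    ignoring the file extension entirely (extensions lie; magic rarely does)."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"

def lsb_embed(carrier: bytes, message: bytes) -> bytes:
    """Write each bit of message (MSB first) into the LSB of successive
    carrier bytes. Every carrier byte changes by at most 1."""
    bits = [(b >> i) & 1 for b in message for i in range(7, -1, -1)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for message")
    out = bytearray(carrier)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)

def lsb_extract(carrier: bytes, length: int) -> bytes:
    """Rebuild `length` bytes from the LSBs of the carrier, the usual first
    check an analyst runs on a suspicious image."""
    bits = [b & 1 for b in carrier[: length * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

HEADER = b"\x89PNG\r\n\x1a\n"          # real PNG signature
PIXELS = bytes(range(8, 8 + 160))      # constructed "pixel" data, 160 bytes
SECRET = b"flag{lsb}"                  # constructed placeholder flag

def demo() -> tuple:
    hidden = HEADER + lsb_embed(PIXELS, SECRET)   # header untouched, magic still valid
    return identify(hidden), lsb_extract(hidden[len(HEADER):], len(SECRET))
```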
Cryptography
The word “cryptography” technically means the art of writing codes. When it comes to digital forensics, it’s a method you can use to understand how data is constructed for your analysis. Cryptography is used for securing web traffic (passwords, communication, etc.) and securing copyrighted software code. It can be used maliciously by hiding malicious communication or hiding malicious code.
—–
It is important to be familiar with the following Cryptography topics:
- XOR – XOR Encryption is an encryption method used to encrypt data and is hard to crack by the brute-force method, i.e., generating random encryption keys to match with the correct one.
- Caesar Cipher – The Caesar Cipher or Caesar Shift is a cipher that uses the alphabet in order to encode texts.
- Substitution Cipher – A Substitution Cipher is a system of encryption where different symbols substitute for a normal alphabet.
- Vigenère Cipher – A Vigenère Cipher is an extended Caesar Cipher where a message is encrypted using various Caesar-shifted alphabets.
- Hashing Functions – Hashing functions are one-way functions that theoretically provide a unique output for every input. MD5, SHA-1, and other hashes that were considered secure are now found to have collisions, that is, two different pieces of data that produce the same supposedly unique output.
- Block Ciphers – A Block Cipher is an algorithm that is used in conjunction with a cryptosystem in order to package a message into evenly distributed ‘blocks’ which are encrypted one at a time.
- Stream Ciphers – A Stream Cipher is used for symmetric key cryptography, or when the same key is used to encrypt and decrypt data. Stream Ciphers combine a pseudorandom sequence with the bits of plaintext in order to generate ciphertext, usually with XOR.
- RSA (Rivest–Shamir–Adleman) – The RSA algorithm is the basis of a cryptosystem — a suite of cryptographic algorithms that are used for specific security services or purposes — which enables public-key encryption and is widely used to secure sensitive data, particularly when it is being sent over an insecure network such as the internet.
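The Caesar, Vigenère and XOR entries above describe one idea at different alphabets. As an added example that is not part of the original post, the code below implements Vigenère, derives Caesar from it as the one-letter-key case, and shows repeating-key XOR as the byte-level analogue; the plaintext and keys are constructed.

```python
# Added example (not from the original post): a Caesar shift is a Vigenère
# cipher with a one-letter key, and repeating-key XOR is the same scheme on
# bytes, where "add mod 26" becomes "XOR" and the key is its own inverse.
import string

ALPHA = string.ascii_uppercase

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the matching key letter (the key repeats).
    Non-letters pass through unchanged and do not consume a key letter."""
    out, k = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = ALPHA.index(key[k % len(key)].upper())
        if decrypt:
            shift = -shift
        base = ALPHA if ch.isupper() else string.ascii_lowercase
        out.append(base[(base.index(ch) + shift) % 26])
        k += 1
    return "".join(out)

def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    """A Caesar shift is just Vigenère with a single-letter key."""
    return vigenere(text, ALPHA[shift % 26], decrypt)

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

PLAIN = "attack at dawn"   # constructed sample plaintext

def demo() -> dict:
    return {
        "caesar": caesar(PLAIN, 3),                  # 'dwwdfn dw gdzq'
        "vigenere": vigenere(PLAIN, "LEMON"),        # 'lxfopv ef rnhr'
        "xor_roundtrip": xor_bytes(xor_bytes(PLAIN.encode(), b"k3y"), b"k3y").decode(),
    }
```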
Web Exploitation
Every website has different programming languages and those programming languages have specific vulnerabilities. There are issues fundamental to the internet that can show up regardless of the chosen language or framework. These vulnerabilities often show up in CTFs as web security challenges where the user needs to exploit a bug to gain some kind of higher-level privilege.
—–
It is important to be familiar with these Web Exploitation topics:
- SQL Injection – SQL Injection is a vulnerability where an application takes input from a user and doesn’t validate that the user’s input doesn’t contain additional SQL.
- Command Injection – Command Injection is a vulnerability that allows an attacker to submit system commands to a computer running a website. This happens when the application fails to encode user input that goes into a system shell. It is very common to see this vulnerability when a developer uses the system() command or its equivalent in the programming language of the application.
- Directory Traversal – Directory Traversal is a vulnerability where an application takes in user input and uses it in a directory path. Any kind of path controlled by user input that isn’t properly sanitized or properly sandboxed could be vulnerable to directory traversal.
- Cross Site Request Forgery – A Cross Site Request Forgery or CSRF Attack, pronounced “see surf”, is an attack on an authenticated user that uses a state session in order to perform state-changing attacks like a purchase, a transfer of funds, or a change of email address. The entire premise of CSRF is based on session hijacking, usually by injecting malicious elements within a webpage through an <img> tag or an <iframe> where references to external resources are unverified.
- Cross Site Scripting – Cross Site Scripting or XSS is a vulnerability where one user of an application can send JavaScript that is executed by the browser of another user of the same application. This is a vulnerability because JavaScript has a high degree of control over a user’s web browser.
- Server Side Request Forgery – Server Side Request Forgery or SSRF is where an attacker is able to cause a web application to send a request that the attacker defines.
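The SQL Injection and Directory Traversal entries above, as an added example that is not part of the original post: each vulnerable routine sits next to its fixed form, using an in-memory SQLite table and a constructed files root.

```python
# Added example (not from the original post): the SQL-injection and
# directory-traversal bugs described above, each beside the fix.
# The users table and FILES_ROOT are constructed for the demo.
import os
import sqlite3
from typing import Optional

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT, password TEXT)")
db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")

def login_vulnerable(name: str, password: str) -> bool:
    """String-built query: the user's input becomes part of the SQL text,
    so input containing quotes and operators changes the query's logic."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None

def login_fixed(name: str, password: str) -> bool:
    """Parameterised query: input is bound as data and never parsed as SQL."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None

FILES_ROOT = os.path.realpath("/var/www/files")   # constructed document root

def resolve_vulnerable(user_path: str) -> str:
    """Joins the input straight into the path; '..' components walk out of the root."""
    return os.path.normpath(os.path.join(FILES_ROOT, user_path))

def resolve_fixed(user_path: str) -> Optional[str]:
    """Resolves the path, then refuses anything that is no longer under FILES_ROOT."""
    full = os.path.realpath(os.path.join(FILES_ROOT, user_path))
    if os.path.commonpath([FILES_ROOT, full]) != FILES_ROOT:
        return None
    return full

def demo() -> dict:
    # Classic textbook inputs, shown only to contrast the two implementations.
    bad_pw, bad_path = "' OR '1'='1", "../../../etc/passwd"
    return {
        "sqli_vulnerable": login_vulnerable("alice", bad_pw),   # True: bypassed
        "sqli_fixed": login_fixed("alice", bad_pw),             # False: rejected
        "traversal_vulnerable": resolve_vulnerable(bad_path),   # '/etc/passwd'
        "traversal_fixed": resolve_fixed(bad_path),             # None
    }
```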
Reverse Engineering
Reverse Engineering in a CTF is typically the process of taking a compiled (machine code, bytecode) program and converting it back into a more human-readable format. Very often the goal of a reverse engineering challenge is to understand the functionality of a given program such that you can identify deeper issues.
—–
It is important to be familiar with these Reverse Engineering topics:
- Assembly / Machine Code – Machine Code or Assembly is code that has been formatted for direct execution by a CPU. Machine code is the reason why readable programming languages like C, once compiled, cannot simply be reversed back into their original source code.
- The C Programming Language – The C programming language was written by Dennis Ritchie in the 1970s while he was working at Bell Labs. It was first used to reimplement the Unix operating system which was purely written in assembly language. At first, the Unix developers were considering using a language called “B” but because B wasn’t optimized for the target computer, the C language was created.
- Disassemblers – A disassembler is a tool that breaks down a compiled program’s machine code into readable assembly. Some disassemblers are IDA, Binary Ninja, GNU Debugger (GDB), radare2, and Hopper.
- Decompilers – Decompilers do the seemingly impossible and reverse compiled code back into pseudocode/code. IDA offers Hex-Rays, which translates machine code into higher-level pseudocode.
Binary Exploitation
Binaries, or executables, are machine code for a computer to execute. For the most part, the binaries that you will face in CTFs are Linux ELF files or the occasional windows executable. Binary Exploitation is a broad topic within Cyber Security which really comes down to finding a vulnerability in the program and exploiting it to gain control of a shell or modifying the program’s functions.
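Since most CTF binaries are Linux ELF files, an added example (not from the original post) of reading the ELF header with only the standard library: it reports bitness, endianness, architecture, entry point and whether the file is position-independent, which is the first thing to check before loading a target into a disassembler. The 64-byte header in build_sample is constructed by hand, not taken from a real binary.

```python
# Added example (not from the original post): parse an ELF header with struct.
# Field order after the 16-byte e_ident is fixed by the ELF specification:
# type, machine, version, entry, phoff, shoff, flags, ehsize, phentsize,
# phnum, shentsize, shnum, shstrndx.
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN (shared object / PIE)", 4: "CORE"}
E_MACHINE = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64", 243: "RISC-V"}

def parse_elf_header(data: bytes) -> dict:
    if not data.startswith(ELF_MAGIC):
        raise ValueError("not an ELF file")
    is_64 = data[4] == 2          # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    little = data[5] == 1         # EI_DATA:  1 = little-endian, 2 = big-endian
    endian = "<" if little else ">"
    # 64-bit headers use 8-byte entry/phoff/shoff (Q); 32-bit use 4-byte (I).
    fmt = endian + ("HHIQQQIHHHHHH" if is_64 else "HHIIIIIHHHHHH")
    fields = struct.unpack_from(fmt, data, 16)
    e_type, e_machine, _, e_entry = fields[:4]
    return {
        "class": "ELF64" if is_64 else "ELF32",
        "endian": "little" if little else "big",
        "type": E_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown({e_machine})"),
        "entry": e_entry,
        "phnum": fields[9],
        "shnum": fields[11],
    }

def build_sample() -> bytes:
    """Constructed 64-byte ELF64 header for a little-endian x86-64 PIE (e_type=3)."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    return e_ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0x1060, 64, 0x3000,
                                 0, 64, 56, 11, 64, 29, 28)
```

A DYN type on an executable means the binary is PIE and its addresses will be randomised at load time, which matters for the ROP and GOT topics below.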
—–
It is important to be familiar with these Binary Exploitation or “pwn” topics:
- Registers – A register is a location within the processor that is able to store data, much like RAM. Unlike RAM, however, accesses to registers are effectively instantaneous, whereas reads from main memory can take hundreds of CPU cycles to return.
- The Stack – In computer architecture, the stack is a hardware manifestation of the stack data structure (a Last In, First Out queue). The stack is used for a few things: storing function arguments, storing local variables, and storing processor state between function calls.
- Calling Conventions – Calling conventions are used by all programs without the user even realizing it. To be able to call functions, there needs to be an agreed-upon way to pass arguments. If a program is entirely self-contained in a binary, the compiler would be free to decide the calling convention. However, in reality, shared libraries are used so that common code (e.g. libc) can be stored once and dynamically linked into programs that need it, reducing program size.
- Global Offset Table (GOT) – The Global Offset Table (or GOT) is a section inside of programs that holds the addresses of functions that are dynamically linked. As mentioned under Calling Conventions above, most programs don’t include every function they use, to reduce binary size. Instead, common functions (like those in libc) are “linked” into the program so they can be saved once on disk and reused by every program.
- Buffers – A Buffer Overflow is a vulnerability in which data can be written which exceeds the allocated space, allowing an attacker to overwrite other data.
- Return Oriented Programming (ROP) – Return Oriented Programming (or ROP) is the idea of chaining together small snippets of assembly with stack control to cause the program to do more complex things.
- Binary Security – Binary Security is using tools and methods in order to secure programs from being manipulated and exploited. These tools are not infallible, but when used together and implemented properly, they can raise the difficulty of exploitation greatly.
- The Heap – The heap is a place in memory which a program can use to dynamically create objects.
- Format String Vulnerability – A format string vulnerability is a bug where user input is passed as the format argument to printf, scanf, or another function in that family.
CTFs (Why is critical thinking important?)
- The cool thing about CTFs is that they’re always different and surprising. These competitions push you to delve into areas you wouldn’t normally interact with.
- Things change so fast in infosec that practice, and constant learning, is the only way to keep up. To become a skilled professional, you must combine theoretical knowledge with as much practical experience as possible.
- Now take that with critical thinking and problem solving and you will be UNSTOPPABLE!!!
- Going through a CTF benefits you in more ways than one. The experience you gain from the competition helps you in the most practical sense and it always adds points to your resume.
- Joining a CTF proves to current and/or potential employers that you’re curious, committed to continuous improvement, and focused on proactively enhancing your skills.
- Sometimes contestants get so creative that they even surprise CTF organizers!
CTFs show that you are a team player. They enable you to learn by engaging in extracurricular activities. This shows you are proactively using time outside of work hours to learn and build experience in the field.
—–
What happens when critical thinking fails you and you hit a brick wall in a CTF?
- Take a break (walk away, watch a movie, take a nap, read a book, get a drink, etc.)! Seriously!
- Come back to it with a fresh mind and eyes.
- Google things, YouTube, different forums, etc. The answer, or something similar, is out there!
- If you’re not already, join a local DEFCON group and/or 2600 and/or any other cybersecurity group.
- Ask questions! After you have exhausted your research first!!