Your Intro to Capture The Flag (CTF)

April 17, 2018 | Views: 7531


Welcome, to any enthusiastic cybrarian viewing this.

I am a high school senior and my entire senior project is based on the world of CTF. In the following article, I will be translating the first section of my senior project documentation for everyone interested in getting a better understanding of CTF.

1.1. Introduction

CTF – An acronym for “Capture The Flag”. The term is widely used to classify a specific type of game in many different fields: video games, board games or, as in our case, cybersecurity. The rules are similar regardless of the field the game is played in: there is a territory that has to be infiltrated and objects that need to be captured while fighting against the opposition or competition of another team. The Ancient Romans used a board game version of CTF games to train their children in war strategy and battle formations. In 2007 the US Army created the US Scouting Service Project, which tackles hypothetical scouting missions in a sandboxed environment. Adapting these games to the field of information security lets us practice our practical skills without waiting for a real work scenario to appear and without partaking in illegal actions to hone our knowledge.

CTF competitions are a powerful tool not only for security specialists to train for possible work-related situations but also for students. The themed, engaging presentation of CTFs, combined with flexible levels of difficulty, makes these challenges perfect for security enthusiasts of all calibers, even the smallest ones among us. In the same way that embedded specialists motivate children of all ages to get involved in robotics, we, the security specialists, must take responsibility for creating an army of cyber-security ninja kids.


1.2. Types of CTF competitions

Jeopardy – In this type of competition there is a set number of tasks (challenges) of different types: web, crypto, binary, forensic, etc. Each task awards the player who solves it a number of points that depends on its difficulty. Tasks can be arranged in so-called “chains”, meaning that a player must solve one challenge to unlock the next. At the end of the game, which is usually defined by a time limit, the team that scored the most points is victorious. Examples of such competitions include Hack the Nexus, DEFCON Quals, Kaspersky Industrial, SECCON and HITCON.

Attack-Defense – Each team has its own Vulnbox, which is essentially a system with security vulnerabilities. Each team has time to patch its own system while developing exploits for the enemy system. When the game starts, the teams use exploits against each other while protecting their own systems in order to “steal” flags from the enemy team.

Mixed – Any combination of the two types above is considered a mixed competition. There can be an attack-defense competition with a few jeopardy tasks set as bonuses, or a jeopardy competition with a global task that includes an attack-defense dynamic.

1.3.  Types of CTF tasks

Reverse Engineering – The point of reverse engineering is to gain new information about, and understanding of, a technology by disassembling it into its base parts. Initially, RE was only used on hardware, but it has since evolved to be applicable to software, databases and even DNA analysis.

PWN (Binary) – The objective of PWN challenges is for the player to acquire access to a target system without the system administrator’s permission. The targets can be personal computers, servers, websites, networking devices or applications.

Web – Web challenges include a wide range of things but the essence is analyzing a website to gain information. You can analyze the web site’s source code, the hierarchy of the directories and all the functioning ports.

Crypto – Cryptographic challenges are mostly defined by giving the players a sample of encrypted information. The player has to decrypt it in order to acquire a flag or a clue to the next step of the competition.

Stegano – Steganography is the art of hiding a secret string of text, image, video or audio file inside a different file of the same kind. Stegano challenges usually consist of an image that contains nothing interesting at first sight. The image actually contains the flag of the challenge, but to acquire it the player has to run the image through filters and algorithms. There have even been steganographic challenges that feature a 3D model the player has to add a light source over to be able to see the flag.


Misc – All challenges that can’t be classified within the categories above are put under “miscellaneous”. An example of such a challenge was the Sochi 2014 CTF Olympic. The players were given 5 different character strings. The challenge at first looked like a cryptographic challenge but was, in fact, a fun and simple keyboard mapping exercise. Children are proven to solve this challenge faster than most grown-ups:

43wdxz —> S

4edcvgt5 —> O

65rdcvb —> C

6tfcgh8uhb —> H

9ijn —> I
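
How the strings above turn into letters, as an added example that is not part of the original article: each string names keys that trace the letter's shape on a keyboard. The row layout and the one-column-per-row stagger are assumptions about a standard US QWERTY keyboard.

```python
# Added example: draw the shape traced by each challenge string on a
# QWERTY keyboard. Layout and stagger are assumed (standard US keyboard).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Strings and answers as listed in the article.
CHALLENGE = {
    "43wdxz": "S",
    "4edcvgt5": "O",
    "65rdcvb": "C",
    "6tfcgh8uhb": "H",
    "9ijn": "I",
}


def key_positions():
    """Map every key to (row, x); each lower row shifts one column right."""
    return {
        ch: (r, 2 * c + r)
        for r, row in enumerate(ROWS)
        for c, ch in enumerate(row)
    }


def trace(keys):
    """Return the keyboard as text rows: '#' = pressed key, '.' = other key."""
    pos = key_positions()
    unknown = sorted({k for k in keys.lower() if k not in pos})
    if unknown:
        raise ValueError(f"keys not on the assumed layout: {unknown}")
    pressed = {pos[k] for k in keys.lower()}
    width = max(x for _, x in pos.values()) + 1
    grid = []
    for r, row in enumerate(ROWS):
        line = [" "] * width
        for c in range(len(row)):
            x = 2 * c + r
            line[x] = "#" if (r, x) in pressed else "."
        grid.append("".join(line).rstrip())
    return grid


if __name__ == "__main__":
    for keys, letter in CHALLENGE.items():
        print(f"{keys} -> {letter}")
        print("\n".join(trace(keys)), end="\n\n")
```
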

Thank you for your attention. If enough people want me to, I will take the time to translate the next segment, which covers hosting your CTF competition with the RootTheBox framework.

Also here, have some useful learning sources:

  1. CTF Time:  https://ctftime.org/ctf-wtf/
  2. Root The Box: http://root-the-box.com/
  3. Installation guide RtB: https://github.com/moloch--/RootTheBox/wiki/Installation
  4. List CTF frameworks: https://github.com/apsdehal/awesome-ctf/blob/master/README.md
  5. Hosting a hacking challenge article: https://events.ccc.de/congress/2005/fahrplan/attachments/562-Paper_HostingAHackingChallenge.pdf
  6. Russian article: https://cyberleninka.ru/article/v/ctf-orientirovannaya-paradigma-izucheniya-prakticheskih-voprosov-informatsionnoy-bezopasnosti
  7. Using docker for CTF: https://hackernoon.com/how-we-used-docker-to-organize-a-ctf-like-event-5e32061eb597
  8. DEFCON CTF archive: https://defcon.org/html/links/dc-ctf.html
  9. Article 11p: https://www.usenix.org/system/files/conference/ase17/ase17_paper_taylor.pdf
  10. Article Data collection: https://www.amrita.edu/system/files/publications/framework-for-evaluating-capture-the-flag-ctf-security-competitions.pdf
  11. Setting up FTP: https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04
  12. CTF Approach in Education: https://www.researchgate.net/publication/306526917_A_CTF-Based_Approach_in_Information_Security_Education_An_Extracurricular_Activity_in_Teaching_Students_at_Altai_State_University_Russia