Your Intro to Capture The Flag (CTF)
CTF - An acronym for "Capture The Flag". This term has been widely used to classify a specific type of games in many different fields. It can be used in video games, board game or as in our case - in cybersecurity. The rules are similar matterless of the field the game is played in, there is a territory that has to be infiltrated and objects that need to be captured while fighting against the opposition or competition of another team. The Ancient Romans used a board game version of CTF games to train their children in war strategy and battle formations. In 2007 the US Army created the US Scouting Service Project, which tackles hypothetical scouting missions in a sandboxed environment. Adapting these games to the field of informational security gives us the possibility to practice our practical skills, without needing to wait for a real work scenario to appear and without partaking in illegal actions to hone our knowledge.
CTF competitions are a powerful tool not only for the security specialist to train themselves in a possible work-related situation but also for students. The themed and interest dragging presentation of CTFs combined with the flexibility in the levels of difficulty make these challenges perfect for security enthusiasts of all calibers, even the smallest ones among us. Same way embedded specialists motivate children of all ages to be involved in robotics, we - the security specialist must take the responsibility to create an army of cyber-security ninja kids.Level up your cyber career today >>
1.2. Types of CTF competitions
Jeopardy - In this type of competition there is a certain number of task challenges which can be different types: web, crypto, binary, forensic, etc. Depending on the difficulty of a certain task it delivers a different amount of points to the player that solved it. The tasks can be shaped in so-called "chains" which means that for the player to unlock the next challenge he needs to first solve the one before it. At the end of the game, which is usually defined by a time limit the team that scored the most points is victorious. Examples for competitions of the like are present at Hack the Nexus, DEFCON Quals, Kaspersky Industrial, SECCON, HITCON.
Attack-Defense - Each team has its own Vulnbox which is essentially a system with security vulnerabilities. Each team has time to patch it's own system while developing exploits for the enemy system. When the games start the teams have to start using exploits on each other while protecting their own systems in order to "steal" flags off the enemy team.
Mixed - Any combination of the upper two competitions is considered a mixed one. There can be an attack-defense competition having a few jeopardy tasks set as bonuses or a jeopardy competition with a global task including an attack-defense dynamic.
1.3. Types of CTF tasks
Reverse Engineering - The point of reverse engineering is collecting new information and understanding of a technology through disassembling it to its base parts. At the beginning, to RE it was only used on hardware, but currently, it has evolved into being applicable in software, databases and even DNA analysis.
PWN (Binary) - The objective of PWN challenges is for the player to acquire access to a target system without the system administrator's permission. The targets can be personal computers, servers, websites, networking devices or applications.
Web - Web challenges include a wide range of things but the essence is analyzing a website to gain information. You can analyze the web site's source code, the hierarchy of the directories and all the functioning ports.
Crypto - Cryptographic challenges are mostly defined by giving the players a sample of encrypted information. The player has to decrypt it in order to acquire a flag or a clue to the next step of the competition.
Stegano - Steganography is the art of hiding a secret string of text, image, video or audio file in a different file of the same like. Stegano challenges usually consist of an image that contains nothing interesting at first sight. The image factually contains the flag of the challenge, but to acquire it the player has to run the image through filters and algorithms. There have even been steganographic challenges that feature a 3D model the player has to add a light source over to be able to see the flag.
Misc - All challenges that can't be classified within the upper categories are put under "miscellaneous". An example of such a challenge was the Sochi 2014 CTF Olympic. The players were given 5 different character strings. The challenge at first looked like a cryptographic challenge but was, in fact, a fun and simple keyboard mapping exercise, children are proven to solve this challenge faster than most grown-ups :
43wdxz ---> S
4edcvgt5 ---> O
65rdcvb ---> C
6tfcgh8uhb ---> H
9ijn ---> IThank you for your attention, if enough people want me to I will take the time to translate the next segment that covers hosting your CTF competition with the RootTheBox framework. Also here, have some useful learning sources:
- CTF Time: https://ctftime.org/ctf-wtf/
- Root The Box: http://root-the-box.com/
- Installation guide RtB: https://github.com/moloch--/RootTheBox/wiki/Installation
- List CTF frameworks: https://github.com/apsdehal/awesome-ctf/blob/master/README.md
- Hosting a hacking challenge article: https://events.ccc.de/congress/2005/fahrplan/attachments/562-Paper_HostingAHackingChallenge.pdf
- Russian article: https://cyberleninka.ru/article/v/ctf-orientirovannaya-paradigma-izucheniya-prakticheskih-voprosov-informatsionnoy-bezopasnosti
- Using docker for CTF: https://hackernoon.com/how-we-used-docker-to-organize-a-ctf-like-event-5e32061eb597
- DEFCON CTF archive: https://defcon.org/html/links/dc-ctf.html
- Article 11p: https://www.usenix.org/system/files/conference/ase17/ase17_paper_taylor.pdf
- Article Data collection: https://www.amrita.edu/system/files/publications/framework-for-evaluating-capture-the-flag-ctf-security-competitions.pdf
- Setting up FTP: https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04
- CTF Approach in Education: https://www.researchgate.net/publication/306526917_A_CTF-Based_Approach_in_Information_Security_Education_An_Extracurricular_Activity_in_Teaching_Students_at_Altai_State_University_Russia
Do you like to write about your infosec knowledge, skills, opinions, or exploits?
Publish your original research, tutorials, articles, or other written content on Cybray's blog to be seen by thousands of infosec readers daily!