By: Apurv Tiwari
October 7, 2020
Getting Started With CTFs
What is it?
Capture the Flag originally comes from gaming: arena-style matches in which two sides face off, each trying to capture the other's flag while defending its own. The format was later carried over into cybersecurity as a way to build and showcase skills. It's alright if you aren't a gamer; the only thing the two share is the name. Most challenges require the contestant to find a specific piece of text (the flag!) hidden behind a web page or on a server.
Capture The Flag tournaments are very popular in the cybersecurity space: as a sport, as a learning tool, and sometimes as a recruitment tool or even as practice for real-world cases. They can be played in teams or individually.
The skill level varies from event to event. Many challenges do not require programming know-how and instead test problem solving and creative thinking.
That said, most CTF players are information security students, professionals, or enthusiasts who want to demonstrate their skills in academic or professional circles.
Most of these competitions also draw a healthy mix of first-timers hustling for flags, alongside the dedicated community that hosts or organizes the event.
Types of competitions
There are three common types of competitions:
Jeopardy-style CTF
These competitions present a board of independent challenges grouped into categories such as web security, cryptography, reverse engineering, or forensics, each worth a set number of points. The DEF CON CTF qualifiers, VirSecCon, and H@cktivityCon are a few examples of events run in this style.
Attack-Defense Style CTF
These differ from the traditional jeopardy format. Every team starts with its own network or host running a set of vulnerable services and gets a preparation window to harden that environment, patching services and setting up defenses. Then the game opens, all teams are connected on one network, and the war game begins: attack the other teams' services while keeping your own from getting hacked. Successful attacks score offense points, and keeping your services up and unbreached scores defense points. Such events take a large amount of preparation to run and are therefore rather rare. You can find some of these at the DEF CON CTF and on the tryhackme website.
A variation is the King of the Hill challenge, where all attackers target a single machine. Whoever gets system access first becomes the king and must solidify that position, holding access while keeping the others out.
Mixed Style CTF
As the name suggests, these are hybrids of the two styles above: typically either an attack-defense competition with jeopardy-style tasks for bonus points, or a jeopardy-style competition with an overarching storyline in the spirit of attack-defense.
Types of Tasks
CTF competitions generally draw on skills from the following domains: reverse engineering, cryptography, web security, steganography, forensics, coding/programming challenges, and sometimes miscellaneous challenges. A general background in all of them is certainly helpful, but do not let gaps in your knowledge hold you back from participating. The following paragraphs are a small primer for those looking to get introduced to each challenge type.
Reverse Engineering
This domain deals with deconstructing software (or, more rarely, hardware) components and working out how they behave, usually without the original source code. In plain speak, these challenges ask you to reconstruct how "the challenge" was built and work backwards from there. This is the most programming-heavy domain, and familiarity with tools such as OllyDbg, IDA Pro, or Ghidra may be required. If you are looking for some practice or to get your feet wet, Microcorruption (https://microcorruption.com/about) is a good place to start.
Binary exploitation / Pwning
This is closely related to RE: abusing subtle flaws in a program to make it do things it was never designed to do. Again, this is a knowledge-heavy domain (low-level programming and assembly language help!), although an initial foothold can sometimes be found through brute force and luck. It takes practice and an eye for spotting coding errors. Good books here are "Hacking: The Art of Exploitation" and "Practical Binary Analysis." If you prefer to learn via challenges, pwnable.kr is a good place to start.
Web Security
Web challenges make up the bulk of most CTFs. They are also comparatively approachable, with a less steep learning curve. They typically require analyzing a website: its source code, directory structure, plausible hidden directories, open ports, and so on. An excellent resource to learn via reading is "The Web Application Hacker's Handbook." If you prefer to learn via challenges, the hacker101 CTF is a good place to start.
Cryptography
Crypto challenges focus on decrypting ciphertext produced by some cipher, classical ones to start with (look up the Caesar and Vigenere ciphers). They may also involve finding and exploiting flaws in known ciphers, which is cryptanalysis. "Crypto 101" is a good start if you prefer reading. For learning by doing, "CryptoPals" is the place to go, with easy-to-follow guidelines and step-by-step practice at breaking cryptographic constructions.
Steganography
Steganography is the art of concealing a message (a file, image, or text) inside another (a file, image, text, or even video). In a challenge, the carrier usually contains a "flag" that has to be pulled out by applying filters and decoding algorithms. Stego-only CTFs are rare, but stego challenges turn up in most Jeopardy-style events. To read more about how to hide things in other things, see the 4-part series by Black Hills Information Security (https://www.blackhillsinfosec.com/steganography-the-art-science-of-hiding-things-in-other-things-part-1/).
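An added example (not from the original article or the linked series) of the simplest image stego technique, least-significant-bit embedding: the message bits replace the lowest bit of each carrier byte, so every byte changes by at most 1 and a picture built from those bytes looks unchanged. The carrier here is a seeded pseudo-random byte buffer standing in for decoded pixel data; on a real image you would run this over the pixel buffer, not over the compressed file.

```python
"""LSB steganography over a byte buffer: embed, extract, and a sanity check.
Added example for this article; standard library only."""
import random

HEADER_BYTES = 4  # big-endian length prefix so the extractor knows where to stop


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write the length-prefixed message into bit 0 of successive cover bytes."""
    payload = len(message).to_bytes(HEADER_BYTES, "big") + message
    bits = "".join(f"{b:08b}" for b in payload)
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, payload is {len(payload)}")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | int(bit)   # clear bit 0, then set it to the message bit
    return bytes(out)


def _read_bits(stego: bytes, start: int, count: int) -> bytes:
    """Collect `count` low bits starting at byte `start` and pack them into bytes."""
    if count == 0:
        return b""
    bits = "".join(str(stego[i] & 1) for i in range(start, start + count))
    return int(bits, 2).to_bytes(count // 8, "big")


def extract_lsb(stego: bytes) -> bytes:
    """Recover the message: read the 4-byte length first, then that many bytes."""
    length = int.from_bytes(_read_bits(stego, 0, HEADER_BYTES * 8), "big")
    if (HEADER_BYTES + length) * 8 > len(stego):
        raise ValueError("length prefix exceeds carrier; probably not LSB data")
    return _read_bits(stego, HEADER_BYTES * 8, length * 8)


def max_byte_change(cover: bytes, stego: bytes) -> int:
    """LSB embedding must never move any byte by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed stand-in for a pixel buffer (seeded so the demo is reproducible).
COVER = bytes(random.Random(42).getrandbits(8) for _ in range(512))
SECRET = b"flag{constructed_lsb_example}"

if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print(extract_lsb(stego))
    print("max per-byte change:", max_byte_change(COVER, stego))
```

Challenge authors vary the recipe (only one colour channel, every Nth pixel, a different bit, no length prefix), which is why stego solving is mostly trying filters until text falls out; the extractor above is the first thing to try once you have raw pixels.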
Forensics
Forensic challenges can involve file format analysis, memory analysis, or network packet capture analysis. Solving them requires, at a minimum, the following skills:
- Writing quick tooling in a language such as Python or Go
- Manipulating binary data in the language of choice
- Recognizing file formats, protocols, and encodings
Some challenges also call for tools such as hex editors. This category is often combined with steganography to layer several challenges on top of each other.
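An added example (not from the article) of the three bread-and-butter forensics moves that the `file`, `binwalk` and `strings` tools automate: identify a blob by its magic bytes, scan it for embedded file signatures so an embedded file can be carved out, and pull printable strings from it. The blob is constructed inline (a PDF header with a ZIP header and a flag buried after it), and the signature table is deliberately short; the real tools know thousands of formats.

```python
"""Magic-byte identification, signature carving and string extraction.
Added example for this article; standard library only."""
import re

# A few well-known file signatures (magic bytes); real tools carry thousands.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF89a": "GIF image",
    b"PK\x03\x04": "ZIP archive",
    b"%PDF-": "PDF document",
    b"\x7fELF": "ELF executable",
    b"Rar!\x1a\x07": "RAR archive",
}


def identify(data: bytes) -> str:
    """What `file` does at its simplest: match the leading bytes against known magic."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "data"


def find_signatures(blob: bytes):
    """What `binwalk` does: report every offset at which a known signature appears."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def carve(blob: bytes, offset: int) -> bytes:
    """Cut out the embedded file at `offset`, up to the next signature (or end of blob).
    Proper carving parses the container's own length fields; this is the crude version."""
    later = [pos for pos, _ in find_signatures(blob) if pos > offset]
    end = min(later) if later else len(blob)
    return blob[offset:end]


def strings(blob: bytes, min_len: int = 4):
    """What `strings` does: runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def find_flags(blob: bytes, pattern: str = r"flag\{[^}]*\}"):
    """Grep the extracted strings for the usual flag format."""
    return [s for s in strings(blob) if re.search(pattern, s)]


# Constructed sample: a fake PDF with a ZIP header and a flag hidden after it.
BLOB = (b"%PDF-1.4\n" + b"\x00" * 16 + b"some readable text" + b"\x01\x02"
        + b"PK\x03\x04" + b"\x00" * 8 + b"flag{constructed_forensics_example}\n")

if __name__ == "__main__":
    print(identify(BLOB))
    print(find_signatures(BLOB))
    print(find_flags(BLOB))
```

Two caveats a practitioner learns fast: an extension proves nothing (always go by magic), and `strings`-style extraction only finds text stored as plain ASCII; UTF-16 strings, base64 blobs and compressed data need a decoding pass first.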
Scripting/Coding
These challenges require coding in some scripting language. A typical example is writing a custom client that connects to a server, answers a series of mathematical questions, and eventually receives the flag. Such challenges need logical thinking as well as an understanding of how servers and their protocols work, and they are frequently layered into other categories to make harder challenges.
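An added example (not from the article) of the kind of client just described: a small TCP server that asks arithmetic questions and hands over a flag only after a run of correct answers, together with the solver script that parses each prompt, computes the result and replies. The server is a stand-in for a challenge server, written so the whole exchange runs offline on the loopback interface; the flag text and question format are constructed.

```python
"""Scripted client for a 'solve N math problems for the flag' socket challenge,
with a local stand-in server so it runs offline. Added example for this article."""
import random
import re
import socket
import threading

FLAG = b"flag{constructed_scripting_example}"   # constructed; a real server keeps this secret
ROUNDS = 5
PROMPT = re.compile(rb"What is (\d+) ([+*-]) (\d+)\?")
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b}


def serve_one_client(listener: socket.socket) -> None:
    """Stand-in challenge server: ask ROUNDS questions, release the flag only if all are right."""
    conn, _ = listener.accept()
    with conn:
        rfile = conn.makefile("rb")
        rng = random.Random(1234)  # deterministic questions for the demo
        for _ in range(ROUNDS):
            a, b, op = rng.randint(1, 99), rng.randint(1, 99), rng.choice("+-*")
            conn.sendall(f"What is {a} {op} {b}?\n".encode())
            answer = rfile.readline()
            try:
                correct = int(answer.strip()) == OPS[op](a, b)
            except ValueError:
                correct = False
            if not correct:
                conn.sendall(b"Wrong!\n")
                return
        conn.sendall(FLAG + b"\n")


def solve_challenge(host: str, port: int, timeout: float = 5.0):
    """The CTF-side script: read prompts line by line, answer them, return the flag (or None)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rfile = s.makefile("rb")
        while True:
            line = rfile.readline()
            if not line:                  # server hung up without giving a flag
                return None
            m = PROMPT.match(line)
            if m:
                a, op, b = int(m[1]), m[2].decode(), int(m[3])
                s.sendall(f"{OPS[op](a, b)}\n".encode())
            elif line.startswith(b"flag{"):
                return line.strip().decode()


def run_demo():
    """Start the stand-in server on an ephemeral loopback port and run the solver against it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_one_client, args=(listener,), daemon=True)
    server.start()
    try:
        return solve_challenge("127.0.0.1", port)
    finally:
        server.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    print(run_demo())
```

Against a real challenge you would point `solve_challenge` at the host and port from the task description and drop the stand-in server. The habits that matter are the ones shown: match the prompt with a regex rather than string slicing, read line by line so partial TCP reads do not break parsing, and treat an unexpected line or a closed socket as a signal to stop instead of hanging.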
Miscellaneous
These challenges have no sure-fire method. Mostly they require patience, perseverance, and luck, plus a lot of Googling. Experience helps too, if you have played enough events or read past challenge write-ups.
Should you just dive in? Yes. The catch is that it is frustrating to keep knocking against a tough challenge. Some personal tips for starting out, gathered from attending many different CTFs:
- Don't expect to solve all the "warmup" challenges in one go. They aren't necessarily easier.
- If playing competitively, check whether the CTF allows teams. If it does, take part as a team.
- If playing solo, don't spend more than about 15 minutes researching, or more than 30 minutes banging your head against, a single challenge.
- Especially when starting out, skip challenges you have tried and not cracked. Getting partway into 20 challenges teaches you more than fully solving three.
- Time is usually limited, but fret not: most challenges stay up for a short while after the CTF has ended.
- Read write-ups of ALL the challenges; it's very common to find alternative ways of solving them.
- Document your steps while solving, even when you ran out of time or could not solve the challenge. This is good practice.
- Once you have documented it, blog it. Write-ups need not be about succeeding; one can write about the rabbit hole one fell down and what was learned.
- It's a game. Everyone was once a noob, so put on the thickest skin possible (for defense against toxicity) and ask questions and request hints as far as the challenge rules permit.
- Join CTF communities on Discord and Slack; they are a big motivator to grow and learn together.
- When starting afresh, find a group with similar interests to help you stay consistent.
Some tools one might find useful when attempting challenges:
- Burp Suite (intercepting proxy for web challenges)
- binwalk (scans a file for embedded files and known signatures)
- file (command-line tool that identifies a file's type from its contents rather than its extension)
- strings (command-line tool that prints the printable character sequences found in a binary)
Now it is time to step out and, as the phrase goes, get your feet wet. Cybrary has a broad range of CTFs from Cydefe available to learn with, so start a CTF by searching our catalog today at https://www.cybrary.it/catalog/
Finally, if stuck, reach out on Twitter (@AidenSenju).