By: Nafeel Ahmed
August 12, 2020
Strategies To Win A CTF: How To Approach A Jeopardy Style CTF
What is a CTF?
CTF stands for Capture The Flag. It is a kind of competition or game that hackers enjoy competing in and playing. Hackers compete either to win a prize in a big competition (e.g., Google CTF) or to practice and polish their skills. There are three main and most popular types of CTF.
What are the different types of CTFs?
1. Attack & Defense CTF
The Attack & Defense CTF consists of the Attackers, who are required to attack the network, and the Defenders, who are required to counter those attacks and keep the network from being compromised. Because of the time limits, this kind of CTF requires a good combination of skills. These are usually held on-site rather than online.
2. Boot2Root CTF
As the name suggests, these are installed (usually as VMs) and booted, and the goal is to solve the machine and finally get the root flag, which is equivalent to obtaining system administrator privileges. These are purposely vulnerable virtual machines made by the creators for hackers to solve. You can practice them in a controlled virtual environment without worrying about anything interfering with the outside network. To better understand what networking is, and how a computer communicates, take the Network+ course.
3. Jeopardy CTF
This is one of the most popular types of CTF, where users worldwide can compete without being on-site. It happens online, with dedicated servers and machines that are vulnerable to attack. Competitors capture flags to score points, and the highest scorer often wins a prize. This type of CTF includes different categories of challenges, as follows:
- Web Challenges
- Network Challenges
- Cryptography Challenges
- Steganography Challenges
- MISC Challenges
- PWN/Binary challenges
- Forensics/ Reverse Engineering challenges
We will break down every category of a Jeopardy-style CTF and see how to approach them strategically.
Web Challenges
Web challenges can include anything from SQL injection to RCE. Players try to gain access to the webpage/server to get hold of the flag.
To approach web challenges, one should be familiar with how a web application works. What framework and which version of the framework is being used by the site? Where could one possibly find a vulnerability? How does one exploit such a vulnerability?
One of the best ways to approach it is to know that web challenges usually require access to the admin/login page, either through common vulnerability classes or by executing a known vulnerability of the framework in use (e.g., WordPress, Apache, phpMyAdmin, etc.). Once one has identified the framework and its version, one can Google for known vulnerabilities in that version. Then one can proceed to perform a directory scan. Always check the robots.txt file, which usually contains some sort of flag or a directory pointing towards a flag. One will usually find a login page, or some other page, with some sort of vulnerability. These vulnerabilities can be anything from SQL injection, XSS (Cross-Site Scripting), Local File Inclusion, or Remote File Inclusion. After the known vulnerability has been exploited, you either receive the flag, which you can submit, or you can enumerate further (if required) by uploading a reverse shell and gaining access to the machine.
In summary, the process of completing a WEB Challenge is as follows:
- Manually explore the website, looking for the robots.txt file.
- Identify the framework and version of the framework (e.g., WordPress, Apache, etc.).
- Run a directory scan (look for suspicious directories).
- Google for known vulnerabilities of the specified version of the framework.
- If none are found, try manually exploiting by finding input parameters where vulnerability can be executed (e.g., SQL, LFI/RFI, RCE).
- Further enumerate to find more vulnerabilities for more flags, if required.
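The first three steps of that checklist (robots.txt, framework and version, candidate paths) are the part that can be automated. The script below is an added example written for this article, not code from the original post; it runs offline against constructed sample data standing in for a challenge site's robots.txt body, response headers and landing page. The hostname `ctf.example` and every header and version value in the samples are made up for illustration.

```python
import re
from urllib.parse import urljoin

# Constructed samples: what a challenge site might return for robots.txt,
# its response headers and its landing page. No network access is needed.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/   # constructed hint, as challenge authors often leave
Disallow: /secret-flag.txt
Allow: /public/
Sitemap: http://ctf.example/sitemap.xml
"""

SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
}

SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.4.2" />
<link rel="stylesheet" href="/wp-content/themes/example/style.css">
</head><body>Welcome</body></html>"""


def parse_robots(text):
    """Return every Disallow path from a robots.txt body.

    Each disallowed path is a candidate for manual inspection: the file is
    meant to steer crawlers away, so it often names exactly the directories
    a challenge author does not want found by accident.
    """
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "disallow" and value:
            paths.append(value)
    return paths


def fingerprint(headers, html):
    """Collect framework/version hints from headers and the generator meta tag."""
    found = {}
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for name in ("server", "x-powered-by"):
        if name in lowered:
            found[name] = lowered[name]
    m = re.search(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']',
                  html, re.IGNORECASE)
    if m:
        found["generator"] = m.group(1)
    # wp-content / wp-includes paths are a strong WordPress tell even when the
    # generator tag has been removed.
    if re.search(r"/wp-(content|includes)/", html):
        found.setdefault("generator", "WordPress (inferred from wp-content path)")
    return found


def candidate_urls(base, disallowed):
    """Turn disallowed paths into absolute URLs to review by hand."""
    return [urljoin(base, p) for p in disallowed]


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HEADERS, SAMPLE_HTML))
    print(candidate_urls("http://ctf.example/", parse_robots(SAMPLE_ROBOTS)))
```

The version strings this collects are what you feed into the "Google for known vulnerabilities" step; the script deliberately stops at recording them.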
Being good with web application pentesting and knowing how to exploit different vulnerabilities are musts for this category.
Network Challenges
Network challenges usually include a pcap file. One can view it in Wireshark or tshark, analyze it, then answer the required questions to get the flags.
These challenges require competitors to have a good amount of knowledge in using Wireshark and tshark. One can practice Wireshark at Cybrary Labs to further polish those skills.
These challenges will usually give you a pcap file, and then ask you basic questions like:
- What is the IP address of the victim/target?
- What was the picture the attacker was looking at?
- What are the files being seen by the attacker?
- Which version of FTP is used?
Once you have the answers to these questions/flags, you can submit and win this challenge. Good skills in packet analysis and Wireshark are required for this challenge. One should also know how to extract files from packets, view them in the terminal, and follow packet streams.
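To show what Wireshark is doing underneath when you list hosts, read a service banner, or use Follow TCP Stream, here is an added example (not from the original article) that parses a classic pcap file in plain Python and answers the "which hosts" and "which FTP version" questions above. The capture it reads is constructed in memory by the script itself: four Ethernet/IPv4/TCP frames carrying a made-up FTP banner (`ExampleFTPd 1.2.3`) between the invented addresses 10.0.0.5 and 10.0.0.9. Checksums are left at zero, which a parser that does not verify them does not mind.

```python
import socket
import struct
from collections import defaultdict


def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every IPv4/TCP packet
    in a classic (non-pcapng) capture that uses Ethernet framing."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"          # file headers written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file headers written big-endian
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled here")
    offset = 24                                   # end of the global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
        if frame[23] != 6:                                    # protocol must be TCP
            continue
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4                         # TCP header length
        yield src, dst, sport, dport, tcp[data_off:]


def follow_streams(packets):
    """Concatenate payloads per direction of each flow, like Follow TCP Stream."""
    streams = defaultdict(bytes)
    for src, dst, sport, dport, payload in packets:
        streams[(src, sport, dst, dport)] += payload
    return dict(streams)


def summarize(data):
    """Answer the typical questions: which hosts talk, and which FTP server banner appears."""
    packets = list(parse_pcap(data))
    hosts = sorted({p[0] for p in packets} | {p[1] for p in packets})
    banner = None
    for src, dst, sport, dport, payload in packets:
        if sport == 21 and payload.startswith(b"220"):        # FTP greeting carries the version
            banner = payload.decode("ascii", "replace").strip()
    return {"hosts": hosts, "ftp_banner": banner, "streams": follow_streams(packets)}


# --- constructed capture (not a real pcap from any challenge) ---------------
def _frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left as zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1597190400 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    _frame("10.0.0.5", "10.0.0.9", 40000, 21, b""),
    _frame("10.0.0.9", "10.0.0.5", 21, 40000, b"220 ExampleFTPd 1.2.3 ready\r\n"),
    _frame("10.0.0.5", "10.0.0.9", 40000, 21, b"USER ctfplayer\r\n"),
    _frame("10.0.0.9", "10.0.0.5", 21, 40000, b"331 Please specify the password.\r\n"),
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
```

`tshark -r capture.pcap -z follow,tcp,ascii,0` gives the same reassembled view for stream 0; the point of doing it by hand once is to see that a "stream" is nothing more than payloads grouped by the (src, sport, dst, dport) tuple in capture order.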
Cryptography Challenges
Crypto challenges usually include solving various cipher algorithms, such as the Caesar cipher, Pigpen cipher, and Vigenere cipher. The challenges can also include encodings like Morse code, Base64, and XOR.
These challenges usually provide competitors with some sort of text file that contains an encoded text. Be familiar with the kind of encryption or encoding being used for the text, because it will need to be decoded. Various tools can be used to identify what sort of cipher it is. The ciphers could range anywhere from the Caesar cipher to the Vigenere cipher, and the encodings from Base64 to XOR. Taking the "Cryptography" course helps one become familiar with the cryptograms used in challenges. In general, keep reading books and looking at different ciphers to become familiar with other cryptograms.
In summary, to solve Crypto challenges:
- Identify the encoding of the text.
- Decode the text.
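Those two steps, identify then decode, are worth seeing as code for the encodings this article names. The block below is an added example written for this article rather than code from the original post: it guesses among Base64, hex-encoded single-byte XOR and a Caesar shift, brute-forces the latter two by scoring candidate plaintexts against English letter frequencies, and includes a Vigenere routine for when the key is known. The plaintext `the flag is hidden in plain sight`, the key `lemon` and the XOR key 0x2A are constructed for the demonstration; the frequency table is the usual approximate one for English.

```python
import base64
import re
import string

# Approximate English letter frequencies (percent), used to rank candidate plaintexts.
ENGLISH_FREQ = {
    "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7, "s": 6.3, "h": 6.1,
    "r": 6.0, "d": 4.3, "l": 4.0, "c": 2.8, "u": 2.8, "m": 2.4, "w": 2.4, "f": 2.2,
    "g": 2.0, "y": 2.0, "p": 1.9, "b": 1.5, "v": 1.0, "k": 0.8, "j": 0.15, "x": 0.15,
    "q": 0.1, "z": 0.07,
}


def english_score(text):
    """Higher means more English-like; unprintable characters are penalised heavily."""
    score = 0.0
    for ch in text.lower():
        if ch in ENGLISH_FREQ:
            score += ENGLISH_FREQ[ch]
        elif ch == " ":
            score += 13.0
        elif ch not in string.printable:
            score -= 50.0
    return score


def caesar_shift(text, shift):
    """Shift ASCII letters by `shift` positions; everything else passes through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def break_caesar(ciphertext):
    """Try all 26 shifts; return (shift, plaintext) for the most English-looking one."""
    shift = max(range(26), key=lambda s: english_score(caesar_shift(ciphertext, -s)))
    return shift, caesar_shift(ciphertext, -shift)


def vigenere(text, key, decrypt=True):
    """Vigenere with a letter key; the key index only advances on letters."""
    out, ki, sign = [], 0, (-1 if decrypt else 1)
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            k = ord(key[ki % len(key)].lower()) - ord("a")
            out.append(chr((ord(ch) - base + sign * k) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


def break_single_byte_xor(data):
    """Brute-force a one-byte XOR key by scoring all 256 candidate plaintexts."""
    def plain(k):
        return bytes(b ^ k for b in data).decode("latin-1")
    key = max(range(256), key=lambda k: english_score(plain(k)))
    return key, plain(key)


BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def identify_and_decode(text):
    """Guess how a challenge string is encoded; return (label, decoded_text)."""
    s = text.strip()
    # Base64: right alphabet, length a multiple of 4, and it decodes to printable text.
    if len(s) % 4 == 0 and BASE64_RE.fullmatch(s):
        try:
            decoded = base64.b64decode(s, validate=True).decode("ascii")
            if decoded.isprintable():
                return "base64", decoded
        except (ValueError, UnicodeDecodeError):
            pass
    # Hex digits only: treat as raw bytes and try a single-byte XOR key.
    if len(s) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", s):
        key, plain = break_single_byte_xor(bytes.fromhex(s))
        return "xor(key=0x%02x)" % key, plain
    # Otherwise assume a shift cipher over the letters.
    shift, plain = break_caesar(s)
    return "caesar(shift=%d)" % shift, plain


# Constructed samples: one sentence under three of the encodings discussed above.
PLAINTEXT = "the flag is hidden in plain sight"
SAMPLE_BASE64 = base64.b64encode(PLAINTEXT.encode()).decode()
SAMPLE_CAESAR = caesar_shift(PLAINTEXT, 3)
SAMPLE_XOR_HEX = bytes(b ^ 0x2A for b in PLAINTEXT.encode()).hex()

if __name__ == "__main__":
    for sample in (SAMPLE_BASE64, SAMPLE_CAESAR, SAMPLE_XOR_HEX):
        print(identify_and_decode(sample))
```

The frequency-scoring trick generalises beyond the Caesar case shown in the text: any cipher with a small key space can be broken the same way, which is why short XOR keys fall so quickly in challenges.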
Steganography Challenges
Steganography challenges usually include a hidden file or text inside a picture file, a music file, or a zip file (in the zip case the password usually has to be brute-forced or cracked).
The challenge creators might present a certain type of file for players to find a flag in it. The file is usually in the form of a text file, a picture file, or a music file. First, examine what kind of file it is. Details of the file can be seen using various tools (e.g., file, exiftool, steghide). Once the kind of file has been identified, proceed with the following:
- ZIP file: Brute-force the .zip file password to find the flag.
- Picture file: Check with Steghide to see what files are hidden behind a .jpeg file.
- Music file (mp3): Check the file in a spectrogram. One of the most popular audio steganography techniques is to embed plain text in a music file.
Steganalysis, as the process of detecting content hidden with steganography is often called, is a trial-and-error process: keep trying until you find the flag.
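The "first, examine what kind of file it is" step above is usually done with `file`, and the most common picture trick of all is data simply appended after the image's real end. As an added example (written for this article, not code from the original post) the block below reimplements the two checks in plain Python: a magic-byte identifier in the spirit of `file`, a PNG chunk walker that reports where the image logically ends and whether each chunk's CRC still matches, and a binwalk-style scan for signatures embedded at other offsets. The sample files are constructed in memory by the script: a valid 1x1 PNG, and the same PNG with a small ZIP archive appended after IEND.

```python
import io
import struct
import zipfile
import zlib

# Leading-byte signatures, in the spirit of the `file` utility's magic database.
MAGICS = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"ID3", "MP3 audio (ID3 tag)"),
    (b"%PDF", "PDF document"),
    (b"RIFF", "RIFF container (WAV/AVI)"),
]


def identify(data):
    """Return a type label for `data` by matching its first bytes, or 'unknown'."""
    for magic, label in MAGICS:
        if data.startswith(magic):
            return label
    return "unknown"


def png_chunks(data):
    """Walk the PNG chunk list up to IEND; return (chunks, offset_after_IEND).

    Each chunk is (type, body, crc_ok). A failed CRC is itself a hint that a
    chunk was edited by hand."""
    chunks, pos = [], 8                      # skip the 8-byte signature
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        if pos + 12 + length > len(data):    # truncated chunk
            break
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack_from(">I", data, pos + 8 + length)
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("ascii"), body, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def trailing_data(data):
    """Bytes after the image's logical end: a favourite place to hide a payload."""
    kind = identify(data)
    if kind == "PNG image":
        return data[png_chunks(data)[1]:]
    if kind == "JPEG image":
        end = data.rfind(b"\xff\xd9")        # JPEG End Of Image marker
        return data[end + 2:] if end != -1 else b""
    return b""


def find_embedded(data):
    """Scan for known signatures past offset 0, the way binwalk does."""
    hits = []
    for magic, label in MAGICS:
        pos = data.find(magic, 1)
        while pos != -1:
            hits.append((pos, label))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def analyse(data):
    """Summarise what a first triage of the file should report."""
    trailer = trailing_data(data)
    report = {
        "type": identify(data),
        "trailing_bytes": len(trailer),
        "trailing_type": identify(trailer) if trailer else None,
        "embedded": find_embedded(data),
    }
    if report["type"] == "PNG image":
        chunks, _ = png_chunks(data)
        report["chunks"] = [(name, ok) for name, _, ok in chunks]
        report["size"] = struct.unpack(">II", chunks[0][1][:8])   # IHDR width, height
    return report


# --- constructed samples (not files from any real challenge) ----------------
def _png_chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))   # filter byte + one red pixel
              + _png_chunk(b"IEND", b""))
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("flag.txt", "flag{constructed_sample}")
SAMPLE_PNG_WITH_ZIP = SAMPLE_PNG + _buf.getvalue()

if __name__ == "__main__":
    print(analyse(SAMPLE_PNG_WITH_ZIP))
```

Once the trailer's type is known, the rest of the checklist applies to it in turn: a ZIP trailer goes to the password step, an image trailer back to steghide or the chunk walker.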
PWN/Binary Challenges
Pwnables are challenges where competitors need to exploit a specific vulnerability. Hosted on Linux or Windows, the targets can involve buffer overflows, format string bugs, and heap or stack exploits. Pwnable challenges are also found in the Binary category.
Binary challenges are challenges where players get a binary file that needs to be reverse engineered to get the flag. Binaries are usually Windows or Linux executables.
Forensics/ Reverse Engineering challenges
Anything related to Forensics comes under here. Challenges can include Windows, Linux, and Android platforms forensics.
Reverse engineering challenges are where competitors are given a file that needs to be reversed to find the flag.
MISC Challenges
Anything that cannot be categorized in the above categories gets included here. All you have to do is follow the challenge description and go for it. It's mostly a trial-and-error challenge.