Monday, April 8, 2019
What is CTF?
What is CTF (Capture The Flag)?
Security CTFs, or Capture-The-Flag competitions, have nothing to do with
paintball or shooter games, but they are an awesome way to learn to hack. They
can be very challenging and teach you a lot of new skills. In this post, I want
to tell you what kinds of challenges there are and how you can find CTFs to play.
Generally, there are two categories of CTFs: Jeopardy-style and
Attack-and-defense. I will only focus on the Jeopardy-style, especially because
it’s easier to get into. A typical CTF offers a bunch of different challenges
that you have to solve. Most commonly you have to exploit some kind of service
to get remote access to the server, so you can then read the content of a file
that contains a special string, the flag, which is proof that you hacked the
system. You then enter that string in a form and your team gets points
depending on how hard the challenge was.
Usually, a challenge has a title, a short description and maybe info on how to
reach the service or a file to download. Oftentimes the title or description is
already a small hint. For example, there was a challenge called sha1lcode at
the HITCON CTF 2014, and without really looking into the challenge I already
assumed that you have to write shellcode, and that it has something to do with
sha1 hashes. Maybe writing shellcode in the form of sha1 hashes. And indeed,
that was the solution in the end. There are a lot of different kinds of
challenges, and sometimes you get some new creative ones, but the typical
topics covered are reversing, pwning, crypto, web and maybe misc or programming.
Reversing usually comes with an executable, a program you can download and run
locally. The program implements some kind of algorithm that checks an input
key. If you find the correct key, which is oftentimes already the correct flag,
then you have solved it. So solving it requires you to reverse engineer and
understand the implemented algorithm to deduce the correct input key.
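To make the reversing idea concrete, here is an added example that is not from
the original post: a constructed key check of the kind such a program might
implement, and the solver you can write once you understand it. The constants,
the flag and all function names are made up for illustration.

```python
# Added illustration: a constructed "key check" like the one a reversing
# challenge hides in its executable, and the solver that inverts it.

XOR_KEY = b"\x13\x37\xc0\xde"  # constructed constants, not from any real challenge


def rol8(b, n):
    """Rotate an 8-bit value left by n bits."""
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b, n):
    """Rotate an 8-bit value right by n bits (the inverse of rol8)."""
    return ((b >> n) | (b << (8 - n))) & 0xFF


def transform(data):
    """Per-byte scramble: XOR with a key byte, add the index, rotate left by 3."""
    return bytes(rol8(((c ^ XOR_KEY[i % 4]) + i) & 0xFF, 3)
                 for i, c in enumerate(data))


# In a real challenge only this table would ship in the binary. It is built
# here from a constructed flag so that the example is self-contained.
TARGET = transform(b"flag{constructed_example}")


def check(key):
    """What the challenge program does: scramble the input, compare to the table."""
    return transform(key) == TARGET


def recover(target):
    """What the solver does: undo every step of transform() in reverse order."""
    return bytes((((ror8(t, 3) - i) & 0xFF) ^ XOR_KEY[i % 4])
                 for i, t in enumerate(target))


if __name__ == "__main__":
    key = recover(TARGET)
    print(key.decode(), check(key))
```

The point is that the program never needs to contain the key itself: every
step of the check is invertible, so understanding the algorithm is enough to
compute the one input it accepts.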
For pwning challenges you often also get an executable, but with it an IP
address and port of a server running this program. So you have to figure out
how to exploit the program to gain remote code execution. You develop your
exploit locally and then use it against the server, where you can then read the
flag file. These challenges range from simple buffer overflows to very advanced
heap feng shui stuff. And they are the most interesting ones to me.
Crypto, like the name says, is about cryptography. Sometimes it’s about
attacking a self-made cipher, or very simple crypto attacks like weak random
generators. But it can get really advanced and mathematical, where you are
basically lost if you are not up to date with the research and papers from that
field.
Web challenges are also clear: they are about web applications. Usually you get
a URL and you have to exploit maybe an advanced SQL injection, or bypass
authentication. Sometimes there are even XSS or CSRF challenges. I also have a
web challenge writeup where you can get a feeling for what it is about. Misc
basically covers anything else. And programming is also self-explanatory.
Mostly it’s about clever implementations of solving some kind of problem.

Now that you are excited about solving some of these challenges, let’s talk
about where you can find them. The best platform for all of this is ctftime.
It’s made by the CTF community for the CTF community. You can see which CTFs
are upcoming and you get information like the format, when it happens and where
to register. You can also see the archive of competitions in the past. Over the
year the CTF teams collect these points and you have an overall ranking. Being
in the top 50 is quite challenging.

But how to find a team? Well, it’s like finding a group of friends. There is no
one way to do it. You could also check out the reddit CTF team OpenToAll, which
is, like the name says, open to everybody.

But all these CTFs are usually short. They run over a weekend, maybe 48-72
hours. There are also websites where these kinds of challenges are available
forever. I played a lot on w3challs, smashthestack and overthewire.

In the beginning you will realize you know nothing. You fail every challenge
you try. But that’s normal, because people create writeups or upload their
exploit scripts, and then you can work through those solutions. You can
research topics you didn’t know about. You see how other people solve it. And
you start to gain experience. You will see that after a couple of CTFs you
start to be able to make progress yourself. So for that purpose you should look
up the writeups on ctftime, or the ctf writeup github repository (maybe
contribute yourself by gathering other people’s writeups and creating a pull
request), or simply hang around on the IRC channel of the competition, because
people will start discussing solutions afterwards.

I hope this quick overview was helpful to get into challenges yourself. And
maybe consider recording yourself solving them during the CTF. Just make sure
you don’t beg for flags, solutions and hints. Respect the competition. Be
excellent to each other. And accept your lack of skill and convert it into
motivation to learn more.