Beginners guide to CTFs

Hello all

Hope you all are doing fine. This is a message from the CTF Wing of Zense. We have got a very large summer break this year, and we must try to take this opportunity to explore different domains, be it Competitive Programming, Development, Machine Learning etc. And we would like to take this opportunity to introduce you to CTF.

Unlike CP, ML and development, most of you might not have heard of CTFs, but that is fine. Even we didn't know until recently. But trust me there is huge competition among various teams out there. And now is the perfect time to explore. You never know where you might find your interests.

So what is a CTF?

A CTF, aka Capture the Flag, is a contest where there is a territory that has to be infiltrated and objects that need to be captured while fighting against the opposition or competition of another team. You might have heard of it frequently in video games. The rules are similar here too: you have a set of challenges, and you must find the vulnerability in each and exploit it to find a flag. Now you know why it is known as Capture the Flag. So what is a flag? A flag is proof that you have solved the challenge. In our case it is a phrase that usually looks like flag{...}

Why do you need to CTF?

This is an age of digitisation. There has been a sudden, unprecedented switch from relying on physical data to complete digitisation of all the stuff that you use or require daily. With this much data being digitised, there must be ample security measures to protect it. CTF is all about that. It teaches you various skills: how to work around various vulnerabilities, how to script and exploit them, and in some cases also how to patch them. This is an amazing introduction to how the security industry operates. There is a huge demand for security researchers and developers in the industry, and the number of vacant positions is also high. So isn't this a win-win?

I'm interested in CP/dev/other stuff, why should I CTF?

Firstly, it doesn't hurt to try something out, irrespective of whether you pursue it later or not.
Second, in any development job that you decide to take on in the future, there will be a heavy reliance on secure coding practices to prevent vulnerabilities. With CTFs you get trained enough to make a habit of writing secure, usable code, as you come to understand how someone could misuse your piece of code and hence how you could fix it.

A simple example of how someone could misuse a piece of code which we use regularly, in Python 2.x:

# Python 2.x: input() evaluates the entered text as a Python expression
flag = "1234qwer"
inp = input("Enter a number: ")
print(inp)

How could someone misuse this piece of code? Well, traditionally we might think of entering a number, but what if you enter flag as your input? It prints out the value assigned to the flag variable, which is highly undesirable. You might think this only exposes the variables mentioned in the piece of code, but an attacker would not stop there: they could retrieve any file from your system, which could be highly dangerous. This is how someone could easily inject a command through your code. For this example I am using the whoami command, which prints out the username. This is an example of how it works:

prohacker@ubuntu:~$ python test.py
Enter a number: __import__("os").system("whoami")
prohacker

Feel free to change the command and explore what could be done by replacing whoami with ifconfig, cat ~/.bashrc etc.

And how could you avoid such issues? One major way is to replace input with raw_input, which returns the entered text as a plain string, and then validate the input in your code by converting it explicitly into the data type you require. If you are too lazy to do all this, just switch to Python 3 :P (in Python 3, input returns a string and does not evaluate it, so it behaves like Python 2's raw_input).
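To make the difference concrete, here is an added Python 3 example (not from the original post) that shows why Python 2's input() is dangerous, namely that it is shorthand for eval(raw_input()), and what "treat the input as data" looks like in practice: ast.literal_eval refuses anything that is not a literal, and a plain number parser is stricter still. The injection string is reused from the article above but is only ever parsed, never executed.

```python
import ast

# Constructed sample inputs: a normal number and the injection string
# quoted in the article. Neither is ever passed to eval() here.
BENIGN = "42"
INJECTION = '__import__("os").system("whoami")'

def contains_call(text):
    """True if the text, parsed as a Python expression, contains a function
    call. Python 2's input() is shorthand for eval(raw_input()), so this is
    exactly the kind of input it would have executed."""
    try:
        tree = ast.parse(text, mode="eval")
    except SyntaxError:
        return False
    return any(isinstance(node, ast.Call) for node in ast.walk(tree))

def parse_literal(text):
    """Middle ground: ast.literal_eval evaluates only literals (numbers,
    strings, tuples...), so a call like __import__(...) raises ValueError."""
    return ast.literal_eval(text)

def parse_number(text):
    """Hardened form of the article's snippet: the input stays a string
    (raw_input in Python 2, input in Python 3) and is converted explicitly;
    anything that is not a number is rejected."""
    text = text.strip()
    try:
        return int(text)
    except ValueError:
        pass
    try:
        return float(text)
    except ValueError:
        raise ValueError("not a number: %r" % text)

def rejects(parser, text):
    """True if the parser refuses the input instead of evaluating it."""
    try:
        parser(text)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Compare how each approach treats the benign and the hostile input
    for sample in (BENIGN, INJECTION):
        print(repr(sample), "has_call=%s" % contains_call(sample),
              "literal_ok=%s" % (not rejects(parse_literal, sample)),
              "number_ok=%s" % (not rejects(parse_number, sample)))
```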

What did we learn from this? Even a small piece of code which we might think is secure can be vulnerable to various attacks. CTFs teach you how to prevent these attacks by helping you write secure code.

Here is a link to a few other basic examples and tools that you would want to look at.

So what specifically do we learn from CTFs?

There are 2 types of CTF contests generally. They are

  1. Attack and Defence
  2. Jeopardy

Attack and Defence is a type of CTF where there are vulnerabilities on all competitors' systems (called boxes), and you must patch your own vulnerabilities to defend yourself from competitors' attacks while simultaneously attacking other boxes to get flags.

Jeopardy is the most popular form of CTF where a user/team gets a set of challenges and you have to identify the vulnerabilities and solve the challenges. The winner is the one who solves most of the challenges in a specified time.

We shall focus on Jeopardy type of CTFs for the time being.

A Jeopardy CTF usually consists of five types of challenge:

  • Binary Exploitation (Bin Exp / Pwn)
  • Crypto
  • Forensics
  • Reverse Engineering
  • Web Exploitation

Binary Exploitation is finding vulnerabilities in a given binary file or executable in order to access the data it protects.

Crypto includes a set of challenges where there are some encoded/encrypted messages which you need to decode/decrypt to obtain flags. This will introduce you to the world of applied, practical cryptographic techniques.

Forensics is a field where you analyse data recovered after an attack has taken place. This can be done on memory dumps, network packet captures etc.

Reverse Engineering is something you perform on a piece of software to understand how it works, typically by disassembling it.

Web Exploitation is the exploitation of bugs found on a website by analysing it. There are various kinds of attacks that can be done, the most common and basic being command/code injection, SQL injection, directory traversal, XSS attacks etc.

There are other forms of challenges like OSINT, PPC (Professional Programming and Coding), Lockpicking etc., but we will not go into them at this point.

With these, we believe you might have a brief idea on how the CTFs work.

I'm interested. Where should I begin?

Any decent developer must have a good grip on the Linux file system and command line, and this is where we believe you must start. Bandit from OverTheWire is an amazing wargame which could teach you all the basics of Linux. You will learn amazing things here, trust us!!!

If you are done with Bandit, you might want to do Natas, Krypton, Leviathan etc. if you are interested. These would introduce you to the fields of Web Exploitation, Crypto and Bin-Exp respectively.

But if you find the concept of wargames boring, then after doing Bandit (which is highly recommended), we suggest you do PicoCTF. The challenges there are designed to teach the basics of CTFs, and trust us, they are helpful for beginners. There is much more stuff out there which you could explore on your own.

You could also look into Hardware CTFs where one could exploit the vulnerabilities on hardware devices.

Here are a few Youtube channels which we recommend you to look into:

  • LiveOverflow - An amazing channel with many tutorials related to binary exploitation, reversing and hardware hacking.
  • John Hammond - Another amazing channel, which consists of walkthroughs for various CTF challenges.
  • Null Byte - An amazing YT channel whose focus is on creating videos for aspiring ethical hackers, computer scientists, and the infosec community. Do check out their blog for some amazing content too.

In addition, you might find tons of resources online like Captf, Awesome CTF etc. which could guide you all along.

There are CTFs happening almost every weekend, where participants compete internationally. Look out for them on CTF Time.

Who are we?

Last but not least, we would like to introduce ourselves :P. We are a bunch of cybersecurity enthusiasts. I guess that is what defines us. Some of us are doing it for the love of Crypto, some of us just because we didn't find our interests elsewhere, and some of us out of pure interest and love for cybersec. We are currently the 14th best-ranked team in India and 190th best internationally, and we would love to achieve a better rating in the coming times.

If you are interested in CTFs and are willing to go ahead and try it, please do not hesitate to contact us (we have dropped enough hints in this article on whom to contact, so figure it out XD), and also don't hesitate to team up with your batchmates/seniors to participate in CTFs. Most CTFs have no limit on the size of the team, so you could very well form a team of an entire batch too if you wanted to. Do look out for upcoming CTFs on CTF Time.

Happy Hacking and Stay Safe.