**North Carolina A&T State University**
*Computer Systems Technology*
*Center of Excellence in Cybersecurity Research, Engineering and Outreach (CREO)*
# Capture The Flag Write-Up
## Introduction to Cybersecurity
> Hello, and thank you for attending Explore IT Day! During this session, you will be introduced to some basic disciplines that exist within the field of cybersecurity by completing CTF Challenges. But of course, that begs a few questions. First, what is cybersecurity? Well, according to the [Cybersecurity & Infrastructure and Security Agency](https://www.cisa.gov/news-events/news/what-cybersecurity), cybersecurity is "**Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.**". Basically, cybersecurity describes how people protect computers from the bad actors, who might otherwise try to steal data, control systems, or cause other trouble. Second, what is a CTF Challenge? Well, in cybersecurity, Capture the Flag describes a variety of competitions where individuals and teams are tasked with solving cybersecurity based problems. The "flag" is usually a string of some kind that indicates that the challenge was solved. Specifically, we will be exploring **Jeopardy Style** CTF challenges using [**PicoCTF**](https://picoctf.org/resources.html).
# CTF Challenges
## [**Challenge #1: Binary Search**](https://play.picoctf.org/practice/challenge/442?page=2)
> ## What is Binary Search?
> Binary search is an efficient search algorithm used to find a target value in a sorted list or array. It operates by repeatedly dividing the search space in half and comparing the target value with the middle element.
> ## How Binary Search Works
1. **Initial Setup**: The binary search algorithm is given a search value and a list of items, like so:
| 1 | 3 | 7 | 9 | 11 | 13 |
| --- | --- | --- | --- | --- | --- |
When run through the algorithm, it takes the following form:
This is called a [**binary tree**](https://www.w3schools.com/dsa/dsa_data_binarytrees.php), which is a special way of organizing data in order reduce the number of operations needed to find a desired value. Instead of checking each element inside of a list to see if that value if the one you are looking for, a binary tree organizes similar values together so that they are easier to find, due to their like qualities. For more information about why binary search is efficient, visit this link [here](https://www.geeksforgeeks.org/analysis-algorithms-big-o-analysis/).
2. **Check the Target Node**: Starting from the top of the binary tree, compare the value of the target node with the value being searched for.
> * Starting from the root (top) node, if the target node value matches the search value, the search is complete and the element has been found!
> * If the value of the target node is greater than the search value, the algorithm shifts to the right node.
> * If the value of the target node is less than the search value, the algorithm shifts to the left node.
3. **Repeat**: Continue this process by halving the search space until either the target is found or the search space becomes empty.
> ## Binary Search [Pseudocode](https://www.techtarget.com/whatis/definition/pseudocode#:~:text=Pseudocode%20is%20a%20detailed%20yet,involved%20in%20the%20development%20process.)
```
def binary_search(arr, target):
left = 0
right = len(arr) - 1
while left <= right:
mid = (left + right) // 2
# Check if target is present at mid
if arr[mid] == target:
return mid
# If target is smaller, ignore the right half
elif arr[mid] > target:
right = mid - 1
# If target is larger, ignore the left half
else:
left = mid + 1
# Target not found
return -1
```
> ## Example
Given the sorted list:
[1, 3, 5, 7, 9, 11, 13]
Let's search for the target #7:
> 1. The search value is the number 7, which matches the target.
> 2. The algorithm stops and returns the value at index 3 (lists in programming languages begin with [index 0](https://codefinity.com/blog/Why-Do-Programmers-Count-from-Zero)).
> ## Time and Space Complexity
**Time Complexity:** \(O(log n)\) — The search space halves at every step.
**Space Complexity:**
> * O\(1\)\) for iterative solutions.
> * \(O\(log n\)\) for recursive solutions (due to recursion stack).
For more information on algorithm analysis and Big O analysis, read [this](https://www.geeksforgeeks.org/analysis-algorithms-big-o-analysis/).
> ## **Why is it Efficient?**
Binary search is much faster than linear search \(O(n)\) for large datasets because it eliminates half of the search space at each step. However, it requires the list to be sorted in advance.
> ## **Solving the Challenge**
> ### **Step 1**: SSH Connection
```
ssh -p 64697 ctf-player@atlas.picotcf.net
```
* **`ssh`**: Secure Shell to remotely access the server.
* **`-p 64697`**: Specifies the custom port number (63117) for the SSH connection.
* **`ctf-player@atlas.picotcf.net`**: The username **`ctf-player`** and the remote server's hostname **`atlas.picotcf.net`**.
After entering the password (here, it is **1ad5be0d**), you successfully logged into the server and were greeted by the server's banner **"Welcome to the Binary Search Game! I'm thinking of a number between 1 and 1000. Enter your guess:"**:
> ### **Step 2**: Implementing Binary Search
* In this instance, the list is too extensive to write out. But still, it is simple enough to calculate what the target root node is (500).
* A solution can be found by repeatedly reducing the size of the list by choosing the median value as input, then determining the new values of the list based on the response from the server **Higher** or **Lower**.
> ## Conclusion
By implementing a binary search method, you can successfully guess the correct number in fewer than 8 moves and get the challenge's flag.
## [**Challenge #2: Includes**](https://play.picoctf.org/practice/challenge/274?category=1&page=1)
> ## **Solving the Challenge**
> 
This challenge doesn't provide a whole lot of information before hand. In order to get more context into the challenge, start by clicking "**Launch Instance**", then click the link provided (where it says "website"). Then, the challenge will load, like so:
There is a lot of important information here. First, this challenge is testing "**Web Exploitation**" skills. Basically, participants are tested on their ability to identify vulnerabilities in web pages. It is a good idea to start any web exploitation engagement by inspecting the [source code](https://www.washington.edu/research/glossary/source-code-and-object-code/#:~:text=Source%20code%20is%20generally%20understood,compiled%20with%20a%20C%20compiler.). We can do this by right clicking inside the broswer window and selecting "**Inspect**" or "**Inspect Element**" to open the **Developer Tools Menu**:
We can also see, on the main page, the following quote:
> "Many programming languages and other computer files have a directive, often called include (sometimes copy or import), that causes the contents of a second file to be inserted into the original file. These included files are called copybooks or header files. They are often used to define the physical layout of program data, pieces of procedural code and/or forward declarations while promoting encapsulation and the reuse of code."
Given that the name of the challenge is "Includes", it is safe to assume that with this additional clue, the flag can be found somewhere within the included files. In websites, included files will typically be [**Cascading Style Sheets** (CSS)](https://www.w3schools.com/css/css_intro.asp) and [**Javascript**](https://www.w3schools.com/js/js_intro.asp) files. CSS is used to modify the visual appearance of a webpage in a structured and repeatable manner. Javascript is used to allow webpages to be dynamic, or to take different actions based on some user input. Together with HTML, these three languages make up a basic [**Front-End Web Stack**](https://www.mongodb.com/resources/basics/technology-stack).
Also, note the presence of the "**Say hello**" button. As a button, this is a way for users to provide input to the webpage. When it is clicked, the following alert pops up:
This further supports the hypothesis that the flag can be found within the included files. Let's explore!
After opening the **Developer Tools**, a menu should appear like so:
In these exercises, I am using "**Safari**", but other browsers (i.e. Google Chrome, Microsoft Edge, Firefox, etc.) have this menu as well. Initially, you will see the source code for the web page that is currently loaded in the browser. Here, it is shown that two files are included with the HTML - `style.css` and `script.js` in the following lines:
```
<link rel="stylesheet" href="style.css">
...
<script src="script.js"></script>
```
To see the contents of these files, click on the "**Sources**" tab at the top. If this is not an option, the data can also be viewed from the "**Network**" tab. Different web browsers will have different options:
On the left side of this menu are the two files identified in the HTML source code. Start by selecting `style.css` (If you used the "**Network**" tab, simply click on the listing which has the file name and the content should appear):
And, we've got it! The first part at least. Nested within a comment (denoted by the `/* */`), the part of the flag can be found. To find the second part, take a look at the `script.js` file:
Here, we can see the second (and final) part of the flag, again nested within the comments (denoted by the `//`). To complete the challenge, copy both parts of the flag and paste them into the challenge webpage, then click "**Submit Flag**".
> ## Conclusion
By utilizing the Developer Tools Menu, you can inspect the source code of a webpage and view all of the files that are loaded along with the HTML!
## [**Challenge #3: Information**](https://play.picoctf.org/practice/challenge/186?category=4&page=1)
> ## **Solving the Challenge**
The first clue given about this challenge is the name, "**Information**". From the challenge description participants are given an image file, `cats.jpg` that is meant to be inspected. To start, click on this link to download the file:
Upon initial inspection, this simply looks like a regular image of a cat! To get more details, take a look at the [metadata](https://www.techtarget.com/whatis/definition/image-metadata) of the file:
This process will vary across Operating Systems, but on Windows open the image in the File Explorer, right click on it, then click on `Show more options > Properties`. Looking through this information, we can see the name of the image, the format it is in, when it was created, and other details about the image itself. However, from this window view, there are only certain metadata tags that will be displayed. In order to get a full view of the metadata contained within the image, you can use a special command line tool called `exiftool`.
Using the [`Webshell`](https://webshell.picoctf.org) feature on picoCTF, do the following:
1. Right click on the link for `cat.jpg` and copy the link
2. In the webshell, type `wget`, then paste the copied url. This will download the image so you can use it.
` 9
wget https://mercury.picoctf.net/static/d1375e383810d8d957c04eef9e345732/cat.jpg
`
4. Run `exiftool cat.jpg` to see all the metadata contained in the image.
Using this tool, there is clearly more information provided. An interesting metadata property that can be found is the `License`, which holds a value `cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9`, and appears to be a jumble of alphanumeric characters (A-Z, a-z, 0-9). This indicates that the data is possibly encoded using [Base64](https://bunny.net/academy/http/what-is-base64-encoding-and-decoding/). Basically, this means that this value might have a more sensible value if it can be decoded. In order to do that, use the `base64` tool within the Webshell, like so:
```
echo "cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9" | base64 -d | more
```
* `echo`: Prints whatever it is given to the terminal window
* `|`: This is called a pipe symbol, and it is used to pass the output of one command as the input to another. Here, it is used to pass the base64 string to the `base64` tool.
* `base64 -d`: Used to conduct operations with the base64 algorithm at the command line. Here, it is used to decode the given string value, which is denoted by `-d`
* `more`: Here, it is used to make the output appear preetier.
Running this command should look something like this:
And there, we can see the flag!
> ## Conclusion
Metadata is data that describes the properties of a file. It can be inspected using command line tools. Sometimes data is encoded, so it appears to be different that it's initial meaning. Decoding obfuscated data will reveal any hidden meaning behind it!
## [**Challenge #4: Mod 26**](https://play.picoctf.org/practice/challenge/144?category=2&page=1)
> ## **Solving the Challenge**
Take a look at the challenge description:
> "Cryptography can be easy, do you know what ROT13 is? cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_Ncualgvd}"
The string `cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_Ncualgvd}` kind of resembles a flag! However, from past experience it is known that flags take on the form `picoCTF{...}`. So, what can be done to decrypt this value?
The description also mentions something called `ROT13`. According to [GeeksforGeeks](https://www.geeksforgeeks.org/rot13-cipher/):
> "ROT13 cipher(read as – “rotate by 13 places”) is a special case of the Ceaser cipher in which the shift is always 13. So every letter is shifted 13 places to encrypt or to decrypt the message."
Let's try decrypting the given string value using Rot13! [rot13.com](https://rot13.com) provides an easy way to do this, like so:
And violá! Like magic, the flag appears.
> ## Conclusion
Information can be encoded using a variety of different algorithms. It is beneficial, when working in Cybersecurity, to be able to identify how data can possibly have been encoded in order to attempt to decode it for practical use.
# Summary
CTF challenges test cybersecurity skills through hands-on problem-solving. Web Exploitation involves analyzing web apps for vulnerabilities using tools like the browser developer tools. Cryptography challenges test ones ability to analyze encryption algorithms, like ROT13, then decoding it so that is exists in some useful form (e.g., transforming "cvpb" to "pico"). Forensics focuses on extracting hidden data from files using metadata analysis (ExifTool) to uncover flags in images or log data.
# Links
> ## Challenges
* **Binary Search**: https://play.picoctf.org/practice/challenge/442?page=2
* **Includes**: https://play.picoctf.org/practice/challenge/274?category=1&page=1
* **Information**: https://play.picoctf.org/practice/challenge/186?category=4&page=1
* **Mod 26**: https://play.picoctf.org/practice/challenge/144?category=2&page=1
> ## Resources
https://www.cisa.gov/news-events/news/what-cybersecurity
https://www.w3schools.com/dsa/dsa_data_binarytrees.php
https://www.techtarget.com/whatis/definition/pseudocode#:~:text=Pseudocode%20is%20a%20detailed%20yet,involved%20in%20the%20development%20process
https://codefinity.com/blog/Why-Do-Programmers-Count-from-Zero
https://www.geeksforgeeks.org/analysis-algorithms-big-o-analysis/
https://www.washington.edu/research/glossary/source-code-and-object-code/#:~:text=Source%20code%20is%20generally%20understood,compiled%20with%20a%20C%20compiler
https://www.w3schools.com/js/js_intro.asp
https://www.mongodb.com/resources/basics/technology-stack
https://www.techtarget.com/whatis/definition/image-metadata
https://www.geeksforgeeks.org/rot13-cipher/
# About the Author
[Jaden Andrews](https://jadenandrews831.github.io)
Red Team Operations Lead
[Center of Excellence in Cybersecurity Research, Education, and Outreach (CREO)](https://www.ncat.edu/research/centers/creo/index.php)
Sign in with Wallet
Connect another wallet