What is CTF (Capture The Flag) ?

Capture the Flag (CTF) is a competition that related to information security where the participants will be test on a various of security challenges like web penetration testing, reverse engineering, cryptography, steganography, pwn and few others more. Participants must get the “flag” to gain their points. So, the team who have the highest point at the end of the game will be the winner.

Usually, CTF competition is free and most of CTF out there are online and organized by various organizer. In malaysia we have wargames my where it is a 24-hours online CTF hacking game. It’s open to all Malaysians – students, academics, professionals, hobbyist or anyone. The organizer not just a big company, but also the organizer may from various local universities.

 

 

Why participate in CTF?

There are few reasons why you must join CTF competition: –

  1. To gain knowledge and experience in Cyber Security environment.
  2. Hobby
  3. Socializing and networking
  4. To make your resume awesome!

Sometimes, when you participate on CTF, the industry will acknowledge your skill and maybe you will be recruited as one of their staff.

 

Types of CTF

There are three common types of CTFs: Jeopardy, Attack-Defence and mixed.

  1. Jeopardy-style CTF
    Jeopardy-style usually have multiple categories of challenges, which contains a variety of questions of different point values and difficulties.
  2. Attack-defence CTF
    While on this type of CTF competition, each team is given a task to defend their network or server and the other will attack the opponents. Teams may attempting to take an opponent’s flag from their machine by pwn(own)  the opponent’s machine.

Usually the flags that organizer give are easily recognizable strings, like “FLAG{th1s1s7h3fl4g}” so that participants don’t miss them.

 

Categories of challenge in Jeopardy-style CTF

In such competitions there usually are different categories of challenges and within each category, challenges are sorted by their difficulty.

Traditional categories include:

  1. Web: This type of challenges focus on finding and exploiting the vulnerabilities in web application. The may be testing the participants’ knowledge on SQL Injection, XSS (Cross Site Scripting), and many more.
  2. Forensics: Participants need to investigate some sort of data, like do a packet analysis on .pcap file, memory dump analysis and so on.
  3. Cryptography: Challenges will be focus on decrypting a encrypted strings from various type of cryptography such as Subtitution crypto, Caesar cipher and many more.
  4. Reversing (or Reverse Engineering): RE usually need participants to explore a given binary file weather PE file, ELF file, APK or some types of other executable binary. Participant need to find the key by decompilation, disassemble using static or dynamic analysis or other reverse engineering tools.
  5. Exploitation: Within this type, the goal is to build an exploit, very often for a binary, though sometimes for a Web application. Almost always contestants have (explicit) access to the source code of the application, unlike the Reversing category, where a big part of the challenge is that you have to essentially play “in the dark”.
  6. Miscellaneous: Everything not listed else that is still relevant to Information Security is in this category. This need require Google-Fu skill.

 

 

Skill required in CTF

  1. Google-Fu Skill
    Sometimes, flag and details information for your findings during solve the challenges can be get by just google the title, description and related information. Miscellaneous category require google skill. If you don’t know anything about the challenge just google the keywords. Sometimes if you know little bit of information and concept about the challenges, just google the concept + “write-ups”. Usually, organizer make challenge based on CTF online platform.
  2. Learn python or other scripting languages.
    Programming such as python will make us easier to do what we looking for. Sometimes, challenges require scripting knowledge and skill to generate/get our flag.
  3. Linux skill
    There is a lot of good tools in Linux that you can use for solving CTF challenges. Hacker out there in real-world prefer Linux than using Windows. These some tools and command line I list for you to explore;

    • cat
    • nc
    • strings
    • file
    • grep
    • unzip
    • nano, vim – text editor
    • chmod
    • binwalk – Stegano, Forensics
    • pdfcrack – crack pdf password
    • Exiftool – Stegano, Forensics
    • foremost – Stegano, Forensics
    • base64 – Crypto
    • gdb – Reverse Engineering
    • ltrace, strace – Reverse Engineering
    • and many more!
  4. Web Penetration Skills
    CTF, often have challenge for web hacking. Knowledge in web concept and pentest is so much important for participant to solve the challenge. Usually, the challenges are based on OWASP Top 10. Exploring the OWASP top 10 will get you some good skill for this. Refer this https://www.greycampus.com/blog/information-security/owasp-top-vulnerabilities-in-web-applications.
  5. Reverse Engineering Skills
    RE required knowledge of understanding the codes. You need to have a strong C programming languages and Assembly language for this. If you want to explore more, read this book https://github.com/harryskon/re4b.
  6. Pwn Skills
    In order to master pwn you need have RE skills first. Pwn is a leetspeak slang term derived from the verb own, meaning to appropriate or to conquer to gain ownership. Tools like pwntools will help you a lot in CTF. Refer this https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit/.
  7. Wireshark and Network Miner tools.
    Mastering PCAP analysis will make us good in CTF. CTF often too have challenge about pcap analysis. Just youtube the tutorial how to use Wireshark. Strings and binwalk command sometimes can help you.
  8. Cryptography
    Use online tools to decrypt. Google some information.

 

Tips in CTF

Steganography

Note:
  • Usually when organizer gave us Image, M usic, Video, Zip, EXE, File System, PDF and other files, it a steganography or forensics challenge.
  • Always issuing file <filename> command to whatever file you get first!
  • Checkout the EXIF data of the file by using exiftool <filename> command.
  • Try file carve using foremost <filename> command. Foremost support all files.
  • Note the flag at one text file.
  1. Image @ photo
  2. Zip
    • File carve using foremost <filename> command.
    • Unzip it.
    • Use zipdetails -v command to display details about the internal structure of a Zip file.
    • Use zipinfo command to know details info about Zip file.
    • Use zip -FF input.zip -out output.zip attempt to repair a corrupted zip file.
    • Bruteforce the zip password using fcrackzip -D -u -p rockyou.txt filename.zip
    • Binwalk it.
  3. Music file
  4. Text
  5. PDF
    • Lot of tools in kali linux for pdf
      • pdftotext <filename.pdf>
      • peepdf <filename.pdf>
      • pdfimages <filename.pdf>
      • pdfcrack 
    • OfficeMalScanner.exe <filename.pdf>
    • Malzilla
    • PDFStreamDumper.exe

 

PCAP Analysis

Note:
  • So, usually they gave us file in .pcap or .pcapng file type.
  • Note the flag at one text file.

    • Use strings command the pcap file.
    • Analyse it using Wireshark.
    • Analyse it using NetworkMiner. It used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc …
    • Use binwalk
    • Try aircrack-ng <pcap> -w <wordlist> or to crack wifi password.
    • Then airdecap-ng -p <password> <pcap> it.
    • Use netcat command when you find ip on it.
    • Open the server ip in web browser.
    • Use http://pcapng.com/ to convert pcapng file to pcap file. And analyse it using Network Miner software.

Cryptography

Whatever happen, google is your friend.
  • Usually they gave us a jumbled text that we cannot understand.
  • Decrypt it using online tools. Look at my bookmark bar security/online tools.
  • Try and guess.

Pwn

Note:
  • Usually they gave us a binary and a source code of the binary.
  • Whenever you get a file, issuing file command first to it to know what really file is it.
  • You need know about Assembly Language, computer architecture, C programming and Python language to make script for this challenge!
  • Note the flag at one text file.
    • Do some reverse engineering first.
    • Understand the C code.
    • Use Zeratools.
    • Maybe overflow concept.
    • Use pwndbg.
    • Use strings <filename> command to read the strings in the binary.
    • Maybe some grep -i command too.
    • Use DIE on the binary.
    • Use ltrace ./<filename> command to know what library function are being called in the binary.
    • Use strace ./<filename> command to know what system and signal function are being called in the binary.
    • Use nm <filename> command to know what symbol being called in the binary.
    • Use readelf -a <filename> command. It will displays information about ELF files.
    • Use IDA Pro software to perform static analysis on the binary.
    • Use Snowman software to perform decompiler.
    • Use debugger like GDB-Debugger to debug the binary.
    • File traversing on the netcat. Like ../flag
    • Use pwntools to do script exploitation.
    • Use cyclic to create pattern
    • Gdbpeda pwn
      • Breakpoint at strcmp
      • pattern create [number of pattern]
      • x/s $[register/stack/base]
      • pattern offset [strings of pattern]
      • Then you get the value to pwn it.
    • gdbs [./binaryname] to switch between peda and pwndbg
    • Use python like example, python -c “print ‘A’*28 + ‘\x39\x05′” | ./<filename>

Reverse Engineering

Notes:
  • Whenever you get a file, issuing file command first to it to know what really file is it.
  • Checkout the EXIF data of the file by using exiftool <filename> command.
  • Use strings <filename> command to read the strings in the binary.
  • Maybe some grep -i command too.
  • You need know about Assembly Language and computer architecture for this challenge!
  • Note the flag at one text file.
Usually they gave a binary file. Weather it
  1. PE file
  2. ELF File
  3. APK File
  4. .NET File
  5. Java file.
  6. Python File
  1. PE File
    • Use strings <filename> command to read the strings in the binary.
    • Maybe some grep -i command too.
    • Use DIE, PEID, PEBear, or PEView software to do static file analysis. Find details of file in there!
    • Use HxD to check the header file, file signature. Maybe the corrupt file sign one.
    • Find it whether it packed or not. Find online unpack.
    • Find it whether the binary has anti-debug or not.
    • Use IDA Pro software to perform static analysis on the binary.
    • When do analysis static or dynamic focus on strcmp, function call, conditional jump.
    • Use Snowman software to perform decompiler.
    • Use debugger like Immunity Debugger, x64Dbg/x32Dbg, or WinDbg to debug the binary.
      • Modify and assemble the binary. Like change PUSH 0 to JMP <flag address>.
      • Modify conditional JUMP.
      • After doing some modifying stuff..
      • right-click -> copy -> select all -> right click again -> copy to executable -> all modifications -> click copy all -> right click again -> save file -> rename it -> open back
      • or in x64dbg just click patch.
    • Scan the binary on virustotal.com to know something malicious.
    • run command rundll32 <dllfilename>
    • Use eXeScope to find out about header, import and resource of the binary.
    • Use universal extractor to extract files in the binary.
    • Buat script balik lepas tgk code decompiler
  2. ELF File
    • Use strings <filename> command to read the strings in the binary.
    • Maybe some grep -i command too.
    • Use DIE on the binary.
    • Find it whether it packed or not. Find online unpack.
    • Find it whether the binary has anti-debug or not.
    • Use HxD to check the header file, file signature. Maybe the corrupt file sign one.
    • Use ltrace ./<filename> command to know what library function are being called in the binary.
    • Use strace ./<filename> command to know what system and signal function are being called in the binary.
    • Use nm <filename> command to know what symbol being called in the binary.
    • Use readelf -a <filename> command. It will displays information about ELF files.
    • Use IDA Pro software to perform static analysis on the binary.
    • Use Snowman software to perform decompiler.
    • Use debugger like GDB-Debugger to debug the binary.
  3. APK File
    • Use APKTool <filename> command tools.
    • Use Android Emulator to run the program.
    • Use Android Debug Bridge.
    • Use dex2jar <filename> command tools.
    • Use jd-gui.
    • rename the file to zip file. Unzip it.
    • apktool -> file extracted -> use dex2jar to convert .dex file to .jar file-> open tha .jar file using jd-gui
  4. .NET File
    • Use dnSpy software. Very powerful. Edit it -> compile -> save all. Try run the program back!
  5. Java file
    • Use Java Decompiler program to decompile it.
  6. Python File
    • Use Easy Python Decompiler to decompile it.

 

Web exploitation

Note:
    • View the page source first. Analyse it!
    • Save page as to look to full code of JS.
    • Use Inspect Element tools.
    • Try php console alert(function) or console.log(function) on function that suspicious.
    • Try to look to <web URL>/robots.txt
    • Use nmap <URL> command to look up for the open port.
    • Use DirBuster tools to try directory traversing.
    • Use WPScan if the web is using WordPress platform.
    • Focus on Cookies that the web use.
      • if the cookies false, make it true.
    • Focus on User Agent that the web use.
    • Use Burpsuite or Fiddler software to intercept request.
    • Try execute some Linux/Windows command at textbox in the web.
    • Try upload php shell on file uploader. For file uploader vulnerability.
    • Look for index.php for the web.
    • Use /../../../ for file traversing.
    • Try to find /etc/passwd of the web.
    • OWASP Top 10.
    • Use URL injection.
    • Use URL Trick like modify the parameter.
    • Use SQL Injection.
    • Use Cross-Site-Scripting method.
    • Local File Inclusion.
    • Remote File Inclusion.
    • Use SQL and XSS sidebar
    • Look for backup file like index.php.bak.
    • XSSer – Automated XSS testor. Of course, command line.

Trivia Challenge

  • Google is your friend. Use quote mark.
  • Maybe the source code of CTF platform.
  • Reverse image.
  • File traversing on CTF platform.

 

Tools in CTF

  1. https://github.com/zardus/ctf-tools
  2. https://github.com/MrMugiwara/CTF-Tools
  3. https://github.com/apsdehal/awesome-ctf

There are many online CTF / Hacking websites out there that you can train yourself and improve your knowledge in infosec world.

Here some of them that I got by some google-fu and also from variety of other sources.

List of Hacking & CTF Challenge Sites

General CTF

  1. https://www.net-force.nl/challenges/
  2. https://ctfs.me/
  3. http://www.wechall.net/challs
  4. http://www.mod-x.co.uk/main.php
  5. https://www.root-me.org/?lang=en
  6. https://picoctf.com/
  7. http://hax.tor.hu/welcome/
  8. https://ringzer0team.com/home
  9. https://backdoor.sdslabs.co/
  10. http://shell-storm.org/repo/CTF/
  11. https://w3challs.com/
  12. https://ctflearn.com/
  13. https://ctf365.com/
  14. https://www.hellboundhackers.org/
  15. https://www.hackthis.co.uk/
  16. https://www.enigmagroup.org/
  17. http://ctf.komodosec.com/index.php
  18. http://bright-shadows.net/
  19. https://ctf101.org/
  20. https://hackcenter.com
  21. https://www.hackthissite.org/
  22. https://www.rankk.org/
  23. https://canhack.me/
  24. https://hackburger.ee/challenge/
  25. https://www.hackergateway.com/
  26. https://www.wixxerd.com/challenges/
  27. https://www.sabrefilms.co.uk/revolutionelite/
  28. https://www.challengeland.co/#
  29. https://ctf.hackerfire.com/
  30. http://ctf.infosecinstitute.com/index.php

 

Web Exploitation

  1. https://hack.me/s/
  2. http://www.gameofhacks.com/
  3. https://join.eset.com/en/challenges
  4. http://www.dvwa.co.uk/
  5. http://google-gruyere.appspot.com/
  6. http://www.hackertest.net/
  7. http://solveme.peng.kr/
  8. http://www.hacking-challenges.de/
  9. https://redtiger.labs.overthewire.org/
  10. https://www.hackthebox.eu/

 

Reverse Engineering

  1. https://microcorruption.com/
  2. http://reversing.kr/challenge.php
  3. https://www.malwaretech.com/beginner-malware-reversing-challenges
  4. https://crackmes.one/
  5. https://challenges.re/
  6. https://reverse.put.as/crackmes/
  7. https://join.eset.com/en/challenges
  8. http://flare-on.com/
  9. https://ropemporium.com/

Pwn

  1. http://pwnadventure.com/
  2. https://exploit-exercises.com/
  3. http://pwnable.kr/play.php
  4. https://pwnable.tw/challenge/
  5. https://www.pentestpractice.com/

 

Wargames

  1. http://io.netgarage.org/
  2. http://smashthestack.org/wargames.html
  3. http://overthewire.org/wargames/
  4. https://chall.stypr.com/
  5. http://www.underthewire.tech/wargames.htm

 

Cryptography

  1. http://cryptopals.com/
  2. https://id0-rsa.pub/
  3. http://www.caesum.com/game/
  4. https://www.trytodecrypt.com/index.php
  5. https://www.cryptoclub.org/challenges/index.php

Network Forensics

  1. https://forensicscontest.com/

 

Feel free to leave your comment and give suggestion for this list.