Getting Started With CTF’s by Jeff Moye

BSides London, 20:34, 237 views, published 2022-01

Okay, so CTFs, capture the flag challenges, are an excellent way to learn some cyber skills, and the good news is there's loads of free ones online. This is the story of how one noob started on his own, nowhere near Rickmansworth, and how he started off on his hacking journey with some of the less frequently talked about CTFs. I'll tell you what CTFs are, why you should use them in your journey, where you can find them, and I'll walk through an example challenge so you get a feel for how they work. So, this is me. I'm Black Rat. I work in physical security, not IT security just yet, but I'm working on that. So, Black Rat, he's just this guy, you know?

What's my background? Well, I had one of these the first time they were cool. I enjoy making model rockets. I like playing with locks, and radios, and electronics, and defying gravity, and I also volunteer with the RAF Air Cadets, which gives me an excuse to teach some of this stuff to kids. Oh, yeah, I teach kids how to play with guns as well. So, what could possibly go wrong? And I'm a massive Hitchhiker's Guide to the Galaxy fan. If you've been paying attention, you've probably noticed about three references already. So, anything I say here is my own opinion, and not that of my boss. My opinions might be wrong. You're welcome to disagree with me.

If you do something because of something that I've said and it works, then you're welcome. If it goes wrong, then that's your problem. Like it or not, there are guidelines, rules, laws if you like. People don't tend to see the funny side if you take down a company's website and lose all their data for them, so don't break other people's stuff, unless they say you can, and they sign it. Anything I say here that sounds like legal advice is just that: words that sound like legal advice. I'm not responsible for keeping you out of jail. That's your job.

Okay. Capture the flags, then. CTFs are capture the flag challenges. They're a series of puzzles that someone's put together to help you learn or demonstrate a particular set of skills. It might be a learning environment, or it might be a competition where you're competing against others to score the most points. CTFs can also be run as a competition. Jeopardy style is where the CTF runs for a certain period of time, and you score points by solving as many challenges as you can. The person or team with the most points at the end wins. Attack and defense CTFs are a bit different. You have a network, or a host on a network. You've got a period of time to secure your system and get exploits and tools ready. Then the organizers connect the networks, so now you need to defend your system and attack the other players to score the points.

So, what are the flags? Well, the flag is a token. It's normally a piece of text or a reference number, and you have to enter that into the back-end scoring system to prove that you've solved the challenge. A lot of the learning environments these days don't actually show you the flag, and so for the purposes of this talk, I'm going to say that those flagless CTFs are just like any other CTF. So, when you solve the problem, you get a congratulatory message, you give yourself a pat on the back, you allow yourself a small air punch. Sorry, you punch the air. And then you move on to the next challenge.

There are loads of free CTF learning environments out there. Hack The Box has been a long-time supporter of B-Sides. They're a CTF-style online training platform. They've got a wide variety of online labs that you can pick and choose from at any time, and they keep updating what's there. If you pay for a subscription, then you get access to all of their retired labs as well. A big shout out to Immersive Labs. That's a commercial offering that businesses can buy licenses for so their staff can access their labs. But if, like a lot of people in the industry, you're neurodivergent or a student or ex-military, then you might qualify for free access to a subset of their content. And I currently rank fourth on the Neurodivergent Academy leaderboard. The SANS Holiday Hack Challenge is a Christmas-themed CTF. Look out for this year's event, which is going to be starting very soon at holidayhackchallenge.com. More on this later. There's HackerOne, the planet's biggest bug bounty platform. They've got their HackerOne01 CTF with dozens of free-to-explore puzzles to challenge you there. Other systems I used when I was starting include defendtheweb.net, tryhackme.com, and the one that I actually started with was hackthissite.org. They've been going since around 2004, and the site looks a little bit dated these days, but the training is still relevant, and it's a great place to start.

So, what's the point of these games? Well, how else do you learn these skills? Let's say, hypothetically, you start going after a website without the owner's permission. You might stumble across what looks like login credentials stored in plain text, and before engaging your brain, you might accidentally discover that those creds give you root on their website. So, now what do you do? Do you tell the site owner, "Hey, I just hacked your site 'cause you're giving away root creds"? You'd imagine the response would be, "Good catch. I'll fix that. Thanks." But what if you get no response? Well, then I'd imagine you've probably got a couple of months of quite uncomfortable waiting for the feds to come and knock on your door and talk about computer misuse or something, possibly. The point is, with CTFs, you've got the owner's permission, so this is all legal and above board. And they're fun, too.

So, what subjects do they cover? Well, there's all the standard stuff: broken access controls, cryptographic failures, injection, insecure design, misconfiguration, all this stuff. You might recognize this list. This is the OWASP Top 10 for 2021, OWASP as in the Open Web App Security Project. But CTFs aren't just about web apps. They cover crypto, programming, bash, network enumeration, reverse engineering, embedded. The list just goes on and on.

So, how difficult are they? Well, some CTFs are designed to be really straightforward. You probably get an obvious clue as to what it is you need to do, or some hints to give you an idea of the sequence of steps you've got to go through. Or a CTF could be designed to challenge you, to see what you can do. You might need to try a few different techniques before you find something that works. I've seen one challenge in a CTF where you started off in a Vim environment, and the challenge was you need to quit out of Vim back to the command line. And then I've seen some easy ones as well. I've also seen a challenge where you need to reverse engineer a self-modifying binary to recover a password. This one, MBR Land, is actually on the B-Sides website. Have a look at it.

So, what do you need to know before you start? Well, there's a proverb that the internet tells me is African. How do you eat an elephant? The answer, fairly obviously, is one bite at a time. There's a shedload of stuff to learn. You can't take it all in one go, so dip into it as you need to. Can you access a website? Yeah? Well, that's probably all your prerequisites satisfied to begin with. Away you go. Some real basic stuff you might want to get a handle on: HTML. Now, you don't need to be able to handcraft a website, but can you press Ctrl+U in your browser and read basic HTML in a simple page? You might want to get some Linux basics down pat. Understand files, directories, basic command line stuff like whoami, pwd, ls, cd, all those things. That's probably enough to make a start. Have a go at some learning-style CTFs that are designed for beginners. They assume zero prior knowledge, to help you out with what you need to know along the way, and it'll all run in your browser, at least to begin with, so your choice of OS won't matter.

As you progress, you'll probably want to learn a programming language to start automating some of this stuff. So, pick a language, any language. Python is popular. Anything else is perfectly valid. Maybe not Rockstar, though. The idea is once you understand a language, the others are more like different accents than different languages. They just put the punctuation in different places. There's loads of free resources online. www.w3schools.com has got loads of well-written basic tutorials on all sorts of languages and various other web technologies as well. At some stage you're likely going to want to get your hands on practicing in your own Linux machine. Some CTFs might give you a vulnerable virtual machine that you need to attack to get the flags out. So virtual machines are cool. You run a simulated computer on your computer. Most likely you can get two or three virtual computers running at the same time, and you can set them all up so they're on their own virtual network inside your machine. I still get a kick out of doing that, but then I still think that digital watches are a pretty neat idea. So you're going to need the ability to run VMs, and it probably doesn't matter too much if you use VMware or Open Box, but hey, why not learn how to use both?

So where do you find the answers? Well, as a style note, don't go looking for answers or solutions. If you want the answers, it's kind of cheating. You don't learn much. It is, however, perfectly valid to research how to do something. For me, CTFs are about the journey rather than the destination. It's the capture rather than the flag. Google is your friend. Other search engines exist: DuckDuckGo, or Bing if you're a masochist. YouTube is your chum. There's lots of content providers out there. Some are better than others. Find the ones that you like, the researchers that talk about the areas you're interested in. And if you do find yourself struggling, if you really can't solve a particular problem, take a break. Try something different. Sleep on it. The brain's a funny old thing. It will keep on working on a problem in the background if you allow it to rest.

Okay, so before we get to the walkthrough, a note on etiquette. In general, it's not the done thing to publish answers to someone else's CTF challenge. If the contest is live, definitely don't release any spoilers, and if you're taking part, don't cheat dishonestly. But each year SANS host their Christmas CTF, the Holiday Hack Challenge, and then they go and publish the official answers and a selection of the winning write-ups. And then they give prizes for the best write-ups. So they actively encourage and publish write-ups. So I figure I'm not going to give too much away if I hold your hand through one of those puzzles so you can see how they work.

So we're going to talk about The Name Game from the 2018 Holiday Hack Challenge, KringleCon, by SANS. The Holiday Hack Challenge has this high-res 3D third-person environment where you can walk around this virtual conference. The Name Game is a terminal challenge. Now, we've spoken with the elf Minty Candy Cane and we've found out that she thinks this system uses PowerShell and SQLite3, and there's a suggestion that the PowerShell call operator, the ampersand, might be useful. So we access the terminal through the magic of clicking on it, and we get some poetry. And if we read through that, we find out that this system is used to onboard new employees and print their name badges. There's a new employee whose surname is Chan, and we need to find their first name in order to print the badge. And then once we've done that, we have to run runtoanswer to check the name that we've just found.

So step one, as always, is recon. Play with the system and see what it does. So option one just allows us to put in some employee information. So I'll put some stuff in and we'll see what happens. Okay, so that's telling us that it looks like the script uses a command line utility to save our data into the database. Okay, that's interesting. What about option two? Well, that asks us for a server address. I don't have a server address. So I'll just press Enter and see what happens. Ah. So now the menu is trying to run ping, probably to try and access a server and see if it's up. Okay. And it tells us that SQLite is probably trying to access a file called onboard.db. Okay.

So stop for a minute and think about what's going on. What is that script trying to do? Well, it's probably trying to call something like this: ping -c3, so that means do it three times and then stop, and then an IP address, whatever input the user gives. So if the menu is not sanitizing the user input, there's scope for a hack there. So we might be able to get a command injection here. Now remember the clue at the beginning about the call operator? Well, with that call operator, the ampersand, we might be able to get the command line to execute an extra command for us. And with PowerShell we could also do it this way, with just a semicolon, to chain the commands instead. But we'll give this a go. We'll see what happens. So we'll go back to the system and we'll just type this in. We don't need to make up a server address. We'll just put "& ls" in and see what happens. And yes, the ping command fails, but look, there's the result of our ls command. So now we know that there is indeed a file there called onboard.db, and runtoanswer is in this folder as well, and there's also this menu.ps1. Now I'm willing to bet that's probably the menu system that we're in at the moment.

So let's see if we can have a look at that and see what's going on with the menu. Okay, first guess: less isn't installed on this system. So as always there's more than one way to solve a problem. So we'll try more menu.ps1 instead. There we go. So there's the content of the script. So we've got the show menu function. If we scroll through this there's the employee onboarding form. That just prompts the user for some data, stores it in variables, and then there's this line which runs SQLite3, opens the file onboard.db, so there's our confirmation that that is the database we're using, and then there's a SQL query that squirts that data into the database. Okay, so I think we're probably good to go and have a go at getting some data out of that database.

So we'll try running SQLite3. That seems to have worked. We've got a SQLite prompt, and there's some clues on there as well. The program tells us how to use it, which is handy if you've never used SQLite3 before. So we use the command .open to open the file. Well, that appears to have worked. And then there's another clue on the screen there. There's a command .help to get some help. That's always useful. And there's a command there called .schema which will show the structure of the database. So we'll give that a go. And there we are. So the table in the database is called onboard, and then there's all the fields for the table. So id, fname and lname. Now I'm willing to bet that's probably first name and last name, and some other stuff. So I think we've probably got everything we need to know to try and get the data out of that database now.

So here's a really simple SQL query, and it's human readable, which is great. So select star, because I'm too lazy to type fname, from onboard, which is the name of our table, where lname equals Chan. So show me every row in the database where the surname is Chan. And what do you know? There's one employee, Mr. Chan, Scott, from Los Angeles. So now the last step of the challenge is to run runtoanswer. It takes a moment to load up, and it asks us for a first name. We'll put Scott's name in and boom, there's the result. Hello Scott and congratulations. So in the background, the CTF is updated. It's told that we've passed the challenge. When we go back into the environment, we get some more clues, and various other challenges are opened up for us.
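Here is an added PowerShell example, not the challenge's own menu.ps1 (the talk doesn't reproduce that script): a reconstruction of what the "ping a server" option looks like when it splices user input into a command string, beside a version that validates the address and calls ping directly. The function names, the validation regex, and the assumption that ping is the Linux ping with its -c count option are all mine.

```powershell
# Added example; not code from the Holiday Hack Challenge or SANS.
# Assumes a Linux host where "ping -c 3 <host>" sends three echo requests.

function Test-ServerUnsafe {
    param([string]$Server)
    # The user's text is spliced into a string that PowerShell then parses as
    # code. Input such as "& ls" or "; ls" therefore gets a second command run
    # alongside the ping; this is the command injection the walkthrough finds.
    Invoke-Expression "ping -c3 $Server"
}

function Test-ServerAddress {
    param([string]$Server)
    # Allow only hostname / IPv4 characters and require the first character to
    # be alphanumeric, so shell metacharacters ("&", ";", "|", "`", "$") and
    # extra ping options (anything starting with "-") are rejected up front.
    return [bool]($Server -match '^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$')
}

function Test-ServerSafe {
    param([string]$Server)
    if (-not (Test-ServerAddress $Server)) {
        Write-Warning "Rejected server address: '$Server'"
        return $false
    }
    # Invoke the native binary with the value as a single argument. Nothing
    # re-parses the string, so even a loosened regex would hand "& ls" to ping
    # as a literal hostname (which simply fails to resolve) rather than run it.
    & ping -c 3 $Server | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Constructed inputs, the first a normal address and the rest the kinds of
# input the menu should refuse.
foreach ($candidate in @('127.0.0.1', '& ls', '; ls', '-f')) {
    "{0,-12} accepted: {1}" -f $candidate, (Test-ServerAddress $candidate)
}
```

The important difference is not the regex but the call style: Invoke-Expression treats data as code, while the call operator with a separate argument keeps the server address as data, so the validation is a second layer rather than the only one.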

So CTFs are great for learning. They're great fun. They're great challenges. But they've all got guaranteed wins at the end. Quite often you'll be hinted, or even outright shoved, in the right direction by the way the question is posed and the hints and clues you get along the way. But real-life hacking isn't like that. You've done all your homework. You've got all those skills. You've got your first proper engagement. You've got hundreds of different things that you could do. So where do you start? Well, a wise friend of mine puts it this way. You know how to use every tool in the workshop? At some stage, you've got to learn how to be a carpenter. So, my advice is have a great time with CTFs, but as soon as you feel ready, or probably even before you feel ready, have a go at something real. Perhaps a bug bounty, perhaps a physical thing, maybe a router or a webcam, maybe a friend will let you test their website. In the meantime, enjoy CTFs. Pretty soon, there'll be no stopping you. Good luck. Any questions?