SlideShare a Scribd company logo

Flag4 CTF

I
ijtsrd

In today’s world a place where there is a large scope for Security, many people are busy building applications, web pages and many more but no one actually concentrates on security aspect of it. As the technology increases, the flaws in the security system also increases. The CTF machine is one such solution for this problem, where the person who is learning hacking can use these kind of machines and learn security in a much deeper way. Capture The Flag are games where the hackers have to solve puzzles and find bugs so that they can get through system flaws and find flag, which is the main goal. Typical CTFs offer many challenges, most commonly the hackers have to exploit some kind of service so that you can get remote access to the server and read the content of the file that contains a special string called “flag”, which is a proof that he she has hacked the system. Dr. C. Umarani | R P Shruti "Flag4 CTF" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-6 , October 2020, URL: https://www.ijtsrd.com/papers/ijtsrd35734.pdf Paper Url: https://www.ijtsrd.com/computer-science/computer-security/35734/flag4-ctf/dr-c-umarani

Education
1 of 2
Download to read offline
International Journal of Trend in Scientific Research and Development (IJTSRD) Volume 4 Issue 6, September-October 2020 Available Online: www.ijtsrd.com e-ISSN: 2456 – 6470 @ IJTSRD | Unique Paper ID – IJTSRD35734 | Volume – 4 | Issue – 6 | September-October 2020 Page 1643 Flag4 CTF Dr. C. Umarani1, R P Shruti2 1Assistance Professor, 2Student, 1,2Masters in Computer Applications, Jain (Deemed-to-be) University, Bangalore, Karnataka, India ABSTRACT In today’s world a place where there is a large scope for Security,manypeople are busy building applications, web pages and many more but no one actually concentrates on security aspect of it. As the technology increases, the flaws in the security system also increases. The CTF machine is one such solution for this problem, where the person who is learning hacking can use these kind of machines and learn security in a much deeper way. Capture The Flag are games where the hackers have to solve puzzles and find bugs so that they can get through system flaws and find flag, which isthemain goal. Typical CTFs offer many challenges, most commonly the hackers haveto exploit some kind of service so that you can get remote access to the server and read the content of the file that contains a special string called “flag”, which is a proof that he/she has hacked the system. KEYWORDS: CTF, vulnerability, flag, security, capture the flag, remote desktop service, tftpd, tftpd32/64, mssql server How to cite this paper: Dr. C. Umarani | R P Shruti "Flag4 CTF" Published in International Journal of Trend in Scientific Research and Development(ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-6, October 2020, pp.1643-1644, URL: www.ijtsrd.com/papers/ijtsrd35734.pdf Copyright © 2020 by author(s) and International JournalofTrendinScientific Research and Development Journal. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (CC BY 4.0) (http://creativecommons.org/licenses/by/4.0) I. INTRODUCTION There can be many ways to learn hacking and CTF machines are one among the most effective ways. TheMaingoalofCTF is to find the flags hidden in the machine by remotelygetting access through the vulnerabilities set up. The concept CTFs came from the traditional outdoor game where two teams each have few flags and their objective is to capture other team’s flags from the base and bring it back to their base which would end the game. Finding out the vulnerabilities using some tools or techniques like nmap, sql-injection, etc. is the toughest job. But once the vulnerability has been found,thehackercan get into the machine using some other tools like metasploit. Vulnerability: It is the weakness in system which can be exploited by the attacker to gain unauthorized access.These vulnerabilities can allow attackers to run code, access system’s memory, installmalwarethroughwhichhe/she can steal, destroy or modify sensitive data which may affect the company’s status, fame and trust. Flag: Flags are secrets hidden in purposefully vulnerable programs or websites. There are two type of CTFs based on the flags. An attacker steals flag from his competitor, this is known as attacker/defence style CTF.Theotheriswherethe flags are obtained from organizations, which is known as jeopardy-style. II. Existing System The aim of this paper is to help hackers learn break into vulnerabilities. In the existing system there are many combinations of vulnerabilities set up to help hackers. Setting up vulnerabilities can be in many ways like web vulnerability, database vulnerability, weak password vulnerability and many more. There are many new CTFs everyday with every vulnerability glooming. CTFs are a way to practice hacking. III. Proposed System The combination of different vulnerabilities includedmakes every CTF different. In the proposed system, combination of few vulnerabilities have been used. RDS (Remote Desktop service) is one of the vulnerability through whichthehacker gets remote access. Another vulnerability is through MSSql which has code execution vulnerability. Another vulnerability is tftpd32 which has buffer overflow vulnerability which can cause denial of service. These vulnerabilities combined causesthecreationoftheflag4CTF machine. Any hacker can use these CTFs and get to know vulnerabilities in real time machines. A. Securing a machine It is really important to secure a machine in the organization point of view because data is everything they have and that is what they have to secure. This is when CTF comes into picture. The hackers are rewarded as per the level of difficulty for finding the vulnerabilities and bugs. But when it comes to CTF’s, more the vulnerability much easier to get through. Therefore based of the level of difficulty required, the difficulty is setup. In the flag4 CTF, I have set the difficulty to medium as I have configured three vulnerabilities which will be discussed further in the paper. IJTSRD35734
International Journal of Trend in Scientific Research and Development (IJTSRD) @ www.ijtsrd.com eISSN: 2456-6470 @ IJTSRD | Unique Paper ID – IJTSRD35734 | Volume – 4 | Issue – 6 | September-October 2020 Page 1644 B. Setting up the vulnerabilities Vulnerabilities can be setup in many ways and in many levels. There are three levels of difficulty, they are: Simple: This level of difficulty will require installation of some affected software. Moderate: This level of difficulty will require installation of some affected software on a specific operating system. Complex: This level of difficulty will requireinstallationand configuration of some affected software on a specific operating system. In the flag4 CTF, we are using windows operating system. Since windows has GUI and many of the users are familiar with the architecture of windows, it becomes easy for the attackers to guess where the flag can be placed. As most of the real world systems in our country are installed with windows OS, this can be a really practical thing to hack into. In this flag4 CTF, I have installed three software’s and configured them according to my needs. These software’s include Adobe ColdFusion, MSSQL, and TFTP. A. Adobe ColdFusion: In flag4 CTF I have installed Adobe ColdFusion 9. There are newer versions of adobe available, but having some vulnerabilities is good for us. By setting this up, RDS login methodcan beattackedthrough a metasploit module and can gain administrative login, this can further be used to gain shell access. Another method is default credentials can be set up as a vulnerability, and directory traversal can be used togainthe flag. B. MSSQL: In most of the systems MSSQL is run almost all the time.This can be used as a vulnerability. Here, in flag4CTFmachine we are using MSSQL 2005 and MSSQL management suite to set up the vulnerabilities. Since this is the vulnerability, we get access to the database directly with least effort. C. TFTP: Which can be abbreviated as TrivialFile Transfer Protocol,is an old service which provides FTP services to unauthenticated users. Here,weareusingTftpd32insteadof Tftpd64, again for the same reason of vulnerability. Tftpd32 is also vulnerable to buffer overflow. And there is also a metasploit module associated with Tftpd32 which can be really easy to begin with. C. Flag Placement In the flag4 CTF machine, the flag is hidden in the form of string and also in the steno graphed image which can be retained using some stenographic tools. This is just to make sure that the attacker thinks in many ways while trying to crack a real world machines. Placing a flag is completely the creator’s idea. The file which contains flag can be simply named as flag.txt if the creator wants it to be too simple. But it can alsobe namedsomething else and also the file containing flag can be placed with different extension just to make it a bit tricky. Even the credentials can be placed as flags. In flag4, the flags are placed in different folders and also few of them are placed within an image just to trick the attacker. D. Flowchart Fig: Flowchart of CTF IV. Conclusion As we are getting advanced in technology,wearealsocalling threat by our self. That is why every person who uses technology should have basic awareness about how to safeguard his/her device. This is only possible when they know about the flaws and vulnerabilities in system. This paper helps to know how the everydaysimplemistakesofus can cause serious damage to the data. The flag4 CTF is very useful to the beginners who have not cracked any CTF’s as it is of moderate difficulty. References [1] https://ieeexplore.ieee.org/abstract/document/7427 865 [2] https://ieeexplore.ieee.org/Xplore/home.jsp [3] https://www.usenix.org/conference/3gse15/summit -program/presentation/chothia [4] https://ieeexplore.ieee.org/abstract/document/7092 098 [5] https://www.usenix.org/conference/3gse14/summit -program/presentation/chung [6] https://dl.acm.org/doi/abs/10.1145/3017680.30177 83 [7] https://ieeexplore.ieee.org/abstract/document/8614 801 [8] https://ieeexplore.ieee.org/abstract/document/7911 890 [9] https://www.sciencedirect.com/science/article/pii/ B9781931836692500389 [10] https://patents.google.com/patent/US7293282B2/e n [11] https://patents.google.com/patent/US7246171B1/e n [12] https://www.hjp.at/doc/rfc/rfc1350.html [13] https://owasp.org/www-project-top-ten/

Recommended

Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!
Tsukasa Oi
 
Nsa hiding undetectable spyware in hard drives worldwide
Nsa hiding undetectable spyware in hard drives worldwideNsa hiding undetectable spyware in hard drives worldwide
Nsa hiding undetectable spyware in hard drives worldwide
Waqas Amir
 
An Antivirus API for Android Malware Recognition
An Antivirus API for Android Malware Recognition An Antivirus API for Android Malware Recognition
An Antivirus API for Android Malware Recognition
Fraunhofer AISEC
 
A technique for removing an important class of trojan horses from high order ...
A technique for removing an important class of trojan horses from high order ...A technique for removing an important class of trojan horses from high order ...
A technique for removing an important class of trojan horses from high order ...
UltraUploader
 
Caputre the flag
Caputre the flagCaputre the flag
Caputre the flag
UIT
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
IJERA Editor
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
Amit Kumbhar
 

Recommended

Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!
Tsukasa Oi
 
Nsa hiding undetectable spyware in hard drives worldwide
Nsa hiding undetectable spyware in hard drives worldwideNsa hiding undetectable spyware in hard drives worldwide
Nsa hiding undetectable spyware in hard drives worldwide
Waqas Amir
 
An Antivirus API for Android Malware Recognition
An Antivirus API for Android Malware Recognition An Antivirus API for Android Malware Recognition
An Antivirus API for Android Malware Recognition
Fraunhofer AISEC
 
A technique for removing an important class of trojan horses from high order ...
A technique for removing an important class of trojan horses from high order ...A technique for removing an important class of trojan horses from high order ...
A technique for removing an important class of trojan horses from high order ...
UltraUploader
 
Caputre the flag
Caputre the flagCaputre the flag
Caputre the flag
UIT
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
IJERA Editor
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
Amit Kumbhar
 
Formative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksFormative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering Attacks
DamaineFranklinMScBE
 
Introduction to Cybersecurity | IIT(BHU)CyberSec
Introduction to Cybersecurity | IIT(BHU)CyberSecIntroduction to Cybersecurity | IIT(BHU)CyberSec
Introduction to Cybersecurity | IIT(BHU)CyberSec
YashSomalkar
 
Cyber Security Workshop Presentation.pptx
Cyber Security Workshop Presentation.pptxCyber Security Workshop Presentation.pptx
Cyber Security Workshop Presentation.pptx
YashSomalkar
 
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Jasmin Hami
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
shreyng
 
Hacking and its types
Hacking and its typesHacking and its types
Hacking and its types
Rishab Gupta
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 
APT - Project
APT - Project APT - Project
APT - Project
Dev Lavaniya
 
Module 3 (scanning)
Module 3 (scanning)Module 3 (scanning)
Module 3 (scanning)
Wail Hassan
 
Ransomeware : A High Profile Attack
Ransomeware : A High Profile AttackRansomeware : A High Profile Attack
Ransomeware : A High Profile Attack
IRJET Journal
 
u10a1 Security Plan-Beji Jacob
u10a1 Security Plan-Beji Jacobu10a1 Security Plan-Beji Jacob
u10a1 Security Plan-Beji Jacob
Beji Jacob
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Mobodexter
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
Wail Hassan
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection system
Maulana Arif
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection system
Duwinowo NT
 
The Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan WarThe Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan War
Mandy Cross
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
Andrea Bissoli
 
Security technology
Security technologySecurity technology
Security technology
Praveen Kumar V
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsA Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
IRJET Journal
 
‘Six Sigma Technique’ A Journey Through its Implementation
‘Six Sigma Technique’ A Journey Through its Implementation‘Six Sigma Technique’ A Journey Through its Implementation
‘Six Sigma Technique’ A Journey Through its Implementation
ijtsrd
 
Edge Computing in Space Enhancing Data Processing and Communication for Space...
Edge Computing in Space Enhancing Data Processing and Communication for Space...Edge Computing in Space Enhancing Data Processing and Communication for Space...
Edge Computing in Space Enhancing Data Processing and Communication for Space...
ijtsrd
 

More Related Content

Similar to Flag4 CTF

Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Jasmin Hami
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 
u10a1 Security Plan-Beji Jacob
u10a1 Security Plan-Beji Jacobu10a1 Security Plan-Beji Jacob
u10a1 Security Plan-Beji Jacob
Beji Jacob
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection system
Maulana Arif
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection system
Duwinowo NT
 
The Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan WarThe Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan War
Mandy Cross
 

Similar to Flag4 CTF (20)

Formative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksFormative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering Attacks
 
Introduction to Cybersecurity | IIT(BHU)CyberSec
Introduction to Cybersecurity | IIT(BHU)CyberSecIntroduction to Cybersecurity | IIT(BHU)CyberSec
Introduction to Cybersecurity | IIT(BHU)CyberSec
 
Cyber Security Workshop Presentation.pptx
Cyber Security Workshop Presentation.pptxCyber Security Workshop Presentation.pptx
Cyber Security Workshop Presentation.pptx
 
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
 
Hacking and its types
Hacking and its typesHacking and its types
Hacking and its types
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
APT - Project
APT - Project APT - Project
APT - Project
 
Module 3 (scanning)
Module 3 (scanning)Module 3 (scanning)
Module 3 (scanning)
 
Ransomeware : A High Profile Attack
Ransomeware : A High Profile AttackRansomeware : A High Profile Attack
Ransomeware : A High Profile Attack
 
u10a1 Security Plan-Beji Jacob
u10a1 Security Plan-Beji Jacobu10a1 Security Plan-Beji Jacob
u10a1 Security Plan-Beji Jacob
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection system
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection system
 
The Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan WarThe Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan War
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
 
Security technology
Security technologySecurity technology
Security technology
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsA Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
 

More from ijtsrd

‘Six Sigma Technique’ A Journey Through its Implementation
‘Six Sigma Technique’ A Journey Through its Implementation‘Six Sigma Technique’ A Journey Through its Implementation
‘Six Sigma Technique’ A Journey Through its Implementation
ijtsrd
 
Edge Computing in Space Enhancing Data Processing and Communication for Space...
Edge Computing in Space Enhancing Data Processing and Communication for Space...Edge Computing in Space Enhancing Data Processing and Communication for Space...
Edge Computing in Space Enhancing Data Processing and Communication for Space...
ijtsrd
 
Dynamics of Communal Politics in 21st Century India Challenges and Prospects
Dynamics of Communal Politics in 21st Century India Challenges and ProspectsDynamics of Communal Politics in 21st Century India Challenges and Prospects
Dynamics of Communal Politics in 21st Century India Challenges and Prospects
ijtsrd
 
Assess Perspective and Knowledge of Healthcare Providers Towards Elehealth in...
Assess Perspective and Knowledge of Healthcare Providers Towards Elehealth in...Assess Perspective and Knowledge of Healthcare Providers Towards Elehealth in...
Assess Perspective and Knowledge of Healthcare Providers Towards Elehealth in...
ijtsrd
 
The Impact of Digital Media on the Decentralization of Power and the Erosion ...
The Impact of Digital Media on the Decentralization of Power and the Erosion ...The Impact of Digital Media on the Decentralization of Power and the Erosion ...
The Impact of Digital Media on the Decentralization of Power and the Erosion ...
ijtsrd
 
Online Voices, Offline Impact Ambedkars Ideals and Socio Political Inclusion ...
Online Voices, Offline Impact Ambedkars Ideals and Socio Political Inclusion ...Online Voices, Offline Impact Ambedkars Ideals and Socio Political Inclusion ...
Online Voices, Offline Impact Ambedkars Ideals and Socio Political Inclusion ...
ijtsrd
 
Problems and Challenges of Agro Entreprenurship A Study
Problems and Challenges of Agro Entreprenurship A StudyProblems and Challenges of Agro Entreprenurship A Study
Problems and Challenges of Agro Entreprenurship A Study
ijtsrd
 
Comparative Analysis of Total Corporate Disclosure of Selected IT Companies o...
Comparative Analysis of Total Corporate Disclosure of Selected IT Companies o...Comparative Analysis of Total Corporate Disclosure of Selected IT Companies o...
Comparative Analysis of Total Corporate Disclosure of Selected IT Companies o...
ijtsrd
 
The Impact of Educational Background and Professional Training on Human Right...
The Impact of Educational Background and Professional Training on Human Right...The Impact of Educational Background and Professional Training on Human Right...
The Impact of Educational Background and Professional Training on Human Right...
ijtsrd
 
A Study on the Effective Teaching Learning Process in English Curriculum at t...
A Study on the Effective Teaching Learning Process in English Curriculum at t...A Study on the Effective Teaching Learning Process in English Curriculum at t...
A Study on the Effective Teaching Learning Process in English Curriculum at t...
ijtsrd
 
The Role of Mentoring and Its Influence on the Effectiveness of the Teaching ...
The Role of Mentoring and Its Influence on the Effectiveness of the Teaching ...The Role of Mentoring and Its Influence on the Effectiveness of the Teaching ...
The Role of Mentoring and Its Influence on the Effectiveness of the Teaching ...
ijtsrd
 
Design Simulation and Hardware Construction of an Arduino Microcontroller Bas...
Design Simulation and Hardware Construction of an Arduino Microcontroller Bas...Design Simulation and Hardware Construction of an Arduino Microcontroller Bas...
Design Simulation and Hardware Construction of an Arduino Microcontroller Bas...
ijtsrd
 
Sustainable Energy by Paul A. Adekunte | Matthew N. O. Sadiku | Janet O. Sadiku
Sustainable Energy by Paul A. Adekunte | Matthew N. O. Sadiku | Janet O. SadikuSustainable Energy by Paul A. Adekunte | Matthew N. O. Sadiku | Janet O. Sadiku
Sustainable Energy by Paul A. Adekunte | Matthew N. O. Sadiku | Janet O. Sadiku
ijtsrd
 
Concepts for Sudan Survey Act Implementations Executive Regulations and Stand...
Concepts for Sudan Survey Act Implementations Executive Regulations and Stand...Concepts for Sudan Survey Act Implementations Executive Regulations and Stand...
Concepts for Sudan Survey Act Implementations Executive Regulations and Stand...
ijtsrd
 
Towards the Implementation of the Sudan Interpolated Geoid Model Khartoum Sta...
Towards the Implementation of the Sudan Interpolated Geoid Model Khartoum Sta...Towards the Implementation of the Sudan Interpolated Geoid Model Khartoum Sta...
Towards the Implementation of the Sudan Interpolated Geoid Model Khartoum Sta...
ijtsrd
 
Activating Geospatial Information for Sudans Sustainable Investment Map
Activating Geospatial Information for Sudans Sustainable Investment MapActivating Geospatial Information for Sudans Sustainable Investment Map
Activating Geospatial Information for Sudans Sustainable Investment Map
ijtsrd
 
Educational Unity Embracing Diversity for a Stronger Society
Educational Unity Embracing Diversity for a Stronger SocietyEducational Unity Embracing Diversity for a Stronger Society
Educational Unity Embracing Diversity for a Stronger Society
ijtsrd
 
Integration of Indian Indigenous Knowledge System in Management Prospects and...
Integration of Indian Indigenous Knowledge System in Management Prospects and...Integration of Indian Indigenous Knowledge System in Management Prospects and...
Integration of Indian Indigenous Knowledge System in Management Prospects and...
ijtsrd
 
DeepMask Transforming Face Mask Identification for Better Pandemic Control in...
DeepMask Transforming Face Mask Identification for Better Pandemic Control in...DeepMask Transforming Face Mask Identification for Better Pandemic Control in...
DeepMask Transforming Face Mask Identification for Better Pandemic Control in...
ijtsrd
 
Streamlining Data Collection eCRF Design and Machine Learning
Streamlining Data Collection eCRF Design and Machine LearningStreamlining Data Collection eCRF Design and Machine Learning
Streamlining Data Collection eCRF Design and Machine Learning
ijtsrd
 

More from ijtsrd (20)

‘Six Sigma Technique’ A Journey Through its Implementation
‘Six Sigma Technique’ A Journey Through its Implementation‘Six Sigma Technique’ A Journey Through its Implementation
‘Six Sigma Technique’ A Journey Through its Implementation
 
Edge Computing in Space Enhancing Data Processing and Communication for Space...
Edge Computing in Space Enhancing Data Processing and Communication for Space...Edge Computing in Space Enhancing Data Processing and Communication for Space...
Edge Computing in Space Enhancing Data Processing and Communication for Space...
 
Dynamics of Communal Politics in 21st Century India Challenges and Prospects
Dynamics of Communal Politics in 21st Century India Challenges and ProspectsDynamics of Communal Politics in 21st Century India Challenges and Prospects
Dynamics of Communal Politics in 21st Century India Challenges and Prospects
 
Assess Perspective and Knowledge of Healthcare Providers Towards Elehealth in...
Assess Perspective and Knowledge of Healthcare Providers Towards Elehealth in...Assess Perspective and Knowledge of Healthcare Providers Towards Elehealth in...
Assess Perspective and Knowledge of Healthcare Providers Towards Elehealth in...
 
The Impact of Digital Media on the Decentralization of Power and the Erosion ...
The Impact of Digital Media on the Decentralization of Power and the Erosion ...The Impact of Digital Media on the Decentralization of Power and the Erosion ...
The Impact of Digital Media on the Decentralization of Power and the Erosion ...
 
Online Voices, Offline Impact Ambedkars Ideals and Socio Political Inclusion ...
Online Voices, Offline Impact Ambedkars Ideals and Socio Political Inclusion ...Online Voices, Offline Impact Ambedkars Ideals and Socio Political Inclusion ...
Online Voices, Offline Impact Ambedkars Ideals and Socio Political Inclusion ...
 
Problems and Challenges of Agro Entreprenurship A Study
Problems and Challenges of Agro Entreprenurship A StudyProblems and Challenges of Agro Entreprenurship A Study
Problems and Challenges of Agro Entreprenurship A Study
 
Comparative Analysis of Total Corporate Disclosure of Selected IT Companies o...
Comparative Analysis of Total Corporate Disclosure of Selected IT Companies o...Comparative Analysis of Total Corporate Disclosure of Selected IT Companies o...
Comparative Analysis of Total Corporate Disclosure of Selected IT Companies o...
 
The Impact of Educational Background and Professional Training on Human Right...
The Impact of Educational Background and Professional Training on Human Right...The Impact of Educational Background and Professional Training on Human Right...
The Impact of Educational Background and Professional Training on Human Right...
 
A Study on the Effective Teaching Learning Process in English Curriculum at t...
A Study on the Effective Teaching Learning Process in English Curriculum at t...A Study on the Effective Teaching Learning Process in English Curriculum at t...
A Study on the Effective Teaching Learning Process in English Curriculum at t...
 
The Role of Mentoring and Its Influence on the Effectiveness of the Teaching ...
The Role of Mentoring and Its Influence on the Effectiveness of the Teaching ...The Role of Mentoring and Its Influence on the Effectiveness of the Teaching ...
The Role of Mentoring and Its Influence on the Effectiveness of the Teaching ...
 
Design Simulation and Hardware Construction of an Arduino Microcontroller Bas...
Design Simulation and Hardware Construction of an Arduino Microcontroller Bas...Design Simulation and Hardware Construction of an Arduino Microcontroller Bas...
Design Simulation and Hardware Construction of an Arduino Microcontroller Bas...
 
Sustainable Energy by Paul A. Adekunte | Matthew N. O. Sadiku | Janet O. Sadiku
Sustainable Energy by Paul A. Adekunte | Matthew N. O. Sadiku | Janet O. SadikuSustainable Energy by Paul A. Adekunte | Matthew N. O. Sadiku | Janet O. Sadiku
Sustainable Energy by Paul A. Adekunte | Matthew N. O. Sadiku | Janet O. Sadiku
 
Concepts for Sudan Survey Act Implementations Executive Regulations and Stand...
Concepts for Sudan Survey Act Implementations Executive Regulations and Stand...Concepts for Sudan Survey Act Implementations Executive Regulations and Stand...
Concepts for Sudan Survey Act Implementations Executive Regulations and Stand...
 
Towards the Implementation of the Sudan Interpolated Geoid Model Khartoum Sta...
Towards the Implementation of the Sudan Interpolated Geoid Model Khartoum Sta...Towards the Implementation of the Sudan Interpolated Geoid Model Khartoum Sta...
Towards the Implementation of the Sudan Interpolated Geoid Model Khartoum Sta...
 
Activating Geospatial Information for Sudans Sustainable Investment Map
Activating Geospatial Information for Sudans Sustainable Investment MapActivating Geospatial Information for Sudans Sustainable Investment Map
Activating Geospatial Information for Sudans Sustainable Investment Map
 
Educational Unity Embracing Diversity for a Stronger Society
Educational Unity Embracing Diversity for a Stronger SocietyEducational Unity Embracing Diversity for a Stronger Society
Educational Unity Embracing Diversity for a Stronger Society
 
Integration of Indian Indigenous Knowledge System in Management Prospects and...
Integration of Indian Indigenous Knowledge System in Management Prospects and...Integration of Indian Indigenous Knowledge System in Management Prospects and...
Integration of Indian Indigenous Knowledge System in Management Prospects and...
 
DeepMask Transforming Face Mask Identification for Better Pandemic Control in...
DeepMask Transforming Face Mask Identification for Better Pandemic Control in...DeepMask Transforming Face Mask Identification for Better Pandemic Control in...
DeepMask Transforming Face Mask Identification for Better Pandemic Control in...
 
Streamlining Data Collection eCRF Design and Machine Learning
Streamlining Data Collection eCRF Design and Machine LearningStreamlining Data Collection eCRF Design and Machine Learning
Streamlining Data Collection eCRF Design and Machine Learning
 

Recently uploaded

Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 

Recently uploaded (20)

HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Plant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxPlant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptx
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 

Flag4 CTF

  • 1. International Journal of Trend in Scientific Research and Development (IJTSRD) Volume 4 Issue 6, September-October 2020 Available Online: www.ijtsrd.com e-ISSN: 2456 – 6470 @ IJTSRD | Unique Paper ID – IJTSRD35734 | Volume – 4 | Issue – 6 | September-October 2020 Page 1643 Flag4 CTF Dr. C. Umarani1, R P Shruti2 1Assistance Professor, 2Student, 1,2Masters in Computer Applications, Jain (Deemed-to-be) University, Bangalore, Karnataka, India ABSTRACT In today’s world a place where there is a large scope for Security,manypeople are busy building applications, web pages and many more but no one actually concentrates on security aspect of it. As the technology increases, the flaws in the security system also increases. The CTF machine is one such solution for this problem, where the person who is learning hacking can use these kind of machines and learn security in a much deeper way. Capture The Flag are games where the hackers have to solve puzzles and find bugs so that they can get through system flaws and find flag, which isthemain goal. Typical CTFs offer many challenges, most commonly the hackers haveto exploit some kind of service so that you can get remote access to the server and read the content of the file that contains a special string called “flag”, which is a proof that he/she has hacked the system. KEYWORDS: CTF, vulnerability, flag, security, capture the flag, remote desktop service, tftpd, tftpd32/64, mssql server How to cite this paper: Dr. C. Umarani | R P Shruti "Flag4 CTF" Published in International Journal of Trend in Scientific Research and Development(ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-6, October 2020, pp.1643-1644, URL: www.ijtsrd.com/papers/ijtsrd35734.pdf Copyright © 2020 by author(s) and International JournalofTrendinScientific Research and Development Journal. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (CC BY 4.0) (http://creativecommons.org/licenses/by/4.0) I. INTRODUCTION There can be many ways to learn hacking and CTF machines are one among the most effective ways. TheMaingoalofCTF is to find the flags hidden in the machine by remotelygetting access through the vulnerabilities set up. The concept CTFs came from the traditional outdoor game where two teams each have few flags and their objective is to capture other team’s flags from the base and bring it back to their base which would end the game. Finding out the vulnerabilities using some tools or techniques like nmap, sql-injection, etc. is the toughest job. But once the vulnerability has been found,thehackercan get into the machine using some other tools like metasploit. Vulnerability: It is the weakness in system which can be exploited by the attacker to gain unauthorized access.These vulnerabilities can allow attackers to run code, access system’s memory, installmalwarethroughwhichhe/she can steal, destroy or modify sensitive data which may affect the company’s status, fame and trust. Flag: Flags are secrets hidden in purposefully vulnerable programs or websites. There are two type of CTFs based on the flags. An attacker steals flag from his competitor, this is known as attacker/defence style CTF.Theotheriswherethe flags are obtained from organizations, which is known as jeopardy-style. II. Existing System The aim of this paper is to help hackers learn break into vulnerabilities. In the existing system there are many combinations of vulnerabilities set up to help hackers. Setting up vulnerabilities can be in many ways like web vulnerability, database vulnerability, weak password vulnerability and many more. There are many new CTFs everyday with every vulnerability glooming. CTFs are a way to practice hacking. III. Proposed System The combination of different vulnerabilities includedmakes every CTF different. In the proposed system, combination of few vulnerabilities have been used. RDS (Remote Desktop service) is one of the vulnerability through whichthehacker gets remote access. Another vulnerability is through MSSql which has code execution vulnerability. Another vulnerability is tftpd32 which has buffer overflow vulnerability which can cause denial of service. These vulnerabilities combined causesthecreationoftheflag4CTF machine. Any hacker can use these CTFs and get to know vulnerabilities in real time machines. A. Securing a machine It is really important to secure a machine in the organization point of view because data is everything they have and that is what they have to secure. This is when CTF comes into picture. The hackers are rewarded as per the level of difficulty for finding the vulnerabilities and bugs. But when it comes to CTF’s, more the vulnerability much easier to get through. Therefore based of the level of difficulty required, the difficulty is setup. In the flag4 CTF, I have set the difficulty to medium as I have configured three vulnerabilities which will be discussed further in the paper. IJTSRD35734
  • 2. International Journal of Trend in Scientific Research and Development (IJTSRD) @ www.ijtsrd.com eISSN: 2456-6470 @ IJTSRD | Unique Paper ID – IJTSRD35734 | Volume – 4 | Issue – 6 | September-October 2020 Page 1644 B. Setting up the vulnerabilities Vulnerabilities can be setup in many ways and in many levels. There are three levels of difficulty, they are: Simple: This level of difficulty will require installation of some affected software. Moderate: This level of difficulty will require installation of some affected software on a specific operating system. Complex: This level of difficulty will requireinstallationand configuration of some affected software on a specific operating system. In the flag4 CTF, we are using windows operating system. Since windows has GUI and many of the users are familiar with the architecture of windows, it becomes easy for the attackers to guess where the flag can be placed. As most of the real world systems in our country are installed with windows OS, this can be a really practical thing to hack into. In this flag4 CTF, I have installed three software’s and configured them according to my needs. These software’s include Adobe ColdFusion, MSSQL, and TFTP. A. Adobe ColdFusion: In flag4 CTF I have installed Adobe ColdFusion 9. There are newer versions of adobe available, but having some vulnerabilities is good for us. By setting this up, RDS login methodcan beattackedthrough a metasploit module and can gain administrative login, this can further be used to gain shell access. Another method is default credentials can be set up as a vulnerability, and directory traversal can be used togainthe flag. B. MSSQL: In most of the systems MSSQL is run almost all the time.This can be used as a vulnerability. Here, in flag4CTFmachine we are using MSSQL 2005 and MSSQL management suite to set up the vulnerabilities. Since this is the vulnerability, we get access to the database directly with least effort. C. TFTP: Which can be abbreviated as TrivialFile Transfer Protocol,is an old service which provides FTP services to unauthenticated users. Here,weareusingTftpd32insteadof Tftpd64, again for the same reason of vulnerability. Tftpd32 is also vulnerable to buffer overflow. And there is also a metasploit module associated with Tftpd32 which can be really easy to begin with. C. Flag Placement In the flag4 CTF machine, the flag is hidden in the form of string and also in the steno graphed image which can be retained using some stenographic tools. This is just to make sure that the attacker thinks in many ways while trying to crack a real world machines. Placing a flag is completely the creator’s idea. The file which contains flag can be simply named as flag.txt if the creator wants it to be too simple. But it can alsobe namedsomething else and also the file containing flag can be placed with different extension just to make it a bit tricky. Even the credentials can be placed as flags. In flag4, the flags are placed in different folders and also few of them are placed within an image just to trick the attacker. D. Flowchart Fig: Flowchart of CTF IV. Conclusion As we are getting advanced in technology,wearealsocalling threat by our self. That is why every person who uses technology should have basic awareness about how to safeguard his/her device. This is only possible when they know about the flaws and vulnerabilities in system. This paper helps to know how the everydaysimplemistakesofus can cause serious damage to the data. The flag4 CTF is very useful to the beginners who have not cracked any CTF’s as it is of moderate difficulty. References [1] https://ieeexplore.ieee.org/abstract/document/7427 865 [2] https://ieeexplore.ieee.org/Xplore/home.jsp [3] https://www.usenix.org/conference/3gse15/summit -program/presentation/chothia [4] https://ieeexplore.ieee.org/abstract/document/7092 098 [5] https://www.usenix.org/conference/3gse14/summit -program/presentation/chung [6] https://dl.acm.org/doi/abs/10.1145/3017680.30177 83 [7] https://ieeexplore.ieee.org/abstract/document/8614 801 [8] https://ieeexplore.ieee.org/abstract/document/7911 890 [9] https://www.sciencedirect.com/science/article/pii/ B9781931836692500389 [10] https://patents.google.com/patent/US7293282B2/e n [11] https://patents.google.com/patent/US7246171B1/e n [12] https://www.hjp.at/doc/rfc/rfc1350.html [13] https://owasp.org/www-project-top-ten/