KN
Uploaded byKachkad Narender
878 views

Capture the flag

The document provides an overview of Capture The Flag (CTF) competitions in cybersecurity, detailing how they work, types of challenges, and their real-world benefits for participants. CTFs serve as valuable training tools for both students and professionals, enhancing technical skills and soft skills while fostering networking opportunities. It also discusses preparedness, participation guidelines, tools for various tasks, and common rules to ensure fair play during competitions.

Embed presentation

Download to read offline
“CAPTURE THE FLAG” If you’re going to make a living in defense, you have to think like the offense. Submitted by Kachkad Narender December, 2018
Content ……………………………………………………………………………………… • How a CTF Competition works • Example • Types of challenges • CTF preparedness • Real World benefits • How to participate • Tools for web vulnerability hunting or web exploitation • Tools for Networking • Tools for Your Protection in Attack in Defend • Some Linux Distributions Ideal for CTF • CTF Guides and Resources • Rules and Regulation • Reference
Cyber security is a high priority of companies, small and big, as cyber attacks have been on the rise in recent years. In response to these attacks, security professionals and college students have been through rigorous training as how hackers are able to get into the companies and how to defend against them. One way of cyber security training is through a cyber security capture the flag (CTF) event. A cyber security CTF is a competition between security professionals and/or students learning about cyber security. This competition is used as a learning tool for everyone that is interested in cyber security and it can help sharpen the tools they have learned during their training. The very first cyber security CTF developed and hosted was in 1996 at DEFCON in Las Vegas, Nevada. DEFCON is the largest cyber security conference in the United States and it was officially started in 1993 by Jeff Moss. DEFCON had become a platform for a skills competition and as the Internet grew, both DEFCON and the CTF competitions did as well. CTF competitions have become global as they did not have any borders and can be done via the Internet. International teams were competing for different types of prizes and bragging rights. How a CTF Competition works CTF or Capture the Flag is a traditional competition or war game in any hacker conferences like DEFCON, ROOTCON, HITB and some hackathons. CTF games are usually categorized in the form of Attack and Defend Style, Exploit Development, Packet Capture Analysis, Web Hacking, Digital Puzzles, Cryptography, Stego, Reverse Engineering, Binary Analysis, Mobile Security, etc. Capture the Flag (CTF) is a special kind of information security competitions. There are three common types of CTFs: Jeopardy, Attack-Defence and mixed The Jeopardy-style CTF is similar to the actual Jeopardy game as the scoreboard looks like a Jeopardy board with different categories and point values. There can be more than two teams as the teams are not trying to attack each other. Some of the categories can include Cryptography, Steganography, Physical Security and Scanning. There are several other categories that can be used. Some of the challenges can be done against a main server that was developed for the CTF and the flag is inputted into the CTF scoreboard to get points for the team. A timer is used to start and stop the CTF and once the timer finishes, the game is over. The team with the most points at the end wins.
Well, attack-defend CTF is where each team attacks the other team’s system, as well as defend their own system. Usually, there are two rounds of game play in which one team is the attacking team and the other team is the defending team in the first round and then they switch for the second round. There are flags (text files, folders, images, etc.) in the defending machines that the attacking team attempts to find as they compromise the machines. The attacking team is able to use different hacking tools in order to compromise the defending machines but there are rules in place to ensure that the teams are not at an advantage over the other. The defending team can do anything within the rules to defend their machines against the attacking team. They are not allowed to disable any network connections or turn off the machines. If there is any rule violation, the team will incur a penalty or be disqualified. Finally, a mixed CTF is arguably the most challenging for participants. Combining jeopardy and attack-defense styles, successful teams must strategically divide their efforts and play to each of their member’s strengths by completing security challenges while simultaneously hacking into target vulnerable systems, maintaining access to these machines and defending them against their competitors. The winner is usually the team or individual with the most points at the end of the game. Like many sporting events, prizes are commonly awarded for first, second and third place. In the interest of contest integrity and respect for the game platform, CTF ground rules are shared with participants prior to the event. Violation of these rules may result in restrictions or even elimination from the competition. CTFs are now global and can be online or in the same geographical area. Open Web Application Security Project (OWASP) San Diego would usually do a Jeopardy-style CTF once a year that participants are able to learn how to pick locks and use other tools to complete the CTF competition. The National Cyber League (NCL) is another CTF that is for students and faculty of universities and the NCL can be used as a curriculum in order to teach the students about cyber security. There are several other CTFs that are available and can be found on the CTFTime website.
Example This the solution for the Capture the Flag Challenge and one of the easiest challenges Okay, so let’s not waste much of your time and get started? URL: https://anattacker31337.000webhostapp.com/ You will find a web application hosted on this particular domain, when you open it, it looks like: So, i have written all the goals you need to achieve into a file named ‘goals.html’, You can find the file on index page.
So, basically you will be given the credentials which you can find on the index page of the challenge itself and those login credentials are of the ‘accountant’ username which have less privileges than the superadmin’s account. And i am echoing the current and active username and password on index page, in case someone changes it and you can still login. So, my target was to make you login and then make you penetrate from the user ‘s dashboard.
Now once you login with those given credentials, the screen looks something like: I intentionally kept this ‘password change mechanism’ here and nothing else so that you can concentrate on this password fields and can draw the application flow as you do on any other Black Box PT’s. People trying, were continuously throwing blind payloads to the password field, and some of them were even throwing XSS payloads their without knowing the applications work flow. So before we start explaining the exploitation let’s discuss how the application is working? Actually the whole exploitation depends on the one line of code. Query: `UPDATE `users` SET `password` = ‘“.htmlspecialchars(mysqli_real_escape_string($connect, $pass_word)).”’ WHERE `users`.`id` = “.mysqli_real_escape_string($connect,$id).”;` Can you see the MySQL query is taking inputs on the id parameter?
And you will know if you have poked around, you can’t see the ID parameter sending some ‘magical’ values to server, until and unless you opens up the Cookie Manager to see whats happening? Screenshot to the Cookie Manager. Can you see the name of the cookie ‘poordev’ which is taking one parameter and the value, which is the database’s uniquely identified key, known as the primary key which cannot have duplicates. So basically this is the application flow. 1. Changing the password, the application sends a request through the cookies with a numeric value which is not only in my case but for everyone who is logging in into the ‘accountant’’s account. 2. I am sure it’s now clear about the ‘$id’ parameter which is taking the inputs? Remember? The $id parameter basically takes the input of the uniquely identified key in the backend pointing to a particular account associated with that particular number. What if an attacker manipulates the numeric value in $id parameter in the cookie section? Which is possible because the cookies are on the client side which is tamperable, which might fool the application and can make the application do the things, which the application is not intended to do.
So here’s the table structure of the ‘’users’’ table. You may ask, how you will know the exact id number as you don’t have the database access, in this case you need to bruteforce the “id” and try to login with same changed password everytime you change the id.Can you see the accountant’s account is associated with id = ‘1' ? and if you notice the superadmin’s account is associated with the id ‘6’ and now if we relate the SQL query it’s updating the password field by identifying it by the primary key ‘id’. So i used the cookie manager to replace the id parameter’s value 1 with 6 after changing the password to “1234”.
save it refresh the page. Once you refresh the page you will see the same “Successfully password update” message which means you have successfully changed the superadmin’s account’s password to 1234. And there you go.. boom! Logged in as the superadmin and then you see my awesome looking face greeting you.
Types of challenges CTFs usually showcase different challenges that utilize or exercise specific areas of focus. Some popular areas of focus are: • Programming These types of tasks usually require some sort of programming to solve. In most cases, it will involve a mixture of programming and some reverse engineering. • “Crypto” These challenges feature common “real world” scenarios that often include the ever-popular ransomware type of malware. • Exploitation These tasks will force you to determine how to exploit (using buffer overflow, string format, SQL injection, etc.…) a given running process on the CTF target machine. • Reverse Engineering For tasks like this, reverse engineering will usually be required, for example, when the server sends you an executable. CTF preparedness If you’ve never experienced a CTF event before, don’t get frustrated or give up, because the key to any type of hacking is patience. While this is sometimes a difficult thing to have, the only way to learn is to persist and practice on your own (see this post further down on how to practice) and maybe next time you’ll score first place! One thing you can try to do during your first CTF event, if possible, is find a experienced team that’s willing to let you join them. Make sure you’re clear that this is your first CTF event and you’d really love for them to show you the ropes.
Members of the InfoSec community are usually very willing to share their knowledge with anyone interested in trying to learn and grow in this field. At the same time, however, one common theme you also often hear in the community is that there is a shortage of talent. At times this can be a very real struggle, and many professionals who have worked their way up in the field have spent considerable time to do so, sacrificing much to learn, practice and hone their craft. For this reason, before reaching out for help with basic questions, you should first research the topic and make an effort to figure things out on your own. Within the InfoSec community, trust isn’t something you can place value on. If your job is to hack into a client’s network, they last thing anyone wants is for that sensitive information to be shared with anyone outside of the team. Trust is a critical component of this relationship and I cannot express enough how important it is to remain ethical during competitions as well. Real World benefits Looking to start a career in cyber security or raise your industry profile? A CTF competition is a great place to start. These events are often closely watched and attended by recruiters and management hoping to spot budding talent and headhunt existing professionals. Job seeking or not, a CTF is one of the best ways to challenge your expertise inside a safe, forgiving and collaborative environment, whether you are a student, enthusiast or security guru. Aside from the clear technical development benefits, CTFs also offer participants a great opportunity to work on their soft skills, such as communication, teamwork, time management, problem-solving and adaptability. Despite the competitive environment, the occasion also has a strong social element. It gives players a chance to meet up in real life to network, share knowledge and bond over common goals, experiences and interests. But if you are the kind of person that likes to go for gold, many CTFs, through sponsorship and funding, offer generous prizes. Finally, CTFs are beneficial to security researchers and academics who can use the attack data and network traffic generated during competitions as case studies to help model, predict and prevent real-world security incidents.
How to participate CTF competitions are held in a variety of shapes, sizes and formats around the world each year. The popularity of these events is increasing as interest in cybersecurity and ethical hacking rapidly enters the mainstream. Typically, CTF events operate on a bring-your-own-device (BYOD) basis, meaning players who wish to play will need to bring their own laptop to take part. However, it’s possible to run a CTF with the appropriate setup and permission to utilize existing infrastructure, such as a high school, college, office or even public computer lab. If you are interested in taking part in a CTF competition, conduct a quick online search or chat with a local IT security professional or computer science professor to find an event near you. There is plenty of information and platforms online to help prospective participants prepare, train and even find a team for an upcoming CTF event. The CTF field guide is a brilliant resource to get started. First-timers should not overprepare or worry too much. CTF games are inclusive events with open and welcoming atmospheres. If you do not have a team to play with, you will be assigned one prior to the competition or on the day. Tools for web vulnerability hunting or web exploitation • Burp Suite – commonly used for web application security testing and usually for finding manual • web vulnerabilities which has an intercepting proxy and customizable plugins • OWASP ZAP – an Open Web Application Security Project similar to Burp but free and open source • WPScan – a blackbox WordPress Vulnerability Scanner • W3af – open source web application security scanner • OWASP Dirbuster – directory bruteforce or discovery tool • Bizploit – open source ERP Penetration Testing framework
Tools for Networking • aircrack-ng Suite – an open source WEP/WPA/WPA2 cracking tool which is usually bundled in most pentesting distributions • reaver – WiFi Protected Setup attacker tool • Kismet – 802.11 layer2 wireless network detector, sniffer, and intrusion detection system • Pixiewps – a tool used to bruteforce offline the WPS pin exploiting the low or non- existing entropy of some APs (pixie dust attack) • Nmap – an open source port scanner which has plugins for vulnerability assessment and net discovery • Wireshark – network sniffer and network protocol analyzer for Unix and Windows • Netcat -the TCP/IP swiss army • Captipper – a python tool to analyze, explore, and revive HTTP malicious traffic • Scapy – a powerful interactive packet manipulation program Tools for Your Protection in Attack in Defend • Snort – lightweight and free network intrusion detection system for UNIX and Windows • Iptables • Any Antivirus and Two-Way firewall will do • Chellam – Wi-Fi IDS/Firewall for Windows which detect Wi-Fi attacks, such as Honeypots, Evil Twins, Mis-association, and Hosted Network based backdoors etc., against a Windows based client without the need of custom hardware or drivers • peepdf – Python tool to explore PDF files in order to find out if the file can be harmful or not • Android IMSI-Catcher Detector – Android app for detecting IMSI-Catcher
Some Linux Distributions Ideal for CTF • Santoku Linux – GNU/Linux distribution or distro designed for helping you in every aspect of your mobile forensics, mobile malware analysis, reverse engineering and security testing needs • Kali Linux – a fully packed penetration testing Linux distribution based on Debian • Backbox Linux – a simplistic penetration testing distro based on Ubuntu • CAINE – Computer Aided Investigative Environment is a Live GNU/Linux distribution which is aimed for digital forensics • DEFT Linux – Digital Evidence & Forensics Toolkit Linux distribution CTF Guides and Resources • Practice CTF List / Permanent CTF List – a good collection and resource of CTFs that are long-running • Vulnhub – vulnerable machines you can practice or for your pentest laboratory • CTF Resources – a repository and an archive of general topics for CTF and is somehow the same with Trail of Bits CTF Guide • Forensics Wiki – a wiki designed for computer forensics
Rules and Regulation Let's start with some common rules - specifically what you and your team cannot do. • It's strictly forbidden to perform any kind of Denial of Service Attack (DoS/DDoS) against the servers or the competition's infrastructure. • Do NOT try to use Brute Force on the flag submission system because the flags are not possible to guess. • Do NOT try to exchange flags or write-ups during the competition. • Do NOT share recent discoveries related to challenges publicly on IRC channels, nor in any other way with contestants of other teams. • Clues will be given in a direct or indirect form, stay alert! • The flag pattern will be as follows for example (CTF-BR{flag_here}). • The competition will last for 48 hours in a row, breaks/no breaks (as said by incharge). • The teams may have as many members as they want (differ by the company). • Any kind of violation of these rules will mean immediate disqualification of the team. Most important rule: Have fun and Learn a lot! 😊
REFERENCES https://blogs.cisco.com/perspectives/cyber-security-capture-the-flag-ctf-what-is-it https://securityintelligence.com/behind-the-scenes-at-a-capture-the-flag-ctf-competition/ https://pwn2win.party/rules/?lang=br https://medium.com/secjuice/hack-the-superadmin-uncle-organisations-ctf-solution- dd8bbe042945 https://www.alienvault.com/blogs/security-essentials/capture-the-flag-ctf-what-is-it-for-a-newbie https://ctftime.org/ctf-wtf/

More Related Content

PPTX
Intrusion detection system
byAparna Bhadran
 
PPTX
Caputre the flag
byUIT
 
PPT
Port Scanning
byamiable_indian
 
PPTX
Introduction of CTF and CGC
byKir Chou
 
PPTX
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
PDF
Computer Security and Intrusion Detection(IDS/IPS)
byLJ PROJECTS
 
PDF
DNS Attacks
byHimanshu Prabhakar
 
PPTX
A5: Security Misconfiguration
byTariq Islam
 
Intrusion detection system
byAparna Bhadran
 
Caputre the flag
byUIT
 
Port Scanning
byamiable_indian
 
Introduction of CTF and CGC
byKir Chou
 
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
Computer Security and Intrusion Detection(IDS/IPS)
byLJ PROJECTS
 
DNS Attacks
byHimanshu Prabhakar
 
A5: Security Misconfiguration
byTariq Islam
 

What's hot

PDF
Capture The Flag
byHuu Tung Nguyen
 
PPTX
A closer look at CTF challenges
byDNIF
 
PPT
Penetration Testing Basics
byRick Wanner
 
PPTX
Play,Learn and Hack- CTF Training
byHeba Hamdy Farahat
 
PPTX
Cyber Security Best Practices
byEvolve IP
 
PDF
Pen-Testing with Metasploit
byMohammed Danish Amber
 
PPT
Introduction To OWASP
byMarco Morana
 
PPTX
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
PDF
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
byMITRE ATT&CK
 
PDF
Cybersecurity - Mobile Application Security
byEryk Budi Pratama
 
PDF
Introduction to MITRE ATT&CK
byArpan Raval
 
PPTX
Career In Information security
byAnant Shrivastava
 
PPTX
Ethical hacking presentation
bySuryansh Srivastava
 
PPTX
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
PPTX
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
PPTX
System hacking
byCAS
 
PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
PPTX
Ransomware
byChaitali Sharma
 
PDF
Analysing Ransomware
byNapier University
 
PPTX
Hacking and Types of Hacker.
byCoder Tech
 
Capture The Flag
byHuu Tung Nguyen
 
A closer look at CTF challenges
byDNIF
 
Penetration Testing Basics
byRick Wanner
 
Play,Learn and Hack- CTF Training
byHeba Hamdy Farahat
 
Cyber Security Best Practices
byEvolve IP
 
Pen-Testing with Metasploit
byMohammed Danish Amber
 
Introduction To OWASP
byMarco Morana
 
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
byMITRE ATT&CK
 
Cybersecurity - Mobile Application Security
byEryk Budi Pratama
 
Introduction to MITRE ATT&CK
byArpan Raval
 
Career In Information security
byAnant Shrivastava
 
Ethical hacking presentation
bySuryansh Srivastava
 
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
System hacking
byCAS
 
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
Ransomware
byChaitali Sharma
 
Analysing Ransomware
byNapier University
 
Hacking and Types of Hacker.
byCoder Tech
 

Similar to Capture the flag

PDF
A Beginner’s Guide to Capture the flag (CTF) Hacking
byinfosec train
 
PPTX
CTF CyberX-Mind4Future[4].pptx
bycifoxo
 
PPTX
Winter Hacks CTF.pptx
byPRIYATHAMDARISI
 
PPTX
Cyber Security Workshop Presentation.pptx
byYashSomalkar
 
PDF
Why should you consider playing CTF.pdf
byinfosec train
 
PDF
Capture The Flag
byOmar Fathy
 
PDF
Flag4 CTF
byijtsrd
 
PPTX
Cyber Security Career
byHesham Elzoghby
 
PDF
CTFs, Bugbounty and your security career
byIbrahim El-Sayed
 
PPT
HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and...
byAnthony Lai
 
PDF
[2012 CodeEngn Conference 06] posquit0 - Defcon 20th : The way to go to Las V...
byCode Engn
 
PPTX
Getting ready for a Capture The Flag Hacking Competition
byJoe McCray
 
PDF
earning by s/doing/h4ck1ng/ - Our experience learning application security th...
byNECST Lab @ Politecnico di Milano
 
PDF
How to strengthen the ctf web field for beginners(English)
bykazkiti
 
PPTX
Emotional Support for "48 hours of failure"
byGDSC UofT Mississauga
 
PPTX
Playing CTFs for Fun & Profit
byimpdefined
 
PPTX
A Brief Intro to CTF Contests!
byM. S.
 
PDF
Club hack 2011 precon ctf walkthrough
byn|u - The Open Security Community
 
PDF
Capture the Flag Exercise Using Active Deception Defense
byFidelis Cybersecurity
 
PDF
Introduction to Cybersecurity | IIT(BHU)CyberSec
byYashSomalkar
 
A Beginner’s Guide to Capture the flag (CTF) Hacking
byinfosec train
 
CTF CyberX-Mind4Future[4].pptx
bycifoxo
 
Winter Hacks CTF.pptx
byPRIYATHAMDARISI
 
Cyber Security Workshop Presentation.pptx
byYashSomalkar
 
Why should you consider playing CTF.pdf
byinfosec train
 
Capture The Flag
byOmar Fathy
 
Flag4 CTF
byijtsrd
 
Cyber Security Career
byHesham Elzoghby
 
CTFs, Bugbounty and your security career
byIbrahim El-Sayed
 
HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and...
byAnthony Lai
 
[2012 CodeEngn Conference 06] posquit0 - Defcon 20th : The way to go to Las V...
byCode Engn
 
Getting ready for a Capture The Flag Hacking Competition
byJoe McCray
 
earning by s/doing/h4ck1ng/ - Our experience learning application security th...
byNECST Lab @ Politecnico di Milano
 
How to strengthen the ctf web field for beginners(English)
bykazkiti
 
Emotional Support for "48 hours of failure"
byGDSC UofT Mississauga
 
Playing CTFs for Fun & Profit
byimpdefined
 
A Brief Intro to CTF Contests!
byM. S.
 
Club hack 2011 precon ctf walkthrough
byn|u - The Open Security Community
 
Capture the Flag Exercise Using Active Deception Defense
byFidelis Cybersecurity
 
Introduction to Cybersecurity | IIT(BHU)CyberSec
byYashSomalkar
 

Recently uploaded

PDF
Agent Factory -AIOUG Multicloud - Feb 2026
bySandesh Rao
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PPTX
Exploring-AI-Basics in Artificial Intelligence
bysharmilas219546
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
final.pdf
byomarbishtawi04
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
AI in the Real World: From University to Industry
byDarvan Shvan
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
Reality Drift: Why Systems Keep Working After Meaning Drops Out
byReality Drift Archive | A. Jacobs
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
Chapter 6 Authentication and Access Control.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Agent Factory -AIOUG Multicloud - Feb 2026
bySandesh Rao
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Exploring-AI-Basics in Artificial Intelligence
bysharmilas219546
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
final.pdf
byomarbishtawi04
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
AI in the Real World: From University to Industry
byDarvan Shvan
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
Reality Drift: Why Systems Keep Working After Meaning Drops Out
byReality Drift Archive | A. Jacobs
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
Chapter 6 Authentication and Access Control.pdf
byGetnet Tigabie Askale -(GM)
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 

Capture the flag

  • 1.
    “CAPTURE THE FLAG” Ifyou’re going to make a living in defense, you have to think like the offense. Submitted by Kachkad Narender December, 2018
  • 2.
    Content ……………………………………………………………………………………… • How aCTF Competition works • Example • Types of challenges • CTF preparedness • Real World benefits • How to participate • Tools for web vulnerability hunting or web exploitation • Tools for Networking • Tools for Your Protection in Attack in Defend • Some Linux Distributions Ideal for CTF • CTF Guides and Resources • Rules and Regulation • Reference
  • 3.
    Cyber security isa high priority of companies, small and big, as cyber attacks have been on the rise in recent years. In response to these attacks, security professionals and college students have been through rigorous training as how hackers are able to get into the companies and how to defend against them. One way of cyber security training is through a cyber security capture the flag (CTF) event. A cyber security CTF is a competition between security professionals and/or students learning about cyber security. This competition is used as a learning tool for everyone that is interested in cyber security and it can help sharpen the tools they have learned during their training. The very first cyber security CTF developed and hosted was in 1996 at DEFCON in Las Vegas, Nevada. DEFCON is the largest cyber security conference in the United States and it was officially started in 1993 by Jeff Moss. DEFCON had become a platform for a skills competition and as the Internet grew, both DEFCON and the CTF competitions did as well. CTF competitions have become global as they did not have any borders and can be done via the Internet. International teams were competing for different types of prizes and bragging rights. How a CTF Competition works CTF or Capture the Flag is a traditional competition or war game in any hacker conferences like DEFCON, ROOTCON, HITB and some hackathons. CTF games are usually categorized in the form of Attack and Defend Style, Exploit Development, Packet Capture Analysis, Web Hacking, Digital Puzzles, Cryptography, Stego, Reverse Engineering, Binary Analysis, Mobile Security, etc. Capture the Flag (CTF) is a special kind of information security competitions. There are three common types of CTFs: Jeopardy, Attack-Defence and mixed The Jeopardy-style CTF is similar to the actual Jeopardy game as the scoreboard looks like a Jeopardy board with different categories and point values. There can be more than two teams as the teams are not trying to attack each other. Some of the categories can include Cryptography, Steganography, Physical Security and Scanning. There are several other categories that can be used. Some of the challenges can be done against a main server that was developed for the CTF and the flag is inputted into the CTF scoreboard to get points for the team. A timer is used to start and stop the CTF and once the timer finishes, the game is over. The team with the most points at the end wins.
  • 4.
    Well, attack-defend CTFis where each team attacks the other team’s system, as well as defend their own system. Usually, there are two rounds of game play in which one team is the attacking team and the other team is the defending team in the first round and then they switch for the second round. There are flags (text files, folders, images, etc.) in the defending machines that the attacking team attempts to find as they compromise the machines. The attacking team is able to use different hacking tools in order to compromise the defending machines but there are rules in place to ensure that the teams are not at an advantage over the other. The defending team can do anything within the rules to defend their machines against the attacking team. They are not allowed to disable any network connections or turn off the machines. If there is any rule violation, the team will incur a penalty or be disqualified. Finally, a mixed CTF is arguably the most challenging for participants. Combining jeopardy and attack-defense styles, successful teams must strategically divide their efforts and play to each of their member’s strengths by completing security challenges while simultaneously hacking into target vulnerable systems, maintaining access to these machines and defending them against their competitors. The winner is usually the team or individual with the most points at the end of the game. Like many sporting events, prizes are commonly awarded for first, second and third place. In the interest of contest integrity and respect for the game platform, CTF ground rules are shared with participants prior to the event. Violation of these rules may result in restrictions or even elimination from the competition. CTFs are now global and can be online or in the same geographical area. Open Web Application Security Project (OWASP) San Diego would usually do a Jeopardy-style CTF once a year that participants are able to learn how to pick locks and use other tools to complete the CTF competition. The National Cyber League (NCL) is another CTF that is for students and faculty of universities and the NCL can be used as a curriculum in order to teach the students about cyber security. There are several other CTFs that are available and can be found on the CTFTime website.
  • 5.
    Example This the solutionfor the Capture the Flag Challenge and one of the easiest challenges Okay, so let’s not waste much of your time and get started? URL: https://anattacker31337.000webhostapp.com/ You will find a web application hosted on this particular domain, when you open it, it looks like: So, i have written all the goals you need to achieve into a file named ‘goals.html’, You can find the file on index page.
  • 6.
    So, basically youwill be given the credentials which you can find on the index page of the challenge itself and those login credentials are of the ‘accountant’ username which have less privileges than the superadmin’s account. And i am echoing the current and active username and password on index page, in case someone changes it and you can still login. So, my target was to make you login and then make you penetrate from the user ‘s dashboard.
  • 7.
    Now once youlogin with those given credentials, the screen looks something like: I intentionally kept this ‘password change mechanism’ here and nothing else so that you can concentrate on this password fields and can draw the application flow as you do on any other Black Box PT’s. People trying, were continuously throwing blind payloads to the password field, and some of them were even throwing XSS payloads their without knowing the applications work flow. So before we start explaining the exploitation let’s discuss how the application is working? Actually the whole exploitation depends on the one line of code. Query: `UPDATE `users` SET `password` = ‘“.htmlspecialchars(mysqli_real_escape_string($connect, $pass_word)).”’ WHERE `users`.`id` = “.mysqli_real_escape_string($connect,$id).”;` Can you see the MySQL query is taking inputs on the id parameter?
  • 8.
    And you willknow if you have poked around, you can’t see the ID parameter sending some ‘magical’ values to server, until and unless you opens up the Cookie Manager to see whats happening? Screenshot to the Cookie Manager. Can you see the name of the cookie ‘poordev’ which is taking one parameter and the value, which is the database’s uniquely identified key, known as the primary key which cannot have duplicates. So basically this is the application flow. 1. Changing the password, the application sends a request through the cookies with a numeric value which is not only in my case but for everyone who is logging in into the ‘accountant’’s account. 2. I am sure it’s now clear about the ‘$id’ parameter which is taking the inputs? Remember? The $id parameter basically takes the input of the uniquely identified key in the backend pointing to a particular account associated with that particular number. What if an attacker manipulates the numeric value in $id parameter in the cookie section? Which is possible because the cookies are on the client side which is tamperable, which might fool the application and can make the application do the things, which the application is not intended to do.
  • 9.
    So here’s thetable structure of the ‘’users’’ table. You may ask, how you will know the exact id number as you don’t have the database access, in this case you need to bruteforce the “id” and try to login with same changed password everytime you change the id.Can you see the accountant’s account is associated with id = ‘1' ? and if you notice the superadmin’s account is associated with the id ‘6’ and now if we relate the SQL query it’s updating the password field by identifying it by the primary key ‘id’. So i used the cookie manager to replace the id parameter’s value 1 with 6 after changing the password to “1234”.
  • 10.
    save it refreshthe page. Once you refresh the page you will see the same “Successfully password update” message which means you have successfully changed the superadmin’s account’s password to 1234. And there you go.. boom! Logged in as the superadmin and then you see my awesome looking face greeting you.
  • 11.
    Types of challenges CTFsusually showcase different challenges that utilize or exercise specific areas of focus. Some popular areas of focus are: • Programming These types of tasks usually require some sort of programming to solve. In most cases, it will involve a mixture of programming and some reverse engineering. • “Crypto” These challenges feature common “real world” scenarios that often include the ever-popular ransomware type of malware. • Exploitation These tasks will force you to determine how to exploit (using buffer overflow, string format, SQL injection, etc.…) a given running process on the CTF target machine. • Reverse Engineering For tasks like this, reverse engineering will usually be required, for example, when the server sends you an executable. CTF preparedness If you’ve never experienced a CTF event before, don’t get frustrated or give up, because the key to any type of hacking is patience. While this is sometimes a difficult thing to have, the only way to learn is to persist and practice on your own (see this post further down on how to practice) and maybe next time you’ll score first place! One thing you can try to do during your first CTF event, if possible, is find a experienced team that’s willing to let you join them. Make sure you’re clear that this is your first CTF event and you’d really love for them to show you the ropes.
  • 12.
    Members of theInfoSec community are usually very willing to share their knowledge with anyone interested in trying to learn and grow in this field. At the same time, however, one common theme you also often hear in the community is that there is a shortage of talent. At times this can be a very real struggle, and many professionals who have worked their way up in the field have spent considerable time to do so, sacrificing much to learn, practice and hone their craft. For this reason, before reaching out for help with basic questions, you should first research the topic and make an effort to figure things out on your own. Within the InfoSec community, trust isn’t something you can place value on. If your job is to hack into a client’s network, they last thing anyone wants is for that sensitive information to be shared with anyone outside of the team. Trust is a critical component of this relationship and I cannot express enough how important it is to remain ethical during competitions as well. Real World benefits Looking to start a career in cyber security or raise your industry profile? A CTF competition is a great place to start. These events are often closely watched and attended by recruiters and management hoping to spot budding talent and headhunt existing professionals. Job seeking or not, a CTF is one of the best ways to challenge your expertise inside a safe, forgiving and collaborative environment, whether you are a student, enthusiast or security guru. Aside from the clear technical development benefits, CTFs also offer participants a great opportunity to work on their soft skills, such as communication, teamwork, time management, problem-solving and adaptability. Despite the competitive environment, the occasion also has a strong social element. It gives players a chance to meet up in real life to network, share knowledge and bond over common goals, experiences and interests. But if you are the kind of person that likes to go for gold, many CTFs, through sponsorship and funding, offer generous prizes. Finally, CTFs are beneficial to security researchers and academics who can use the attack data and network traffic generated during competitions as case studies to help model, predict and prevent real-world security incidents.
  • 13.
    How to participate CTFcompetitions are held in a variety of shapes, sizes and formats around the world each year. The popularity of these events is increasing as interest in cybersecurity and ethical hacking rapidly enters the mainstream. Typically, CTF events operate on a bring-your-own-device (BYOD) basis, meaning players who wish to play will need to bring their own laptop to take part. However, it’s possible to run a CTF with the appropriate setup and permission to utilize existing infrastructure, such as a high school, college, office or even public computer lab. If you are interested in taking part in a CTF competition, conduct a quick online search or chat with a local IT security professional or computer science professor to find an event near you. There is plenty of information and platforms online to help prospective participants prepare, train and even find a team for an upcoming CTF event. The CTF field guide is a brilliant resource to get started. First-timers should not overprepare or worry too much. CTF games are inclusive events with open and welcoming atmospheres. If you do not have a team to play with, you will be assigned one prior to the competition or on the day. Tools for web vulnerability hunting or web exploitation • Burp Suite – commonly used for web application security testing and usually for finding manual • web vulnerabilities which has an intercepting proxy and customizable plugins • OWASP ZAP – an Open Web Application Security Project similar to Burp but free and open source • WPScan – a blackbox WordPress Vulnerability Scanner • W3af – open source web application security scanner • OWASP Dirbuster – directory bruteforce or discovery tool • Bizploit – open source ERP Penetration Testing framework
  • 14.
    Tools for Networking •aircrack-ng Suite – an open source WEP/WPA/WPA2 cracking tool which is usually bundled in most pentesting distributions • reaver – WiFi Protected Setup attacker tool • Kismet – 802.11 layer2 wireless network detector, sniffer, and intrusion detection system • Pixiewps – a tool used to bruteforce offline the WPS pin exploiting the low or non- existing entropy of some APs (pixie dust attack) • Nmap – an open source port scanner which has plugins for vulnerability assessment and net discovery • Wireshark – network sniffer and network protocol analyzer for Unix and Windows • Netcat -the TCP/IP swiss army • Captipper – a python tool to analyze, explore, and revive HTTP malicious traffic • Scapy – a powerful interactive packet manipulation program Tools for Your Protection in Attack in Defend • Snort – lightweight and free network intrusion detection system for UNIX and Windows • Iptables • Any Antivirus and Two-Way firewall will do • Chellam – Wi-Fi IDS/Firewall for Windows which detect Wi-Fi attacks, such as Honeypots, Evil Twins, Mis-association, and Hosted Network based backdoors etc., against a Windows based client without the need of custom hardware or drivers • peepdf – Python tool to explore PDF files in order to find out if the file can be harmful or not • Android IMSI-Catcher Detector – Android app for detecting IMSI-Catcher
  • 15.
    Some Linux DistributionsIdeal for CTF • Santoku Linux – GNU/Linux distribution or distro designed for helping you in every aspect of your mobile forensics, mobile malware analysis, reverse engineering and security testing needs • Kali Linux – a fully packed penetration testing Linux distribution based on Debian • Backbox Linux – a simplistic penetration testing distro based on Ubuntu • CAINE – Computer Aided Investigative Environment is a Live GNU/Linux distribution which is aimed for digital forensics • DEFT Linux – Digital Evidence & Forensics Toolkit Linux distribution CTF Guides and Resources • Practice CTF List / Permanent CTF List – a good collection and resource of CTFs that are long-running • Vulnhub – vulnerable machines you can practice or for your pentest laboratory • CTF Resources – a repository and an archive of general topics for CTF and is somehow the same with Trail of Bits CTF Guide • Forensics Wiki – a wiki designed for computer forensics
  • 16.
    Rules and Regulation Let'sstart with some common rules - specifically what you and your team cannot do. • It's strictly forbidden to perform any kind of Denial of Service Attack (DoS/DDoS) against the servers or the competition's infrastructure. • Do NOT try to use Brute Force on the flag submission system because the flags are not possible to guess. • Do NOT try to exchange flags or write-ups during the competition. • Do NOT share recent discoveries related to challenges publicly on IRC channels, nor in any other way with contestants of other teams. • Clues will be given in a direct or indirect form, stay alert! • The flag pattern will be as follows for example (CTF-BR{flag_here}). • The competition will last for 48 hours in a row, breaks/no breaks (as said by incharge). • The teams may have as many members as they want (differ by the company). • Any kind of violation of these rules will mean immediate disqualification of the team. Most important rule: Have fun and Learn a lot! 😊
  • 17.