“CAPTURE THE FLAG”
If you’re going to make a living in defense, you have to think like the offense.
Submitted by
Kachkad Narender
December, 2018
Contents
• How a CTF Competition works
• Example
• Types of challenges
• CTF preparedness
• Real World benefits
• How to participate
• Tools for web vulnerability hunting or web exploitation
• Tools for Networking
• Tools for Your Protection in Attack and Defend
• Some Linux Distributions Ideal for CTF
• CTF Guides and Resources
• Rules and Regulation
• References
Cyber security is a high priority for companies, small and large, as cyber attacks have been on the
rise in recent years. In response, security professionals and college students undergo rigorous
training in how attackers break into companies and how to defend against them. One form of cyber
security training is the cyber security capture the flag (CTF) event. A cyber security CTF is a
competition between security professionals and/or students learning about cyber security. It serves
as a learning tool for anyone interested in cyber security and helps sharpen the skills learned
during training.
The first cyber security CTF was developed and hosted in 1996 at DEFCON in Las Vegas, Nevada.
DEFCON is the largest cyber security conference in the United States; it was started in 1993 by
Jeff Moss. DEFCON became a platform for skills competitions, and as the Internet grew, both DEFCON
and CTF competitions grew with it. CTF competitions have become global: they have no borders and
can be played over the Internet, with international teams competing for prizes and bragging rights.
How a CTF Competition works
CTF, or Capture the Flag, is a traditional competition or war game at hacker conferences such as
DEFCON, ROOTCON and HITB, and at some hackathons. CTF games are usually categorized as Attack and
Defend, Exploit Development, Packet Capture Analysis, Web Hacking, Digital Puzzles, Cryptography,
Steganography, Reverse Engineering, Binary Analysis, Mobile Security, and so on.
Capture the Flag (CTF) is a special kind of information security competition. There are three
common types of CTF: Jeopardy, Attack-Defence and mixed.
The Jeopardy-style CTF resembles the actual Jeopardy game: the scoreboard looks like a Jeopardy
board with different categories and point values. There can be more than two teams, since the
teams are not attacking each other. Categories can include Cryptography, Steganography, Physical
Security and Scanning, among many others. Some challenges are solved against a server built for
the CTF; the flag recovered is entered into the CTF scoreboard to earn points for the team. A timer
starts and stops the CTF, and once it runs out the game is over. The team with the most points at
the end wins.
In an attack-defend CTF, each team attacks the other team's systems while defending its own.
Usually there are two rounds of play: one team attacks and the other defends in the first round,
and they switch for the second. Flags (text files, folders, images, etc.) are placed on the
defending machines, and the attacking team tries to find them as it compromises those machines. The
attacking team may use different hacking tools to compromise the defenders' machines, but rules are
in place so that no team has an unfair advantage over the other. The defending team can do anything
within the rules to defend its machines, but it may not disable network connections or turn the
machines off. Any rule violation incurs a penalty or disqualification.
Finally, a mixed CTF is arguably the most challenging for participants. Combining Jeopardy and
attack-defence styles, successful teams must divide their efforts strategically and play to each
member's strengths, completing security challenges while simultaneously breaking into target
vulnerable systems, maintaining access to those machines and defending them against their
competitors.
The winner is usually the team or individual with the most points at the end of the game. As at
many sporting events, prizes are commonly awarded for first, second and third place. In the
interest of contest integrity and respect for the game platform, CTF ground rules are shared with
participants before the event. Violating these rules may result in restrictions or even
elimination from the competition.
CTFs are now global and can be held online or in person. The Open Web Application Security Project
(OWASP) San Diego chapter has usually run a Jeopardy-style CTF once a year in which participants
learn to pick locks and use other tools to complete the competition. The National Cyber League
(NCL) is another CTF, aimed at university students and faculty; the NCL can be used as a curriculum
for teaching students about cyber security. Many other CTFs are listed on the CTFTime website.
Example
This is the solution for one of the easiest Capture the Flag challenges.
Okay, so let's not waste your time and get started.
URL: https://anattacker31337.000webhostapp.com/
You will find a web application hosted on this domain; when you open it, it looks like this:
I have written all the goals you need to achieve into a file named 'goals.html', which you can find
on the index page.
You will be given credentials, which you can find on the index page of the challenge itself; those
login credentials belong to the 'accountant' user, which has fewer privileges than the superadmin
account.
I am echoing the current, active username and password on the index page so that if someone
changes it you can still log in.
So my goal was to have you log in and then escalate from the user's dashboard.
Once you log in with the given credentials, the screen looks something like this:
I intentionally kept this 'password change mechanism' here and nothing else, so that you can
concentrate on these password fields and map the application flow as you would in any other
black-box penetration test.
People trying the challenge kept throwing blind payloads at the password field, and some of them
even threw XSS payloads there without understanding the application's workflow.
So, before explaining the exploitation, let's discuss how the application works.
Actually, the whole exploitation depends on one line of code.
Query (PHP, with the quotes as they appear in the source corrected to straight quotes):
$query = "UPDATE `users` SET `password` = '" . htmlspecialchars(mysqli_real_escape_string($connect, $pass_word)) . "' WHERE `users`.`id` = " . mysqli_real_escape_string($connect, $id) . ";";
Can you see that the MySQL query takes input for the id parameter?
If you have poked around you will know that you cannot see the ID parameter sending any 'magical'
values to the server, unless you open the Cookie Manager to see what is happening.
Screenshot of the Cookie Manager.
Notice the cookie named 'poordev', which carries a single value: the database's unique identifier
for the row, the primary key, which cannot have duplicates.
So this is the application flow:
1. When changing the password, the application sends the request with a numeric value carried in
the cookie. This is not specific to my session; it is the same for everyone who logs in to the
'accountant' account.
2. It should now be clear that the '$id' parameter takes that input. Remember?
The $id parameter takes the unique key that points, in the backend, to the particular account
associated with that number.
What if an attacker manipulates the numeric value of $id in the cookie? This is possible because
cookies live on the client side and can be tampered with, which might fool the application into
doing things it is not intended to do.
Here is the table structure of the 'users' table.
You may ask how you would know the exact id number when you don't have database access; in that
case you need to brute-force the 'id', trying to log in with the same changed password each time
you change the id. Can you see that the accountant's account is associated with id = '1'? And if
you notice, the superadmin's account is associated with id '6'. Now, relating this to the SQL
query, it updates the password field for the row identified by the primary key 'id'.
So I used the cookie manager to replace the id value 1 with 6 after changing the password to
"1234".
Save it and refresh the page. Once you refresh, you will see the same "Successfully password
update" message, which means you have successfully changed the superadmin account's password to
1234.
And there you go... boom! Logged in as the superadmin, and you see my awesome-looking face
greeting you.
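The flaw above is a missing authorization check (an insecure direct object reference): the password-change handler trusts a user id supplied by the client in the 'poordev' cookie. The following is an added example, not code from the challenge or its author, that reproduces the flow in Python against an in-memory SQLite table: the vulnerable handler beside a hardened one that takes the subject from server-side session state, plus the brute-force loop the write-up describes. The table contents, the usernames, the ids (accountant = 1, superadmin = 6), the salted PBKDF2 storage and the session dictionary are all constructed assumptions; the challenge itself stored passwords differently.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed users table; ids mirror the write-up (accountant=1, superadmin=6).
SEED_USERS = [
    (1, "accountant", "acc0untant!"),
    (2, "intern", "intern2018"),
    (3, "hr", "hr-pass"),
    (4, "sales", "s4les"),
    (5, "ops", "0ps"),
    (6, "superadmin", "unknown-to-attacker"),
]


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme for this example (the challenge's real one is not shown).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
               "salt BLOB, password BLOB)")
    for uid, name, pw in SEED_USERS:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (uid, name, salt, _hash(pw, salt)))
    db.commit()
    return db


def login(db, username: str, password: str):
    """Return the user's id on success, None on failure."""
    row = db.execute("SELECT id, salt, password FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    uid, salt, stored = row
    return uid if hmac.compare_digest(_hash(password, salt), stored) else None


def _set_password(db, uid: int, new_password: str) -> int:
    """The UPDATE from the write-up; returns the number of rows changed."""
    salt = os.urandom(16)
    cur = db.execute("UPDATE users SET salt = ?, password = ? WHERE id = ?",
                     (salt, _hash(new_password, salt), uid))
    db.commit()
    return cur.rowcount


def change_password_vulnerable(db, cookies: dict, new_password: str) -> int:
    """Mirrors the challenge: the row to update comes from the client-side
    'poordev' cookie. Escaping the value, as the PHP did, only governs how the
    value is placed in the query; it never asks whether this user may update
    that row, so any logged-in user can reset any account."""
    uid = int(cookies["poordev"])  # attacker-controlled
    return _set_password(db, uid, new_password)


def change_password_fixed(db, session: dict, cookies: dict, new_password: str) -> int:
    """Hardened: the subject is the authenticated user recorded in server-side
    session state at login. The cookie is never consulted."""
    uid = session["user_id"]
    return _set_password(db, uid, new_password)


def find_target_id(db, target_user: str, max_id: int = 10, new_password: str = "1234"):
    """The brute-force step from the write-up: bump the cookie id, reset that
    row's password, and try to log in as the target with the chosen password.
    This clobbers every other user's password on the way, acceptable in a CTF
    and a serious side effect on a real engagement."""
    for guess in range(1, max_id + 1):
        change_password_vulnerable(db, {"poordev": str(guess)}, new_password)
        if login(db, target_user, new_password) == guess:
            return guess
    return None


def demo() -> dict:
    results = {}
    # Vulnerable path: the accountant (id 1) tampers the cookie to 6.
    db = make_db()
    results["accountant_login"] = login(db, "accountant", "acc0untant!")
    results["tampered_rows"] = change_password_vulnerable(db, {"poordev": "6"}, "1234")
    results["superadmin_after_tamper"] = login(db, "superadmin", "1234")
    # Same attack when the target id has to be discovered.
    results["bruteforced_id"] = find_target_id(make_db(), "superadmin")
    # Hardened path: the same tampered cookie is ignored.
    db = make_db()
    session = {"user_id": login(db, "accountant", "acc0untant!")}
    results["fixed_rows"] = change_password_fixed(db, session, {"poordev": "6"}, "1234")
    results["superadmin_after_fix"] = login(db, "superadmin", "1234")
    results["accountant_after_fix"] = login(db, "accountant", "1234")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the tampered cookie resetting the superadmin's password through the vulnerable handler (and the loop recovering id 6), while the hardened handler only ever touches the accountant's own row. The design point is that the identity of the acting user must come from state the server established at login, never from a value the client can edit; casting or escaping the cookie value does not change that.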
Types of challenges
CTFs usually present challenges that exercise specific areas of focus. Some popular areas are:
• Programming
These tasks usually require some programming to solve. In most cases they involve a mixture of
programming and some reverse engineering.
• "Crypto"
These challenges involve identifying, breaking or implementing cryptography, often in common "real
world" scenarios such as the encryption used by the ever-popular ransomware type of malware.
• Exploitation
These tasks require you to work out how to exploit (via buffer overflow, format string, SQL
injection, etc.) a given running process on the CTF target machine.
• Reverse Engineering
For tasks like this, reverse engineering is usually required, for example when the server hands
you an executable.
CTF preparedness
If you have never experienced a CTF event before, don't get frustrated or give up, because the key
to any type of hacking is patience. While this is sometimes a difficult thing to have, the only way
to learn is to persist and practice on your own (see the guides and resources further down) and
maybe next time you'll score first place. One thing you can try during your first CTF event, if
possible, is to find an experienced team that is willing to let you join them. Make sure you are
clear that this is your first CTF event and that you would really love for them to show you the
ropes.
Members of the InfoSec community are usually very willing to share their knowledge with anyone
interested in learning and growing in this field. At the same time, however, one common theme you
often hear in the community is that there is a shortage of talent. At times this can be a very real
struggle, and many professionals who have worked their way up in the field have spent considerable
time doing so, sacrificing much to learn, practice and hone their craft. For this reason, before
reaching out for help with basic questions, you should first research the topic and make an effort
to figure things out on your own.
Within the InfoSec community, trust is something you cannot put a price on. If your job is to hack
into a client's network, the last thing anyone wants is for that sensitive information to be shared
with anyone outside the team. Trust is a critical component of this relationship, and I cannot
express enough how important it is to remain ethical during competitions as well.
Real World benefits
Looking to start a career in cyber security or raise your industry profile? A CTF competition is a
great place to start. These events are often closely watched and attended by recruiters and
management hoping to spot budding talent and headhunt existing professionals.
Job seeking or not, a CTF is one of the best ways to challenge your expertise inside a safe,
forgiving and collaborative environment, whether you are a student, enthusiast or security guru.
Aside from the clear technical development benefits, CTFs also offer participants a great
opportunity to work on their soft skills, such as communication, teamwork, time management,
problem-solving and adaptability.
Despite the competitive environment, the occasion also has a strong social element. It gives
players a chance to meet up in real life to network, share knowledge and bond over common
goals, experiences and interests. But if you are the kind of person that likes to go for gold, many
CTFs, through sponsorship and funding, offer generous prizes.
Finally, CTFs are beneficial to security researchers and academics who can use the attack data
and network traffic generated during competitions as case studies to help model, predict and
prevent real-world security incidents.
How to participate
CTF competitions are held in a variety of shapes, sizes and formats around the world each year.
The popularity of these events is increasing as interest in cybersecurity and ethical hacking
rapidly enters the mainstream.
Typically, CTF events operate on a bring-your-own-device (BYOD) basis, meaning players who
wish to play will need to bring their own laptop to take part. However, it’s possible to run a CTF
with the appropriate setup and permission to utilize existing infrastructure, such as a high school,
college, office or even public computer lab.
If you are interested in taking part in a CTF competition, conduct a quick online search or chat
with a local IT security professional or computer science professor to find an event near you.
There is plenty of information and many platforms online to help prospective participants prepare,
train and even find a team for an upcoming CTF event. The Trail of Bits CTF Field Guide is a
brilliant resource to get started.
First-timers should not overprepare or worry too much. CTF games are inclusive events with
open and welcoming atmospheres. If you do not have a team to play with, you will be assigned
one prior to the competition or on the day.
Tools for web vulnerability hunting or web exploitation
• Burp Suite – commonly used for web application security testing, usually for finding web
vulnerabilities manually; it has an intercepting proxy and customizable plugins
• OWASP ZAP – an Open Web Application Security Project tool similar to Burp but free and open
source
• WPScan – a black-box WordPress vulnerability scanner
• w3af – open source web application security scanner
• OWASP DirBuster – directory brute-force or discovery tool
• Bizploit – open source ERP penetration testing framework
Tools for Networking
• aircrack-ng suite – an open source WEP/WPA/WPA2 cracking toolkit, bundled in most pentesting
distributions
• reaver – Wi-Fi Protected Setup (WPS) attack tool
• Kismet – 802.11 layer-2 wireless network detector, sniffer and intrusion detection system
• Pixiewps – a tool for brute-forcing the WPS PIN offline by exploiting the low or non-existent
entropy of some access points (the "pixie dust" attack)
• Nmap – an open source port scanner with a scripting engine for vulnerability assessment and
network discovery
• Wireshark – network sniffer and protocol analyzer for Unix and Windows
• Netcat – the TCP/IP Swiss army knife
• CapTipper – a Python tool to analyze, explore and revive malicious HTTP traffic
• Scapy – a powerful interactive packet manipulation program
Tools for Your Protection in Attack and Defend
• Snort – lightweight and free network intrusion detection system for UNIX and Windows
• iptables – the Linux host firewall
• Any antivirus and two-way firewall will do
• Chellam – Wi-Fi IDS/firewall for Windows which detects Wi-Fi attacks such as honeypots, evil
twins, mis-association and Hosted Network based backdoors against a Windows client, without
custom hardware or drivers
• peepdf – Python tool to explore PDF files in order to find out whether the file can be harmful
• Android IMSI-Catcher Detector – Android app for detecting IMSI catchers
Some Linux Distributions Ideal for CTF
• Santoku Linux – a GNU/Linux distribution designed to help with every aspect of mobile forensics,
mobile malware analysis, reverse engineering and security testing
• Kali Linux – a fully packed penetration testing Linux distribution based on Debian
• BackBox Linux – a simple penetration testing distribution based on Ubuntu
• CAINE – Computer Aided Investigative Environment, a live GNU/Linux distribution aimed at digital
forensics
• DEFT Linux – Digital Evidence & Forensics Toolkit Linux distribution
CTF Guides and Resources
• Practice CTF List / Permanent CTF List – a good collection of CTFs that are long-running
• VulnHub – vulnerable machines you can practice on, or use in your pentest laboratory
• CTF Resources – a repository and archive of general CTF topics, similar in scope to the Trail of
Bits CTF Field Guide
• Forensics Wiki – a wiki designed for computer forensics
Rules and Regulation
Let's start with some common rules, specifically what you and your team cannot do.
• It is strictly forbidden to perform any kind of denial of service attack (DoS/DDoS) against the
servers or the competition's infrastructure.
• Do NOT try to brute-force the flag submission system; the flags are not guessable.
• Do NOT exchange flags or write-ups during the competition.
• Do NOT share recent discoveries related to challenges publicly on IRC channels, or in any other
way with contestants from other teams.
• Clues will be given in direct or indirect form, so stay alert.
• The flag pattern will be of the form, for example, CTF-BR{flag_here}.
• The competition will last for 48 hours in a row, with or without breaks, as decided by the
organizers.
• Teams may have as many members as they want (this varies by organizer).
• Any violation of these rules means immediate disqualification of the team.
Most important rule: have fun and learn a lot!
References
https://blogs.cisco.com/perspectives/cyber-security-capture-the-flag-ctf-what-is-it
https://securityintelligence.com/behind-the-scenes-at-a-capture-the-flag-ctf-competition/
https://pwn2win.party/rules/?lang=br
https://medium.com/secjuice/hack-the-superadmin-uncle-organisations-ctf-solution-dd8bbe042945
https://www.alienvault.com/blogs/security-essentials/capture-the-flag-ctf-what-is-it-for-a-newbie
https://ctftime.org/ctf-wtf/

Capture the flag

  • 1.
    “CAPTURE THE FLAG” Ifyou’re going to make a living in defense, you have to think like the offense. Submitted by Kachkad Narender December, 2018
  • 2.
    Content ……………………………………………………………………………………… • How aCTF Competition works • Example • Types of challenges • CTF preparedness • Real World benefits • How to participate • Tools for web vulnerability hunting or web exploitation • Tools for Networking • Tools for Your Protection in Attack in Defend • Some Linux Distributions Ideal for CTF • CTF Guides and Resources • Rules and Regulation • Reference
  • 3.
    Cyber security isa high priority of companies, small and big, as cyber attacks have been on the rise in recent years. In response to these attacks, security professionals and college students have been through rigorous training as how hackers are able to get into the companies and how to defend against them. One way of cyber security training is through a cyber security capture the flag (CTF) event. A cyber security CTF is a competition between security professionals and/or students learning about cyber security. This competition is used as a learning tool for everyone that is interested in cyber security and it can help sharpen the tools they have learned during their training. The very first cyber security CTF developed and hosted was in 1996 at DEFCON in Las Vegas, Nevada. DEFCON is the largest cyber security conference in the United States and it was officially started in 1993 by Jeff Moss. DEFCON had become a platform for a skills competition and as the Internet grew, both DEFCON and the CTF competitions did as well. CTF competitions have become global as they did not have any borders and can be done via the Internet. International teams were competing for different types of prizes and bragging rights. How a CTF Competition works CTF or Capture the Flag is a traditional competition or war game in any hacker conferences like DEFCON, ROOTCON, HITB and some hackathons. CTF games are usually categorized in the form of Attack and Defend Style, Exploit Development, Packet Capture Analysis, Web Hacking, Digital Puzzles, Cryptography, Stego, Reverse Engineering, Binary Analysis, Mobile Security, etc. Capture the Flag (CTF) is a special kind of information security competitions. There are three common types of CTFs: Jeopardy, Attack-Defence and mixed The Jeopardy-style CTF is similar to the actual Jeopardy game as the scoreboard looks like a Jeopardy board with different categories and point values. 
There can be more than two teams as the teams are not trying to attack each other. Some of the categories can include Cryptography, Steganography, Physical Security and Scanning. There are several other categories that can be used. Some of the challenges can be done against a main server that was developed for the CTF and the flag is inputted into the CTF scoreboard to get points for the team. A timer is used to start and stop the CTF and once the timer finishes, the game is over. The team with the most points at the end wins.
  • 4.
    Well, attack-defend CTFis where each team attacks the other team’s system, as well as defend their own system. Usually, there are two rounds of game play in which one team is the attacking team and the other team is the defending team in the first round and then they switch for the second round. There are flags (text files, folders, images, etc.) in the defending machines that the attacking team attempts to find as they compromise the machines. The attacking team is able to use different hacking tools in order to compromise the defending machines but there are rules in place to ensure that the teams are not at an advantage over the other. The defending team can do anything within the rules to defend their machines against the attacking team. They are not allowed to disable any network connections or turn off the machines. If there is any rule violation, the team will incur a penalty or be disqualified. Finally, a mixed CTF is arguably the most challenging for participants. Combining jeopardy and attack-defense styles, successful teams must strategically divide their efforts and play to each of their member’s strengths by completing security challenges while simultaneously hacking into target vulnerable systems, maintaining access to these machines and defending them against their competitors. The winner is usually the team or individual with the most points at the end of the game. Like many sporting events, prizes are commonly awarded for first, second and third place. In the interest of contest integrity and respect for the game platform, CTF ground rules are shared with participants prior to the event. Violation of these rules may result in restrictions or even elimination from the competition. CTFs are now global and can be online or in the same geographical area. 
Open Web Application Security Project (OWASP) San Diego would usually do a Jeopardy-style CTF once a year that participants are able to learn how to pick locks and use other tools to complete the CTF competition. The National Cyber League (NCL) is another CTF that is for students and faculty of universities and the NCL can be used as a curriculum in order to teach the students about cyber security. There are several other CTFs that are available and can be found on the CTFTime website.
  • 5.
    Example This the solutionfor the Capture the Flag Challenge and one of the easiest challenges Okay, so let’s not waste much of your time and get started? URL: https://anattacker31337.000webhostapp.com/ You will find a web application hosted on this particular domain, when you open it, it looks like: So, i have written all the goals you need to achieve into a file named ‘goals.html’, You can find the file on index page.
  • 6.
    So, basically youwill be given the credentials which you can find on the index page of the challenge itself and those login credentials are of the ‘accountant’ username which have less privileges than the superadmin’s account. And i am echoing the current and active username and password on index page, in case someone changes it and you can still login. So, my target was to make you login and then make you penetrate from the user ‘s dashboard.
  • 7.
    Now once youlogin with those given credentials, the screen looks something like: I intentionally kept this ‘password change mechanism’ here and nothing else so that you can concentrate on this password fields and can draw the application flow as you do on any other Black Box PT’s. People trying, were continuously throwing blind payloads to the password field, and some of them were even throwing XSS payloads their without knowing the applications work flow. So before we start explaining the exploitation let’s discuss how the application is working? Actually the whole exploitation depends on the one line of code. Query: `UPDATE `users` SET `password` = ‘“.htmlspecialchars(mysqli_real_escape_string($connect, $pass_word)).”’ WHERE `users`.`id` = “.mysqli_real_escape_string($connect,$id).”;` Can you see the MySQL query is taking inputs on the id parameter?
  • 8.
    And you willknow if you have poked around, you can’t see the ID parameter sending some ‘magical’ values to server, until and unless you opens up the Cookie Manager to see whats happening? Screenshot to the Cookie Manager. Can you see the name of the cookie ‘poordev’ which is taking one parameter and the value, which is the database’s uniquely identified key, known as the primary key which cannot have duplicates. So basically this is the application flow. 1. Changing the password, the application sends a request through the cookies with a numeric value which is not only in my case but for everyone who is logging in into the ‘accountant’’s account. 2. I am sure it’s now clear about the ‘$id’ parameter which is taking the inputs? Remember? The $id parameter basically takes the input of the uniquely identified key in the backend pointing to a particular account associated with that particular number. What if an attacker manipulates the numeric value in $id parameter in the cookie section? Which is possible because the cookies are on the client side which is tamperable, which might fool the application and can make the application do the things, which the application is not intended to do.
  • 9.
    So here’s thetable structure of the ‘’users’’ table. You may ask, how you will know the exact id number as you don’t have the database access, in this case you need to bruteforce the “id” and try to login with same changed password everytime you change the id.Can you see the accountant’s account is associated with id = ‘1' ? and if you notice the superadmin’s account is associated with the id ‘6’ and now if we relate the SQL query it’s updating the password field by identifying it by the primary key ‘id’. So i used the cookie manager to replace the id parameter’s value 1 with 6 after changing the password to “1234”.
  • 10.
    save it refreshthe page. Once you refresh the page you will see the same “Successfully password update” message which means you have successfully changed the superadmin’s account’s password to 1234. And there you go.. boom! Logged in as the superadmin and then you see my awesome looking face greeting you.
  • 11.
    Types of challenges CTFsusually showcase different challenges that utilize or exercise specific areas of focus. Some popular areas of focus are: • Programming These types of tasks usually require some sort of programming to solve. In most cases, it will involve a mixture of programming and some reverse engineering. • “Crypto” These challenges feature common “real world” scenarios that often include the ever-popular ransomware type of malware. • Exploitation These tasks will force you to determine how to exploit (using buffer overflow, string format, SQL injection, etc.…) a given running process on the CTF target machine. • Reverse Engineering For tasks like this, reverse engineering will usually be required, for example, when the server sends you an executable. CTF preparedness If you’ve never experienced a CTF event before, don’t get frustrated or give up, because the key to any type of hacking is patience. While this is sometimes a difficult thing to have, the only way to learn is to persist and practice on your own (see this post further down on how to practice) and maybe next time you’ll score first place! One thing you can try to do during your first CTF event, if possible, is find a experienced team that’s willing to let you join them. Make sure you’re clear that this is your first CTF event and you’d really love for them to show you the ropes.
  • 12.
    Members of theInfoSec community are usually very willing to share their knowledge with anyone interested in trying to learn and grow in this field. At the same time, however, one common theme you also often hear in the community is that there is a shortage of talent. At times this can be a very real struggle, and many professionals who have worked their way up in the field have spent considerable time to do so, sacrificing much to learn, practice and hone their craft. For this reason, before reaching out for help with basic questions, you should first research the topic and make an effort to figure things out on your own. Within the InfoSec community, trust isn’t something you can place value on. If your job is to hack into a client’s network, they last thing anyone wants is for that sensitive information to be shared with anyone outside of the team. Trust is a critical component of this relationship and I cannot express enough how important it is to remain ethical during competitions as well. Real World benefits Looking to start a career in cyber security or raise your industry profile? A CTF competition is a great place to start. These events are often closely watched and attended by recruiters and management hoping to spot budding talent and headhunt existing professionals. Job seeking or not, a CTF is one of the best ways to challenge your expertise inside a safe, forgiving and collaborative environment, whether you are a student, enthusiast or security guru. Aside from the clear technical development benefits, CTFs also offer participants a great opportunity to work on their soft skills, such as communication, teamwork, time management, problem-solving and adaptability. Despite the competitive environment, the occasion also has a strong social element. It gives players a chance to meet up in real life to network, share knowledge and bond over common goals, experiences and interests. 
But if you are the kind of person that likes to go for gold, many CTFs, through sponsorship and funding, offer generous prizes. Finally, CTFs are beneficial to security researchers and academics who can use the attack data and network traffic generated during competitions as case studies to help model, predict and prevent real-world security incidents.
  • 13.
    How to participate CTFcompetitions are held in a variety of shapes, sizes and formats around the world each year. The popularity of these events is increasing as interest in cybersecurity and ethical hacking rapidly enters the mainstream. Typically, CTF events operate on a bring-your-own-device (BYOD) basis, meaning players who wish to play will need to bring their own laptop to take part. However, it’s possible to run a CTF with the appropriate setup and permission to utilize existing infrastructure, such as a high school, college, office or even public computer lab. If you are interested in taking part in a CTF competition, conduct a quick online search or chat with a local IT security professional or computer science professor to find an event near you. There is plenty of information and platforms online to help prospective participants prepare, train and even find a team for an upcoming CTF event. The CTF field guide is a brilliant resource to get started. First-timers should not overprepare or worry too much. CTF games are inclusive events with open and welcoming atmospheres. If you do not have a team to play with, you will be assigned one prior to the competition or on the day. Tools for web vulnerability hunting or web exploitation • Burp Suite – commonly used for web application security testing and usually for finding manual • web vulnerabilities which has an intercepting proxy and customizable plugins • OWASP ZAP – an Open Web Application Security Project similar to Burp but free and open source • WPScan – a blackbox WordPress Vulnerability Scanner • W3af – open source web application security scanner • OWASP Dirbuster – directory bruteforce or discovery tool • Bizploit – open source ERP Penetration Testing framework
Tools for Networking
• aircrack-ng Suite – an open source WEP/WPA/WPA2 cracking tool which is usually bundled in most pentesting distributions
• reaver – WiFi Protected Setup (WPS) attack tool
• Kismet – 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system
• Pixiewps – a tool used to brute-force the WPS PIN offline by exploiting the low or non-existent entropy of some APs (the "pixie dust" attack)
• Nmap – an open source port scanner which has plugins for vulnerability assessment and network discovery
• Wireshark – network sniffer and network protocol analyzer for Unix and Windows
• Netcat – the TCP/IP Swiss army knife
• CapTipper – a Python tool to analyze, explore, and revive malicious HTTP traffic
• Scapy – a powerful interactive packet manipulation program

Tools for Your Protection in Attack and Defend
• Snort – lightweight and free network intrusion detection system for UNIX and Windows
• iptables
• Any antivirus and two-way firewall will do
• Chellam – Wi-Fi IDS/firewall for Windows which detects Wi-Fi attacks, such as honeypots, evil twins, mis-association, and hosted-network based backdoors, against a Windows based client without the need for custom hardware or drivers
• peepdf – Python tool to explore PDF files in order to find out whether the file can be harmful or not
• Android IMSI-Catcher Detector – Android app for detecting IMSI catchers
Some Linux Distributions Ideal for CTF
• Santoku Linux – a GNU/Linux distribution (distro) designed to help with every aspect of mobile forensics, mobile malware analysis, reverse engineering and security testing
• Kali Linux – a fully packed penetration testing Linux distribution based on Debian
• BackBox Linux – a simple penetration testing distro based on Ubuntu
• CAINE – Computer Aided INvestigative Environment, a live GNU/Linux distribution aimed at digital forensics
• DEFT Linux – Digital Evidence & Forensics Toolkit Linux distribution

CTF Guides and Resources
• Practice CTF List / Permanent CTF List – a good collection of long-running CTFs
• Vulnhub – vulnerable machines you can practice on, or add to your pentest laboratory
• CTF Resources – a repository and archive of general CTF topics, similar to the Trail of Bits CTF Guide
• Forensics Wiki – a wiki designed for computer forensics
Rules and Regulation
Let's start with some common rules, specifically what you and your team cannot do.
• It is strictly forbidden to perform any kind of Denial of Service attack (DoS/DDoS) against the servers or the competition's infrastructure.
• Do NOT try to brute-force the flag submission system, because the flags are not possible to guess.
• Do NOT try to exchange flags or write-ups during the competition.
• Do NOT share recent discoveries related to challenges publicly on IRC channels, nor in any other way with contestants of other teams.
• Clues will be given in a direct or indirect form, so stay alert!
• The flag pattern will follow a fixed format, for example CTF-BR{flag_here}.
• The competition will last for 48 hours in a row, with or without breaks (as decided by the person in charge).
• Teams may have as many members as they want (this varies by the organizing company).
• Any kind of violation of these rules will mean immediate disqualification of the team.
Most important rule: Have fun and learn a lot! 😊