2. Agenda
- What is a CTF?
- CTF Types
- What to do in a CTF
- Types of Challenges
- How to Get Started
- Write-Up
- Demo
- Useful links
3. What is a CTF?
Capture the Flag (CTF) in computer security is an exercise in which "flags" are secretly
hidden in purposefully-vulnerable programs or websites.
It can either be for competitive or educational purposes. Competitors steal flags either
from other competitors (attack/defense-style CTFs) or from the organizers (jeopardy-
style challenges).
Several variations exist.
Competitions can include hiding flags in hardware devices, they can be both online or
in-person, and can be advanced or entry-level.
The game is based on the traditional outdoor sport of the same name.
4. CTF Types
Attack-Defense
This style of competition is much closer to the backyard capture the flag game than the Jeopardy style. In these types of
events, teams defend a host PC while still trying to attack opposing teams’ target PCs. Each team starts off with an
allotted time for patching and securing the PC, trying to discover as many vulnerabilities as possible before the opponent
attacking teams can strike. The team with the most points wins.
5. CTF Types
Jeopardy CTF
Jeopardy-style CTFs present competitors with a set of questions that reveal clues that guide them in solving complex tasks in a specific order. By revealing
clues, contestants learn the right direction regarding techniques and methodologies that are needed going forward. Teams receive points for each solved
task. The more difficult the task, the more points you can earn upon its successful completion. Ongoing, online CTF competitions are most likely to be
Jeopardy style. It’s easier to play solo and requires less coordination among players than an Attack and Defend competition.
6. CTF Types
Story based CTF
It is like the Jeopardy-style CTFs but the questions are presented in order. Solve the first question enable the player to advance to the next
question. This approach is good to explain a story telling and can be used to represent how the things and events happen during an incident.
7. What to do in CTF?
If you’ve never experienced a CTF event before, don’t get frustrated or give up,
because the key to any type of hacking is patience.
While this is sometimes a difficult thing to have, the only way to learn is to persist
and practice on your own.
Some challenge provides helps or hints and also if this can reduce the points
earned, this permits a player to advance to the next challenge.
8. Types of Challenges
Challenges are typically divided into 6 categories for CTF, common the types of
challenges are:
Web Reversing
Forensics OSINT
Cryptography Miscellaneous
9. How to Get Started
Before you even get to a CTF you should know what tools you need to win. As you
do practice exercises and go to CTFs, keep a list of tools you find yourself using
and keep them stored in one place on your computer.
You can start by setting up a Kali Linux (available also as virtual machine if you’re
using Windows), so you can get hands-on experience immediately.
When you’re ready, work through the CTF challenges, review the write-ups, and
maybe even enter a competition.
10. Write-Up
A CTF write-up is a document or blog post that explains how a particular challenge or task was
solved in a Capture The Flag (CTF) competition.
A CTF write-up provides a detailed explanation of the thought process, methodology, and
techniques used to solve a specific CTF challenge.
It typically includes a description of the challenge, the tools and resources used, and the steps
taken to solve the problem.
CTF write-ups can be very helpful to those who are new to CTFs or seeking to learn more about
specific topics in cybersecurity, as they provide insight into the strategies and techniques used by
experienced participants.
Additionally, CTF write-ups can be a useful reference for future CTF participants who may
encounter similar challenges.
13. Demo
The insider CTF consists in the following scenario:
After Karen started working for 'TAAUSAI,' she began to do some illegal activities
inside the company. 'TAAUSAI' hired you to kick off an investigation on this case.
You acquired a disk image and found that Karen uses Linux OS on her machine.
Analyze the disk image of Karen's computer and answer the provided questions.
14. Demo
The available information is an AD1 image.
AD1 images are files that are used to map and represent the Hard disk contents.
They can be adjusted to present the hard disk as a whole or just contain specific
necessary parts of the file system.
This type of file can be opened with tools such as FTK imager
(https://go.exterro.com/l/43312/2022-08-23/f7rylq)
19. Demo
Hashes are used to ensure file’s integrity and can be accessed by exporting the
hash list of the required log file.
The logs can be found in the varlog directory
20. Demo
The Apache access.log is located inside the apache2 folder.
Right-clicking on it we can select “Export File Hash List” thus obtaining the MD5
and SHA2 hashes.
21. Demo
The third question is:
It is believed that a credential dumping tool was downloaded? What is the file
name of the download?
22. Demo
To answer the question, we can locate the download folder.
By looking in it we can find the following file:
24. Demo
To answer the question, we can look inside the .bash_history file that stores the
history of the user commands entered through the command line.
This file can be found in the root directory.
25. Demo
The fifth question is:
What program used didyouthinkwedmakeiteasy.jpg during execution?
26. Demo
Looking inside the .bash_history file we can notice that the requested image was
provided as input to the binwalk program.
30. Demo
Looking again at the Apache log folder, we can notice that all the files are empty.
Therefore, we can conclude that Apache was not ran.
31. Demo
The eighth question is:
It is believed this machine was used to attack another. What file proves this?
32. Demo
Looking inside the hard disk, we can notice that inside the root directory there is
the irZLAohL.jpeg file that is a screenshot of the windows attacked machine.
Note: files with weird names should always attract your attention!
33. Demo
The ninth question is:
Within the Documents file path, it is believed that Karen was taunting a fellow
computer expert through a bash script. Who was Karen taunting?
34. Demo
Inside the document directory, there is the myfirsthack folder.
Inside it, there are different files. Among them, we can notice that the
firstscript_fixed file contains the following text:
36. Demo
“su” stands for switch user and allows to execute commands with different user
privileges.
If used without arguments, this command elevates the current user into a
superuser (root).
The /var/log directory contains the auth.log file that is used to store
authentication attempts.
39. Demo
To answer the question, we can look for the cd command in the bash history
which is used to change the current directory.
The last occurrence of this command is:
41. Demo
The RE101 CTF consists in…
a binary analysis exercise - a task security analysts do to understand how a specific
malware works and extract possible intel
42. Demo
The first question is:
File: MALWARE000 – I’ve used this new encryption I heard about online for my
warez; I bet you can’t find the flag!
43. Demo
To answer this question, we can use pestudio
(https://www.winitor.com/download) to open the file.
Inside the strings there is a Base64 encrypted string
44. Demo
This string can be decrypted using CyberChief (https://gchq.github.io/CyberChef/)
46. Demo
The file is written with the JSFuck language.
It can be opened with any text editor.
Then, the file content can be pasted here (https://www.dcode.fr/jsfuck-language)
to find the second flag:
console.log("flag<what_a_cheeky_language!1!>")
47. Demo
The third question is:
File: This is not JS – I’m tired of Javascript. Luckily, I found the grand-daddy of
that lame last language!
48. Demo
In this case, the file is written with the Brainfuck language.
It can be opened with any text editor.
Then, the file content can be pasted here (https://www.dcode.fr/brainfuck-
language) to find the third flag:
flag<Now_THIS_is_programming>
49. Demo
The fourth question is:
File: Unzip Me – I zipped flag.txt and encrypted it with the password “password”,
but I think the header got messed up… You can have the flag if you fix the file
50. Demo
In this case, we are dealing with a manipulated zip header.
To fix it we can compare the current header with a normal one.
To this aim we can use a hex editor such as HXD editor (https://mh-
nexus.de/en/downloads.php?product=HxD20)
51. Demo
A normal file zip file header has the following structure:
0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf
0x0000 Signature Version Flags Compression Mod Time Mod Date CRC-32
0x0010 CRC-32 Compressed size Uncompressed size Filename len Extra field len
0x0020 File name (variable size)
0x0030 Extra field (variable size)
53. Demo
Looking at the file name length (in bytes) we have
0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf
0x0000 Signature Version Flags Compression Mod Time Mod Date CRC-32
0x0010 CRC-32 Compressed size Uncompressed size Filename len Extra field len
0x0020 File name (variable size)
0x0030 Extra field (variable size)
55. Demo
Therefore, we have to modify the filename length to 08 00 and save the file as a
zip file.
By uncompressing it we obtain the flag:
flag<R3ad_th3_spec>
56. Demo
The fifth question is:
File: MALWARE101 – Apparently, my encryption isn’t so secure. I’ve got a new
way of hiding my flags!
57. Demo
To answer this question, we can use the IDA software (https://www.hex-
rays.com/ida-free/)
It is an interactive disassembler. IDA will give you hints about suspicious
instructions, unsolved problems and so on.
58. Demo
Opening the main function, we obtain the following set of strings:
garins>ksaT__lfstLCAOg<M
83. Demo
The sixth question is:
File: MALWARE201 – Ugh… I guess I’ll just roll my own encryption. I’m not too
good at math, but it looks good to me!
84. Demo
To answer this question, we can use again the IDA software and inspect the main
function we get
85. Demo
Inspecting the variable unk_40082B contains the encrypted flag:
0x6d,0x78,0x61,0x6c,0xdd,0x7e,0x65,0x7e,0x47,0x6a,0x4f,0xcc,0xf7,0xca,0x73,
0x68,0x55,0x42,0x53,0xdc,0xd7,0xd4,0x6b,0xec,0xdb,0xd2,0xe1,0x1c,0x6d,0xd
e,0xd1,0xc2
86. Demo
Looking at the pseudocode we obtain
From this, we see that we have to inspect the sub_400620 function
87. Demo
Doing so, we obtain
From this it is possible to understand that the encrypted flag is XORed with a key
and then shifted right.
88. Demo
The key is obtained from (i % 0FF) | 0xA0 and is equal to
0xa0,0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,0xa8,0xa9,0xaa,0xab,0xac,0xad,0xae,
0xaf,0xb0,0xb1,0xb2,0xb3,0xb4,0xb5,0xb6,0xb7,0xb8,0xb9,0xba,0xbb,0xbc,0xbd
,0xbe,0xbf
These values can be entered in CyberChef (https://gchq.github.io/CyberChef/) to
find the flag.
89. Demo
The recipe can be defined by stating that:
● we are entering hex values
● we want to perform a XOR operation
● we want to perform a right shift
91. Useful Links
CyberDefenders is a training platform focused on the defensive side of
cybersecurity.
TryHackMe is a free online platform for learning cyber security, using hands-on
exercises and labs, all through your browser.
CTFTime contains Capture The Flag, CTF teams, CTF ratings, CTF archive, CTF
writeups.
Cybersecurity National Laboratory is an italian Training Portal.
Cyberchef is a web app for encryption, encoding, compression and data analysis.
Editor's Notes
binwalk is a command-line tool in Linux that is used to analyze and extract the contents of binary files. It is commonly used to reverse engineer firmware images or other types of binary files to discover hidden or encoded data, such as bootloaders, kernel images, or filesystems.
JSFuck is an esoteric subset of JavaScript, where code is written using only six characters: [, ], (, ), !, and +
Brainfuck is an esoteric programming language created in 1993 by Urban Müller.[1]
Notable for its extreme minimalism, the language consists of only eight simple commands,
A hex editor (or binary file editor or byte editor) is a computer program that allows for manipulation of the fundamental binary data that constitutes a computer file.
A hex editor (or binary file editor or byte editor) is a computer program that allows for manipulation of the fundamental binary data that constitutes a computer file.
A hex editor (or binary file editor or byte editor) is a computer program that allows for manipulation of the fundamental binary data that constitutes a computer file.
A hex editor (or binary file editor or byte editor) is a computer program that allows for manipulation of the fundamental binary data that constitutes a computer file.
Selezioniamo il byte, edit e mettiamo il byte nuovo
IDA is an interactive disassembler, which means that the user takes active participation in the disassembly process. IDA is not an automatic analyzer of programs. IDA will give you hints about suspicious instructions, unsolved problems etc. It is your job to inform IDA how to proceed.
All the changes that you made are saved to disk. When you run IDA again, all the information on the file being disassembled is read from the disk, so that you can resume your work.
A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler. A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool.
