Point3 Security hosted a CTF (Capture the Flag) yesterday for roughly 3-4 hours. During this time, participants had a chance to test drive their platform, Escalate.
This article will cover some key lessons learned from the experience and provide some options for getting your development environment ready for your first CTF. Note: I'm not a Security Professional; this is written from a web developer's perspective.
CTF Events
There are primarily two types of CTF events, detailed below.
Jeopardy-style
Individuals/teams find and submit flags to score points. The individual/team with the most points wins. This primer is catered to the jeopardy style of Capture the Flag.
Attack/Defense
Attack and Defense is another style of play, where teams attack and defend the opposing teams. Teams are left with vulnerable servers and must fend off attacks from others trying to hack in. I can't comment much on this though as I've never tried this style, but it's useful to be aware of this event type. I personally think the jeopardy style of play is more beginner-friendly.
What You'll Do
Rather than tell you precisely how to do it, I'll explain what you'll likely need to do during a CTF, and you can decide which option works best for you.
Inspect Files
You'll likely inspect files of various kinds for information that may provide clues on where the flag may reside. Sometimes, these files will be in familiar formats, such as images, pdfs, docs, audio clips, etc. Sometimes these will be binaries or network traffic. This process will likely require you to use a combination of command line utilities, scripting, and software.
Write Code
You'll likely need to write some simple scripts to solve challenges. What languages you use or how you do it is completely up to you and perhaps the challenge you're attempting. But to address this task, you'll need to have a means of writing the code best suited to your development style, whether that's using an IDE, text editor, or the command console. You'll also want to make sure the programming languages you plan to use are set up appropriately for your environment (i.e. setting up environment variable paths, etc.) Python and bash are often used.
Solve Problems
Bring your curiosity and an investigative attitude. Each challenge comes with its own twists and turns. But finding that flag at the end of a challenge is so rewarding!
Development Environment Options
The Browser
This CTF host made available the option of using their in-browser VM, which was connected to their platform so you didn't have to install anything. This is a great option if you're just curious to explore. It's hassle-free and easy to get started. Be aware that not all CTFs will offer this option.
Your Current Development Environment
Another option is to install all the software/program you think you'll need locally to your existing dev environment. I'm not a fan of this though, as I'm always afraid I'll accidentally leave some vulnerabilities on my system as a result of participating in a CTF. I also don't want to add bloat to my current development environment by installing stuff I may never use more than once a year.
A Virtual Machine
Kali OS is known to be the most advanced penetration testing distribution available. It comes pre-loaded with a ton of tools to help you on your hacking journey. This can be served through a virtual machine to provide you with all the tools you'll need to get started.
The disadvantage of using a VM though is the amount of RAM it may require to run efficiently. In my experience, some software (cough Java-based cough, I started as a Java Dev) opened on Kali experienced lag, even though I allocated 4GB of RAM to the VM instance. Make sure you allocate enough RAM on your instance, otherwise it may run too slowly to be useful. Java applications can be a memory hog...
For this event, I used Virtualbox and opted for a VM installation of Kali Linux, using osboxes.org's downloadable images. Kali comes ready to go with all the software you'll need for your first hacking exploration. The image from osboxes.org allows you to skip the OS installation step.
Dedicated Machine
There's always the option of a dedicated machine for this type of work. You would be free from the limitations of using a VM, and you can customize it completely to your needs. This is potentially the same as the 'your current development environment' option. If you plan to partake in CTFs pretty regularly, this is a good option.
Additional Recommendations
Regardless of which option you choose, I found I still had to customize the installation a bit:
- Install ghidra
- Install pwndbg
- Install libreoffice
Libreoffice isn't really needed, but having a means of extracting text from a docx file is always handy. This could be a simple script, if you're comfortable scripting. Or it could be software. Sometimes you'll need code more than software, but most beginner-friendly CTFs will make clues available by opening files in software programs.
Frequently Used Commands and Software
I'll provide a quick overview for some commands you'll likely want to use, so you should become familiar with them if you're not already.
The File Command
This command allows a quick inspection of any file to indicate what type of file it is. This sometimes makes it clear what type of extension to append to a file so that it can be opened by the appropriate programs.
For example, this markdown file will yield the following info:
file blog-file.md
blog-file.md: ASCII text, with very long lines
During CTFs, this can be useful for identifying whether it's a stream capture, which can then be examined in Wireshark, or whether it's a document, image, audio file, etc. Sometimes, files are provided without any extension, so you must figure out what type of file it is on your own. I've also done one CTF a while back where a file was hidden within a file ... hidden within a file. Or some nested craziness like that! So, keep this command in mind - it's useful!
Strings Command
The strings
command can be run on a file to identify groups of ASCII text within a file and output it to the console. This is interesting because it can help you identify whether there's anything obvious (i.e. human readable) that could be used to solve a challenge.
It can be used on binaries and similar files for clues on how to begin the investigation process.
Object Dump Command
From Wikipedia:
objdump
is a program for displaying various information about object files on Unix-like systems. For instance, it can be used as a disassembler to view an executable in assembly form.
Flags used included -f
and -D
, for file inspection and decompiling the program respectively.
When decompiling software, you begin the investigation process by looking for function calls and jumps.
This is where ghidra & pwndbg come into play, allowing you to analyze the binary in greater detail.
ghidra + pwndbg
ghidra allows you to examine the decompiled binary to identify jumps, calls, and functions that may lead to interesting action.
pwndbg allows you to run a binary, add in arguments, and set breakpoints to see how the binary behaves as it runs.
Combine the two and you have a very powerful combination for reverse engineering files.
Wireshark
I think nearly every CTF I've participated in has required the use of Wireshark. Wireshark allows the capture of streams of data for inspection and analysis. There's plenty of documentation/tutorials available online if you want to take a deeper dive, but it's quite handy to be somewhat familiar with Wireshark before the CTF begins. You'll likely need to examine network traffic and extract files from the stream for further analysis.
HexFiend
For MacOS, this was recommended as a hex editor for examining large files for changes/inserts/deletions. It's lightweight, and (a hint:) it can be used to identify bits of data that may be appended, prepended, or inserted into otherwise normal files without changing the appearance of the file when opened by normal programs.
Python
You'll likely need to use Python to write some basic scripts or programs to handle input/output. I rarely use python, so I had to brush up a bit...during the CTF (haha, not the best time!).
Oh, and understanding bitwise arithmetic and hex/decimal/binary conversion is also handy.
Until Next Time
I hope this was useful for knowing what to expect and getting ready for your first CTF. Let me know if I've left out anything that would also be worth noting.
Happy Hacking!
Special Thanks
- Photo by Matthew Fournier on Unsplash
Top comments (2)
I participated in the CTF too. How did you do?
I got through the networking foundation challenges and the reverse engineering challenge shown live. Started the programming foundation challenges but ran out of time. I should have tried something else instead as I know I wasted too much time on the programming one.