8 ways to succeed in your first Capture the Flag (CTF)
Introduction
Last August, Black Lotus Labs participated in the DEF CON Red Team Village CTF. If that sentence reads as gobbledygook to you, read on as we unpack it. This blog will introduce CTFs and related security concepts, then show how the learning we gain by competing in CTFs helps inform the way Black Lotus Labs tracks cyber threat actors in the real world.
DEF CON is a hacker’s conference that normally takes place in the summer in Las Vegas. Along with Black Hat, DEF CON is one of the best-known conferences in the United States for hackers and computer security experts. DEF CON features virtual villages dedicated to specific topics such as lockpicking, IoT (Internet of Things) devices and social engineering. The general purpose of the event is to bring the security community together to share information and gain knowledge about tools and exploits that can be used by bad actors. By learning the latest tactics and sharing vulnerabilities, security practitioners can better defend networks from future attack.
The “attacking” team in cybersecurity exercises is known as a Red Team. Their job is to adopt the methods and simulate the kinds of attacks that actual adversaries might use against an organization. The defenders in these scenarios are the Blue Team. The point of conducting red team/blue team exercises is to improve the security posture of the organization, not to cause actual damage. Related terms include “offensive security” (again, implying an attacking posture) and “pen test” (attempting to penetrate computer or cybersecurity defenses).
CTF events have evolved from a children’s game where teams invade each other’s territory and attempt to capture and bring back the other team’s flag. In the area of cybersecurity, CTFs have become competitions to demonstrate expertise in attacking (or defending) computer resources. The flag in this context is typically a file or code a team recovers and provides as proof of their successful penetration of defenses.
The essence of a CTF is puzzle solving. The challenges are created by and for people who like solving puzzles. One aspect potentially frustrating to beginners is that the goal of the challenge may not be spelled out. Take that in stride. If the challenge provides an IP address and a port, try connecting to it using a simple tool such as telnet or netcat. See what you can figure out. Every challenge has an intended solution.
Types of challenges
Here are some common types of challenges you might encounter in a CTF:
- RCE (Remote Code Execution) – Exploiting a software vulnerability to execute code on a remote server.
- Cryptography – Solving ciphers and code, ranging from classic ciphers (e.g., Caesar, transposition) to modern cryptography such as AES, 3DES, RC4 and Twofish.
- Programming – Challenges which will require coding a solution in the computer language of your choice. Solving these manually would generally be too tedious or time-consuming.
- OSINT (Open Source Intelligence) – Finding clues hidden on the public internet and social media platforms. Bring your best Google-fu to tackle these.
- Reverse engineering – Studying a binary executable, malware sample, or other file to understand its intent or behavior.
- Forensics – Analyzing log files, network packet captures or other artifacts to detect how a hacker infiltrated a system.
- Steganography – The art and science of hiding (and detecting) messages in images, audio files and the like.
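To illustrate the Cryptography and Programming items above, here is an added example (not from the original post) that tries all 26 Caesar shifts and picks the most plausible plaintext automatically. The `flag{...}` format, the word list and the sample ciphertext are assumptions constructed for this sketch; real CTFs publish their own flag format.

```python
import re
import string

# Assumed flag format for this example; real CTFs publish their own.
FLAG_RE = re.compile(r"flag\{[^}]+\}", re.IGNORECASE)
COMMON_WORDS = ("the", "and", "flag", "is", "you", "to", "of")


def caesar_shift(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift`, leaving digits and punctuation alone."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def score(candidate: str) -> int:
    """Heuristic: a flag-shaped match dominates; common words break ties."""
    words = re.findall(r"[a-z]+", candidate.lower())
    hits = sum(words.count(w) for w in COMMON_WORDS)
    return hits + (100 if FLAG_RE.search(candidate) else 0)


def crack_caesar(ciphertext: str):
    """Try all 26 shifts; return (shift, plaintext, flag or None) for the best."""
    best = max(range(26), key=lambda s: score(caesar_shift(ciphertext, s)))
    plaintext = caesar_shift(ciphertext, best)
    match = FLAG_RE.search(plaintext)
    return best, plaintext, match.group(0) if match else None


# Constructed sample: a made-up sentence and flag, encrypted with shift 7.
SAMPLE = caesar_shift("The flag is flag{r0t_all_the_things}", 7)

if __name__ == "__main__":
    shift, plaintext, flag = crack_caesar(SAMPLE)
    print(f"ciphertext: {SAMPLE}")
    print(f"decrypt shift {shift}: {plaintext}")
    print(f"flag: {flag}")
```

When the ciphertext contains no flag-shaped string, the common-word count alone decides, so the same function also recovers ordinary English text.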
Tools
While you might use a limitless variety of tools to solve challenges, here are some to get you started:
- Python is an extremely useful scripting language, with a rich ecosystem of packages to add functionality. You should develop new code in Python 3 (Python 2.7 is the old version and is no longer supported). Pip is the Python utility to use for installing additional packages.
- CyberChef is a JavaScript-based website for easily creating recipes, or a series of steps, to decode text or data. There is also a code repository if you want to deploy a standalone instance.
- Kali is a Linux distribution that already includes many tools useful for penetration testing. More tools can be installed with the apt-get utility. You can also run Kali as a virtual machine on another computer.
- Dirb is a handy tool for scanning directories and files on a web server. Or try Gobuster – a similar tool implemented in the Go language, for improved performance.
- Metasploit is a powerful set of exploit tools for penetration testing. A related tool, Msfvenom, can create and encode an exploit payload.
- Pwntools is a Python-based framework for CTFs and exploit development.
- exploit-db is a useful website for finding proof-of-concept exploit code.
- IDA is an interactive disassembler and debugger. The professional version (IDA Pro) is both pricey and powerful. You can get started with the free version from the link above.
- Ghidra is a powerful (and free!) set of Java-based tools from the NSA for reverse engineering software. It includes a decompiler to convert binary code to high-level C code.
- Debugging tools allow you to interact with programs, pause execution, investigate the contents of registers and memory locations, and many other things. They are indispensable for creating exploits. There are many options for debuggers, such as x64dbg, OllyDbg, or Immunity. On Linux, you also have the option of gdb, the GNU debugger. To enhance gdb, you also might look at plugins such as PEDA or GEF (pronounced “Jeff”).
- Your brain! Sometimes the best analysis comes from thinking carefully about the problem you are presented, and how to leverage the information at hand.
Best Practices and Suggestions
Here are some best practices and suggestions to follow if you’re just getting started:
- Read the ground rules before you start – and follow them
Understand what is in scope and what is not. If a given IP address or port is off limits, respect that. The ground rules may vary from one competition to the next, but as a general guideline: don’t break them. Feel free to leverage resources to solve the challenges, but avoid actions which intentionally impede others from making progress. CTFs are designed to be learning opportunities, so avoid depriving others of the satisfaction of learning and solving.
- Take notes!
Once you start making progress it is easy to get carried away by your own momentum, but remember to take notes as you go along. You may need to backtrack, and a few notes can streamline the process of getting back to an earlier step. Record the essential things you discover such as IP addresses, flags, port numbers or command syntax. When brainstorming new approaches to try, review what you have already tried. Notes will also be handy if you want to write up your solution later.
- Try again later
Sometimes a challenge is based on a server being in a certain state, say, providing responses in a TCP session. Given that myriad teams may be deploying various hacking tools against a server, it is possible that the target machine will become unstable or unavailable. The organizers usually have a way to reset the state of the server. The same steps you attempted (which failed) might succeed for you a few hours later. (See above about taking notes!)
- Search the web
You may find a hint (or even a partial solution) by searching for whatever information you have. Indeed, some types of challenges (such as OSINT) demand this. Check for clues hidden in materials that seem like mere window dressing, such as images. Are there pop culture references or memes that might guide your research? If you are stuck, look for similar challenges from the past.
It takes a significant time investment to create CTF challenges, and individual challenges may get re-purposed for another CTF. People enjoy posting their solutions, so you may find hints there.
- Try a different challenge
Often there are challenges designed to be solved in sequence; try to understand the intended sequence. Sometimes the difficulty level is designed to ramp up slowly, so what you learn by solving one challenge in the series will help you learn what you need to do for the next challenge. There may be natural gates built into the series: until you exploit that bastion server, you will be unable to pivot to attack the one with an internal 10.x.x.x IP address.
Don’t assume you always have to tackle the challenges in sequence. Look for clues as to whether a later challenge can be attempted without solving a prior challenge.
If you are stuck on one type of challenge, give another type of challenge a try. Look for challenges that sound fun, that connect to things you already know, or that leverage skills you are trying to improve. If you are stuck on trying to exploit that server, try instead a cryptography challenge, an OSINT challenge or a programming challenge.
- Ask for a hint
Each challenge you try to solve was created by a human. They are likely proud of their creation and would like you to succeed. In the challenge description, you might see the name of the author or their Twitter handle. Feel free to reach out and politely ask for help. Be succinct, but tell them what you’ve already tried. They just might be willing to drop a hint to get you unstuck, or to at least help you understand how the challenge was intended to be solved.
- Sharpen your tools
If you don’t already know Python, learn it… it will serve you well. If you are already an expert at Python, you might use the CTF as an opportunity to become more proficient in another language that intrigues you, such as Go or Rust. Think about how easy (or difficult) solving a particular challenge might be using different tools. If you routinely script things in Python, try writing a bash script (or vice versa).
- Do a post-mortem
At the end, review what worked and what failed. Look for published walkthroughs for the puzzles that stumped you to learn what you need to know for next time. Think about the skills you need to be successful and commit to improving these. Sign up for another CTF in a month or two… to motivate your learning and as a milestone to test yourself on what you have learned.
A few suggested CTFs
Note that there are hundreds of CTF events taking place every year. Some CTFs are virtual, while others happen on-site at a conference or meeting. They all present opportunities for learning and improving your cybersecurity skills.
Here are three examples of CTFs I would recommend, for a variety of skill levels:
Beginner: PicoCTF provides year-round cyber security education content (PicoGym practice challenges) for learners of all skill levels. Their annual competition is aimed at high school teams.
Intermediate: The Red Team Village website has a couple of events a year. In 2021, the DEF CON 29 Red Team Village CTF opens with a 24-hour prequalification round starting August 5. Twenty teams will progress to an immersive pen-testing scenario. Based on last year, the prequalifying challenges should remain available through the weekend. The team at Lumen found this CTF had a nice range of difficulty and some satisfying series of challenges. We have been sharpening our skills and will try our hand again at the same competition this year.
Elite: The main DEF CON CTF (separate from the Red Team Village CTF above) is currently run by “Order of the Overflow.” The qualifiers usually happen in May, with 16 teams competing in the finals during DEF CON in August.
Finally, ctftime.org lists many upcoming CTF events by date. The list does not include every CTF happening, but it is a good place to look for your next CTF. You can filter by location (online, or on-site) and restrictions (open or otherwise).
Conclusion
CTFs are a fun way to learn and hone your skills, in the guise of a competition. If you have never tried one before, you may realize you have been missing out!
If you are just getting started with CTFs, I recommend checking out the PicoGym practice challenges. You can sign up for free and try your hand at challenges from previous PicoCTF competitions. The practice challenges are available year-round, and the website has resources to get you started in tackling various challenge types.
Read the next blog to understand how CTFs enhance many of the skills Black Lotus Labs uses to track cyber threat actors in the real world.