All about Capture The Flag (including CTF tips 👀)

Capture The Flag (CTF) 101

By Artisan’s bureau (N0H4TS)

You might have heard of Capture the Flag competitions while exploring the world of cybersecurity. Surely, you think to yourself, a physical game of capturing a flag could not be related to the world of cybersecurity. So, what really is a Capture the Flag competition?

What is a CTF?

Much like how a physical CTF game involves capturing a literal flag, cybersecurity CTFs involve capturing a digital flag. This digital flag could be as simple as a sequence of characters such as flag{haha_u_got_de_flag} hidden within a vulnerable application. To obtain such flags, teams have to rely on their skill and knowledge to hack through systems or applications. As with any game, there are multiple variations, and CTFs are no different.

Types of CTF

CTF competitions may be conducted in various formats, of which Jeopardy and Attack and Defence are the most popular.

Jeopardy

Jeopardy CTFs are perhaps the most popular CTF format out there. With various challenges from different domains, participants can pick and choose which challenges to solve. Solving a challenge would yield a flag which can be later exchanged for points. Naturally, harder challenges would command more points than easier challenges. The team or participant with the most points accumulated within the time period will be declared the winner of the CTF.

Some variations of Jeopardy CTFs use dynamic scoring, where the points for a challenge are determined by the number of solves it has. An easier challenge with hundreds of solves would yield fewer points than a harder challenge with one or two solves. Once again, the team or participant with the most points accumulated within the time period will be declared the winner.
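To make dynamic scoring concrete, here is an added example (our own illustration, not code from N0H4TS or any CTF platform) of a decaying score function and a small scoreboard built on it. The quadratic decay formula, the parameter values and the solve data are assumptions constructed for this demo; real platforms pick their own curves.

```python
# Added example (not N0H4TS code): a dynamic-scoring function and a tiny
# scoreboard built on it. The quadratic decay formula, its parameters and the
# solve data are assumptions constructed for this demo.
from __future__ import annotations

INITIAL = 500   # value of a challenge before anyone solves it
MINIMUM = 100   # floor the value never drops below
DECAY = 50      # number of solves at which the floor is reached


def dynamic_score(solves: int, initial: int = INITIAL,
                  minimum: int = MINIMUM, decay: int = DECAY) -> int:
    """Points a challenge is worth after `solves` teams have solved it.

    The value decays quadratically from `initial` to `minimum` and is clamped
    there once `decay` solves are reached. Integer arithmetic keeps the result
    exact; `//` rounds toward minus infinity, i.e. it floors the value.
    """
    if solves >= decay:
        return minimum
    drop = (minimum - initial) * solves * solves // (decay * decay)  # <= 0
    return max(minimum, initial + drop)


def scoreboard(solves: dict[str, list[str]]) -> dict[str, int]:
    """Total points per team.

    `solves` maps challenge name -> teams that solved it, in solve order.
    Every solver is credited with the challenge's *current* value, so an
    early solver's points shrink as later teams solve the same challenge.
    """
    totals: dict[str, int] = {}
    for teams in solves.values():
        value = dynamic_score(len(teams))
        for team in teams:
            totals[team] = totals.get(team, 0) + value
    return totals


# Constructed sample: which teams solved which challenge, in order.
SAMPLE_SOLVES = {
    "warmup": ["alpha", "bravo", "charlie"],
    "heap-pwn": ["alpha"],
}

if __name__ == "__main__":
    for n in (0, 1, 10, 25, 50, 200):
        print(f"{n:>3} solves -> {dynamic_score(n)} points")
    print(scoreboard(SAMPLE_SOLVES))
```

Note that the first solver of "warmup" loses points every time another team solves it; that retroactive drop is what makes dynamic scoring reward genuinely hard challenges rather than early submissions.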

Attack & Defence

Unlike Jeopardy CTFs, Attack and Defence CTFs are a whole different ball game. Here, teams are given their own network with systems running vulnerable applications. Teams can earn points by defending their own systems or by exploiting their competitors' systems. Attack and Defence CTFs emphasise vulnerability research, forensics and other blue-team skills, as one can capture competitors' attacks against one's own services and replay them. Thus, it really is a battle of wits, with teams attacking and defending their services at the same time, requiring good teamwork and time management. Similar to Jeopardy CTFs, the winner is the team or participant with the most points accumulated within the time period.

CTF Categories

No matter the CTF format, all challenges and vulnerable applications can be classified into categories. Some of the more common ones include cryptography, web and binary exploitation.

Cryptography

Most cryptography challenges involve either symmetric or asymmetric encryption. Symmetric encryption challenges typically come down to bitwise manipulation, so little prerequisite knowledge is needed to understand and exploit such cryptosystems. Asymmetric encryption, however, involves heavier mathematics and requires some background in number theory; one needs familiarity with the specific area of mathematics to understand and exploit such cryptosystems. Occasionally, the solution to a challenge is found in a research paper detailing a specific attack.
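As an added example of the "bitwise manipulation" kind of challenge (our own illustration, not code from N0H4TS), the block below shows why a short repeating-key XOR cipher is broken by a known-plaintext attack: since every flag starts with a known prefix, the prefix doubles as a crib that reveals the key bytes it covers. The key, plaintext and flag format are constructed for this demo.

```python
# Added example (not N0H4TS code): known-plaintext recovery of a short
# repeating XOR key using the flag prefix as a crib. Key, plaintext and
# the flag{...} format are constructed for this demo.
from typing import Optional, Tuple

FLAG_PREFIX = b"flag{"  # the crib: every flag in this (constructed) format starts with it


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_plausible_flag(candidate: bytes) -> bool:
    """Sanity check on a decryption: flag-shaped and printable ASCII only."""
    return (candidate.startswith(FLAG_PREFIX) and candidate.endswith(b"}")
            and all(0x20 <= c < 0x7F for c in candidate))


def crack_repeating_xor(ciphertext: bytes,
                        crib: bytes = FLAG_PREFIX) -> Optional[Tuple[bytes, bytes]]:
    """Recover (key, plaintext) when the key is no longer than the crib.

    XOR is self-inverse, so key[i] = ciphertext[i] ^ plaintext[i] wherever the
    plaintext is known. Each candidate key length is checked for consistency
    against the whole crib, then the full decryption is sanity-checked.
    Keys longer than the crib need more known plaintext (or frequency
    analysis) and are out of scope here.
    """
    if len(ciphertext) < len(crib):
        return None
    for key_len in range(1, len(crib) + 1):
        key = bytes(ciphertext[i] ^ crib[i] for i in range(key_len))
        # every crib byte must agree with the key byte its position reuses
        if any(ciphertext[i] ^ crib[i] != key[i % key_len] for i in range(len(crib))):
            continue
        plaintext = xor_bytes(ciphertext, key)
        if is_plausible_flag(plaintext):
            return key, plaintext
    return None


# Constructed sample: a 3-byte key, which is shorter than the 5-byte crib.
SAMPLE_KEY = b"k3y"
SAMPLE_PLAINTEXT = b"flag{x0r_1s_n0t_3ncrypt10n}"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT.hex())
    print("recovered:", crack_repeating_xor(SAMPLE_CIPHERTEXT))
```

The consistency check is what rules out the wrong key lengths: with key length 1 the second crib byte already disagrees with the first, and with length 2 the third does, so only the true length survives.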

Web

Modern websites often include a web server, a database and an application programming interface (API), amongst other services. While a challenge may not contain all of these components, knowledge of each is beneficial in web exploitation. Oftentimes, web challenges require knowledge of language-specific or framework-specific bugs, scripting, databases and other domain-specific knowledge. Fret not: a browser is all one needs to get started in the world of web exploitation. As one ventures further into web exploitation, tools such as Burp Suite or ZAP will be useful for performing reconnaissance and manipulating network requests.

Binary

A normal desktop has dozens of non-web services running on it, each exposing a communication channel to a binary running on the system. Vulnerabilities in such binaries can have drastic effects, the worst being execution of malicious code. In CTFs, participants receive the challenge binary and the connection details of a remote deployment of it. These small-scale binaries may be accompanied by their source code, but usually this is not the case, and participants will instead have to reverse engineer the binary to discover the vulnerable pieces of code. To gain points, one has to exploit the remote instance of the binary to leak the flag from the system. Common techniques in binary exploitation include buffer overflows, integer overflows, return-oriented programming (ROP), heap exploits and shellcode. Decompilers such as IDA and Ghidra and debuggers such as GDB are useful for finding vulnerabilities, with Python and the Pwntools library helping to craft exploit scripts.

Reverse Engineering

Reverse Engineering is the art of understanding code that someone else has obfuscated. Of course, CTFs will never be kind enough to give you the source code — where’s the fun in that? One can look forward to being tortured by barely understandable and obfuscated assembly code, generated by compilation of the source. Reverse Engineering requires the ability to recognise patterns in code, from a simple XOR cipher or RC4 encryption to something as complicated as a custom hashing algorithm. While CTFs will attempt to make your life a living hell, decompilers such as Ghidra, IDA or Binary Ninja and debuggers such as GDB will help you reverse your way to the flag!
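Recognising RC4 in a decompiler is mostly a matter of knowing its shape, so here is an added reference implementation (our own illustration, not code from N0H4TS) with the tell-tale patterns called out in comments: a 256-entry identity table, a key-scheduling loop that adds and swaps, and a keystream loop that indexes the table by the sum of two swapped entries. The test vector (key "Key", plaintext "Plaintext") is the well-known published one; nothing else here is assumed.

```python
# Added example (not N0H4TS code): RC4 written so that its recognisable
# structure is visible. Once you spot these loops in decompiled output,
# you can usually lift the key and decrypt the challenge's data directly.


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm.

    Fingerprint: S = 0..255 (often a 256-iteration init loop or a memcpy of
    a constant table), then a second 256-iteration loop that accumulates
    j = (j + S[i] + key[i % keylen]) mod 256 and swaps S[i] with S[j].
    """
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(S: list, n: int) -> bytes:
    """Pseudo-random generation algorithm.

    Fingerprint: i += 1, j += S[i], swap, then output S[(S[i] + S[j]) & 0xFF].
    That 'lookup by sum of two table entries' is the clearest RC4 sign.
    """
    S = S.copy()
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: XOR with the keystream both encrypts and decrypts."""
    keystream = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


if __name__ == "__main__":
    ct = rc4(b"Key", b"Plaintext")
    print("ciphertext:", ct.hex())          # bbf316e8d940af0ad3
    print("round trip:", rc4(b"Key", ct))   # b'Plaintext'
```

A practical consequence of the symmetry: once the key has been pulled out of the binary, the same routine that encrypted the flag decrypts it, with no inverse function to write.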

Forensics

While forensics may not sound as glamorous as web or binary exploitation, it is a deeply useful skill in the cybersecurity industry. CTFs generally require knowledge of network forensics, disk forensics, file formats and memory forensics. Network forensics involves using tools such as Wireshark to make sense of the network traffic passing through a system. In disk forensics, participants are tasked with extracting forensic information from digital storage devices such as hard disks; tools such as FTK Imager are often used here. The memory of any running system is full of information, and memory forensics is the art of extracting that information from memory dumps of the system; here the tool of choice is Volatility. No matter the challenge, knowledge of file formats is essential for analysing and repairing files, as flags are often hidden within them.
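To show what "knowledge of file formats" buys you in practice, here is an added example (our own illustration, not code from N0H4TS) that identifies a file from its magic bytes, walks a PNG's chunk structure while verifying each CRC, repairs a damaged signature, and greps for flag-shaped strings, including data tucked after the IEND chunk. The sample PNG, the partial magic-number table and the flag string are constructed for this demo.

```python
# Added example (not N0H4TS code): magic-byte identification, PNG chunk
# walking with CRC verification, signature repair and flag grepping.
# The sample PNG and the flag string are constructed for this demo.
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Partial table of common magic numbers (constructed for the demo).
MAGIC = {
    PNG_SIG: "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"\x7fELF": "elf",
}


def identify(data: bytes) -> str:
    """Name a file type from its leading bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def walk_png_chunks(data: bytes):
    """Parse the chunks that follow the signature.

    Returns (chunks, trailing): chunks is a list of (type, body, crc_ok) and
    trailing is whatever sits after IEND, a favourite hiding place for flags.
    A bad CRC usually means the chunk was edited by hand (or the length lies).
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG signature; try repair_png_signature()")
    chunks, pos = [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        crc_ok = (len(crc_bytes) == 4 and
                  struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF))
        chunks.append((ctype.decode("latin-1"), body, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def repair_png_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the correct signature (a classic CTF fix)."""
    return PNG_SIG + data[len(PNG_SIG):]


def find_flags(data: bytes) -> list:
    """Grep any blob for strings in the (constructed) flag{...} format."""
    return re.findall(rb"flag\{[^}\s]{1,64}\}", data)


def build_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG skeleton (IHDR + IEND) with bytes hidden after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, colour type...
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IEND", b"")
            + b"flag{hidden_after_iend}")


if __name__ == "__main__":
    damaged = b"\x00" * 4 + build_sample_png()[4:]   # first bytes zeroed, as in many challenges
    print("damaged file looks like:", identify(damaged))
    fixed = repair_png_signature(damaged)
    chunks, trailing = walk_png_chunks(fixed)
    for ctype, body, ok in chunks:
        print(f"{ctype}: {len(body)} bytes, crc {'ok' if ok else 'BAD'}")
    print("after IEND:", trailing, "flags:", find_flags(fixed))
```

Two habits this encodes: always check the CRC, because a mismatch points straight at the chunk someone tampered with, and always look past IEND, because image viewers ignore anything that follows it.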

Steganography

Steganography is the practice of hiding or concealing information within a file, message, image or video. Such concealment could be done with existing tools or with a custom method. The flag is usually hidden in a file that participants are required to analyse and subsequently extract it from. Steganography challenges may sometimes be included under the Forensics category.
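The most common "custom method" is least-significant-bit (LSB) embedding, so here is an added example (our own illustration, not code from N0H4TS) that hides a message in the low bit of each sample of a cover and extracts it again. The cover bytes, the length-prefix framing and the message are constructed for this demo; real challenges might use a different bit order, a terminator instead of a length, or only certain colour channels, which is exactly why the extraction logic is worth understanding rather than just running a tool.

```python
# Added example (not N0H4TS code): LSB steganography over a raw byte buffer
# standing in for image samples. Cover data, framing (4-byte big-endian
# length prefix, MSB-first bits) and the message are constructed here.


def _bits(payload: bytes):
    """Yield the payload's bits most-significant first."""
    for byte in payload:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write message bits into the LSB of successive cover bytes.

    A 4-byte length prefix tells the extractor where to stop. Each cover
    byte changes by at most 1, which is invisible in pixel data.
    """
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for message")
    out = bytearray(cover)
    for idx, bit in enumerate(_bits(payload)):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def _read_bytes(stego: bytes, start_bit: int, count: int) -> bytes:
    """Reassemble `count` bytes from LSBs beginning at bit index start_bit."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length prefix, then that many message bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix exceeds data; wrong framing or no payload")
    return _read_bytes(stego, 32, length)


# Constructed cover: 1024 "pixels" with a simple repeating pattern.
SAMPLE_COVER = bytes((i * 7) % 256 for i in range(1024))
SAMPLE_MESSAGE = b"flag{lsb}"

if __name__ == "__main__":
    stego = embed_lsb(SAMPLE_COVER, SAMPLE_MESSAGE)
    changed = sum(1 for a, b in zip(SAMPLE_COVER, stego) if a != b)
    print(f"{changed} of {len(stego)} bytes changed, each by at most 1")
    print("extracted:", extract_lsb(stego))
```

When analysing a suspect image, dump the LSB plane first: a region whose low bits look random against an otherwise smooth gradient is the usual giveaway that something was embedded there.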

Mobile

In mobile challenges, one may be tasked with achieving various goals, such as winning an impossible game or finding secrets hidden within the application. It is very similar to Reverse Engineering or Binary Exploitation, except that the challenge runs on a phone. Most challenges are Android applications released as an APK file; a Java decompiler is needed to reverse engineer it, and the running app can be debugged with Frida.

Miscellaneous

With so many categories described above, surely there cannot be any more, right? In CTFs, challenges not fitting the above categories are classified as miscellaneous. These include programming challenges, signals intelligence and many other random, unprecedented challenges. There is no sure-fire way to prepare for these, but such challenges usually require only simple logic, general knowledge and patience to solve.

Tips for CTF

With all this information, you might be worrying about how to prepare for a CTF. Here are some tips that we have compiled from our time participating in CTFs.

Keep Googling

Outside of directly asking for help on forums, most CTFs have no restriction on using Google. For simpler challenges, you might even find writeups from past CTFs that guide you through the entire process of solving the challenge: there are only so many iterations of well-known problems that can be used as CTF challenges.

Practice, Practice, Practice

There is no better way to get good than to keep practising. A CTF is more than just the number of challenges solved or points gained; the process of solving the challenge is far more important. Just by reading through papers, forums and blogs whilst attempting a challenge, you widen your knowledge.

Even if you did not manage to solve a challenge, read others’ writeups on it — perhaps they had a unique perspective on the challenge, or found a key idea that you missed. Learning how to solve challenges is very similar to being a good researcher — it is always good to keep yourself updated on the latest techniques. Always read about new techniques used to solve challenges and learn more deeply about how the underlying system works, whether it be web, pwn or cryptography.
