
Intro to CTF

BSides Canberra · 24:52 · 111 views · Published 2025-12

Difficulty: Intro

Transcript (en)

This morning we have the Intro to CTF, which is actually given by the Cybears, who have been the CTF runners for the last few years but have handed over the mantle this year. So over to you.

>> Thank you very much.

>> Thank you. Welcome everyone, thanks for coming. So this talk is a talk that I have given the last couple of years at BSides, and it's an introduction to CTF: if you've never played a CTF, you don't know what it is, you're not sure how to spell it, and you're just interested in what it is and how you might go about it.

So for me, my name is Trion. I'm part of a social CTF team called the Cybears. We were lucky enough to win the BSides CTF for the first three years, and then we took over running it and we ran it for the next four, not years, because COVID and a few other things got in the way, but we ran it for the next four BSides. We regularly play CTF and we're just a group of friends that are Canberra based that enjoy CTFing.

So if you haven't heard of it, what is a CTF? Traditionally a CTF, or a capture the flag, was an in-person physical activity where you had two teams that each held a physical flag, and the idea was kind of tag: you had to get the actual flag from the other team, bring it back to your home base and you'd get points. A cyber security CTF is a little bit different: less physical activity, more nerds and more computers. They're often time bound and sometimes they're associated with conferences or events like BSides, but they can also be long-running and not associated with any conference. They run all around the world and can be pitched at all different levels of participants.

The flags in this case aren't physical flags; they're special keys or tokens that prove that you've completed a puzzle or a challenge. So normally what you'll need to do is solve a series of challenges, and then upon solving those you'll normally be given a string. Each CTF has their own flag format; it might be "flag" and then an open brace and then some cool pun or nerdy thing, something that gives you some confidence that you've actually solved it and you haven't just randomly stumbled across something. These are the sole aim of the game. As I like to say, all's fair in love, war and CTFs.

CTFs come in a couple of different flavors or styles. The most common one you'll see is called Jeopardy style. It's based on a US quiz show called Jeopardy, where contestants get a large board of trivia questions that are broken up into different categories. It might be like Romantic era music or Great Lakes of the US. And then there are different questions with different point values assigned; the higher the points, the harder the question. Contestants choose one of these categories and a value and try to answer the question. This is similar to many CTFs, except the categories are now all cyber security related.

So often CTFs will have a website; often the scoreboard, CTFd, is a particular kind of scoreboard. Challenges are in categories, and clicking on a point-value challenge will pop up a challenge that you need to try and solve. Often you'll need to create an account and log in or register, maybe create a team. And then if you solve it, you earn your team the number of points that are listed on the challenge. Sometimes points are static, so for the whole competition that will be what the scores and scoreboard will look like. And sometimes they'll be dynamic, sometimes called decaying or market value. In this, all challenges start at, let's say, 500 points at the start, and then the more people that solve a particular challenge, the more the scores go down for everyone. What this means is that the easier challenges and the ones that are solved more often become lower value, which kind of automatically grades and scales the scoring. And then the ones that are only solved by one or two teams end up staying around that starting level and are worth more because they're harder. That leads to some interesting game theory: sometimes you might try and solve a challenge that you know your competitors solved to try and drop their points and increase yours. But they get updated throughout the competition for everyone as they go. Sometimes there's a special award or a point bonus for being the first to solve a challenge; they often refer to this as first blood or blooding a challenge, so you might hear that term around. And we'll come back and talk about the categories in a minute. I am trying to speedrun this a bit because we're running a bit late and I'll try and catch up, but we'll see.

There's a bunch of other styles. So a big one that you might hear is called attack defense. This is what is used in the finals for what's called DEF CON

CTF, one of the largest and most prominent and famous CTFs in the world, that's played alongside the DEF CON conference in the US. In that, it's a bit different: teams are given a whole computer system that they have to run and manage, and it contains a number of vulnerable services that are all yours. Everyone has the same set of services; each team has the same set of services. Your job is to reverse engineer, understand and patch your services while at the same time attacking everyone else's and stealing their flags. So it's real-time simultaneous attack defense. It's pretty wild.

Some of them are boot to root. The Jeopardy style challenges are often quite self-contained; you need to do one or two things to get a flag. With boot to root, you're often given a whole virtual machine and you need to go from reconnaissance to initial entry to privilege escalation to gaining root in a standalone VM. War games are like Jeopardy style CTFs but they are long-running and always open. OverTheWire is a good example of these, and picoGym is another example, or like Hack The Box. Speedrun: so it's very exciting, this year we have the speedrun CTF running at BSides today. It is time bound, time limited; I think you have 15 minutes to solve challenges live up on stage, and then the finals will be played head-to-head. So it should be fun. There's also a bunch of different CTFs that are happening at this BSides. So there's the black challenge, where it combines physical security, cyber security and social engineering to solve a series of challenges. And I think there's also a hardware CTF that's happening. So there's a lot of different competitions and a lot of different things that you can do.

So why would you do it? Sometimes I wonder why I spend my whole weekend beating my head against the wall and being unable to solve challenges with not very much sleep, and then for that tiny little endorphin hit where you go, "Yes, I solved a challenge." That's worth it. One of our crew calls it funstrating: it's equal parts fun and frustrating. But it's a really great way to learn new skills if you're new to cyber security. You'll definitely learn new ways of solving problems using new tools, new techniques, new attack surfaces, new ideas. It's definitely a challenge. It's definitely fun to work with other people and understand ideas and solve problems together. So yeah, even if you're not in a team or if you're not

playing by yourself in the competition hall, some people get super competitive, so if people say, "I don't want to play with you," that's totally fine. But there'll be a bunch of people that will be happy to work together and help solve problems together.

So I want to go through some of the categories, because sometimes they can be a bit intimidating to kind of start. But again, I might need to speedrun it. So the first category is what we refer to as rev, and it stands for reverse engineering. So often when we, or programmers, write code and write programs, we write it on the left in some semi-human-readable language. It goes through a compiler or a translator to translate it into something that a computer can actually understand. With reverse engineering, the idea is to go backwards, to go the other way. So often you're given a compiled program or an executable file, and your job is to try and make sense of it. And that's what a reverse engineering challenge is all about. So the goal will normally be to understand some piece of code and recover the flag, the whole point of the game. Often the handout will be an executable file that you're trying to understand, that you may run locally if you trust the challenge authors, or you can run it inside a VM or in some other way, or do it statically.

So how do you start? There are tools to help you do this kind of task. You can look at strings in a binary; often that's a good start. But there are also specialized tools that are called disassemblers or decompilers. So Ghidra is free and open source that you can download. You can load it in and it will do that initial translation of going backwards, to go from either compiled code to disassembly or even disassembly to what's called pseudo source code. IDA Pro is another disassembler and decompiler, and there is a free version available as well. And if you're looking at dynamic analysis, on Linux at least, those bottom three: if you can run a program (often it might be like, you know, a Nintendo game ROM or something and you just can't run it and you might need to do it statically), but if you can run it, if it's a Linux executable and you trust it, some other tools might be helpful. Just a few tips: static and dynamic reverse engineering often work together. Just take care running unknown code. Yeah, there might be some password that you need to enter or something to unlock.

The next is called pwn, which doesn't

really make a lot of sense. But the idea of a pwn challenge is what's called binary exploitation. So all code has bugs. Some bugs can be turned into exploits that can change the control flow of code and provide attackers with complete control over a remote system. This is sometimes called pwning or owning a system, so that's why they often call these pwn challenges. Vulnerabilities could be buffer overflows on the stack or the heap. They could be use-after-free or double-free issues related to memory. Almost always memory corruption, but keep an eye out for logic bugs and things like that. So the goal is to take control of a remote service using bugs or vulnerabilities and obviously get the flag. Often you're given executable files that you need to try and attack, so it allows you to test locally before you then try on the actual challenge server. So there might be a placeholder or a fake flag in the local file, and then once you show that you can do that, then you go, cool, my thing works and I can try it against the real system and get the real flag. And then there's directions on how to connect to the actual running service.

Similarly, there might be some reverse engineering to start with so that you can understand it. So a lot of the tools are similar to what you do with reverse engineering. And then there's the interaction part, where you talk to the server and throw your exploits and things like that. A lot of people use a Python library called pwntools, which allows you to interact with remote servers really easily, more easily. Like I said, try and test locally first. Make sure it's working before you start to DoS the Skateboarding Dog servers. And if you're interested and you don't know, one of our old Cybears challenges was called Nearight, and we've got a full write-up and a full way that you can walk through on our training page. That link will come up again a bit later.

Another popular category is web, which is websites. They normally have security controls in place to protect privacy and company IP. The aim of web challenges is to bypass these. It might be to access a part of a website that you're not meant to, or get a file that you're not meant to, or be able to dump a client database with SQL injection or something like that. Sometimes, say with cross-site scripting or something, you might know that there is an admin that logs in and

checks the messages every now and then, and so you might need to put something on the website knowing that an admin will visit it, and then you can steal their tokens or steal their sessions or whatever. So the goal is to subvert the security of a website and obviously get the flag. Often there are no handouts. In a similar way to a web pen test, you might just be given an external attack surface and you need to understand what's happening and figure out what's going on. But there will be directions on how to reach the challenge website. So each browser like Firefox, Chrome, Safari has developer tools; often they're really handy in understanding the interactions with a website. Burp Suite is a common tool to sit in the middle of interactions with a website and be able to replay, analyze and understand what's going on in your connections. And Wireshark is a packet capture tool that will allow you to capture all of the traffic going between you and a website to understand what's going on. I'm terrible at web challenges. So definitely read the source. Read everything that's given to you. Some of it might be in a comment or it might be hidden, or there might be links to other pages that you aren't initially aware of. Definitely read everything that comes your way. Understand the goal that you're trying to achieve and then work backwards from there.

Crypto most often means cryptography, not cryptocurrency. Though sometimes they can put cryptocurrency and blockchain challenges in, almost always crypto means cryptography. So confidentiality, integrity and authentication; it's a pretty wide field. But it's using an understanding of cryptography to decrypt something that's encrypted or to log into a system protected with, say, public key cryptography. There might be some maths, but not always. Sometimes the goal might be that you get a bit of encrypted data that you have to decrypt, or you might need to log into a site or bypass some authentication controls. Often, because knowing how the system works isn't the challenge, crypto challenges have source code included so

you understand the system, and the hard part is figuring out what to do from there. So, tools that you can use. Shout out to CyberChef. CyberChef is an online tool written by GCHQ. It's an amazing web-based front end that allows you to do a lot of really cool things with data, including encoding and decoding with base64, doing some basic encryption stuff, and it allows you to chain different processes into what's called recipes in a really easy to use system. So you can play around with that; it's amazing. I use Python quite a bit with two libraries, either PyCryptodome or cryptography, which has a lot of the cryptography related stuff baked into it. And if you end up needing to use SageMath, I'm sorry, you can blame Joseph from Skateboarding Dog; that means you actually really need to do math stuff. Definitely check out, often they're standards based: if you don't understand what a term or a system is, check out the Wikipedia articles, check out the protocols, check out the systems. Sometimes it helps to sketch out things on paper, just to figure out, I guess, the concepts involved.

Okay, we're nearly there. Often there's a challenge called misc, which is a catch-all for everything that didn't fit into the other challenges. Could be anything. You need to use your brains. It could be abstract problem solving, weird file formats, puzzles, and some really fun challenges in there. As always, the goal is to get the flag. Who knows what the handouts will be? They might be stuck around the conference venue. They might be an audio file. It might be steganography. Often the tool that you're going to use is going to be your brain, just to figure out what the actual problem you're trying to solve is.

So they're kind of the main categories that you'll see in almost every CTF. Every CTF can choose whatever they want to put into it. Like there's whole crypto CTFs, which are amazing because crypto is cool. But you might see these other ones that come up. So steganography is where you want to hide a message inside an image or an audio file or a video. There might be PPC, professional programming challenges, where you have to understand data structures and algorithms to write an efficient implementation to solve something really fast. Like I said, blockchain. Sandboxes have become really popular. So a sandbox is a way to constrain an execution environment, whether that's in a browser or a rendering environment or in an operating system. And often a sandbox challenge will be you're given full rein inside this little sandbox and your job is to escape,

similar to like virtual machine escapes or hypervisor escapes. Your goal is to escape the little jail that they've put you in. OSINT, open source intelligence. So sometimes there might be a challenge where they give you a photo of a building and they're like, find this building. Or they give you an email address and they're like, who is the real username behind this email address? So using open source intelligence, going online and trying to sort that out. Forensics might be where you're given a hard disk image or a memory dump that's been compromised by malware and you need to understand some part of that system. Quantum I've seen, so either quantum computing or quantum algorithms. And there could be hardware challenges. So I don't think it's a secret, but the final of the speedrun CTF was a hardware challenge. Cool. Okay. We did not too bad.

So, from here, where do you go? Check out the competitions here at BSides. The speedrun CTF is running today. The Skateboarding Dog CTF, which is the main BSides competition and has the major prize, starts 10:00 a.m. tomorrow and runs until 3:00 p.m. Saturday. If you have questions, talk to the Skateboarding Dogs. They'll have an admin desk in the exhibition hall, in the competition hall. But they've also got a Discord which you can join and ask support tickets about. InfoSect is running a CTF drop-in session right after this. If you go into the exhibition hall and turn right, they've got four desks in the corner. They've got some guides on how to set up your computer for a CTF, some tips on things that you can do. So definitely pop in and have a chat to them. Check out, we've got some notes on our training page on Cybears, and picoCTF is an online CTF that's built for high school and university students. All of their old competitions they put in what's called picoGym. So you can go in and you can try out all of these challenges and have a bit of practice before you get to the real BSides CTF. Good luck, have fun, and happy CTFing.