
From 0 To 1337: A Beginner's Guide To Competitive Hacking - Vic Galvan

BSides Leeds · 21:06 · 450 views · Published 2024-12

Transcript (en):

Right, y'all, we're ready to get going. Thanks for bearing with me. Welcome to the talk. So today we're going to be talking about competitive hacking. The title is "From 0 to 1337: A Beginner's Guide to Competitive Hacking". I'm going to assume zero knowledge on the subject and we're just going to roll with what we have.

A little about me: I'm Vic Galvan. I'm a born and raised Floridian, but a few years ago I packed up my life and I now live in Sweden. It's my first time in Leeds, first time speaking at a conference, as you can tell, so we're just making it happen today as we can. I work in research and development at CrowdStrike, mostly focusing on helping threat hunters advance their tooling. If any of you have questions about CrowdStrike R&D, anything of the sort, afterwards feel free to talk to me or connect with me on LinkedIn. But also, saying that, all of the opinions expressed today are my own; they are not reflective of CrowdStrike. I attribute my role directly to my experience in capture the flag competitions, so it's something I'm really passionate about. I've had some success in it, and it's something that I want to share with you all today. Oh, and I play rugby. I know you guys kind of like that out here in the UK, so we can talk about that too.

I have quite a bit to cover. The timing on this talk can really vary based on how much y'all want to talk to me about it at the end of it, so if you miss something, or if I move too quickly, or if we go too slowly, go ahead and scan that QR code. It'll take you to a Linktree with all the information for today's talk: there's the slide deck and additional resources. I've created a tooling script that will just download all the tools that you will need for hacking on a Linux device later, so I assume you'll scan that. I'll make it available at the end of the talk if you have missed it.

So, to make it abundantly clear, this talk is designed for people with absolutely no knowledge of competitive hacking. I'm going to assume you've not even heard of, like, picoCTF, and we'll talk about that a bit later. So we're building you up from a seedling today. We're not necessarily watering you; we're just giving you all the tools that you will need to succeed. I'll be covering what capture the flag competitions are, why you should get into them, how to approach hacking problems, and then eventually we'll get on to some hands-on stuff, which is a lot of fun, and I will be praying to the demo gods that they work with me on that. I will not cover anything advanced, so if you were hoping to hack into the NHS after this, I can't really help you with that, but I can give you some tools that will get you there. And we're also not talking about setting up an environment today, but again, this is something I feel like I could talk about for years, and you can always talk to me about it after the talk.

Afterwards I'm hoping you will leave with practical strategies for approaching hacking problems, a set of tools that you can use (they're really easy to learn at first, but they will take you years to master), and hopefully you will leave with the ability to understand and approach any hacking problem that you encounter. And most importantly, I want you to be excited about competitive hacking, because there is so much that you can do in this world.

So you might be wondering: what is a capture the flag competition? Put simply, it's a gamified cyber security competition. The idea of a CTF originates from capture the flag, the children's game where people go into enemy territory to grab a flag and bring it back to their own side for points. One of the first ever CTFs that happened was at DEF CON in 1996, and since then it has exploded. It seems like everybody has a CTF these days: governments have CTFs, companies have CTFs, they're independently hosted. You can find one running at all times of year.

There are three popular styles of capture the flag competitions. They are attack and defend, Jeopardy, and the mixed style. In attack and defend you are going to be given a vulnerable machine, and you'll be given a certain amount of time to make preparations and try your best to harden it, and then after that your machine will be attacked by red teamers, pentesters, other hackers, and you will have to go through and make sure that your system stays secured. The Jeopardy style is where you'll be given a series of categories, like the US show Jeopardy, and you get to pick through ranges of difficulties and different types of problems and focus on those. This is the style that we're going to be focusing on today because it is the most beginner friendly and accessible category. But there's also the mixed style, which puts together attack and defend and Jeopardy, where you are defending your machine while also solving problems. That is my favorite style because you really have to work with your team to make it happen and get points; it's just really fun being under stress sometimes. But no, you don't have to compete with a team. You can and should give yourself the grace to practice on your own and build yourself up from the ground. What's important here is knowledge.

But why should you care about CTFs? Well, competitive hacking is great for so much more than clout, to put it lightly. Gaining expertise in any one CTF category can change your life, for all the reasons listed on this slide and so many more. You should get into competitive hacking. My favorite example of how life-changing CTFs can be is myself. So a few years ago I was a poor student. I didn't have, like, really anything but my two cats, and I didn't have a degree, but I was really into competitive hacking. I really just fixated on it. I had no knowledge at all, and when I first started out I was just obsessed with learning and doing, and within a few months, after some small successes, nothing too major, I got spotted by CrowdStrike. And then, though I didn't have a degree, they saw my competition experience and what I could do just by teaching myself, and then my future employer saw that and basically hired me on the spot. And since then I've been with them, and now I'm here in the UK speaking to you lovely people. So, like, your life can really change so quickly just with a lot of knowledge and a lot of persistence. But I'm not saying to quit college and, like, go full hacker gremlin mode; you don't have to do that. But I am saying that capture the flag competitions are a wonderful way for you to learn, be part of a community, and figure out where you want to be in the world of cyber security, because it is so vast. And when you're out here learning, you can figure out what you care to learn about, and you can really just cut the fat and save yourself time.

Oh, and you can hack some really cool [ __ ]. So I've personally hacked everything on this list except for a tractor. Last year at DEF CON there was a really cool speech about tractor hacking, though; highly recommend looking into it. Basically, if you can dream it, you can hack it, and who doesn't want to be able to do that?

That being said, if you're even slightly interested in competitive hacking, there is a place for you in this industry, and it doesn't always have to be technical. It's so welcoming, and everybody really pushes you to do your best, and that was one of my favorite parts of competitively hacking when I was doing it basically every weekend: the people I would meet, the knowledge I would gain. I took a lot of ibuprofen, but we don't have to talk about that. It was a good time.

That being said, if you do choose to hack on a team, these are some common roles that you'll see. There's oftentimes a captain, a second in command, a documentation or business person, and then there are roles per specialty. The captain doesn't always have to be the most technical; they're oftentimes good at guiding people, they're the mouthpiece, they talk to the organizers. The co-captain, in my experience, is the one who can really, like, get [ __ ] done on a computer, and they're the ones that are, like, all hands on deck when there are problems; when people are having issues, they're doing that. And then there's the business person. I started off as a business person when I was doing hacking, and I had no idea what I was doing, but what I did do was I saw what my teammates were doing, I made note of everything, I wrote it down as well as I could, and then we went over it, and I learned by watching, and then eventually I got to do. And then there are always roles per specialty: if you're good at cryptography but bad at web, you're going to do cryptography. You get to do what you like when you're on a team, but you can also learn to be a jack of all trades, of course.

So how do you get started in this wonderful world of capture the flag competitions? My advice to you is to start small. This is a process that you can use for pretty much anything in life, but it works especially well with capture the flag competitions. Choose a category that interests you, or a few. Learn the basics on sites like TryHackMe and Hack The Box. I know everybody is always talking about these sites and how expensive they can be, but they don't have to be expensive when you're starting off. There are so many free resources out there on the websites, and these sites even have free tiers too. It's worth looking into to see if you're interested in it and how you can learn. And then once you have, like, some knowledge, or no knowledge at all, you can really just go straight into hacking practice on sites like picoCTF. If you've not heard of picoCTF, it's amazing. It's a capture the flag competition that runs at all times of year. It's great for beginners, intermediate, up to advanced (I would say advanced gets a little weird), and the categories are robust. But most importantly, with anything in life, repeat until leet. I almost want to get that, like, tattooed on myself, right? Like, it's so good: just repeat until leet.

When approaching CTFs, these are a few common categories that you'll see. This is by no means extensive, but it's what I've seen as a beginner and what I've seen as a person who's done a lot of them. My favorites are web app exploitation, forensics, and reverse engineering, but you can pick whatever you want. There are tons of other categories like industrial control systems, hardware, networking, cloud, even AI and blockchain these days. Like, again, as soon as new technologies come out, people are hacking it, and then you're going to find it in CTFs. But if you're overwhelmed and you don't know what categories you're interested in, I suggest you start with these three. Web app exploitation, because the scope can be so large and it teaches you how to narrow down a problem: when you're on a website there are so many, like, servers and different things that you can interact with, and it's very valuable to be able to look at something and narrow down the scope and be able to form those hunches and follow them through. Password cracking, because it teaches you how to really use your tool set: you'll be seeing things like Hydra and John the Ripper, and these are tools that you can use extensively for a very long time. And open source intelligence, because it teaches you to be a better researcher; it teaches you how to look at problems differently and approach them creatively.

Some general tips for approaching these problems: you can hack on things like a Windows device, but I highly recommend setting up a virtual machine and playing around with things like a Kali or Parrot box. If any of these terms are confusing, you can click on them on my slide deck later and they will take you to places where you can read about them. Document everything that you've done for a challenge. Point values oftentimes indicate difficulty levels. Challenge names are hints, descriptions are also hints, and keywords are great.

So when looking at a Jeopardy style capture the flag competition, it oftentimes looks something like this, where the name, again, is a hint. We're looking at this one right here: a basic injection in the web category. When we see something like this we can think of the types of injections that we're going to see; I'm thinking SQL first of all. And then point value is indicative of difficulty, and then oftentimes number of solves will give you an idea of how well you'll be able to solve something, depending on your difficulty level and preference for sleeping. So this is the expanded version of the basic injection, so you can see what the problem looks like, and then it also shows you an expanded format of what the flag will generally look like. In this case it is a word, brackets, and things within the brackets; that tends to be the general format for flags within capture the flag competitions. But when you're a beginner, focus on knowledge, not your score. Your score is not what's going to get you hired; it very rarely is, unless you're doing a government competition or more of, like, a high stakes competition. The most important thing is that you're learning and you know how to approach a problem, and we'll get into some live demos on approaching problems quite soon.

So say you have a problem in front of you and you want to solve it. How would you do that? Well, I use something called the hacker mindset to do that. It is both a framework and a way of thinking that will help you to solve any capture the flag problem, or really most problems in life. Excuse me, I'm a bit ill and losing my voice, but we're going to keep going. So it's cyclical, so you're going to keep doing it until you solve the problem. The first step is identification, the second is the gathering of information, the third is forming a hunch, fourth testing, and fifth documenting. I would argue that documentation is the most important step here, because when you're dealing with problems that have really large scopes, if you're trying to solve things, it's very important that you're able to see what pieces you've explored so that you're not repeating yourself or getting lost.

And now we're going into a demonstration. Okay, we're going to get fun with this. So we're going to explore a web exploitation problem together. So imagine that this is what we're seeing. This one is actually taken from picoCTF.com; it's called Inspector. And going back to step one, which is investigating, we're going to look here and see what it's saying. Names are oftentimes hints, so Inspector: I know that is a device that we can use in web applications, oftentimes in Firefox or any browser. And here we have a link, so we'll click on the link. I'm going to do my best here, and we're just going to click around. So this is an easy challenge; I believe the point value was... okay, I didn't put the point value; it's something low, like 30. And it says "inspect me", what, and then how "I've made my first website with HTML, CSS and JavaScript". Well, let's see what we have here. It's saying firstly to inspect it, so we can go directly to the inspector. And if you don't know what that is, or if you don't even know how to get to the inspector, you could search, like, "website inspect", and then we'll see, oh, there's something called inspect element, and from there we can go into it. And personally I don't really like this view, never have; I prefer to go into a view page source, see it all at once, and we're just reading, looking through, and we see right here, ah, we found the first part of our flag. Great, we have one of three. Let's go back. We know that when we're looking at something like this we're in the HTML, right, and I'm thinking, okay, one of three, there's three different items here. Well, let's see the CSS, and we can go here. Let's see, is it the CSS? I can't see... yep, that's CSS, and then, oh goody, here's two of three, and we slowly start solving this problem and taking it apart, right. Then we go into the JavaScript, yay, and three of three, and just like that we have solved our problem.

And moving on to this, just looking at the problems again. So we gathered the information: we went directly to the inspector, and we asked, what is the problem asking me to do? It wants me to inspect and find a flag. Wrote that down, mentally; I wasn't taking notes, but you can see how this would work. Gathered information: I Googled keywords, "inspector", anything that stood out or that I didn't understand, I put it down; anything relevant, if there were exploits, vulnerabilities, writeups, those would also go into my notes. And then we formed a hunch, when I saw that the flag was broken up into three different parts; then I saw that one of them was in the HTML, CSS and JavaScript. And an important part of forming a hunch is to look for tooling as well. If you're ever looking at something and you're like, okay, I have an idea of what it wants me to do, but I don't know how to do that, just Google what you want to do and then the word "tool". Something might pop up and it'll save you a lot of time. Thank you. And then finally, test. Don't be afraid to test your hypotheses. These environments are designed to be broken, and they can be spun up really quickly; if you break it, you can spin it up again. And take notes of behaviors, especially with web applications and reverse engineering: did anything change, even the smallest things, a character showing up on the screen, a different error, different errors that don't seem like they're useful, but I promise they are. Just make notes of those and then Google them. Just keep repeating the process until you can solve it.

And finally, document. This is an example of a password cracking problem: so this is the problem, and then these are examples of what notes could look like, and finally just the flag. And I know documentation seems kind of boring, nobody really enjoys it all that much, but you can win prizes for them, and prizes are fun. Competitions oftentimes have rewards for the best write-up at the end of them, and it's how I got a keyboard once, because I didn't know anything but I knew how to type, so, like, it worked out pretty well.

So I don't think I have time to do my other demo that I had scheduled, but it's in the slides and y'all can work through it on your own time; it's quite fun. So I will now leave room for any questions, if anyone has them, and I'm also going to leave the QR code up on screen. So, any questions? I'm an open book; feel free to ask me anything.
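The Inspector walkthrough in the talk reads the page source, then the stylesheet, then the script, and keeps a running "one of three, two of three" count until the flag is whole. As an added example (this is not part of the talk, and not picoCTF's challenge files), the Python script below does that bookkeeping over a constructed three-file site: it collects the stylesheet and script the page links to, pulls every comment labelled "flag part n/N" out of each file, and refuses to assemble the flag if any part is missing. The file names, the "flag part n/N" label format and the flag value are all constructed for this demo.

```python
import re
from html.parser import HTMLParser

# Constructed sample site (not the real picoCTF "Inspector" files).
# One fragment is hidden in a comment of each of the three files.
SITE = {
    "index.html": """<!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" href="style.css">
  <script src="script.js"></script>
</head>
<body>
  <h1>Inspect me</h1>
  <!-- flag part 1/3: demo{v13w_ -->
</body>
</html>""",
    "style.css": "body { color: #333; }\n/* flag part 2/3: s0urc3_ */\n",
    "script.js": "console.log('hi');\n// flag part 3/3: 4lw4ys}\n",
}

# Label format assumed for this demo: "flag part <n>/<N>: <text>"
FRAGMENT = re.compile(r"flag part (\d+)/(\d+):\s*(\S+)")


class AssetCollector(HTMLParser):
    """Record the stylesheet hrefs and script srcs a page references,
    i.e. the CSS and JavaScript the talk checks after the HTML."""

    def __init__(self):
        super().__init__()
        self.assets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.assets.append(a["href"])
        if tag == "script" and a.get("src"):
            self.assets.append(a["src"])


def linked_assets(html):
    collector = AssetCollector()
    collector.feed(html)
    return collector.assets


def find_fragments(site, entry="index.html"):
    """Return {part_number: (total_parts, text, filename)} for every
    labelled fragment in the entry page and the assets it links to.
    A missing file contributes nothing rather than raising."""
    found = {}
    for name in [entry] + linked_assets(site[entry]):
        for idx, total, text in FRAGMENT.findall(site.get(name, "")):
            found[int(idx)] = (int(total), text, name)
    return found


def assemble_flag(site, entry="index.html"):
    """Join the fragments in part order; raise if any part is missing,
    which is the 'we only have two of three' situation from the demo."""
    frags = find_fragments(site, entry)
    if not frags:
        return None
    total = max(t for t, _, _ in frags.values())
    missing = [i for i in range(1, total + 1) if i not in frags]
    if missing:
        raise ValueError(f"missing fragments: {missing}")
    return "".join(frags[i][1] for i in range(1, total + 1))


if __name__ == "__main__":
    for n, (total, text, fname) in sorted(find_fragments(SITE).items()):
        print(f"part {n}/{total} found in {fname}: {text}")  # the notes step
    print("flag:", assemble_flag(SITE))
```

Running it prints where each part was found before the assembled flag, which is the same record the talk recommends keeping in your notes. Dropping `script.js` from the `SITE` dict makes `assemble_flag` raise instead of returning a flag with a hole in it.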