GHC16 Hacking Like a Champ: Introduction to Capture the Flag Competitions
I came in to this Grace Hopper Conference session with no idea what to expect. Hacking Like a Champ: Introduction to Capture the Flag Competitions, it said. The abstract promised a workshop to “prepare participants to enter Capture the Flag (CTF) cyber security competitions.”
“In one hour?” my inner skeptic raised an eyebrow to that. I have never done CTF competitions and until this week, I was only vaguely aware of what it was. When I picture myself, I think less “badass cyber hacker” and more “frantic Googler/copy-paster.” As I would find out, those two apparently overlap a lot.
What is Capture the Flag? It is simply a puzzle where players attempt to find the “flag,” which is basically just a long series of strings. This type of game is commonly found in cyber security competitions. The point is to get as many flags as you can. At least, in one hour, that’s the gist I got from it.
Our speakers of the day were the quite badass Lizzy Alonzi and Kaitlin Farr. Their presentation consisted of introductions to the common types of CTF puzzles out there, real examples from previous competitions, and tips for how to solve each one.
A typical CTF problem includes a problem statement, some files that need to be downloaded, and a hint to get you started. Examples of problem types includ:
- Reconnaissance – finding info about a person or thing
- Exploitation – find bugs in a system
- Reversing – transforming machine code to human readable code
Things you learn in CTF
- Password cracking (hashing algo, open source tools)
- Web hacking (css, sql injection)
- Binary exploitation (reverse engineering)
- And a lot of Googling
List of well-known CTFs
- CSAW (hosted by NYU)
- Pico CTF (hosted by CMU)
- DEFCON CTF
- Ghost in the Shellcode (ShmooCon)
Okay, with all that intro out of the day, we got a warm-up sample, a simple site (unfortunately, the link didn’t work when I tried):
The page lies. If you look at web source, you see you can find the flag masked by white font. You can also see the text if you highlight the page. Neato.
In this example, the trick was to view the page source (or highlight the page), but what if you were really new to everything and didn’t know you could do this? From what I got, it pretty much came down to a few things: Look at previous examples, learn what tools they used and keep it in your own toolbox for the future, get experienced with searching for what you want, learn scripting to automate brute force work, and practice a lot! Over time, certain problems will seem familiar and you get better at solving them.
More resources for practicing and getting started:
- Read writeups by people from previous competitions
- Beginner Practice CTFs
- More Resources
- Kali Linux – It contains common security tools preinstalled
- John the Ripper – password cracker
- Wireshark – network analyzer
- Metasploit Framework – penetration testing
- A hex editor that allows you to view data in Hex and ASCII side-by-side and allows searching. An example is Bless hex editor.
- Python or other scripting languages to help brute force something or parse a lot of data. The point is to save time via automation. You want to get as many flags as possible. The “how” is less important.
- Browser tools for web problems. View source, developer tools (can turn CSS on/off, inspect elements, etc), plugins.
Useful Linux utilities (I guess most CTF competitions are done in Linux environments? Derp, my Linux is pretty rusty.)
- sed (substitution)
- awk (good for on-the-fly scripting)
- sort (does what it sounds like :P)
- uniq (remove duplicates)
Tips to Keep in Mind
- Everything is a clue. The title, file names, the picture (if any). It’s very unlikely that any part of the question is irrelevant.
- Take advantage of the flag format. This can be as simple as looking for the word or references to the word “flag.” Use grep (linux) or ctrl+F everywhere – code, metadata, etc.
- You won’t (and shouldn’t) know how to do everything right off the bat. Use search engines. If you think a tool exists to help analyze or test something, it probably does. Personally, I think effective searching is an improvable skill.
Now on to some more in-depth material. Lizzy and Kaitlin introduced us the =most common types of classic CTF problems. The Essentials!
1. Steganography problem
These problems involve concealing messages within nonsecret data, i.e., hiding in plain site. They can be in text, images, sound files, anything. Sometimes the image itself is a clue.
Tip: Look for tools to help! An example is Steghide
The following example is a picture of a man. That is the whole puzzle.
Lizzy and Kaitlin explained that a common approach to these kinds of puzzles is to reverse image search. When you do that, you find that this man is the inventor of the barcode. Looking very carefully at the bottom, we can find black dots, and extending those dots creates a barcode.
I’m sufficiently impressed. Up next.
2. Broken image problem
In this kind of problem, you get a broken image. A good way to start the problem is to find the file signature of the data. In this example, we assume a Linux environment, and we use the “file” command to look at the signature. You can then view it in a hex editor to find any human-readable clues. Also see if your file has checksum used to check redundant data (they suggest scripting this part).
(Excuse the bad image quality. It is not part of this CTF puzzle. ;))
I was uncertain I could figure this out at first, and after the explanation, I was almost certain I could not have figured this out on my own. I suppose these things just come with practice and from reading others’ write-ups for similar problems.
3. Mystery string problem
You get a string that looks like garbage. That’s pretty much it. So, how do you turn it into something readable? At this point I was thinking something along the lines of “WELL I GUESS I MUST BE PSYCHIC TO DO THIS.”
Lizzy and Kaitlin recommended looking for patterns to figure out what this string might be encoded in. Is it only using characters 0-9 and A-F? It’s probably hex. Is it only using characters 0-9, A-Z, and a-z, usually ending with ‘=’? Try Base64 encoded string. Suspect a common data encryption hash is used? They suggest Kali’s hashindentifier.
I feel nostalgic about college now. Also, I feel I must go tool hunting. They make you psychic!
4. Web problem
I believe this was one of the few examples that didn’t make me feel
stupid incompetent uninformed. The web space is one of the few where I feel I’m well versed in (3+ years of working on a browser will do that for ya).
Lizzy and Kaitlin presented a problem with a web page that basically just said “There is a flag hidden on this website!” Like the warm-up sample above, the first step is to look at the source.
At this point something interesting shows up. We open browser developer tools (F12) instead.
Whoo! Browser dev tools are awesome. You can also use it to toggle element properties and to modify or remove elements in order to reveal secrets!
5. Password problem
The gist: You need a password to gain access to something.
As always, look at any code for anything unusual. What strings can you find? What language is used to create the program? What’s readable? Can you decompile it? Can you reverse engineer it?
This requires some assembly knowledge (Oh god, please no). As always, there are plenty of tools to help with this. Yeah, I’m really starting to understand the importance of tooling and automation now. Their recommended tools: Ollydbg, IDA Pro. To be honest, I actually really like debugging programs, but maybe that’s mainly because I’ve had experience doing it. It’s actually more straightforward for me to outright debug something than to, say, do the out-of-the-box flavor of thinking associated with the “figure out what this garbage string/picture/file means” type of problems we talked about above + the tower of crazy we’re about to see below.
6. Recon problem
Given limited info about a person, find the flag. Get ready to put on your creativity hats. Lizzy and Kaitlin suggested when working with very limited information to pay attention usernames/handles. For instance, a twitter name might also be the email name for something. Use username search sites like namechk.com. As always, search a lot and get artistic.
With this, we were met with our final example problem of the day. I absolutely loved this problem, but if I had to solve it in an actual CTF challenge, I would probably flip tables.
At the start, you’re given a set of vague information, but it’s pretty clear this has something to do with music. So you look for sites that contains playlists with the id provided. In this example, Spotify was the culprit. Not shown in the picture below, but the title of the playlist was called “Awesome CTF,” hinting that you’re on the right track.
It turns out the first letters of each title spell a message. This is actually a very common way to hide messages in many puzzles, but this is not where it gets interesting. You go check out the last radio station as instructed, and …
Well the title of the playlist is still “Awesome CTF” so you’re on the right track, but what are you supposed to do with this?
At the workshop, we didn’t actually get the chance to listen to the tracks, but our speakers informed us that most people had gotten stuck at this part. The solution was to notice the different beats-per-minute (BPM) of each sound track (I kid you not) and convert those numbers to ASCII (No really, I kid you not).
The letters spell out “yo check out my mixtape I put in the cloud.” Oh, you thought that’s where the crazy ended? Somehow, you had to figure out that “cloud” meant SoundCloud. I suppose after a good chunk of brain time I could have made the connection, but it certainly wasn’t obvious (not that it should have been) from the start.
Whew. Look at the RSS feed, you say? Well that’s straightforward. Doing so displays a link to download a seemingly nonsensical WAV file.
Any time you see or hear 2 alternating tones or visuals, you know it’s binary. Convert to ASCII and congratulations! You’ve found your flag! How many tables did you flip in the process? 🙂
So this kind of problem is made up of different smaller problems like those introduced above. Sometimes there will be CTF references to help confirm that you’re still on the right track (like in the playlist titles of the last example).
Finally we were let loose to try our hands at some beginner puzzles. These included paper puzzles and online ones found here: ctf-ghc16.jhuapl.edu/challenges – You’ll need to register a team name first. It can just be any name you choose, and no, it doesn’t have to be a team. However, teams probably have more fun.
So, do I now feel sufficiently prepared to enter Capture the Flag cyber security competitions? Eh, maybe, not sure, but a hell of a lot more so than when I started the day. Besides, feeling unprepared has traditionally not been an excuse I like to use for opting out of something.
Was the workshop worth the hour? Absolutely. I had a lot of fun and my brain was adequately blown. Also, puzzles are fun. They just are.