This post is going to be a little different: I want to talk about Capture the Flag games. I want to offer a perspective from someone who is relatively new to the space but knows just enough to be almost interesting. I have spent the last year or so playing hacking games, studying, reading, and gobbling up any kind of content that I can get my paws on. I watch more YouTube now than I ever did before. I subscribe to content creators, build backlogs of videos to watch, and have endless ideas about what I want to try next. I have a backlog of content that could last a lifetime, and the backlog grows by the day. I am registered on nearly every learning platform I can find, from TryHackMe to HackerOne’s CTF Hacker101. I picked a name that sounds appropriate for a character in the Matrix movies, I use dark mode exclusively, and I have a lot of awesome hoodies for when the weather here in Texas cools off a bit. I am building a pretty good collection of stickers for my laptops and hardware. I guess you could say I am a fan of this stuff, but mostly I just find it all interesting and fun.
That is the thing about hacking: it should be fun. Sure, this could be just a job to pay the bills, but for me it is an entertaining hobby and a job. I wake up thinking about what I can learn next, or how I might get past the most recent problem I found. I try not to go to sleep with a problem on my mind, because I’ll just lie there thinking about it. I am a little bit obsessive about things sometimes. It turns out that quirk of my personality works well when trying to solve a problem. My obsessions are varied; I don’t just think about hacking stuff all the time. I also think about pumpkin stuff, and the latest Stitch merchandise that is up for sale. I am running out of room for all the new Stitch stuff, and yet I keep buying more and admiring it as I sip my pumpkin spice coffee and eat pumpkin cookies. I live a charmed life, but I am getting off topic. Back to the CTFs, as soon as I put this Disney order in and get another coffee.
There is no way (at least not that I have found) to get good at solving CTF challenges, except to keep solving challenges. There’s no secret sauce. The puzzles are surprisingly easy, once you solve them the first time, but that first time can be a challenge. That is exactly the point. It is a puzzle, not a task. Experience solving a variety of puzzles exposes you to some of the tell-tale signs and the tools that can be used, but these things are meant to make you think about things differently, try new things, and explore what might be possible.
I cannot count how many times I “accidentally” solved a CTF challenge by trying something crazy, just to see what would happen. Taking a leap of faith and pushing the button to see what happens in a controlled environment gives me an opportunity to learn. When it pays off, I go back and figure out why it worked so that I understand it better the next time I see that kind of challenge. This loop reinforces the whole process and makes it fun. CTFs are like lab days in Physics class where I got to use catapults to throw marbles and predict where they would land. Lab days were always the best.
If you have any sort of interest in hacking stuff, information security, penetration testing, red-teaming, blue-teaming, or solving weird problems with computers, I encourage you to do CTFs from time to time. To that end, I am going to use this post to talk about how I approach a CTF. As it happens there is a CTF competition starting in a few days that I am going to use as an example.
Preparation – Get your gear!
For most CTFs, a simple laptop will get it done. I suggest something with enough power to run a virtual machine alongside the base operating system. A Raspberry Pi will work for most CTFs. I use Kali Linux, Windows, and Ubuntu – and I move between them frequently. My base machines are almost all Windows, except for the experimental machine that has Ubuntu as the base OS – that’s a story for another day. Use whatever you are comfortable with, and don’t let anyone tell you that you have to use one operating system or another. There are amazing hackers out there who work entirely from Windows, and there are some folks who use Kali Linux as their daily driver, with a Windows VM running on top for the special Windows stuff.
When it comes to Kali, I feel that there is value in the pre-packaged tools and the way it is built. Kali is basically ready to hack with, out of the box. You can get most of the tools to run on most any Linux distribution, but it takes extra work. With that said, Kali is a special Linux distribution that has been tweaked in several ways, mostly around the network stack, and it may not work for everything. Having a vanilla OS ready to work with during a CTF can be helpful.
Being the spoiled brat that I am, I work from several machines at once. I have a large desk, 6 screens, and 3-5 machines with a combination of software and hardware for sharing mouse and keyboard between machines. This is ridiculous, and awesome – at least I think it is. I know folks that work perfectly fine from a single laptop screen. Use what works for you – this will be a recurring theme, along with pumpkin cookies. I have spent years figuring out how to see as many things as possible. I spend a lot of time in front of this setup, it is my happy place. I don’t bother with cable management because I change it every few weeks and I don’t have time for that stuff.
I build new Kali VMs every couple of months, mostly in time with their releases. I just like building VMs, and I need the practice setting things up, so I do it that way. Over time I have built up my list of extra things that I want on the machine to get started. I choose the “most popular tools” option during installation, as opposed to the “everything” option. On top of that, I add Docker because some of the newer tools are packaged as containers. I add Visual Studio Code, and make sure I have the latest Python, because there is usually some code to work with at some point along the way. I throw Obsidian MD on there for note taking. Notes are important; always take good notes. That is about it for my base system.
Tools change, rather quickly it seems. I try out new tools as I see them; some get added to the toolbox, others don’t. Part of the reason I build new VMs all the time is that I try new tools all the time, and I’m a little paranoid about “clean” configurations. I got burned one time trying to use Impacket tools that had dependency issues and lost a couple of hours trying to figure it out. I learned several things during that adventure, and one of those lessons was that isolating some tools from other tools can be a good idea, and Python virtual environments are awesome.
When I first started CTFs about a year ago I used a vanilla Kali image and that was fine. Today I have some opinions about tools that fit my style. Here is a short and incomplete list of the tools that I use most often during a CTF; these can be found on GitHub:
- Directory and file enumeration like GoBuster, or DirBuster, but written in Rust.
- Kind of like a turbo-boost for Nmap. It does a very quick port scan, then passes open ports to Nmap for more work. A full port scan in a few seconds is nice.
- Great utility that can help identify what a file is, and sniff out interesting content within files. Particularly good at sniffing simple stuff out of a tcpdump file.
- Utility that identifies hash types, there are several of these out there, but name-that-hash (nth) seems to work best for me.
- This is a tool that can identify and break some cipher texts. It doesn’t always work, but it’s not bad to have running in the background while trying other things.
- This tool is available online, and it can be installed locally. It is incredibly helpful for working with data, whether to decipher a string or to figure out what something is.
For each of these tools there are at least 5-6 popular alternatives out there. Explore what works for you and have some fun. I use Burp Suite and OWASP ZAP for exploring web applications. I find that both are effective, and while there is considerable overlap between the tools, I get different results from each one and both provide value. I use RustScan and Nmap. In fact, I often run both on the same target. RustScan for the quick results, and Nmap for more details. In a CTF, making a lot of noise isn’t usually a problem.
The creators of CTF challenges will often put things in that trip up the tools or make them less effective. Forced browsing tools like FeroxBuster can be tripped up by a web server that responds to everything with an HTTP 200 or a 302 redirect page instead of HTTP 404 Not Found. The tools can be adapted to this, but ultimately it is important to understand what the tools are doing in case adjustments need to be made.
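To show what “adapting” to a catch-all server actually means under the hood, here is an added illustration of the idea forced-browsing tools use: fingerprint the response to random nonexistent paths, then only report paths whose response differs from that fingerprint. This is not code from the post or from FeroxBuster; the web server below is a constructed in-memory stand-in and the 0.95 similarity threshold is an assumption.

```python
import difflib
import secrets

# Constructed stand-in for a CTF web server that answers every unknown path with
# HTTP 200 and the same "not found" page instead of a real 404.
# Keys are paths, values are (status, body); anything else gets CATCH_ALL.
CATCH_ALL = (200, "<html><body><h1>Oops</h1><p>Nothing here, keep looking.</p></body></html>")
FAKE_SERVER = {
    "/": (200, "<html><body><h1>Welcome</h1><p>Landing page.</p></body></html>"),
    "/admin": (302, "Redirecting to /login"),
    "/robots.txt": (200, "User-agent: *\nDisallow: /backup/"),
    # Same catch-all page, but with an extra comment tacked on: still worth a look.
    "/backup": (200, CATCH_ALL[1] + "<!-- index of /backup disabled -->"),
}

def fetch(path):
    """Return (status, body) for a path from the constructed server."""
    return FAKE_SERVER.get(path, CATCH_ALL)

def baseline(probe_count=3):
    """Request a few random, surely-nonexistent paths and record what comes back.
    That response is the 'wildcard' fingerprint. Returns None if the random
    paths disagree with each other, because then there is no simple catch-all."""
    samples = [fetch("/" + secrets.token_hex(8)) for _ in range(probe_count)]
    if len({s for s, _ in samples}) != 1 or len({b for _, b in samples}) != 1:
        return None
    return samples[0]

def similarity(a, b):
    """0.0 .. 1.0 text similarity; 1.0 means identical bodies."""
    return difflib.SequenceMatcher(None, a, b).ratio()

def interesting(paths, fingerprint, threshold=0.95):
    """Keep only paths whose response differs from the wildcard fingerprint,
    either by status code or by a body less similar than the threshold."""
    hits = []
    for p in paths:
        status, body = fetch(p)
        if fingerprint is None:          # no fingerprint: nothing can be filtered out
            hits.append(p)
            continue
        base_status, base_body = fingerprint
        if status != base_status or similarity(body, base_body) < threshold:
            hits.append(p)
    return hits

WORDLIST = ["/", "/admin", "/robots.txt", "/backup", "/uploads", "/old", "/config"]

if __name__ == "__main__":
    fp = baseline()
    print("wildcard fingerprint:", fp)
    for p in interesting(WORDLIST, fp):
        print("worth a look:", p, fetch(p)[0])
```

Without the fingerprint every entry in the wordlist comes back as a “hit”; with it, only the four paths that really behave differently survive.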
The last tool that I want to talk about is the internet. I spend more time on Google than any other thing during a CTF. Google rarely just gives up the answer to a problem, but it can lead to ideas for where to look. There are also a few sites that have some good starting points that I reference all the time:
- Whenever I get stumped, I come here to get a bunch of ideas for things to try. It’s a pentesting and CTF run book that covers pretty much anything, at least as far as I can tell.
- Ippsec is a master of the CTF. This page allows you to search all Ippsec’s YouTube videos by keyword.
- Another fabulous resource from John Hammond specifically about weird stuff that shows up in CTF puzzles. John Hammond also puts out a lot of really good content for all levels of CTF players and information security professionals.
The hardest part about learning to do CTFs is learning what to search for. Experience and practice will help with that. While many CTFs are time-boxed, it is important to avoid racing through the challenges just to get them completed. Take the time to understand both the challenge and the solution so that it is easier the next time you see it. It is frustrating to know you did a thing one time, but not remember how you did it, or how you found the answer – and that is what notes are for. While I rarely publish writeups online, I write up almost every single challenge that I complete and save it for reference later. My writeups include the problem, my thought process, the things that worked, and the things that didn’t work. Over time, my library grows, and I don’t have to keep as much stuff in my brain.
Many CTF competitions have a scheduled period. Some games will be during the week, others will be on the weekend. Some go on for 1-2 weeks, others only last a few hours. I am not particularly fast, so I prefer the longer games. H@ctivityCon CTF is part of HackerOne’s H@ctivity Con 2021. My schedule is not very forgiving this week, so I am probably not going to spend as much time on this CTF as I normally would. But I haven’t done one of these in a while and I miss it.
Jeopardy-style CTFs, the only CTFs I currently play, involve a series of challenges in various categories. Depending on the CTF organizer, the challenges will range in difficulty from easy to hard, though that measurement is subjective. I find it best to go into the CTF with an open and optimistic mindset.
Warmup challenges, the “gimmies” at the top of the list give me an idea of what kind of difficulty I am in for. The H@ctivityCon CTF includes a nice “Read the Rules” challenge. I think that these challenges are here to separate folks that registered for the CTF from those that are playing. Thousands of people may sign up for a CTF, but not everyone will end up playing the game. When I am deciding how much I am going to let imposter syndrome rule my emotions, I look at the number of folks that solved the gimmies, not the number that registered. Then I remember that I play these games to learn new things and everyone else’s progress doesn’t impact my own learning, I have a cookie, and I get back to work.
Reading the rules for the CTF and doing just the tiniest amount of digging gives up a flag. Happy brain chemicals fire off, and we’re off to the races. Onward to the next challenge.
Some CTFs do not sort the challenges from easiest to hardest. After the rules challenge, the first challenge I picked was called “oddball”, and I’ll tell you right up front, I couldn’t solve it. I still have no idea what this thing is about. I started a little late, so there were already several solves for most of the challenges. The “Read The Rules” challenge had been solved a few hundred times, and Oddball had only been solved about 50 or so times. That’s different. Even at the end of the game, this challenge had only been solved 189 times, compared to more than a thousand solves for several of the other warmup challenges. Clearly this puzzle was difficult for a lot of folks.
Sometimes the challenge creator makes a puzzle that seems easy to them but isn’t easy for everyone else. This is where dynamic scoring will help. Dynamic scoring can be compared to scoring exams on a curve, but not really. The more people who solve the challenge, the fewer points the challenge is worth. There are several variants of dynamic scoring, and my only objection is when the scoring is set to reward faster people. If the challenge is worth the same number of points for everyone, regardless of when they solve it, I am happy. Reading the rules for the CTF is important. The rules are almost always the same: don’t be a jerk, don’t attack the game infrastructure, don’t hack other participants, try to have fun, oh yeah, and here’s how the scoring works for this game. Nobody wants to read the rules, so to encourage folks to read them the organizers give us a flag for at least pretending to do it. This would work better if they offered stickers. I will do almost anything for stickers.
You may be asking what a challenge will look like. It may look like this:
A file called bass64 is downloadable, and there is some description, and the title. All three things are important. For this one, bass64 looks like base64, so that’s probably a hint. I’ll download the file and look at it. The file command tells me that this is text, so I’ll print the file out and see what it looks like.
That’s a big ol’ mess, isn’t it? But I have seen this before. Zoom out a little and something interesting will happen. No, this isn’t like those puzzles in the 90’s where you stare through it, and it becomes a zebra or something.
Well, how about that? We have text! So, I’ll type this out, and base-64 decode it and see what happens.
Houston, we have a flag. This is the other reason to read the rules. Knowing the flag structure or format can be REALLY helpful. You might be tempted to just dump the text from the zoomed-out view, but really you need to keep going. Remember math classes in high school where the teacher told you that you could check your work during the test by plugging the values back into the equation and making sure it works? No? Well, they probably did, and you can. A defined flag structure like this tells me when I am done solving the challenge. That was a warmup challenge; it’s meant to be easy. It’s meant to be an invitation to keep going and try the harder challenges.
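The “plug it back into the equation” step, written out as a small script: take the text you typed in from the zoomed-out view, try the usual decodings (nested a few levels deep, which goes a little beyond the single base64 step in bass64), and stop only when the result matches the flag format from the rules. This is an added example, not part of the post or the challenge; the `flag{...}` pattern and the sample text are constructed assumptions, not the real CTF’s format or flag.

```python
import base64
import binascii
import codecs
import re

# Assumed flag format for this illustration. Real CTFs state theirs in the rules,
# which is one more reason to read them; swap in the organizers' pattern here.
FLAG_RE = re.compile(r"flag\{[^{}\s]{1,80}\}")

def _text(raw):
    """bytes -> str, or None if the bytes are not readable text."""
    try:
        s = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return s if all(c.isprintable() or c.isspace() for c in s) else None

def decode_base64(s):
    s = "".join(s.split())           # a typed-in blob often carries stray whitespace
    s += "=" * (-len(s) % 4)         # tolerate missing padding
    try:
        return _text(base64.b64decode(s, validate=True))
    except (binascii.Error, ValueError):
        return None

def decode_hex(s):
    try:
        return _text(bytes.fromhex("".join(s.split())))
    except ValueError:
        return None

def decode_rot13(s):
    return codecs.decode(s, "rot_13")

DECODERS = [("base64", decode_base64), ("hex", decode_hex), ("rot13", decode_rot13)]

def find_flag(candidate, max_depth=3):
    """Breadth-first: apply the decoders to the text (and to their outputs, up to
    max_depth deep). Return (decoder chain, flag) for the first result that
    matches FLAG_RE, or None if nothing at any depth looks like a flag."""
    frontier = [((), candidate)]
    for _ in range(max_depth + 1):
        next_frontier = []
        for chain, text in frontier:
            m = FLAG_RE.search(text)
            if m:
                return chain, m.group(0)
            for name, fn in DECODERS:
                out = fn(text)
                if out and out != text:
                    next_frontier.append((chain + (name,), out))
        frontier = next_frontier
    return None

# Constructed sample standing in for the text read off the zoomed-out file.
SAMPLE_FLAG = "flag{constructed_example_not_a_real_flag}"
SAMPLE_TEXT = base64.b64encode(SAMPLE_FLAG.encode()).decode()
SAMPLE_NESTED = SAMPLE_TEXT.encode().hex()          # hex wrapped around base64

if __name__ == "__main__":
    print(find_flag(SAMPLE_TEXT))     # (('base64',), 'flag{...}')
    print(find_flag(SAMPLE_NESTED))   # (('hex', 'base64'), 'flag{...}')
```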
The challenges get harder, and weirder. But they can be fun. The next challenge is Tsunami. This is also a warmup. This time the file is a WAV file. Audio files and images could mean steganography of some sort. Stego challenges are kind of fun. For this challenge I am going to use the Stego-Toolkit Docker container. This is handy and saves me some time trying to install a bunch of tools just to see if I am going to need them.
Within the toolkit there are several tools installed. There is also a VNC/Remote Desktop option because some tools need to be used from an interactive desktop. With an audio file, the first thing to try, after listening to the file, is to get a visualizer open. The idea here is to look at the frequency graphs. When I listened to the file there was a lot of weird “noise” at the end, so that is probably where I am going to be looking for something to be “odd”.
I am going to open a spectrogram of the file to see what is going on in there. The graph does look a little weird there at the end, so I’ll move the slider over that way and see what comes up.
What does that part there at the end look like to you? To me, it looks like a flag, but I’ll need to zoom in a bit to make it readable.
Tah-freaking-dah! That’s another challenge down. When I did my first CTF a year ago, it was around the second or third challenge that I was pretty sure I was hooked for life. Happy brain chemicals fire off to reward the patience and diligence of solving the puzzle and provide motivation to keep going.
Not all the challenges will be solved every time
This CTF was not my best showing, in fact this was the worst that I have done in any CTF. Most of the problem was time. I just didn’t have enough time to dedicate to the CTF this week. That happens. Another issue was that I got tied up with a couple of challenges early where I couldn’t see the solution. I spent more time on them than I should have before moving on. I never got past the warmups – in fact, the challenges above were the only challenges I completed this time. It’s ok, I’m not going to beat myself up about it.
This CTF had 62 challenges. About 6 or so were challenges like ReadTheRules or checking the Discord channels. After the warmups, I estimate about 50 or so challenges were “real”, in a CTF that lasted 2 days. To solve them all, the player has less than an hour to complete each challenge. In my experience that is a lot. CTF is increasingly a team sport. A group of folks work together by dividing up the challenges. A solo hacker can compete against a team, but they are at a bit of a disadvantage. CTFs are about experience more than anything else. Many minds can work together to see things differently. I have never done a CTF as part of a team, and generally, I rank in the top 20% or so, which is perfectly fine with me.
Completing the 3 challenges that I did, I got 150 points and finished in 1,320th place out of 2,527 teams registered. There were 1,721 teams on the scoreboard, so I didn’t do so well. I still learned some things. I’ll spend some time over the next few days looking at the write-ups for the challenges that I was stuck on as well as the challenges that I didn’t get to. I have already done a little bit of that, and I see where I screwed up. I’ll adapt my methodology and hopefully next time I see challenges like those, I will do better.
I will spend some more time with HackTheBox, TryHackMe, and other CTF type platforms to build some skills and next month when I compete again in another CTF, I’ll do better. The lack of happy brain chemicals at the end of this competition is motivation to chase them next time. The end of a CTF is usually a good time for me. I am usually solving challenges right up until the end, and I am having fun. I had fun this time too, I just didn’t get to spend as much time on the CTF as I normally do, and my progress reflected that.
If you’ve never tried a CTF before, or if you are looking for a CTF to participate in, Set Solutions will be hosting a CTF in October for Cyber Security Awareness Month. To get more information about the CTF, the prizes, our sponsors, or to register to play, go to https://ctf.setsolutions.com/. Since we are based in Houston, and because we like to have a little bit of fun, the theme for the CTF is inspired by Space Force. I hope you will join us.
This year’s CTF is sponsored by: Crowdstrike, Cloudflare, CyberArk, and iboss
This blog was written by Greg Porterfield, Senior Security Consultant at Set Solutions.