0x02: CTF 101 Part I (January 2019)

Collin (Unkn0wn)

Founder of Shad0w Synd1cate

We held another successful and historic event in January for Shad0w Synd1cate. We had nearly 70 members show up making this the largest event yet! We want to thank each and every one of you for your continued support. As we always say, without you all this group would be nothing, and for that we are thankful!

To start the new year off strong, we went over a topic that many people find extremely interesting: Capture The Flag (CTF)! Since there is so much information to cover regarding Cyber CTFs, we decided to break this post into two parts. In this first part, we will go over what a Cyber CTF is and why you should take part in them, followed by the first three categories you can expect to run into during a Cyber CTF. Part two will pick up where this one stops, continuing with the remaining categories and finishing off with some useful resources to learn more about CTFs as well as test out your skills!

Along with the presentation, we also created a lab that gives you some hands-on experience with some of the tools that will be mentioned here. We fully believe that in order to really solidify your understanding of a topic, it is vital to actually get hands-on experience! You can download the PowerPoint slide deck as well as the lab worksheet from the links to the left, including the VM that you will need to complete the lab. With that being said, let’s jump into it…

We broke the presentation into different segments in order to provide bite-sized pieces of information. Let’s start from the very beginning:

 

What is a Cyber CTF?

A cybersecurity CTF is an event/competition that involves utilizing all of your cybersecurity/IT skills in order to solve and complete the different puzzles and questions presented. Sometimes that can include attacking/defending systems! Cyber CTFs first started back in 1996 at none other than DEF CON 4!

A lot has changed since the original CTF. As an example, originally there were judges who would decide who received points, depending on certain criteria. Today nearly all CTFs are built on some form of CTF platform that not only presents the participants with questions/puzzles, but also automatically awards points based on correct answers or other criteria.

 

Why Should I Get Involved/Care About CTFs?

There are numerous different reasons why you should get involved in Cyber CTFs; however, if I had to name a few, these are what I believe to be the most beneficial:

1. Learning

The amount of information you gain from participating in CTFs is truly amazing. The reason is that you force yourself into a situation where you don’t have all the answers. This is what I like to call “throwing yourself in a fire”. You have no choice but to go and try to figure out how to solve the challenges. This is where you use your good old friend Google to start searching. I cannot tell you how many times I have come across open-source tools or other great information that I was able to not only use to solve the challenge, but keep as a newly learned ability in my tool bag for future use!

2. Teaming Up With Others

CTFs also provide a great opportunity to work with others as well as learn from them. Surprisingly, most people are more than willing to help you out if you get stuck, or at least point you in the right direction. This interaction is priceless: you can not only learn a ton from others, but potentially gain new cyber buddies!

3. Prizes

If you don’t really care about the first two, then maybe these last two will resonate with you. If you get really good at CTFs, you could win a lot of money and prizes doing it! A lot of the CTFs that are held have prizes for the top 3 winners, varying from cash prizes to awesome electronic giveaways!

4. Fun

The last reason kind of goes without being said. CTFs are a blast, ‘nuff said!

 

So What Does a Cyber CTF Entail?

Now that you have some background information as to what a Cyber CTF is, and some reasons as to why you should participate in them, let’s go further in-depth regarding what you can expect when participating in a CTF.

There are numerous potential categories that can be involved in a Cyber CTF. We will go over some of the more common ones below, explaining what they are and some tools that may come in handy.

 

Steganography

Steganography is the art of concealing a message or information within another form of data. Let’s give an example. What if I sent you an image of a duck, and in that picture there was a text bubble that said “quack!”? Now any normal person would conclude that if the picture shows an animal that looks like a duck and it quacks like a duck, then the image must be a picture of a duck. What if I told you that it wasn’t just a picture of a duck, but there also happened to be an embedded file within it? This is what steganography is all about: concealing hidden messages and files within another form of data. Some adversaries actually use this technique in order to transmit secret messages in the clear!

During a CTF, you may be provided an image or other media like an audio file, and your job is to discover the hidden message/flag embedded in it. So what tools can we use to do this?

There are tons of steganography tools available, but we will name a few of the more prevalent ones:

-Steghide: This tool allows you not only to extract hidden embedded data from an image or an audio file, but also to embed data to create your own steganography file. More information regarding steghide can be found here: http://steghide.sourceforge.net/documentation/manpage.php

-Sonic Visualiser: In some cases, you may be given an audio file. It is possible to embed a message into an audio file that can only be seen visually in the spectrogram of the audio. You can use a tool like Sonic Visualiser to view the spectrogram and the hidden message! More information regarding Sonic Visualiser can be found here: https://www.sonicvisualiser.org/

-Bless: Bless is a hex editor and is honestly a multi-use tool. We decided to place it in the Steganography category because sometimes the challenge is an easy one and the message may just be hidden in the raw data of the file. You can use a hex editor like Bless to view the raw data alongside its ASCII representation and spot the message/flag.
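Scrolling through a file in a hex editor is manual work; the script below automates the most basic version of the same check. It is an added example written for this post, not one of the tools above and not the lab's code: it walks the chunk structure of a PNG, verifies each chunk's CRC, reports any bytes that sit after the IEND chunk (a common place for an appended file to hide), and pulls printable ASCII runs out of that tail the way a hex editor's ASCII column would show them. The sample image and the appended payload are constructed inside the script.

```python
"""Walk a PNG's chunk structure and report anything appended after IEND.

Added example for this post; it is not Steghide, Bless or the lab's code.
A hex editor shows you the raw bytes; this automates one common inspection:
is there a payload glued onto the end of the image, and what readable text
does it contain? The sample image and payload below are constructed.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def walk_png(blob: bytes):
    """Return (chunks, trailing).

    chunks is a list of (type, length, crc_ok) in file order; trailing is every
    byte after the IEND chunk, b"" for a clean file or a file with no IEND.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # header + data + CRC
        if end > len(blob):
            break  # truncated chunk: stop rather than read past the end
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        crc_ok = (zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("ascii", "replace"), length, crc_ok))
        pos = end
        if ctype == b"IEND":
            return chunks, blob[pos:]
    return chunks, b""


def ascii_strings(data: bytes, min_len: int = 4):
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


# Constructed sample: a valid 1x1 grayscale PNG with a fake archive header and
# a flag-like string appended after IEND, the way a CTF author might hide a file.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
IDAT = zlib.compress(b"\x00\x00")                    # filter byte + one pixel
APPENDED = b"PK\x03\x04" + b"flag{example_only}"


def build_sample() -> bytes:
    png = PNG_SIGNATURE + make_chunk(b"IHDR", IHDR) + make_chunk(b"IDAT", IDAT) + make_chunk(b"IEND", b"")
    return png + APPENDED


def report(blob: bytes) -> dict:
    """Summarise a file: chunk list, bad CRCs, tail size and readable tail strings."""
    chunks, trailing = walk_png(blob)
    return {
        "chunks": [c[0] for c in chunks],
        "bad_crc": [c[0] for c in chunks if not c[2]],
        "trailing_bytes": len(trailing),
        "trailing_strings": ascii_strings(trailing),
    }


if __name__ == "__main__":
    for name, blob in (("clean", build_sample()[:-len(APPENDED)]), ("suspicious", build_sample())):
        print(name, report(blob))
```

Run it on a real file with `report(open(path, "rb").read())`. A clean PNG returns an empty tail; data after IEND is not by itself proof of steganography (some exporters leave junk there), but it is the first thing worth looking at, and a chunk with a bad CRC usually means bytes were edited in place.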

 

Forensics

Digital forensics is the scientific process of acquiring and analyzing digital data in an effort to gather evidence based on a specific alert or event. In CTF events, a lot of times you are given a memory dump, image, packet capture, etc. that you must then analyze and extract the relevant information in order to solve the challenge. Let’s see what tools we can use to help solve these challenges:

-Exiftool: Exiftool allows you to read and write the metadata in a file. As an example, there have been times during CTFs where I was given a photo and needed to determine the make and model of the camera that was used to take it. Most people don’t realize that those photos have a ton of metadata embedded. Using a tool like exiftool, you can easily extract that information. More information regarding exiftool can be found here: https://www.sno.phy.queensu.ca/~phil/exiftool/

-Volatility: Volatility is one of the most, if not the most, popular memory forensics tools out there. As previously mentioned, you may be given a memory dump that you need to analyze in order to gather the information required to solve the challenge. Volatility makes this analysis easy. Using it, you can extract information such as running processes, network connections, listening ports, and even potentially password hashes! More information regarding Volatility can be found here: https://www.volatilityfoundation.org/

-Wireshark: Wireshark is by far the most used network sniffer/network protocol analyzer out there. What makes it so well liked is the fact that it is GUI based! In many CTFs, at some point you will be given a .pcap file that you are required to analyze to find the information needed to solve the challenge. Wireshark is the perfect tool for parsing through the massive amounts of data that a .pcap file contains. In addition, Wireshark can be used to extract files from the packet capture, or to extract the raw file data that you can then use to rebuild a file! More information regarding Wireshark can be found here: https://www.wireshark.org/
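To show what exiftool is actually reading when it reports a camera's make and model, here is an added example (not code from this post and not from exiftool) that walks a JPEG's marker segments by hand, finds the APP1 segment carrying EXIF data, and decodes the ASCII entries of the first TIFF IFD. The sample JPEG, its tag values and the `build_tiff` helper are all constructed so the script runs offline; it reads only ASCII tags and only IFD0, so it sees a small fraction of what exiftool does.

```python
"""Read camera Make/Model from a JPEG's EXIF block by hand.

Added example for this post, not the original's code and not exiftool: it
walks the JPEG marker segments, finds the APP1 segment that carries EXIF, and
decodes the ASCII entries of the first TIFF IFD. The sample JPEG, its tag
values and the build_tiff helper are constructed so this runs offline.
"""
import struct

# Small subset of IFD0 tag ids; a real photo carries dozens more.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software"}
ASCII = 2  # TIFF field type for NUL-terminated ASCII


def jpeg_segments(blob: bytes):
    """Yield (marker, payload) for each segment between SOI and SOS/EOI."""
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = blob[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS: entropy-coded data follows
            return
        if pos + 4 > len(blob):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", blob[pos + 2:pos + 4])  # length includes itself
        yield marker, blob[pos + 4:pos + 2 + length]
        pos += 2 + length


def exif_ascii_tags(tiff: bytes) -> dict:
    """Decode the ASCII entries of IFD0 from a TIFF block (either byte order)."""
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd_off = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(order + "H", tiff[ifd_off:ifd_off + 2])
    tags = {}
    for i in range(count):
        entry = ifd_off + 2 + 12 * i
        tag, ftype, n = struct.unpack(order + "HHI", tiff[entry:entry + 8])
        value_field = tiff[entry + 8:entry + 12]
        if ftype != ASCII:
            continue
        if n <= 4:                      # short values live inside the entry itself
            raw = value_field[:n]
        else:                           # longer ones sit at an offset from the TIFF start
            (off,) = struct.unpack(order + "I", value_field)
            raw = tiff[off:off + n]
        name = TAG_NAMES.get(tag, f"0x{tag:04X}")
        tags[name] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return tags


def camera_info(jpeg: bytes) -> dict:
    """Return the IFD0 ASCII tags from the first Exif APP1 segment, or {}."""
    for marker, payload in jpeg_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return exif_ascii_tags(payload[6:])
    return {}


def build_tiff(strings: dict, order: str = "<") -> bytes:
    """Constructed TIFF block with one IFD of ASCII entries (for the sample only)."""
    entries = sorted(strings.items())
    ifd_len = 2 + 12 * len(entries) + 4
    data_off = 8 + ifd_len              # string area starts right after the IFD
    ifd, data = b"", b""
    for tag, text in entries:
        raw = text.encode("ascii") + b"\x00"
        if len(raw) <= 4:
            ifd += struct.pack(order + "HHI", tag, ASCII, len(raw)) + raw.ljust(4, b"\x00")
        else:
            ifd += struct.pack(order + "HHII", tag, ASCII, len(raw), data_off + len(data))
            data += raw
    ifd = struct.pack(order + "H", len(entries)) + ifd + struct.pack(order + "I", 0)
    bom = b"II" if order == "<" else b"MM"
    return bom + struct.pack(order + "HI", 42, 8) + ifd + data


def build_sample_jpeg() -> bytes:
    """SOI + APP1(Exif) + EOI: no image data, just enough structure to walk."""
    app1 = b"Exif\x00\x00" + build_tiff({0x010F: "ExampleCam", 0x0110: "Model X-1", 0x0131: "v1"})
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    print(camera_info(build_sample_jpeg()))
```

Point `camera_info` at a real photo with `camera_info(open(path, "rb").read())`. GPS coordinates, timestamps and thumbnails live in other IFDs reachable from IFD0, which is why a full tool is still the right choice during a challenge; the value of walking it once by hand is knowing that this metadata is plain structured bytes that survive copying and renaming, and only disappear when a tool strips the segment.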

 

Password Cracking

Password cracking entails trying to figure out the password of a system, file, application, etc., either from an extracted hash or by attempting to brute force the authentication. Password cracking can come in real handy during CTF events, and you can pretty much expect to use some form of it in order to solve a challenge. Let’s take a look at some useful tools for that:

-John The Ripper: JTR is one of the most well-known password crackers out there. It has incredible community support, with a ton of extra modules that allow for cracking the passwords on files such as .pdf, .rar, .zip, etc. Using JTR’s modules, you can actually extract/formulate a hash from a file and then perform a dictionary/wordlist or brute force attack on it in hopes of finding a password that produces the same hash. More information regarding JTR can be found here: https://www.openwall.com/john/

-Hashcat: Hashcat has a lot of the same capabilities that JTR has; the main difference is that Hashcat is built to utilize the Graphics Processing Unit (GPU) in order to crack passwords, as opposed to JTR, which relies on the CPU. Using the GPU for cracking is much faster, and therefore Hashcat is known as the fastest password cracker out there. (Note: John The Ripper also supports the use of GPUs; it just needs to be configured for that first.) More information regarding Hashcat can be found here: https://hashcat.net/hashcat/

-Hydra: Both JTR and Hashcat are designed to crack passwords that are local on the system, but what happens when you need to try and brute force a remote web application? This is where Hydra comes into play! Hydra really becomes helpful when you are dealing with a more offensive-based CTF, which we will be discussing in part 2! More information regarding Hydra can be found here: https://sectools.org/tool/hydra/
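The dictionary attack that JTR and Hashcat automate comes down to a few lines, and seeing it next to a salted, slow hash makes clear what the defensive side of this category looks like. The following is an added example written for this post, not code from either tool: it hashes a constructed wordlist once and matches it against a set of constructed, unsalted MD5 digests, then stores the same kind of passwords with PBKDF2 and a per-user salt and counts how much work the same wordlist now costs. Every password, salt and digest in it is made up for the example.

```python
"""A dictionary attack on unsalted hashes, next to salted PBKDF2 storage.

Added example for this post, not code from John the Ripper or Hashcat: it
shows the lookup those tools automate and why a per-user salt plus a slow
hash changes the cost. Every password, salt and digest here is constructed.
"""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "qwerty", "dragon", "Summer2019!", "correcthorse"]

# Constructed "leaked" unsalted MD5 digests: three are in the wordlist, one is not.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"letmein").hexdigest(),
    "bob": hashlib.md5(b"Summer2019!").hexdigest(),
    "carol": hashlib.md5(b"dragon").hexdigest(),
    "dave": hashlib.md5(b"Tr0ub4dor&3-not-in-list").hexdigest(),
}


def crack_unsalted(leaked: dict, wordlist, algo: str = "md5"):
    """Hash the wordlist once, then look every leaked digest up in the table.

    Returns (found, hash_ops). The table is built once regardless of how many
    accounts are in the leak, and identical passwords share one digest.
    """
    table = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    found = {user: table[digest] for user, digest in leaked.items() if digest in table}
    return found, len(wordlist)


def store_salted(password: str, iterations: int = 20_000):
    """Password record as a defender should store it: random salt, slow KDF.

    The iteration count is kept low so the example runs fast; real storage
    uses a far higher count, or a memory-hard function such as Argon2.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_salted(password: str, record) -> bool:
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_salted(records: dict, wordlist):
    """Same wordlist against salted records: no shared table is possible.

    Returns (found, hash_ops). Each account needs its own pass over the
    wordlist, and each op is a full PBKDF2 run rather than a single MD5.
    """
    found, ops = {}, 0
    for user, record in records.items():
        for word in wordlist:
            ops += 1
            if verify_salted(word, record):
                found[user] = word
                break
    return found, ops


if __name__ == "__main__":
    found, ops = crack_unsalted(LEAKED_MD5, WORDLIST)
    print(f"unsalted: cracked {found} with {ops} hash operations")
    records = {"alice": store_salted("letmein"), "dave": store_salted("Tr0ub4dor&3-not-in-list")}
    found, ops = crack_salted(records, WORDLIST)
    print(f"salted:   cracked {found} with {ops} PBKDF2 operations")
```

Against the unsalted set, one pass over the wordlist recovers every account at once, and two users with the same password would show the same digest. With a per-user salt there is nothing to precompute: each account costs a full pass over the wordlist, each guess costs `iterations` rounds of HMAC-SHA256, and a strong password that is not in the list still survives. That cost gap is the whole reason the tools in this section care so much about which hash format they are given.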

 

Part two will pick up where this left off, going through the remaining categories and finishing up with a list of useful resources! Stay tuned for the part two release!

 

Icons made by Smashicons from www.flaticon.com are licensed under CC 3.0 BY.