Capture the Flag, or CTF, is a game involving a wide range of computer-subjects surrounding computer security, computer forensics and just plain computers. Typically played in teams, CTF is hosted by one group using their own servers and/or network equipment, and all other groups participate as clients typically by remote connections such as VPN or web servers. One of the more famous CTF tournaments is hosted at DefCon each year. In this event, each team as well as the host are all in the same room and they are all networked appropriately.
At DefCon and some other CTFs, the event abides by particular operating hours over a period of a few days. This allows the participating teams to have a life and get some friggin' sleep. Alternatively, other CTF events are open and operational for 24-72 hours non-stop. Teams area allowed to get as many points as possible until the event is officially over. This allows teams to spread out across the globe and have multiple groups work in shifts according to their time zones.
Points are awarded when certain tasks are completed. In some cases, a challenge will be presented and the team attempting to solve it will typically look for a key, or flag. The flag is typically a text file in a hidden location, or an encrypted text file in a not-so-hidden location. Some flags are hidden messages inside images, so the only way to find them is to manipulate the image file to reveal the message. For binary challenges, you may have to reverse-engineer the application to find a weakness to exploit and eventually pop a system shelll. Once the shell is obtained, it can be as easy as cat key.txt to get the flag.
Once obtaining the actual flag, typically the host provides a method to turn in the flag for credit. Depending on how creative the host wants to be, the submission process can be difficult but original. But many hosts prefer to use a simple web form to automatically count points and keep track of team scores.
Jeopardy Style
This style presents a range of subjects such as cryptography, network forensics, stegonography, reverse engineering, mobile security, web security, image manipulation, exploitation and more. Each subject has a number of challenges available worth points typically based on their difficulty. In some CTFs, additional challenges are added to the game as time goes on. For some challenges, there are multiple ways to obtain points, so there can be multiple flags. This can be confirmed when your team turns in a flag but the score rewarded is only part of the total points the challenge was worth. Some challenges will provide clues to help the teams solve them better. Others will simply inform the teams of exactly what format the key is expected (eg. an MD5 hash of a particular IP address, etc). But in other cases, all you get is a file to download or redirection to a web site. In the sections coming ahead, we will go over some examples of these challenges.
Here is a jeopardy style game board. Even though the categories aren't exactly organized, you can see the completed challenges are the boxes colored green.
Attack-Defense Sytle
This style is simply a very hostile environment in which each team is either locally present, connected to a VPN environment, or both. Each team has it's own subnet as part of a larger network. Most teams are given a /24 subnet or in some cases a /22 or /20 subnet. Located on that subnet are the teams' physical and virtual devices and the provided virtual machines. The virtual machines provided by the host are the machines that must remain up at all times. The host has automated service checks that ping each team's services on a frequent basis.
Typically, if the service is up, there is no general effect. But if a service is down, or unreachable by the host, that team is negatively affected. Sometimes points are lost, but in other cases the total down time for that team is counted and each service is ranked for it's percentage of uptime vs. downtime. The percentage of downtime will be the negative impact on the teams score. The number of points taken from a team could be directly related to the percentage of downtime, or the host may have developed a scale system to determine the number of points to be deducted.
Keeping your services up as much as possible may not be as easy as you think. The host server that is checking your service knows which port is open for that service. So everyone else knows that port is open as well. One good way for teams to get ahead is to make the other teams fall behind. You can do this by attacking other teams and taking down there servers or serivces forcing a reboot or otherwise. If it's down long enough, the host server will no be able to reach the service and the downtime begins.
http://www.reddit.com/r/netsec/comments/y0nnu/we_are_samurai_ctf_and_we_won_defcon_ctf_this/
"Everyone has the same vulnerable services running. You find the bugs, patch them, and exploit them on other people's boxes. When your exploit lands it will usually be retrieving a key file (or fucking shit up). Your score is also modified by how up all your services were, this prevents people from killing everything on their box and just trying to land keys."In addition to defense, your team can also attack other teams for additional points. Some services will have specific "values" associated in a configuration file or other areas related to the service or just basic file systems that have been locked down. Each team has they own "key" given to them by the host which is acts more like a signature. Upon successfully exploiting something, the value of this file is overwritten by the attacking team with that team's key. This is known as an "overwrite". If the host can detect this during the service check, the points are awarded automatically. For other games, teams will have to notify the host of when an overwrite occurs in order to get the points. If you can't get access to a file to overwrite, you can still get points by obtaining read access. These are known as "reads".
http://www.reddit.com/r/netsec/comments/y0nnu/we_are_samurai_ctf_and_we_won_defcon_ctf_this/"There is also the overwrite. Each team has a unique team key, and if they gain write access to a file location (which is restricted with 0700 access permissions most often to a single user account), they write that unique team key over the special file. The scoring system is monitoring the entire filesystem of each jail, notices the change, and gives credit to the owner of that unique team.
The scoring system then goes back into that file, resets the file to it's original condition. This is so that the next team that comes along, who only has read access, can pull off the time limited token inside it.
Writes are worth alot more than reads"Some other creative hacks and exploits have been known to accumulate additional points for the attacking team. Obtaining access to something that your team does not normally have access will earn your team "breakthrough" points.
The general rule is not to attack the host server because that stops the whole game. But in most cases, if the hack is clever enough, the team will get some points for it.
Each side of the team obviously consists of offense and defense. There are many different roles involved for each side of your team. The defense needs a system admin, a network admin, network defender. Offense needs at least one reverse engineer, a service attacker, a team/client attacker, a web attacker, and some folks to help write scripts. And the entire team needs a good leader to keep everyone organized. And if you are doing an important CTF like defcon, you will also need a few friends to act as gofers to bring you food and caffeine. Sadly, every minute counts and food breaks end up suffering during these events.
Defcon 17 presented a talk that gave a general introduction to this attack-defense style competition. Most CTF's have rules limiting the number of members per team, but there is lots of discussion about this showing how it's generally impossible to enforce and it ends up being more of a burden on the team and not the host.
Mixed Style
This version simply combines both Attack-Defense with Jeopardy styles. While you have the services you need to keep operational, and the services you want to attack on the other teams, you also have the categories of challenges/puzzles that will reward you with additional points.
What skills do you need for CTF?
At least some computer experience would be helpful, but even that isn't truly required for a Jeopardy style event. In a recent CTF, our team attempted to solve the surtA challenge. A woman in the room that was not even participating in the CTF ending up helping solve this challenge. If you have an interest and a laptop, you can typically tag along in a Jeopardy style CTF. The more experience you have with computer technology, the better. Like anything in life, the more you know the better you do. And with a team full of thinkers, you will have fun and learn a lot.
http://www.reddit.com/r/netsec/comments/y0nnu/we_are_samurai_ctf_and_we_won_defcon_ctf_this/"
I started quite a bit before then. In terms of years of experience we had everything from students with no job training to several years experience across a diverse set of backgrounds. Everything from system administration, networking, malware, programming, etc... All of that was necessary in the game. It was about bringing the skills you had to the game and finding a way to contribute. Experience level didn't matter as much as attitude and desire to learn."In general, it is advised you get familiar with linux.
For Attack-Defense style CTF, you really need to know your computer stuffs. You may find a team that will allow you to assist by googling things for them or bringing them food or other misc jobs. But in general, to participate in this style event, you need to know how to do one of the major roles involved in AD/CTF (reverse eng, exploitation, attack, defense, etc). So no computer skills at all could be quite boring or just plain confusing.
Let's do a jeopardy style CTF...
I'll show you a recent CTF we entered called Nullcon CTF. You would go to their event website typically announced at ctftime.org. Your team registers for the event at the event's site. Your team leader is likely the one to do this for you. Then the team's login information is distributed to the rest of the team. Each team member can now login and submit flags for points. Obviously, if you want to do it all yourself, you can just register on your own.
Upon login, you should be able to find the dashboard that has your challenges.
As pictured above, the categories are on the left and the challenges in that selected category are on the right with the point value of each listed as well.
Clicking on a particular challenge will take you to a new page.
In this case, it simply advises you to connect to a remote server on a specific port. That's all the info you are given and somehow you need to find the flag.
Here is another one under the MISC category. Not much of a clue, in fact it isn't a clue. But all we get is a file to download.
To see a step-by-stepwrite up of this challenge, click here.
From here you can see how this type of event generally goes. You are working with your team members to solve these challenges. You don't need to know everything, you don't even need to know a lot. You just need to bring what you know to the table. Two minds are better than one, so a team of minds is way better. You will spend a great deal of time on google searching for faster ways to do what you need done or ways to hack things you've never hacked before.
Preparation
Over time you will develop a better understanding about CTFs and you should be able to develop your own setup that best suits your own personality and work environment. Not everyone likes Red Hat or Ubuntu so don't take this section too seriously. In general, you need an OS that works well with Linux and allows installation of most linux software packages you will eventually end up downloading anyway. So Ubuntu is recommended for this reason.
However, make sure you pick one of the LTS releases of Ubuntu so you have extra time to suck from the repositories. The latest version of Ubuntu seems to help because you will very often need to install something from the repository (aka Ubuntu Software Center) and the latest version of Ubuntu will have the latest repo and that means the latest version of the repo software will be included. It can be a great time saver. Word of advice, don't bother installing Backtrack as your primary OS.
Before we get any further, you will want a laptop (NOT A DESKTOP) that is relatively recent. This is because you are going to run more than your main OS. You are going to run virtual machines and lots of concurrent applications. You will want multiple core CPUs and a lot of RAM and a little graphics power at least to take the stress off the CPU. Older machines just don't cut the mustard for CTF. They are great for personal laptops to be used for standard crap like surfing the internet. But for CTF, you need at least a little more power. The more, the better.
With your OS installed, now you want to install some VMs. Download Virtualbox or your favorite VM application. Be advised, this is one application you probably don't want to use the repos. I recommend installing by downloading the latest version from the vendor's website. The main VM you are going to want for CTF is the latest version of BackTrack (although Kali is the latest BT and appears to be easier to upgrade for future releases). BT has a ton of handy tools that will help you in many challenges. But it can't do everything and it uses older repos to support older hack software. So trying to install things from the Ubuntu Software Center or apt-get can cause problems installing and can also break other installed applications. It's much better to just leave it as is and use it in a VM. If you plan on brute-forcing a password, thats where you can use a desktop machine and just boot to the cd. Let the password cracker run at home while you hack with your team somewhere else.
If possible, try to get a VM of MS-Windows either XP, 7, or both. Eventually you will run into a situation where you just need windows. Ubuntu and other linux distros can run Windows EXEs using a tool called WINE. But you can't run EVERYTHING using just wine. A good example of this would be .NET applications because the .NET framework is required and good luck getting that to run using wine. You will also want a VM app so you can create a temporary machine to do god knows what, or maybe one of your challenges will involve a virtual hard drive in which you need to add it to a VM so you can boot it up and find the flag.
Now that you have your VMs, make sure you have a way to connect all the OS's together so you can open and save files to one master location (eg your home folder). For Virtualbox, you can use Shared Folders which is very effective but be sure you learn how to mount them and access them ahead of time. They can be frustrating at first. You could use USB drives, but you should find the best way on your own.
If your team uses some kind of file sharing software or anything else the team wants to use, you will want to install that asap and make sure it works.
Prep your favorite browser. I prefer Chrome but you can use whatever you want. Firefox is a popular one still, but in general you want at least one that allows and has a wide variety of add-ons (aka "extensions"). Dont overload with extensions, it will slow you down at some point. But start paying attention to what extensions are going to be helpful. A cookie editor ext will be nice. Check out Firebug and other developer tools. Aside from add-ons, you will want to start searching and thus collecting a wide range of web page bookmarks. Once gathered, organize them into folders and rename them if needed. Make them quickly accessible and easy to distinguish. Get more than one of each topic. There are a ton of different hashing and crypto sites out there, so you will want to save the ones that you like or just plain work better. This will save you the time of searching for them the day of the event.
As you read other write-ups, you will locate other tools you will want to download. So install those as you find them. MP3Stego is a nice one, but that is one that will require windows to at least compile. Once compiled, you might be able to get it working with wine. Here is a short list of handy tools you might want to check out, everything else you will find on google anyway.
- StegHide
- Wirehsark
- Network Miner
- Audacity
- WAMP/LAMP
- hex editor
- code editor (php editors are nice), Notepad++ is decent
- GIMP image editor or photoshop
- MS Office 2007+ might come in handy, Open Office can't do everything MS does
- 7zip
- ollydbg
- Learn Python the hard way
- Dive Into Python
- Google's Python Class
- Try Ruby
- Learn PHP Online
- Perl Tutorials
If you want to start reverse engineering, you need to start learning Assembly (ASM) language right away. IDA will be the next step, but assembly is literally the phase between computer language and human readable language/code. Since it's impossible to reverse a binary to get human readable code, all you can get is ASM. So you need to know ASM so you can re-write the binary from scratch (if needed), which will allow you to exploit it easier.
- http://www.opensecuritytraining.info/IntroX86.html
- Art of Assembly
- Intro to ASM
- How to use debug
- DefCon 16 - Reversing with IDA
- Here is a decent into to IDA, the first half is boring but the 2nd half is a good demo for noobs of how you breakdown the IDA layout and reverse a simple program
Links:
- http://pentest.cryptocity.net/capture-the-flag
- http://capture.thefl.ag
- http://ctftime.org
- http://www.root-me.org/en/Capture-The-Flag/CTF-all-the-day/
- http://www.reddit.com/r/netsec/comments/y0nnu/we_are_samurai_ctf_and_we_won_defcon_ctf_this/
- http://www.smashthestack.org/
- http://ctf.forgottensec.com/wiki/index.php?title=Training
- http://captf.com/
- Defcon 20 writeups and such