KYRIAKOS GEORGIOU

Engineer @Instacart

 

SEC: Capturing digital flags

What?

Borrowing from Google’s great explanation:

“Capture The Flag” (CTF) competitions (in the cybersecurity sense) are not related to running outdoors or playing first-person shooters. Instead, they consist of a set of computer security puzzles (or challenges) involving reverse-engineering, memory corruption, cryptography, web technologies, and more. When players solve them they get a “flag,” a secret string which can be exchanged for points. The more points a team earns, the higher up it moves in rank.

Taking a stab at solving cybersecurity challenges in CTF competitions can be a rewarding and fun experience, especially when participating as a team, where you can bounce ideas off each other and exchange nuggets of knowledge in the process.

But what do these challenges look like?

The most elementary Web challenge would be a flag (e.g. flag{_tHat_w0z_eaZy_}) “hidden” inside the source code of the web page. Another example would be a username & password protected portal that’s vulnerable to a simple SQL injection, e.g. entering ' OR 1=1 -- as the username and password.
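Why that input gets past such a portal, and what closes the hole, shown as an added example that is not part of the original post. The table, the credentials and the function names are constructed for illustration, using Python's built-in sqlite3 module.

```python
import sqlite3


def make_db():
    """Build an in-memory users table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; real systems store a salted hash.
    db.execute("INSERT INTO users VALUES ('admin', 's3cret-constructed')")
    return db


def login_vulnerable(db, username, password):
    """Concatenates input into the SQL text, so the input can rewrite the query."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    # With the payload the statement becomes:
    #   ... WHERE username = '' OR 1=1 --' AND password = ...
    # Everything after "--" is a comment, and "OR 1=1" matches every row.
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    """Binds input as parameters; the driver only ever compares it as data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"  # the input quoted in the paragraph above
    for name, check in (("vulnerable", login_vulnerable),
                        ("parameterized", login_parameterized)):
        print(name, "| correct credentials:", check(db, "admin", "s3cret-constructed"))
        print(name, "| wrong password:     ", check(db, "admin", "wrong"))
        print(name, "| payload in both:    ", check(db, payload, payload))
```

Both functions accept the real credentials and reject a wrong password; only the concatenating one also accepts the payload, because there the input is parsed as SQL rather than compared as a value.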

When it comes to Crypto(graphy), one of the most basic challenges would read: “My friend Caesar sent me this message but I can’t decrypt it. Can you help? synt{l0h_f0yi3q_gur_p1cu3e}”. The description serves as a strong hint on how to solve this by pointing to the Caesar Cipher (ROT13).

Some other challenge categories include: steganography, reverse engineering, forensics, miscellaneous.

Some notes to keep in mind:

Why?

Most of the benefits of participating in these kinds of competitions are intangible, like learning and picking up new skills while having fun. However, sometimes, especially if you do well, there are some tangible benefits up for grabs as well! 💰

Where do I begin?

Personally, my first interaction with solving CTF-style puzzles was HackThisSite.

But there are plenty of beginner-friendly resources out there:

Natas Wargames - Natas teaches the basics of serverside web-security
PicoCTF - CMU Cybersecurity Competition
Cryptopals - A collection of 48 exercises that demonstrate attacks on real-world crypto
CyberChef - The Cyber Swiss Army Knife

Personal Note

I partake in CTF competitions, whenever my schedule permits, with the super bright folks of CYberMouflons by my side.

This blog post was fuelled by my excitement when this item arrived in the mail, as a reward for us placing 23rd in Facebook’s 2019 CTF.

Facebook CTF 2019 coin

(Lemon, in lieu of banana, for scale.)

It may just be a round piece of wood for some, but for us it’s the first tangible prize we received from a CTF and we’re definitely framing it on the wall!

Post Scriptum

Tyler Nighswander of Plaid Parliament of Pwning (Carnegie Mellon’s hacking team) explains all of the above in detail in his talk at USENIX Enigma 2016: