InCTF Quals : The savory kick-start of a roller-coaster journey.

Team Probably
4 min readApr 8, 2019

--

In our last blog, we discussed what capture the flag competitions are and how to get started with CTFs. In this blog, we will discuss about our experience of the online qualifiers of InCTF.

If you’ve missed the Intro to CTF and it’s types(Jeopardy and A-D style) check out our previous blog Part 1/4.

Our very first experience of a CTF was awarded to us by one of our professors, Mrs. Anooja Joy who is an alumni of Amrita Vishwa Vidyapeeth University.

InCTF is India’s premier annual CTF organised by team bi0s, Amrita University. The competition consists of two stages. The first stage is an online qualifier round, which is a jeopardy style CTF. Teams that stood in the top 30 in the qualifiers are invited for the onsite Attack and Defence style CTF.

The qualifier round

The qualifier round was held on 6th and 7th of December 2018 for a period of 36 hours, in which 100+ teams from all over India competed against one another. The problems were divided into five categories namely Web, Crypto, Pwn, Reverse Engineering(RE) and Forensics.

The key aspect of cracking any challenge is to understand the main parts of the source code or executable provided. Since this was the qualifier round, the challenges could be solved with a few basic tools such as md5 cracker, a disassembler (radare/IDA/ Hopper), hex-editors, binwalk, sound analyzer, etc. More important than the various tools, is having a basic understanding of various concepts such as different ciphers (XOR, RSA, AES, etc.), buffer overflows, steganography and SQL injection.

A few tips and tricks for cracking web challenges:

  • Analyze the page using Wappalyzer: It gives us a basic idea of the technologies used in frontend and backend.
  • Check the source code for all the hints or comments using the developer tools tab.
  • Check if the program is server-side or local.
  • If necessary, use dirsearch or dirbuster to crawl over all the directories. Some special webpages could be /.git, /.passwd, /.robots.
  • Sometimes a clue could be hidden in the response header.
A SQL command for SQL injection

A few tips and tricks for cracking crypto challenges:

  • First of all, identify the encoding of the crypto.
  • Try out the standard stream ciphers. (ROT13, XOR, Caeser, Vigenere, Substitution) Online Tool
  • Check for hints in the source code to identify the cipher.
  • Run various inputs to identify how the output changes based on the inputs.
  • The size of the key and the ciphertext can help in identifying the type of encryption and exploit to be used.
  • Check for known exploit Link

A few tips and tricks for cracking pwn/RE challenges:

  • Using the file command check whether the file is stripped, non-stripped, static and dynamic linked.
  • Next, run the strings command and if you’re lucky then you’ll find the answer right here.
  • If you’re not lucky, then you’re in for a frustrating treat.
  • Run the executable file multiple times with different inputs and understand all the functionalities.
  • Check if you can cause a segmentation fault.
  • Disassemble the code using GDB for ELF files and IDA for .exe file.
  • Analyze the assembly code using R2/Hopper.
Hopper Disassembler preview.

A few tips and tricks for cracking forensics challenges:

  • In forensics, a common practice is to encapsulate multiple files in each other, so the following commands will help you to find the files and analyze them:
  • file <file_name>
  • strings <file_name>
  • binwalk -Mre <file_name>
  • For analyzing the files, stegano tools, hex editors, file signatures, sound analyzers can be used.
Volatility command used to extract details from volatile memory(RAM).

To check out the contest details, Click Here

Finally, after a frustrating 24 hours and refreshing the scoreboard a million times (it was literally on auto-refresh 😉), at the stroke of 7 pm on 7th December we stood 7th and qualified for the on-site final round at the Amrita Vishwa Vidyapeeth University, Kerala, which was going to be an attack & defense challenge.

If you are hooked up to our story then the next part of our journey is a must watch….. go to Part 3/4 to live the moments we had.

--

--