What is CTF?

‘Probably’ is the common notion shared by all the team members, and it led to the inception of our team, CTF_Probably.

Team Probably
4 min read · Apr 8, 2019

In this series of blogs, we will be sharing our experience with a lesser-known field of computer science that people usually overlook or hold misconceptions about: cybersecurity.

Now, a great entry point to this field, recommended by amateurs and pros alike, is ‘capture the flag’ competitions, commonly referred to as CTFs.

The first question that comes to mind is — What is a ‘Capture The Flag’ competition?

A CTF is simply a contest in which you are given challenges or puzzles; solving one yields an alphanumeric string known as a flag.

What kinds of questions? — you may ask. The challenges span multiple topics, the most common ones being web, forensics, cryptography, reverse engineering, and binary exploitation. Because a job in security demands in-depth knowledge of so many fields, it is daunting for beginners, and people get discouraged from pursuing it.

Types of CTFs

CTFs are broadly classified as Jeopardy style and Attack and Defence style.

In jeopardy style CTFs, you’ll be given a set of questions of varying difficulty (and thus a varying number of points per question) from the above-mentioned fields. Successfully solving a challenge provides you with a flag (an alphanumeric string); on submitting it, you are awarded the points corresponding to that problem. The scoreboard displays the points earned by the teams in descending order. Depending on the level of the CTF, challenges can be based on steganography, buffer overflows, SQLi, crypto ciphers, etc. An example of a jeopardy style CTF is picoCTF.

Attack and Defence CTFs are more fun and vary from competition to competition. The basic idea of an attack-defense style CTF is to exploit the services of the other teams and patch your own services, every tick.

Sounds confusing? Well, it isn’t.

Let’s break down the above statement to understand what exactly it is.

A-D style CTFs are generally played in teams, and each team is provided with a virtual machine which has a number of services running on it. Unlike jeopardy style CTFs, where a specialized binary, webpage or program yields the flag when exploited, A-D CTFs have functional services up and running on every team’s server (in most cases a VM). For example, a calculator service which provides basic arithmetic functionality and also the ability to save and read previous calculations. So, in this case, a service refers to the calculator running on a specified port of the VM server, and it is this service that is to be exploited.

These services have vulnerabilities which the teams can exploit to obtain flags, which they submit to the game server to get points (that’s the attack part). Usually, every service has multiple vulnerable points of varying levels of difficulty. In the above example, there can be multiple vulnerabilities, such as a buffer overflow, or maybe on saving and reading the saved calculations we can use Linux cat commands or something else to access the flag.

The teams can also patch their services so that, while the service still does what it was originally supposed to do, the other teams cannot exploit it (yep, that’s the defense part). A patch is anything that stops the vulnerabilities from being exploited to reach the flags, or removes the vulnerability altogether. This can be as simple as if statements that check and filter the input to block injected exploits, or as drastic as rewriting the whole code. One thing to take care of while patching is to keep the functionality intact, as it is verified by the game server.
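To make the patching trade-off concrete, here is an added example (not the CTF_Probably team’s code or any real game server’s) built around the calculator service described above: a hypothetical “read saved calculation” function in its unpatched form, a filtering patch, an over-eager patch that kills the feature, and a mock SLA check of the kind the game server runs. All names and the on-disk format are assumptions.

```python
"""Constructed example (not the CTF_Probably team's code): a toy 'calculator'
service like the one in the post, which saves and reads back past calculations,
shown unpatched, patched, and over-patched, with a mock game-server SLA check."""
import os
import re
import tempfile

STORE = tempfile.mkdtemp()  # stands in for the service's data directory

def save_calc(name: str, expr: str, result: int) -> None:
    """Store a calculation; the game server's checker does this legitimately."""
    with open(os.path.join(STORE, name), "w") as f:
        f.write(f"{expr} = {result}")

def read_calc_unpatched(name: str) -> str:
    """Vulnerable: the caller-chosen name is used as a path without validation,
    so a name containing '..' or '/' escapes the data directory."""
    with open(os.path.join(STORE, name)) as f:
        return f.read()

SAFE_NAME = re.compile(r"[A-Za-z0-9_]{1,32}")

def read_calc_patched(name: str) -> str:
    """Patched: an allowlist check rejects anything that is not a plain
    identifier, while legitimate names behave exactly as before."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("calculation name must be alphanumeric")
    return read_calc_unpatched(name)

def read_calc_overpatched(name: str) -> str:
    """A 'patch' that removes the feature: no longer exploitable, but it fails
    the functionality check and costs SLA points."""
    raise ValueError("reading saved calculations is disabled")

def sla_check(read_fn) -> bool:
    """Mock game-server check: a normal save/read round-trip must still work."""
    save_calc("check1", "2+3", 5)
    try:
        return read_fn("check1") == "2+3 = 5"
    except ValueError:
        return False

def rejects_name(read_fn, name: str) -> bool:
    """True only if the service refuses the name up front (the filter fired)."""
    try:
        read_fn(name)
    except ValueError:
        return True
    except OSError:
        pass  # unpatched code actually tried the path; the OS answered
    return False
```

Only the middle version both passes the SLA check and refuses names that leave the data directory, which is exactly the balance the post asks for when patching.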

To spice things up, the duration of the CTF is divided into roughly equal time intervals called ticks. In each tick, the game server (just a special server designed by the organizers) replaces or adds the flags in the services. Flags are valid only for the tick in which they are added, so one has to continuously exploit every other team’s services and keep submitting the flags in each tick; the game server then verifies the flags and awards points accordingly.

The game server also checks, at a random moment in each tick, that the services of all the teams are up and functional. This is why one has to maintain a backup in case their services crash, or some other team exploits the service and wrecks the server by deleting or modifying the files (advice from previous experiences😅). Also, while applying a patch, the service might need to restart depending on its architecture.

Scoring in A-D CTFs is divided into attack and defense points — for each flag you obtain by exploiting a service (except your own, duh) you get points, called attack points, and for every tick in which you successfully defend against the other teams you get points, called defense points. There’s also the SLA, which changes from game to game (read the next blog for details about the SLA in InCTF, which we participated in).

A recommended YouTube channel for understanding the mindset needed to approach and exploit CTF challenges is LiveOverflow.

Interested in tips and tricks for cracking CTFs? Head over to Part 2/4.
