A beginner’s guide to Capture The Flag

Iratxe Garrido
Published in Axel Springer Tech, Jul 15, 2020 (7 min read)

During my second week at Spring there was a Capture The Flag (CTF) event. In this case the CTF was organised by cobalt.io and every employee in the company had the possibility to participate. Promoting these types of events allows more people to get interested in security and to practice their skills. I’ve participated in such events before, so I was very pleased to join this one too.

But what are CTF events?

As the name implies, the main goal is to find the “flag” of each challenge. A CTF event is a series of challenges, usually between 10 and 30, that can be solved in a period of time ranging from 24 hours to several days. These competitions allow people to practice a variety of hacking skills in a safe environment.

The flag is a code, e.g. HTB{Th1s1s4T3stFl4g}, that allows the player to prove that a particular challenge was solved. Each challenge is worth a number of points based on its difficulty. The more flags you find, the higher your score.

What are CTFs for?

CTFs are for learning, improving your skills and having fun. These challenges are one of the best ways to learn and practice specific security skills. Although they aren’t “real life”, many are based on real scenarios. They make you google a lot, find new ways of thinking and, most importantly, they teach you how to deal with frustration.

Types of challenges

Most CTFs have challenges in a number of different categories. Some common types of challenges include:

  • Cryptography (Crypto): You are given a bit of gibberish text, but no information about what it is, so you have to determine the cryptographic algorithm or how it has been encoded. If you manage to decrypt the cipher, you get the flag.
  • Steganography (Stego): Steganography is a technique that hides messages inside a file. Similar to the Crypto challenge, you’re given an image, zip file, or something similar and you have to find the hidden message.
  • Reverse Engineering: The challenge provides an executable that you can download and run locally. The program implements some kind of algorithm that checks an input key. By giving the algorithm the correct key, you can solve the challenge.
  • Pwn: You’re given an executable and the IP address of a server running the program. You have to figure out how to exploit the program to gain remote code execution on the server (usually via a buffer overflow).
  • Web: These challenges focus on exploiting vulnerabilities in a web application. Common vulnerabilities include SQL injection, XSS, brute-forcing logins and CSRF.
  • Forensics: You are provided with a file to analyze that contains a flag. It can be a network capture (.pcap), a memory dump or a disk dump.
  • Miscellaneous: Sometimes a challenge combines more than one of the categories above.

Challenges normally have a title, a short description with hints, and a file to download or a URL to access.

Where and how do I start?

There are plenty of websites that offer competitions online. If you want to be up to date and know when new CTF competitions are happening, check out https://ctftime.org/.

To get an idea of how each type of challenge works in practice and which tools to use you can visit CTF 101.

Let’s find a flag!

Let’s look at a web challenge from a website called Hack The Box. This easy challenge is called HDC, and the goal is to find the email address of a certain person and send them a message through the site. In this case the email address is not the flag, and we’re not told what the actual flag is. Maybe it’s something we get by sending the email to the correct person?

CTF challenge overview.

When accessing the website we find a login screen that asks us for our credentials. When facing these types of challenges I normally click around everything in the hope of triggering something, and test the input fields with different values. In this case I don’t see many things to click, so I try to log in with random credentials, but of course the website kindly declines our request.

Challenge’s frontend.
Access denied.

Since this is a web challenge, let’s take a look at the page’s HTML source code. This is something I normally do, since a lot of CTF challenges, and also real-life applications, tend to share more information than they should. In CTFs you can often find hints in HTML comments or, as in this case, in hidden fields.

Challenge’s source code.

If we inspect the source code in the browser we see that there are two hidden form fields; maybe these are somehow useful? We can change the type of each field from hidden to text and the two input fields appear on the page. I continue clicking around and writing different things in the input fields, but nothing new happens. It looks like we’ve reached a dead end.

Hidden fields are now visible.

Every time I reach a dead end (or at least what I think is one) I retrace my steps to see if I’ve missed something. So let’s do that! If we check the source code again we see that clicking submit calls a function named doProcess(), but what does this function do? At the top of the page we can see that two JavaScript files are included (jquery-3.2.1.js and myscript.js), so let’s see what they do. I decide to first take a look at myscript.js because it seems more suspicious, and of course I’m wrong! There is nothing useful in this script.

If we check the other JavaScript file, jquery-3.2.1.js, and search for doProcess(), we see that inside the function the two hidden fields each get an attribute set to a value. It looks like we’ve found our way in!

Username and password found in jquery-3.2.1.js.
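The leak above is the kind of thing a quick audit of the front end catches before a player (or an attacker) does: list every hidden input in the page, then look through the site's scripts for string literals assigned to those fields. The script below is an added example, not code from the challenge or the original post; the form, the script fragment, the field names (ckuser, ckpass) and the values are all constructed, and only the three common assignment idioms shown are recognised.

```python
"""Audit a page for hidden <input> fields whose values are hardcoded in
client-side JavaScript. Added example; HTML, JS, field names and values are
constructed placeholders, not taken from the HDC challenge."""
import re
from html.parser import HTMLParser

# Constructed page: a login form with two hidden inputs, as in the write-up.
SAMPLE_HTML = """
<form id="login" onsubmit="return doProcess()">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="hidden" name="ckuser">
  <input type="hidden" name="ckpass">
  <button type="submit">Login</button>
</form>
"""

# Constructed script: sets the hidden fields from literals (placeholder values).
SAMPLE_JS = """
function doProcess() {
  $('#ckuser').attr('value', 'example-user');
  document.getElementsByName('ckpass')[0].value = 'example-pass';
  return true;
}
"""


class HiddenInputParser(HTMLParser):
    """Collect the name attribute of every <input type="hidden">."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden.append(a["name"])


def hidden_fields(html):
    """Return the names of all hidden inputs in the HTML, in document order."""
    p = HiddenInputParser()
    p.feed(html)
    return p.hidden


def script_assignments(js, field):
    """Return string literals a script assigns to `field` using one of three
    idioms: $('#f').attr('value', '...'), $('#f').val('...') or
    getElementsByName('f')[0].value = '...'."""
    esc = re.escape(field)
    patterns = [
        rf"""['"]#{esc}['"]\)\s*\.attr\(\s*['"]value['"]\s*,\s*['"]([^'"]*)['"]""",
        rf"""['"]#{esc}['"]\)\s*\.val\(\s*['"]([^'"]*)['"]""",
        rf"""getElementsByName\(\s*['"]{esc}['"]\s*\)\[0\]\.value\s*=\s*['"]([^'"]*)['"]""",
    ]
    found = []
    for pat in patterns:
        found.extend(re.findall(pat, js))
    return found


def audit(html, js):
    """Map each hidden field to the literal values the script assigns to it.
    A non-empty list means the client can see the value, so it is not a secret."""
    return {f: script_assignments(js, f) for f in hidden_fields(html)}


if __name__ == "__main__":
    for field, values in audit(SAMPLE_HTML, SAMPLE_JS).items():
        status = f"hardcoded value(s) {values!r}" if values else "no literal assignment found"
        print(f"hidden field {field}: {status}")
```

The same check is worth running over every script a page includes, not only the one with the suspicious name: in the challenge the values were in the file named after jQuery, which is exactly where a reviewer would not look first.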

Let’s see if we can use these values to log in.

Log in using the found credentials.

Looks like it worked!

Once inside the system we notice two main tasks in the menu:

  • Send email: we can guess that we will have to send the email from here.
  • Mailbox of special customer: maybe we can find more information on users or e-mail addresses?

Main page of the application.

As we can see the send email functionality is what we expected, but we still don’t have an address.

Send email functionality.

When checking the other main task, we notice a menu icon next to the header. Having some experience with CTF challenges, this looks random enough to get my attention.

Mailbox of special customers functionality.

We can open this image in another tab and we see that it is stored in a path called secret_area_. If we go to this path we find a directory listing with the GIF file and a text file with users. Bingo! Now we have a list of emails that we can test.

GIF’s path.
Secret_area directory list.
List of potential emails.

We can now try to send an email and intercept the request with Burp Suite. Burp Suite is a tool used in cybersecurity that allows you to intercept traffic, run security scans, generate attacks and more. If you are new to this tool, check out this tutorial. Once we have intercepted the request with Burp Suite we can use the Intruder option: we create a list with the emails found before and use it as the payload to inject into the e-mail address parameter.

Request intercepted with Burp. Email is selected as a position to inject payload.

We clear all positions and select only the email parameter. We select the attack type “Sniper”, load the list in the Payloads tab and start the attack. Running through the list we find that sending the e-mail to fishroesalad@mail.com gives a response with a different length. This normally means that something went right, and if we take a look, there it is: the flag! Congrats, you found your first flag!

One of the email addresses gives the flag.
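Seen from the server side, the Intruder run above leaves a distinctive trace: one client posting to the send-email endpoint many times within a few seconds, with the response size constant except for the single hit. The following script is an added example, not part of the original post or of the challenge; it parses combined-format access-log lines (the lines, the IP addresses, the /sendemail path and the sizes are all constructed placeholders) and flags that pattern. It also reports the deviating response sizes, because those are the oracle the attacker reads: an application that answers every address with the same page removes it.

```python
"""Detect a burst of POSTs from one client to one endpoint and report the
response sizes that deviate from the dominant one. Added example; the log
lines, addresses and paths below are constructed, not from the challenge."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed combined-log-format lines: seven POSTs from one client in three
# seconds, six identical responses and one larger one, plus unrelated traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jul/2020:10:00:01 +0000] "POST /sendemail HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jul/2020:10:00:01 +0000] "POST /sendemail HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jul/2020:10:00:01 +0000] "POST /sendemail HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jul/2020:10:00:02 +0000] "POST /sendemail HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jul/2020:10:00:02 +0000] "POST /sendemail HTTP/1.1" 200 1475 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jul/2020:10:00:02 +0000] "POST /sendemail HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jul/2020:10:00:03 +0000] "POST /sendemail HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jul/2020:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jul/2020:10:00:09 +0000] "POST /sendemail HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jul/2020:10:02:40 +0000] "POST /sendemail HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        entries.append(e)
    return entries


def find_enumeration(text, threshold=5, window=timedelta(seconds=60)):
    """Flag every (client, path) pair with at least `threshold` POSTs inside
    `window`. For each, return the dominant response size and the sizes that
    differ from it, which is exactly what an Intruder user sorts by."""
    groups = defaultdict(list)
    for e in parse_log(text):
        if e["method"] == "POST":
            groups[(e["ip"], e["path"])].append(e)

    alerts = []
    for (ip, path), reqs in groups.items():
        reqs.sort(key=lambda e: e["ts"])
        # Sliding window: any run of `threshold` consecutive requests within `window`.
        burst = any(
            reqs[i + threshold - 1]["ts"] - reqs[i]["ts"] <= window
            for i in range(len(reqs) - threshold + 1)
        )
        if not burst:
            continue
        counts = Counter(e["size"] for e in reqs)
        dominant = counts.most_common(1)[0][0]
        alerts.append({
            "ip": ip,
            "path": path,
            "requests": len(reqs),
            "dominant_size": dominant,
            "outlier_sizes": sorted(s for s in counts if s != dominant),
        })
    return alerts


if __name__ == "__main__":
    for a in find_enumeration(SAMPLE_LOG):
        print(f"{a['ip']} sent {a['requests']} POSTs to {a['path']}: "
              f"usual size {a['dominant_size']}, deviating sizes {a['outlier_sizes']}")
```

The threshold and window are deliberately loose defaults; on a real site they should be tuned to the endpoint's normal usage, and the size comparison is only meaningful when the server's response for an unknown address is otherwise stable.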

What to do next?

I personally recommend solving the initial challenge and creating an account in Hack The Box. This site not only has a wide range of CTF challenges, but also virtual machines that you can use to learn how to root different systems.

Don’t worry if you don’t understand anything at the beginning or get frustrated; that is part of the deal! To overcome this initial (and ongoing) frustration, practice with challenges that already have a writeup. That way you can give it a go, and if you get stuck you can read the solution. Don’t give up too easily! I promise that if you do this often enough you won’t need a writeup anymore.
