Composing CTF Challenges

Shubham Palriwala, published in Techloop, Mar 30, 2021
Conquer the world by IEEE-VIT

Introduction to a CTF

CTF stands for Capture The Flag. It is a competition that tests your cybersecurity skills through a series of challenges.

There are two main types of CTF: Jeopardy-style and Attack-Defense.

Let’s discuss in detail the Jeopardy-style CTF.

In a Jeopardy-style CTF, each team or individual is given a set of challenges by the organizers. Solving a challenge yields a flag, and submitting that flag earns points. The team with the most points wins the CTF.

While solving a CTF you may have been blown away by a challenge and wanted to build one yourself, but didn’t know how to get started. This is exactly the place you want to be.

Let’s dive into the world of Creativity.

Types of challenges

OSINT

  • One can learn about Open Source INTelligence and Google Dorks on YouTube or by exploring the internet: open-source intel directories, Exploit-DB, and the Google Hacking Database (GHDB), a catalogue of search queries that expose sensitive information.

Crypto

Steganography

  • One must have good knowledge of various file formats, including NTFS Alternate Data Streams (ADS), as well as file metadata.

Forensics

  • One should be familiar with the right tools for the usual forensics tasks: EXIF metadata, hex dumps, and file signatures (magic bytes).

Web

  • One must know the different classes of vulnerabilities, especially the OWASP Top 10, and be able to build deliberately vulnerable applications.

Jails

  • One must know Linux or Python well, depending on the type of jail (a restricted shell or a Python sandbox) they plan to make.

Reverse Engineering

  • One must be aware of different compilers and decompilers, disassembly tools, and obfuscation techniques.

Binary

  • One must be aware of memory corruption, the different kinds of buffer overflow, the stack layout, addresses and pointers.

Okay, but where do I start?

Here! Right here! A CTF challenge can be built in two ways:

You make a question from scratch:

What’s going on in the back of your mind? Did you recently learn about a vulnerability you didn’t know existed? Think of it like a Rubik’s cube: you have a brand-new solved cube in your hand, and before handing it to a friend who knows how to solve it, you scramble it as much as you can to make it tough for them. In the same way, start adding layers to your challenge. For example, first make a web page that is vulnerable to SQL injection, then add a binary, visible only after the SQLi bypass, that can be reverse engineered to reveal a URL, and have that URL lead to the encrypted flag. Drop a hint somewhere about the encryption algorithm so the player can decrypt it and get the flag.

You tweak an existing question and customize it:

Did you recently solve a challenge and were impressed by it? Want to make a challenge that incorporates its layers? There’s no harm in taking an existing challenge and tweaking it. Just make sure you tweak it enough that the original challenge’s writeup is not enough to solve yours. You can either tweak the existing layers or add new ones to make the challenge more fun for your players.

Figuring out the unknowns regarding the challenge

After choosing a category and deciding whether you are building from scratch or tweaking an existing challenge, research the different kinds of challenges that can be made, especially in the areas you are not familiar with. Decide on the tech stack you are going to use, and make sure you learn it properly.

You can research challenge ideas by searching Google, reading articles and websites, watching YouTube videos about vulnerabilities and privilege escalation, and doing in-depth research on whatever pieces are still missing.

Hit a roadblock?

While making a challenge, if you ever hit a roadblock, the only advice is to read about whatever you’re stuck on.
It might look unsolvable, but once you start researching you will find many ways around the roadblock or a different route entirely.
You might even discover something new that makes your challenge more interesting. At the end of the day, CTF is all about learning: while making a CTF challenge you learn twice as much as you do while solving one.

Being Creative

This is the core of making a challenge. It is what makes a challenge exciting and interesting, and imagination here can be boundless. It can be as simple as hiding a clue in an obvious place, which can confuse and mislead the players. Try to think outside the box, but make sure you don’t drift away and lose track.

Planning a Challenge

Step 1. Naming

A challenge name should be catchy, appealing, and related to the challenge.

Name the challenge carefully; it is also an opportunity to hide a clue for the player. As a player, it is always worth trying to decode the challenge name.

Step 2. Storyline

A good storyline in a challenge works like one in a movie: every part of the challenge should have a reason, and it should gradually build the player’s interest.

Make sure to build the storyline accordingly and engage your users by dropping hints somewhere in the storyline. If your challenge has a theme, this is the best place to use and take advantage out of it.

Step 3. Layering

Often you will find challenges where, after solving one part, you get another hint instead of the flag, and that hint leads you to the next part. This is called layering.

A good balance of layers makes a challenge interesting; too many layers become boring for the players.

Ramp up the difficulty gradually so that engagement stays high: players who have already spent a lot of time in your challenge are less likely to leave it midway.

Step 4. The complexity of a challenge

The complexity of a challenge is subjective and depends on the player.

Try to pick the audience you are targeting for your challenge: either novices or prepared experts.

Avoid the middle ground, where a challenge is too easy for the experts and too difficult for the novices.
A well-built challenge has two or three layers of moderate difficulty.

Step 5. Hiding the Hints

A hint is like a mini answer in a layered challenge: solving each layer gives you the hint for the next one.

Don’t hide all the hints in one place; spread them across different places, one per layer.

Hide each hint in the right place, because it is the only connector to the next layer: if the players cannot find the hint, they cannot go ahead. The hints tie all the pieces of the challenge together and are its backbone.

Step 6. Naming the Flag

A flag should follow a single format across all the challenges, so that there is uniformity and a player can glance at a string and know whether they have found the flag or not.

Name the flag after the challenge so that it delivers the final punch. The flag should read like a passphrase of more than 14 characters, mixing letters, numbers, and special characters, so that it cannot easily be brute-forced or guessed from the theme alone.

The flag should not be reachable through any unintended path; check that there is no loophole that exposes it without solving the layers.
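As an added example (not the article’s own code), here is a small Python helper set that enforces the points above: one event-wide flag format, a random tail long enough that brute-forcing is hopeless even when the theme words are guessed, and a scoreboard-side check that compares in constant time. The ctf{...} prefix, the character set and the theme words are assumptions chosen for illustration:

```python
import hmac
import math
import re
import secrets
import string

# Assumed event-wide format: ctf{...}. The prefix and character set are
# illustrative choices, not the ones used by the event described in the article.
PREFIX = "ctf"
CHARSET = string.ascii_letters + string.digits + "_-!@#$%"
FLAG_RE = re.compile(r"^" + PREFIX + r"\{[A-Za-z0-9_\-!@#$%]{14,80}\}$")


def make_flag(theme_words, secret_len=16):
    """Compose a flag from challenge-themed words plus a random tail.

    The words give the "finishing punch"; the random tail is what stops a
    guess-the-theme brute force from working.
    """
    tail = "".join(secrets.choice(CHARSET) for _ in range(secret_len))
    flag = f"{PREFIX}{{{'_'.join(theme_words)}_{tail}}}"
    if not FLAG_RE.match(flag):
        raise ValueError("theme words break the flag format: " + flag)
    return flag


def looks_like_flag(text):
    """What a player (or the scoreboard) checks at a glance: the shared format."""
    return FLAG_RE.match(text.strip()) is not None


def tail_entropy_bits(secret_len=16):
    """Guessing cost of the random tail alone, ignoring the guessable theme words."""
    return secret_len * math.log2(len(CHARSET))


def check_submission(submitted, expected):
    """Scoreboard-side comparison: exact match after trimming, in constant time."""
    return hmac.compare_digest(submitted.strip().encode(), expected.encode())


if __name__ == "__main__":
    flag = make_flag(["happy", "halloween"])   # hypothetical theme words
    print(flag, looks_like_flag(flag), round(tail_entropy_bits(), 1))
```

With a 16-character tail over a 69-symbol alphabet the tail alone carries about 98 bits, so a submission endpoint needs no rate limiting to make guessing hopeless; it still needs the constant-time comparison so that the scoreboard cannot be used as a character-by-character oracle.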

Now that we’ve covered the entire process, let’s talk about how we came up with one of the challenges we used in our CTF.

How did we come up with our challenge, “Happy Halloween”?

The idea for the Happy Halloween challenge started when we were solving a PHP file upload vulnerability challenge in bWAPP (a deliberately buggy web application that covers the OWASP Top 10).

We thought of building on this, and that’s when a YouTube suggestion showed us a video about Edward Mordrake, a person said to have had two faces, which was interesting.

We researched him so we could include him in the challenge, and since a person with two faces looks horrifying, we went with a horror theme.

Then we started developing the web application and decided on a black and red design, where black signifies darkness and red signifies blood. We were unsure which colour to use for the foreground and which for the background, so we included both as inverted colour schemes, a sort of dark mode and light mode, toggled when the <h1> link text is clicked.

Next we had to think about layering, so we made the login “Here” button redirect to a login page, which in turn leads to two different paths depending on the mode you log in from. The login itself was a layer meant for beginners, so we made it easier by using a basic SQL injection to bypass the authentication:

1'OR'1'='1'-- -
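As an added example (not the challenge’s PHP source), the following Python script shows why that payload works, using an in-memory SQLite table with constructed rows. The vulnerable login builds its query by string concatenation, the same pattern the challenge deliberately ships with; the trailing “-- -” then comments out the password check. The parameterised version beside it treats the same payload as a literal, unknown username:

```python
import sqlite3

# The bypass string quoted above.
PAYLOAD = "1'OR'1'='1'-- -"


def setup_db():
    """In-memory stand-in for the challenge's users table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, mode TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("edward", "mordrake-1", "light"), ("ghost", "haunted-2", "dark")],
    )
    return conn


def build_vulnerable_query(username, password):
    """The string-concatenated query the challenge deliberately ships with."""
    return (
        "SELECT username, mode FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn, username, password):
    """Returns (username, mode) of the first matching row, or None.

    With PAYLOAD as the username the WHERE clause becomes
        username = '1' OR '1'='1' -- -' AND password = '...'
    so the OR is always true and the password check is inside a comment.
    """
    return conn.execute(build_vulnerable_query(username, password)).fetchone()


def login_safe(conn, username, password):
    """Same check with bound parameters: the payload is just an unknown username."""
    return conn.execute(
        "SELECT username, mode FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    db = setup_db()
    print(build_vulnerable_query(PAYLOAD, "anything"))
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))
    print("safe:      ", login_safe(db, PAYLOAD, "anything"))
```

Because the injected OR matches every row, the bypass logs the player in as whichever user the database returns first, which is why the challenge can route the two modes to different paths without the player ever knowing a password.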

After exploiting it and logging in, there are two paths:

  • One path leads to an Easter egg and the other to the flag. The first path redirects you to a picture of nine gems, which is part of the theme. We wanted to hide something in it, so we used steghide to embed a text file containing nine hints for the challenge, and we placed the steghide password indirectly in the website’s source code.
  • The second path redirects to an upload page that is vulnerable to the PHP file upload vulnerability mentioned earlier; this is where the whole idea started. Unrestricted file upload is a serious vulnerability with a significant impact on the application and its infrastructure. An attacker who can upload a malicious file can set up drive-by-download attacks, deface the website, or gain access to the file system through a web shell. Once on the system, they can try to escalate privileges and install a rootkit to get back in easily later. The simplest web shell is a one-line PHP file; note that the command must be a quoted string, since an unquoted ls is an undefined constant (a warning on PHP 7 and a fatal error on PHP 8):
<?php system('ls'); ?>
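As an added example of the hiding step (not the steghide tool or the challenge’s files), the Python below embeds a password-protected hint in the least significant bit of each byte of a cover buffer, which stands in for the raw decoded pixel bytes of an image (embedding into the compressed PNG or JPEG file itself would corrupt it). The SHA-256 counter keystream is purely illustrative; steghide uses its own embedding and encryption scheme. The hint text and the cover buffer are constructed:

```python
import hashlib

# Constructed hint, in the spirit of the nine hints hidden in the gems picture.
HINT = b"1 of 9: the second face speaks only in dark mode"


def keystream(password, length):
    """SHA-256 counter keystream. Illustrative only; not steghide's cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(password.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def embed_lsb(cover, secret, password):
    """Hide len(secret) || secret, XOR-encrypted, in the low bit of each cover byte."""
    payload = len(secret).to_bytes(4, "big") + secret
    payload = bytes(p ^ k for p, k in zip(payload, keystream(password, len(payload))))
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for this secret")
    out = bytearray(cover)
    for i in range(len(payload) * 8):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit        # keep the top 7 bits, replace the LSB
    return bytes(out)


def _read_bytes(stego, offset_bits, count):
    """Reassemble `count` bytes from the LSBs starting at bit offset `offset_bits`."""
    data = bytearray()
    for b in range(count):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (stego[offset_bits + b * 8 + k] & 1)
        data.append(byte)
    return bytes(data)


def extract_lsb(stego, password):
    """Recover the hint; a wrong password yields a nonsense length or garbage."""
    if len(stego) < 32:
        raise ValueError("buffer too small to hold a length field")
    ks = keystream(password, 4)
    length = int.from_bytes(bytes(a ^ b for a, b in zip(_read_bytes(stego, 0, 4), ks)), "big")
    if (4 + length) * 8 > len(stego):
        raise ValueError("no payload for this password (or wrong password)")
    enc = _read_bytes(stego, 32, length)
    ks = keystream(password, 4 + length)[4:]
    return bytes(a ^ b for a, b in zip(enc, ks))


def make_cover(size=4096):
    """Stand-in for decoded pixel bytes (constructed, not a real picture)."""
    return bytes((i * 37 + 11) % 256 for i in range(size))


if __name__ == "__main__":
    stego = embed_lsb(make_cover(), HINT, "9gems")   # hypothetical password
    print(extract_lsb(stego, "9gems"))
```

Each cover byte changes by at most one, which is invisible to the eye but trivially detectable by a forensics tool that inspects LSB statistics, which is exactly the kind of clue a player is expected to chase in a steganography layer.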
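As an added example (not the challenge’s upload handler), the Python below contrasts the behaviour the challenge deliberately ships, trusting the client’s file name and ignoring the content, with a hardened version: only the last extension counts, the content must begin with the magic bytes of the claimed image type, and the stored name is chosen by the server. The upload directory path and the sample web shell bytes are assumptions:

```python
import posixpath
import secrets

UPLOAD_DIR = "/var/www/html/uploads"             # assumed location under the web root
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"    # the kind of file the challenge accepts

# Magic bytes for the image types the hardened endpoint allows.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def vulnerable_store_path(filename, data):
    """Challenge behaviour: trust the client's name, ignore the content.

    shell.php lands under the web root and is executed on the next request;
    a name with '..' even escapes the upload directory.
    """
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))


def hardened_store_path(filename, data):
    """Return a server-chosen path for the file, or None to reject the upload."""
    if "\x00" in filename:                        # shell.php\0.jpg style truncation
        return None
    base = posixpath.basename(filename)           # drop any directory component
    _stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in MAGIC:               # judge only the LAST extension
        return None
    if not data.startswith(MAGIC[ext]):           # content must match the claimed type
        return None
    # Random server-side name: nothing from the request reaches the filesystem.
    return posixpath.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    print("vulnerable:", vulnerable_store_path("shell.php", PHP_SHELL))
    print("hardened:  ", hardened_store_path("shell.php", PHP_SHELL))
    print("hardened:  ", hardened_store_path("gems.png", MAGIC["png"] + b"\x00" * 32))
```

Note what the hardened check still admits: a file that starts with valid JPEG magic and carries PHP after it is stored as a random name ending in .jpg. That is only safe when the web server never hands files under the upload directory to the PHP interpreter (no script handler mapped for that directory), which is the second half of the fix and not something content validation alone can provide.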

Fun fact: this challenge was outlined months before the CTF. At first it was named Ghost, later Haunted House, and a day before deploying it was renamed Happy Halloween because our CTF was scheduled for Halloween week. The coincidence made the theme fit even better and added more flavour to the challenge.

And this is how we came up with our Happy Halloween challenge.

Walkthrough for the Happy Halloween challenge

This is the thought process generally used when making a challenge for a CTF event. The next question that should come to mind after making a challenge is:

How do I host an actual CTF?

Don’t worry, we have you covered! The next post in our series will brief you on the best way to get it hosted. You can take a look at it below:

Also check out the related repositories, and consider leaving a 🌟 if you like them:
