What is Capture The Flag ?

Poornesh Adhithya
Oct 26, 2020 · 10 min read

“ Capture The Flag or CTF ” is a game which comprises 2 teams and each team’s objective is to grab the flag from the opponent’s side and return to their side without being caught by the rival team members at the same time, both the teams have to protect their flag.

What does this have to do with Computers?

Similar to the children’s game, even this CTF is also a game where teams/players participating have to get their flag, and the points for the flag depends on the players who have captured the flag. Here a CTF player will have challenges, where they may face few hurdles, their final objective is to Capture the Flag surpassing the hurdles. It’s more of playing around with computers.

How does it work?

There are mainly 3 Styles of CTF namely,

  1. Jeopardy
  2. Attack Defense
  3. Mixed

Other than this there are a few more variations and styles of CTF like King of the Hill, Linear.

We will be looking at Jeopardy Style in detail

Jeopardy:

In Jeopardy, each team/individual is given a challenge by the organizers, on completion of every challenge the CTF team gets a flag, by submitting the flag each team will get points based on the number of submissions.

Attack Defense:

In Attack-Defense, each team is given a machine/server to defend. Teams are scored on both their success in defending their assigned machines and on their success in attacking the other team’s machines.

Mixed:

In Mixed, as the name suggests, it’s a combination of both Jeopardy and Attack-Defense, where each team should defend their machine and attack their opponent’s machines at the same time they must solve a set of predefined challenges from the organizers.

Categories in CTFs:

The challenges are mainly based on 8–9 categories, and these categories may vary from different CTFs and organizers, but the below listed are the common categories:

Web:

Web challenges are focused on web application penetration testing concepts, where a player has to exploit the vulnerabilities in the web application to obtain the Flag. This may involve static analysis of web application by viewing the source page of the website, and OWASP Top 10 Vulnerabilities, etc. In simple words, there will be few loopholes on the website, CTF players should try to find and break into/bypass the security measures to obtain the flag.

Pwn:

Pwn/Binary challenge focuses on playing around with binaries, in this challenge usually, the source code would be provided, and if it’s not provided, then one must have to reverse engineer and then create a payload to exploit the binary and obtain the flag. These challenges may be like RowHammer, Memory Corruption, etc.

Reverse Engineering:

Reverse Engineering challenge focuses on reversing a given binary by decompiling and disassembling using the static or dynamic analysis to obtain the flag. In simple words, finding the pseudo-code of an executable (elf/exe/apk) to understand the logic, and to get the flag by applying that logic.

Cryptography:

Cryptography is an art of manipulating characters in such a way that only authorized people can understand. So, for example, when the crowd speaks English but only 2 people are communicating in a different language because they don’t want others to understand. The evolved version of this is cryptography. Cryptography has been there from ancient times even before the existence of computers. A few examples of which are ciphers like Caesar cipher, Enigma cipher, etc.

Cryptography was widely used during wars to communicate confidential strategies to allies. Cryptography challenge focuses on decoding the encoded ciphertext, decrypting the encrypted text, at times even reverse-engineering the ciphertext. It’s also called cryptanalysis.

Steganography:

Steganography is the art and science of communicating in a way which hides the existence of the communication. A typical example is of a text can be hidden inside a picture. Only people who know about it will be able to extract the data. This technique is used by many terrorists and also by cybercriminals to hide malicious applications behind a legitimate application.

So in this type of challenge, participants are expected to extract the data out of a given file/picture/document/audio/video/in any other form, and finally, get the flag from the extracted data.

Forensics:

CTF players are expected to investigate the data and trace out the details, these challenges may include memory dump analysis, mounting encrypted disks, analyzing different files in the disks, obtaining the deleted history, etc.

Jails:

Jails are a sandboxed environment where commands are limited and participants can use only a few specific commands, with those commands they should manage to obtain the flag either by finding a way out to get the access necessary commands either by privilege escalation, or else trying to figure out a way to get those commands or else by jailbreaking.

OSINT:

Open Source Intelligence, in short OSINT, is a type of challenge where participants are given a few pieces of information and steps to proceed further, with that information they have to look around the social media handles, Internet, and other publicly available data and finally get the flag using the clues and hints. It’s more like an online treasure hunt game.

Miscellaneous:

Miscellaneous is the type of challenge which is either not covered in any of the above-mentioned categories but still relevant to Information Security, or which are a combination of two or more categories.

Why should one participate in CTFs?

  1. To research, learn and gain knowledge about many important topics in Information Security domain
  2. To have hands-on practical experience and exposure to exploit the vulnerable systems.

Are there any pre-requisites to play CTF?

If you want to gain knowledge and want to learn then you don’t require any pre-requisite, you can play and keep playing till you acquire the skills by participating in more CTFs.

But if you want to win in CTF, you must be well versed in one or more of the following topics:

  1. Networking
  2. Programming
  3. Server and DBMS
  4. OS (Linux, Windows)
  5. Cryptography and Steganography
  6. Containers (Jails, Dockers, Kubernetes)
  7. Debugging, Reverse Engineering, and Binary Exploitation
  8. Application Testing

And it’s also a big advantage if you know about the specific tools which are necessary to use, for the above-mentioned concepts.

CTF Example:

My first task after I joined IEEE-VIT in the Cyber Security domain was to solve a CTF challenge:

Find the flag in given e-diary website to know your future with a secret message!

Flag format: CHERRY{}

Writeup:

In that challenge, I had to find the username and password of an e-diary website where the secret message is hidden. First I went to Inspect Element (Ctrl+Shift+I) and then saw the source code (Ctrl+U). In Inspect Element, I noticed this line,

<script src=”js/index.js”></script>

This was quite suspicious, as it referenced a JavaScript file, So I edited the website URL accordingly, which displays the Javascript code:

From this code, we can breakdown the code to find the username and password.
In line 04:

if(user != String.fromCharCode(97,100,109,105,110)) {//Invalid Username}

To make this condition true, user we input shouldn’t be equal to the correct username. So our objective is to find the correct username,
Hence, we can observe five numbers: 97,100,109,105,110.
The ASCII values of these five numbers, 97,100,109,105,110 are a,d,m,i,n respectively and hence the user = admin
And similarly, in line 18:

if(asciisum == 1450)

Hence from the above code, we can observe that the ASCII sum of all the characters should be equal to 1450.
Therefore, the pass can be any combinations of characters where the ASCII sum of the characters should be equal to 1450.

For Eg.

user = admin
pass = zzzzzzzzzzzl

Where the ASCII value of z: 122

and the ASCII value of l: 108

Total: 122*11+108 = 1450

Therefore, It passes the test case and shows the secret message.

And over here the secret message contains the flag: CHERRY{JavaScript_Is_AwESoME}

Later on, I figured out another method to find out the same flag. There were some hex values in the JavaScript code which upon decoding also gave me the flag. This shows that there can be many ways to solve a particular challenge. Also, don’t forget about the misdirection too!

Tips: If you fall into the trap or misdirected, remember that these things are all basic and simple. So take a break, which would help your brain to note the things which are just right next to you. Don’t waste your time on the same question, you may try to solve other challenges. There is a chance that you may get some hints to solve a particular challenge from other challenges, this happens often in OSINT type challenges.

Popular CTFs:

Where to find and play CTFs?

Live CTFs are a good place for beginners to start,

CTFtime is a website where one can get to know what all CTF events happening at a specific time.

Top CTFs are as follows:

  • DEFCON CTF
  • Google CTF
  • Metasploit CTF
  • NULLCON HACKIM CTF
  • CISCO SECCON CTF
  • Pico CTF

Practice Sites:

To start off with some CTFs, There are many practice websites which will help one to gain more experience in CTF,

  • Hack This Site
  • Try Hack Me
  • Hack The Box
  • Hacker101 CTF
  • Crackmes
  • OverTheWire’s Wargames
  • Ringzer0 CTF
  • Root-Me

These are a few websites where you can practice CTF online.

Conclusion:

I would recommend everyone to try CTF. I believe that practice is the only requirement to master any field, and one need not be in the Cyber Security domain to play CTF. Anyone having the willingness to learn something new can start with CTFs.
I learned many important and challenging concepts through CTFs. Like other competitions, you don’t only attempt or answer the questions you know, but in the process of solving a challenge, you tend to learn a lot of concepts. More than solving the challenge, the process is more important. You will learn more when you face challenges, CTFs’ are there to help you out!
Even if your unable to solve CTF challenges, don’t give up, refer to the writeup, read blogs, articles, watch some walkthroughs and tutorials, and try to implement whatever you have learned. I’m pretty sure you can conquer the world.

Tools are necessary, but I don’t believe much in tools. If you ask me, “Which is the best tool to play CTF?”, then I would say it’s Google, as you can access all the tools using Google itself, but how to access them? If you ask the right questions to Google you will get the answers accordingly. So now you need to google what’s the correct question.

Skills + Tools = Master the art

Upcoming CTF:

IEEE-CTF : Conquer the world

31 October — 1 November

Links and Resources:

Tutorials and Walkthroughs:

  • LiveOverflow
  • John Hammond
  • GynvaeIEN
  • YouTube

Tools, Docs and Resources:

  • pwntools
  • List of Tools
  • CTF Field Guide
  • Google

Happy Hacking 😃

Techloop

We, IEEE-VIT Student Branch, are a team of tech enthusiasts who aim to develop and support the tech community. In alignment of our vision, we present to you our medium blog where we guide people through the basics and discuss the most emerging technologies.

Poornesh Adhithya

Written by

0x41414141

Techloop

We, IEEE-VIT Student Branch, are a team of tech enthusiasts who aim to develop and support the tech community. In alignment of our vision, we present to you our medium blog where we guide people through the basics and discuss the most emerging technologies.