Scribd Logo
Upload

Welcome to Scribd!

  • Introduction To CTFs

    Uploaded by

    joash
    3 views20 pages

    Original Title

    Copy of Introduction to CTFs

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pptx, pdf, or txt
    3 views20 pages

    Introduction To CTFs

    Uploaded by

    joash

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pptx, pdf, or txt
    of 20

    What’s CTF?

    An Introduction to CTFs
    CCT
    Made by Bennett, hehe stego go brrrr
    What’s CTF?

    ● CTF = “Capture the Flag” = Cybersecurity Competition


    ● In CTFs, there will be multiple challenges in different categories
    ● The goal is to solve these challenges and capture the flag (string of text, e.g.
    FLAG{you_solved_the_challenge})
    Why CTF?

    ● Develop an understanding of how computers work


    ● Take part in competitions to gain exposure
    ● Try and win awards and prizes :)
    How to CTF?
    ● List of CTF challenge categories:
    ○ Binary Exploitation (Pwn)
    ○ Cryptography (Crypto)
    ○ Forensics
    ○ Mobile
    ○ Open Source Intelligence (OSINT)
    ○ Programming
    ○ Reverse Engineering (Rev)
    ○ Steganography (Stego)
    ○ Web Exploitation (Web)
    ○ Misc (Basically other random stuff, like Hardware, SIGINT, etc.)
    ● Bolded categories = Considered more “legit”
    Binary Exploitation (Pwn)

    ● Legit “hacking”
    ● Exploit a server by injecting some code into it
    ○ Buffer Overflow
    ○ Heap Overflow
    ○ Format String vulnerabilities
    ○ Remote Code Execution
    ○ etc.
    Cryptography (Crypto)

    ● Math (Outside syllabus, but doable)


    ○ RSA
    ○ AES
    ○ Hash Algorithms (MD, SHA, etc.)
    ○ ECC
    ○ etc.
    ● Exploit bad cryptographic practices
    ○ Bad encryption technique
    ○ Weak encryption parameters
    ○ Incorrect encryption
    ○ etc.
    Forensics

    ● Police work basically


    ● Figure out what a person has done on a computer (Memory Dump)
    ○ Files
    ○ Processes
    ○ Logs (What’s their search history? ( ͡° ͜ʖ ͡°))
    ○ etc.
    ● Figure out what a person has done over a network (Networking)
    ○ Packets
    Mobile

    ● Reverse engineering, but for mobile applications (mainly Android apps)


    Open Source Intelligence (OSINT)

    ● Become a private investigator


    ● Stalk a target person or organization and find info about them
    ○ Blogs
    ○ Linkedin
    ○ Social Media Posts
    ○ etc.
    ● Find information about a topic
    ○ Default credentials
    ○ etc.
    ● Find the coordinates of a place (GEOINT)
    ○ Given a video/photograph, find where it was taken
    ○ Motivation - 4chan airstrikes on ISIS: https://www.youtube.com/watch?v=LG1FWWX7ZPk
    Programming

    ● Competitive programming style challenges


    ○ Create efficient algorithms to solve problems
    ● Scripting style challenges
    ○ Python
    ○ Data Processing
    ○ Interface with a website to interact with it automatically
    ○ Image libraries
    ○ etc.
    Reverse Engineering (Rev)

    ● Reverse engineer an executable file to find out what it does (decompiling machine
    code into human readable code)
    ○ Heavy usage of C (aka C++)
    Steganography (Stego)
    ● Steganography is the act of hiding information, aka security through obscurity
    ● Encoding formats
    ○ Binary
    ○ Hexadecimal
    ○ Base64
    ○ Base85
    ○ etc.
    ● Ciphers
    ○ Caesar / ROT
    ○ Vigenere
    ○ Substitution
    ○ XOR
    ○ etc.
    Web Exploitation (Web)

    ● Similar to binary exploitation, but on a website


    ○ LFI Vulnerabilities
    ○ PHP Vulnerabilities
    ○ SQL Injections
    ○ XSS Attacks
    ○ etc.
    Who does CTFs?

    ● There are many CTFs organised locally and internationally


    ● For local CTFs, most participants will be students (Secondary, JC, Poly, University,
    etc.)
    ● For international CTFs, they are catered to people who have an interest in
    cybersecurity, i.e. also includes adults, so these are generally harder
    Where are CTFs held?

    ● International CTFs are held online


    ● Some local CTFs used to be held in person (e.g. WhiteHacks), but now due to
    COVID-19 all local CTFs are held online as well
    ● CTFs can last anywhere from 6 hours to 1 week
    When are CTFs?

    ● For international CTFs, you can view them at


    https://ctftime.org/event/list/upcoming
    ● For local CTFs,
    ○ WhiteHacks (March)
    ○ Cyberthon (May)
    ○ Cyber Defenders Discovery Camp (July?)
    ○ STACK the Flags (December?)
    ○ etc.
    How do I get started?

    ● We have setup an Internal CTF Training platform, comprising of challenges sourced


    from past CTFs (local and international)
    ● Challenges are split into specific categories and subcategories for ease of learning
    ● Disclaimer: It is possible to “cheat” by directly googling for the challenges’ flag.
    Don’t do that...
    ○ No point for you to cheat, since this is a training set
    ○ The goal is for you to learn
    ○ If you are really stuck on a challenge, seek help, it’s completely fine
    ● P.S. We can check your submission history and figure out who is cheating, cheaters
    will be dealt with accordingly
    Any Questions?
    Rough Timeline

    ● Start working on Crypto (Cipher) to gain fundamental knowledge


    ● Move on to Stego categories
    ● Branch off to other categories (tba)
    ● Note: We will be revisiting some concepts learnt in the C++ Training Set
    Register for a new account @
    ACS(I) CTF Training Platform:
    https://dunhack.me

    You might also like