
HBH CTF Practice


Futility

THE PITCH

Let’s start playing in CTFs! I see that this has been tried (and failed) a few times over the past bunch of years, but figured that maybe this time it would be different. I’m planning on participating in a number of Capture The Flag (CTF) events over the next couple of weeks. I don’t really have any specific plans other than the fact that I’ll be checking ctftime on Thursday or Friday each week and picking one (or more) that seem like they could be interesting. I can’t promise I’ll be around every weekend or that I’m anticipating being competitive. Just that it’ll be a good way to continue to hone skills and practice old ones and I’ll be more than happy to help teach and work with anyone interested in helping participate.

Also, there’s usually a really good beginner-friendly CTF (CSAW) in November that would be a fun goal to build towards actually competing in, if that’s something that would be exciting for anyone else.

THE DETAILS

For those of you that don’t know, the CTF has come up as the sort of de facto security/hacking competition type. They come in one of two types: either Jeopardy or Attack/Defend, with the majority living in the Jeopardy realm.

Jeopardy-Style

Someone (usually either a company or a club or another CTF team) has created or solicited a group of challenges over a number of different categories. Categories usually consist of the following:

  1. web: generic web-based exploitation: XSS, SQL injection, poorly configured servers, the works. Sometimes you get code, other times you’re stuck with just trying to figure things out on your own. This is what HBH has been training you for!
  2. pwn or exploit: Binary exploitation. You’re given a service running on a machine somewhere and you have to figure out how to convince it to give you a flag. Usually you’ll get the binary as a download so you can see/analyze exactly what it’s doing, however sometimes you’re left in the dark.
  3. crypto: Breaking cryptographic assumptions. Oftentimes a challenge in this category boils down to two steps. The first is searching as much as you can with all the information you have until you happen upon a whitepaper and then the second is re-implementing the whitepaper (and the third is hoping for the best).
  4. forensics: Usually you get a memory dump or a virtual machine or a packet capture or the like and you’re asked to find the secret. I’m not really good at this grouping so I usually just ignore it, but tools like Wireshark or Volatility tend to do most of the heavy lifting.
  5. re: Reverse engineering. Most tend to be similar to the Application challenges we have here, where you’re given a binary that does something and you have to figure out how to get a flag out of it. Sometimes it’ll be by patching out something that takes a long time, sometimes it’ll be finding a way to take advantage of poor randomization, sometimes it’ll be about finding a bad key and using your cryptographic skills to generate a key.
  6. beginner: Some groups will include a section that sort of melds the easiest challenges from all the other sections under this label.

Each challenge in each category is assigned a certain number of points, which your team can earn by solving the challenge and “capturing the flag”.

Attack/Defend

Similar to the above, however they tend to be more heavily focused on the exploit category due to their difference. Each team is given a box/VM on the game field to live on and a series of services that they must keep running. Each service is created to be vulnerable in some way, so the teams must race one another to find, develop, and deploy exploits to capture the other teams’ flags. This is how the DEFCON finals tend to play out, and, speaking from experience, leads to a very different game flow and practice requirements. We probably won’t be practicing for a game like this for quite some time.

THE HOW

Just check back here on Thursdays or hang around in our Slack come weekend-time and we’ll get going!

THE TL;DR

So yea, I suppose that’s it. I’ll be playing around with a bunch of challenges most weekends and would love if anyone else was interested in partaking. My fortes are exploit and re and, to a lesser extent, web, however I’ve done enough of these to be somewhat capable in the other sections as well. Finally, and I can’t stress this enough, this is a no-stress experiment. While I can’t in good faith say “no skills are necessary” since, well… you need to know something for it to be fun, I can say that I’m not trying to make money or win a championship or anything. I’m trying to facilitate learning and growth and, hopefully, some sense of community.

This weekend, I plan on seeing what zer0pts is all about.

Buckle up, it’s gonna be a fun ride :)


Futility

Just dropping notes here. Something I’ve learned these past few weeks working on smaller CTFs rather than just going for the “big ones”: don’t get too bogged down on a challenge you think is dumb. Sometimes it’s the first time these are being run or it’s someone new to challenge creation etc. Especially if you’re not actually “competing” (which isn’t the goal here), if you feel like it’s overly “guessy” and you’re not getting much out of it, it might be worth just stepping away and moving to something new.

All that being said, I’m not going to be here this coming weekend so I won’t be joining anyone who might be interested in playing. Based on a quick look through what’s running, I’d suggest looking at either T3N4CI0US since it seems to be running the longest (Fri - Sun) or LINE since it has the most teams registered and has more prizes (means more backing, heuristically means better organized).

I might be able to poke in for a bit and answer questions if folks are stuck, but it’s probably unlikely. If you wanted to download the challenges and ask questions after-the-fact, I’d be more than happy to take a look next week.

Until next time, good luck out there and keep learning!