HBH CTF Practice

• THE PITCH
• THE DETAILS
  • Jeopardy-Style
  • Attack/Defend
• THE HOW
• THE TL;DR

¶THE PITCH

Let’s start playing in CTFs! I see that this has been tried (and failed) a few times over the past bunch of years, but figured that maybe this time it would be different. I’m planning on participating in a number of Capture The Flag (CTF) events over the next couple of weeks. I don’t really have any specific plans other than the fact that I’ll be checking ctftime on Thursday or Friday each week and picking one (or more) that seem like they could be interesting. I can’t promise I’ll be around every weekend or that I’m anticipating being competitive. Just that it’ll be a good way to continue to hone skills and practice old ones and I’ll be more than happy to help teach and work with anyone interested in helping participate.

Also, there’s usually a really good beginner-friendly CTF (CSAW) in November that would be a fun goal to build towards actually competing in, if that’s something that would be exciting for anyone else.

¶THE DETAILS

For those of you that don’t know, the CTF has come up as the sort of de-facto security/hacking competition type. They come in one of two types- either Jeopardy or Attack/Defend, with the majority living in the Jeopardy realm.

¶Jeopardy-Style

Someone (usually either a company or a club or another ctf team) has created or solicited a group of challenges over a number of different categories. Categories usually consist of the following

1. web : generic web-based exploitation: XSS, SQL injection, poorly-configured servers- the works. Sometimes you get code, other times you’re stuck with just trying to figure things out on your own. This is what HBH has been training you for!
2. pwn or exploit: Binary exploitation. You’re given a service running on a machine somewhere and you have to figure out how to convince it to give you a flag. Usually you’ll get the binary as a download so you can see/analyze exactly what it’s doing, however sometimes you’re left in the dark.
3. crypto: Breaking cryptographic assumptions. Oftentimes a challenge in this category boils down to two steps. The first is searching as much as you can with all the information you have until you happen upon a whitepaper and then the second is re-implementing the whitepaper (and the third is hoping for the best).
4. forensics: Usually you get a memory dump or a virtual machine or a packet capture or the like and you’re asked to find the secret. I’m not really good at this grouping so I usually just ignore it, but tools like wireshark or volatility tend to do most of the heavy lifting.
5. re: Reverse engineering. Most tend to be similar to the Application challenges we have here, where you’re given a binary that does something and you have to figure out how to get a flag out of it. Sometimes it’ll be by patching out something that takes a long time, sometimes it’ll be finding a way to take advantage of poor randomization, sometimes it’ll be about finding a bad key and using your cryptographic skills to generate a key.
6. beginner: Some groups will include a section that sort of melds the easiest challenges from all the other sections under this label.

Each challenge in each category is assigned a certain number of points, which your team can earn by solving the challenge and “capturing the flag”.

¶Attack/Defend

Similar to the above, however they tend to be more heavily-focused on the exploit category due to their difference. Each team is given a box/vm on the game field to live on and a series of services that they must keep running. Each service is created to be vulnerable in some way, so the teams must race one another to find, develop, and deploy exploits to capture the other teams’ flags. This is how the DEFCON finals tend to play out, and, speaking from experience, lead to a very different game flow and practice requirements. We probably won’t be practicing for a game like this for quite some time.

¶THE HOW

Just check back here on Thursdays or hang around in our slack come weekend-time and we’ll get going!

¶THE TL;DR

So yea, I suppose that’s it. I’ll be playing around with a bunch of challenges most weekends and would love if anyone else was interested in partaking. My fortes are exploit and re and, to a lesser extent, web, however I’ve done enough of these to be somewhat capable in the other sections as well. Finally, and I can’t stress this enough, this is a no-stress experiment. While I can’t in good faith say “no skills are necessary” since, well… you need to know something for it to be fun, I can say that I’m not trying to make money or win a championship or anything. I’m trying to facilitate learning and growth and, hopefully, some sense of community.

This weekend, I plan on seeing what zer0pts is all about.

Buckle up, it’s gonna be a fun ride :)

Just dropping notes here. Something I’ve learned these past few weeks working on smaller CTFs rather than just going for the “big ones”: don’t get too bogged down on a challenge you think is dumb. Sometimes it’s the first time these are being run or it’s someone new to challenge creation etc. Especially if you’re not actually “competing” (which isn’t the goal here), if you feel like it’s overly “guessy” and you’re not getting much out of it, it might be worth just stepping away and moving to something new.

All that being said, I’m not going to be here this coming weekend so I won’t be joining anyone who might be interested in playing. Based on a quick look through what’s running, I’d suggest looking at either T3N4CI0US since it seems to be running the longest (Fri - Sun) or LINE since it has the most teams registered and has more prizes (means more backing, heuristically means better organized).

I might be able to poke in for a bit and answer questions if folks are stuck, but it’s probably unlikely. If you wanted to download the challenges and ask questions after-the-fact, I’d be more than happy to take a look next week.

Until next time, good luck out there and keep learning!

Can I necromance this? This actually sounds like a fire idea.

I’m sure @Ce1tic13h0y would be down.

I’ve never done anything similar to this. Where would be a good place to start?

Sure! Let’s do it! Timing is a bit unfortunate as PlaidCTF (a historically good competition) just ran through over the weekend, but I’m sure we can find something acceptable coming up. Generally CSAW (runs around the middle of September) is a good “starter” CTF to play in, so maybe we can try to aim for being “competitive” by around then? No stress, of course, but sometimes I find it helps to have goals to work towards rather than just playing for funsies.

Anyway, I’m getting ahead of myself. Looks like there aren’t many coming up that spark high confidence on my “this is going to be a good event” meter, but that’s no worry- no harm in poking in, seeing what’s available and then deciding whether it’s worth the effort or not.

As for “a good place to start”, depends on what you’re trying to start. As I mentioned in my writeup at the start, there are tons of different types of things encompassed in the big ol’ bundle of “capture the flag.” Wanting to practice web-type exploits is different than wanting to practice reverse engineering or exploitation-based ones, for example. I’d suggest looking at my RE examples here for a quick intro to that, some notes for common exploitation terms/etc, other basic intro to terms/etc. I don’t really know, my biggest suggestion is to “learn by doing” and that requires something to be “doing” on and I don’t really have anywhere good to point off the top of my head. If folks are actually interested I can put more effort into searching though. I can be back with better info in a couple days :)

I’m keen for anything. I’m not even sure of how the format works or anything similar. I have a heap of other questions I would dare ask in public. But how else do you learn.

Throw me in the back seat and ill put on my propeller hat.

lmao yea I get it. How’s this- I’ll try to cook something up for the weekend and post here with a little more info. If one of the ctfs that are running happens to have a good challenge, I’ll mention that. If not, I’ll reach into my magic bag and pull out something interesting. I’m sure I can find good stuff somewhere.

DawgCTF Seems to be the best/most-accessible one running for then next couple of days, so I think I’ll suggest we point our efforts at it. I’m (unfortunately) not seeing any web-related challenges just yet, but maybe they’ll release a couple in the near future? In any case, the first binary exploitation and the few RE challenges I looked at seem doable and interesting enough. Not a huge fan of the fact that they’re using google drive to distribute their files but I guess that’s whatever.

There’s also sites similar to hbh- picoCTF seems to have some quality challenges available in most of the categories, which might be the better route. Up to y’all!

I’ll be available intermittently throughout the weekend so go ahead and try a couple things, figure out what’s the most interesting, and then hit me up and we can try to get a couple points or at least learn a few things.

I know this is rough, but until we can formalize our needs/wants a little bit better I think floundering around for a while won’t hurt too much. Feel free to help focus me on what’s most interesting to you if that’s what you’d prefer!

Hey Futility I’d definitely be up for joining an HBH team for some CTF’s when they come around man, I just need a couple of days notice so I can make sure I have nothing else on and I’ll be all yours.

And Scarecrow, you can PM me those questions you don’t want to ask in public, and I’ll answer them when I get time.

same here, just need some notice.