Last Saturday I attended my very first computer security Capture the Flag (CTF). This event consisted of teams competing in computer security related challenges to score points. Generally, at the end of the challenge, the team has caused the system we’re attacking to give up a file that says “This is the flag:” and has a long random number. Submitting the flag scores a point, hence “capture the flag.”
First things first: This was a great time, and I highly recommend attending events like this. I came without a team, sat at a table of strangers, and had a great time. Today I’ll talk about what the event was like.
Physically, the event was situated in a big, open room with folding tables and lots of power strips. Teams consisted of four or five people sitting at a table. The moderators went over a few rules. The rules were designed to keep people from inadvertently attacking some infrastructure that wasn’t part of the game. They asked that, if we were unsure whether some server was part of the games, we ask a moderator.
The challenges were published on a website that went live at the beginning of the games. Basically, this website described each challenge, and had enough information to get started, such as a file to download, or an application to run. It also had forms where we could submit the flags we found, and served as a scoreboard.
At the moderators’ recommendation, I installed Kali Linux in a VirtualBox VM prior to the event. Kali Linux is a distribution that comes loaded with tools for reverse engineering and penetration testing. For example, Wireshark is already installed, as are apktool (a tool for decompiling Android apps), tools for scanning open ports, tools for modifying HTTP requests, etc. Using Kali Linux was a blast – it was good to have an ethical target for using these sorts of tools. I should mention that if you point these tools at someone else’s stuff without asking, you might get in trouble. They are for testing the security of an application you’re working on, or for friendly competition like this CTF.
I don’t remember all of the challenges, but here are some of my favorites (spoilers! though I don’t know how often these challenges get re-used):
- Using steghide to extract a text file that had been hidden in a picture. Prompted by a clue, we looked at the JPEG’s metadata to get the author, then looked up that person on Wikipedia, and used their biography to guess the password that had been used to hide the image in the app.
- Decompiling an Android app, then using repl.it to run snippets of Java code in order to get the app to give up its key. (Part of the key was a string hidden in a resource file in the APK.)
- As more of a coding exercise, writing out a bunch of numbers as hex strings, then stripping out some letters, and taking an MD5 of the resulting file.
- Calling an API that jokingly implemented a Teapot over HTTP (in a nod to Hyper Text Coffee Pot Control), and cURLing made-up verbs like `BREW` and `WHEN`.
There were other challenges, but I don’t remember them in as much detail. Some of the challenges, like the teapot challenge, felt a little contrived, but were still enjoyable. Other challenges, like getting a protected string out of the APK file of an Android app, felt like real security.
Anyway, this was a great event. I enjoyed the challenges and meeting the folks on my team. It was also fun to use my programming skills in a reverse-engineering mode, rather than a building/fixing mode. I highly recommend events like this.
Till next time, happy learning!