Capture The Flag 101: Difference between revisions

From ICO wiki
Revision as of 19:19, 4 May 2021

This wiki page will help you better understand the basics of CTFs.

What is Capture the Flag?

Introduction to CTF -What is CTF? Capture The Flag is a contest associated with cyber security. Participants are asked to solve challenges and find the "flag". The challenges are built from real-life problems that happen very often, and the flag itself is typically a snippet of code, a piece of hardware on a network, or perhaps a file. CTF difficulty ranges from high-school student level to expert level. It can start with a scavenger hunt on Wikipedia or basic programming exercises and go all the way to hacking your way into a server to steal its data.

-How to join? Joining a CTF is not difficult at all. Users who want to take part in different competitions can search the internet for "Online CTF competitions" and will find many links to different websites where they can practice. You may ask what knowledge is required to start. There is no fixed way of doing it: you can either learn by doing, or watch online videos and work through different exercises.

-Types of game? CTFs can either be single events or ongoing challenges. Mainly they fall into three categories; two of them are Jeopardy and Attack-Defense. In an Attack-Defense CTF, teams defend a host PC while trying to find vulnerabilities in the opposing team's host. They are given time to secure their PC and to attack. The team with the most points wins. In a Jeopardy-style CTF, participants are given a set of questions that reveal clues to next-level problems. While finding the answers, competitors learn the methodologies of the current competition. The more difficult the problem, the more points a team gets. As in every game, the team with the most points wins.

-Types of problems? CTF problems can be divided into six categories. The most commonly used ones are:

Web: This type of challenge tests users on exploiting websites, or on knowledge of SQL Injection, XSS (Cross-Site Scripting), and many more. What we did here was to insert SQL Injection code into a database search, which extracted all the information. The reason this happened was unsanitized input.

Forensics: Participants investigate some sort of data, such as doing packet analysis on a .pcap file, memory dump analysis and so on. We downloaded the picture from the given link and then went through every substring containing the word flag; the flag was "wow!_data_is_cool".

Cryptography: Challenges focus on the decryption or encryption of a file or strings of text; it can be anything. There are many different types of cryptography, such as substitution ciphers, the Caesar cipher, and many more. When I observed the encrypted code it looked like hex. Because of that I used a hex decoder and the problem was solved.

Reversing (Reverse Engineering): RE is exploring a binary file. The key is important, and it is found by decompilation, disassembly using static or dynamic analysis, or other reverse engineering techniques. This one was more interesting from my point of view. We started by downloading the apk file and decompiled it with an apk decompiler. Then we went to the manifest xml file and to the com.example.secondapp .. file location, where we found an md5 hash, and then followed the code -> if the check succeeds, append _is_not_secure!.

OSINT: Its main purpose is to show us how much information is available to us, and we should understand the hint hidden in this information. It is more like a Sherlock Holmes deduction.

Miscellaneous: Everything that is not listed but is still relevant to Information Security is in this category. This requires lots of Googling.
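As an added example (not code from the original page), here is the Web category's lesson in runnable form: a string-formatted search query next to its parameterized fix, using Python's built-in sqlite3 and a constructed users table. A quote in the input changes the WHERE clause of the first query, which is exactly the "unsanitized input" that extracted all the information above; the second query treats the same input as plain data.

```python
import sqlite3

# Constructed sample data (not from the original page).
SAMPLE_USERS = [
    ("alice", "alice-secret"),
    ("bob", "bob-secret"),
    ("carol", "carol-secret"),
]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def search_vulnerable(conn, name):
    """Builds the SQL by string formatting: the input is never sanitized,
    so whoever controls `name` also controls the query's WHERE clause."""
    query = f"SELECT name, password FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def search_safe(conn, name):
    """Parameterized query: the driver passes the value separately from the
    SQL text, so quotes inside the input are data, not syntax."""
    return conn.execute(
        "SELECT name, password FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # the classic textbook injection string
    print("vulnerable:", search_vulnerable(db, probe))   # every row
    print("safe:      ", search_safe(db, probe))         # no such user
```

The fix is the same in every language and database driver: never concatenate user input into SQL; bind it as a parameter (or, where a query is built dynamically, use a query builder that does the binding for you).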

Types of challenges

Binary Analysis

What is "Binary Analysis"?

In general, when we talk about "binary analysis", the word "binary" has a more limited meaning than "any binary data". In other words, it refers to "data files in an executable format" in a narrower sense. Executable formats include, for example, Windows PE (EXE files) and Linux ELF. For a simpler and more familiar image, think of software that can be executed by double-clicking, such as a calculator or an email client. These are also included in the "binary" category.

In a CTF, you will frequently be asked to analyze such "binaries". This is a problem where you are given an unknown binary file and have to figure out how it works using various methods. To get an idea of what analyzing a binary is like, ask yourself: if you were given an unknown program and asked to analyze its behavior, what would you do? Most people would first try to run it. If the source code of the program exists, you might also try to read it. The procedure for binary analysis is not much different from this basic one: first, run the program to get a rough idea of how it works, then read the code for the parts you want to know more about. However, there are two differences. First, we try to get more information by making use of various techniques and tools rather than just running it. Second, we read code in a different form than source code, since source code does not exist in most cases.

As mentioned earlier, even though it is called a binary, it is really an executable file, a program. The first thing to do is to try to run it. Simply executing it gives you no more information than its standard input and output, so understand that special tools are used to get more information. In addition, just as we read the source code to understand the behavior of a program, we also read the code during binary analysis. However, since the binary has already been compiled, you will not be reading source code but the assembly code obtained by a process called "disassembly". Disassembly is the process of converting machine code into assembly language that is easier for humans to interpret. Many people think that reading assembly is difficult, but in fact it is not so different from reading source code.

The Significance of Analyzing Binaries

What is the significance of analyzing binaries? Of course, it is to win the CTF, but since a CTF is an information security competition, binary analysis itself should be useful for information security in some way. First of all, from the security point of view, binary analysis is most useful for malware analysis, and many of the dynamic and static analysis techniques used in CTF binary analysis are the same as those required for malware analysis. Therefore, if you are skilled in binary analysis in CTFs, you can become a malware analyst relatively easily, as long as you acquire the knowledge specific to malware analysis. Binary analysis can also be used in vulnerability assessment, where you analyze software to find vulnerabilities. Outside security, binary analysis may be useful for debugging software that you have developed yourself, or for maintaining software that has not been maintained sufficiently since it was created and whose usage is no longer known. As you can see, doing binary analysis has many more social implications than just enjoying CTFs. Binary analysis may be a technology that is a little difficult to learn. But on the other hand, I think it is worth doing, and there are plenty of places where it can be used. If you can learn binary analysis in CTFs through this book and make use of it in your various activities, I will be more than happy.

Binary Problems in CTF

In CTFs, binary problems are one of the most frequently set problems in almost all competitions. In many cases the number of such problems is relatively large or their score is high, so it can be said that it is one of the core areas of CTF. In addition, there is a problem area called PWN, which focuses on exploiting vulnerabilities, and having binary analysis skills is also an important factor in that area. What exactly are the binary problems in a CTF? Of course, there is a great variety of problem forms when it comes to analyzing binaries and understanding their behavior. In the simplest case, it is a matter of working out the behavior and providing input that satisfies certain conditions; in other cases, it is a matter of recovering an obfuscated FLAG. Some of them are games, where you get the FLAG for your in-game achievements. Of course, it is getting harder to win just by playing, and most of them require you to make good use of the analysis results. There are also problems where you are given a binary that cannot be executed, and you have to predict the result of its execution by static analysis. In addition to these, there are many other types of problems that cannot easily be described here. The name of the binary problem category also varies between CTFs. Some CTFs use the term "Binary" directly, while others use "Reversing" or "Reverse Engineering".

Sample Problem

File and strings commands

Let's take an example of a file whose format is not known, and check the output of the file command against it.

When we execute the file command, we get the following output. Let's interpret the result. First of all, the "PE32 executable" part indicates the format of the executable file. The PE format is the executable file format used on Windows. The "Intel 80386 MS Windows" part indicates the supported CPU architecture and OS. We can see that they are i386 and Windows, respectively.
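To show where the file command's verdict comes from, here is an added example (not from the original page or the file utility) that reads the few PE header fields behind "PE32 executable", "Intel 80386" and "MS Windows": the MZ signature, the e_lfanew pointer to the "PE\0\0" signature, the COFF Machine field, and the optional header's Magic and Subsystem. The sample image is constructed in the block; the constants are the documented PE/COFF values.

```python
import struct

# Documented PE/COFF values (Microsoft PE format specification).
MACHINE_TYPES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000


def build_sample_pe():
    """Constructed minimal PE32 image: DOS stub, PE signature, COFF header and
    optional header. Not a runnable program, just enough bytes to identify."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: offset of "PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE | 32BIT)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 224, 0x0102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)  # Magic: PE32
    struct.pack_into("<H", optional, 68, 2)     # Subsystem: Windows GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


def identify_pe(data):
    """Return what `file` reports first: format, CPU, OS subsystem, DLL or not."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/Windows executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF header
    if opt_size < 70 or len(data) < opt + 70:
        raise ValueError("optional header missing or truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    return {
        "format": OPTIONAL_MAGIC.get(magic, f"unknown magic {magic:#x}"),
        "machine": MACHINE_TYPES.get(machine, f"unknown machine {machine:#x}"),
        "subsystem": SUBSYSTEMS.get(subsystem, f"subsystem {subsystem}"),
        "sections": nsections,
        "dll": bool(chars & IMAGE_FILE_DLL),
    }


if __name__ == "__main__":
    print(identify_pe(build_sample_pe()))
```

Reading the header yourself also tells you what file does not: a renamed or truncated file still carries these fields, so checking them is a cheap first step before trusting any extension or tool output.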

Extracting strings can also increase your knowledge of the binary being analyzed. In very beginner-level CTF problems, the strings extracted from the file may contain the FLAG as is. For example, if you see the strings "Correct!" or "Wrong...", you can guess that there is a correct/incorrect check nearby that has to be passed to get the FLAG. As an example, let's use the strings command on the question "Can you read?", which was asked in CTF for Beginners.

Many of the strings are meaningless because the file is an image. We know in advance that the flags are all of the form ctf4B{FLAG}. Let's use the grep command to extract the string starting with "ctf4b".

We've found the flag!
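The strings-then-grep step above, and the earlier forensics walkthrough that searched a downloaded picture for the word flag, are the same technique, so here is one added example (not from the original page) that implements it in Python: extract runs of printable ASCII the way strings does, then keep only the ones carrying the flag prefix, case-insensitively, because the page spells it both ctf4B and ctf4b. The image bytes are a constructed stand-in, not the challenge file.

```python
import re

# Constructed stand-in for the challenge image: a JPEG-like header, a comment
# segment carrying a flag, and some binary filler. Not the real file.
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00"
    + b"\xff\xfe\x00\x14ctf4b{s4mple_fl4g}"   # COM segment holding the flag
    + bytes(range(0, 256, 7))                  # binary filler
    + b"\xff\xd9"
)


def extract_strings(data, min_len=4):
    """What `strings` does by default: runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + b",}")
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_flags(data, prefix="ctf4b", min_len=4):
    """`strings file | grep -i prefix`, then pull the prefix{...} tokens out of
    each matching line so a flag embedded in a longer string is still found."""
    flag_re = re.compile(re.escape(prefix) + r"\{[^{}]*\}", re.IGNORECASE)
    hits = [s for s in extract_strings(data, min_len) if prefix.lower() in s.lower()]
    return [m.group() for s in hits for m in flag_re.finditer(s)]


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_IMAGE):
        print("strings:", s)
    print("flags:  ", find_flags(SAMPLE_IMAGE))
```

The printable run "#*18?FMT[bipw~" that comes out of the filler is the kind of meaningless string the text mentions; filtering on the known flag format is what separates it from the real answer.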

PWN

What is PWN?

Origin and Meaning of PWN

The word "Pwn" originated from a mistyping of "own" by a user in an online game, and became a slang word meaning "to win" or "to beat". In CTFs, a problem where you gain server privileges by conquering the challenge is called "pwn" or "pwnable".

PWN

PWN is one of the genres of CTFs. In these problems you exploit a vulnerability in a program to access and manipulate memory areas that are not normally accessible, and so obtain the flag.
It is also known as Exploit. The format of the problem is to connect via ssh or nc to the server where the vulnerable program is located or running, and crack it.
Since we cannot prepare a server for cracking this time, here is the source code of the program to be cracked.
You can compile it at hand and try it.
Incidentally, the Pwn problem often shows the source code of vulnerable programs.

Tool

Since Pwn is an extension of binary analysis, the tools used in binary analysis are useful here too. GDB is a debugger, and probably the most famous one. With GDB, you can look up the values (global variables, functions, etc.) and their addresses in the global area of your program, and when the program hits a segmentation fault or an overflow you get far more information than by running it normally. These are very useful in doing pwn, so I will use them in solving the problems in this article.

Sample Problem

This time, I'm referring to a problem from a permanent CTF called PicoCTF. PicoCTF is a CTF that is designed for beginners, and it is a great place to learn CTF. If you want to try CTF, you should definitely try it.

The source code for the problem looks like this

We can see that this problem is solved if the value of secret is 0xc0deface.
However, the value of secret is 0.
Moreover, there is no code that rewrites it.
How do we rewrite it? As the name of the problem implies, we make it overflow.
Line 8 calls strcpy, which writes outside buf when the input is larger than the size of buf.
Let's actually give it a value of 16 bytes or more.

It is a good idea to pass the command line arguments from a script, for example in Python.
If you use one extra byte, secret is rewritten from 0 to 41.
41 (hexadecimal 0x41) is the ASCII code for 'A'.
In other words, you can guess that the buf variable is directly followed by the 4-byte secret variable.
In fact, local variables are placed in the stack area of memory in the order in which they are declared. So, let's enter any value after 17 bytes.

We have successfully obtained the flag!
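To make the reasoning about the stack layout checkable without a compiler, here is an added example (not the picoCTF problem's code, and not a real exploit) that models the frame as a byte array: a 16-byte buf immediately followed by the 4-byte secret, which is the layout the text infers from the 17th byte landing in secret. The model assumes that adjacency and a few bytes of padding after secret; real compilers may reorder or pad locals, so it is a teaching model, not a guarantee. It shows both the strcpy behaviour described above and the bounded copy that prevents it.

```python
import struct

BUF_SIZE = 16      # char buf[16] in the challenge program
SECRET_SIZE = 4    # the 4-byte secret the page infers follows buf
PADDING = 8        # assumption: a few bytes of stack between secret and saved registers


class StackFrame:
    """Toy model of the frame: buf[16] directly followed by secret (assumed layout)."""

    def __init__(self):
        self.mem = bytearray(BUF_SIZE + SECRET_SIZE + PADDING)  # all zero, so secret == 0

    @property
    def buf(self):
        return bytes(self.mem[:BUF_SIZE])

    @property
    def secret(self):
        # x86 is little-endian: the lowest-addressed byte is the least significant
        return struct.unpack_from("<I", self.mem, BUF_SIZE)[0]


def strcpy_unbounded(frame, src):
    """Models strcpy(buf, argv[1]): copies src plus its NUL terminator with no
    length check, so anything beyond 16 bytes lands in secret (and past it)."""
    data = bytes(src) + b"\x00"
    if len(data) > len(frame.mem):
        raise MemoryError("write runs off the modelled frame (would smash saved registers)")
    frame.mem[: len(data)] = data
    return frame.secret


def strncpy_bounded(frame, src):
    """The fix: copy at most BUF_SIZE - 1 bytes and always NUL-terminate,
    so input length can never reach secret through buf."""
    data = bytes(src)[: BUF_SIZE - 1]
    frame.mem[: len(data)] = data
    frame.mem[len(data)] = 0
    return frame.secret


def demo():
    f = StackFrame()
    print("17 x 'A' via strcpy  ->", hex(strcpy_unbounded(f, b"A" * 17)))   # 0x41, as on the page
    f = StackFrame()
    payload = b"A" * BUF_SIZE + struct.pack("<I", 0xC0DEFACE)
    print("16 x 'A' + target    ->", hex(strcpy_unbounded(f, payload)))     # 0xc0deface
    f = StackFrame()
    print("same input, strncpy  ->", hex(strncpy_bounded(f, payload)))      # 0x0


if __name__ == "__main__":
    demo()
```

The bounded version is the one to take away: the bug is not that secret sits next to buf (the compiler decides that), but that the copy length is controlled by the input rather than by the destination size.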

Network

Packet analysis

A packet analyzer or packet sniffer is a computer program, or computer hardware such as a packet capture appliance, that can intercept and log traffic that passes over a computer network or part of a network.[1] Packet capture is the process of intercepting and logging traffic. As data streams flow across the network, the analyzer captures each packet and, if needed, decodes the packet's raw data, showing the values of the various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.[1] A program like Wireshark is a packet analyzer; within it you can look at all of the network traffic passing through your device. These kinds of programs are especially useful in the type of CTF called Attack/Defense, in which the users are allowed to attack each other's devices in an attempt to slow the opposition down or to steal flags from them. But even most regular CTFs have challenges that make use of packet analysis.

Network challenge example in a CTF

In magicCTF there was a challenge which gave you a file called 'secrets.pcap', and in it you had to find a secret. At first glance the only thing that stood out was that there were a bunch of GET requests and only one POST request:
A GET request asks the server for data, and a POST request sends data to the server. By clicking on the packet you can see what kind of information was sent within it, and in this case there was an HTML form in which the user had posted their username and password to the server.

As it turns out the password was the secret that you were looking for in this challenge.
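The same "find the one POST among the GETs and read its form body" can be done without Wireshark. Here is an added example (not from the original page, and not the challenge's capture) with a minimal classic-pcap reader, an Ethernet/IPv4/TCP header stripper, and an HTTP summary. The capture is constructed inside the block from four frames with TEST-NET addresses, checksums left at zero, and a credential pair that is obviously made up.

```python
import struct
from urllib.parse import parse_qsl


def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums zero; fine for parsing)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, bytes(src), bytes(dst))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Constructed pcap: little-endian global header, link type 1 = Ethernet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


CLIENT, SERVER = (10, 0, 0, 5), (192, 0, 2, 10)   # constructed addresses
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 51000, 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    build_frame(CLIENT, SERVER, 51001, 80, b"GET /login HTTP/1.1\r\nHost: example\r\n\r\n"),
    build_frame(CLIENT, SERVER, 51002, 80,
                b"POST /login HTTP/1.1\r\nHost: example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
                b"username=alice&password=s3cret"),
    build_frame(CLIENT, SERVER, 51003, 80, b"GET /home HTTP/1.1\r\nHost: example\r\n\r\n"),
])


def iter_packets(pcap):
    """Yield raw frames from a classic pcap file, whichever byte order wrote it."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Strip Ethernet/IPv4/TCP headers; return (src, dst, dport, payload) or None."""
    if frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4
    ip = frame[14:]
    if ip[9] != 6:
        return None                                   # not TCP
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total]
    dport = struct.unpack_from("!H", tcp, 2)[0]
    doff = (tcp[12] >> 4) * 4
    return src, dst, dport, tcp[doff:]


def summarize_http(pcap):
    """Count HTTP methods seen and collect form fields sent in POST bodies."""
    counts, forms = {}, []
    for frame in iter_packets(pcap):
        parsed = tcp_payload(frame)
        if not parsed:
            continue
        src, dst, _dport, payload = parsed
        method = payload.split(b" ", 1)[0].decode("ascii", "replace")
        if method not in ("GET", "POST", "PUT", "HEAD"):
            continue
        counts[method] = counts.get(method, 0) + 1
        if method == "POST" and b"\r\n\r\n" in payload:
            body = payload.split(b"\r\n\r\n", 1)[1].decode("ascii", "replace")
            forms.append({"src": src, "dst": dst, "fields": dict(parse_qsl(body))})
    return counts, forms


if __name__ == "__main__":
    print(summarize_http(SAMPLE_PCAP))
```

The defender's reading of the same capture is the point of the challenge: a form posted over plain HTTP exposes the credentials to anyone holding the pcap, which is why login forms belong on TLS and why captures of production traffic need the same protection as the secrets inside them.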

Steganography

What is steganography?

Steganography is the art of hiding information in ways that prevent the detection of hidden messages. Steganography, derived from Greek, literally means “covered writing.” It includes a vast array of secret communications methods that conceal the message's very existence. These methods include invisible inks, microdots, character arrangement, digital signatures, covert channels, and spread spectrum communications.

Least significant bit (LSB) insertion is a common, simple approach to embedding information in a cover file. Unfortunately, it is vulnerable to even slight image manipulation. Converting an image from a format like GIF or BMP, which reconstructs the original exactly (lossless compression), to a JPEG, which does not (lossy compression), and then back could destroy the information hidden in the LSBs.[2] LSB works by changing the very last bit of each byte in a pixel. In a 24-bit image each pixel is represented by 3 bytes, and changing the last bit of those bytes creates a very insignificant change in the image itself. Since the change is so small, if you compare the modified image with the original one the human eye cannot tell the difference. However, the modified file can later be decoded by a computer in order to reveal the hidden message.

In Bit Plane Complexity Segmentation (BPCS), a multi-valued image (P) consisting of n-bit pixels can be decomposed into a set of n binary pictures. Ordinary image data is represented by a pure binary code system, which is commonly used in image processing. The important step in BPCS steganography is to find a "complex" region in the vessel image so that data from the secret image can be hidden without any suspicion.[3] By hiding data in the most complex part of the image, the deterioration of the original image becomes even less noticeable than in least significant bit insertion.

A spectrogram is a photograph, image or diagram of a spectrum.[4] Messages can be inserted on top of the spectrogram of a normal audio file, and with minor tweaks and adjustments it is very hard, if not impossible, to tell the difference between the original file and the modified one. The only way to find out whether something is hidden in such a file is to look at the file's spectrogram.
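As an added example (not code from the original page), the LSB scheme described above in runnable form on a constructed 8x8 24-bit cover: embedding changes no byte by more than one, a lossy re-quantization of the low bits destroys the message as the text warns, and a bit_plane function gives the n binary pictures that BPCS-style analysis works with. The message used is the flag quoted earlier on this page; the cover pixels are a generated gradient, not a real image.

```python
# Constructed 8x8 cover image, 3 bytes per pixel (192 bytes). A gradient, not a real file.
WIDTH, HEIGHT = 8, 8
COVER = bytes((x * 32 + y * 8 + c * 5) & 0xFF
              for y in range(HEIGHT) for x in range(WIDTH) for c in range(3))


def embed_lsb(cover, message):
    """Hide a length-prefixed message in the least significant bit of each byte."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need one cover byte per message bit")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit   # only the last bit of each byte changes
    return bytes(out)


def _bits_to_bytes(bits):
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def extract_lsb(stego):
    """Read the LSB of every byte back and reassemble the message."""
    bits = [byte & 1 for byte in stego]
    length = int.from_bytes(_bits_to_bytes(bits[:32]), "big")
    return _bits_to_bytes(bits[32:32 + 8 * length])


def bit_plane(image, k):
    """The k-th bit plane (k = 0 is the LSB plane): one 0/1 value per byte.
    Viewing such planes is how the hidden picture in a BPCS challenge shows up."""
    return bytes((byte >> k) & 1 for byte in image)


def max_pixel_change(a, b):
    """Largest per-byte difference between two images; LSB embedding gives <= 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def requantize(image, step=4):
    """Crude stand-in for a lossy round-trip: drops the low bits of every byte,
    which is why converting to JPEG and back destroys an LSB message."""
    return bytes((byte // step) * step for byte in image)


if __name__ == "__main__":
    stego = embed_lsb(COVER, b"wow!_data_is_cool")
    print("recovered:", extract_lsb(stego))
    print("max change:", max_pixel_change(COVER, stego))
    print("after lossy step:", extract_lsb(requantize(stego)))
```

Two things to notice when looking for this in a challenge: the cover's own LSB plane is usually noisy, so a clean, structured LSB plane (a length header followed by ASCII) is itself the tell; and any format conversion along the way, not just JPEG, can silently erase the payload.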

Common steganography challenges in CTFs

Two examples from https://ctfp.ee/, an Estonian CTF competition. In one of the challenges, called 'music', you had to find the flag in a file called "find_key_in_wav_file.wav". One way to hide messages in music files is by modifying the spectrogram, so if you opened the file in a program that can view the spectrograms of sound files, you could see that a hidden message was embedded in the file.

Normal waveform of the file: Spectrogram of the file:

The hidden message can be fairly easily read from the spectrogram.


The second example, from a challenge called 'the blackhole', shows the usage of bit planes in steganography.

Normal picture: Bit plane version of the picture:

A QR code appears from the image seemingly out of nowhere.

Web

SQL Injections

Conclusion

References

Enjoy PWN [Japanese]: https://gist.github.com/matsubara0507/72dc50c89200a09f7c61

Binary Code Analysis, White Hat Security: https://www.whitehatsec.com/glossary/content/binary-code-analysis

Binary Code Analysis, Contrast Security: https://www.contrastsecurity.com/knowledge-hub/glossary/binary-code-analysis