So you’re looking to get started in hacking, but have no clue where to start? That’s totally understandable. Hacking is a huge field that experts can spend their entire lives trying to master, so it can look daunting at first. However, one super easy way to get your feet wet is with CTFs!
What are CTFs?
CTF stands for Capture the Flag. CTFs are short, self-contained hacking challenges designed to test various parts of your hacking ability. As the name suggests, you are typically given something such as some text, a piece of code, or a website that you can go to, and you are asked to hunt down the ever elusive flag. Once you find it, you can submit it to get points for the CTF challenge.
Why should I do CTFs?
CTFs are a great way to start learning the basics of hacking. They are designed to be short and self-contained, meaning that each challenge allows you to learn one or two new skills at a time, which means that you don’t get overwhelmed by an avalanche of information. CTFs can also teach you a lot about the problem-solving perspective and the hacker persistence required to tackle difficult projects. But most of all, they’re just so gosh-darned fun! It’s great fun to compete with your friends, and push yourself to see just how many of these challenges you can conquer :)
Example Challenge - ROT13
If all that sounds a bit abstract, let’s do a basic challenge. Here’s a secret message that has been encoded with ROT13. Use an online decoder such as https://rot13.com/ to decode the secret message and submit it!
Secret Message:
SYNT{l0h_whfg_fbyirq_l0he_s1efg_punyyratr!}
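The same decoding can be done locally instead of with an online tool. The following is an added example, not part of the original post: it rotates letters by any amount (ROT13 is the shift-13 case) and tries all 26 shifts, keeping the outputs that start with `FLAG{`. That prefix and the function names are assumptions made for this example.

```python
import string


def rot_n(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift` places; digits and punctuation pass through."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        elif ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)  # leetspeak digits, braces and underscores are untouched
    return "".join(out)


def find_shift(ciphertext: str, crib: str = "FLAG{"):
    """Try every rotation; return (shift, plaintext) pairs that start with the crib.

    The crib is an assumed flag prefix, not something the challenge states.
    """
    hits = []
    for shift in range(26):
        candidate = rot_n(ciphertext, shift)
        if candidate.upper().startswith(crib.upper()):
            hits.append((shift, candidate))
    return hits


# The secret message from the challenge above.
SECRET = "SYNT{l0h_whfg_fbyirq_l0he_s1efg_punyyratr!}"

if __name__ == "__main__":
    for shift, plaintext in find_shift(SECRET):
        print(f"shift={shift}: {plaintext}")
```

Because ROT13 is its own inverse, applying `rot_n(..., 13)` twice returns the original text, which is a quick way to check a decoder.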
The Different Fields of CTFs
CTF challenges come in a variety of different flavours. Each one will require a different set of knowledge and a different skillset to complete. I recommend picking one that’s of interest to you and just starting there. You can always branch out to the other ones later on.
Here is a list of the common CTF categories, and a brief explanation of each one:
General / Misc
These challenges test your general computing knowledge, as well as anything else that doesn’t quite fit into any of the other categories. They can be a good starting spot, as many easy challenges fall into this field.
Cryptography
Anything and everything to do with codes and ciphers. A good understanding of binary and manipulating bytes will be useful for this category. The ROT13 challenge from above is an example of a cryptography challenge.
Web Exploitation
Challenges that explore attacking servers. Typically, you’ll be going through websites, and trying to see how you can abuse bad code in order to gain admin access, or access to resources that you wouldn’t normally have. Some techniques that can be learnt here include XSS, CSRF, SSRF, and SQL injection (that’s a lot of acronyms!).
Forensics
This is the process of putting on our detective hats and unearthing the past of data. You will be using tools in order to figure out extra information about data, recovering corrupted or seemingly deleted data, and also finding hidden messages within data. Examples include looking through file metadata or steganography.
Binary Exploitation
Binaries (sometimes known as executables) are files or programs which can be executed on a computer. Binaries can sometimes store secret information that the author doesn’t want you to access. However, there are many tricks that a user can use to sidestep these safeguards and modify the program’s functions, or even gain full shell control. Examples of exploits used in Binary Exploitation include Buffer Overflow and Format String Vulnerabilities.
Reverse Engineering
This is the art of looking at a program and working out exactly how it works. This has some overlap with Binary Exploitation, as understanding how a program works may allow you to exploit any security flaws you find in it. This area requires a strong understanding of assembly language.
CTF Resources
So you’re raring to get started? Then look no further. Here’s a list of great resources for you to get started!
Places to Learn Theory
If you’re more interested in learning some theory first, here are some great resources for you.
This site is a great resource to get you started in each of the areas of CTF. Though it’s by no means exhaustive, it should act as a great starting resource for people looking to dip their toes in.
This is the YouTube channel of Fabian Faessler, a security researcher who makes engaging and informative videos. He’s got a video series on just about every topic you can imagine, plus he’s super entertaining, so I definitely recommend giving his videos a try.
Provides great resources and video lessons for learning web security. It also has a companion site called Hacker101 CTF, where you can put your skills to the test.
OWASP
OWASP is the Open Web Application Security Project, an organisation that was founded to improve security. You’ll typically find OWASP whenever you google search any of the exploits mentioned above. OWASP provides great advice on how to exploit each attack, and best practices to avoid it.
Also check out my own blog posts about common tools and software that I’ve used in CTFs.
If you just want to get your hands dirty, here are some great sites that host a range of CTF challenges. Make sure you pick one with a category that fits your interests!
A large variety of wargames waiting to be attempted. It’s super beginner friendly, and teaches a lot of the basics of command line programming. Not only that, it features challenges from all sorts of categories.
Crackmes hosts a range of user-submitted reverse engineering challenges. You can sort these by difficulty and quality, so there’s a good challenge ready for everyone.
Despite the name, this site hosts challenges of all different types. It’s also one of the few places where you can find forensics and steganography challenges.
The companion site to Hacker101. Hosts a variety of web hacking challenges, with a focus on challenges that show up in bug bounties.
The CTF Mindset
Finally, I’d just like to talk a little bit about the mindset you should adopt when approaching CTF challenges, because I think it’s something that isn’t really talked about too often. Here is a quick list of tips from my own experience to keep in mind when solving problems.
Start challenges by gathering as much data as possible, and be exhaustive.
Starting the exploitation phase too early is like trying to solve a jigsaw puzzle while you’re still missing some pieces.
When you feel like you’re stuck, try just a little bit longer before giving up.
You’d be surprised how many problems you can solve just by spending a little more time on them.
That being said, if you’re getting stuck and frustrated, feel free to take a peek at a hint or even the full solution. There’s no shame in doing so, as long as you’re learning something.
Have fun!
Don’t forget that the entire purpose of CTFs is to enjoy yourself while learning.
If you get tired of learning new things, or it’s starting to get overwhelming, that’s fine! Take a break, knowing that when you come back, you’ll be refreshed and ready to take another swing at it.