What’s CTF?

An Introduction to CTFs
CCT
Made by Bennett, hehe stego go brrrr
What’s CTF?

● CTF = “Capture the Flag” = Cybersecurity Competition

● In CTFs, there will be multiple challenges in different categories
● The goal is to solve these challenges and capture the flag (string of text, e.g.
FLAG{you_solved_the_challenge})
Why CTF?

● Develop an understanding of how computers work

● Take part in competitions to gain exposure
● Try and win awards and prizes :)
How to CTF?
● List of CTF challenge categories:
○ Binary Exploitation (Pwn)
○ Cryptography (Crypto)
○ Forensics
○ Mobile
○ Open Source Intelligence (OSINT)
○ Programming
○ Reverse Engineering (Rev)
○ Steganography (Stego)
○ Web Exploitation (Web)
○ Misc (Basically other random stuff, like Hardware, SIGINT, etc.)
● Bolded categories = Considered more “legit”
Binary Exploitation (Pwn)

● Legit “hacking”
● Exploit a server by injecting some code into it
○ Buffer Overflow
○ Heap Overflow
○ Format String vulnerabilities
○ Remote Code Execution
○ etc.
Cryptography (Crypto)

● Math (Outside syllabus, but doable)

○ RSA
○ AES
○ Hash Algorithms (MD, SHA, etc.)
○ ECC
○ etc.
● Exploit bad cryptographic practices
○ Bad encryption technique
○ Weak encryption parameters
○ Incorrect encryption
○ etc.
Forensics

● Police work basically

● Figure out what a person has done on a computer (Memory Dump)
○ Files
○ Processes
○ Logs (What’s their search history? ( ͡° ͜ʖ ͡°))
○ etc.
● Figure out what a person has done over a network (Networking)
○ Packets
Mobile

● Reverse engineering, but for mobile applications (mainly Android apps)

Open Source Intelligence (OSINT)

● Become a private investigator

● Stalk a target person or organization and find info about them
○ Blogs
○ Linkedin
○ Social Media Posts
○ etc.
● Find information about a topic
○ Default credentials
○ etc.
● Find the coordinates of a place (GEOINT)
○ Given a video/photograph, find where it was taken
○ Motivation - 4chan airstrikes on ISIS: https://www.youtube.com/watch?v=LG1FWWX7ZPk
Programming

● Competitive programming style challenges

○ Create efficient algorithms to solve problems
● Scripting style challenges
○ Python
○ Data Processing
○ Interface with a website to interact with it automatically
○ Image libraries
○ etc.
Reverse Engineering (Rev)

● Reverse engineer an executable file to find out what it does (decompiling machine
code into human readable code)
○ Heavy usage of C (aka C++)
Steganography (Stego)
● Steganography is the act of hiding information, aka security through obscurity
● Encoding formats
○ Binary
○ Hexadecimal
○ Base64
○ Base85
○ etc.
● Ciphers
○ Caesar / ROT
○ Vigenere
○ Substitution
○ XOR
○ etc.
Web Exploitation (Web)

● Similar to binary exploitation, but on a website

○ LFI Vulnerabilities
○ PHP Vulnerabilities
○ SQL Injections
○ XSS Attacks
○ etc.
Who does CTFs?

● There are many CTFs organised locally and internationally

● For local CTFs, most participants will be students (Secondary, JC, Poly, University,
etc.)
● For international CTFs, they are catered to people who have an interest in
cybersecurity, i.e. also includes adults, so these are generally harder
Where are CTFs held?

● International CTFs are held online

● Some local CTFs used to be held in person (e.g. WhiteHacks), but now due to
COVID-19 all local CTFs are held online as well
● CTFs can last anywhere from 6 hours to 1 week
When are CTFs?

● For international CTFs, you can view them at

https://ctftime.org/event/list/upcoming
● For local CTFs,
○ WhiteHacks (March)
○ Cyberthon (May)
○ Cyber Defenders Discovery Camp (July?)
○ STACK the Flags (December?)
○ etc.
How do I get started?

● We have setup an Internal CTF Training platform, comprising of challenges sourced

from past CTFs (local and international)
● Challenges are split into specific categories and subcategories for ease of learning
● Disclaimer: It is possible to “cheat” by directly googling for the challenges’ flag.
Don’t do that...
○ No point for you to cheat, since this is a training set
○ The goal is for you to learn
○ If you are really stuck on a challenge, seek help, it’s completely fine
● P.S. We can check your submission history and figure out who is cheating, cheaters
will be dealt with accordingly
Any Questions?
Rough Timeline

● Start working on Crypto (Cipher) to gain fundamental knowledge

● Move on to Stego categories
● Branch off to other categories (tba)
● Note: We will be revisiting some concepts learnt in the C++ Training Set
Register for a new account @
ACS(I) CTF Training Platform:
https://dunhack.me