The sheer amount of info regarding information systems (computers and other electronic devices and how they work, programming, etc.) is mind-boggling, honestly. How do you read through it all, hoping to understand at least a sliver of what you’ve read, and then apply it from a security research standpoint? From encodings to encryption algorithms and the tools available to do many things in between, it can be daunting thinking you must know it all in order to be any good. Though there is some truth to that, that statement or thought isn’t entirely true in and of itself.
Don’t get me wrong, the more you know the more useful you are, but is it feasible for one person to retain all that information? Imagine the note-taking skills and staying organized – that in itself is a grand feat! I know I’m not the best notetaker, much less at keeping my notes organized. I will take notes feeling I’ll be able to recollect the context when revisiting my notes, only to come back to them some time later and wonder what in the world I was doing or trying to make sense of what I personally wrote. Hey, I’m working on it though!
Aside from that, and as this post’s title suggests, I am going to write about capture the flag (CTF) competitions and how to break into the scary unknown. Many security researchers I’ve studied on YouTube or read articles on recommend CTF challenges. Some are really tough, challenging user skills, while others are geared more towards newcomers and target newbs (noobs; newbies, that is). WatchGuard’s Threat Lab does a badge challenge competition every year for Black Hat / DefCon. Badge challenges are similar to CTF but not entirely the same. Technicalities aside, they aim at allowing researchers, or hackers, to prove their skills.
While doing some research in the mobile realm of the vast technological hemisphere, a researcher commented on completing CTF challenges and that triggered some thoughts I’ve held onto. I’ve known of CTFs for quite a while, seeing that our team hosts something similar, but never really spent too much time doing others’ challenges. It’s been on my to-do list but wasn’t in the forefront of my mind. Now, however, I took some time to research “newb friendly ctfs” online and came across a pretty cool resource that I decided I’d blog about.
What Are CTFs
Before discussing the CTF challenge I’ve selected at the moment, I want to clarify what CTFs are for those who may not be as in the know about them. I by no means am an expert in them either – at least not yet – so I figured this would be a great opportunity to shed some light.
From what I gather, there are many formats to how CTFs are conducted. For starters you can take the challenge yourself or you can form or join a team. Next, CTFs can be competitive in that there is a preset start and end date that the challenge is live. The objective is to get through the challenges before the end date and accumulate as many points as possible. The challenges within the competition vary based on difficulty and leading players or teams are rewarded with money, prizes, or just street cred.
What’s more, and a huge appeal to me, is that you get to learn new things along the way and get a snippet of the many realms of technology. For instance, some challenges revolve around cryptography, others about forensics such as how to view the hexadecimal values of files and comparing them with other files, and others reveal the different methods of encodings (base64, base2, etc.). It’s cool to see the many facets of how and what computers can do and how you can use them for what you need to.
Lastly, there are many participants that compete and do write-ups that are publicized (hopefully) after the competition’s time period. I will say that going straight for the answers versus learning about the question and the context in which it’s applicable is not the way I want to go, nor would I. After all, the point of these challenges is, well, to challenge yourself! Take the bull head on by the horns and learn by trial and fire. If you get stuck, spend some time exploring thoughts but don’t get stuck and stop because of it! Alternatively, you can reach out to the challenge’s IRC channel (if there is one live) or find alternative groups that you can reach out to for guidance or hints. Ultimately if that doesn’t work, I don’t see an issue with seeing if there is a published answer online. The key here is to learn the answer, study it and make it click as to why that’s the answer and how it fits. This is a crucial learning moment.
What to Expect in Upcoming Blogs
Moving on, I want to introduce the challenge platform I’ve selected and my first thoughts about it. I also want to set the basis of how I will write future posts about my progress through it. No, I did not fully complete the challenges. Yes, I did give each independent challenge my best go. Yes, I did have to look up the answers and yes I did study why they are the answer.
The challenge platform I opted for is picoCTF and it is a free computer security game created by security experts at Carnegie Mellon University. It’s targeted towards middle and high school students but don’t let that faze you if you’re “out of school” or “a lot older” than that. Personally, I’ve been out of high school for a while, but I know that I want to learn and grow, and I am okay with humbling myself, if you will. So, I embarked on this journey and was quite impressed with the content’s presentation and felt that I was off to a fair start. I’ll blog about that separately though. Based on the introduction so far, I highly recommend it for anyone who wants to get started with cyber security or even if you’re already a security veteran. I’ve always been a firm believer in solidifying one’s foundation and there’s no harm in testing, and proving, yourself to yourself.
Note that the challenge timeframe already lapsed but access is still permitted. I started going through the challenges and using my best judgement and only looked for solutions to the ones I felt absolutely stuck on. I didn’t fret over “not knowing” every answer. I went in unsure of how I’d do. Though I feel I did okay, to say the least, I did not know everything. There were many things I had to look up along the way and I learned new concepts that I hope to retain and reuse at some point down the line. For now, I am going to keep at it and grow how I know.
I noticed that the layout has different rooms that are titled according to their topic. For instance, the first room was titled “General Skills” that I went through. There are over 15 challenges of a good mix. Obviously, the ones I knew made me feel good about my skillset while the other ones I took as a learning opportunity. Some of the answers I looked up just blew my mind like, “how did someone come up with that answer?”
My objective is to write a post about each room and discuss any challenges I had and how I overcame them. Perhaps I’ll add some background detail about the technicalities of the challenge where I see fit, and also what I’ve learned along the way.