Learn how to hack through CTF

in #technology, 7 years ago

WTF is a CTF?

CTF, short for Capture the Flag, is a special kind of information security competition. It is a hands-on way of learning about cyber security by allowing participants to exploit live vulnerable systems, files and websites.

Can I really learn how to hack through CTF?

Yes and No! If all you want is to impress your friends by hacking their Facebook accounts, then no. A FUD keylogger would probably be the easiest way to do that. However, CTFs are designed to get participants to think like a hacker: how to analyze the system, what to look for, and therefore how to exploit its vulnerabilities.

There are two common types of CTFs: Jeopardy and Attack-Defense.

Jeopardy-style

Jeopardy-style CTFs are probably the most common type of CTF. The participant is presented with a Jeopardy-like scoreboard with different categories and point values. Categories usually include Forensics, Cryptography, Pwning, Binary and Web exploitation, Steganography and Recon. The more challenging the problem is, the more points it is worth.

Attack-Defense style

In Attack-Defense, two teams (red team vs blue team) are usually given their own vulnerable networks. The two teams will then try to hack each other for attack points while simultaneously defending their own network for defence points.

Goal

The goal of a CTF is to find the "flag". Flags take many different forms. Sometimes it's a text, a file, an image or even a sound file. These flags are usually hidden and encrypted. Your goal is to find and decrypt it as the challenge states.

To fully appreciate CTF, I will show you an example.

This problem is taken from CTFLearn.com. The challenge is pretty straightforward: leak the whole database and you will see the flag.

As you can see, it is asking us for an input. The problem is we don't know what to input.

Viewing the source code, you will notice that it is asking for a specific input. If the input is not in the database, it will yield 0 results. Trying all those names didn't work either, except Luke.

If you remember your SQL, we can manipulate the input to trick the system.

Input: ' or ''='

The query built on the server becomes:

SELECT * FROM Users WHERE Name ='' or ''='' AND Pass ='' or ''=''

Since the SQL above is valid, it will return all rows from the "Users" table, because OR ''='' is always TRUE.
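The same effect reproduced locally, next to the parameterized query that prevents it. This is an added example, not code from the original post or from CTFLearn; the Users table, its rows and the function names are assumptions made for illustration.

```python
import sqlite3

PAYLOAD = "' or ''='"  # the input shown in the post


def make_db():
    # Constructed sample data: an in-memory table standing in for the challenge database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Name TEXT, Pass TEXT)")
    db.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("Luke", "pw1"), ("Alec", "pw2"), ("admin", "CTF{constructed_flag}")],
    )
    return db


def lookup_concat(db, name, pw):
    # Vulnerable pattern: the input becomes part of the SQL text itself,
    # so a quote in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT * FROM Users WHERE Name ='" + name + "' AND Pass ='" + pw + "'"
    return sql, db.execute(sql).fetchall()


def lookup_param(db, name, pw):
    # Fixed pattern: the SQL text is constant and the input is bound as data,
    # so the payload is compared literally against the Name and Pass columns.
    sql = "SELECT * FROM Users WHERE Name = ? AND Pass = ?"
    return db.execute(sql, (name, pw)).fetchall()


if __name__ == "__main__":
    db = make_db()
    sql, rows = lookup_concat(db, PAYLOAD, PAYLOAD)
    print("query text:   ", sql)
    print("concatenated: ", len(rows), "rows returned")
    print("parameterized:", len(lookup_param(db, PAYLOAD, PAYLOAD)), "rows returned")
    # A lone quote breaks the concatenated query; errors like this in a server
    # log are a common sign that input is reaching the SQL parser.
    try:
        lookup_concat(db, "'", "")
    except sqlite3.OperationalError as exc:
        print("lone quote:   ", exc)
```

With the parameterized version the payload matches no row, while a legitimate Name and Pass pair still returns exactly its own row.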

Andddd there goes our flag! Submitting it to CTFLearn and Voila! Problem Solved!

But I don't know SQL!

That's okay! When I first started joining CTFs, I had no idea what was going on or how to tackle challenges like this. The beauty of CTFs is that the more you join, the more you will learn. Next time you encounter a problem like this, your first step would probably be SQL injection, but it's probably not SQL anymore, so you're stuck again, so you'll wait for the competition to finish and read the writeups on how others solved the problem, and use that approach to solve the next problem until you get the hang of it.

If you wanna know more about CTF, I suggest you visit CTFTime.org. There you can see upcoming and past CTF events. If you don't wanna compete and just want to learn, a lot of writeups are also posted there.
