Getting Started with CTF

HIEN DO
10:54 22/06/2018

We’ve created a small guide to get you started with CTF and more or less infosec in general. There are a few selected resources for each of the major CTF disciplines that should help you get up to speed in those.

Prerequisites

Basic Linux/Unix skills and some knowledge of programming should suffice to begin with.

CTF in general

Probably the best way to get started with CTF is by reading through the CTF Field Guide, so go there first. Additionally there is also the following blog post on how to get started with CTF.

Other than that you’ll usually learn a lot from writeups for CTF challenges (especially for ones you tried but couldn’t solve). A writeup is just a guide walking you through the solution for a challenge. There is a CTF writeup repository on github that contains a lot of them. You’ll also find writeups for the corresponding CTFs on ctftime.org.

If you want to practice a bit (and you definitely should!) you can always take a look at previous CTF challenges here or the overthewire wargames, but first check out the following section.

You should also make yourself familiar with ctftime.org. The site keeps a global team rating for all CTFs and upcoming events will be announced there. You’ll also find some other useful things around the site.

How to get started in…

Binary Exploitation

Personally I can strongly recommend the book “Hacking - The Art of Exploitation”. There is also the following extensive tutorial on exploitation: A Journey into Exploitation.

For a nice overview on memory corruption bugs and exploitation see this white paper History of Memory Corruption Attacks (pdf) or Project Zero’s blogpost series on memory corruption vulnerabilities. That should get you up to speed on memory corruption bugs so you can recognize these vulns in the challenges and then do more research on them if needed.

To develop some more practical skills you can take a look at the microcorruption game. It’s a browser based exploitation course guiding you through memory corruption exploitation on an embedded platform. It’s designed for beginners but you will need to read up on the topics on your own.
Also, you should give the overthewire wargames mentioned above a try.

For a decent introduction to Return Oriented Programming (ROP) see this article.

Cryptography

The cryptopals challenges are a nice set of exercises that guide you through modern cryptography and how to break it. You’ll also be doing quite a lot of programming throughout the course.

Web Security

The Web Application Hackers Handbook is basically the bible of web security. It will take some time reading through the book but it’s definitely worth it.

You can also take a look at the following online challenges/courses for learning some web security:

Moreover there is the Open Web Application Security Project which also has some nice resources on web security.

Reversing

To get started with reversing you’ll probably want make yourself familiar with some assembly first. There are a lot of guides on that topic out there, just pick one and write a HelloWorld Linux program in assembly.

After that a good idea is to grab a disassembler, compile some small C code snippets and load the resulting binary into your disassembler of choice to see what the compiler generated. This will give you a good feeling for assembly and help you recognize code patterns and functions in disassembled binaries. You can also take a look at some crackmes (for example from here) to get some hands-on experience.

Moreover I can recommend the books “Reversing - Secrets of Reverse Engineering” and (if you already have some reversing skills) “Practical Reverse Engineering”.

Coding

While not really a core CTF discipline some good coding skills will definitely proof useful (not only for CTF obviously). There are some nice sites to practice on out there, for example talentbuddy or hackerrank.
Also, there are some websites organizing regular coding contests like the Google Code Jamtopcoder or codeforces.

TIN LIÊN QUAN
✨ Nhằm khởi động một năm học mới đầy sôi động cho sinh viên mới bắt đầu tìm hiểu về bảo mật thuộc trường đại học Công nghệ Thông tin, ĐHQG-HCM, Phòng thí nghiệm An toàn thông tin - UIT InSecLab quyết định tổ chức cuộc thi cho sinh viên...
Trong bài viết này, CLB Wanna.W^n sẽ hướng dẫn các bạn cách sử dụng nền tảng wannaGame với các bước thực hiện như sau: Đăng ký tài khoản Bước 1: Truy cập đường dẫn nền tảng wannaGame: https://cnsc.uit.edu.vn/ctf/ Bước 2: Chọn nút Register Bước 3: Tại màn hình đăng ký,...
CLB An toàn Thông tin Wanna.One chia sẻ một số Challenges giải được và việc chia sẻ writeup nhằm mục đích giao lưu học thuật. Mọi đóng-góp ý-kiến bọn mình luôn-luôn tiếp nhận qua mail: wannaone.uit@gmail.com hoặc inseclab@uit.edu.vn và fanpage: fb.com/inseclab Web @AP DISCO PARTY @AP GITFILE EXPLORER @AP miniblog++...