Getting Started with Capture The Flag (CTF)

Sometimes I know some pretty random things about technology because of my interest in security and doing CTFs which exposes me to technology on a different level then if I was merely doing simple web programming. I brought this up at a recent Ruby On Rails Meetup Group group that I go to and while trying to compile some links I decided to make a full blown post on how to do your first CTF challenges.

Random Awesome Links

Why it is Important to Learn Security

While Rails does a fantastic job of protecting you from many common web vulnerabilities that plague many other websites, its still important to understand how these vulnerabilities work so you don’t somehow reintroduce it either in code OR because of some sort of poor server configuration or setup.

Don’t give up

Neither of these two games are ‘hard’ but they require a lot of basic understanding of technologies we use every day. We tend to learn our tools just enough to get our jobs done, but never take time to really understand how (and the why) the tools and technology we use every day really work. I feel both these games do a great job of challenging our basic knowledge and inspiring us to learn more! As a web developer it is so much easier to troubleshoot issues when I can truly understand the behaviors/symptoms of a problem and at what layer it is truly happening on.

Getting Started with OverTheWire

OverTheWire generally works by first giving you the “Level 0” username and password and you must then figure out the password for the next level. The username will always be the game name followed by the level number. (ie: Level 4 on Natas will have a username of natas4). For starters I suggest looking into Nastas for web and Bandit for linux command line challenges.

OverTheWire’s Game: Bandit

Please check out the full game information but in general Bandit is all about linux command line and basic features of linux. Do you know how to do directory traversal? Use Grep? Ack? What can be done in /tmp?  What ‘fun’ things can be hidden in cron jobs? Do you know how to read and understand permissions? Read each level description carefully, it will often give you hits or what man pages to be looking at.

Bandit Level 0 [Info Link]

You must first SSH into the bandit host with the username bandit0 and the password (when prompted) bandit0.  Don’t know what the -l flag does? To the MAN PAGE we go! Searching this we see that it means login_name and we can use this method easily change the username per level with the up error rather then trying to edit something lie ssh each time.

On and command line my first instinct is always to do an ls -al to see what I can go or view from where I am. I sometimes will also do a pwd to see where I am.

Interesting. We (user bandit0) have read access to a file owned by bandit1. If you don’t know how to look at -rw-r—– and understand what it means there are lots of tutorials online for you to look at.

Lets read the file! Its isn’t big so i’m just going to run the concatenate command to make it appear on stdout (the screen)

Bingo!! We now have the password for the bandit1 level.

Bandit Level 1 [Info Link]

Interesting. We have read access to a file called – (dash), but if we try to cat it out we get some weird behavior. As suggetssed in the level info link we can google dashed filename and read about how the OS thinks that we mean to output directly to stdout. Cat however already as a default if you don’t redirect it somewhere else.  So to let the OS know we want to literally open the file – (dash) we want to do a dot slash to tell it look at the file called dash in this directory. So the OS won’t interpret the –  as stdout.

Sweet, that worked.  Now you have the password to bandit2. Have fun with the rest of the levels! Lots of help online, but be careful that you don’t accidentally look up the answer.

OverTheWire’s Game: Natas

Please check out the full game information but in generally Natas is all about using your knowledge how web and the technology around it works. Client vs Server? DOM? Cookies? Javascript? XSS? SQL Injections? Lots of fun stuff!

Natas Level 0

As suggested in the introduction, you must navigate your way to and enter the username and password which both have been lovely set to natas0. 

Once you load the page you get the following message:
You can find the password for the next level on this page.

After glancing around on the visual side of the page (the rendered view) you don’t find any key. Now what? Well this is where basic knowledge of how websites works come into play. Since you are only seeing a rendered view we can right-click > view source to see the source code of the page. Ding ding! We can see there is a comment that holds the username and password. You may laugh but i’ve see sensitive data ‘hidden’ merely in the html comments.

There were other bits of data we could be looking at (response headers for one) but view source is generally a quick go-to way to see what is going on.

Natas Level 1

What is this? They blocked right-click? Oh Noes, what shall we do? Keep in mind HTML is rendered on the client which means ultimately I have full control. (Which is why you never trust user inputs). Your browser will have an easy build in way to view the source, but even if it didn’t there are lots of ways to view the HTML source of a website.

On Chrome you View > Developer > View Source

We now have the password for level 2!

 Have Fun!

Always, and in all of your endeavors.