
What is CTF

CTF is short for Capture The Flag. The name comes from a traditional Western game in which two teams compete for each other's flag, and a side is defeated when its flag is captured by the enemy. In information security, a CTF means using various attack methods to gain access to a server and then looking for a specified field, or a field in a fixed format inside a file. This field is called the flag, and it generally takes the form flag{xxxxxxxx}. Submitting it to the scoring system earns points.

Information security CTFs have a long history. They originated at the DEFCON Global Hacking Conference in 1996.

Why participate in CTF

Getting started with penetration testing takes plenty of hands-on practice. However, since the "Network Security Law" was promulgated, casually scanning other people's websites or running unauthorized penetration tests carries real risk. There was also a news story recently:


To be honest, this person was only scanning; the attack was blocked by the firewall and nothing was obtained. He was sentenced all the same. You could say it backfired badly...

So remember not to scan domestic websites, especially education and government websites. However, beginners cannot learn penetration testing without a suitable environment, and the common target machines are too complicated for complete beginners, who easily end up not knowing where to start.

This is where CTF fits well. A CTF challenge generally combines one or a few knowledge points, so it is comparatively well targeted. CTF is a good choice if you want a safe sense of accomplishment and fun, and want to push yourself to learn while practicing.

Types of CTF

CTF challenge types are generally divided into Web (web penetration), RE (reverse engineering), Misc (miscellaneous), PWN (binary vulnerability exploitation), and Crypto (cipher breaking). Those interested in penetration testing are advised to start with Web challenges, supplemented by Misc and Crypto.

CTF is mainly divided into two modes. The first is the problem-solving mode. For Web security, you are asked to break into a website or a target machine. After a successful attack, the system displays a flag, or you search for the flag in a directory, file or database, and you submit it to the answering system to score. Reverse engineering challenges generally take the form of cracking a keygen, dynamic debugging, dumping memory and so on. Write-ups for these challenges can be found on Baidu or Google (keyword: CTF writeup).

The disadvantage of this mode is that it resembles "examination-oriented education". The current trend is toward difficult and obscure questions that ignore real-world conditions, much like the Mathematical Olympiad. Moreover, this mode has only attack and no defense, whereas work in an enterprise is mostly about how to protect. This is how the AWD attack-and-defense mode came into being.


The second is the attack-and-defense game, also called AWD (Attack With Defense) mode. You play both attacker and defender in the same game: the attacker scores, and the side that is breached has points deducted. In other words, when you attack someone else's target machine and obtain the flag, you gain points and they lose points. At the same time, you must protect your own host from being scored on by others to avoid deductions.

This mode is very intense. Preparation must be thorough, with enough defensive plans and EXP attack scripts on hand. I was beaten to QWQ the first time I participated in this kind of competition, but the more I participated later, the more experience I accumulated. So don't panic in this kind of game; just play more, learn more and accumulate experience.

CTFs also have "first blood": whoever submits a flag first gets a score bonus, so being quick matters a lot. Generally speaking, though, one is not as fast as the top players.


Comparison of CTF and real-world penetration testing

A real-world penetration test follows a very complete process, starting with information collection and vulnerability detection and then attacking item by item. In many cases it achieves nothing. In contrast, the goal of a CTF is much clearer. Challenges below medium difficulty generally indicate the location of the vulnerability in the challenge description. If there is no hint, there will not be many points to probe, and checking them one by one is enough.

Secondly, many CTF challenges drift somewhat away from real-world penetration. They rely more on set routines and leaps of imagination, and some of the knowledge points are not practical... how to put it?

Sometimes, in order to produce a new challenge, the author makes it a brain-teaser purely for the sake of it. Misc is the category hit hardest by this kind of challenge. Doing such challenges does not actually help with real penetration testing. For example, with this cipher challenge, my head hurt the first time I saw it; you can guess what it is:


Anyway...

Those who have done a lot of CTFs will know that this is the "contradiction to Buddhism" cipher, and nobody knows who came up with it...


Puzzle-like challenges of this kind, which need odd tricks or set routines to solve, are not uncommon. In fact, this deviates to a certain extent from the original intention of CTF. We want to improve our security skills, not do brain-teasers.

Therefore, the simpler, somewhat far-fetched CTF challenges serve only to broaden your knowledge. Having said that, CTF competitions are now moving in the direction of actual combat. Many high-level CTF challenges simulate real websites, giving you a stronger sense of real penetration and techniques that are closer to actual combat. The more conscientious CTFs in China include DDCTF, the Anheng Cup Monthly CTF and so on.

For information about CTF events, follow the event listings compiled by the XCTF community or CTFtime. For details, please click to read the original text. Although it is very likely that I will not be able to beat the top players in a competition, it is still very good to coast along and learn something.


Summary

I have collected some CTF practice ranges that are good for getting started. After thinking about it, I put the collection on my long-abandoned blog, and I will post technical articles on the blog in the future. Here I still won't talk about technology, only some hard-won experience. Practical material is fine too. To see the practice range collection, open the link in a browser:

A collection of novice-friendly CTF resources and practice ranges

If you are a novice, work through the challenges in the practice ranges steadily. For challenges you cannot solve, there are plenty of write-ups on Baidu or Google. When you run into knowledge points you don't know, make good use of search engines as well. The best way is to join a CTF group, where everyone helps each other and improves more quickly. If there is any aspect that I need to cover in more detail, please leave a comment or send me a message.

A lot has been going on recently, and something unexpected came up, so this article was a long time coming... I'm sorry to all of you.


代码熬夜敲

李志宽: top-100 creator, penetration testing expert, an outwardly reserved guy with his own rock band