CTF: 8 Ways To Succeed In Your First Capture The Flag (CTF)

From OnnoWiki

Source: https://blog.lumen.com/8-ways-to-succeed-in-your-first-capture-the-flag-ctf/

Introduction

DEF CON is a hacker conference that usually takes place in the summer in Las Vegas. Together with Black Hat, DEF CON is one of the best-known conferences in the United States for hackers and computer security experts. DEF CON features virtual villages dedicated to specific topics such as lockpicking, IoT (Internet of Things) devices, and social engineering. The overall purpose of the event is to bring the security community together to share information and gain knowledge about the tools and exploits that malicious actors may use. By learning the latest tactics and sharing vulnerabilities, security practitioners can better defend their networks against future attacks.

The “attacking” team in a cyber-security exercise is known as the Red Team. Their job is to adopt the methods, and simulate the kinds of attacks, that a real adversary might use against the organization. The defenders in this scenario are the Blue Team. The purpose of holding a red team/blue team exercise is to improve the organization's security posture, not to cause actual damage. Related terms include "offensive security" (again, implying an attacking posture) and "pen test" (attempting to penetrate computer or cyber-security defenses).

CTF events evolved from the children's game in which teams invade each other's territory and try to capture and carry back the other team's flag. In cyber security, a CTF has become a competition to demonstrate expertise in attacking (or defending) computer resources. The flag in this context is usually a file or code that a team recovers and submits as proof that they successfully penetrated the defenses.

At its core, a CTF is about solving puzzles. The challenges are created by and for people who enjoy solving puzzles. One aspect that can frustrate beginners is that the goal of a challenge may not be stated. Take it in stride. If a challenge gives you an IP address and port, try connecting with a simple tool such as telnet or netcat. See what you can find out. Every challenge has an intended solution.

Challenge Types

Here are some common types of challenges you may encounter in a CTF:

  • RCE (Remote Code Execution) – Exploiting a software vulnerability to allow code execution on a remote server.
  • Cryptography – Breaking ciphers and codes, ranging from classical ciphers (e.g., Caesar, transposition) to modern cryptography such as AES, 3DES, RC4, and Twofish.
  • Programming – Challenges that require coding a solution in the computer language of your choice. Solving these by hand would generally be too tedious or time-consuming.
  • OSINT (Open Source Intelligence) – Finding hidden clues on the public internet and social media platforms. Bring your best Google-fu to tackle these.
  • Reverse engineering – Studying binary executables, malware samples, or other files to understand their intent or behavior.
  • Forensics – Analyzing log files, network packet captures, or other artifacts to detect how an attacker compromised a system.
  • Steganography – The art and science of hiding (and detecting) messages in images, audio files, and the like.

Tools

While you might use a limitless variety of tools to solve challenges, here are some to get you started:

  • Python is an extremely useful scripting language, with a rich ecosystem of packages to add functionality. You should develop new code in Python 3 (Python 2.7 is the old version and is no longer supported). Pip is the Python utility to use for installing additional packages.
  • CyberChef is a Javascript-based website for easily creating recipes, or a series of steps, to decode text or data. There is also a code repository if you want to deploy a standalone instance.
  • Boxentriq is another website with a solid overview of ciphers and analysis tools.
  • Kali is a Linux distribution which already includes many tools useful for penetration testing. More tools can be installed with the apt-get utility. You can also run Kali as a virtual machine on another computer.
  • Dirb is a handy tool for scanning directories and files on a web server. Or try Gobuster – a similar tool implemented in the Go language, for improved performance.
  • Metasploit is a powerful set of exploit tools for penetration testing. A related tool, Msfvenom, can create and encode an exploit payload.
  • Pwntools is a Python-based framework for CTFs and exploit development.
  • exploit-db is a useful website for finding proof-of-concept exploit code.
  • IDA is an interactive disassembler and debugger. The professional version (IDA Pro) is both pricey and powerful. You can get started with the free version.
  • Ghidra is a powerful (and free!) set of Java-based tools from the NSA for reverse engineering software. It includes a decompiler to convert binary code to high-level C code.
  • Debugging tools allow you to interact with programs, pause execution, investigate the contents of registers and memory locations, and many other things. They are indispensable for creating exploits. There are many options for debuggers, such as x64dbg, OllyDbg, or Immunity. On Linux, you also have the option of gdb, the GNU debugger. To enhance gdb, you might also look at plugins such as PEDA or GEF (pronounced “Jeff”).
  • Your brain! Sometimes the best analysis comes from thinking carefully about the problem you are presented, and how to leverage the information at hand.

Best Practices And Suggestions

Here are some best practices and suggestions to follow if you’re just getting started:

  • Read the ground rules before you start – and follow them

Understand what is in scope and what is not. If a given IP address or port is off limits, respect that. The ground rules may vary from one competition to the next, but as a general guideline: don’t break them. Feel free to leverage resources to solve the challenges, but avoid actions which intentionally impede others from making progress. CTFs are designed to be learning opportunities, so avoid depriving others of the satisfaction of learning and solving.

  • Take notes!

Once you start making progress it is easy to get carried away by your own momentum, but remember to take notes as you go along. You may need to backtrack, and a few notes can streamline the process of getting back to an earlier step. Record the essential things you discover such as IP addresses, flags, port numbers or command syntax. When brainstorming new approaches to try, review what you have already tried. Notes will also be handy if you want to write up your solution later.

  • Try again later

Sometimes a challenge is based on a server being in a certain state, say, providing responses in a TCP session. Given that myriad teams may be deploying various hacking tools against a server, it is possible that the target machine will become unstable or unavailable. The organizers usually have a way to reset the state of the server. The same steps you attempted (which failed) might succeed for you a few hours later. (See above about taking notes!)

  • Search the web

You may find a hint (or even a partial solution) by searching on whatever information you have. Indeed, some types of challenges (such as OSINT) demand this. Check for clues hidden in materials that seem like mere window dressing, such as images. Are there pop culture references or memes which might guide your research? If you are stuck, look for similar challenges from the past.

It takes a significant time investment to create CTF challenges, and an individual challenge may be re-purposed for another CTF. People enjoy posting their solutions, so you may find hints there.

  • Try a different challenge

Often there are challenges which are designed to be solved in sequence; try to understand the intended sequence. Sometimes the difficulty level is designed to ramp up slowly, so what you learn by solving one challenge in the series will help you learn what you need to do for the next challenge. There may be natural gates built into the series: until you exploit that bastion server, you will be unable to pivot to attack the one with an internal 10.x.x.x IP address.

Don’t assume you always have to tackle the challenges in sequence. Look for clues whether a later challenge can be attempted without solving a prior challenge.

If you are stuck on one type of challenge, give another type of challenge a try. Look for challenges that sound fun, that connect to things you already know, or that leverage skills you are trying to improve. If you are stuck on trying to exploit that server, try instead a cryptography challenge, an OSINT challenge or a programming challenge.

  • Ask for a hint

Each challenge you try to solve was created by a human. They are likely proud of their creation and would like you to succeed. In the challenge description you might see the name of the author or their Twitter handle. Feel free to reach out and politely ask for help. Be succinct, but tell them what you’ve already tried. They just might be willing to drop a hint to get you unstuck, or to at least help you understand how the challenge was intended to be solved.

  • Sharpen your tools

If you don’t already know Python, learn it… it will serve you well. If you are already an expert at Python, you might use the CTF as an opportunity to become more proficient at another language which intrigues you, such as Go or Rust. Think about how easy (or difficult) solving a particular challenge might be using different tools. If you routinely script things in Python, try writing a bash script (or vice versa).

  • Do a post-mortem

At the end, review what worked and what failed. Look for published walkthroughs for the puzzles that stumped you to learn what you need to know for next time. Think about the skills you need to be successful and commit to improving these. Sign up for another CTF in a month or two… to motivate your learning and as a milestone to test yourself on what you have learned.

  • A Few Suggested CTFs

Note that there are hundreds of CTF events taking place every year. Some CTFs are virtual, while others happen on-site at a conference or meeting. They all present opportunities for learning and improving your cybersecurity skills.

Here are three examples of CTFs I would recommend, for a variety of skill levels:

  • Beginner: PicoCTF provides year-round cyber security education content (PicoGym practice challenges) for learners of all skill levels. Their annual competition is aimed at high school teams.
  • Intermediate: The Red Team Village website has a couple events a year. In 2021, the DEF CON 29, Red Team Village CTF opens with a 24-hour prequalification round starting August 5. Twenty teams will progress to an immersive pen testing scenario. Based on last year, the prequal challenges should remain available through the weekend. The team at Lumen found this CTF had a nice range of difficulty and some satisfying series of challenges. We have been sharpening our skills and will try our hand again at the same competition this year.
  • Elite: The main DEF CON CTF (separate from the Red Team Village CTF above), is currently run by “Order of the Overflow.” The qualifiers usually happen in May, with 16 teams competing in the finals during DEF CON in August.

Finally, ctftime.org lists many upcoming CTF events by date. The list does not include every CTF happening, but it is a good place to look for your next CTF. You can filter by location (on-line, or on-site) and restrictions (open or otherwise).

Conclusion

CTFs are a fun way to learn and hone your skills, in the guise of a competition. If you have never tried one before, you may realize you have been missing out!

If you are just getting started with CTFs, I recommend checking out the PicoGym practice challenges. You can sign up for free and try your hand at challenges from previous PicoCTF competitions. The practice challenges are available year-round, and the website has resources to get you started in tackling various challenge types.

References