H4C3R5?

Cybersecurity has become a recent interest of mine. I didn't know much about this field of technology except for the little bits of information here and there about hacking and ways to counter hacking. However, I remembered hearing about a challenge known as Capture the Flag (CTF), which was designed to teach people about cybersecurity by providing an environment to hack in.
(The image above was made using Inkscape and GIMP in case you were wondering! Leave a comment below if you like it!)

Turns out these challenges are pretty common, especially for high schools and colleges. Naturally I decided to try my hand at cracking, decrypting, and reverse engineering these problems. First though I should probably explain how these challenges work. The main objective of the challenge is to find "flags" which are simply strings of characters and numbers such as "flag{th1s_1s_4_f14g}". There are two types of CTF competitions: Attack/Defend and Jeopardy. The Jeopardy format is most common with beginners as it is a list of challenges that you can do, each with its own value (yes, there is a scoreboard). The Attack/Defend format is different but as I have yet to participate in this style of event I cannot really explain it.
After researching CTF competitions, I found one taking place March 13-20 called EasyCTF. That was only about 3 days away at that point, so I decided to join. I can say that EasyCTF was one of the most fun experiences I have had! The challenges were divided up into categories, mainly cryptography, binary exploitation, web exploitation, forensics, and reverse engineering. I found the binary exploitation relatively hard, so I avoided most of those challenges. The others however were very fun and taught me a lot about the way files work and web sites operate.
For example, one particular forensics problem provided a picture and asked you to find what secrets it was hiding. After opening the file in a hex editor and examining the data, it appeared there were actually multiple pictures. My teammate, who worked with me during this competition, had also noticed that the thumbnail changed when it was very small. So I took the data from the file for each picture and saved it as separate images. Sure enough, one of them was an image containing the text for a flag. I was extra excited about this one because we were only the fourth team to solve it!
Hex data for image. You can see multiple JFIF headers indicating multiple images!
Image hidden inside another image! Clever!
One of the web exploit problems involved looking at the stored cookies. Here the flag was clearly found. Another required SQL injection causing the site to spit out the flag. Many of the challenges required a large amount of googling and reading previous CTF write-ups to learn how to solve the problems. My team ranked 473 out of 1938. Not bad for the first try!
This past week I have been working on PicoCTF, one of the biggest CTF competitions for high schools. It doesn't end until Friday so I can't show any of the great challenges I solved (but I will as soon as the competition is over!). If you're interested in cybersecurity or just want to know more about computers and the way they work, check out the many resources available. There is even a GitHub page dedicated to tools for CTF challenges.
