Unlock Your Potential by Dominating CTF

Capture the Flag (CTF) events provide a unique and exciting opportunity to enhance your cybersecurity skills. Whether you're a beginner or an experienced professional, participating in these events allows you to solve challenges and capture flags, all while competing against others. In this blog post, we’ll explore upcoming CTF events, useful tools for success, and how you can get started. We’ll also share highlights from the Queen City Conference CTF 2024, including the challenges faced and skills gained. If you or your company are interested in learning more about cybersecurity, our team is here to guide you. Contact us for a free consultation today!

What is a CTF?

Security Capture the Flag (CTF) events are a great way to show off, hone, and learn new skills while competing against others. A CTF event involves solving challenges to capture “flags”. Sometimes the flag will follow a standardized format, like FLAG{Some_random_words} so you know that’s the correct answer. Others are less obvious but may be an answer of the name of a file or command. Either way, the event will typically specify what the flag format is and specific challenges may indicate an exception to the rule.

Events can either be an individual effort or conducted in teams. CTF events have varying levels of difficulty - depending on who is hosting them. They can be story-based or [pseudo] real-world scenarios. Personally, I like the story-based events because they are more like a game.

Why Participate in a CTF?

CTF events are a great way to test and grow your cybersecurity knowledge. The best part is that you don’t need to be an expert to join. There are beginner-friendly CTF events that allow all types of people to engage and learn about security. I think everyone should participate in a CTF event at some point. That way, they can see how their knowledge applies towards cybersecurity.

This past weekend I was able to participate in the "Queen City Conference CTF 2024" event hosted by MetaCTF at Queen City Con. This event allowed teams of up to 4, had good participation, and was highly competitive. While 1st place was far in the lead, the next 5 places all ended within a few hundred points of each other. Unfortunately, my team only placed in 5th, but we still had a lot of fun.

What to Expect from a CTF

The Queen City Conference CTF had a wide range of challenges. Some were very technical and some were more hands-on physical challenges like lock picking and decoding by hand.

There were challenges of inspecting files for metadata or hidden data, decoding encryptions/encodings, viewing html and network data, and so much more. I particularly enjoyed the lock picking challenges, manually reading a QR code, and using my newly obtained Wireshark skills (from a workshop at the conference). I never thought I would know how a QR code is laid out and actually read one!

If you are new and want to participate in a CTF event, it may be useful to look at prior events that likely have walkthrough guides for some of the challenges (Here is a link to some write-ups on previous MetaCTF challenges). I am not doing a write-up in this article, but may do some in the future.

Upcoming CTF Events to Try

There are a few free holiday-themed CTF events coming up that would be great for beginners. A couple of recommendations I have are

• Advent of Cyber 2024 by TryHackMe

• SANS Holiday Hack Challenge 2024

These events are a great way to get started with CTF events and add some extra fun with the holiday theme.

Tools to use in a CTF

So, you signed up or are looking to sign up for a CTF event... now what?

There are some common tools that will likely come in handy for an event, but there are some challenges that may require some research or prior knowledge. Here are a few common tools or applications that can be used to help you along the way.

CyberChef

a tool that allows you to perform actions in a specified order on a given input (also recommended for use in a few challenges from MetaCTF)

VMWare Fusion/VirtualBox/Hypervisor

- this tool allows having a virtual operating system running on your current system. For example, you could have a version of Windows running inside of another Windows machine, or run a version of Linux (such as Kali).

Kali Linux

- A common open-source operating system used by security professionals and hackers. It includes many hacking, research, forensics, and reverse engineering tools with the operating system.

Ghidra

- a reverse engineering tool which allows you to decompile an application for reverse engineering

Strings

- a tool that gets all of the text of a given length out of a file

netcat

- a networking tool for sending and receiving communications

hexedit

- a tool allowing you to view the hexidecimal values of a file

John the Ripper

- a password cracking application that allows cracking passwords with known exploited password hashes (like a fingerprint of a password).

As an added tip: you can check if your passwords have been in a breach by checking Have I been Pwned - the best way to prevent getting exploited is to use a password manager like 1Password

Burp Suite

- An application allowing for inspection and manipulation of web requests

Browser developer tools (F12)

- built in tools in the internet browser application which allows you to view HTML and script components, see network activity, and view application data and cookies stored on your machine.

Google/DuckDuckGo/Bing

- If you aren't sure of something, Google often has some good answers. You may also be able to find a similar challenge from another CTF event that will help you in the one you are doing.

ChatGPT/Gemini/AI system

- These AI tools can be very helpful in determining your next steps in a challenge or pointing you in the right direction.

Be careful what you put into the AI system since the conversations may be stored in the AI's databases.

Our team also ran into a couple of instances where the AI chatbot would make up results instead of saying it didn't know how to solve something. So make sure you validate the answer it gives.

Many, many more

A quick web search can show you tools for your specific challenge. This particular CTF shows the category of the challenge so tool lookup may be a little easier in that case.

Learn More About Cybersecurity

Want to learn more about cybersecurity? We can help! Our team is ready to help guide you through your questions and improve your security posture. Contact us today for a free consultation. Let’s work together to secure your digital environment.