CTF Overview

CTF UCLA has three types of questions:

Flag

An offline challenge which usually provides a small file to download. Example: “Take this binary and exploit it to get it to emit a hidden phrase (the flag).” Flags can be of many types, but common ones are:

Binary exploitation or reverse-engineering: find a hidden phrase in a binary (compiled program) or modify its behavior in unintended ways

Cryptography: A challenge in which you need to decode a file or plain text. CTF UCLA has no crypto questions this year. Example: “This plain text file is encoded. Decode it to find the hidden message.”

Steganography: A challenge involving finding or extracting a hidden message from a picture. Example: “Here is a .jpg image, find the flag hidden in it.”

Base

An online challenge where an up-and-running system must be compromised. We don’t have any base problems during this CTF, but maybe next year! Example: “This web app is vulnerable. Compromise it and get it to emit a hidden phrase (the flag).”

Quiz

A short question to which you input an answer. Example: “What is the largest key size for AES?”

What is an Exploit?

An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized).

A better question, though, is how do you figure out which exploit to use? Unfortunately, there isn’t any kind of formula or algorithm that can guarantee you an answer; however, here are a few tips:

Tips

Read the question title and text carefully. Questions often contain hints about the exploit to use, or at least what you need to google.

Google anything and everything. Seriously, Google is your best friend during a CTF. Google terms remotely related to the question, heck if you are really stuck, Google ‘common CTF flag questions’ or check cybersecurity Stack Overflow. For beginners, CTFs often become a competition about who can google the best and learn new topics fastest.

Often, knowing the background or underlying infrastructure behind operating systems or the basic functioning of ports makes figuring out an approach easier. Wikipedia articles are usually sufficient.

Common ports used:

OSI:

HTTP:

TCP/IP:

Here’s a quick reference to figure out what kind of challenge you are facing, based on what’s given in the question:

Web link: Web question (relating to/using HTTP, PHP, Javascript, SQL, curl, nc)

Image/Music File: Steganography (https://en.wikipedia.org/wiki/Steganography)

Jumbled Text File: Cryptography (we don’t have any for this CTF)

Still in doubt? Never fear, use the file command on terminal/command line:

file <filename>

Let’s interpret the results

PCAP/anything web or packet related: Web question

ELF/an executable: Reverse engineering (a kind of flag, need to disassemble using GDB)

Any other output? Plug the results into Google.

This link provides a more in depth explanation of the things I mentioned above and can serve as a great supplementary resource:

Quiz

Quiz questions are pretty straightforward, you’ll get a question based on your understanding of computer systems and cybersecurity. The right answer will give you the points you need.

The best way to approach these problems? Google. Google strategically and pay close attention to the phrasing of questions (they often provide clues).

Quizzes test your knowledge of basic cybersecurity and trivia (either historical/linux/port related).

Some quizzes may seem like a test of your googling ability, but in reality they aim to teach you about some really cool aspects of cybersecurity while you read up on new concepts.

Example

How many cookies does ctf.linux.ucla.edu use?

7

Explanation:

Cookies are pieces of data a website tells a browser to store on its behalf. They’re typically used to maintain state for a website, such as which user the browser is logged in as, or what is in the shopping cart.

The simplest way to look at cookies is to use the browser’s developer console and inspect the Cookies tab. Doing so will show 7 cookies.

Unfortunately, a pure HTTP tool like curl may not work here, due to the possibility of a website using JavaScript and AJAX to set additional cookies beyond the initial page load.

Steganography

To quote our lord and savior Google,

“Steganography is the hiding of a secret message within an ordinary message and the extraction of it at its destination.”

In simpler words, steganography is basically hiding a secret in an image. To be able to solve a steganography question, you need to process the image until you uncover something suspicious. Knowledge of how image data is stored will also come in handy.

The two most common approaches to steganography include:

Applying filters using GIMP/Photoshop and playing around with it

Processing pictures using online software/scripts

Reading this link will greatly help you during the CTF: https://github.com/ctfs/resources/tree/master/topics/steganography/file-in-image

Example:

https://ctfs.github.io/resources/topics/steganography/invisible-text/README.html

GDB

GDB is the GNU Project debugger, which allows you to step through a program. It’s generally used to catch bugs, and in our case, to exploit these bugs as well. To quote the official GDB guide, this is what you can do with GDB to try solving challenges:

Start your program, specifying anything that might affect its behavior.

Make your program stop on specified conditions (setting breakpoints/watchpoints).

Examine what has happened, when your program has stopped.

Change things in your program, so you can experiment with correcting the effects of one bug and go on to learn about another.

Here are two cheatsheets of key GDB commands

These are the basic commands you definitely need to know, run these in terminal/command line:

gdb program [core] : debug program [using coredump core]

b [file:]function : set breakpoint at function [in file]

run [arglist] : start your program [with arglist]

bt : backtrace: display program stack

p expr : display the value of an expression

c : continue running your program

n : next line, stepping over function calls

s : next line, stepping into function calls

Flags

The goal is simple, find a string of characters — the flag. Doing it? Not so much! But we’re here to help. Flags generally involve downloading a file and figuring out what vulnerability in the file to exploit.

Here are some common exploits:

Buffer overflow

Binary exploitation/Reverse Engineering

SQL Injection

Cross Site Scripting

Example:

Quote of the Day 1 (An actual problem from last year’s CTF!)

A certain distinguished captain is fond of speaking words of wisdom. As such, he provides a quote-of-the-day service so his followers can be touched by his brilliance every day. Not everyone has access though; it will only let you in if you know the password!

You managed to convince a sailor to steal the qotd binary and send it to you.

However, the quote in the binary is out of date. Analyze the binary, retrieve today’s quote from the server, and give us its md5 hash!

Hint: There’s a very obvious segment of code in serve_request

Flag: 51de72fc70308c816406370a71e56012

Explanation:

secure_qotd is the attachment with the outdated quote.

This challenge requires reverse engineering the binary given to you. The binary is a service that listens on a port. When you connect to it (via nc or telnet), it asks for a password and dispenses a quote if you get it right. You need to figure out the password, connect to the real service running on ctf2.linux.ucla.edu:7001, and retrieve the quote on the server.

Reverse engineering may be fresh in the minds of CS33 students. People typically approach it by first running the readelf or strings utilities and checking whether any interesting info comes up. In this case, however, this approach isn’t very useful.

Before diving straight into the gdb grinder though, it might be useful to take a quick look through the disassembly:

objdump -d secure_qotd > secure_qotd.S

If you scan through the disassembly, you will find libc library functions, as well as normal-sounding functions like reap_children, serve_request, and main. In the process of skimming through it, you may also notice a big block of code inside serve_request:

400cd6: c6 45 d0 67 movb $0x67,-0x30(%rbp)

400cda: c6 45 d1 31 movb $0x31,-0x2f(%rbp)

400cde: c6 45 d2 66 movb $0x66,-0x2e(%rbp)

400ce2: c6 45 d3 66 movb $0x66,-0x2d(%rbp)

400ce6: c6 45 d4 6d movb $0x6d,-0x2c(%rbp)

400cea: c6 45 d5 65 movb $0x65,-0x2b(%rbp)

400cee: c6 45 d6 66 movb $0x66,-0x2a(%rbp)

400cf2: c6 45 d7 61 movb $0x61,-0x29(%rbp)

400cf6: c6 45 d8 62 movb $0x62,-0x28(%rbp)

400cfa: c6 45 d9 51 movb $0x51,-0x27(%rbp)

400cfe: c6 45 da 75 movb $0x75,-0x26(%rbp)

400d02: c6 45 db 30 movb $0x30,-0x25(%rbp)

400d06: c6 45 dc 74 movb $0x74,-0x24(%rbp)

400d0a: c6 45 dd 65 movb $0x65,-0x23(%rbp)

400d0e: c6 45 de 73 movb $0x73,-0x22(%rbp)

400d12: c6 45 df 21 movb $0x21,-0x21(%rbp)

If you’ve read the hint (or if you’re just plain perceptive!), you may realize that all of these bytes are alphanumeric ASCII characters. Looking this up in an ASCII table, you’ll find that it translates to

g1ffmefabQu0tes!

And that is indeed the password! From the terminal:

$ echo -n "g1ffmefabQu0tes!" | nc ctf2.linux.ucla.edu 7001

Welcome to my fabulous Quote of the Day dispenser!

To receive my wisdom, please enter the password.

Password:

Here’s the quote of the day:

Only Eat Breakfast In the Morning

To retrieve the md5 hash of this, you can use an online tool, or simply the md5sum utility:

$ echo -n "Only Eat Breakfast In the Morning" | md5sum -

51de72fc70308c816406370a71e56012
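The decoding step above can be automated: the script below is an added example (not part of the original write-up) that parses the serve_request listing shown above, orders the stored bytes by their stack offset and decodes them, then computes the md5 of the quote the same way md5sum does. The listing is pasted in as constructed input so it runs offline without the binary.

```python
import hashlib
import re

# Constructed sample input: the serve_request block from the write-up above,
# pasted in so the script runs offline without the binary.
LISTING = """\
400cd6: c6 45 d0 67 movb $0x67,-0x30(%rbp)
400cda: c6 45 d1 31 movb $0x31,-0x2f(%rbp)
400cde: c6 45 d2 66 movb $0x66,-0x2e(%rbp)
400ce2: c6 45 d3 66 movb $0x66,-0x2d(%rbp)
400ce6: c6 45 d4 6d movb $0x6d,-0x2c(%rbp)
400cea: c6 45 d5 65 movb $0x65,-0x2b(%rbp)
400cee: c6 45 d6 66 movb $0x66,-0x2a(%rbp)
400cf2: c6 45 d7 61 movb $0x61,-0x29(%rbp)
400cf6: c6 45 d8 62 movb $0x62,-0x28(%rbp)
400cfa: c6 45 d9 51 movb $0x51,-0x27(%rbp)
400cfe: c6 45 da 75 movb $0x75,-0x26(%rbp)
400d02: c6 45 db 30 movb $0x30,-0x25(%rbp)
400d06: c6 45 dc 74 movb $0x74,-0x24(%rbp)
400d0a: c6 45 dd 65 movb $0x65,-0x23(%rbp)
400d0e: c6 45 de 73 movb $0x73,-0x22(%rbp)
400d12: c6 45 df 21 movb $0x21,-0x21(%rbp)
"""

# Matches "movb $0xNN,OFFSET(%rbp)": one immediate byte stored into a stack slot.
MOVB_RE = re.compile(r"movb\s+\$0x([0-9a-f]{1,2}),(-?0x[0-9a-f]+)\(%rbp\)")

def recover_stack_string(listing):
    """Collect each byte written to the frame, order the slots by offset (lowest
    address first, i.e. memory order) and decode the run of printable ASCII."""
    slots = {}
    for m in MOVB_RE.finditer(listing):
        value, offset = int(m.group(1), 16), int(m.group(2), 16)
        slots[offset] = value
    chars = []
    for offset in sorted(slots):
        byte = slots[offset]
        if not 0x20 <= byte < 0x7F:  # stop at the first non-printable byte
            break
        chars.append(chr(byte))
    return "".join(chars)

def md5_hex(text):
    """Equivalent of `echo -n "$text" | md5sum -` (no trailing newline hashed)."""
    return hashlib.md5(text.encode()).hexdigest()

if __name__ == "__main__":
    print("recovered password:", recover_stack_string(LISTING))
    print("md5 of the quote:", md5_hex("Only Eat Breakfast In the Morning"))
```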

SQL Injection

SQL Injections generally consist of entering malicious SQL statements into web page input fields.

First things first, what is SQL?

SQL or Structured Query Language is a programming language that deals with the storage of data in relational databases, basically storing data in tables.

Fun fact: SQL keywords aren’t case sensitive!

Common SQL commands

Data Manipulation

SELECT: Display/get data from a database

SELECT <column_name> from <table_name>;

UPDATE: Change existing data of database

UPDATE <table_name> SET <column_name>=<value>;

DELETE: Delete rows/data from database

Deletes all rows: DELETE FROM <table_name>;

Deletes rows with a condition: DELETE FROM <table_name> WHERE <column_name>=<value>;

Data Definition

ALTER: Modify a table’s definition by adding a column

ALTER TABLE <table_name> ADD <column_name> <column_datatype>;

DROP: Remove either a table or database

Table: DROP TABLE <name>;

Database: DROP DATABASE <name>;

Aggregate Functions

AVG: Prints average of a column

SELECT AVG(column) from table;

SUM: Prints sum of a column

SELECT SUM(column) from table;

Operators/Keywords

WHERE: Filter rows for which a condition is true

WHERE <column_name>=<value>

SELECT * FROM table WHERE col1=4;

AND: Same thing as && in C++, both conditions must be true

DELETE FROM table WHERE col1=2 AND col2=4;

OR: Same thing as || in C++, either condition must be true

DELETE FROM table WHERE col1=2 OR col2=4;

ORDER BY: Display rows of a table after sorting by a given column

SELECT * FROM table ORDER BY col1 <ASC or DESC>;

GROUP BY: Group rows by the value of a column, usually combined with an aggregate function

SELECT COUNT(*) FROM table GROUP BY column;

Cheatsheets

Methods generally used during SQL Injection

Adding SQL statements to the end of a URL:

Eg: websitename.com/stuff.php?id=3 order by 1

Entering SQL statements into any form on the website

If putting single quotes in forms leads to a page saying something about syntax error, then the website is probably vulnerable to SQL injection. So, when you approach a question involving forms, make sure to try adding single quotes to different fields.

Eg: Putting the argument ' OR 1=1; /* in the USERNAME field and */ -- in the PASSWORD field of a form

This statement will be evaluated to this by the website:

SELECT * FROM Users WHERE user_id='' OR 1=1; /* ' AND password= ' */ -- '

Everything after the /* essentially becomes a comment, and since 1=1 always evaluates to true, you have just bypassed the need to enter a valid username and password.

Also, make sure to remember that two dashes (--) denote a comment in SQL. It is the equivalent of // in C++.
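To see the bypass above happen, and what stops it, here is an added example (not from the original guide) using Python’s sqlite3 module with a constructed in-memory Users table: the vulnerable function builds the query by string concatenation exactly as in the example, while the safe function binds the same inputs as parameters so the quotes and comment markers are treated as data.

```python
import sqlite3

def make_db():
    """Constructed in-memory Users table standing in for a login form's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user_id TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("captain", "w1sd0m"), ("sailor", "hunter2")])
    return conn

def vulnerable_login(conn, user_id, password):
    """Builds the query by string concatenation, the pattern the injection above
    abuses. Returns the matched user_id, or None when no row matches."""
    query = ("SELECT user_id FROM Users WHERE user_id='" + user_id +
             "' AND password='" + password + "'")
    # With the payload below this becomes:
    #   SELECT user_id FROM Users WHERE user_id='' OR 1=1; /*' AND password='*/ --'
    # Only the part before ';' is a statement; the rest is comments.
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def safe_login(conn, user_id, password):
    """Same lookup with bound parameters: the driver passes the input as data,
    so quotes and comment markers inside it can never change the SQL."""
    row = conn.execute(
        "SELECT user_id FROM Users WHERE user_id=? AND password=?",
        (user_id, password)).fetchone()
    return row[0] if row else None

# The two field values from the example above.
USERNAME_PAYLOAD = "' OR 1=1; /*"
PASSWORD_PAYLOAD = "*/ --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_login(db, USERNAME_PAYLOAD, PASSWORD_PAYLOAD))
    print("safe:", safe_login(db, USERNAME_PAYLOAD, PASSWORD_PAYLOAD))
    print("safe, real credentials:", safe_login(db, "sailor", "hunter2"))
```

The vulnerable version logs the payload in as the first user in the table; the parameterized version returns None for the payload and only succeeds with a real username and password.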

For further reading: https://en.wikipedia.org/wiki/SQL_injection#Technical_implementations

Check out the guides in the Resources section of the guide below to learn more about SQL Injection.

Example:

https://ehsandev.com/pico2014/web_exploitation/injection_1.html

One Last Thing

CTF UCLA is meant to be a way for students of all experience levels to come together to learn about cybersecurity and compete against each other. We want you to gain exposure to a field that’s usually hard to get into, and have fun while doing so!

If you hit a wall while solving a problem, or if you don’t understand any concepts or exploits, ask a mentor. We’re here to help nudge you in the right direction.

Sometimes, if you get stuck, it’s best to take a step back and do another problem. It helps to look at a problem later with fresh eyes. Make sure you and your teammates are on the same page and consider making a game plan for what order you want to solve problems in.

Make use of the resources and guides linked below, they may come in handy.

If you have any feedback about how to make this guide more comprehensive, or if there’s anything that needs to be explained more thoroughly, please let us know! We want to make learning about cybersecurity as accessible as possible.

Resources and Online Guides:

CTF Resources:

CTF Field Guide:

PicoCTF 2014 Challenge Explanation (For more examples of problems similar to the ones at CTF UCLA)

Tools and Resources to Prepare for a Hacker CTF Competition or Challenge (lists commonly used software you may need)

Learn X in Y Minutes (Python 3)

Reverse Engineering for Beginners

The Essential Newbie’s Guide to SQL Injections

Step By Step Guide to SQL Injection

SQL Injection Tutorial for Beginners

Forensics Wiki

SecList (A collection of lists used during security assessments)

Hacksplaining (Lessons with exercises)

SQLBolt (SQL guide)

GDB Guides

Linux Commands Cheat Sheet

Ryan’s Tutorial

Bash Scripting

More practice for next year:

Fun Articles/Blogs about Cybersecurity: