If you want to learn how to defeat computer security, nothing beats hands-on experience. Of course, if you get your hands on someone’s system without their permission, you may end up having a very short training that ends with a jail term. And that’s where capture-the-flag (CTF) events come in.
A CTF is a system of increasingly-difficult challenges that can’t be too easy or too hard. A well-designed CTF teaches all of the participants stuff that they didn’t know, no matter how far they get and what skills they came in with. Designing a good CTF is difficult.
But since it’s also a competition, running one also involves a lot of horrible bookkeeping for the folks running it. Registering teams and providing login pages is the dirty work that you have to do in the background, that takes away time from building the systems which others are going to take apart.
Which is why it’s great that Facebook is opening up their CTF-hosting platform, along with a few starter challenges, for us all to play along. We love CTFs and related hacking challenges. If this spurs the creation of more, we’re all for it. You can find the whole setup on GitHub.
If you’re new to CTFs, here’s an awesome collection of CTF-related material on GitHub to get you started. And if your tastes run more toward hardware hacking, we’ve covered previous firmware CTFs, but frankly there’s a lot more material out there. We feel a feature post coming on…
Thanks [ag4ve] for the unintentional tip!
There’s a great game of capture-the-flag that takes place every year at HITCON. This isn’t your childhood neighborhood’s capture-the-flag in the woods with real flags, though. In this game the flags are on secured servers and it’s the other team’s mission to break into the servers in whatever way they can to capture the flag. This year, though, the creators of the game devised a new scoreboard for keeping track of the game: a lightsaber.
In this particular game, each team has a server that they have to defend. At the same time, each team attempts to gain access to the other’s server. This project uses a lightsaber stand that turns the lightsabers into scoreboards for the competition at the 2015 Hacks In Taiwan Conference. It uses a cheap OpenWRT Linux Wi-Fi/Ethernet development board, LinkIt Smart 7688 which communicates with a server. Whenever a point is scored, the lightsaber illuminates and a sound effect is played. The lightsabers themselves are sourced from a Taiwanese lightsabersmith and are impressive pieces of technology on their own. As a bonus the teams will get to take them home with them.
While we doubt that this is more forced product integration advertisement from Disney, it certainly fits in with the theme of the game. Capture-the-flag contests like this are great ways to learn about cyber security and how to defend your own equipment from real-world attacks. There are other games going on all around the world if you’re looking to get in on the action.
Continue reading “Capture the Flag with Lightsabers”
If you’ve ever been to a capture the flag hacking competition (CTF), you’ve probably seen some steganography challenges. Steganography is the art of concealing data in plain sight. Tools including secret inks that are only visible under certain light have been used for this purpose in the past. A modern steganography challenge will typically require you to find a “flag” hidden within an image or file.
[Anfractuosus] came up with a method of hiding packets within a stream of network traffic. ‘Timeshifter’ encodes data as delays between packets. Depending on the length of the delay, each packet is interpreted as a one or zero.
To do this, a C program uses libnetfilter_queue to get access to packets. The user sets up a network rule using iptables, which forwards traffic to the Timeshifter program. This is then used to send and receive data.
All the code is provided, and it makes for a good example if you’ve ever wanted to play around with low-level networking on Linux. If you’re interested in steganography, or CTFs in general, check out this great resource.
Hacking conferences often feature a Capture the Flag, or CTF event. Typically, this is a software hacking challenge that involves breaking into targets which have been set up for the event, and capturing them. It’s good, legal, hacking fun.
However, some people are starting to build CTFs that involve hardware hacking as well. [Balda]’s most recent hardware hacking challenge was built for the Insomni’hack 2014 CTF. It uses an MSP430 as the target device, and users are allowed to enter commands to the device over UART via a Bus Pirate. Pull off the exploit, and the wheel rotates to display a flag.
For the first challenge, contestants had to decompile the firmware and find an obfuscated password. The second challenge was a bit more complicated. The password check function used memcpy, which made it vulnerable to a buffer overflow attack. By overwriting the program counter, it was possible to take over control of the program and make the flag turn.
The risk of memcpy reminds us of this set of posters. Only abstaining from memcpy can 100% protect you from overflows and memory disclosures!
The folks at Matasano Security and Square have teamed up to build an online capture the flag (CTF) competition. The Microcorruption CTF focuses on embedded security and challenges players to reverse engineer a fictional “Lockitall LockIT Pro” lock system.
Each level places you in a debugging environment with a disassembly listing, live memory view, register view, and debugging console. You can set breakpoints, step through code, and modify registers like in a real debugging environment. Your goal is to figure out how to bypass the lock to collect bearer bonds.
While the device and motive may be fictional, the assembly is actual MSP430 code. The debugger is similar to GDB connected to a remote target using OpenOCD. There’s even a manual (PDF) to help you get up to speed with writing MSP430 code for the device.
This CTF looks like a great introduction to embedded security, and doesn’t require buying real hardware. It even includes a full tutorial to get you started.
Last month, in preparation for Defcon 17, the qualifiers were held for capture the flag, one of Defcon’s most well known events. One participant, [mongii], did a writeup on how to solve problem B300. The challenge was to find the decryption key used by a program that had several twists that hindered debugging. After grappling with self-modifying code and junk instructions, the team was finally able to find the answer. This win helped Sapheads place in the top 10. Over at xchng.info, they are collecting solutions to the other problems. Sadly, they’re not all in comic form.
Kenshoto, organizer of the official Defcon Capture the Flag contest for the last four years, has stepped down from the position, and thus Defcon is looking for a new organizer for the event. If you’re highly competent, and maybe a little crazy, this might be your chance to step in and run one of the most well-known and prestigious hacking contests in the world. Please understand that the staff is looking for someone who wants to take ownership of the contest and make something new, unique, and challenging, and that Kenshoto has left extremely huge shoes to fill. Merely offering to replicate the existing contest and keep things mostly unchanged isn’t going to cut it.
If you’re up to the challenge, check out Dark Tangent’s post on the Defcon forums (which, for some odd reason, sounds strikingly like his 2005 post calling for a CTF organizer), where he comprehensively lays out what the staff is looking for in a new event organizer. If it jives well with you, get in touch with the Defcon staff, and maybe we’ll be covering your contest later this year.