Ask Slashdot: Capture the Flag Training
An anonymous reader writes "I'm a computer science professor and a group of students want me to help them train for a capture the flag competition. I am interested in this and I'm familiar with security in general, but I've never been involved in one of these competitions. Does anyone know of any resources which would be useful to train for this?"
Lots of paintball capture the flags on Roblox. Not very realistic motions, however, unless you can jump higher than your head.
Some drink at the fountain of knowledge. Others just gargle.
As in a real-world Capture the Flag or in a game like Team Fortress CTF?
...use Unreal Tournament 99. Lots of levels for CTF, Last Man Standing, Deathmatch, Team Deathmatch and Assault.
Most computer science students are fat and out of shape. Someone could get hurt.
The comments to this post are hilarious.
PicoCTF is a good start.
The Armed Forces are experts in this kind of training.
(what answer you expect when you don't clarify what this "capture the flag" thing is?)
"I'm a computer science professor and a group of students want me to help them train for a capture the flag competition."
Why not just be a scout leader?
www.ingress.com. It's about dominating control points. Lots of strategy and games are ongoing and dynamic.
Get as much information about the playing field as possible, and also the opponent robots. Study multiple strategies, and play them against each other. The optimum would identify the enemy's strategy and play the one strongest against that, but you may be unable to reliably identify it. When choosing a strategy, consider the rules and whether it is better to score as many flags as possible, or win as many games as possible.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Google Gruyere
OWASP's vulnerable web app project
HackThisSite
Not sure if the comments are hilariously misguided or weak trolls. Either way, good job.
Next month:
Team coached by Slashdotter banned from CTF competition. It took security two hours to apprehend all team members, who were running around non-stop. "We were just looking for their flag", said one of the members. When asked for their reasons to run like madmen on coke, they had this to say: "The other teams were not even trying, they were just fucking around on their computers. We found it strange at first, but kept looking". They accused other teams of cheating, stating "we searched for hours and found not a single flag, zero. The cheating bastards broke the rules, and even laughed at us. We found out and have been banned."
When pressed for comments, their coach mumbled something about "stupid [inaudible] beta" and walked away without making eye contact.
You didn't say how old your students are. If they're still in high school (or younger), consider the CyberPatriot competition. It's a National Youth Cyber Education Program, put on by the Air Force. In the competition, teams are given VM images that have various vulnerable operating systems that they have to keep operational while they keep them secure. The earlier rounds feature a scoring robot; in the later rounds the students face a Red Team.
The entire competition is focused on defense, so there are no points for attack. Teams from around the country compete for a trip to the national finals. Prizes include scholarships for the winning teams.
If you're interested, have a look at https://en.wikipedia.org/wiki/... . Today is the last day to register teams for this year's competition, so you might want to look quickly.
Even if you're not interested in standing up a competitive team, their site provides instructions on how to build practice images, and you can download their scoring bot to see how well your teams fared. http://www.uscyberpatriot.org/...
John
Similar competition but more focused on defense, rather than both offense and defense. Also designed to be done at the college level.
Best reply ever. Had me laughing my ass off.
I would recommend rolling your own mini CTF style competition. Here at Evergreen some of the members have been creating chals for the rest of the team to solve as practice for the upcoming CSAW finals. They range from the very simple to somewhat complicated.
For some examples on what you can do, check out:
ctf.hackevergreen.com
We often use resources from websites like:
root-me.org
phrack magazine
(esp good one about stack smashing http://phrack.org/issues/49/14...)
Sorry about following up to myself, but I just thought of another resource. The Information Security stackexchange site has several postings you might find of value. Search for CTF: http://security.stackexchange.... and you'll find really helpful sites like http://capture.thefl.ag/
John
I'm a traditionalist.
O lord, bless this thy holy hand grenade, that with it thou mayest blow thine enemies to tiny bits, in thy mercy.
My corporate overlord can kick your corporate overlord's butt.
That is, if you're trying to figure out WTF the CTF in question is. (I've never heard of it before, but it sounds cool.)
Capture the Flag (CTF) is a special kind of information security competition. There are three common types of CTFs: Jeopardy, Attack-Defence and mixed.
Jeopardy-style CTFs have a couple of questions (tasks) in a range of categories. For example, Web, Forensic, Crypto, Binary or something else. A team can gain some points for every solved task. More points for more complicated tasks usually. The next task in a chain can be opened only after some team solves the previous task. When the game time is over, the sum of points shows you a CTF winner. A famous example of such a CTF is Defcon CTF quals.
Well, attack-defence is another interesting kind of competition. Here every team has its own network (or only one host) with vulnerable services. Your team usually has time for patching your services and developing exploits. So, then the organizers connect the participants of the competition and the wargame starts! You should protect your own services for defence points and hack opponents for attack points. Historically this is the first type of CTF; everybody knows about DEF CON CTF - something like a World Cup of all other competitions.
Mixed competitions may vary in possible formats. It may be something like a wargame with special time for task-based elements (like UCSB iCTF).
CTF games often touch on many other aspects of information security: cryptography, stego, binary analysis, reverse engineering, mobile security and others. Good teams generally have strong skills and experience in all these issues.
https://ctftime.org/ctf-wtf/
For your convenience I have put some good resources in C:/ on the FBI mainframe.
When things get complex, multiply by the complex conjugate.
All the info is on their website - http://www.ctf.ca/ctfweb/en
The Fugitive Game, by J. Littman (9780316528696).
Um... that's it, really. Unless you got time, in which case you could pick up The Art of Intrusion, The Art of Deception, or Ghost in the Wires (all K. D. Mitnick).
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
I'm also a comp sci prof and have played many cybersec ctfs. If you want to have a chat on the phone pm me and I can give some tips.
Best
Gareth
quakelive kind of ctf? 2 runs after the flags, the rest guards the base, keep running keep running keep running never stop.
Stop pretending to posture, it's so banal.
Google search
Let me Google that for you
I went looking for some open-source software to facilitate multi-team cyber training. There didn't seem to be much around so I wrote this set of python scripts to provide some basic CTF-like training - http://sourceforge.net/project.... You still have to set up all the servers and networking, but this lets you set up new tokens and keep score.
Consult with Donkeylips.
I, for one, welcome our new corporate overlords.
Stop pretending to be banal, and sit up; it'll ruin your posture.
(for some reason the first time I loaded this page there were no comments, so some of this is duplicate)
Excellent! Very glad to hear it. There are a /ton/ of helpful resources out there for you. Here's a brain-dump of some of the most popular:
* CTFTime : http://ctftime.org/ : Website that tracks team scores, upcoming events, and writeups for previous events.
* CapTF : http://captf.com/ : My CTF dump-site that includes a calendar, links to "practice" sites (aka Wargames), and many years worth of CTF events archived
* Field Guide : http://trailofbits.github.io/c... : Specifically covering the skills / approaches, the field guide is a good read for anyone getting into this world.
* Guide for Running a CTF : https://github.com/pwning/docs... : Written by PPP (CMU's ever-dominant CTF team) along with feedback from the broader CTF community, this guide is more relevant when making a CTF, but can aid in understanding how the good CTFs are designed.
* PicoCTF : https://picoctf.com/ : PicoCTF is designed for high school students, but had an awesome difficulty curve, getting up to some relatively advanced challenges by the end of it. It's also extremely well designed, runs for a longer period of time and is a
* CSAW : https://ctf.isis.poly.edu/ : One of the best events targeted specifically at College students, unfortunately the qualifier round just finished, and the participants already selected for the final round, but you can always check out the archives of previous challenges to get a feel for the difficulty. Note that the qualifier event is typically intended to be much easier than the in-person finals to better encourage new students to get into the sport.
* IRC : irc.freenode.net#pwning : There's a lively and active community in #pwning on freenode that would be happy to help you with questions/advice related to CTFs.
* YouTube : There's a couple of different presentations/talks on CTFs over the years. If you're interested in learning more about attack-defense CTFs and in particular DEF CON CTF, I gave an old talk that's mostly still relevant (https://www.youtube.com/watch?v=okPWY0FeUoU), though I'd recommend you not focus on A/D at first, but just get into the regular challenge based or jeopardy boards as they're sometimes called.
The best way to prepare for CTF is by... playing CTFs. There's no real magic formula, just go out there and start working on challenges. Old CTFs are great as learning exercises since you can usually cheat and read a writeup, but avoid the temptation as much as possible. If stuck, go off and try another problem first, and only if you're /really/ stuck should you check out a writeup.
There's no real discussion here any more, just hordes of corporate defenders and a few odd posturing pretenders..
Read the articles that fit under "News for nerds, stuff that matters", you will find the good comments there.
Political shit articles, slashvertisements for the next iThing or scam, and Ask Slashdot on things not related to technology attract bad comments. That is because the readers aren't really interested in them and use them for trolling.
Bring back good articles and you will see good and interesting comments.
To train for CTF you may practice on root-me.org
Also has IRC, forum, and some resources.
$ grep -v flag ctf.txt
You'd best pack up and forget about such silly things! Haven't you been reading Slashdot?? Global Warming is coming! Be afraid!!
Obviously not banal enough for you to stop posting.
Along with the practice images others mentioned, some of your students may be interested in these free online classes, particularly the CYB-201 track.
http://www.teex.org/teex.cfm?p...
Trail of Bits have written a startup guide: https://trailofbits.github.io/ctf/ctf.html
You will probably like to take a look at the Kali Linux distribution: http://www.kali.org/
It's a Ubuntu based live distro (can be installed too) with lots of security tools.
For web security you should take a look at WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
It's a deliberately insecure Java web application with tutorials on each vulnerability.
http://www.kioptrix.com/ - A couple of downloadable VMs with old but real vulnerabilities that you can use Metasploit or other public exploits on.
For reverse engineering you can go to http://crackmes.de/ where you can download thousands of crackmes written in many languages and for many architectures and in many levels of difficulty.
For binary exploitation try this one: http://io.smashthestack.org:84/
You get ssh access to the 'level1' user through which you can somehow elevate your privilege to the 'level2' user and read his password. You can then relogin as 'level2' and elevate to 'level3' aaaand so on. They start out easy but become devilish.
This one is also fun: http://treasure.pwnies.dk/
Many different challenges.
ShellStorm has an archive containing many challenges from previous CTFs: http://repo.shell-storm.org/CTF/
Play with and crack them.
If you like hours of video lectures go to http://opensecuritytraining.info/
When you feel like you know a little, go to https://ctftime.org/ and sign up for the next CTF, get your asses kicked and learn a lot...then sign up for the next and get your asses kicked a little less and learn a lot...repeat many times and become h4x0rz.
Could it have hurt to put a single link in this story to explain what the hell is meant by Capture the Flag? If ever proof were needed that Slashdot editors don't proof-read stories...
There's also the National Cyber League (you've just missed the enrollment cutoff for that), and if you'd like your students to participate in large-scale competitions against other colleges, there's the Collegiate Cyber Defense Competition.
Full Disclosure: I actively teach students at my alma mater in CTF challenges and we've participated for the past 4 years in NCL and CCDC.
HackThisSite has been around since 2003. Its missions are old, but it's one of many good starting points. They're updating their challenges, too .. eventually.
Take a look at this list of practice or permanent CTFs. The root of the site also has a great archive of past CTFs, and other useful stuff.
Some books by Packt:
Kali Linux CTF Blueprints
Instant Penetration Testing: Setting Up a Test Lab How-To
Building Virtual Pentesting Labs for Advanced Penetration Testing
This is the best advice for any competition.
Also arm yourselves with every tool you can think of. Any minute spent familiarizing yourself with an extra tool is well spent.
Several years ago I led a capture the flag team. Our main tool was simply Metasploit (the only tool we used more than once). 8 hours into the competition we were down to the last flag, trailing the leading team by 15 minutes. We collected a hint stating that some users use the same password on multiple servers, which got us to attempt to retrieve all passwords from an already compromised Windows machine and try them on an apparently ironclad Linux box with nothing but the latest OpenSSH exposed. The other teams were using John the Ripper but we had rainbow tables. This is the only different tool we used and it gave us the win.
Eindbazen ebctf sources on github
Make sure you get specific written permissions, and execute your exercise in a controlled, preferably closed, network to prevent unintended or collateral damage. Lots of laws come into play, and you don't want to risk liability for damage or criminal culpability for breaking any laws.
Either way, start with portable computing. 0wn the server fake the flag. w00t.
Whose IP is 69.144.75.19? =).
US Professor is the normal one. That's why most of the best universities in the world are in the US. We have like 5% of the world's population and nearly 60% of the top ranked universities.
Check out smashthestack
Most commentators are assuming a computer-based game which is a reasonable assumption, but not guaranteed. They might actually want to do something different and get out into the woods.
My experience with CTF games using paintball guns is that the vast majority of players want to strike out on their own or with a couple friends and be the hero. No concept of discipline, organization, or coordinated action exists. These groups of Rambos are easy pickings for any group that has learned to work together in a planned action. Military veterans and most people who have spent time playing in team sports will have developed the skills and ability to work in a group. Enlist people like that to teach your students to work together.