Slashdot Mirror
Ask Slashdot: Capture the Flag Training
An anonymous reader writes "I'm a computer science professor and a group of students want me to help them train for a capture the flag competition. I am interested in this and I'm familiar with security in general, but I've never been involved in one of these competitions. Does anyone know of any resources which would be useful to train for this?"
lots of paintball capture the flags on roblox. not very realistic motions however unless you can jump higher than your head
Some drink at the fountain of knowledge. Others just gargle.
As in a real-world Capture the Flag or in a game like Team Fortress CTF?
...use Unreal Tournament 99. Lots of levels for CTF, Last Man Standing, Deathmatch, Team Deathmatch and Assault.
Most computer science students are fat and out of shape. Someone could get hurt.
The comments to this post are hilarious.
Pico CTf is a good start.
"I'm a computer science professor and a group of students want me to help them train for a capture the flag competition."
Why not just be a scout leader?
Www.ingress.com. it's about dominating control points. Lots of strategy and games are ongoing abd dynamic.
Get as much information about the playing field as possible, and also the opponent robots. Study multiple strategies, and play them against each other. The optimum would identify the enemy's strategy and play the one strongest against that, but you may be unable to reliably identify it. When choosing a strategy, consider the rules and whether it is better to score as many flags as possible, or win as many games as possible.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Google Gruyere
OWASP's vulnerable web app project
HackThis Site
Not sure if the comments are hilariously misguided or weak trolls. Either way, good job.
Next month:
Team coached by Slashdotter banned from CTF competition. It took security two hours to apprehend all team members, who were running around non-stop. "We were just looking for their flag", said one of the members. When asked for their reasons to run like madmen on coke, they had this to say: "The other teams were not even trying, they were just fucking around on their computers. We found it strange at first, but kept looking". They accused other teams of cheating, stating "we searched for hours and found not a single flag, zero. The cheating bastards broke the rules, and even laughed at us. We found out and have been banned."
When pressed for comments, their coach mumbled something about "stupid [inaudible] beta" and walked away without making eye contact.
You didn't say how old your students are. If they're still in high school (or younger), consider the CyberPatriot competition. It's a National Youth Cyber Education Program, put on by the Air Force. In the competition, teams are given VM images that have various vulnerable operating systems that they have to keep operational while they keep them secure. The earlier rounds feature a scoring robot; in the later rounds the students face a Red Team.
The entire competition is focused on defense, so there are no points for attack. Teams from around the country compete for a trip to the national finals. Prizes include scholarships for the winning teams.
If you're interested, have a look at https://en.wikipedia.org/wiki/... . Today is the last day to register teams for this year's competition, so you might want to look quickly.
Even if you're not interested in standing up a competitive team, their site provides instructions on how to build practice images, and you can download their scoring bot to see how well your teams fared. http://www.uscyberpatriot.org/...
John
I would recommend rolling your own mini CTF style competition. Here at Evergreen some of the members have been creating chals for the rest of the team to solve as practice for the upcoming CSAW finals. They range from the very simple to somewhat complicated.
For some examples on what you can do, check out:
ctf.hackevergreen.com
We often use resources from websites like:
root-me.org
phrack magazine
(esp good one about stack smashing http://phrack.org/issues/49/14...)
Sorry about following up to myself, but I just thought of another resource. The Information Security stackexchange site has several postings you might find of value. Search for CTF: http://security.stackexchange.... and you'll find really helpful sites like http://capture.thefl.ag/
John
I'm a traditionalist.
O lord, bless this thy holy hand grenade, that with it thou mayest blow thine enemies to tiny bits, in thy mercy.
That is, if you're trying to figure out WTF the CTF in question is. (I've never heard of it before, but it sounds cool.)
Capture the Flag (CTF) is a special kind of information security competitions. There are three common types of CTFs: Jeopardy, Attack-Defence and mixed.
Jeopardy-style CTFs has a couple of questions (tasks) in range of categories. For example, Web, Forensic, Crypto, Binary or something else. Team can gain some points for every solved task. More points for more complicated tasks usually. The next task in chain can be opened only after some team solve previous task. Then the game time is over sum of points shows you a CTF winer. Famous example of such CTF is Defcon CTF quals.
Well, attack-defence is another interesting kind of competitions. Here every team has own network(or only one host) with vulnarable services. Your team has time for patching your services and developing exploits usually. So, then organizers connects participants of competition and the wargame starts! You should protect own services for defence points and hack opponents for attack points. Historically this is a first type of CTFs, everybody knows about DEF CON CTF - something like a World Cup of all other competitions.
Mixed competitions may vary possible formats. It may be something like wargame with special time for task-based elements (like UCSB iCTF).
CTF games often touch on many other aspects of information security: cryptography, stego, binary analysis, reverse engeneering, mobile security and others. Good teams generally have strong skills and experience in all these issues.
https://ctftime.org/ctf-wtf/
For your convenience I have put some good resources in C:/ on the FBI mainframe.
When things get complex, multiply by the complex conjugate.
The Fugitive Game, by J. Littman (9780316528696).
Um... that's it, really. Unless you got time, in which case you could pick up The Art of Intrusion, The Art of Deception, or Ghost in the Wires (all K. D. Mitnick).
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
I'm also a comp sci prof and have played many cybersec ctfs. If you want to have a chat on the phone pm me and I can give some tips.
Best
Gareth
quakelive kind of ctf? 2 runs after the flags, the rest guards the base, keep running keep running keep running never stop.
I went looking for some open-source software to facilitate multi-team cyber training. There didn't seem to be much around so I wrote this set of python scripts to provide some basic CTF-like training - http://sourceforge.net/project.... You still have to set up all the servers and networking, but this lets you set up new tokens and keep score.
Stop pretending to be banal, and sit up; it'll ruin your posture.
(for some reason the first time I loaded this page there were no comments, so some of this is duplicate)
Excellent! Very glad to hear it. There are a /ton/ of helpful resources out there for you. Here's a brain-dump of some of the most popular:
* CTFTime : http://ctftime.org/ : Website that tracks team scores, upcoming events, and writeups for previous events.
* CapTF : http://captf.com/ : My CTF dump-site that includes a calendar, links to "practice" sites (aka Wargames), and many years worth of CTF events archived
* Field Guide : http://trailofbits.github.io/c... : Specifically covering the skills / approaches, the field guide is a good read for anyone getting into this world.
* Guide for Running a CTF : https://github.com/pwning/docs... : Written by PPP (CMU's ever-dominant CTF team) along with feedback from the broader CTF community, this guide is more relevant when making a CTF, but can aid in understanding how the good CTFs are designed.
* PicoCTF : https://picoctf.com/ : PicoCTF is designed for high school students, but had an awesome difficulty curve, getting up to some relatively advanced challenges by the end of it. It's also extremely well designed, runs for a longer period of time and is a
* CSAW : https://ctf.isis.poly.edu/ : One of the best events targeted specifically at College students, unfortunately the qualifier round just finished, and the participants already selected for the final round, but you can always check out the archives of previous challenges to get a feel for the difficulty. Note that the qualifier event is typically intended to be much easier than the in-person finals to better encourage new students to get into the sport.
* IRC : irc.freenode.net#pwning : There's a lively and active community in #pwning on freenode that would be happy to help you with questions/advice related to CTFs.
* YouTube : There's a couple of different presentations/talks on CTFs over the years. If your'e interested in learning more about attack-defense CTFs and in-particular DEF CON CTF, I gave an old talk that's mostly still relevant (https://www.youtube.com/watch?v=okPWY0FeUoU), though I'd recommend you not focus on A/D at first, but just get into the regular challenge based or jeopardy boards as they're sometimes called.
The best way to prepare for CTF is by... playing CTFs. There's no real magic formula, just go out there and start working on challenges. Old CTFs are great as learning exercises since you can usually cheat and read a writeup, but avoid the temptation as much as possible. If stuck, go off and try another problem first, and only if you're /really/ stuck should you check out a writeup.
To train for CTF you may practice on root-me.org
Also has IRC, forum, and some ressources.
$ grep -v flag ctf.txt
Along with the practice images others mentioned, some of your students may be interested in these free online classes, particularly the CYB-201 track.
http://www.teex.org/teex.cfm?p...
Trail of Bits have written a startup guide: https://trailofbits.github.io/ctf/ctf.html
You will probably like to take a look at the Kali Linux distribution: http://www.kali.org/
It's a Ubuntu based live distro (can be installed too) with lots of security tools.
For web security you should take a look at WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
It's a deliberately insecure Java web application with tutorials on each vulnerability.
http://www.kioptrix.com/ - Is a couple of downloadable VM's with old but real vulnerabilities that you can use Metasploit or other public exploits on.
For reverse engineering you can go to http://crackmes.de/ where you can download thousands of crackmes written in many languages and for many architectures and in many levels of difficulty.
For binary exploitation try this one: http://io.smashthestack.org:84/
You get ssh access to the 'level1' user through which you can somehow elevate you privilege to the 'level2' user and read his password. You can then relogin as 'level2' and elevate to 'level3' aaaand so on. They start out easy but become devilish.
This one is also fun: http://treasure.pwnies.dk/
Many different challenges.
ShellStorm has an archive containing many challenges from previous CTFs: http://repo.shell-storm.org/CTF/
Play with and crack them.
If you like hours of videolectures goto http://opensecuritytraining.info/
When you feel like you know a little, go to https://ctftime.org/ and sign up for the next CTF, get your asses kicked and learn a lot...then sign up for the next and get your asses kicked a little less and learn a lot...repeat many times and become h4x0rz.
HackThisSite has been around since 2003. Its missions are old, but it's one of many good starting points. They're updating their challenges, too .. eventually.
Take a look at this list of practice or permanent CTFs. The root of the site also has a great archive of past CTFs, and other useful stuff.
This is the best advice for any competition.
Alsi arm yourselves with every tool you csn think of. Any minute spent familiarizing yourself with an extra tool is well spent.
Several years ago I led a team of capture the flag, our main tool was simply metasploit(the only tool we used more than once), 8 hours into the conpetition we were down to the last flag trailing the leading team by 15 minutes. We collected a hint stating that some users use the same password on multiple servers which got us to attempt to retrieve all passwords from an already compromised windows machine and try them on an apparently iron clad linux box with nothing but the latest openssh exposed. The other teams were using john the ripper but we had rainbow tabels. This is the only different tool we used and it gave us the win.
Eindbazen ebctf sources on github
Make sure you get specific written permissions, and execute your exercise in a controlled, preferably closed, network to prevent unintended or collateral damage. Lots of laws come into play, and you don't want to risk liability for damage or criminal culpability for breaking any laws.
Either way, start with portable computing. 0wn the server fake the flag. w00t.
who's IP is 69.144.75.19 ? =).
Most commentators are assuming a computer-based game which is a reasonable assumption, but not guaranteed. They might actually want to do something different and get out into the woods.
My experience with CTF games using paintball guns is the the vast majority of players want to strike out on their own or with a couple friends and be the hero. No concept of discipline, organization, or coordinated action exists. These groups of Rambos are easy pickings for any group that has learned to work together in a planned action. Military veterans and most people who have spent time playing in team sports will have developed the skills and ability to work in a group. Enlist people like that to teach your students to work together.