All about the Mystique CTF

All about the Mystique CTF

[Total: 1    Average: 4/5]
[Total: 1    Average: 4/5]
Cairo Security Camp 2018
Rating 0
Post / Page Order By:   Most Rated | Highest Rated
Writing Your Own Malware

[Total:134    Average 3.7]
Issue 20

[Total:34    Average 1.5]
Pentesting on Non-Jailbroken IOS Device’s– PART1

[Total:21    Average 3.9]
Computer Forensics Lab Requirements

[Total:19    Average 3]
Xss Attack Through MetaSploit

[Total:12    Average 4]
CAM Table Overflow Attack & how to prevent it

[Total:8    Average 3.5]
Security of Radio Frequency Identification (RFID) Tags

[Total:8    Average 3.4]
Killing Android Mobile SIM Cards Using USSD

[Total:7    Average 3.7]
Master of Security Science (MSS) By EC-Council University Program Review

[Total:6    Average 2.2]
Pentesting on Non-Jailbroken IOS Device’s!! PART2

[Total:6    Average 3.8]
Post / Page Order By:   Most Rated | Highest Rated
Interview With Vivek Ramachandran Founder of Security Tube.net

[Total:2    Average 5]
Grey Box Pentesting Scenario

[Total:2    Average 5]
Encrypting Windows Traffic Using IPSec PART1

[Total:2    Average 5]
Mobile Device Forensics at a glance

[Total:4    Average 4.8]
Understanding the POS (Point-of-sale) Malware

[Total:2    Average 4.5]
Custom Shellcode Encoders

[Total:5    Average 4.4]
Xss Attack Through MetaSploit

[Total:12    Average 4]
Issue 23

[Total:4    Average 4]
Issue 15

[Total:3    Average 4]
Pentesting on Non-Jailbroken IOS Device’s– PART1

[Total:21    Average 3.9]

 

In the current days, it`s astonishing to find many IT personnel and information security officers not aware about the world of the CTF, though there are many events and organizations handling many CTFs  per year at a large scale.

 

Ctf stands for capture the flag, it`s a competition where security enthusiasts play a various categories of games all related to security, the aim is to find a key in their targets and submit it for points. Of course in each categories there are different levels with different points and by tradition, the team that submits the keys first gets more points.

 

A ctf is usually organized by organizations or entities that are involved in the information security field, also global conferences like defcon have their own ctf, the ucsb ictf comes out from the university of california santa barbra branch, there are plenty of other ctfs too like the cyberollympics ctf with the final round held in hacker halted in usa. You can track them all from a website called ctftime. Org which contains information about the ranking of teams, upcoming ctfs and other related info.

 

 

How does it all happen, well, basically there is an announcement for a qualification phase, that phase is usually online and any person can participate in it, the top teams scoring in the qualification phase can continue in the final phase, the final phase is held offline at a certain place in most of the time. So, let`s dive into the details of the ctf. The ctf has three types, there`s the Jeopadry style: contains some tasks distributed among categories like:

 

 

• Web : where you`re required to find some vulnerabilities in a web application , bypass the security of web ids or certain evaluations, sqli, nosql, lfis, rfis and others lie in this category, i advise you to check the top 10 owasp web security risks.

 

 

• Crypto: here you are generally asked to get the plaintext, given a cypher text and in many cases you are not given the encryption algorithm, you just figure it out, mathematics geeks will find this one worthy, you`ll need writing some code to test and apply your deductions.

 

 
• Reversing: you`re given a compiled application and you`re asked to find the key. You might find the application running and asking you for a password, or it`s even crashing and you`ll have to reverse the application and get used to decompilers and debuggers to patch the application and trace the logic to get the key. Good command of assembly and os concepts is needed. The applications can be on any os including the mobile phones and embedded devices

 

 
• Forensics: a bit of steganography where you`re asked to recover data hidden in images, sound files or even movies and it might be also a memory dump or a capture dump and you`ll have to extract everything piece of information that can lead to you answer.

 
• Trivia: not included in all ctfs, it`s basically some questions asked related to information security that are not so easy to find using google and will require some reading and general knowledge in the field.

 

 

• Exploitation: also not found in all online ctfs, here you`re required to exploit a service running on a remote application and escape the context of the application, to get the contents of the key file, here you might need privilege escalation and finding vulnerabilities in your target platform.

 

 

The other style is called attack-defense:

 

 

It`s basically following the idea of red and blue teams where a team is responsible for patching their network or their host and they are given some time before they are connected to a network containing the hosts of the other team and you try to bypass their security measure and hack their network or pc while defending your resources from their attacks. The ctf are said to have started in this way.

 

Other mixed types combine a mixture of the previous two. The cyberollympics had the attack-defense style without the offensive part of attacking other networks, you only had to patch a fedora and a windows server and you get points on the services patched.

 

So now you are introduced to the types of a ctf. In cairo security camp  the ctfs are of a jeopadry style, we`ve been running the ctf in each cairo security camp. In
2014, which was the 3rd ctf organized by bluekaizen. The qualification phase had more than 250 teams from countries all over the globe. The final round was held during the 2 days of the camp, the first team more smoked leet chicken (mslc) was represented by one of its russian members who ranked the first and won the prize, the second where r0x with a slight difference between them and the third team named rabaa.

 

 

Many people are asking by now, “how can i prepare myself to participate in these interesting games”. Well it`s pretty simple, in order to pass you`ll have to construct a team of various talents covering the categories of the ctf. It`s hard to focus on all of them at once, choose a category and start practicing a lot. A good team consists of people talented in the various categories.

 
If you choose the web challenges then you can download vulnerable web applications like dvwa, webgoat and others, then try to get the most out of them. Get familiar with owasp top 10 vulnerabilities and their protection techniques and how to bypass them.

 
For the reversing and exploitation practice you can refer to the crackmes.De site which has many executables for reversing and you might want to check opensecuritytraining.Info which is a good site with materials supporting a wide range of security training including tutorials on reverse engineering and binary analysis.

 
For forensics, you`ll find plenty of resources and tools, but i recommend playing ctf and downloading the forensics files for later reference and practice. For crypto you can attend the cryptography course at courseera site and practice a lot with their assignments and examples provided.

 

 

A good practice is to play ctfs a lot and review the writeups of teams regarding their solved challenges, you can find these on ctftime.Org too. Many players post their write-ups at their blogs, get social and try to ask them about it in the irc channel of the ctf. This brings us to the communication, many of the egyptian players this year were not familiar with irc (internet relay chat) , it`s a must a quick and effective way to get help and support, so check youtube on dealing with your irc.

 

 

Ctfs are not for script kiddies, expect lots of brain teasers and challenging ideas that will trigger your innovation and skills consistency. Playing a ctf puts your security knowledge to an interesting real world practice and ranks you among other security professionals. Many winner players from the ctfs get offers from many companies and are always under the spotlights. It`s definitely worthy even for the fun and joy of it. You get to know many geeks and talented security pros in such environments.

 

 

We`re trying to put a program where we`ll able to hold more ctf at a more frequent rate and we`re thinking of starting mini ctfs in universities and making another one among all the universities that have bluekaizen chapters and will try to include more categories like social engineering and other physical hacking categories. Keep tuned and for more info please contact [email protected]

 

 

About The Author

 

mohab ali

 

 

 

 

 

 

 

 

Information Security Consultant, at EG-CERT

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *