Thursday, 21 December 2017

CTF training

On the 14th of December, our company decided to hold a CTF training provided by Dennis van Halteren and Joep van Gassel of Nováccent Group1 for us poor software developers.

I had never heard of it before, so I was kind of interested.

Capture the Flag is a competition where different teams compete to each find the most "Flags": issues in especially for the competition buildt pieces of software. Different flags have different scores. The Application you are trying to hack will let you know in different fashions about the flags you have found. Some flags are hard, some are easy, their respective points reflect this.

The CTF training consisted of an introduction into security and how to test it, and the main CTF competition.

One of the good points of the introduction, was regarding some of the tools that are used in security and penetration testing, which I will mention here:

BeEF3
a tool for injecting bad stuff into browsers of users by means of a vulnerable website
Kali Linux4
a Linux OS containing a lot of penetration test tools and security tools by default

The introduction was very general and lacked depth and lasted about an hour. I already learned most of it during a session working with WebGoat from OWASP2 some years previously.

The CTF competition was a lot of fun. We sorted ourselved into groups of two or three software designers. Each group was provided with a key with which to enter the portal from which all the assignments could be started. A dashboard showing the different scores was available on the big screen.

A number of web portals were provided to us, which all contained different challenges for us to overcome:

Some of the security issues to detect were:

  • caching
  • escalating priviledges
  • using left-over files that should have been deleted
  • SQL injection
  • using error messages to gain insight into the backend
  • wrong permissions that allow too much
  • examining web code for vulnerabilities (HTML, JavaScript, CSS)

The intensity was very high, all of us competing in finding the most flags the fastest. The combination of thinking very hard, trying stuff, frustration if it didnt't work, the cooperation and communication between team members, made most of us feel quite exhausted at the end of the day.

There was no followup after the competition, which I felt was a pity. The trainers were available for questions regarding some of the assignments during and after the competition.

References

[1] Nováccent Group
https://www.novaccent.nl/
[2] OWASP WebGoat
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
[3] Kali Linux - a free and open-source penetration testing platform
https://www.kali.org/
[4] BeEF - The Browser Exploitation Framework
http://beefproject.com/
Practice CTF List / Permanant CTF List
http://captf.com/practice-ctf/
Wikipedia - Wargame (hacking)
https://en.wikipedia.org/wiki/Wargame_(hacking)

No comments:

Post a Comment