Thursday, 21 December 2017

CTF training

On the 14th of December, our company decided to hold a CTF training provided by Dennis van Halteren and Joep van Gassel of Nováccent Group [1] for us poor software developers.

I had never heard of it before, so I was kind of interested.

Capture the Flag is a competition where different teams compete to find the most "flags": issues in pieces of software built especially for the competition. Different flags have different scores. The application you are trying to hack will let you know in different fashions about the flags you have found. Some flags are hard, some are easy, and their respective points reflect this.

The CTF training consisted of an introduction to security and how to test it, and the main CTF competition.

One of the good points of the introduction concerned some of the tools that are used in security and penetration testing, which I will mention here:

BeEF [4]
a tool for injecting malicious content into users' browsers by way of a vulnerable website
Kali Linux [3]
a Linux OS containing a lot of penetration testing and security tools by default

The introduction was very general and lacked depth, and lasted about an hour. I had already learned most of it during a session working with WebGoat from OWASP [2] some years previously.

The CTF competition was a lot of fun. We sorted ourselves into groups of two or three software designers. Each group was provided with a key with which to enter the portal from which all the assignments could be started. A dashboard showing the different scores was available on the big screen.

A number of web portals were provided to us, which all contained different challenges for us to overcome.

Some of the security issues to detect were:

  • caching
  • escalating privileges
  • using left-over files that should have been deleted
  • SQL injection
  • using error messages to gain insight into the backend
  • wrong permissions that allow too much
  • examining web code for vulnerabilities (HTML, JavaScript, CSS)

The intensity was very high, all of us competing to find the most flags the fastest. The combination of thinking very hard, trying stuff, frustration if it didn't work, and the cooperation and communication between team members made most of us feel quite exhausted at the end of the day.

There was no follow-up after the competition, which I felt was a pity. The trainers were available for questions regarding some of the assignments during and after the competition.

References

[1] Nováccent Group
https://www.novaccent.nl/
[2] OWASP WebGoat
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
[3] Kali Linux - a free and open-source penetration testing platform
https://www.kali.org/
[4] BeEF - The Browser Exploitation Framework
http://beefproject.com/
Practice CTF List / Permanent CTF List
http://captf.com/practice-ctf/
Wikipedia - Wargame (hacking)
https://en.wikipedia.org/wiki/Wargame_(hacking)

Thursday, 14 December 2017

The Dangers of Optional.orElse

Our architect at work explained how to properly use the Optional class, and sometimes it is not easy. I shall explain one of the intricacies in this blog with the aid of cake, because who doesn't love cake?

Now some people tell me that the cake is a lie [1][2]. This may or may not be the case. So there may or there may not be cake.

This is basically the definition of the Optional [3] class in Java 8:

    Optional<Cake> cake;

One of my colleagues is a fan of Eddie Izzard [4][5].

Our architect at work presented us with the code he had encountered using Optional.orElse. I've changed it a bit by adding more cake.

If you run this program, you'll notice that after you have received a nice cake, you immediately die!

This is due to the fact that the expression passed to .orElse() is an ordinary method argument: it is evaluated immediately, right after the new Cake(), regardless of whether the Optional is empty. This is very basic Java and exactly what is to be expected.

Unfortunately, we software designers seem to have a blind spot when it comes to the orElse() method. We automatically compare it to the if-else construction we know and love, and then we assume the behaviour is the same.

It is as if your brain automatically shunts over to the wrong abstraction.

The .orElse() is actually only suitable for constants.

Conclusion

In order to fix the problem, you need to use a lambda (or method reference). To use a lambda, you need to use a different method of the Optional class, namely .orElseGet(), which takes a Supplier and only invokes it when the Optional is empty.

The code would look as follows:

    cake.orElseGet(this::death);
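Putting the pitfall and the fix side by side, as an added runnable example (this is not the original post's code; the Cake class and the death() method are assumed from the post's "cake or death" framing):

```java
import java.util.Optional;

// Added example, not the original post's code. Cake and death() are
// assumed from the post's "cake or death" framing.
public class CakeOrDeath {

    static final class Cake {
        @Override
        public String toString() { return "a nice cake"; }
    }

    // The side effect makes eager evaluation visible. In real code this
    // could be an expensive call, a network request or a fallback that
    // writes somewhere, which is why the distinction matters.
    static Cake death() {
        System.out.println("  death() was evaluated");
        return null;
    }

    // Pitfall: the argument to orElse is an ordinary method argument, so
    // death() runs before orElse is ever called, even when a cake is present.
    static Cake withOrElse(Optional<Cake> cake) {
        return cake.orElse(death());
    }

    // Fix: orElseGet takes a Supplier<Cake>; death() runs only if the
    // Optional is empty.
    static Cake withOrElseGet(Optional<Cake> cake) {
        return cake.orElseGet(CakeOrDeath::death);
    }

    public static void main(String[] args) {
        Optional<Cake> cake = Optional.of(new Cake());
        Optional<Cake> noCake = Optional.empty();

        System.out.println("orElse with cake present:");
        System.out.println("  got " + withOrElse(cake));      // death() printed anyway

        System.out.println("orElseGet with cake present:");
        System.out.println("  got " + withOrElseGet(cake));   // death() not evaluated

        System.out.println("orElseGet with no cake:");
        System.out.println("  got " + withOrElseGet(noCake)); // death() evaluated, as intended
    }
}
```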

I had really hoped that they would have changed the method name to something better. Some notable good examples would have been:

  • "orElseConstant"
  • "orDefault"

References

[1] Know Your Memes - The Cake is a Lie!
http://knowyourmeme.com/memes/the-cake-is-a-lie
[2] Wikipedia - Portal (video game)
https://en.wikipedia.org/wiki/Portal_(video_game)
[3] Oracle Javadoc - Optional
https://docs.oracle.com/javase/8/docs/api/java/util/Optional.html
[4] Wikipedia - Eddie Izzard
https://en.wikipedia.org/wiki/Eddie_Izzard
[5] YouTube - Eddie Izzard - Cake or Death
https://www.youtube.com/watch?v=BNjcuZ-LiSY