Thursday, July 15, 2021

How to get started with CTFs

What are CTFs?

CTFs are a kind of hacking competition where you often need to find a "flag", a particular text string. There are three types of CTF: jeopardy, attack&defense and boot2root.

Boot2root CTFs are vulnarable machines that have to be hacked to obtain root or administrator privileges and read one or more flags.

In attack & defense CTFs, participants have one or more virtual machines with some vulnerable exposed services. The aim is both to defend your services and to attack those of others to get flags and earn points. The team with more points wins the competition.

In jeopardy CTFs there are one or more challenges, each of which give you a flag and some points. The team with more points wins the competition. There are various types of jeopardy CTFs, for example:

-web, where you have to hack a web site

-steganography, where you have to found information hidden in files or images

-cryptography, where you have to decrypt a message

-pwn, where you typically have to exploit a server

-reversing, where you have to reverse an application.


Where do I start? 

Below there are some resources to learn and to practice

Web:

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws - by Dafydd Stuttard and Marcus Pinto

Web application pentesting with Mutillidae II 

Mutillidae II 

Damn Vulnerable Web Application 

bWAPP 

Juice Shop 

Websec.fr 

Cryptography:

Crypto101 

Pwn:

Hacking: the art of exploitation - by Jon Erickson

The Shellcoders Handbook. Discovering and Exploiting Security Holes - by Chris Anley, John Heasman, Felix "FX" Lindner and Gerardo Richarte

Binary hacking 

Modern binary exploitation 

Pwnable.kr

Pwnable.tw

Exploit.education 

Reversing:

Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation - by Bruce Dang, Alexandre Gazet and Elias Bachaalany

x86 Assembly

Boot2root

Vulnhub 

Hackthebox

Book review: Real-World Bug Hunting

  "Real-World Bug Hunting: A Field Guide to Web Hacking" is a cybersecurity manual written by Peter Yaworski, a known bug bounty h...