A while back, I had the opportunity to watch a particularly inspiring video (the rest of USENIX Enigma is well worth watching):
Nominally, the video is about the QIRA debugger, but I think it (unintentionally) strikes unerringly at a more fundamental issue that we all know about, but many are afraid to admit: that much of what passes for “hacking” in the broader (in my context: Australian, at least) penetration testing industry is more or less a joke – and we all have much to learn.
A few weeks ago, I began Operation Suck Less: an ambitious attempt to do as many CTFs/vulnerable VMs as I can for the foreseeable future. So far, it has been an interesting exercise in illuminating areas that I need to learn, and here are a few thoughts from this project.
Simplify your thinking, simplify your toolchain
A CTF is typically one to two days long, with a number of challenges which can be solved for a varying number of points (the classic Jeopardy format; attack-defence CTFs also exist, but they are beyond the scope of this discussion).
Unlike commercial penetration testing, it is often not good enough to just identify the missing HttpOnly cookie flag to earn your $20,000: you must successfully exploit the issue in the face of various mitigating controls, with incomplete information.
This type of exercise requires a different, simpler type of thinking: your scripts don’t need to be perfect, they just need to work. Single-use Python scripts are the order of the day, and retooling them into re-usable modules (e.g. proof-of-work solvers) can be done afterwards, if at all. As an example – if you wrote a proof-of-work solver for CTF A and you need a slightly varied one for CTF B, you can quickly rejig your CTF A code, while it would take you much longer to write one from scratch, and longer still to download someone else’s and find out how it works.
Don’t worry about best practice, writing good code, being thorough, or whatever: just make things that work.
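To make the “rejig your CTF A code” point concrete, here is an added example (not code from the original post) of the kind of throwaway proof-of-work solver CTF servers commonly demand before letting you talk to a challenge. The challenge formats are constructed for illustration: “CTF A” asks for a nonce such that sha256(challenge + nonce) begins with three hex zeros, and “CTF B” asks for md5(nonce + challenge) ending in ff. The solver is parameterised just enough that moving between the two is a one-line wrapper rather than a rewrite.

```python
import hashlib
import itertools
import string

# Candidate nonce characters: printable alphanumerics are accepted by most
# text-based challenge servers, which is why CTF PoW solvers default to them.
ALPHABET = (string.ascii_letters + string.digits).encode()


def pow_digest(challenge: bytes, nonce: bytes, algo: str = "sha256",
               nonce_first: bool = False) -> str:
    """Hex digest of the nonce/challenge concatenation in the order the server uses."""
    data = nonce + challenge if nonce_first else challenge + nonce
    return hashlib.new(algo, data).hexdigest()


def solve_pow(challenge: bytes, predicate, algo: str = "sha256",
              nonce_first: bool = False, max_len: int = 6) -> bytes:
    """Brute-force the shortest alphanumeric nonce whose digest satisfies predicate.

    predicate receives the hex digest and returns True when the PoW is satisfied,
    so prefix-zero, suffix, and bit-count styles all fit without touching the loop.
    """
    for length in range(1, max_len + 1):
        for candidate in itertools.product(ALPHABET, repeat=length):
            nonce = bytes(candidate)
            if predicate(pow_digest(challenge, nonce, algo, nonce_first)):
                return nonce
    raise ValueError("no nonce found within max_len characters")


def verify_pow(challenge: bytes, nonce: bytes, predicate, algo: str = "sha256",
               nonce_first: bool = False) -> bool:
    """Re-check a nonce the way the server would, so a solver bug is caught locally."""
    return predicate(pow_digest(challenge, nonce, algo, nonce_first))


# "CTF A" (constructed format): sha256(challenge + nonce) must start with "000".
def solve_ctf_a(challenge: bytes) -> bytes:
    return solve_pow(challenge, lambda h: h.startswith("000"), algo="sha256")


# "CTF B" (constructed format): md5(nonce + challenge) must end with "ff".
# Only the hash, the concatenation order and the predicate changed.
def solve_ctf_b(challenge: bytes) -> bytes:
    return solve_pow(challenge, lambda h: h.endswith("ff"), algo="md5",
                     nonce_first=True)


if __name__ == "__main__":
    chal = b"constructed-challenge-string"  # stands in for the server's banner value
    a = solve_ctf_a(chal)
    b = solve_ctf_b(chal)
    print("CTF A nonce:", a, pow_digest(chal, a, "sha256"))
    print("CTF B nonce:", b, pow_digest(chal, b, "md5", nonce_first=True))
```

The three-hex-zero target needs roughly 4096 attempts on average, so this runs in well under a second; a real CTF tends to set difficulty higher, which is exactly when the local verify_pow check pays for itself, because a solver that silently uses the wrong concatenation order looks like it is working until the server rejects every answer.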
There is no substitute for experience
In a CTF, you need to know things like how to recognise misaligned instructions in a binary, and you need to know things like:
- how to dump variables in Python where you can’t use spaces
- the nuances of Chrome’s handling of various types of input
- how to inject environment variables from a browser and how you can get them executed in a subprocess
No amount of reporting lame CSRF bugs will teach you this stuff; there are no classes for this; there is no substitute for just doing it.
Exploitation is time-consuming and hard [tm]
Often, writing an exploit is difficult and time-consuming as you deal with various limitations artificially placed upon you – limits on the characters you can use, input passed through functions like toupper(), etc.
In commercial penetration testing, there’s no need to deal with any of this – you simply spot the initial attack vector, write it up as a High Risk [tm], and collect your fee and watch it go down the risk acceptance pipeline. Speaking of which:
This won’t get you anywhere with a CTF, which forced me to learn (or in a few cases, dust off) reverse engineering and binary exploitation skills.
All power demands sacrifice
This blog post would be incomplete without mention of the immense time dedication that this approach to getting good at computers takes. There are typically multiple CTFs per week, and it is not possible to do them all – my personal physical limit is focusing on 2 per weekend, beyond which I collapse from exhaustion.
Doing this consistently requires giving up pretty much everything else, and consciously structuring your life around it – shopping on Friday so you don’t have to on the weekend (tea and fruit work well in the silly hours of the morning), being prepared to sleep less, playing fewer video games, arranging to go out during the week, etc.
No words can describe the cost of doing this, but I’m convinced it’s worth it – I’ve learned more in a few weeks than I could have in years, if I didn’t do this.
From here, all my other projects are effectively on hold in favor of Operation Suck Less. I’ll post notes on most interesting CTF challenges (regardless of whether I’ve solved them or not) for everyone to enjoy 🙂