A lot of people have asked where to start with practical security activities such as capturing internet flags. This page is intended to be a bit of a resource dump for people just getting started, as well as an initial roadmap.
Setting up an environment
In capturing the flag, it is essential to have a versatile and easily accessible test environment, with a variety of operating systems and tools available at your fingertips. My preferred environment is structured as follows – it is by no means “the best” – but it can serve as a reference for when you are building your own CTF environment:
- My preferred virtual machine environment is VirtualBox, simply because of its ease of setup across multiple host platforms.
- I have a Linux virtual machine which doubles as a “general use” virtual machine as well as a CTF environment. Kali Linux and Ubuntu are popular if you don’t know where to start.
- I have a Santoku Linux VM, set up so that I can quickly decompile Android applications.
- I have a Windows VM set up, currently via Microsoft’s free trial VM programme, but soon to be upgraded to a regular Windows license.
- I have an Ubuntu VM set up as a “playpen”, where I can test things like configuration changes without it wrecking a “production” system.
- Each virtual machine is configured to be able to communicate (in the TCP/IP sense of the word) with the host. This allows for rapid file transfer between these systems.
- Each virtual machine has Internet access. This allows me to quickly search for things like syntaxes within the OS I’m working in, without tricky sharing of the Clipboard between Host and Guest OS.
- I also run a machine in Amazon with no security group and iptables configured to accept every connection. This allows me to quickly start the machine (via AWS), then create an Internet-facing listener in <5mins.
- I also make use of online services, such as Shodan. This allows me to perform reconnaissance quickly – it’s not 100% “knowledge-perfect”, but it often suits the purposes of CTF’ing.
- My tools are minimal: I primarily use IDA Pro, GDB/WinDbg, Python and Burp Suite for the overwhelming majority of my CTF work.
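The Internet-facing listener from the Amazon item above, as an added example that is not the author's code: a small TCP listener in Python that only serves connections from source addresses you control and logs every other attempt before dropping it. A box with no security group restrictions and a permissive iptables policy is found by Internet scanners within minutes, so an allowlist at the listener is a cheap backstop to whatever you do (or do not) configure at the network layer. The `AllowlistListener` class, the loopback round-trip helper `exercise()`, and the sample payloads are all constructed for this example; because loopback only offers the source address 127.0.0.1, the refused case is produced by passing an empty allowlist.

```python
import socket
import threading


class AllowlistListener:
    """TCP listener that only serves allowlisted source addresses.

    Every connection attempt, accepted or refused, is recorded in self.log as
    (peer_ip, peer_port, outcome) so the operator can see who is knocking.
    """

    def __init__(self, host: str, port: int, allowed: set):
        self.allowed = set(allowed)
        self.log = []        # (peer_ip, peer_port, "accepted" | "refused")
        self.received = []   # payloads read from accepted peers
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(5)
        # Short accept() timeout so the serving loop can notice a stop request.
        self._sock.settimeout(0.2)
        self.port = self._sock.getsockname()[1]   # real port when port=0 was asked for
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                if ip not in self.allowed:
                    # Not an operator-controlled address: log it and drop it unread.
                    self.log.append((ip, port, "refused"))
                    continue
                self.log.append((ip, port, "accepted"))
                conn.settimeout(1.0)
                try:
                    data = conn.recv(4096)
                except socket.timeout:
                    data = b""
                self.received.append(data)
                conn.sendall(b"ok\n")


def exercise(allowed: set, payload: bytes):
    """Start a listener on loopback, connect once, return (outcome, reply).

    Constructed round-trip used to demonstrate the allowlist (hypothetical
    helper, not part of any real deployment).
    """
    listener = AllowlistListener("127.0.0.1", 0, allowed)
    listener.start()
    try:
        with socket.create_connection(("127.0.0.1", listener.port), timeout=2) as client:
            client.sendall(payload)
            try:
                reply = client.recv(64)
            except ConnectionResetError:
                # Server closed without reading our payload; the kernel answered with RST.
                reply = b""
    finally:
        listener.stop()
    outcome = listener.log[0][2] if listener.log else "no-connection"
    return outcome, reply


if __name__ == "__main__":
    print(exercise({"127.0.0.1"}, b"hello from an allowed host\n"))
    print(exercise(set(), b"hello from a stranger\n"))
```

On a real lab box you would put your own public address in the allowlist and still pair this with a source-restricted security group and an iptables default-deny policy; the listener-level check is there so that a mistake in either of those does not turn the instance into an open service.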
Practice, Practice, Practice
I am a believer in the theory of deliberate practice: that is, we shouldn’t just “practice” by simply repeating an action, but we should seek out and tackle challenges which we are particularly weak in (with support from others – it’s not just headdesking all the time), so we improve.
Below, you will find some links where you can do some reading about the various tools used in a CTF, as well as some sample CTF exercises.
- https://www.openlearning.com/courses/sec (start here! this is more theory)
- https://www.codecademy.com/learn/python (start here! you’ll need to learn to code)
- http://www.learn-c.org/ (once you’re done with python, take a look at this)
- win32assembly.programminghorizon.com/tutorials.html (once you’re done with python, take a look at this)
- https://picoctf.com/ (start here!)
- http://overthewire.org/wargames/ (or start here!)
No substitute for the real thing…
When learning cybersecurity, there is no substitute for constant practice against real-life targets. To this end, I recommend finding a local community which is interested in this, and then working together on Bug Bounties and Capture the Flag events.
If you have absolutely no idea where to start, try this: CTFs usually set up an IRC channel where the organisers can communicate with participants to provide clarity on CTF questions, or issue corrections: talk to people in there.
Whether you are just starting out, or a seasoned veteran aiming to try something new, I wish you the best of luck in your bug-hunting adventures.