Ask Slashdot: Capture the Flag Training 102
An anonymous reader writes "I'm a computer science professor and a group of students want me to help them train for a capture the flag competition. I am interested in this and I'm familiar with security in general, but I've never been involved in one of these competitions. Does anyone know of any resources which would be useful to train for this?"
roblox? (Score:2)
lots of paintball capture the flags on roblox. not very realistic motions however unless you can jump higher than your head
Re: (Score:3)
Stop pretending to be banal, and sit up; it'll ruin your posture.
CTF? (Score:4, Interesting)
Re:CTF? (Score:5, Insightful)
Re: (Score:3)
Re: (Score:3, Insightful)
I went straight there... but a year ago I hadn't heard of hacker-style CTF, and I would expect many other visitors haven't either. The comments bear either that or 'everyone is a troll' out.
Re: (Score:2, Informative)
ctftime.org
ctf github
a lot of writeups, a lot of links to existing challenges from previous years. Don't read the writeup, and let them solve the downloadable challenges.
go to defcon, play openctf
Re: (Score:1)
Re: (Score:1)
Could be both. Check out Hack Fortress (at Defcon/Shmoocon every year)
Re: (Score:2)
LAPTOP! useful, indeed. (Score:1)
Either way, start with portable computing. 0wn the server fake the flag. w00t.
who's IP is 69.144.75.19 ? =).
Why not... (Score:1)
...use Unreal Tournament 99. Lots of levels for CTF, Last Man Standing, Deathmatch, Team Deathmatch and Assault.
Re: (Score:2)
Domination was a favorite of mine when we had our clan...
Re: (Score:2)
Re: (Score:1)
Unreal Tournament 99 is only practically playable on 32-bit Windows now, because community-made plugins require it.
It was the best days...
Re: (Score:2)
Re: (Score:1)
Yes. It was when Vista came out and I remember the problem has something to do with native dll plugins. However, I just tried it and all seem to be fine now. They also made new renderers to take advantage of new hardwares.
Re: (Score:2)
uh... there would be a problem if they required 16-bit environment, since 64-bit Windows has the canny ability to run 32-bit in compatibility mode (most of the time completely seamlessly) in which the memory space is shared. 16-bit mode in 64-bit requires a segregated memory space and a sandboxed environment.
Not a good idea (Score:1, Funny)
Most computer science students are fat and out of shape. Someone could get hurt.
Re: (Score:2, Funny)
Your stereotype is out of date. Most computer science students are Indians who eat curry and stay thin by dancing to Bollywood showtunes. Any fat American slob who is still studying computer science is an idiot who will never find a job.
Re: (Score:2, Funny)
Sorry, but your stereotype is out of date.
Computer science students are all women because they were given scholarships and inflated grades in order to promote something mis-named "equality".
Re:Not a good idea (Score:5, Funny)
Sorry, but your stereotype is out of date.
There are no computer science students, only entrepreneurs who happen to be in the early stages of their short path to becoming multi-billionaires and who vote for the rightmost wing to protect their imminent fortune.
Re:Not a good idea (Score:4, Insightful)
Sorry, but your stereotype is out of date.
There are no computer science students, because the industry only wants trained monkeys rather than people who can do new and clever things, and demand that computer science courses are replaced with programming ones.
Re:Not a good idea (Score:5, Funny)
Sorry, but your stereotype is out of date. Ever since they gaved trained monkeys rights like humans the industry only wants drunk college coeds.
Re: (Score:2)
demand that computer science courses are replaced with programming ones.
Sorry, but your stereotype is OFF.
Computer Science is not teaching you to do "programming"! If you want to replace the core course with "programming," you are picking the wrong major. You should rather change your major and go on Information Technology/System instead because they do learn more in programming (look at their course catalogue).
Best comments ever (Score:2, Informative)
The comments to this post are hilarious.
Re: (Score:2)
co-co-co-combo breaker!
Pico Ctf (Score:1)
Pico CTf is a good start.
Group wants, not want, (Score:1)
"I'm a computer science professor and a group of students want me to help them train for a capture the flag competition."
Why not just be a scout leader?
ingress (Score:1)
Www.ingress.com. it's about dominating control points. Lots of strategy and games are ongoing abd dynamic.
The obvious (Score:3, Insightful)
Get as much information about the playing field as possible, and also the opponent robots. Study multiple strategies, and play them against each other. The optimum would identify the enemy's strategy and play the one strongest against that, but you may be unable to reliably identify it. When choosing a strategy, consider the rules and whether it is better to score as many flags as possible, or win as many games as possible.
For web-app CTFs (Score:1)
Google Gruyere
OWASP's vulnerable web app project
HackThis Site
Keep it up (Score:5, Funny)
Not sure if the comments are hilariously misguided or weak trolls. Either way, good job.
Next month:
Team coached by Slashdotter banned from CTF competition. It took security two hours to apprehend all team members, who were running around non-stop. "We were just looking for their flag", said one of the members. When asked for their reasons to run like madmen on coke, they had this to say: "The other teams were not even trying, they were just fucking around on their computers. We found it strange at first, but kept looking". They accused other teams of cheating, stating "we searched for hours and found not a single flag, zero. The cheating bastards broke the rules, and even laughed at us. We found out and have been banned."
When pressed for comments, their coach mumbled something about "stupid [inaudible] beta" and walked away without making eye contact.
Have you looked at CyberPatriot? (Score:3)
You didn't say how old your students are. If they're still in high school (or younger), consider the CyberPatriot competition. It's a National Youth Cyber Education Program, put on by the Air Force. In the competition, teams are given VM images that have various vulnerable operating systems that they have to keep operational while they keep them secure. The earlier rounds feature a scoring robot; in the later rounds the students face a Red Team.
The entire competition is focused on defense, so there are no points for attack. Teams from around the country compete for a trip to the national finals. Prizes include scholarships for the winning teams.
If you're interested, have a look at https://en.wikipedia.org/wiki/... [wikipedia.org] . Today is the last day to register teams for this year's competition, so you might want to look quickly.
Even if you're not interested in standing up a competitive team, their site provides instructions on how to build practice images, and you can download their scoring bot to see how well your teams fared. http://www.uscyberpatriot.org/... [uscyberpatriot.org]
Another resource (Score:4, Informative)
Sorry about following up to myself, but I just thought of another resource. The Information Security stackexchange site has several postings you might find of value. Search for CTF: http://security.stackexchange.... [stackexchange.com] and you'll find really helpful sites like http://capture.thefl.ag/ [thefl.ag]
Re: (Score:2)
You didn't say how old your students are.
First line of the summary says "I'm a computer science professor"
His students are 18-23.
Roll your own (Score:1)
I would recommend rolling your own mini CTF style competition. Here at Evergreen some of the members have been creating chals for the rest of the team to solve as practice for the upcoming CSAW finals. They range from the very simple to somewhat complicated.
For some examples on what you can do, check out:
ctf.hackevergreen.com
We often use resources from websites like:
root-me.org
phrack magazine
(esp good one about stack smashing http://phrack.org/issues/49/14... [phrack.org])
Edged weapons and grappling (Score:2)
I'm a traditionalist.
Re: (Score:2)
Which tradition involves edged weapons and grappling? Greco-Roman filleting?
Re: Edged weapons and grappling (Score:1)
Want to win CTF? Bring real guns. Win by default.
The information you are looking for... (Score:5, Informative)
That is, if you're trying to figure out WTF the CTF in question is. (I've never heard of it before, but it sounds cool.)
Capture the Flag (CTF) is a special kind of information security competitions. There are three common types of CTFs: Jeopardy, Attack-Defence and mixed.
Jeopardy-style CTFs has a couple of questions (tasks) in range of categories. For example, Web, Forensic, Crypto, Binary or something else. Team can gain some points for every solved task. More points for more complicated tasks usually. The next task in chain can be opened only after some team solve previous task. Then the game time is over sum of points shows you a CTF winer. Famous example of such CTF is Defcon CTF quals.
Well, attack-defence is another interesting kind of competitions. Here every team has own network(or only one host) with vulnarable services. Your team has time for patching your services and developing exploits usually. So, then organizers connects participants of competition and the wargame starts! You should protect own services for defence points and hack opponents for attack points. Historically this is a first type of CTFs, everybody knows about DEF CON CTF - something like a World Cup of all other competitions.
Mixed competitions may vary possible formats. It may be something like wargame with special time for task-based elements (like UCSB iCTF).
CTF games often touch on many other aspects of information security: cryptography, stego, binary analysis, reverse engeneering, mobile security and others. Good teams generally have strong skills and experience in all these issues.
https://ctftime.org/ctf-wtf/ [ctftime.org]
Re: (Score:2)
Re: (Score:2)
Yes (Score:5, Funny)
For your convenience I have put some good resources in C:/ on the FBI mainframe.
Re: (Score:2)
Re: (Score:2)
Suggested reading (Score:3)
The Fugitive Game, by J. Littman (9780316528696).
Um... that's it, really. Unless you got time, in which case you could pick up The Art of Intrusion, The Art of Deception, or Ghost in the Wires (all K. D. Mitnick).
Willing to help (Score:2)
I'm also a comp sci prof and have played many cybersec ctfs. If you want to have a chat on the phone pm me and I can give some tips.
Best
Gareth
Re: (Score:3)
quakelive kind of ctf? (Score:1)
Software Tools (Score:4, Informative)
resources (Score:5, Informative)
(for some reason the first time I loaded this page there were no comments, so some of this is duplicate)
Excellent! Very glad to hear it. There are a /ton/ of helpful resources out there for you. Here's a brain-dump of some of the most popular:
* CTFTime : http://ctftime.org/ [ctftime.org] : Website that tracks team scores, upcoming events, and writeups for previous events.
* CapTF : http://captf.com/ [captf.com] : My CTF dump-site that includes a calendar, links to "practice" sites (aka Wargames), and many years worth of CTF events archived
* Field Guide : http://trailofbits.github.io/c... [github.io] : Specifically covering the skills / approaches, the field guide is a good read for anyone getting into this world.
* Guide for Running a CTF : https://github.com/pwning/docs... [github.com] : Written by PPP (CMU's ever-dominant CTF team) along with feedback from the broader CTF community, this guide is more relevant when making a CTF, but can aid in understanding how the good CTFs are designed.
* PicoCTF : https://picoctf.com/ [picoctf.com] : PicoCTF is designed for high school students, but had an awesome difficulty curve, getting up to some relatively advanced challenges by the end of it. It's also extremely well designed, runs for a longer period of time and is a
* CSAW : https://ctf.isis.poly.edu/ [poly.edu] : One of the best events targeted specifically at College students, unfortunately the qualifier round just finished, and the participants already selected for the final round, but you can always check out the archives of previous challenges to get a feel for the difficulty. Note that the qualifier event is typically intended to be much easier than the in-person finals to better encourage new students to get into the sport.
* IRC : irc.freenode.net#pwning : There's a lively and active community in #pwning on freenode that would be happy to help you with questions/advice related to CTFs.
* YouTube : There's a couple of different presentations/talks on CTFs over the years. If your'e interested in learning more about attack-defense CTFs and in-particular DEF CON CTF, I gave an old talk that's mostly still relevant (https://www.youtube.com/watch?v=okPWY0FeUoU), though I'd recommend you not focus on A/D at first, but just get into the regular challenge based or jeopardy boards as they're sometimes called.
The best way to prepare for CTF is by... playing CTFs. There's no real magic formula, just go out there and start working on challenges. Old CTFs are great as learning exercises since you can usually cheat and read a writeup, but avoid the temptation as much as possible. If stuck, go off and try another problem first, and only if you're /really/ stuck should you check out a writeup.
root-me (Score:3, Informative)
Also has IRC, forum, and some ressources.
Just grep around (Score:2)
some free classes (Score:2)
Along with the practice images others mentioned, some of your students may be interested in these free online classes, particularly the CYB-201 track.
http://www.teex.org/teex.cfm?p... [teex.org]
Links (Score:1)
Trail of Bits have written a startup guide: https://trailofbits.github.io/ctf/ctf.html
You will probably like to take a look at the Kali Linux distribution: http://www.kali.org/
It's a Ubuntu based live distro (can be installed too) with lots of security tools.
For web security you should take a look at WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
It's a deliberately insecure Java web application with tutorials on each vulnerability.
http://www.kioptrix.com/ - Is a couple of downloadab
An oldie but goodie (Score:1)
HackThisSite [hackthissite.org] has been around since 2003. Its missions are old, but it's one of many good starting points. They're updating their challenges, too .. eventually.
CTF resources (Score:4, Informative)
Take a look at this list of practice or permanent CTFs [captf.com]. The root [captf.com] of the site also has a great archive of past CTFs, and other useful stuff.
study past competitions (Score:3)
This is the best advice for any competition.
Alsi arm yourselves with every tool you csn think of. Any minute spent familiarizing yourself with an extra tool is well spent.
Several years ago I led a team of capture the flag, our main tool was simply metasploit(the only tool we used more than once), 8 hours into the conpetition we were down to the last flag trailing the leading team by 15 minutes. We collected a hint stating that some users use the same password on multiple servers which got us to attempt to retrieve all passwords from an already compromised windows machine and try them on an apparently iron clad linux box with nothing but the latest openssh exposed. The other teams were using john the ripper but we had rainbow tabels. This is the only different tool we used and it gave us the win.
Re: study past competitions (Score:2)
Apologies for the horrible spelling.
ctf github (Score:1)
Eindbazen ebctf sources on github [github.com]
Make sure you get permissions... (Score:3)
Organized sports or military training assistance. (Score:1)
Most commentators are assuming a computer-based game which is a reasonable assumption, but not guaranteed. They might actually want to do something different and get out into the woods.
My experience with CTF games using paintball guns is the the vast majority of players want to strike out on their own or with a couple friends and be the hero. No concept of discipline, organization, or coordinated action exists. These groups of Rambos are easy pickings for any group that has learned to work together in a pla