So I'm graduating from the MLH Fellowship and looking back I've made a lot of awesome Open Source contributions. But you know what? The most amazing thing I did was the Fellowship CTF.
But wait, what's a CTF anyways?
Oh yeah, sorry about that.
CTF stands for Capture The Flag: a security competition in which contestants exploit systems or crack ciphers to uncover flags (generally a piece of text like gmelodieCTF{this_is_a_flag}).
Here's a more concrete example challenge for you, can you crack it? (solution at the end of the article)
Z21lbG9kaWVDVEZ7Y29uZ3JhdHVsYXRpb25zX3lvdSF9
My Background
For those of you who don't have that much experience with security, making a CTF competition may seem like something only underground most wanted hackers are able to do. That's not true. In fact, I've only been into security for about one year now.
So how do you build a CTF?
That's a question I asked myself two and a half months ago. I had played a lot of CTFs, but it turns out building one is way different.
Platform
The first thing you need to decide when creating a CTF competition is which platform will hold your challenges and everything else they might need (title, description, files, hints, etc.).
The most well-known CTF platform is by far CTFd, which is what we used for the MLH Fellowship CTF.
Audience
So before you go out trying to come up with the most insanely hard binary exploitation challenges, you have to understand who your audience is. Just like this article is aimed at cybersecurity beginners, a CTF has to be focused on a certain type of audience. It's impossible to make everyone happy; you have to focus on the main types of people interested in your CTF.
When I first had the idea for a CTF for the fellows, I asked around for people with some security knowledge who wanted to help build it. I found only 3 people among 150 fellows who knew enough to offer help, so I knew that it'd be a beginners' CTF, because most fellows didn't have any experience with security.
Challenges
When I was set on an audience and had a basic platform to hold the challenges, I started to build some.
In this case, because most fellows had absolutely no experience whatsoever with CTFs, I knew that they were going to need some guidance in order to solve the challenges. The thing is: I didn't want to require any prior security-specific knowledge. So most challenges were incremental, having a first part and a second part. By solving part 1, one would learn the basics they needed to solve part 2.
One example of this was the Underst00d cryptography challenge series. The first challenge would give you a string of ones and zeroes (e.g. "01000101 01111000 01100001 01101101 01110000 01101100 01100101"). The task was simply to convert the string to ASCII. The following challenges in the series (Underst01d, Underst10d and Underst11d) were simply variations of the first one with different bases like base64 and base32. After doing the first one you'd have a good clue that the next was going to be a base decoding challenge.
Testing
Testing is super important, and I insisted we test the overall process of:
- Deploying the CTFd platform
- Putting some challenges in
- Releasing them to the fellows
And boy, was it worth it.
I cannot stress how important testing actually is, so perhaps an example will help.
So, two weeks before the actual CTF, I created a Warmup CTF with only 5 challenges (one released each day of the week from Monday to Friday). In the middle of the week we realized that some of the functionalities of CTFd we needed weren't working in the version we had running. Also, some of the exploitation challenges opened major security breaches on the CTF server (which encouraged us to use a chroot jail).
Testing is super important. Do it.
The Numbers
The results were amazing! 17 registered teams, 26 challenges created, 53 users and more than 300 flag submissions!
Challenge solution
Back in the intro section of this post I gave you a sample CTF challenge:
Z21lbG9kaWVDVEZ7Y29uZ3JhdHVsYXRpb25zX3lvdSF9
At first glance you might have no clue what this mess is. Neither do I most of the time; that's why there are a bunch of online cipher identification tools like this one that can tell us that this is a base64 string.
Decoding the text in any base64 decoder would give us the ASCII string:
gmelodieCTF{congratulations_you!}
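To show the identify-then-decode step that the Underst00d series teaches, and the base64 identification used in the solution above, here is a small Python helper. It is added here as an example, not code from this post or from the Fellowship CTF; the flag regex and the base32 sample are my own assumptions/constructions, and the base32 sample is not one of the real challenges.

```python
import base64
import binascii
import re

# Flag format used by the challenges in this post (assumed regex, matches gmelodieCTF{...}).
FLAG_RE = re.compile(r"gmelodieCTF\{[^}]*\}")

def decode_binary(text):
    """Underst00d style: space-separated 8-bit groups ("01000101 ...") -> ASCII, or None."""
    groups = text.split()
    if not groups or any(len(g) != 8 or set(g) - {"0", "1"} for g in groups):
        return None
    try:
        return bytes(int(g, 2) for g in groups).decode("ascii")
    except UnicodeDecodeError:
        return None

def _decode_with(decoder, text):
    """Run a stdlib decoder and return ASCII text, or None on any invalid input."""
    try:
        return decoder(text.strip().encode("ascii")).decode("ascii")
    except (binascii.Error, ValueError, UnicodeError):
        return None

def decode_base32(text):
    return _decode_with(base64.b32decode, text)

def decode_base64(text):
    # validate=True rejects characters outside the alphabet instead of silently dropping them.
    return _decode_with(lambda b: base64.b64decode(b, validate=True), text)

# Order matters: every base32 string is alphabet-valid base64, so try the stricter one first.
DECODERS = [("binary", decode_binary), ("base32", decode_base32), ("base64", decode_base64)]

def identify_and_decode(text):
    """All (encoding, plaintext) pairs whose decode is printable ASCII; there may be several."""
    hits = []
    for name, fn in DECODERS:
        out = fn(text)
        if out is not None and out.isprintable():
            hits.append((name, out))
    return hits

def solve(text):
    """Prefer the candidate that matches the flag format; otherwise the first printable one."""
    hits = identify_and_decode(text)
    for hit in hits:
        if FLAG_RE.search(hit[1]):
            return hit
    return hits[0] if hits else (None, None)

# Constructed base32 sample (not from the post); 20 bytes, so it needs no '=' padding.
BASE32_SAMPLE = base64.b32encode(b"gmelodieCTF{b32_ok!}").decode("ascii")
```

Because a base32 string is also alphabet-valid base64, the flag format is what disambiguates when more than one decoder returns printable text.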
Top comments (1)
Well done!