loading...

The joy of exploring cybersecurity, and how to get started

mateuszdrwal profile image mateuszdrwal ・3 min read

It's high school graduation time, and GitHub is offering swag for a blog post, to which I obviously must oblige. So here comes a reminder on the importance of cybersecurity, and the project I was a part of which helps teach out the basics in an exciting way.

If you think hacking (in the security sense of the word) sounds fun but you never tried to get into it, you might want to know about the concept of security capture the flag competitions, or CTFs for short. They are essentially hacking competitions usually played in teams, though individual users are often also welcome. The organizers of such competitions create a set of security-related challenges with varying difficulty which teams solve for points. Each challenge contains a flag, a string usually in the format of "flag{some_text_here}" which needs to be found and submitted to the competition platform to redeem the points. This flag is proof that you have solved a specific challenge. The challenges may be as simple as a file with the flag hidden in it through various methods, or a whole website which needs to be hacked in order to retrieve the flag from the backend.

These competitions are incredibly fun and educational as they teach about the structure and inner workings of files and programs, and how to break them. Throughout a single competition, there are countless binaries to reverse engineer, exploit, or websites to hack, custom made for the purpose of teaching you about how things can go wrong when creating software. Even if you have no interest in becoming a security researcher, the lessons learned are extremely valuable when writing any type of distributed software as you will be much more able to spot out and avoid potential security issues before you even write the code, increasing the overall security of your app.

After around 2/3 of a year playing all types of CTF competitions for fun, I and a couple of friends decided to pass on the knowledge we had learned and we organized our own competition late last year, called watevrCTF. I created 10 challenges for the competition, ranging in difficulties from absolute beginner to pretty hard. All challenges were open-sourced, and if you want you can try to solve them yourself at any time by checking them out in the GitHub repository:

GitHub logo wat3vr / watevrCTF-2019

Challenge repository for the watevrCTF 2019 CTF competition

logo

watevrCTF 2019

Build Status

repository for the first watevrCTF

For visitors:

Welcome!

This is the repository where you will find all challenges from watevrCTF 2019. All challenges have their sources and build scripts here, so you can explore how they were made. Most of the challenges also have automated solve scripts that you can investigate for a solution, and a few even have writeups.

If you want to start a web or pwn challenge locally here is how you do it:

The file install_dependencies.sh installs almost all dependencies required for building, running and solving challenges. If you are lazy you can just run that script to get set up, but please look at it and make sure you are ok with how it is installing stuff first. The only thing it doesn't install is docker-ce, which is required for starting all service based challenges. You will also have to install that yourself.

I also created the backend of our CTF competition in Django, which is still accessible at https://ctf.watevr.xyz. The GitHub Student Developer Pack was extremely useful here, as we used LogDNA to monitor the backend logs in realtime. The CTF platform itself is not open-sourced yet as the code has to be cleaned up quite a lot, but we plan to release it after our second competition this year!

The competition turned out to be a big success with over one thousand teams registered and a 24.92/25 rating on ctftime.org, and also enriched us with knowledge about how to organize big events and optimize a website for large instantaneous traffic.

So to summarize, if you have never played a CTF, go play one! There are always new ones coming up made by the CTF community, just check this list to find one: https://ctftime.org/event/list/upcoming. I guarantee you will be hooked just like we were, and I hope that you also get excited enough to organize your own competition!

See you around the CTF community!

Discussion

markdown guide