
Capture The Flag – first thoughts on being a noob hacker

Yesterday I was watching an episode of Lex Fridman’s AI podcast with George Hotz. The guy is a founder of https://comma.ai (2nd-level autonomy vehicle module for 1000$) and is known for being the first to carrier-unlock the first iPhone, among other things.

Among the discussions on autonomous vehicles and hacking, I heard the term “CTF”, or “capture the flag”.

Originally an outdoor game that you can also play with paintball guns and vans, as shown below, in the computer science world capture the flag is a competition in which you try to break into a system and find a “flag” – a hidden piece of information that can be in a file, in a DB, or in the source code.

Paintball with Capture the Flag game, as well as some cool cars to ride

As an engineer I’ve spent most of my time building systems, and hacking systems seemed like a fun thing for a change. I decided to give it a go, and by searching for “ctf” I got to the Hacker101 CTF website, which has many challenges for various skill levels (they also have hints to warm you up).

I’ve tried 4 of the “web” focused challenges. In most of them you try to exploit some very simple vulnerability, such as injecting a custom script like <script>alert("hello");</script> into some text fields; in others you need to inspect the code of the webpage to find something weird you can use.

When you succeed you are rewarded with a ^FLAG^ that would look similar to the image below. A typical problem would have from 1-7 flags hidden in it.

Flag I got for attempting “user” “password” login combination 😐

To me, the SQL injection exercise was the most interesting so far, as you try to guess what the code and DB behind the scenes might be (though in my case this was easy, as the error message gave out details of the code and DB engine).
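From the builder's side, the two weaknesses in that exercise (input pasted into the SQL text, and a raw database error sent back to the user) look like this next to a corrected handler. This is an added example, not part of the original post or of Hacker101; the table, function names and sample account are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data in an in-memory SQLite database.
    # Plaintext passwords keep the example short; real code stores a password hash.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db

def login_vulnerable(db, name, password):
    # Weakness 1: input becomes part of the SQL text, so a quote character
    # in a field changes the statement instead of being compared as data.
    query = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    try:
        found = db.execute(query).fetchone() is not None
        return {"ok": found, "error": None}
    except sqlite3.Error as exc:
        # Weakness 2: the response names the DB engine, the parser message
        # and the full query, which is what made the exercise "easy".
        detail = f"sqlite3.{type(exc).__name__}: {exc}; query: {query}"
        return {"ok": False, "error": detail}

def login_hardened(db, name, password, server_log=None):
    # Placeholders send the values separately from the statement,
    # so quotes in the input are just characters to compare.
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    try:
        found = db.execute(query, (name, password)).fetchone() is not None
        return {"ok": found, "error": None}
    except sqlite3.Error as exc:
        # Detail is kept server side; the client gets a fixed message.
        if server_log is not None:
            server_log.append(repr(exc))
        return {"ok": False, "error": "login failed"}

if __name__ == "__main__":
    db = make_db()
    # A legitimate surname with an apostrophe is enough to show the difference.
    print(login_vulnerable(db, "o'brien", "x"))
    print(login_hardened(db, "o'brien", "x"))
```
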

I got to learn about sqlmap and many (open-source) tools out there that help you break into systems and explore vulnerabilities. Exciting times to be a white-hat hacker!

On a closing note

I’ve spent a few happy hours practicing different attacks and definitely recommend it to any engineer building a user-facing system -> you can’t know how to make systems secure if you don’t know how to break them.

And the format of CTF is fun, so give it a try and let me know about your experience.

Keep on hacking!