What is CTF? How to get started with CTF

What is CTF?
CTF is the abbreviation of Capture The Flag, and the Chinese name means the same thing. The term originally refers to a traditional Western sport in which two teams compete for each other's flag; when one side's flag is captured by the opponent, that side is defeated. In information security, CTF means using various attack methods to gain access to a server and then looking for a specified field, or a field with a fixed format, in a file. This field is called the flag, and it generally takes the form flag{xxxxxxxx}. Submitting it to the scoring server earns points.

CTF has a long history in information security. It originated at the DEFCON global hacking conference in 1996.

Why participate in CTF?
To get started with penetration testing, you need plenty of practice, right? However, since the promulgation of the "Network Security Law", randomly scanning other people's websites or performing unauthorized penetration testing carries real risk. There has also been news about this recently:


To be honest, this guy was only scanning, the attack was blocked by the firewall, and he didn't obtain anything, but he was sentenced all the same.

So remember not to scan domestic websites randomly, especially education and government websites. However, beginners cannot learn penetration testing without a suitable environment, and common target machines are too complicated for newcomers, who can easily end up not knowing where to start.

This is where CTF fits very well. A CTF challenge is generally built around one knowledge point, or a few combined, so it is relatively targeted. If you want to safely experience a sense of accomplishment and fun, and push yourself to learn while practicing, CTF is a good choice.

Types of CTF
CTF challenges are generally divided into Web (web penetration), RE (reverse engineering), Misc (miscellaneous), PWN (binary vulnerability exploitation), and Crypto (cryptography). Students who are interested in penetration testing are advised to start with Web challenges, supplemented by Misc and Crypto.

CTF is mainly divided into two modes. The first is the problem-solving mode. For web security, you are asked to compromise a website or target machine. After the attack succeeds, the system displays the flag, or you search for the flag in a directory, file, or database, and then submit it to the answering system for scoring. Reverse engineering problems generally take the form of cracking, keygens, dynamic debugging, memory dumping, and so on. You can learn how to approach these challenges by searching Baidu or Google for other people's problem-solving reports (keyword: CTF writeup).

The disadvantage of this mode is that it resembles "exam-oriented education". The current trend is toward difficult and obscure questions that ignore reality, much like the Olympiad. Moreover, this mode involves only attack and no defense, while most of the work in an enterprise is about how to defend. This is why the AWD attack-and-defense mode came into being.

The second is the attack-and-defense mode, also known as AWD (Attack With Defense, both attack and defense). You play both the offensive side and the defensive side in the same game; the attacker gains points, and the loser has points deducted. That is to say, when you capture a flag by attacking someone else's target machine, you gain points and they lose points. At the same time, you need to protect your own host from being scored on by others so that your points are not deducted.

This mode is very intense, so you need to be fully prepared, with solid defense plans and EXP attack scripts ready. When I participated in this kind of competition for the first time, I was beaten badly QWQ, but the more I participate in competitions, the more experience I accumulate. So there is no need to panic in this kind of game; just play more, learn more, and accumulate more.

There is also a rule in CTF that whoever turns in the flag first gets bonus points, so speed is also very important. But generally speaking, one is not as fast as the top players.

Comparison between CTF and real-world penetration
Real-world penetration testing follows a very complete process, starting from information gathering, then vulnerability detection, then attacking targets one by one, and many times nothing is found. In contrast, the goal of a CTF challenge is much clearer. Challenges below medium difficulty generally indicate in the description where the vulnerability lies. If there is no hint, there will not be many places to probe, and checking them one by one is enough.

Secondly, many CTF challenges are somewhat out of touch with reality. There are many set routines and leaps of imagination, and some knowledge points are not practical... how should I put it?

Sometimes, in order to come up with something new, the challenge author sets a question that can only be solved with a very big leap of imagination. Misc is the category hit hardest by this kind of question. Doing such questions does not really help with real-world penetration. For example, this crypto challenge was a big headache when I saw it for the first time. Please guess what it is:


I'm just staring at it...

Students who have done a lot of CTF will know that this is the "On Zen with Buddha" cipher, and I don't know who came up with it...

It is not uncommon to see confusing questions like this that require particularly strange tricks or routines. In fact, this deviates to a certain extent from the original intention of CTF. We want to improve our security skills, not to stretch our imagination.

Therefore, CTF questions that are relatively simple but rely on big leaps of imagination are only good for broadening your knowledge. Having said that, CTF competitions are now moving toward real-world practice. Many high-level CTF challenges simulate real websites, so that the experience feels more like actual penetration and the methods are closer to real-world work. The more conscientious CTFs in China include DDCTF, the Anheng Cup Monthly Competition CTF, and so on.

For information about CTF events, you can follow the event listings compiled by the XCTF community or CTFtime. Although it is very likely that you won't beat the top players in the game, it is still worthwhile to coast along and learn.

Summary


A novice-friendly collection of CTF practice ranges and materials

If you are a beginner, you can work slowly through the questions in the practice ranges. For questions that you don't know how to solve, you can go directly to Baidu or Google, where there are many problem-solving reports. The best way is to join a CTF group, where everyone helps each other and improves faster. If there is anything you need me to explain in more detail, please leave a comment or send a message.


Origin blog.csdn.net/2301_77152761/article/details/130754607