How does a complete beginner get started with and learn CTF? [Cyber security]

Recently a lot of beginners have messaged me privately: how do I learn CTF? How should a total beginner get started with CTF? I want to play CTF but have no idea where to begin.

After work yesterday I spent a few hours organising my thoughts on how to approach CTF learning, and I am sharing them here. If you find it helpful, remember to like, bookmark and follow!

CTF (Capture The Flag, a form of cyber security competition). A book I recommend to CTFers: "From 0 to 1: A CTFer's Growth Path", written by members of the Nu1L team. It covers the commonly tested areas of CTF, the underlying principles, exploitation, and problem walkthroughs, and is a fairly good introductory CTF book.

  1. How to learn CTF?
  2. What is the point of playing CTF?

CTF itself has several common categories: MISC, WEB, reverse, crypto and PWN.

First of all, do you want to be a specialist in one category or an all-rounder? Most people around me choose the web route (probably because there are more web-focused companies near me), so here I'll give you a learning route built around web security, and that is the one I recommend.

So first, the web security learning route, which is also the sequence I followed myself.

Web security knowledge (theory phase)

Web fundamentals / building a penetration-testing environment / common tools

1. Web fundamentals, such as HTML and other front-end languages. You can also learn what services run on ports such as 3306 and 3389. (For details, see the Loophole Bank learning route.)

2. Setting up a penetration-testing environment is also essential. The quickest way is to install a Kali Linux virtual machine, which is ideal for beginners: there is no need to configure many environments and tools because the system ships with them. Kali is a good choice for web security researchers. (You can message me privately for an installation tutorial.)

3. Commonly used tools, such as sqlmap for injection, plus Burp, MSF, nmap, BeEF, AWVS, wk and others that assist with and speed up penetration testing. (Tools need their environment configured; sqlmap, for example, needs a Python environment before it can run. This configuration is a pain for beginners; if you need a tutorial, message me privately.)

OWASP Top 10 vulnerabilities
  • Injection
  • Broken Authentication and Session Management
  • Sensitive Data Exposure
  • XML External Entity Injection (XXE)
  • Broken Access Control
  • Security Misconfiguration
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization
  • Using Components with Known Vulnerabilities
  • Insufficient Logging and Monitoring

These are the fundamentals. As a web security researcher you need to know them. Once you have mastered the principles of the OWASP Top 10, and how to discover, exploit and fix each one (I recommend gaining hands-on ability with each vulnerability, meaning you can reproduce it in a practice range, and only moving on to the next step once you understand it thoroughly), you can try testing some small and medium-sized websites for real.

Vulnerability hunting (first real practice)

Google hacking

Most students have probably not heard of it, not learned it, or have only a rough understanding of Google search syntax. They assume it is a generic feature of no great use and set it aside, but that is not the case: in most situations finding a vulnerability still depends on Google search syntax. Many students have read answers and articles by SRC experts, then simply grab their laptop and go looking on the Internet for large corporations, universities, government sites and similar platforms to penetration test. That approach is simply wrong. Putting aside the lack of experience, how much can a novice really gain by taking on such a big platform right at the start? (Unless you get lucky, which doesn't count.)

The skill level and methods in those articles and of those SRC experts may not apply to you. For beginners it is better to use Google search syntax to find vulnerabilities, for example logic flaws (SMS bombing): intitle:register inurl:http://edu.cn. If you don't understand this syntax, go back and learn it; it is the most basic thing. That simple Google query finds pages with logic flaws on educational institutions' sites; if you want to hunt for injection instead, use inurl:asp?id=

Hunting vulnerabilities this way is definitely more efficient than searching the Internet blindly. Google search syntax helps us filter websites: based on the URL characteristics of different vulnerabilities, the page content, the title and so on, we can use it to find relevant sites for penetration testing. This is very important for beginners hunting vulnerabilities.
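As an added illustration (not code from the original post), here is a small Python matcher that applies the operators above (intitle:, inurl:, intext:, site:, and a leading "-" for exclusion) to a constructed inventory of an organisation's own pages, so a defender can check which of their pages a given query would surface. The page data and the simplified substring semantics are assumptions, not Google's actual ranking behaviour.

```python
import re
from urllib.parse import urlparse

# Constructed inventory of an organisation's own pages (hypothetical data).
PAGES = [
    {"url": "https://www.example.edu.cn/index.html", "title": "Home", "body": "welcome"},
    {"url": "https://sso.example.edu.cn/register?step=1", "title": "Register - SSO", "body": "phone code"},
    {"url": "https://shop.example.com/item.asp?id=12", "title": "Item", "body": "price"},
    {"url": "https://old.example.edu.cn/news.asp?id=7", "title": "Campus News", "body": "register now"},
]

# One token: optional "-", optional operator prefix, then a quoted phrase or a bare word.
TOKEN = re.compile(r'(-?)(?:(intitle|inurl|intext|site):)?("[^"]*"|\S+)')


def parse_dork(query):
    """Split a query into (negated, operator, value) triples; 'any' means no operator."""
    terms = []
    for neg, op, val in TOKEN.findall(query):
        terms.append((neg == "-", op or "any", val.strip('"').lower()))
    return terms


def _field_matches(page, op, val):
    """Simplified operator semantics: case-insensitive substring on the chosen field."""
    url, title, body = page["url"].lower(), page["title"].lower(), page["body"].lower()
    if op == "inurl":
        # Google tolerates a scheme in inurl: values, so ignore it when matching.
        return re.sub(r"^https?://", "", val) in url
    if op == "intitle":
        return val in title
    if op == "intext":
        return val in body
    if op == "site":
        return (urlparse(url).hostname or "").endswith(val)
    return val in url or val in title or val in body


def dork_matches(query, pages=PAGES):
    """Return the URLs in the inventory that every term of the query selects."""
    terms = parse_dork(query)
    return [p["url"] for p in pages
            if all(_field_matches(p, op, val) != neg for neg, op, val in terms)]


if __name__ == "__main__":
    for q in ("intitle:register inurl:http://edu.cn", "inurl:asp?id=", "inurl:asp?id= -site:example.com"):
        print(q, "->", dork_matches(q))
```

Running the same query over a real inventory of your own sites (for example an export from your web server logs or sitemap) shows what an exposure query would reveal before anyone else looks.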

Website information gathering

  • In fact, when vulnerabilities can't be found, besides problems of mindset, technical problems, and the experts having found them first, there is another reason: information gathering was not done properly. Sometimes information gathering may seem trivial and useless, but sometimes it decides whether a penetration test succeeds, so we must do a good job of it in advance, using means such as whois, port scanning, directory enumeration, subdomain enumeration, mailbox enumeration and so on.
  • So which tools work better during information gathering?

That is the web security learning route I recommend to beginners. Now let's talk about the next question: what is the point of playing CTF?

  • Many students want to play CTF. Why?
  1. To earn more credits by competing
  2. To improve their personal technical level through competition
  3. To meet more experts, broaden their horizons, have more employment options, etc.

If you are a beginner who has just started learning or has not been in the field long, and you join some interesting competitions or teams, then even if you can't solve many problems and have little presence on the team, you will still learn a lot of operations, tricks and assorted odd skills you have never touched before.

But there is one thing students should note. At present many CTF problems and environments are detached from reality (real engagements). So playing CTF teaches skills, but may not help much with real-world work.

  • But you can still exercise your own penetration-testing thinking and techniques and your practical ability. At least in terms of fundamentals there will be a noticeable improvement compared with others.
  • Also, many CTFs today are backed by major companies, and many security companies' job postings say things like "CTF winners preferred", so at least it helps with future employment. Many colleges and universities also award credits for CTF competitions. For first-year students there are still plenty of benefits to playing CTF.
  • But at the end of the day, isn't CTF a bit like a gathering of hackers? There are not many competitions in China with an official background, and relatively few rankings and awards that major companies recognise.

However, in the end it is up to you. As long as you feel you are learning skills from the competitions and enjoying it, stick with it. But don't over-invest in CTF, as that can affect your future real-world projects. There is often a gap between real engagements and CTF: CTF tests ideas, while real-world work tests experience. Grinding CTF problems all the time can make your thinking "CTF-shaped", and CTF players should regularly guard against that.

After all, nobody can play CTF forever. The purpose of competitions is to learn knowledge, refresh your thinking and improve your own technical level, and more importantly to look towards real-world work. If you do well in CTF, you can move over to an SRC platform and take a look.

Also, if you want to become an excellent CTFer, you can join a CTF team. Joining a team lets you take part in more competitions and gives you more room to learn and more opportunities to exchange ideas. After all, not every CTFer has the talent to be a full-stack player; usually a team has different people responsible for different categories to get through a competition.

Finally, under what circumstances is playing CTF not recommended?

  1. Excessive immersion in CTF, such as its problem-solving tricks, problem-setting patterns, problem routines and so on.

First, this will affect your future penetration-testing work and projects. After all, you can't play CTF for a lifetime, and there is a difference between CTF and real engagements. Being too immersed in the CTF mode will leave you unable to perform in real engagements.

  2. Hoping to become an excellent CTFer in a short time

This kind of person is too impatient and will find it hard to persevere and study properly. If you are learning with this purpose and mentality, I personally don't recommend it; perhaps do something else instead?

Finally, I have also compiled a set of CTF-related documents and notes from previous years. If you need them, scan the CSDN officially certified QR code below on WeChat, or click the link to get them for free [guaranteed 100% free].

CSDN spree: "CTF Resource Pack"


Origin: blog.csdn.net/msb_114/article/details/131088117