Dear PenTest Readers,
It's been a while since we published an open-access issue, so it's high time to change it! This one is dedicated to the topic of Capture The Flag events. Participation in CTFs is the best way to practically learn the full scope of cybersecurity. No matter if you’re into red or blue teaming, OSINT, reverse engineering and binary exploitation, networking, steganography, or forensics, you will always benefit from taking part in CTF competitions. The business and educational value of Capture The Flag events will definitely keep on rising as well.
Taking all of this into account, PenTest Mag gathered 5 articles which present case studies from various CTF competitions, a report from the Collegiate Penetration Testing Competition (CPTC) written by one of its organizers, an article on the growing meaning of these events in the cybersecurity landscape and how it differs from certification and traditional education learning methods, and last but not least - a piece on the prospect of using CTF concepts as the perfect training for children and teenagers, presented on the case of Bolivia.
Regardless of whether you’re mostly interested in threat management, incident response, hacking, or forensics, you will definitely get inspired by this content. All you need to do is register on PenTest Magazine’s website with a free account to get the full issue free of charge.
Are you a CTF beginner or veteran? Do you prefer learning by practice, or reading about the experience of other professionals? No matter what your exact answer to these questions is, don’t hesitate and capture this flag!
Enjoy the reading,
PenTest Magazine's Editorial Team
This magazine is free to download, just register as a free user and enjoy your reading!
Table of Contents
“J3 - Call a Taxii” from Trend Micro CTF Finals
by Fernando Dantas
The challenge I chose for this write-up is the “J3 - Call a Taxii”. Sadly, I forgot to copy the original statement; basically, it gives us a malicious binary found in a security incident and TAXII server info where we can get more information. When trying to solve the challenge, I started first analyzing the binary and then connecting to the TAXII server to get the information, but I believe it was a mistake, since the information available in the TAXII server would make my static analysis simpler. Actually, it was my first time using TAXII (Trusted Automated Exchange of Indicator Information), which is a protocol for exchanging Cyber Threat Intelligence.
Hacking the Box - a CTF Writeup
by Federico Lagrasta
One of the best ways to learn new offensive security techniques and sharpen the old ones is without a doubt participating in Capture The Flag competitions, also known as CTFs. There are different kinds of CTFs, but the most common are Jeopardy, Attack & Defense and Boot2Root. The first one is by far the most common and consists of different categories of challenges, ranging from web attacks, to forensic analysis and binary exploitation. The team who scores the most flags (which are the proof of having solved a challenge) ranks first. The second kind instead sees two opposing teams. The teams are supposed to both hack the other team's infrastructure and defend their own. The last one instead focuses on hackers targeting a single machine, with little to no knowledge about it, with the aim of gaining a foothold and later taking full control of it. This is the kind of challenge we will focus on in this article.
DinoBank – Where Pentesting is Never Prehistoric
by Eric Crutchlow
If you were attending one of several colleges in the US, you might have been introduced to the Collegiate Penetration Testing Competition (CPTC, https://nationalcptc.org/). Started in 2015 and held at the Rochester Institute of Technology (RIT) in Rochester, New York, it has quickly grown to a nation-wide collegiate event. For most pentesters, learn by doing is the school we attended. But how much easier if you had a place that offers a real-world environment to test skills, learn to effectively use tools and methods without losing your job? That’s the goal of CPTC.
Evolution of the CTF: The Value of Training by Gaming
by Torry Crass
In the new era of cyber awareness, more organizations than ever before have come to realize the need for security of the cyber kind. Now, we can argue all day long about adequacy, funding, proper implementations, and strategies, but that's (still) a discussion for another time. The reality for the practitioner is there are more jobs out there and more need than ever. For the employer, the skills gap is real and the need for capable cyber experts is a serious struggle. The businesses need to continue to work to better understand cyber security and it's up to us to become good enough and understand the world of information technology well enough to be able to help put security controls around it.
CTF As Training For Freshers
by Ruben Suxo Camacho
In CTFs, there are different kinds of challenges, like Cryptography, Web hacking, Steganography, Networking, Reversing, Forensic, Exploits and OSINT. Nevertheless, the most common ones are the first four. Just as there are different challenges, there are also different kinds of CTFs, of which the two most common are Red Team vs Blue Team and Jeopardy. Red vs Blue is when there are two teams; each one contains a group of members who attack the other team, called the Red Team, and another group of members who defend against the attacks from the other team, called the Blue Team. Once each team defines its Red and Blue groups, each team will have a number of servers: the Blue Team of each one has to defend and harden the servers, while the Red Team of each one has to attack the servers and get the flags.