CTF: A Fun Way to Learn Hacking

A few months ago, I discovered CTFs, or Capture The Flag competitions. A CTF is a type of computer security competition. There are different types of CTF, but the jeopardy style is the most commonly used: players are given many security challenges covering various fields, such as forensics or reverse engineering, and need to solve as many as possible, as quickly as possible. Each solved challenge is rewarded with a certain number of points based on its difficulty, and the player with the most points wins.

I found that CTF is a really fun way to learn cyber security. The excitement you get when you use real exploits or tactics that you learned and see them actually work (you’ve hacked something), or the “Aha!” moment when you finally find the solution, is what makes CTF really fun to play.

My First CTF

I immediately joined KPMG Cyber Security Challenge 2019 in Malaysia when I first discovered the event. CTF is still a rare event in Malaysia compared to hackathons (the hackathons are almost weekly here). Hence, I just jumped at the rare opportunity there. Unfortunately, it was a 4-member team competition, and out of my 3 teammates, only 1 of them was available during the competition.

Sadly, my team was ranked at 32nd place out of 60+ teams and did not manage to pass the qualifier round. But nonetheless, I had a lot of fun, learned many things, and it was a great experience overall. And I personally think the result wasn’t too bad considering I just knew about CTF a few weeks prior and I was missing 2 members.

The Challenges

The qualifier round didn’t have a lot of questions: there were around 7, comprising only steganography, forensics, and reverse engineering challenges. I managed to solve 3 challenges, 1 from each field. I had a hard time solving the other RE challenges as they gave Windows executables and I was expecting ELF files. So, without further ado, here we go.

Steganography

Steganography is the art of hiding data, such as embedding a secret message in an image. One example application of this in security is hiding malware.

Angola — Least Significant Failure

So first we are given a link to a zip file.

Least_Significant_Failures_95988b81547c2be1431cfd83199c573c.zip

So we just unzip it, using the unzip command.

$ unzip Least_Significant_Failures_95988b81547c2be1431cfd83199c573c.zip

And we will get an image file kanye.png.

Before we do anything, we should check that the extension is correct using the file command, as files can be deceiving sometimes; it is indeed a PNG file. As this is a steganography challenge, and judging from the zip file name, it seems to use an LSB (least significant bit) technique to hide the flag somewhere inside the image. So first, we used zsteg, a program which will usually reveal text hidden in an image using the LSB technique.

However, this only resulted in gibberish text, as shown in the image above.
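
To make the LSB technique concrete, here is an added example (not part of the original writeup or the challenge) that hides and recovers a message in the lowest bit of raw RGB bytes. It works on constructed pixel data rather than kanye.png, all function names and sample values are assumptions, and it shows that an extractor only yields readable text when it reads the same channel and bit order that were used for hiding.

```python
# Added example: LSB hiding over raw RGB bytes, standard library only.
# Function names and all sample data are constructed for illustration.
import random

def _slots(n, channels):
    # Indexes of the carrier bytes: pixel data is R,G,B,R,G,B,...
    return [i for i in range(n) if i % 3 in channels]

def embed_lsb(pixels, message, channels=(0, 1, 2), msb_first=True):
    """Store message bits in the lowest bit of the chosen colour channels."""
    order = range(7, -1, -1) if msb_first else range(8)
    bits = [(byte >> i) & 1 for byte in message for i in order]
    slots = _slots(len(pixels), channels)
    if len(bits) > len(slots):
        raise ValueError("message does not fit in the cover data")
    out = bytearray(pixels)
    for slot, bit in zip(slots, bits):
        out[slot] = (out[slot] & 0xFE) | bit  # only the lowest bit changes
    return bytes(out)

def extract_lsb(pixels, length, channels=(0, 1, 2), msb_first=True):
    """Read `length` bytes back from the lowest bit of the chosen channels."""
    slots = _slots(len(pixels), channels)
    if length * 8 > len(slots):
        raise ValueError("not enough carrier bytes for that length")
    bits = [pixels[i] & 1 for i in slots[:length * 8]]
    out = bytearray()
    for n in range(0, len(bits), 8):
        chunk = bits[n:n + 8] if msb_first else bits[n:n + 8][::-1]
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)

def max_delta(a, b):
    """Largest per-byte change between cover and stego data."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed cover: 256 pseudo-random RGB pixels, seeded for repeatability.
_rng = random.Random(2019)
COVER = bytes(_rng.randrange(256) for _ in range(256 * 3))
SECRET = b"flag{constructed_example}"  # placeholder, not the challenge flag
STEGO = embed_lsb(COVER, SECRET, channels=(2,))  # blue channel only

if __name__ == "__main__":
    print("max byte change:", max_delta(COVER, STEGO))
    print("all channels   :", extract_lsb(STEGO, len(SECRET)))
    print("blue, MSB first:", extract_lsb(STEGO, len(SECRET), channels=(2,)))
    print("blue, LSB first:", extract_lsb(STEGO, len(SECRET), (2,), False))
```

Each carrier byte changes by at most 1, which is why the altered image looks identical to the eye and tools have to try many channel and bit-order combinations.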

Next, we try to use Stegsolve.jar, a Java tool for steganography that processes the image with various techniques (invert color, XOR, etc.) or filters.
