Beyond Advent of CTF 2020
Best wishes for 2021!
The last month of 2020, December, was dominated by the various Capture The Flag (CTF) competitions. If you’re not familiar with CTFs, here is a short explanation. A CTF competition consists of multiple hacking challenges that participants must complete. You can get your hands dirty in a safe environment. The difficulty of the challenges varies: most CTFs start with simple challenges, and as the participants complete them, the challenges become more and more difficult. The player completes a challenge by obtaining a flag and submitting it, and receives points for this flag. The number of points the player receives usually depends on the difficulty of the challenge. For example, the format of the flag can be `^FLAG^37ae568362f974017fa575f08cd215044cd6bb395c3f5e5e293ee5324ba6769c$FLAG$` (HackerOne CTF) or `HTB{Th1s_1s_4n_3x4mpl3_fl4g}` (Hack The Box).
CTFs usually have different categories of challenges. Common categories are:
- Web: The player is presented with a website and has to find a vulnerability in the web application and hack it to get to the flag.
- Coding (Programming): The player receives a script or program which needs to be resolved. In some cases, this type of challenge can be mixed with the ‘Web’ type.
- Reverse Engineering: The player needs to reverse engineer an executable to solve this challenge.
- Steganography: The player needs to find hidden messages in plain-looking objects. The Stego categories will have you use steganographic tools and your detective intuition to search for the hidden flag.
- Forensics: In this category, the player needs to find the flag through Wireshark traces or data recovery.
- OSINT: In this category, the player needs to find publicly available information to get to the flag.
- Misc: This category is for challenges that do not fit in a specific category. Just another challenge which needs to be solved.
Advent of CTF 2020
This year I participated in the CTF competition ‘Advent of CTF’. This CTF was organized by the NOVI University of Applied Sciences. The challenges were built by Arjen Wiersma, the Chief Lecturer for Cyber Security at NOVI. This was the first CTF competition in which I participated. The competition started on 1 December 2020 and ended on 24 December 2020; every day a challenge was unlocked. During this challenge, it was not allowed to use any automatic tools like sqlmap, tplmap, and so on. Everything had to be done manually. We were only allowed to use the web browser (with the Development Tools) and CyberChef. Burp Suite was allowed, and I used this application.
Of the 416 participants, I finished in 19th place, in the top 20. For my first CTF competition, I am quite proud of this position on the scoreboard. I participated in this challenge because I want to develop my skills and learn something new. So, that’s the prize that I’ve received for participating in this CTF competition.
To get the most out of the knowledge gathering, I also published the write-ups with a walkthrough on how I solved the 24 challenges. I write these write-ups to organize my thoughts, to share the knowledge, and to summarize what I have learned. You can find my write-ups here. I hope you will like my write-ups!
Skills improvement and learning
I learned a lot during this competition. I have improved my skills and gained new knowledge and experience. It is also always fun to share your techniques with the community and learn new techniques from the community. Some challenges were difficult for me to complete, and it is always nice that someone from the community can think along with you and give you a nudge in the right direction. The CTF was 100% based on Web Exploitation. Below is an overview of the topics covered during the challenges; each challenge had its own specific topic for education.
Challenge | Points | Learning topics | Write-up |
---|---|---|---|
Challenge 1 | 100 | Inspect page source; Identify and decode Base64; How the Advent of CTF system works | Advent of CTF 1 |
Challenge 2 | 200 | How cookies are stored in a browser; Identifying structures with Base64 URL Encoding; Manipulating JSON structures | Advent of CTF 2 |
Challenge 3 | 300 | How you can view Javascript in your browser; Read some Javascript to figure out what is happening; Running Javascript you wrote yourself | Advent of CTF 3 |
Challenge 4 | 400 | What Local Storage is in the browser; How to examine Javascript code in the browser; How to run code that is part of a web application in the browser | Advent of CTF 4 |
Challenge 5 | 500 | Discovery of SQL Injections; Deducing SQL queries; Manipulating SQL queries | Advent of CTF 5 |
Challenge 6 | 600 | How to identify a UNION SELECT; How to learn about other tables in a schema; How to use a substring | Advent of CTF 6 |
Challenge 7 | 700 | Identify SQL injections when there are no error messages; Use SLEEP() to extract data, character for character | Advent of CTF 7 |
Challenge 8 | 800 | What robots.txt files are | Advent of CTF 8 |
Challenge 9 | 900 | Read error messages; Identify JSON structures in Base64; JSON Web Tokens (JWT) and the NONE algorithm; That session management is important | Advent of CTF 9 |
Challenge 10 | 1000 | Local File Inclusions in PHP; Rainbow tables | Advent of CTF 10 |
Challenge 11 | 1100 | How to detect filtering; How to use php://filter | Advent of CTF 11 |
Challenge 12 | 1200 | Identifying a command injection; Using shell processing to execute commands; Redirect command output | Advent of CTF 12 |
Challenge 13 | 1300 | Edit and Resend requests with Firefox; Identify an XML file; Extract data using PHP filters | Advent of CTF 13 |
Challenge 14 | 1400 | Read some PHP; PHP Types | Advent of CTF 14 |
Challenge 15 | 1500 | Type juggling in strcmp | Advent of CTF 15 |
Challenge 16 | 1600 | Identify SSTI; Use SSTI to read program variables; Use SSTI to read files from the filesystem; Use some python | Advent of CTF 16 |
Challenge 17 | 1700 | Bypassing filters | Advent of CTF 17 |
Challenge 18 | 1800 | How to identify a Javascript injection; How to exploit a Javascript injection | Advent of CTF 18 |
Challenge 19 | 1900 | Bypassing the safe-eval module | Advent of CTF 19 |
Challenge 20 | 2000 | Identify serialized data; Manipulate serialized data | Advent of CTF 20 |
Challenge 21 | 2100 | The call_user_func function; The extract function; PHP sessions | Advent of CTF 21 |
Challenge 22 | 2200 | Server-Side Request Forgery | Advent of CTF 22 |
Challenge 23 | 2300 | How to identify WebSockets; How to send your own messages | Advent of CTF 23 |
Challenge 24 | 2400 | The basics of a blockchain | Advent of CTF 24 |
Earning extra points
During this CTF competition, every player could receive a badge after solving a challenge. The badge is an appropriate image for the challenge in question. During this challenge, two extra challenges were suddenly added, starting from challenge 20 and challenge 24. These challenges were related to the earned badges. There are apparently hidden messages to be found in these badges.
Badge Collector #2
This extra challenge was unlocked after solving challenge 20 and it’s worth 250 extra points. So, I’ve grabbed badge 20 and after some time of thinking and trying, I was able to reveal the hidden message with `strings`. The hidden message: `thisisgreatfun`.

```
strings c1f93b6ee2e1cd25ea02f9a78c364b12.png
```

The response:

```
2020-12-11T10:20:04+01:00
IEND
So far the challenge has been all about web application security. But these badges are quite something! Level 20 is a great point to add something in the mix don't you think? This puzzle does not have a badge, nor does the top 10 get additional points, but who doesn't like 100 extra points?
Badge Collector #2: thisisgreatfun
```

After submitting this message, I’ve earned 250 extra points.
Badge Collector #1
This extra challenge was unlocked after solving challenge 24 and it’s worth 250 extra points. After grabbing the badge from challenge 24, I tried several ways to read some information from this image. Like the previous one, I used `strings`, but no luck this time. As it’s an image, it holds EXIF data. So, we can try to read the EXIF data from this image. As we are working from a macOS machine, we can use the built-in utility `mdls` (which stands for metadata-ls) for extracting this information.

```
mdls b915cb528c4b3d6fc4644f73ba8b829d.png
```

The output:

```
_kMDItemDisplayNameWithExtensions = "b915cb528c4b3d6fc4644f73ba8b829d.png"
kMDItemBitsPerSample = 32
kMDItemColorSpace = "RGB"
kMDItemComment = "Thank you for playing Advent of CTF. I had a great time creating these challenges. I hope you had a great time solving them! You can enter this flag for the challenge "Badge Collector #1": untilnextyear"
kMDItemContentCreationDate = 2020-12-11 09:41:14 +0000
kMDItemContentCreationDate_Ranking = 2020-12-11 00:00:00 +0000
kMDItemContentModificationDate = 2021-01-01 16:36:11 +0000
kMDItemContentModificationDate_Ranking = 2021-01-01 00:00:00 +0000
kMDItemContentType = "public.png"
```

We can now read the flag from the EXIF data, the flag: `untilnextyear`. Does this mean that we have the next Advent of CTF in 2021? I hope so!
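Both badge messages can be looked for in one pass by walking the PNG chunk structure instead of relying on `strings` or `mdls`. The Python sketch below is an added example, not part of the original write-up: it decodes the tEXt, zTXt and iTXt text chunks (the compressed kinds do not show up in `strings` output) and returns any bytes stored after `IEND`. How the badges actually embed their messages is an assumption; `inspect_png`, `chunk`, `inflate` and the sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))

def inflate(data: bytes, limit: int = 1 << 20) -> bytes:
    """Decompress with an output cap so a hostile chunk cannot exhaust memory."""
    return zlib.decompressobj().decompress(data, limit)

def inspect_png(blob: bytes) -> dict:
    """Return decoded text chunks and any bytes stored after the IEND chunk."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    texts, pos = {}, len(PNG_SIG)
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk")
        ctype, data = blob[pos + 4:pos + 8], blob[pos + 8:end - 4]
        if struct.unpack(">I", blob[end - 4:end])[0] != zlib.crc32(ctype + data):
            raise ValueError("bad CRC in %r chunk" % ctype)
        key, _, rest = data.partition(b"\x00")
        if ctype == b"tEXt":            # plain Latin-1, visible to strings
            texts[key.decode("latin-1")] = rest.decode("latin-1")
        elif ctype == b"zTXt":          # deflate-compressed, invisible to strings
            texts[key.decode("latin-1")] = inflate(rest[1:]).decode("latin-1")
        elif ctype == b"iTXt":          # UTF-8, optionally compressed
            packed = rest[:1] == b"\x01"
            _lang, _, rest = rest[2:].partition(b"\x00")
            _tkey, _, val = rest.partition(b"\x00")
            texts[key.decode("latin-1")] = (inflate(val) if packed else val).decode("utf-8")
        pos = end
        if ctype == b"IEND":
            break
    return {"text": texts, "trailing": blob[pos:]}

# Constructed 1x1 sample: a compressed comment plus text appended after IEND.
SAMPLE = (PNG_SIG
          + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + chunk(b"IDAT", zlib.compress(b"\x00\x00"))
          + chunk(b"zTXt", b"Comment\x00\x00" + zlib.compress(b"constructed comment"))
          + chunk(b"IEND", b"")
          + b"constructed trailer\n")
```

To check a real file, pass `open(path, "rb").read()` to `inspect_png`; a non-empty `trailing` value or an unexpected text chunk is worth a closer look.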
Looking forward to the next CTF competition. Thanks for creating and hosting this CTF challenge, Arjen Wiersma!!