Your One Stop CTF Resource Guide
What are CTFs? 👾
CTFs are gamified cybersecurity competitions, where you solve different challenges for “flags”, or an answer of sorts!
In true l33t hacker terms, this would be sort-of hacking an application to obtain a password (aka the “flag” in this context) as proof that you have compromised the system.
They are a fun way of developing cybersecurity skill sets, as well as reinforcing what you know and learning new hacking and cybersecurity concepts.
Something important to note is that CTFs are not a realistic overview of the day-to-day work that cybersecurity professionals do. As mentioned, they are meant to be a fun way of testing the knowledge and skills you possess.
CTF Formats
These CTF competitions usually occur in two formats — Jeopardy and Attack & Defence.
Jeopardy provides participants with a series of challenges across different technical domains; participants solve them and submit the flags to the CTF platform for points.
In contrast, in an attack-defense CTF format, each team is provided with a machine that is running some vulnerable services. Participants have to exploit these vulnerabilities on the other teams’ machines to gain points, while fixing their own services so that they won’t be attacked.
Getting Started ⛳
Setting up a CTF Environment
The most important thing you need before getting started is your very own Linux environment.
The recommended and straightforward setup is to download a pre-built Kali Linux VM here, and download VMware Workstation Pro by following the instructions here.
Alternatively, Windows users can opt to use Windows Subsystem for Linux (WSL). Ensure that you are using WSL2 and not WSL1.
Where to find CTFs?
Usually for local CTFs, you have to look out for advertisement blasts nearer to the dates or learn about them via word of mouth.
Usually you can follow the social media of different cybersecurity groups around Singapore to get more news about happenings in the scene.
For CTFs in general, you can find many international CTFs happening almost every weekend on CTFtime.
Learning Resources 📚
There are various kinds of resources shared below.
Some of them are more general while most of them are specific to certain cybersecurity domains.
Good Overall Training Platforms
If you’re just looking for a platform to explore, try out, and learn some basic CTF skills on, these are some good places to start.
They provide beginner guides and beginner-friendly challenges for you to attempt all year round.
- PicoCTF
- Dreamhack - this contains training resources and challenges for every category mentioned below <3
General cybersecurity knowledge
- WhiteHacks 2021 - good contextual basics for beginners
- LiveOverflow YouTube - for the visual/auditory learners
An important fundamental in cybersecurity is getting used to a Linux terminal. The following resources familiarize you with navigating around a Linux shell.
Reverse Engineering
Reverse Engineering is typically the process of taking a program and understanding its functionality by converting it to assembly/code and then working out what that assembly/code does.
- omu.rce - learn about low-level assembly and Linux basics
- challenges.re - a comprehensive book on reverse engineering with practice exercises
- crackmes.one - a series of programs to reverse engineer and crack
Binary Exploitation / Pwn
Binary Exploitation involves taking a program, reverse engineering it to identify vulnerabilities, and finally exploiting them in order to get access to a remote system or modify the functionality of the program.
- Nightmare - collection of pwn writeups on different topics. learn by examples!
- RopEmporium - guide and practice on some pwn stuff
- Pwn College - covers all kinds of pwn concepts from beginner to advanced
- Modern Binary Exploitation - old but gold resources, from rpisec
A bit of a shameless plug, and still empty at the moment, but watch this page for a zero to hero pwn guide!
Forensics
Forensics is the art of recovering the digital trail left on a computer. There are plenty of methods to find data which is seemingly deleted, not stored, or worse, covertly recorded.
Digital Forensics is such a broad topic that there is no one-stop resource to learn about it.
However, you can look at CTF101 to see some common topics that you can google and do more research about!
Cryptography
Cryptography as a topic is about implementing complex and unbreakable encryption algorithms in order to secure our data online. In CTFs, we look at the math behind these algorithms and find ways to target weaknesses in these algorithms in order to break weak implementations of them. In general, just mathy stuff D:
- CryptoHack 🥇 - one of the most popular and exhaustive crypto platforms out there
- cryptopals
Web Exploitation
Web Exploitation involves finding vulnerabilities in web applications and exploiting them to gain some kind of higher privileges.
- PortSwigger 🥇 - covers many different classes of web vulnerabilities with practical labs
- Lord of the SQLi - deep dive into SQL injection with basic to advanced challenges
- Websec.fr - another practice platform with web challenges
Blockchain Security
Blockchain involves the auditing of Smart Contracts to find exploitable bugs (usually more logical bugs unlike pwn) that can potentially be used to steal money out of a Smart Contract.
- Ethernaut - beginner friendly guide to smart contract vulnerabilities with practices
- onlypwner.xyz - practice platform with smart contract challenges
Tools ⚒
In order to solve different kinds of complicated problems, we have to learn to use different sets of tools to approach them.
Pwn / Binary Exploitation / Reverse Engineering
- IDA Pro / Binary Ninja / Ghidra - disassembler/decompiler to reverse engineer any executables
- WinDBG / x64dbg - useful debuggers for Windows programs
- GDB - debugger for Linux programs
- PwnDBG / GEF - extensions for GDB which make it much more usable
- PwnTools - automation when interacting with programs and remote services
- one_gadget - find one gadgets in a program (installed with Pwntools)
- ROPgadget - find ROPgadgets in a program (installed with Pwntools)
- SysInternals Suite - trace what a Windows program does when run
- JADX / JEB - decompile Android APKs to Java code
- Angr - symbolic execution
- Unicorn - binary emulation
Web Exploitation
- Burp Suite - suite of tools to manipulate web traffic
- curl / httpie - command line tools to directly send a request to a website
- requests / beautifulsoup - Python libraries to automate website interaction
- dirsearch - brute force website paths
Forensics / Miscellaneous
- CyberChef - all kinds of byte manipulation
- AperiSolve - one-stop solution for image steganography
- binwalk - identifying/extracting embedded files
- FTK Imager / Autopsy - analyze disk/image files
- Wireshark - analyze network packet captures
- Volatility - used to analyze a memory dump of an entire computer
- Crackstation - look up known hashes
- John - used to brute force hashes
Cryptography
- SageMath - Python with additional cryptography math functions