Take note of this website: https://metactf.com/tools/cyber/. We found it to be very useful.

Overall

What is a CTF? I've never done a CTF before. Help me! Trust us, you'll be surprised at how much you already know. You have the entire internet at your disposal as well, so you are welcome to Google and research vulnerabilities. Below are some resources you can check out from other similar CTFs that walk you through some answers to their problems. Make sure to check through the other resources, which may also help. Good luck!

Programming Mindset

When programming, especially when the system will have many users, it is important to follow good programming practices. One needs to be aware of potential format string attacks, buffer overflows, SQL injection, and more. When working on a CTF problem, particularly Web Exp challenges, ask yourself if best practices are being followed. Are they properly comparing two strings together? Is the web app vulnerable to SQL injection? Your best bet is to research the functions used in the code and make sure you understand them before you can exploit them.

Algorithms

Put simply, an algorithm is a step-by-step process to accomplish a specific task. Algorithms are used heavily in programming and are instrumental to designing a good program. When analyzing code, see if you can understand all the steps the programmer has taken. By doing so, you might see a check the programmer forgot to do; perhaps he was too lazy to sanitize user input? When you are approaching other problems, you can also benefit from just breaking the problem down and taking a very algorithmic approach.

Cryptography

One of the best ways to prevent black hats from stealing your data is through strong cryptography. Unfortunately, many sites either choose not to implement it or do it wrong. Always try to use sites with the green "https," especially if you are making a purchase. When checking for vulnerabilities, make sure their crypto is up to date with best practices and they are using sufficiently large numbers. One of the biggest dangers is using small or weak numbers, which can make the encryption easily crackable. Oh, and do NOT implement your own crypto. Really. You will do it wrong.

Reconnaissance

Recon in CTFs is mainly proving you can utilize the full power of the Internet. For these problems especially, and also for others, you should be Google searching to the best of your abilities. Make sure to use the advanced search features like using quotes around text to search for a specific string. If you are trying to track someone down, make sure to check their social media accounts and generally look around to identify their presence online. Remember, search engines are your friends.

Number Bases

Seriously, why do we use base 10 when we could just use base 7 for everything? Or base 13? Or base 22? Maybe everything could just be binary, 1 or 0. Understanding number bases is an important concept in Computer Science, especially binary (base 2), octal (base 8), and hexadecimal (base 16). There are plenty of converters online to use, but you could also just write your own of course. Pay close attention when programming with bases; otherwise you can get an unexpected result. For instance, in Java, placing a 0 in front of a number denotes octal.

Binary Logic

Wouldn't it be nice if everything in life was binary? Yes or no. No in-betweens. That's essentially what binary logic is. Binary logic is another critical part of Computer Science, and understanding logic will help immensely in programming. It is important to know how the conditions relate to each other and what happens if each is true or false. Drawing it out on a truth table may help as well, especially when there are lots of NOTs, ANDs, ORs, and shifts.

HTML & CSS

HTML and CSS are like the bread and butter of the Internet. They make up each and every page on the Internet and control the display and formatting. They can also be used in malicious ways like hiding invisible iframes, or using CSS to hide certain things from you. If you want to see all the parts of a webpage, you can either use DevTools or right-click and then view source. When viewing the source, you can make sure all the code is on the up and up and that the site is not sneakily loading in bad JavaScript code.

JavaScript

JavaScript is probably the most popular web-based language and is one of the most popular programming languages overall. JavaScript can be used for just about everything; it is extremely powerful as you can use it to modify the DOM and more. The possibilities are endless; however, JavaScript also can have some serious security implications. Functions like eval() can be used to execute any code on a page. One common vulnerability is called Cross-Site Scripting (XSS), which allows attackers to execute code on the webpage of any visitor to the website.

Browser Developer Tools & view-source

The developer tools in browsers like Chrome are pretty powerful, and they come built in without the need to download or install other extensions. You can do things like check the source of the page and it will even show you which code corresponds to what part of the page. You can also use it to show the resources fetched, emulate a mobile device, or interact with the JavaScript console. These tools can be very helpful to figure out what the website is doing like what requests it is making or where it is sending your data.

Servers

That's what this website is hosted on! Servers are basically just regular computers with special software installed and configured so any computer can connect to them through the internet. The most common software used is Apache, which is what our server is running. Microsoft also has a web hosting program called IIS.

Server Side vs. Client Side

First we have server-side, which is what happens on the server before the data gets sent to the client. One example is PHP. When a user goes to the page, PHP generates the HTML for the page and then delivers it to the client. When everything happens on the user's end, that is called client-side. For example, when JavaScript runs, it happens without any further interaction with the server.

PHP

PHP stands for PHP: Hypertext Preprocessor (see that, the first word of the acronym is the acronym). The main goal of PHP is to make it easy for web developers to dynamically generate webpages efficiently. When the user requests a page, the server will process the page and then generate specific HTML code for the user. This allows for things like customized content or the little box that says you are logged in as "Jake".

CGI

CGI, Common Gateway Interface, provides a means for a web server to connect the user's request to an application (or script(s)). This basically creates a bridge between the user and a set of scripts (that can be in any language). The interface is also consistent across any operating system to make it easy to deploy.

Databases

Databases are used to store data, whether that be customer data, product information, and more. For example, we store the user accounts for this site as well as problem data in the database for the site. If you pay any attention to the news, you will know how important it is to make sure your databases are secured properly. If an attacker can get into your database, they can do a lot of damage, including stealing valuable user information. That is why it is important to protect yourself from things like SQL Injection.

SQL and SQL Injection

SQL is a querying language used for requesting and modifying data contained in a database. It provides an easy way to access the user data and more, which can be used to dynamically generate the webpage. SQL Injection is a common vulnerability associated with SQL. SQL Injection can be used to convince the database to return more information than it should, to modify current data, or to run the infamous DROP TABLE command. Check out the links below to learn more.

Steganography

Steganography is the art of hiding information with the intent that it will be hidden from everyone except for the intended recipients. Steganography can take a myriad of different forms from hidden text in pictures, to obscure codes and more. For example, terrorists have been known to pass secret messages and files hidden in images. When analyzing an image or other format, make sure to take a thorough look at it and maybe even check things like metadata.

Basic Ciphers

Ciphers such as these range from simple pen and paper ciphers to a bit more complex ciphers. Most of these are only good at obscuring the text as they typically don't use several hundred digit long numbers to ensure security and thus many can be easily decrypted. The Rumkin site (below) is an excellent place that contains many basic ciphers and also provides some history on them.

Repeating XOR

On this one, I will defer directly to the first link since I think they can explain it a lot quicker and better than I can. Anyway, a few things. First, remember that brute forcing can be helpful to print out all possible solutions here. Second, shorter keys (under 8 or so characters) are probably crackable, but for anything larger than that it will be pretty impossible.
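The following added example (not from the linked write-up or this site) implements repeating XOR and shows the brute-force idea one key position at a time: each key byte only touches every Nth ciphertext byte, so once a key length is guessed, each position can be searched on its own. The key, the plaintext, the guessed key length and the ALLOWED character set are all assumptions constructed for the demo.

```python
import string
from itertools import cycle

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

# Assumption: the plaintext is English text made only of these characters.
ALLOWED = set((string.ascii_letters + string.digits + " .,'{}_").encode())

def column_candidates(ciphertext: bytes, key_len: int):
    """For each key position, keep the key bytes that decrypt every
    ciphertext byte in that column to an ALLOWED character."""
    result = []
    for i in range(key_len):
        column = ciphertext[i::key_len]
        result.append([k for k in range(256)
                       if all((c ^ k) in ALLOWED for c in column)])
    return result

# Constructed sample: the key and plaintext are made up for this example.
SAMPLE_KEY = b"ctf"
SAMPLE_PLAINTEXT = b"the flag is hidden in plain sight, keep looking"
SAMPLE_CIPHERTEXT = xor_repeat(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    # Print how few key bytes survive the filter at each position.
    for pos, cands in enumerate(column_candidates(SAMPLE_CIPHERTEXT, 3)):
        print(pos, len(cands), "candidate key bytes:", bytes(cands))
```

The longer the ciphertext, the more bytes each column has to satisfy, and the fewer candidate key bytes remain to print out and inspect.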

RSA

RSA (Rivest-Shamir-Adleman) is a public key cryptosystem which is commonly used to encrypt and send data over the web. It has a public and a private key, relying on the fact that it is almost impossible to factor very large numbers (like 2048 bits). One of the most common attacks or weaknesses in RSA is when the public key can be factored. For example, even if the public keys are very large, if they share a common factor, it is easy to find the GCF between the two, which lets you find p.
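The shared-factor weakness described above, as an added example that is not code from this site: two moduli that reuse one prime are split with a single gcd, after which the private exponent follows directly. The primes are small constructed values (Mersenne primes) chosen only so the demo runs instantly, and the function names are made up for the illustration; the same gcd check can be run over your own keys to confirm none of them share a prime.

```python
from math import gcd

# Constructed toy key material: Mersenne primes, far too small for real use.
# SHARED_P is deliberately reused in both moduli to model the weakness.
SHARED_P = 2**61 - 1
Q1, Q2 = 2**31 - 1, 2**89 - 1
E = 65537

def find_shared_factor(n1: int, n2: int):
    """Return a prime common to two distinct moduli, or None if coprime."""
    g = gcd(n1, n2)
    return g if 1 < g < min(n1, n2) else None

def private_exponent(p: int, q: int, e: int = E) -> int:
    """With both factors known, d = e^-1 mod (p-1)(q-1) follows directly."""
    return pow(e, -1, (p - 1) * (q - 1))

def demo():
    n1, n2 = SHARED_P * Q1, SHARED_P * Q2    # the two public moduli
    message = 424242
    ciphertext = pow(message, E, n1)          # textbook RSA, no padding
    p = find_shared_factor(n1, n2)            # one gcd, no factoring needed
    d = private_exponent(p, n1 // p)          # q is simply n1 / p
    return p, pow(ciphertext, d, n1)

if __name__ == "__main__":
    p, recovered = demo()
    print("shared prime:", p)
    print("recovered message:", recovered)
```

The gcd runs in a fraction of a second even on 2048-bit moduli, which is why key generation needs a good source of randomness: two keys must never end up with the same prime.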

Elliptic Curve Cryptography

Also referred to as ECC, Elliptic Curve Cryptography is more common than you might think. When you see that a connection uses ECDH_ECDSA as the key exchange mechanism, that is using ECC. This is yet another way to encrypt data, similar to RSA. Our best suggestion is to read up on the links below if there is a problem involving ECC.

Python

In recent years, Python has become one of the most popular programming languages. It has a very simple syntax (reading almost like plain English), and it can do it all. It enables programmers to express more in much shorter, readable code. Since it is very easy to learn, many start off learning Python as opposed to other languages.

Java

Java is a very popular computer language, one that is also used on the AP Computer Science Exam. It is object oriented. In addition, since the source code is compiled into bytecode before execution and Java is run in a JVM (Java Virtual Machine), the code can be written once, and run anywhere.

Object-Oriented Programming

Object-oriented programming is a type of programming that revolves around the creation of objects. Each object is laid out in a hierarchy similar to a family. Children can inherit from their parent class, and so on. This structure lets objects share different functions and data, which saves code. Remember inheritance concepts like IS-A and HAS-A.

Brute-forcing in Programming

When in doubt, brute force it. While this solution might not always work (like when you have massive numbers in crypto -> see attempting to factor a key in RSA), it will surprisingly work pretty often. Tie in some speed enhancements and then it will work even better. This can be helpful in a lot of different ways from breaking simple ciphers to trying to attack each port on a server.

Our Suggestions

We wanted to take a moment to link to some of our favorite tools and services out there as well. While this list certainly won't include everything, it is an excellent collection containing some of the services we use and count on every day. If you see any other awesome sites or apps that are going above and beyond that you enjoy using, feel free to tell us about them at contact@metactf.com.

Links:

LastPass, Duo Mobile, Todoist, Google Inbox, Google Keep, Ars Technica