TrunkCTF Resources
Howdy, and welcome to TrunkCTF! This page is meant as a quick intro to CTFs and what to expect during the event. If this seems like a massive infodump, that's okay - this is intended to be a collection of helpful info and tools that you can reference during the event, and it is not required reading (although if you wanted to read the whole thing, I certainly wouldn't stop you). And of course, feel free to reach out to me if you have any questions - I'm more than happy to help.
What is a CTF?
CTF, or Capture the Flag, is a security competition where players are given a set of challenges, and compete with each other looking for flags, which are small strings of text in a certain format (for this CTF, flags start with tctf{ and end with }). When you find a flag, you can submit it for points, and whoever gets the most points the fastest wins.
This is a Jeopardy-style competition, which means that there will be a handful of challenge categories, with several challenges worth differing point values in each category - I've written up a brief intro to each challenge type below.
For a slightly longer explanation, LiveOverflow has a decent video.
FAQ
Do I need to be able to hack to play?
Absolutely not! The biggest thing you need is the ability to Google and a desire to break things - everything else you can pick up on the fly.
Do I need to be able to code to play?
It would certainly help, but it's not required. Many of the challenges will have provided source code that you'll need to find a vulnerability in, and some are rather involved. However, all of the OSINT (open source intelligence) challenges are intended to be solved without needing to read or write a line of code, and some of the other challenges have minimal code.
Challenge Categories
There will be 5 categories of challenge in this CTF: Crypto, OSINT, Web, Bin and Misc. There are other categories, but these are the main ones you'll see (with one exception detailed below).
Crypto
Crypto, or cryptography challenges, are challenges about encryption (and not about cryptocurrency!). These can range from breaking old and known-broken encryption schemes (sometimes ancient ones!), to using advanced math to attack the encryption schemes of today. Some helpful tools here are CyberChef for simple ciphers and data manipulation, and beefy tools like SageMath for doing advanced crypto math (you likely won't find such complicated challenges at this CTF, though).
OSINT
OSINT, or open source intelligence challenges, are challenges about using openly available information on the internet to find out information. This could be finding someone's location from a photo they posted or finding information about someone from what they've posted online. In general, these are low-tech challenges, and in this CTF specifically, all of the OSINT challenges can be solved without writing a line of code.
Web
Web challenges are challenges where you break a website, making it probably the most diverse challenge category. These challenges can range from SQL injection, to bypassing authentication, to injecting code into the webpage (e.g. an XSS or SSTI attack), to much, much more. Useful tools here are your favorite way to make network requests (cURL, Postman, BurpSuite, the Python requests library, etc.).
Bin
Bin, or binary exploitation, is a combination of two of the harder challenge categories - rev and pwn. They both deal with binary executables and are arguably both the hardest and the coolest ways to hack. You'd normally find these challenge categories separate in other CTFs, but they're similar enough and I don't have too many challenges for either, so I'm combining them here.
Rev
Rev, or reverse engineering, entails taking a (usually-compiled) program and figuring out how it works. The most common rev challenge is a flag checker - a program that takes in input and tells you if it's correct or not - the correct input is the flag. Thus, you need to pull apart the program to figure out what makes it tick. These won't always be compiled binaries - they can sometimes be highly obfuscated programs in interpreted languages. Some helpful tools here are DogBolt and Ghidra, which decompile a compiled program so you can look at an approximation of the original source code.
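As an added illustration (not part of any TrunkCTF challenge or the original page), here's a toy flag checker of the kind described above, along with the function that reverses it. The key, the target bytes and the flag they hide are all constructed for this example.

```python
# Added example: a toy flag checker and its inverse.
# KEY and TARGET are constructed values; a real challenge would bury
# constants like these in a compiled or obfuscated program.

KEY = bytes([0x13, 0x37, 0x42, 0x5A])
TARGET = bytes.fromhex("6755383f6c54782f54633132")


def scramble(data: bytes) -> bytes:
    """The checker's transform: XOR with a repeating key, then add the byte's index."""
    return bytes(((b ^ KEY[i % len(KEY)]) + i) & 0xFF for i, b in enumerate(data))


def check_flag(candidate: str) -> bool:
    """What the challenge program does: scramble the input and compare to a constant."""
    data = candidate.encode()
    return len(data) == len(TARGET) and scramble(data) == TARGET


def recover_flag() -> str:
    """What the reverser does: undo each step in reverse order.

    The checker XORs and then adds the index, so we subtract the index
    first and XOR with the same key byte second.
    """
    plain = bytes(((t - i) & 0xFF) ^ KEY[i % len(KEY)] for i, t in enumerate(TARGET))
    return plain.decode()


if __name__ == "__main__":
    flag = recover_flag()
    print(flag, check_flag(flag))
```

The checker never stores the flag in plain text, so running strings on it finds nothing useful; you have to read the transform and invert it.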
Pwn
Pwn challenges (typo of "own", as in "to own") involve breaking into a live service. You'll usually get a copy of a program running on a live server, and have to break in. These exploits can get very complicated very quickly, but usually involve some sort of memory corruption, such as a buffer overflow. pwntools is very helpful for interacting with servers, and there are plenty of tutorials for simpler exploits. pwndbg or some other augmented gdb is also very helpful for debugging and inspecting the memory layout when pwning.
Misc
Misc challenges are anything that didn't fall into one of the above categories. These can be pure programming challenges, neat tricks, or anything and everything, really.