
Hacking at CTF UCLA:

A Beginner's Guide
Date: 05/21/2017

https://ctfcalifornia.org/

CTF Overview
CTF UCLA has three types of questions:
Flag: An offline challenge which usually provides a small file to download.
Example: "Take this binary and exploit it to get it to emit a hidden phrase (the flag)." Flags can be of many types, but common ones are:
  i. Binary exploitation or reverse-engineering: find a hidden phrase in a binary (compiled program) or modify its behavior in unintended ways
  ii. Cryptography: A challenge in which you need to decode a file or plaintext. CTF UCLA has no crypto questions this year.
  Example: This plaintext file is encoded. Decode it to find the hidden message.
  iii. Steganography: A challenge involving finding or extracting a hidden message from a picture.
  Example: Here is a .jpg image, find the flag hidden in it.
Base: An online challenge where an up-and-running system must be compromised. We don't have any base problems during this CTF, but maybe next year!
Example: "This web app is vulnerable. Compromise it and get it to emit a hidden phrase (the flag)."
Quiz: A short question to which you input an answer.
Example: "What is the largest key size for AES?"

What's an Exploit?
An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized).
A better question, though, is how do you figure out what exploit to use? Unfortunately, there isn't any kind of formula or algorithm that can guarantee you an answer; however, here are a few tips:

- Read the question title and text carefully. Questions often contain hints about the exploit to use, or at least what you need to google.
- Google anything and everything. Seriously, Google is your best friend during a CTF. Google terms remotely related to the question; heck, if you are really stuck, Google common CTF flag questions or check cybersecurity StackOverflow. For beginners, CTFs often become a competition about who can google the best and learn new topics fastest.
- Often, knowing the background or underlying infrastructure behind operating systems or the basic functioning of ports makes figuring out an approach easier. Wikipedia articles are usually sufficiently thorough.
  Common ports used:
  http://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-sg-en-4/ch-ports.html
  https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
  OSI:
  https://en.wikipedia.org/wiki/OSI_model
  HTTP:
  https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol
  TCP/IP:
  https://en.wikipedia.org/wiki/Internet_protocol_suite
Also, here's a quick reference to figure out what kind of challenge you are facing, based on what's given in the question:
- Web link: Web question (relating to/using HTTP, PHP, JavaScript, SQL, curl, nc)
- Image/Music File: Steganography (https://en.wikipedia.org/wiki/Steganography)
- Jumbled Text File: Cryptography (we don't have any for this CTF)
- Still in doubt? Never fear, use the file command on the terminal/command line:
  file <filename>
  Let's interpret the results:
  - PCAP/anything web or packet related: Web question
  - ELF/an executable: Reverse engineering (a kind of flag; you need to disassemble it using GDB)
  - Any other output? Plug the results into Google.
This link provides a more in-depth explanation of the things I mentioned above and can serve as a great supplementary resource:
https://github.com/ctfs/resources/tree/master/topics

Quiz
Quiz questions are pretty straightforward: you'll get a question based on your understanding of computer systems and cybersecurity. The right answer will give you the points you need.
The best way to approach these problems? Google. Google strategically and pay close attention to the phrasing of questions (they often provide clues).
Quizzes test your knowledge of basic cybersecurity and trivia (either historical/linux/port related).
Some quizzes may seem like a test of your googling ability, but in reality they aim to teach you about some really cool aspects of cybersecurity while you read up on new concepts.

Example
How many cookies does ctf.linux.ucla.edu use?

Explanation:

Cookies are pieces of data a website tells a browser to store on its behalf. They're typically used to maintain state for a website, such as which user the browser is logged in as, or what is in the shopping cart.

The simplest way to look at cookies is to use the browser's developer console and inspect the Cookies tab. Doing so will show 7 cookies.

Unfortunately, a pure HTTP tool like curl may not work here, due to the possibility of a website using JavaScript and AJAX to set additional cookies beyond the initial page load.

Steganography
To quote our lord and saviour Google,

Steganography is the hiding of a secret message within an ordinary message and the extraction of it at its destination.

In simpler words, steganography is basically hiding a secret in an image. To be able to solve a steganography question, you need to process the image until you uncover something suspicious. Knowledge of how image data is stored will also come in handy.
The two most common approaches to steganography include:
1. Applying filters using GIMP/Photoshop and playing around with
2. Processing pictures using online software/scripts
Reading this link will greatly help you during the CTF:
https://github.com/ctfs/resources/tree/master/topics/steganography/file-in-image

Example:
https://ctfs.github.io/resources/topics/steganography/invisible-text/README.html

GDB
GDB is the GNU Project debugger, which allows you to step through a program. It's generally used to catch bugs, and in our case, to exploit these bugs as well. To quote the official GDB guide, this is what you can do with GDB to try solving challenges:
- Start your program, specifying anything that might affect its behavior.
- Make your program stop on specified conditions (setting breakpoints/watchpoints).
- Examine what has happened, when your program has stopped.
- Change things in your program, so you can experiment with correcting the effects of one bug and go on to learn about another.
Here are two cheat sheets of key GDB commands:
http://www.yolinux.com/TUTORIALS/GDB-Commands.html
http://darkdust.net/files/GDB%20Cheat%20Sheet.pdf
These are the basic commands you definitely need to know; run these in the terminal/command line:
gdb program [core]: debug program [using coredump core]
b [file:]function: set breakpoint at function [in file]
run [arglist]: start your program [with arglist]
bt: backtrace: display program stack
p expr: display the value of an expression
c: continue running your program
n: next line, stepping over function calls
s: next line, stepping into function calls

Flags
The goal is simple: find a string of characters - the flag. Doing it? Not so much! But we're here to help. Flags generally involve downloading a file and figuring out what vulnerability in the file to exploit.

Here are some common exploits:
- Buffer overflow
- Binary exploitation/Reverse Engineering
- SQL Injection
- Cross Site Scripting

Example:
Quote of the Day 1

An actual problem from last year's CTF!

Description:

A certain distinguished captain is fond of speaking words of wisdom. As such, he provides a quote-of-the-day service so his followers can be touched by his brilliance every day. Not everyone has access though; it will only let you in if you know the password!

You managed to convince a sailor to steal the qotd binary and send it to you. However, the quote in the binary is out of date. Analyze the binary, retrieve today's quote from the server, and give us its md5 hash!

ctf2.linux.ucla.edu:7001

(The binary for this question can be found at:)

Hint:

There's a very obvious segment of code in serve_request

Flag:

51de72fc70308c816406370a71e56012

Explanation:

secure_qotd is the attachment with the outdated quote.

This challenge requires reverse engineering the binary given to you. The binary is a service that listens on a port. When you connect to it (via nc or telnet), it asks for a password and dispenses a quote if you get it right. You need to figure out the password, connect to the real service running on ctf2.linux.ucla.edu:7001, and retrieve the quote on the server.

Reverse engineering may be fresh in the minds of CS 33 students. People typically approach it first by calling the readelf or strings utilities and checking if any interesting info comes up. In this case however, this approach isn't very useful.

Before diving straight into the gdb grinder though, it might be useful to take a quick look through the disassembly first:
objdump -d secure_qotd > secure_qotd.S

If you scan through the disassembly, you will find libc library functions, as well as normal-sounding functions like reap_children, serve_request, and main. In the process of skimming through it, you may also notice a big block of code inside serve_request:

400cd6: c6 45 d0 67 movb $0x67,-0x30(%rbp)
400cda: c6 45 d1 31 movb $0x31,-0x2f(%rbp)
400cde: c6 45 d2 66 movb $0x66,-0x2e(%rbp)
400ce2: c6 45 d3 66 movb $0x66,-0x2d(%rbp)
400ce6: c6 45 d4 6d movb $0x6d,-0x2c(%rbp)
400cea: c6 45 d5 65 movb $0x65,-0x2b(%rbp)
400cee: c6 45 d6 66 movb $0x66,-0x2a(%rbp)
400cf2: c6 45 d7 61 movb $0x61,-0x29(%rbp)
400cf6: c6 45 d8 62 movb $0x62,-0x28(%rbp)
400cfa: c6 45 d9 51 movb $0x51,-0x27(%rbp)
400cfe: c6 45 da 75 movb $0x75,-0x26(%rbp)
400d02: c6 45 db 30 movb $0x30,-0x25(%rbp)
400d06: c6 45 dc 74 movb $0x74,-0x24(%rbp)
400d0a: c6 45 dd 65 movb $0x65,-0x23(%rbp)
400d0e: c6 45 de 73 movb $0x73,-0x22(%rbp)
400d12: c6 45 df 21 movb $0x21,-0x21(%rbp)

If you've read the hint (or if you're just plain perceptive!), you may realize that all
of these bytes are alphanumeric ASCII characters. Looking this up in an ASCII
table, you'll find that it translates to

g1ffmefabQu0tes!
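
As an added example that is not part of the original write-up, here is a short Python script that does the ASCII lookup mechanically: it parses the objdump lines above (embedded as a constructed copy), orders the immediate stores by their stack offset, and returns every contiguous printable run. It goes slightly beyond the block above by also accepting movw/movl/movq immediates, since compilers often emit the same kind of hard-coded secret in wider stores.

```python
import re

# Constructed copy of the objdump excerpt from serve_request shown above.
DISASM = """
400cd6: c6 45 d0 67 movb $0x67,-0x30(%rbp)
400cda: c6 45 d1 31 movb $0x31,-0x2f(%rbp)
400cde: c6 45 d2 66 movb $0x66,-0x2e(%rbp)
400ce2: c6 45 d3 66 movb $0x66,-0x2d(%rbp)
400ce6: c6 45 d4 6d movb $0x6d,-0x2c(%rbp)
400cea: c6 45 d5 65 movb $0x65,-0x2b(%rbp)
400cee: c6 45 d6 66 movb $0x66,-0x2a(%rbp)
400cf2: c6 45 d7 61 movb $0x61,-0x29(%rbp)
400cf6: c6 45 d8 62 movb $0x62,-0x28(%rbp)
400cfa: c6 45 d9 51 movb $0x51,-0x27(%rbp)
400cfe: c6 45 da 75 movb $0x75,-0x26(%rbp)
400d02: c6 45 db 30 movb $0x30,-0x25(%rbp)
400d06: c6 45 dc 74 movb $0x74,-0x24(%rbp)
400d0a: c6 45 dd 65 movb $0x65,-0x23(%rbp)
400d0e: c6 45 de 73 movb $0x73,-0x22(%rbp)
400d12: c6 45 df 21 movb $0x21,-0x21(%rbp)
"""

# AT&T-syntax "mov{b,w,l,q} $imm, off(%rbp)": an immediate stored into the
# stack frame. Immediates wider than one byte are laid out little-endian.
STORE_RE = re.compile(
    r"mov([bwlq])\s+\$(0x[0-9a-f]+|\d+),\s*(-?0x[0-9a-f]+|-?\d+)\(%rbp\)"
)
WIDTH = {"b": 1, "w": 2, "l": 4, "q": 8}

def recover_stack_strings(disasm):
    """Return {lowest_rbp_offset: text} for every contiguous, printable run of
    bytes the function builds on its stack with immediate stores."""
    cells = {}  # rbp-relative offset -> byte value
    for m in STORE_RE.finditer(disasm):
        size = WIDTH[m.group(1)]
        imm = int(m.group(2), 0) & ((1 << (8 * size)) - 1)
        base = int(m.group(3), 0)
        for i, b in enumerate(imm.to_bytes(size, "little")):
            cells[base + i] = b
    runs, start = {}, None
    for off in sorted(cells):  # stitch adjacent offsets into runs
        if start is None or off != start + len(runs[start]):
            start = off
            runs[start] = bytearray()
        runs[start].append(cells[off])
    texts = ((s, b.rstrip(b"\x00").decode("latin-1")) for s, b in runs.items())
    # Keep only all-printable runs: the ones strings(1) did not see, because
    # the bytes never sit next to each other in the file, only at run time.
    return {s: t for s, t in texts if t and all(32 <= ord(c) < 127 for c in t)}
```

A secret assembled byte by byte like this never appears as a contiguous string in the file, which is exactly why readelf and strings turned up nothing earlier.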

And that is indeed the password! From the terminal:

$ echo -n "g1ffmefabQu0tes!" | nc ctf2.linux.ucla.edu 7001


Welcome to my fabulous Quote of the Day dispenser!
To receive my wisdom, please enter the password.
Password: Here's the quote of the day:
Only Eat Breakfast In the Morning

To retrieve the md5 hash of this, you can use an online tool, or simply the
md5sum utility:

$ echo -n "Only Eat Breakfast In the Morning" | md5sum -


51de72fc70308c816406370a71e56012

SQL Injection
SQL Injections generally consist of entering malicious SQL statements into web page input fields.
First things first, what is SQL? SQL, or Structured Query Language, is a programming language that deals with the storage of data in relational databases, basically storing data in tables.
Fun fact: SQL isn't case sensitive!
Common SQL commands:
Data Manipulation
- SELECT: Display/get data from a database
  SELECT <column_name> FROM <table_name>;
- UPDATE: Change existing data of a database
  UPDATE <table_name> SET <column_name> = <value>;
- DELETE: Delete rows/data from a database
  Deletes all rows: DELETE FROM <table_name>;
  Deletes rows with a condition: DELETE FROM <table_name> WHERE <column_name> = <value>;
Data Definition
- ALTER: Modify a table's definition by adding a column
  ALTER TABLE <table_name> ADD <column_name> <column_datatype>;
- DROP: Remove either a table or a database
  Table: DROP TABLE <name>;
  Database: DROP DATABASE <name>;
Aggregate Functions
- AVG: Prints the average of a column
  Eg: SELECT AVG(column) FROM table;
- SUM: Prints the sum of a column
  Eg: SELECT SUM(column) FROM table;
Operators/Keywords
- WHERE: Evaluate where a condition is true
  WHERE <column_name> = <value>
  Eg: SELECT * FROM table WHERE col1 = 4;
- AND: Same thing as && in C++, both conditions must be true
  Eg: DELETE FROM table WHERE col1 = 2 AND col2 = 4;
- OR: Same thing as || in C++, either condition must be true
  Eg: DELETE FROM table WHERE col1 = 2 OR col2 = 4;
- ORDER BY: Display rows of a table after sorting by a given column
  Eg: SELECT * FROM table ORDER BY col1 <ASC or DESC>;
- GROUP BY: Group output rows by a column's value, usually together with an aggregate function
  Eg: SELECT COUNT(*) FROM table GROUP BY column;
Cheat sheets:
http://www.cheat-sheets.org/sites/sql.su/
http://cse.unl.edu/~sscott/ShowFiles/SQL/CheatSheet/SQLCheatSheet.html
https://www.codecademy.com/articles/sql-commands?r=master
Methods generally used during SQL Injection:
- Adding SQL statements to the end of a URL:
  Eg: websitename.com/stuff.php?id=3 order by 1
- Entering SQL statements into any form on the website
  If putting single quotes in forms leads to a page saying something about a syntax error, then the website is probably vulnerable to SQL injection. So, when you approach a question involving forms, make sure to try adding single quotes to different fields.
  Eg: Putting the argument ' OR 1=1; /* in the USERNAME field and */-- in the PASSWORD field of a form
  This statement will be evaluated to this by the website:
  SELECT * FROM Users WHERE user_id='' OR 1=1; /* ' AND password= ' */--'
  Everything after the /* essentially becomes a comment, and since 1=1 always evaluates to true, you just circumvented entering a valid username and password.
  Also, remember that two dashes (--) denote a comment in SQL. It is the equivalent of // in C++.
For further reading:
https://en.wikipedia.org/wiki/SQL_injection#Technical_implementations
Check out the guides in the Resources section of the guide below to learn more about SQL Injection.
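
As an added example (not code from the original guide), here is the login query above in Python with sqlite3: the concatenated form that the ' OR 1=1; /* and */-- inputs bypass, beside a parameterized form that sends the same inputs as plain data. The Users table and its single row are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the Users table in the query above.
    (A real system would store a password hash; kept plaintext to match it.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user_id TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('captain', 'correct horse battery')")
    return conn

def login_vulnerable(conn, user, pw):
    """Builds the query by string concatenation, the shape shown above, so the
    quote, semicolon and comment markers in the input are parsed as SQL."""
    sql = f"SELECT * FROM Users WHERE user_id='{user}' AND password='{pw}'"
    return conn.execute(sql).fetchone()

def login_parameterized(conn, user, pw):
    """Same query with bound parameters: the driver passes the input as data,
    so nothing typed into the form can change the statement's structure."""
    sql = "SELECT * FROM Users WHERE user_id=? AND password=?"
    return conn.execute(sql, (user, pw)).fetchone()

def demo():
    """Run the form inputs from the guide above against both versions and
    report whether each returned a row, i.e. whether the login was granted."""
    conn = make_db()
    user, pw = "' OR 1=1; /*", "*/--"
    return {
        "vulnerable_bypassed": login_vulnerable(conn, user, pw) is not None,
        "parameterized_bypassed": login_parameterized(conn, user, pw) is not None,
        "parameterized_valid_login":
            login_parameterized(conn, "captain", "correct horse battery") is not None,
    }
```

The quick check from the text (does a stray single quote produce a syntax error?) is exactly what separates the two: the concatenated version throws on ' alone, the parameterized one just fails to match.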

Example:
https://ehsandev.com/pico2014/web_exploitation/injection_1.html

One Last Thing
CTF UCLA is meant to be a way for students of all experience levels to come together to learn about cybersecurity and compete against each other. We want you to gain exposure to a field that's usually hard to get into, and have fun while doing so!
If you hit a wall while solving a problem, or if you don't understand any concepts or exploits, ask a mentor. We're here to help nudge you in the right direction.
Sometimes, if you get stuck, it's best to take a step back and do another problem. It helps to look at a problem later with fresh eyes. Make sure you and your teammates are on the same page and consider making a game plan for what order you want to solve problems in.
Make use of the resources and guides linked below; they may come in handy.
If you have any feedback about how to make this guide more comprehensive, or if there's anything that needs to be explained more thoroughly, please let us know! We want to make learning about cybersecurity as accessible as possible.

Resources and Online Guides:
CTF Resources:
https://ctfs.github.io/resources/
CTF Field Guide:
https://trailofbits.github.io/ctf/
PicoCTF 2014 Challenge Explanation (for more examples of problems similar to the ones at CTF UCLA)
https://ehsandev.com/pico2014/index.html
Tools and Resources to Prepare for a Hacker CTF Competition or Challenge (lists commonly used software you may need)
http://resources.infosecinstitute.com/tools-of-trade-and-resources-to-prepare-in-a-hacker-ctf-competition-or-challenge/#gref
Learn X in Y Minutes (Python 3)
https://learnxinyminutes.com/docs/python3/
Reverse Engineering for Beginners
https://github.com/dennis714/RE-for-beginners
The Essential Newbie's Guide to SQL Injections
https://null-byte.wonderhowto.com/how-to/essential-newbies-guide-sql-injections-and-manipulating-data-mysql-database-0133921/
Step By Step Guide to SQL Injection
https://breakthesecurity.cysecurity.org/2010/12/hacking-website-using-sql-injection-step-by-step-guide.html
SQL Injection Tutorial for Beginners
https://blog.udemy.com/sql-injection-tutorial/
Forensics Wiki
http://forensicswiki.org/wiki/Main_Page
SecLists (a collection of lists used during security assessments)
https://github.com/danielmiessler/SecLists
Hacksplaining (lessons with exercises)
https://www.hacksplaining.com/
SQLBolt (SQL guide)
https://sqlbolt.com/
GDB Guides
https://www.tutorialspoint.com/gnu_debugger/gdb_quick_guide.htm
https://beej.us/guide/bggdb/
Linux Commands Cheat Sheet
http://www.mediacollege.com/linux/command/linux-command.html
Ryan's Tutorials
Linux: http://ryanstutorials.net/linuxtutorial/
Bash Scripting: http://ryanstutorials.net/bash-scripting-tutorial/

More practice for next year:
www.root-me.org
http://overthewire.org/wargames/
http://pwnable.kr/
http://smashthestack.org/
https://exploit-exercises.com/

Fun Articles/Blogs about Cybersecurity:
https://www.guardicore.com/2017/05/the-bondnet-army/
http://krebsonsecurity.com/
http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html
https://www.troyhunt.com
https://medium.com/@thegrugq
https://www.schneier.com/
https://blog.cryptographyengineering.com/
