The Gamification of Hacking and InfoSec - How and Why to Start "Capture the Flag" (CTF) Right Now!
This year is weird. This pandemic has turned everything upside down for most of us, including myself. I’m tired of hearing about the negative; instead, I’m going to focus on how infosec professionals and enthusiasts such as myself can turn this into a positive and potentially change your life for the better (which is exactly what recently happened to me). If you missed my previous (and first ever) post, I am a 26-year-old cybersecurity consultant, and gamification is a topic that I like to explore as a gamer. Recently, capture the flag (CTF) websites and competitions have become my latest obsession. If you're in the infosec field and not familiar with CTF, I want to explain why you need to familiarize yourself, and why now is a better time than ever to get started. The knowledge and experience that CTF provides is essential for everyone in the field of security. This article is aimed at those entry-level script kiddies that want to start hacking but don't know where to start. Whether you're a professional in security, or a college student with an interest in the security side of IT, you can benefit immensely by learning about CTF. I will begin with my story, and then I will tell you everything you need to know to get started with CTF at home on your PC. Below you will find everything from courses, videos, and websites to my preferred learning resources.
If you're a passionate security professional, I'm sure you're familiar with the constant, never-ending hunt for that rush of dopamine - whether it be smashing threats or exploiting vulnerabilities at work (depending on your role). As security-minded individuals, we get our pleasure from achieving, learning, improving, and polishing our knowledge database. There's no ceiling to what we can learn and achieve, and there is no end to that hunt for dopamine; that's the beauty of this industry and why I'm so passionate. There is no end to learning, and the challenges are rewarding. In addition to security, I chase that sweet, sweet rush through weightlifting, drumming, racing, and most importantly for now, gaming. I've found that if whatever job I'm working does not initiate the same reward response in my brain that gaming initiates, I tend to lose interest very quickly. Gamification of infosec allows all of us to hone our skills, learn anything, and have fun while doing so, all for that very reason - "tangible" achievements that we have to show for our work.
Back to the pandemic - I've been working as an analyst on a contract for KCS. My agency's office completely shut down, and we were assigned a strange remote role of 12 noon to 6pm. Every gym in my reach shut down, even my apartment's gym. Suddenly, I had much more time to spend on myself. With the lack of endorphins from the gym, and with very slow days at work, I was craving achievement. Games alone just didn't do the trick, and it felt like a waste of time. I got bored very quickly. Even keeping up with security news, working on my car, and talking with friends, I felt stagnant, until I remembered the CEH (Certified Ethical Hacker certification by EC-Council) that I obtained recently. I had a desire last year to pivot into penetration testing, and I maintained that desire, but I was no longer actively studying this side of security since I obtained my CEH. I determined that this is why I felt stagnant - there was a strange, massive void beginning to grow that I was desperate to fill with something productive, especially with the extra time I had on my hands, so I quickly began to explore the field of pen testing more, while talking to coworkers and friends in the industry. And eventually, one day, my magical YouTube algorithm graciously filled that void with a video that explained to me the world of online CTF communities and hacking from home (ethically, of course). I was taught that you can conduct mock penetration testing engagements for points, rankings, respect, and badges! It's the perfect combination of my passions for both gaming and information security - it's offensive security with tangible achievements - my brain lit up like a battlefield with dopamine, serotonin, endorphins, oxytocin, everything I had been missing since the beginning of the COVID-19 pandemic - I had found my next calling: "That's it! This is what I've been looking for - I can master the methodology of penetration testing before I even land my first junior position! I can hack ethically for fun! I can climb leaderboards, and rank up! I can join this community of penetration testers and one day, I'll be among the best!"
So, what exactly is "CTF" and how does it work? CTF (capture the flag) websites are simply web apps that provide virtual networks of machines that you can connect to, and hack, for free, and with full permission of the owners of the machines. The machines (sometimes known as "boxes") are literally virtual machines (VMs) that can host anything from Windows 10 to a basic Unix OS. The "flag" you must capture is simply a string of complex characters that you must obtain from different levels of access to each respective machine. There is typically a "user" flag that you can retrieve and submit after compromising a user on the machine, and a "root" flag that you can obtain only after achieving administrative access over the entire virtual machine (also known as "rooting" or "pwning" a machine/box). Additionally, these virtual machines have different levels of difficulty; some can be exploited in minutes using a commonly known vulnerability, and some require specific technical knowledge that challenges even the most senior of penetration testers. Regardless, they're all generally similar in that you must 1) connect to the VM network (usually with OpenVPN) and 2) perform recon, enumerate, scan, gain access, escalate privileges, and root the box. The main difference between CTF websites is the delivery of content and the rules. The two main CTF websites I will introduce to you are HackTheBox.eu and TryHackMe.com, because I have learned an unbelievable amount from each website regarding penetration testing methodologies and how to compromise security by thinking like an adversary.
HackTheBox.eu is an online penetration testing platform that utilizes gamification to encourage users to hack new machines as soon as possible. At any given time, there are "active" machines and "retired" machines. The rules are simple: nobody is allowed to post write-ups of active machines, or tell other users how to solve them in the forums. However, once a machine is retired, subscribers can follow walkthroughs and write-ups in order to root the machine. (For the best video walkthroughs of retired HTB machines, and to get a better idea of what CTF looks like in action, check out IppSec on YouTube.) The downside is that you do not level up for rooting retired machines. For this reason, Hack The Box is definitely one of the more advanced platforms in terms of difficulty, but a wonderful place for any penetration tester to hone their skills and learn new exploits.
Hack The Box doesn't stop there - there are separate challenges available that are essentially mini-CTF games focusing on specific areas of knowledge. These include crypto (cryptography challenges), reversing (reverse-engineering challenges), OSINT (open source intelligence) challenges, and much more. There are also tournaments and Pro Labs for more advanced users, but I haven't quite checked them out yet.
Hack The Box excels in acting as a real-life pen testing engagement. The easiest machines are now retired, and you'll have to pay to access these, but they are absolutely incredible for learning the basics such as exploiting outdated Apache web apps, basic privilege escalation, EternalBlue, and so much more. For active machines, there are always a wide range of difficulties available, and Hack The Box does a great job of keeping solutions/flags off of Google/out of their forums, thus making sure there is always a learning opportunity for hackers of all skill levels, as well as an opportunity to climb the leaderboards.
There are two more things worth noting about Hack The Box. First, nobody can just create an account; you have to "hack" your way in, and it's a really clever way of making the community feel exclusive. Secondly, there are job postings on Hack The Box that are available nowhere else, just in case you didn't understand the real-life impact of beating these pen testing challenges. It is common for penetration testers to include their profiles in resumes, so keep that in mind while you're having fun solving challenges and hacking boxes! It is a very rewarding experience to hack a machine as a result, and I recommend you get started now if you desire a future in penetration testing. After all, you likely have more time for this sort of thing during the pandemic, and employers WILL ask what you did with the extra time while at home. This will set you apart.
TryHackMe.com is the other option I wanted to introduce; TryHackMe is both a "CTF" platform and a learning platform, unlike HackTheBox. While you can deploy machines, connect to their network, and capture the flag (among other challenges), TryHackMe is different in that it offers a massive number of walkthroughs that utilize virtual machines and hands-on learning experiences to teach you the basics of hacking, cybersecurity, scripting, and more. Whereas newcomers may feel a bit lost and overwhelmed with HackTheBox, TryHackMe will walk you through absolutely all of the basics, from Linux fundamentals to buffer overflow challenges. In my opinion, this is the best CTF/cybersecurity online learning platform you can possibly subscribe to. While many of their "rooms" are free, you will have to pay a small subscription fee for other rooms (which is inexpensive and absolutely worth it). "Rooms" is simply the term TryHackMe uses to describe pages where you can deploy machines and learn a specific topic. For example, a "room" could be dedicated to teaching you Burp Suite, and once you complete all challenges within the room, you are awarded a badge for your public profile. Much like HackTheBox, there are ranks and leaderboards tied to this profile which, along with badges, make a great addition to your resume/job application.
Personally, if I were talking to a complete beginner in security (regardless of their role), I would recommend TryHackMe. As a security professional with an M.S. in cybersecurity, I believe this website teaches cybersecurity better than most universities. In fact, I believe this should be standard curriculum for anyone learning security. The learning is hands-on and requires research, but the platform also provides you with forums, Discord channels, and more, just in case you get totally lost. And the ones teaching are not professors - these are expert programmers, penetration testers, and specialists in their fields. TryHackMe's strongest feature, in my opinion, is the Learning Paths, which walk you through a carefully curated selection of rooms to teach you fundamental knowledge. For example, there is a learning path called "Complete Beginner" which will ensure you have the basic knowledge required for penetration testing. However, there is also an OSCP (Offensive Security Certified Professional) path to ready you for perhaps the most respected certification in penetration testing. TryHackMe is truly an incredibly underrated platform that you must check out NOW, whether you study security or are already a professional that's serious about honing your skills. And with the extra time most of us have during this pandemic, what better time to start than now??? As someone very wise once told me (and what I attempt to live by): "9 to 5 pay the bills, 6 to 12 build your skills."
My next goal, while continuing to train every single day, is to achieve my OSCP certification, in addition to a junior penetration testing position. By leveraging the above platforms to my advantage, along with on-the-job experience, I believe I should have this certification by 2021, and I believe anyone can achieve that same exact goal with these platforms and resources. Speaking of IT certifications, I understand this can be a very confusing and sprawling world for the beginner - some people will tell you to get the "trio" of CompTIA's Plus certifications (A+, Network+, Security+), some will tell you to only focus on your specialty, and some ignore certifications altogether. I plan to discuss navigating the world of IT certifications (for beginners) in my next blog, as this is a question I hear quite often.
Before I wrap this up, I want to list a few resources that I believe are invaluable. If you're considering a career in penetration testing, you should get used to the process of continual learning. While you shouldn't spend all of your free time honing your skills, it is definitely necessary to sharpen that blade from time to time. Below are links to Udemy courses, Youtube channels, blogs, and more that I believe can give you a good start. If you have any questions or want some personal advice, feel free to reach out. Thanks for reading and I hope this helps point someone in the right direction. Don't give up, and continue to work on yourself and your goals.
Udemy - TCM Security (invaluable hacking courses)
IppSec's YouTube Channel (an expert pen tester walks you through CTFs)
Learn Python3 The Hard Way - Zed Shaw (just learn it. You will thank me later)
Null Byte - Hacker How-To Resource (very helpful for understanding concepts)
Krebs on Security Blog (incredible security blog)
Google.com (Google is now your best friend. Learn how to use it)