READ & WRITE "REVIEW OF WIKI ARTICLE - Capture The Flag 101"

 Capture The Flag 101 Review 

The overall explanation of what CTF is was presented in a simple order. I liked that they also mentioned the types of competition: the attack-defense type and the question-based type.

They also say that it is easy to join such competitions, but they didn't mention that the attack-defense type is much harder to join than question-based CTFs. You should: 1) Find such a competition: they are usually hosted by some organization at a specific time with specific requirements; 2) Be ready for the fact that attack-defense, depending of course on the side, is highly different from a question-based competition.

Another thing to mention is that they provide screenshots of completed question-based CTFs, and I was amazed that they did the same CTFs as I did, but in a different way. If I'm not mistaken, it was on the CTFLearn site.


I got the same flag in a different way: instead of writing an SQL injection, I used a script called sqlmap, pre-installed on Kali Linux, which gave me access to their database and table, and then I extracted the same key.

They also mentioned, overall, different sub-types of challenges, like binary analysis, pwn, and web manipulation, which are pretty common and should be learned by beginners in this field.

I hope they really solved them by themselves instead of googling solutions. 

In addition to their examples, it would be good to mention how CTFs are similar to real-life examples.

Because in the case of question-based CTFs you know that there is some kind of hole; you just have to find it. In the real world, you don't even know whether there is a hole or not, and you have to use not only your skills as a pen tester but also intuition to find the right key to the solution.

Also, it would be good to explain, for each type of "attack", how to find out that it is this attack and how to pick the right type of attack that will work.

As with XSS attacks, I would probably mention the PHP reverse shell, which is pretty similar to an XSS attack, which can give you different access to holes on a server, and a different way of using such an attack.

For example, if a web application has some kind of file upload field that does not process the MIME type of the file and doesn't look at its metadata, then you can upload your PHP reverse shell, find where that file is stored, and access it.

Also, if the application has a control panel, you may also find a way to exploit it and then upload your malicious file to get access to the server.
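The upload checks whose absence is described above, seen from the server side. This is an added example, not code from the reviewed wiki article or from this post; `validate_upload`, `check` and the sample uploads are hypothetical names and constructed data.

```python
import os
import secrets

# Allowlist: canonical extension -> magic bytes the content must start with.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}

class UploadRejected(ValueError):
    """Raised when an upload fails validation."""

def validate_upload(client_name: str, data: bytes) -> str:
    """Return a random server-side name, or raise UploadRejected."""
    # The client's Content-Type header is deliberately not an input: the
    # sender controls it, so it proves nothing about the bytes.
    base = os.path.basename(client_name.replace("\\", "/")).lower()
    stem, ext = os.path.splitext(base)
    if ext not in MAGIC:
        raise UploadRejected("extension not on the allowlist")
    if "." in stem:  # e.g. name.php.png, which some server configs execute
        raise UploadRejected("more than one extension")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match the extension")
    if b"<?php" in data.lower():  # heuristic: script tag hidden in metadata
        raise UploadRejected("script marker inside the file")
    # Never reuse the client's name; store the result outside the web root.
    return secrets.token_hex(16) + ext

def check(client_name: str, data: bytes) -> str:
    """Return 'accepted' or the rejection reason for one upload."""
    try:
        validate_upload(client_name, data)
        return "accepted"
    except UploadRejected as exc:
        return str(exc)

# Constructed sample uploads (the script body is a harmless placeholder).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT = b"<?php /* placeholder */ ?>"
SAMPLES = {
    "avatar.png": PNG,
    "page.php": SCRIPT,
    "page.png": SCRIPT,
    "page.php.png": PNG,
    "comment.png": PNG + b"tEXt" + SCRIPT,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14} {check(name, blob)}")
```

Only the first sample is accepted. The marker scan is a heuristic; re-encoding images on the server and serving the upload directory with script execution disabled close the same gap more reliably.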

In conclusion, I would like to say that it would be great to provide links to different CTF sources, like they did in the footer of the page, with the material sources.

Link to my colleague's wiki article - Link


From my side, some good CTF links:




