CTF: Methodology


Learn the hacking process at https://shabbyporpoise.com

Going into a competition requires bringing in your list of tools you like to use and are comfortable with.  In addition to your tangible tools you need to have a solid process (methodology).

This post is going g to highlight a process that you can use.  Like any process this would be a framework for you to build on.  Maybe aspects of the process don't work perfectly for you, that's just fine. Tweak this process so that it works for you.

Generally, you are going to follow the standard Pen Test process.

0.Pre Pent Test (In red because the stage has already been set, you are exploiting vulnerabilities.  There may be a scope that is told at the beginning of the engagement [CTF Event])

1.Passive Info Gathering

-During the passive stage you haven't actually started interacting with the machine.  However this phase does belong here as some machines will be hosting websites.  In this case visiting a website is not considered "Active" because if this were the real world thousands of people could be visiting a website.

-You are "gleaning" valuable information that provides clues to what your target may have as a vulnerability

-Things to do during this phase: Analyzing source code of site, checking to see if forms are vulnerable to SQL, look at how POSTS and GETS are handled, use Wireshark and analyze traffic to the site.

2.Active Info Gathering

- Active means that you are actually interacting with a target.  In a CTF scenario quite often you will actually start here.  You will be given a machine (IP address) and told to "START!".

-If you are getting going on the Active phase, then you are likely going to start with a port scan.  A port scan will tell you which ports are facing you and what their state is.  Knowing the state/port/service that you are able to access is the beginning of exploring vulnerabilities that you can utilize.  Before you engage in a CTF event it is recommended that you have solid concept of port scanning.  Nmap is crazy powerful and has A LOT of features you can use to aide you in your quest for the flag.


-At this point we have found the machine's vulnerability and we are ready to exploit that vulnerability.

-You may have used nmap to determine the vulnerability or a plethora of other tools, it's during this phase that we actually gain a foothold in the machine.  Keep in mind your foothold is not always going to be a full shell.  Your task as the player is to either use that current level to acquire the information you need or to escalate your privileges so that you can accomplish your mission.

-Keep watching apt-secure.ca for more articles on Exploitation techniques

4.Post Exploitation

-You have gained a foothold and now you are transferring files, escalating privileges, planting a backdoor, for the most part however you have likely found the flag by this point.

5.Cover your tracks (This one is in red because typically once you have found the flag you are good-to-go and collect your points.  Maybe your CTF will be different)

Popular Posts