Leveling Up Your Cyber Skills – A Guide To Capture The Flag (Part 4)
Hosting a CTF: Part 4 – How to Create “Find the Flag” Content for Jeopardy-Style CTF Event
Now that you have some tips on creating solid content, let’s work through an example of creating a challenge together.
You have an idea for a basic cryptography challenge where you will display hex data to a user and say, “find the flag,” and they’ll simply have to convert the hex to ASCII. This is a good, simple challenge, since many harder challenges hide flags in files as hex, so knowing how to convert hex to ASCII or how to quickly recognize hex that is encoding alphanumeric characters.
First, we have to create a flag to encode. We will use flag:X as our format. We let our brains go wild and choose flag:Playtomil (I like fake words that are pronounceable and memorable—some people use UUIDs or phrases.).
An easy way to convert that to hex is via an ASCII-to-hex converter. I often use RapidTables (https://www.rapidtables.com/convert/number/ascii-to-hex.html). The conversion yields 666c61673a506c6179746f6d696c.
Now, you have to decide if you want to make your challenge simple by saying, “Decode this to find the flag: 666c61673a506c6179746f6d696c,” or if you want to come up with a scenario simply for this question, such as the following:
Johnny, the coder in the office next to you recently left your company but failed to commit his latest update to the project you’re working on before he left. You need that update to meet your delivery date tomorrow. Luckily, it’s stored on his laptop, so you easily should be able to get it. Unluckily, he properly encrypted his hard drive, so you’ll need to recover the passwords first to boot it up and get the code. You found a sticky note under his desk that you think might be the encoded password. It reads ‘666c61673a506c6179746f6d696c.’ Try to decode and find the password so you can meet your delivery date.
If you’re trying to theme or create a scenario for the entire CTF, you’ll want to theme questions accordingly.
Let’s do one more example. We want to hide a flag in an image, for which we’ll provide the wrong extension and mangle the first couple bytes of the file (requiring them to fix the first couple bytes to open the image and view the flag).
First, we have to come up with the flag to hide. We’ll go with flag:wonderfullynumb.
Next, we’ll start with an existing image and simply paste the text on it. Pixabay is a good place to get free images you can use for whatever you want. I’ll also just use random pictures I have sitting on my hard drive of my camera, like a picture I have of one of the CTFs we did at the Georgia Cyber Center in August. Download the image and open it in your favorite image editor (I recommend Gimp). Then, in a font color that clearly stands out from the image, add “flag:wonderfullynumb” to the image and save it, let’s say as a .jpg.
Now change the file extension to .exe, just to confuse folks.
Next, edit the file in your favorite hex editor (I love Hexer, but there are many options). Let’s zero out the first 4 bytes of the file, which will leave the familiar “JFIF” that people can google to discover it’s a .jpg file, but will prevent the file from opening without fixing the bytes we changed first.
Now you can create a fun question for the challenge, or just go with the basic “Find the flag in this file.”
Note that both of these are effectively “find the flag” questions. In the next post, we’ll go over how to create more detailed content to answer questions that won’t result in flag:ABCD answers.