Shulou(Shulou.com)05/31 Report--

Editor to share with you what CTF types are, I believe most people do not know much about it, so share this article for your reference, I hope you can learn a lot after reading this article, let's go to know it!

CTF classification

CTF is divided into two factions: offensive and defensive mode and problem-solving mode.

Offensive and defensive mode

In this type of CTF, the contestants are divided into two teams, each assigned a computing environment-perhaps just a server. The two teams have the same task: attack each other's systems and defend their own systems. Each side of the system contains some informational flags for attackers to find and seize. This is the origin of the name "Flag Competition".

In attack and defense mode, defenders need to do their best to protect their servers: fix all software vulnerabilities, even those that are unclear; firewalls only allow access to necessary services; ensure that all passwords are strong passwords and accounts have only the necessary minimum permissions.

As for the attacker, it is necessary to use penetration technology to gain access to the defensive server. Admittedly, if the attacker can get root privileges, the competition will end quickly, but depending on the applications and services involved, a more limited attack will suffice.

Problem-solving mode

In the problem-solving tournament mode, several teams compete to solve the problem of different scores on the problem board. The team that solves the problem and finds the flag can submit it to the scoring system, get the corresponding score, and move on to the next problem. At the end of the clock, the team with the highest score wins.

Because it is easy to organize and manage, the problem-solving mode CTF is far more popular than the offensive and defensive mode.

Mountain king model

In Mountain King mode, each team strives to seize and retain control of the server. At the end of the clock, the team with the longest control of the server wins. This mode is a variant of attack and defense CTF.

Several models have their own advantages. The problem-solving model is conducive to the construction of problem-solving technology set, and the mountain king model CTF is a good training ground for event response, planning and collaboration. In short, any type of training can be beneficial as long as it can get security personnel out of their comfort zone.

Where can I find the CTF competition?

Open competitions have been held all over the world. One of the main venues of such events is on the CTFtime website. Most of the activities are problem-solving mode. For example, of the 152 activities in 2018, only 16 are offensive and defensive mode, while the vast majority of 135 activities are problem-solving mode.

If CTFtime is the ESPN of CTF, then the Super Bowl of CTF should be the annual hacker event held by DefCon-- in Las Vegas. The CTF winner of the 26th DefCon in 2018 is the DEFKOR00T team. All past records and complete data of DefCon CTF are kept on their servers. Another famous CTF was born with the annual NorthSec Safety Conference, held in Montreal.

There is always a place for conferences like DefCon, but most CTF are online. The National Network Alliance (NCL) organizes CTF, a problem-solving model for high school and college students, with a clear season and schedule.

Most competitions on CTFTime are organized by small groups of security enthusiasts, but there are exceptions. Trend Technology's CTF 2018 was witnessed at the end of 2018, and the final was held in Tokyo, including the Mountain King model competition. On the other hand, on April 20, 2019, the computer Security Club of Thomas Jefferson High School of Technology will hold a six-day competition in Fairfax, Virginia. Yes, this is indeed a high school CTF. The US Air Force holds online Patriot (CyberPatriot) competitions for middle and high school students.

CTF at mainstream security conferences like DefCon is really eye-catching, so many enterprises have launched their own CTF projects. This kind of activity is a good way to learn, and it also allows security personnel to switch from the trivial daily safety work of the enterprise, change their brains, and fill up their body and mind.

Build your own CTF

How to organize your own CTF? As an enterprise, you may be disappointed by your findings, who are used to improving and supporting professional products. There are not many off-the-shelf CTF for you to choose from, but you can gather countless details and organize them into your own unique and challenging competition.

Perhaps the closest thing to the CTF shooting range is the OWASP Juice Shop (Open Web Application Security Program Juice Store project). OWASP is a security expert organization that designs tools and guidelines to help developers and other IT people build secure applications.

Juice Shop is a fictional online store that sells fruit juices, T-shirts and other things. Don't worry about the details. You just need to know that the site is full of known vulnerabilities. The site is customizable, and you can change the brand logo or change the product to what you want. OWASP's Juice Shop comes in many forms, including a Docker image that runs on a single server instance.

Juice Shop also contains the scoreboard and account management functions needed to host competitions.

CTF framework

Some CTF frameworks are quite popular, while others are slightly unknown. CTFd is a CTF platform widely used by security providers, large-scale and hacker organizations. It contains scoreboards and other infrastructure for the competition. You only need to add actual questions and corresponding scores for users to earn.

Other mainstream frameworks include:

Facebook CTF framework

ICTF, computer Security Lab, University of California, Santa Barbara

HackTheArch

Mellivora

NightShade

LibreCTF

PicoCTF

CTF tool

Google has held some major CTF, although it has not released its entire framework, but the scoreboard code and most of the competition questions have already been released.

The list of useful tools is long, and here are just a few examples:

1. Security scenario Generator (SecGen): generates semi-random virtual machines with vulnerabilities.

2. Mkctf: create challenge topics in a predefined format that can be entered into the framework.

3. DVWA: an open source PHP/MySQL web application used to show known and unknown vulnerabilities. Users can select vulnerabilities (such as SQL injection) and activate them with UI. DVWA doesn't have an interesting front end like Juice Shop, but sometimes simplicity is the best.

The above is all the content of this article "what are the CTF types?" Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.