Introduction

Flag

A flag is a specially formatted string that the player submits to the CTF platform to show that the challenge has been solved.

A flag can be in a format like flag{example}, or it can be a direct answer such as:

  • IP Address

  • MD5 hash

  • Anything

Stages in iHack 2024

There will be 3 stages:

  1. Stage 1 - Jeopardy

  2. Stage 2 - Attack and Defense

  3. Stage 3 - Jeopardy Time-Based Attack

How to play?

  1. A team consists of 3 people

  2. Play with strategy

  3. Laptop with a good speed (For VM)

  4. Be comfortable using Windows and Linux - Linux has a lot of useful security tools

  5. Good foundation knowledge of security, OS, programming and networking.

  6. Solve the challenges and submit the flag

OS

  • Linux for sure

  • A lot of CTF tools come pre-installed in Linux

  • We used both Kali Linux and Windows

  • Some tools are easier to use in a Windows environment and some are not.

  • Use a VM or bash for Windows

  • Suggestions: Kali Linux, REMnux, FLARE VM

Jeopardy

You will be given a few categories of challenges. Solve the cybersecurity challenges and find the flag. The team with the most points will win.

Strategy

  1. Focus on solving challenges that you find easy first.

    • Solve the easy ones first, for the sake of momentum, motivation and brain processing.

  2. Distribute the challenges among your team members. Dedicate a person in the team to a specific category based on their interests and skills.

  3. Dedicate yourself to a challenge until you feel exhausted.

  4. Assign a dedicated person to solve challenges within a specific category.

Categories in Jeopardy

  1. Digital Forensics = Analyze artifacts

  2. Reverse Engineering = Reverse the given program/file and find the flag

  3. Malware Analysis = Analyze malware and find the flag

  4. Web = Hack the web system and solve the challenge

  5. Pwn = Reverse the given program first, and try to exploit the program to get the flag/shell

  6. Boot2root = Hack the box that contains several services/ports such as Web, SSH, etc. Get the USER privilege and ROOT privilege

Attack and Defense

You will be given an IP address with several vulnerable services and ports, similar to the other team's setup. Your objectives are:

  1. Defend your services from being hacked or exploited by the other team.

  2. Attack the other team's IP services and ports to capture the flag.

  3. Do not disable your services to prevent exploitation, as doing so will result in penalties for your team.

The services might be:

  • Vulnerable website (Web Pentest)

  • Vulnerable running binary (ELF Pwn)

  • Vulnerable outdated application (Public exploit)

General Strategy

  1. Defend Yourself First: Apply patches to your services.

  2. Identify and Exploit Vulnerabilities: Once you identify the vulnerable code or points, use your knowledge of the exploit to attack the other team.

Strategy to Defend

  1. Scan Your IP: Identify which services are running.

  2. Gain Access: Without credentials or direct access to patch the services, exploit your own services to gain shell access.

  3. Identify Vulnerabilities: After gaining shell or backdoor access to your system, locate the vulnerable points.

  4. Patch Vulnerabilities: Patch the vulnerable code to defend against attacks from the other team.
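
Added example, not part of the original page: a check a defending team can run against its own host before and after patching, to confirm that every service found in the first scan still accepts connections, since disabling a service is penalised. The function names, the localhost address and the demo listeners are assumptions made for illustration.

```python
import socket
from contextlib import closing


def open_ports(host, ports, timeout=0.5):
    """Return the set of `ports` on `host` that accept a TCP connection."""
    found = set()
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means the connect succeeded
                found.add(port)
    return found


def compare(baseline, current):
    """Diff two scans of your own host (before and after patching)."""
    return {
        # Was up, is down now: the patch broke or disabled a service.
        "missing": sorted(baseline - current),
        # Was not listening before: an unexpected listener to investigate.
        "new": sorted(current - baseline),
    }


def start_listener():
    """Demo helper: a local TCP listener standing in for one team service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    srv.listen()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo on localhost; in a game, use your own team IP and ports.
    web, web_port = start_listener()
    pwn, pwn_port = start_listener()
    ports = [web_port, pwn_port]
    before = open_ports("127.0.0.1", ports)
    pwn.close()  # simulate a patch that accidentally takes a service down
    after = open_ports("127.0.0.1", ports)
    print(compare(before, after))
```

Take the baseline right after the first scan of your own IP, then rerun the comparison after every patch.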

Strategy to Attack

  1. Leverage Previous Knowledge: Use your experience in finding, attacking, and patching your own services to exploit the other team's vulnerabilities.

  2. Target Unpatched Systems: Focus on teams that have not patched their systems.

  3. Use the given API to automate attacks: more flags!

Jeopardy Time-Based

Within a given time frame, all teams will be presented with the same challenge and have the same amount of time to solve it. When time is up, the challenge will change to another question. The first team to solve each challenge will earn points. The team with the most points will win.

Teamwork is crucial during this time. All team members should be dedicated to solving the same question. There is a high possibility of encountering IoT challenges, and web challenges might also be included.

Tips before the game

  • Prepare your tools and cheat sheet

  • Do not study hard the day before the CTF.

  • Sometimes, when your brain is overloaded, you will go blank during the game.

  • Just relax and stay calm.

Tips during the game

  • Refer to your cheat sheets.

  • If you don't know how to approach a challenge, ask Google and ChatGPT.

  • If you're stuck, free your mind by resting. Take a walk, eat your lunch, perform solat and come back later.
