While I appreciate the need to curb potential cheating, and I've participated in a few (one at my alma mater, one at DefCon, if you want to count Build It Break It Fix It, and a couple others), I really personally don't like the format of CTFs. The chaos and rush of everything just turns it into an adrenaline frenzy (and people challenging rules) and not a skills or technical analysis, and that's not as fun or skills learning to me personally. It's kind of like cosplaying Elliot from Mr. Robot or something.
But to each his own, I guess, I'm getting older I guess and the lost hair and stress from my regular blue team infosec job is starting to catch up to me. I like the format of these OverTheWire Wargames a lot since you can do them at your own pace, not that I'd likely learn much from them (hey who knows! I'll try them anyway).
I also really enjoyed the NSA's codebreaker challenges (https://nsa-codebreaker.org/challenge), they give you 6 months and just relied on the challenge being so insanely difficult that it would take a lot of technical skill to actually accomplish (though I think you have to have a .edu email to sign up). Heavily reliant on reverse engineering, memory tracing, debugger skills, disassembly, etc.
Many CTFs keep their exercises available after the competition itself. Many of them also have Dockerfiles in the downloadable part too so you can run it on your own box.
Don't forget our old pal smashthestack.org for more fun. OTW and STS IRC were the absolute places to be when the scene was still alive. RIP, scene, I never found you again and finally just gave up - you can never go back home.
I saw this while taking a smoke break in the middle of playing "Bandit." It's definitely making a lot of concepts (especially ssh/ssl usage) clearer and more intuitive through use. I look forward to playing the other games there.
I played about 3/4ths of bandit. I'm curious about your play style: do you google specifically the problem (NOT the literal bandit problem ("bandit24 solution"), but the general solution needed, i.e., "how to recursively decrypt") or do you read the man pages trying to find the solution?
It felt like I was basically decoding the problem, then turning to google for the answer, and it kind of felt like cheating. But that's also how I'd operate in the real world, so I guess it's not cheating?
I think it's designed that way, i.e. figuring out how to find solutions generally is one of the skills it's trying to build. The man pages from the "possible commands" and the linked articles generally have enough information to get me through, and if not, they have enough to put my research in the right direction. The fringe benefit is time spent running down the wrong path actually results in me learning other useful, related things.
I put it down and come back to it, too. Each time I start from the beginning, and more bits are just in memory, and looking up specific commands is more about remembering the options than trying to figure out how to do it. When I first started playing, google was my main source but I've started turning to the man pages first, because it ends up being less effort digesting that than reading through a bunch of fluff to get to my specific use case.
It's probably also worth noting how old a lot of these games are. Bandit, for example, looks like it was released in '12. Back then, I imagine there weren't straight-up solutions plastered in every direction you looked.
As an industry junior now, I get asked all the time on how to get started. Out of desire to not give a gatekeeping response, I can only shrug and point people to OTW-Bandit/picoCTF and tell them to try to do what they can on their own but Google every answer if they have to. Everybody's got to start somewhere [e: snip].
I'll freely offer kudos to anyone with zero knowledge who even manages to go through a handful of exercises while looking up every answer if they otherwise would have not done anything hands-on at all.
I should probably tweak my response a bit by adding a standing offer of approachability if they actually give it a shot and get stuck on those particular CTFs I suggest to them.
Oh, and yes, I have encountered many a CTF problem with very poor problem descriptions. I often don't feel bad about searching around deeply in those cases, if it's not a live competition.
It's not too difficult to just ignore all search results that reference "bandit" or "overthewire", and thus have an identical experience to before. I suspect there were places on the internet in 2012 where people discussed and disseminated bash tips and tricks.
Reading the title and before I saw the link, I thought this was referring to games like Armored Brigade or Red Dragon (always be reconning, find a weakness to exploit, execute, or conversely stop enemy recon and conceal your weaknesses). Both kinds of wargame require a similar process to be successful, even though OTW's wargames are more relevant to computer security (and a great place for beginners to start! Highly recommended).
They're really fun – thanks for sharing the names of some others.
Although I'm not "new" I hadn't encountered OverTheWire before. The first one is indeed a gentle introduction, but I think the difficulty does then increase. I got through all of leviathan using radare2 (which, frankly, I feel like I am still scratching the surface of) and reading the passwords out of registers. After finishing it, I googled for others' solutions, and found very creative -- and totally different -- solutions to the same puzzles, almost none of which involved something like gdb or r2 at all.
They very much feel like the traditional "book of Christmas puzzles", but for the HN audience that likes solving them interactively.
Well, the ones I named are more "wargames" in the traditional sense: tanks and planes and stuff. But as I mentioned, the principles of reconnaissance and exploiting weaknesses are the same, which is interesting.
For more computer-oriented wargames, I really enjoyed what I've done of Microcorruption (if you're into radare2 sort of stuff) and WeChall is a challenge site tracker that has links to many other similar games as well as being a scoreboard where you can track your progress on all participating sites.
Or if you like competition, CTFtime.org is a live calendar of many computer security capture-the-flag competitions you can join. If you're interested in that but want to join a team, OpenToAll is a team that welcomes anyone to join and talk about challenges.
The actual term of war gaming dates back to the 19th century, where generals would simulate battles or campaigns to practice and determine the viability of strategies. Modern militaries will conduct war games (distinct from military exercises, though sometimes both are done together) involving dozens of people on each side. I actually think that would be pretty cool to try and implement for cybersecurity, having multiple people working together as an APT group, or a security operations team. Especially if you have both sides competing against each other. I imagine that would be really difficult to implement, making it realistic while not having it take months to play.
"Megagames combine the physical mechanics of board games with the fluid emergent gameplay of role‐playing games at large player counts (40‐80 players). Players are encouraged to be creative but must act within the existing game mechanics and established setting. Megagames range in time length, ranging from two hours to entire weekends. A team of moderators (Control) coordinate the game, adjudicate rules, and make sure players have the best experience possible!"
Another semi-professional ("Professional games" being run by the DoD or various militaries for training or analysis.) option is the National Security Decision Making Game (https://paxsims.wordpress.com/2011/05/20/the-national-securi...). Pre-COVID, they ran a pandemic game several times that was at least somewhat prescient.
Oh, and I'd be remiss to not mention the Connections group of conferences (One or more on every continent except Antarctica, I think.) (https://connections-wargaming.com/) They have discussions primarily of professional games, but topics like megagaming, cybersecurity, and the NSDMG are common---it's open to anyone who wants to take gaming seriously. There will be a (free!) Connections Online in Summer 2022; strongly recommended.
I remember coming across these a few years ago, and the recommended starting game Bandit was way out of my depth.
Now, several years later, I was able to blaze through Bandit in no time at all! And, learn some really cool and nifty tricks and techniques I had only read of/seen in passing previously :D
Excited to tackle the next one.
EDIT: It was also pretty fun to come across artifacts of other players when working in /tmp/ :-)
Interesting. After some initial trepidation (because hey I don't know what a sophisticated malefactor could do to me through my terminal program!) I connected and started playing. I have to admit it's a little thrilling to connect to a strange ssh server. It is clearly a strange environment - it looks like users are differentiated by password rather than username, which is quite odd. A clever if confusing convention for a game that presumably wants to teach you sk1llz0rs. Based on the instructions, it looks like it's just a normal VPS running somewhere.
I would personally love to know more about how you secure a host for this kind of use! Of course this seems very low stakes so maybe if your ISP notices a problem you just nuke the instance and provision another one? This would explain why they only allow you to write into /tmp which probably isn't even near persistent.
I've gone through a few of these a couple years ago and it was FANTASTIC. I've always been interested in black hat stuff but never even really took a glance at all. Bandit was a ton of fun and I made it most of the way through natas and learned a bunch there too. Highly recommend.
I’m assuming it’s referring to the movie by the same name that released in the early 80s about hacking and thwarting an AI that’s trying to start a nuclear war with Russia.
If you liked that, check out https://ctftime.org and writeups from the top events (Google CTF, hxpctf, PlaidCTF are some examples).