10 Tips for Capture The Flags

Here are 10 tips and best practices that I've picked up along the way from completing Try Hack Me rooms, and things I've found that make my life a bit easier!

These are all my own and aren't in any particular order, otherwise Tilix would probably be number 1!!

I hope these help you.

1 – Kali Environment

You have a lot of choices for this: should you use VirtualBox, a live image, a dual boot, or Try Hack Me's virtual machine through their website?

For me personally, even as a Try Hack Me subscriber, I use a live USB with encrypted persistence. The USB drive I use is a SanDisk Ultra Fit 64GB. It's USB 3.0, it's fast and it's not expensive (currently £9 on Amazon).

The reason I went for a live environment is that I can store data in it encrypted, it has persistence, and I can use it on any machine just by booting from it.

2 – Keeping Folders

During the Try Hack Me challenges (and any CTF), if you're completing multiple challenges you will end up transferring a lot of files from different deployed machines. It really helps to keep these organised, as user.txt and root.txt are common filenames in these challenges and are easy to mix up between boxes. I keep everything under my try folder and then have folders with quick names so that I know which challenge each one was for. Trust me, this really helps.

(Screenshot: the file structure I use for taking notes)

3 – Take Notes!

When you're doing the challenges, notes will help. I usually take the original IP given, the original brief and what I'm looking for, so I don't have to keep referring back to the Try Hack Me page, and then anything I learn on the way. It helps keep you focused, and when you run into more difficult challenges it helps you work through what you've tried. Below is a really simple example of the type of notes I take. I also use the note editor Atom, as this can be really useful if you paste in any code snippets.

(Screenshot: an example of note taking for capture the flags and pentesting)

On Nmap, don't forget to export your results using something similar to the below. -oN is the option for normal (human-readable) output, followed by the output folder and filename. Note that Nmap will not create the folder for you, so make sure ./nmap exists first.

nmap -oN ./nmap/initial <target-ip>
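As an added example that pulls tips 2 and 3 together (my own scaffold script, not the author's actual folder layout or notes file), here is a small POSIX shell script that creates one folder per challenge, writes a notes file pre-filled with the target IP and the brief, and builds the nmap command with -oN pointing into that challenge's nmap folder. The folder names, the notes template, the challenge name demo-box and the target IP 10.10.10.5 are all assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not the post's own files): scaffold one folder per
# challenge with a notes file and an nmap output directory, so user.txt,
# root.txt and nmap results from different boxes never get mixed up.
# The layout ($CTF_ROOT/<challenge>/notes.txt, nmap/, loot/, exploits/)
# and the notes template are assumptions of this example, not the
# author's exact structure.

CTF_ROOT="${CTF_ROOT:-$HOME/try}"

# ctf_init <challenge-name> <target-ip> [brief ...]
# Creates the folder tree and a notes file pre-filled with the target IP
# and the room brief, then prints the challenge directory.
ctf_init() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: ctf_init <challenge-name> <target-ip> [brief ...]" >&2
        return 1
    fi
    name="$1"; ip="$2"; shift 2; brief="$*"
    dir="$CTF_ROOT/$name"
    mkdir -p "$dir/nmap" "$dir/loot" "$dir/exploits"
    # never overwrite notes you have already started
    if [ ! -f "$dir/notes.txt" ]; then
        cat > "$dir/notes.txt" <<EOF
Challenge: $name
Target IP: $ip
Brief: $brief
Looking for: user.txt, root.txt

Findings:
EOF
    fi
    echo "$dir"
}

# ctf_note <challenge-name> <text ...>
# Appends a UTC-timestamped line to the challenge's notes file, so the
# order in which you tried things is preserved when you get stuck.
ctf_note() {
    name="$1"; shift
    [ -f "$CTF_ROOT/$name/notes.txt" ] || { echo "no notes for $name" >&2; return 1; }
    printf '%s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$CTF_ROOT/$name/notes.txt"
}

# ctf_nmap_cmd <challenge-name> <target-ip>
# Prints the nmap command with -oN pointing into the challenge's nmap
# folder. Printed, not run, so this script stays safe to source anywhere.
ctf_nmap_cmd() {
    echo "nmap -sC -sV -oN $CTF_ROOT/$1/nmap/initial $2"
}

# Demo with a constructed challenge name and a constructed target IP
# (10.10.10.5 is made up, not a real room). Runs only when invoked as:
#   sh ctf_init.sh demo
if [ "$1" = "demo" ]; then
    d=$(ctf_init demo-box 10.10.10.5 "Constructed brief: get user.txt and root.txt")
    ctf_note demo-box "started enumeration"
    ctf_nmap_cmd demo-box 10.10.10.5
    cat "$d/notes.txt"
fi
```

Source the file from your shell (`. ./ctf_init.sh`) and call `ctf_init <name> <ip> <brief>` when you start a room; everything for that box then lives under one directory, and `ctf_note` keeps a running log of what you tried.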

4 – Exploits and CVE’s

On some challenges you're going to have to find your own exploits. This can be from a reference in the brief, such as MS17-010, or you may take a version number you've found through enumeration and then search for that.

My usual go-to is ExploitDB. I do use others, but this is where I start.

(Screenshot: the Exploit Database)

5 – Crackstation!

Not going to lie, I love this website!!

Crackstation is operated by Defuse Security and they have done an amazing job, both in terms of the wordlist (yes, you can download this yourself if you want a strong wordlist) and the speed at which it can crack hashes.

You can throw in NTLM, MD5 and tons of SHA variants and it's done in no time.

I use this when I know the hash format is one that Crackstation supports and I want it done quickly.

(Screenshot: Crackstation)

6 – Cyberchef

No, this ain't gonna cook for you, and the recipes are more SHA-256 than pan-seared fillet, but this will help you with decoding ciphers and is an amazing tool to explore.

CyberChef is hosted on GitHub (you can download a copy if you want to) and was made by GCHQ (nice to know I got something back for my tax....)

I really suggest you have a play with it.

(Screenshot: CyberChef working)

7 – Reverse Shell Cheat Sheet

I know this has the word cheat in it, but this is seriously helpful!!

The Reverse Shell Cheat Sheet is made by Pentest Monkey and is so helpful when you are completing CTF challenges.

These reverse shells have been really cut down, sometimes into single-line commands that just work! They are in a vast number of languages, so if you come across a command input on a box that you can't get with bash because of a restriction, maybe Perl will work instead.

(Screenshot: the Pentest Monkey reverse shell cheat sheet)

8 – Tilix

This is the tool, other than Kali, that I use more than anything else on a CTF!

The majority of things you do are through a terminal: things like gobuster, msfconsole, Nmap, Netcat, listeners etc. Sometimes terminal windows become disorganised and this slows you down.

Tilix is a terminal emulator that lets you run multiple terminals in the same window, and it just works!!

To install, just use the command below or find it over on GitHub:

sudo apt-get install tilix

(Screenshot: the terminal emulator Tilix)

9 – Keep Your Stuff!

While doing CTFs I've learned that once you've got it, keep it!

I've downloaded multiple tools and written out reverse shells while doing them, and I've learned that once I've got one, I keep it! This could either be in a text file or the actual files themselves.

Below is an example of my reverse shell folder. These are all variations of PHP reverse shells which I've used a lot. Once I've got one that works well, I don't need to spend time finding or making another.

The important bit here is to keep it organised in the same parent folder so you know where to look when you need it, otherwise it's that screwdriver you know you've got but, when you need it, it's not where you last put it!

(Screenshot: my filing and storage system for exploits)

10 – Persist!!

While doing a CTF, knowing the solution is available either via Google or from the writeup list in a room, it can be tempting to just click on the solution.

Try not to. Persist, and if you get stuck, research without googling the answer: take what you know and research the vulnerability or the versions, review the source code, change your nmap scan to expand your port range, or reach out to another member on Try Hack Me (it's a really supportive group at EVERY skill level).

That being said, it's meant to be a learning experience and fun, so if after you've given it your best try you do read a writeup, try to only read up to the point you're stuck. Once you've got past that bit, try to finish the rest by yourself; it's the best way to learn.

Conclusion

I really hope these have helped you. As I said at the start, these are the things I've picked up along the way that have really helped me in general for doing CTFs.

As I start putting writeups on here, I will include more specifics on exploitation techniques and tools such as XSS, SQL injection, GoBuster etc.

Thank You

Marc