Hello, everyone. Welcome to the CSE 365 practice CTF info session. Give me a moment so I can screen share this. Cool. So, so many of you can see the slides. Cool. Okay. So yeah, welcome to today's CTF info session. Hopefully today I will be able to debunk everything that you may be wondering about what CTF is and what your midterm will be. It seems like a big scary thing, but I can assure you that it will be perfectly fine. Okay, so with that we can get started. So I heard you want to be a Hackerman, huh? Well, if you want to understand what CTF is, it stands for capture the flag. Basically, at its core, it's kind of like, I guess, a security competition, and you want to get like a piece of a string that is the flag. Either doing programming, you could be breaking a webpage, stealing data, reversing something. But all that you're trying to do is get a flag. So we want flags, right? But how do we get a flag? We're going to be doing a variety of different steps, challenges, processes, and whatnot, and figuring out what the security challenge will be handed to you, and what I guess like, and methods and whatever the author intends for you to do. So if you want, we have to solve challenges, right? And this could be either working our way through a Linux environment, like having a remote access to like a shell, using tools to reverse a binary, watching incoming traffic, which is more so like attack and defense CTFs. We'll get into these a little bit later. Or you could be writing scripts to inject the payload for a service to get a flag that way. Challenges may be difficult, but each thing will be a learning experience. If you get overwhelmed easily about this, just try to think, what is this challenge trying to teach me? And that should help you a lot more. And also, guessing will do you literally no good. And this is why. Flags will have a certain format for each competition. 
For example, we have the Alice CTF, HXP, and the Dragon CTF, but each thing has its own unique format and everything, so it's going to be really, really hard to brute force a solution. So you basically have to do it the legit way. Yeah. So you might be wondering, what's in it for me? Well, outside of the class, there's also more competitions for CTFs. And one of the bigger ones that would probably be easy to mention is the DARPA Cyber Grand Challenge, in which some of the ASU's SCOM professors were a part of for this. And they placed third in this competition and won like a boatload of money. So they're part of the team called Shellphish. And you can see here, Mechaphish is their thing that they created. And yeah, so for like a little bit more context, a lot of the contestants here were a part of the like big defense companies, and Shellphish just kind of came in like an underdog, like a group of security researchers from a university with like, not much. And somehow they pulled through and just placed third. Clout was also involved. I don't know how many of you guys have heard of DEF CON, but it is a really big cyber event that's hosted in Las Vegas almost annually. I think there's around like 27, 28 or something amount of DEF CONs already. If you do enough CTFs, you can qualify for the DEF CON CTF, which is basically like the Olympics of CTFs. It's like the grand final, and the CTF itself is like written by the Order of the Overflow. And some of your professors here at ASU, like Adam and Tiffany, are part of the Order of the Overflow. It's basically like a mysterious entity that writes the challenges. You can also see here that we also have Adam and Yan and Fish being a part of Shellphish. This is the team that I mentioned earlier. It's basically kind of like a joint team between the UC Santa Barbara's hacking team and ASU's hacking team. We'll get into it a little bit later. But they've been around for quite some time and are pretty well known. 
Also here you see Tiffany being part of the Plaid Parliament of Pwning. She comes from Carnegie Mellon and the team usually places first in almost a lot of competitions and CTFs. And your grade is also part of this. Your midterm is 10% of your grade and your final will also be 20% of your grade. Don't worry too much about the midterm since it's 10%, but you will be, I guess, preparing enough for this. You'll be able to figure out what's going on and what you need to do. And the details for this will be ironed out shortly. And we'll go into the logistics a little bit later. So CTFs generally have two modes. This would be either Jeopardy or Attack and Defense. So in this class we won't be doing Attack and Defense, but we will be doing Jeopardy. So Jeopardy and Defense is kind of more like a super intense thing. Usually, you know, with like a team, you're given like a list of vulnerable services and you'll either have to patch the vulnerabilities, which is like the defense, or you can be writing exploits and attacking services, not just your own, but also other teams' in the competition, which is the attack part. It's not based, and a scorebot will be generating flags that will be valid. And this will also depend on how long the CTF will be. So for example, with the DEF CON CTF, the final is basically an attack and defense, and the scorebot will tick in like each day and people overnight will be writing exploits or patching services and whatnot, and running it tomorrow. Sorry, the day after for it. Generally for these, you want to find out where your flag is stored, what the programs do, and try to just figure out what's going on. And earlier I also mentioned that you might be analyzing your own traffic. So for this, you'll be like for these types of things. Since you will be patching and attacking, or yeah, so you're defending and attacking. Some other teams might be running exploits that you might not be aware of. 
And so if you monitor your traffic, you can kind of just, you know, steal their exploits and run them for yourself. You can see what people are doing to exploit your service and what's being stolen, and you can use that to sort of leech off of it, kind of, I guess. Since you're analyzing your traffic, it's all kind of fair game. You can also view your opponents' services and steal their flags as well, or bring down their service. Basically, I probably could have explained this better, but you kind of have like a list of teams and a list of like vulnerabilities and networks. And that will kind of just kind of be like a closed, like super intense, kind of like boxed-in competition-ish. If you want like a better understanding or like kind of what it's like, I suggest you watch this YouTube video that I linked. It's from LiveOverflow, and he demonstrated what an attack and defense CTF is like very, very well. Next we have Jeopardy. Jeopardy is what you'll be doing for your midterm and final. Sometimes some of these competitions will be over a week or a weekend. Primarily like a weekend, but for this class, it will be a week long. You'll be given a set of challenges with different categories for each thing, and you want to be solving these challenges to get the flag and gain points. In normal competitions, usually the first to solve the challenge will get higher points, and the higher points will basically win the competition. So each category will also scale based on the difficulty of the challenge itself. I'll show you an example later in the next slide. Okay, cool. So this is an example from the HXP CTF. This was somewhere last year, I think near the end. So you have like your many categories of CTFs, like you have your crypto, your miscellaneous, pwn, reversing, web, and like an extra category. 
As you can see, you have like, it's kind of like an actual like Jeopardy format, right? You have different categories and then each individual challenge will scale based on its difficulty. So you can see that like for some of these it will be either green or it'll be yellow or it'll be red, and you can also see that like the number of solves also shows typically how hard or how many people can crack these challenges. So yeah. Also one final note that I should probably mention is that the scoring is public for this. You'll be able to see where you stand with the classmates for this CTF. I also mentioned earlier that the first to get the challenge correct will net you the most amount of points, but for this CTF, or for your midterm, it won't matter when you finish. Just as long as you get the flag, you'll get the points. There's no penalty for finishing last, but please just don't start the day of. Traditional CTFs will be different, as I mentioned earlier. Sometimes there's like a formula or like a time, like slash race condition, in which you have to like finish this challenge first to get the most amount of points. So we can see like from one of the HXP challenges, there is this big formula, and depending on the number of solves that there is, you'll get like an X amount of points that scales. But don't worry about this for this class. You will not have to be racing against like time or anything. So, with the Jeopardy CTF categories, there are usually these six, five-ish number of categories. We have binary or reversing, pwn, web, cryptography, stego, and miscellaneous. So if you're pulling off with binary or reversing, this kind of just stands for binary or reverse engineering. For the most part you'll be given a file or like a binary, and you'll have to kind of find a flag out of it. So, usually people could just execute and play around to see what the program does, but you can only do so much without, you know, seeing what's under the hood, right? 
So you're going to have to use special reverse engineering tools like a decompiler. And that way you can view the source code out of it. After you do see what's going on, you can kind of figure out what you need to do in order to get the flag, and then you just send it in to the program and it should output it to you. So for this, kind of everything is fair game, so as long as you get the flag. So there's more than one way to like, you know, solve a challenge, and you won't be limited to like how you do it. Like there's like multiple ways that can get you like the same flag. Also, don't worry about this for your midterm. This is one of the last concepts, I believe, for the class. So, don't worry about this quite yet. We have pwn. So, pwn generally can involve a lot of like, I guess, disciplines of hacking and the fundamentals of it. It'll take a lot of like, I guess, experience in various fields of like hacking itself and a lot of your knowledge, like understanding shellcode, assembly, C, and vulnerabilities, and, you know, kind of intertwining them all together for this. This will kind of still be like your binary exploitation-ish challenges. For the most part, an example of it could be like, you know, you're given a vulnerable binary and you want to spawn a shell on a remote server. And within that shell you can then spawn a flag. So, you know, these pwnables can also be like, you know, your vulnerabilities like buffer overflows, stack overflows, ROP, manipulating like the service, bypassing the functionality that was intended. And, you know, you can use that to get the flag. And sometimes the binary itself might need like a really, really big payload in order to get a flag, and you might even have to script it sometimes. And one of the more common libraries for this is pwntools. But don't worry about this quite yet because I don't think the challenges will be that hard, at least for this class. Well, I'm not entirely sure. You know, just know that it's out there. 
And then also don't worry about this yet. This will also come later with the class. Next we have web. These will be like your web exploitation challenges. So like, you know, your SQL injections, cross-site scripting, that type of stuff. Sometimes you could be directed to a website and you have to just find a vulnerability and exploit it in order to get you a flag. You can also check out PortSwigger. They're also a really good resource for knowing more about this. Sometimes it could, you know, be using Burp Suite or Chrome DevTools to figure out what the flag is within like a web page or something. Don't worry about this for your midterm, we will be learning web stuff later as well. Okay, crypto. So, this is probably one of the categories that you'll be challenged with. Most of the time the challenges will be revolving around ciphers like your Caesar cipher, your Vigenère cipher, stream ciphers, stuff like that, and also encryption algorithms like DES, AES, and RSA. You may be decrypting, you know, a ciphertext to get a plaintext, which could also be a flag, right? You know, you could be reversing or cracking a cryptography algorithm and doing that to also get you the flag. Next, we also have stego and miscellaneous. So, my butchered pronunciation, but stego stands for steganography. Yeah, this is kind of just more of like image analysis type of things. And miscellaneous is just also like the oddball category. Sometimes it's not even like classified with, you mean, like real challenges, it's just toss-up-ish. You'll see these more in like actual CTFs if you participate in them. But I don't think we'll be seeing these in the class. Yeah. So, on the right side we have another example from the HXP CTF. It's basically like super miscellaneous stuff. You know, it doesn't really fit in all the categories, but you know, it's just, it's still there. Don't worry about either of these for the midterm. These won't be like, we won't really be going over these topics in the class for the most part. 
So takeaways. Jeopardy CTFs contain many categories with many challenges as you saw before saw before. Sorry. As the name suggests it's kind of like an actual Jeopardy game right you have different categories and then each individual challenge under the category will scale with points. You can answer whatever challenge you want in any order as well. If you find if the challenge gets harder or sorry. Yeah. If you know that like you see like a higher point value out of it just know that you know the challenge will be more difficult and sometimes it'll also involve more complex understanding of the category. So you encounter itself may involve using you know your different tools to do the job and that way you can, you know get your flag so you want to have like you know a nice arsenal or toolbox ready. And also another important note is that the name of the challenge and the description can give you hints about what you might have to do. So pictured here is another challenge from the HXP CTF. This is called excellent. And it's a reversing challenge. But in the description, it tells us that, you know, we might be, you know, doing something with Microsoft Excel. And you can, you know, it's also nice for your business strategies, but will be more appropriate. Of course, you need the excellent Excel goal subscription as to be excellent as HXP, but for this challenge, they'll kind of just ask you to crack like serial number that will basically be like your Excel goal subscription so you can have to reverse like an Excel sheet and see what the formula is and what the calculations are for it. You know, it's just like a slight example. In the speaker notes for this slide, I will list the like right up and you can kind of see what it's like with it. So common tools. First and foremost, the internet is your friend. Literally, like everything you might think of is super well documented. Well, maybe not super, but it's all documented somewhere. 
And you can just search whatever you want to find whatever you want to do. You can also have man pages, right? These will be like your manual pages. If you're unsure about like a Linux command or something, you can search. Search it up just using a manual page and you can just, you know, like type man and find whatever command you might be unsure of. Like you could, you know, man ls and figure out what ls does. Or if it has like, you know, some hidden other functionality that you might not know of. We also have debuggers, right? Here we have like the GNU Debugger, and you can just, you know, set breakpoints and stop at certain points to understand what your program is doing. We also have Wireshark. So this can be used to monitor your traffic and see, you know, what other teams might be exploiting our service with or what flags are being stolen. I don't think we'll be using Wireshark for CTFs, but I'm pretty sure we will go over Wireshark sometime later. We also have our reverse engineering tools, right? We have like Ghidra, IDA Pro, or Binary Ninja. If you're not provided with the source code, you know, just throw the binary in there and it'll decompile it and kind of just give you a good picture of what's going on. We also have Burp Suite for web exploitation. You could proxy the HTTPS traffic, edit and repeat requests, and decode your data and whatnot. And most importantly, did we also forget about the internet? Please Google, like DuckDuckGo, Startpage, Bing search, I don't know, just search like whatever you want, or you're unsure of. And there's a very good chance that you can start doing backtracking or Google searching and figuring out what you need that you're missing from it, or there's just, you know, better understanding for something in order to do a challenge. Or in general. Moving on, we can start getting into before CTFs. So you have to, so first off, you have to understand what the rules are. 
Like what you can and can't do for CTFs, like you can't like do it off the site, you can like sometimes brute force solutions for attack and defense, you can't take down the scorebot, or, you know, take down the entire like platform. That does net you a whole ban. And also not cheating. CTFs, you just don't cheat, it's bad. And it will turn out really bad for you. You know, you should be coming prepared, you know, having like your toolbox ready right with like your text editor, your WebExpo resources, your reverse engineering stuff. You know, sometimes also having a virtual machine because you might have to work with like a Linux binary, or sorry, like a binary that works on Linux so you might have to, you know, have like a virtual machine ready. And also like your debuggers, like GDB and whatnot. But also, it may definitely going to be very important to disable auto reboot on Windows. This has definitely happened to too many people too many times, especially like, you know, during super important competitions and just outside of competitions to you definitely don't want Windows to auto reboot on you during your super critical work, like especially during like an attack on the fence and you're ready exploits or something that be just bad news bears. Okay, so before your midterm CTF, you want to understand like what the environment is like and what rules held there. So we will be going over it as a demo. So you understand what the CTF has ran on and you know what the site is like what what's like the host like, can you also access the services and challenges. But also, you can't cheat. Right. So, where do you go if you need to ask for help. That's right, not your classmates. But what you need to ask is also helpful. 
So we the teams and like the professors can only give you hints but they can't obviously handy the solution you're going to have to spend a lot of time on like the challenges, you know, doing a lot of Googling, or something to figure out what you need to do. To get your well being and check right, you know, just do a quick sanity check. You know, be sure that you're eating well you're sleeping well. Maybe maybe not get your caffeinated drinks ready. Finish all your homework so you know you can set enough time for the CTF. And also don't forget to drink water and take many breaks because sometimes you'll be sitting there like stuck and have absolutely no idea where you're going. You might just, you know, go take a break and then come back and pick it up and, you know, have a different perspective on the challenge and whatnot. Cool. So your midterm and final CTF. At least for your midterm it will be a week long and it will be from March 3, which is tomorrow, Wednesday to March 10. The CTF itself will be released sometime tomorrow so keep your eye out for that. The CTF itself will test you on class material and so it can be like, you know, from your lectures and assignments and everything in between. Also do keep in mind that class will be ongoing as the CTF is occurring so attend class. The CTF itself will be individual. You just, you know, set yourself some time to do the CTF. Cheat, we are all in the Discord and we will see literally everything that you do. If you ask for like answers, it's not going to be pretty. If you ask for help, it also depends on what type of help you're getting to. Just please be very careful and use your due diligence to know what you're doing and asking, especially in like a Discord or a Piazza post. If you have a question, just, you know, make it like a private post to the instructors and, you know, the grad tiers or Adam and Tiffany will take a look and see if the question is good. 
You know, if they think it's good, they'll make it public. And so yeah. Also just please don't wait until the last minute to do this. There will be some credit number of challenges. You, the last thing you want to do is sit there and be like, Oh my God, there is like 10 challenges. And like, I have to like crack RSA or something. Like freaking out, right? Just that's probably be like the worst take scenario that you'd ever want. But for this just please like leave yourself enough time to, you know, get stuck and struggle on this. This is like a learning experience for you because like, you know, challenges will be really hard. And sometimes you just will be dumbfounded and have absolutely no idea what to do. So just for fishes cost last semester, we spent like a lot of time on binary analysis like homework levels and just kind of like CTF challenges and you will be stuck there for a very, very long time, or really quickly depending on it and see like what you have to do and you might not even know what to do. So you just, you know, have to sit there, you know, read through your man pages, read through Google, looking through websites or not. It's, it'll be a lot. And just please just don't wait for the last minute. Also don't remember. Also remember to stay hydrated and take breaks and importantly don't give up. So yeah, also famous quote learning starts where prior knowledge ends from a wise man learning always when even when winners don't learn for also from the same wise man. So, just even though you think that like other people might be, you know, faster or better. You'll always be learning and learning is key. So for the midterm itself, you'll know more about like what you will want with your grade on the website itself there's like a great tab, and that will be like up and ready sometime tomorrow. And you can see, like, when you want to stop or like you'll know like if you have like the, like an a or something from the city of itself. 
And also your username is public as well as your progress. You can see like in the scoreboard tab on the website, we'll demo this later. You can, you know, choose to be public or anonymous, that's entirely up to you. You can also just, you know, start your hacker journey by picking your own hacker handle and inheriting your brand new identity. So for this CTF, what's unique about it is that you can do this entirely from your browser. You don't even need to like, you know, have a terminal up or anything. And yeah, we'll also show the, we'll demo the CTF thing. Sorry, that CTF site after this presentation. For resources, you can also look at CTFtime. CTFtime is basically where a lot of the CTFs are held like for each month, or basically kind of like your all things CTF site. So CTFtime itself has like a CTF wiki, you can check that out. picoCTF is great, since it's kind of marketed towards middle and high schoolers. That's like, you know, kind of more like an intro to CTF. Even though it's like targeted for that group, don't, like, don't like let that dissuade you from, you know, just checking it out because it's really helpful. I have done that, like, you know, a lot of like the picoCTF stuff myself and I learned a lot from it. We also have OverTheWire, and we also have like the wargames from it. You can also check that out, that's a super great resource, and from Weechow, right, we did the Bandit levels at the very beginning of this semester. Those, you know, just like generally help like you build upon your Linux knowledge, and you can also, you know, learn more things from it. Another common like resource that people might suggest is The Art of Exploitation. This is kind of like the, you know, I'll be like, you know, hacker handbook. Like a big portion of the community does like prize this book as like, you know, like your holy grail of like how to hack. A lot of fundamentals could come from there. It's just a really, really nice resource. 
YouTube, YouTube has a lot of videos. People make YouTube CTF walkthroughs, people talk about challenges, vulnerabilities and everything else in between. You know, there's a lot of stuff on YouTube that is available now to the public. We also have Hack The Box. Hack The Box is also really nice for challenges. You guys can also check that out. And for more resources we have, you know, some more local resources. We have our clubs at ASU, right, pwndevils and DevilSec. pwndevils is kind of like ASU's very own hacking team, or CTF team. And if you guys, you know, check out the link, you guys can join the Discord and, you know, participate with them and learn more about CTFs that way. Or if you really, really like CTFs, and you want to keep competing, you know, you can join them. All the CTFs will be held on CTFtime. It's kind of like, as I mentioned earlier, it's like the whole like CTF schedule, all things CTF that happen like, you know, year-round will all be there. And we just have DevilSec. DevilSec is another club at ASU that focuses on like vulnerability, sorry, security exploitation, kind of more like hands-on like practical hacking, like web exploits, you know, just like more like practical application for like security and stuff. So, you know, archives, right? So for challenges that you might be stuck on or you might have attempted and you don't know what's going on, you can read the write-ups that people will put up after the challenge. And you can, you know, it'll be on a lot of sites, especially like on CTFtime, there will be a lot of like after-challenge, you know, write-ups tab within like the challenge that was like posted, and a lot of teams can, you know, contribute to that. 
And usually they hope they just hope because like they write down their step by step process of what's going on, or like what their thinking is and what they did themselves to do the challenge, but also remember that there's like no one way to do the challenge and you can be creative with kind of your solution to get the flag. Now, I think the CTF intro should be enough. I think you guys are ready to be Hacker Man. And here's a picture of fish, the myth, the legend as Hacker Man. So if you guys have any questions, please do ask in chat, I can entertain questions for a little bit before we start doing a demo. When we register, should we use our real names? You don't have to. You can if you want, but just everyone will see it, basically. I have a question. If you want to be anonymous, you can be anonymous. But it would probably be wise to register with an AEC email. The practice CTF site is up already. Wait, I have a question. And I'll go for like another minute. And your other questions about like, you know, CTFs in general. I have a question about the midterm. So I know Matthew just clarified it. Wait, could you hear me, sir? Okay. So I know Matthew clarified me over the chat, but I just want to like another clarification. So like, once we start our midterm in the website, we do it in one sitting like we can't do like a certain amount of challenges that then do another set of challenges the next day. It has to be. Like, it's kind of like a come as a go come is like, yeah, it's kind of like a come as a go thing. You don't have to finish all of them in one sitting per se. You can obviously like, you know, split the challenges up, you know, do like some of them one day save the rest for later. Right. Yeah, you just don't know you don't have to like for yourself and just sit through and just for yourself to do the entire thing. Thank you. Yeah, I think the phrase is coming. Coming goes, please. 
Yeah, there is no time limit just as long as you know finish all of them or finish as much as you want before your midterm ends. Where's the site? Oh, how many are there? Okay, we don't know how many there are but the details for the midterm like more logistics will be released tomorrow. Do we need to do all of them? We don't know when you'll get like 100, you know, the grades tab will tell you how is this graded it's based on how many challenges you solve I'm pretty sure, and you know, like after enough of them has summed up you can tell like what your grade is. Unless I'm mistaken, you'll like, we kind of like know as much as you guys do for like the actual logistics of the CTF itself. I don't know if you can go over 100 but yeah, like, there might be a chance that you guys will, you know, possibly get extra credit from it. We don't know. We kind of just know as much as you guys do. For the site, we will be going over that next. Okay. I don't know how many challenges there are. Just assume that you'll be like assessed through what you've guys done throughout the semester. Do you have any like rough estimate on how long it'll take? Like just the average? Honestly, I can't say. Like 50 or like five? I don't know. I don't want to like put numbers but like, I just, I don't know. Just probably, you know, set yourself like at least like a day or two or maybe three. Just like set yourself like a decent amount of time. If the challenges are released, you don't have to sell them all at once at first. I guess like a good strategy would be like, you know, checking out the challenge, playing around with it and then like, you know, kind of gauging or difficulty based on that. You know, you could like also write notes about like how much time you think you probably need or when you want to solve it, you know, save it for another day. Yeah. So that's the date for the exam. It's from March 3 to March 10. 
So yeah, does anyone have any other questions or I can start segueing into the demo? Okay, I guess I'll take the last question. Are the challenges going to be similar to the Bandit challenges? Maybe, we don't know. It could literally be like, you know, Bandit, it could be like crypto, it could be literally anything within reason. Okay, I think we can start going into the demo itself. If anyone else has any questions. Yeah, okay. So it's CTF time. The professors have created a CTF platform for you guys to go and test the site itself. We want to get you guys familiar with what the site is like and what you'll be doing your entire CTF on. So if you guys could head on over to, excuse me, CTF.cs3c25.io, register for an account. And then after that, I will be going over like the rest of the stuff and how to access it. So yeah, basically we have like two challenges that are listed for us called hello flag and create file. I will also demo those after in a little bit. So on the site itself, you can just, you can, you know, access the CTF through SSH or you can just do it all on the browser and with the built in browser, I mean, sorry, with a built in terminal tab. Oh yeah, so some of the main takeaways. We don't know all the details yet, but you know, pick your hacker handle. It can be whatever you want within reason or it could be your name. That's up to you. Just know that, you know, everything will be public. And you can see what your classmates score, you can see what you score, and yeah. We don't know for sure yet, but do register with an ASU email for now. Yeah. Okay, so basically, there are two ways to access the challenges, right? You can either do that via SSH or you can do the web-based terminal. So for SSH you could either, you know, do it in the terminal, you can like generate an SSH key via like ssh-keygen, or you can use PuTTY. For PuTTY itself, you can Google it. 
So after you, you know, generate an SSH key, take the public key and then like, you know, copy it and then paste it into your SSH key settings on the page itself. Yeah, onto your account. And then once it's updated you can start, you know, SSHing into the CTF. So I guess, um, an example. Okay, it's a typo, but don't do this. Do this. Go to your settings and you should be able to see an SSH key tab. And then after you do, you know, go to your SSH key tab on the menu and then paste in your SSH key there and then hit update and you should be good to go there. Okay. So now I can go over like how to go over the web-based terminal. So, after I show you guys how to like, you know, access the challenges. Once you like hit play or like run the challenge itself you guys can go to the terminal tab and it'll spawn in like the challenge itself for you. So for this like, you know, click on a challenge, hit play, wait for it to, you know, be generated, go to your terminal tab and everything should be available for you. So once you do have like, you know, kind of bigger setup ready or I guess like if you want to access SSH that way. Or, you know, just start the challenge. So there's a challenges tab on the site and once you see like your challenges go click on the thing. Yeah, click on the challenge itself and then click on run challenge. And you want to wait for this blue box down here. You know, you can connect with this SSH key SSH and the user and host to spawn in and so here you can either just SSH into this address with this exact command SSH CTF at CTF.CIC365.IO, or, you know, after it's spawned in just go to the terminal tab and it should be there for you. After that, you know, just do the challenge and get the flag. So when you do get both the flags, say I'm in. And then once I see enough or, you know, once I see some struggle or demonstration, I'll demo over the challenges myself as well. So yeah, we want to. Here's our references and inspiration.
We're going to have a shout out undertale and Fish. And these links as well for, you know, helping us, just giving us like some baseline for CTF stuff. Okay. Yes, the slides will be posted. You can do whatever name you want, just, you know, just be professional. You know, also just pick your hacker handle to be whatever you want. How should you review and prepare? Don't freak out. Take it step by step. You know, just come as you are type of thing and, you know, slowly figure out the challenges. If you can't run the challenge. It should spawn in like a box for you. So. Yeah. So I guess I can start like demoing it. Okay. It comes with a blank yellow box. What are we SSHing into? If the challenge spawns, you can see the SSH SSH CTF the CC 360 of the IO. Maybe we'll have to use jobs. I'm not sure. Permission denied, public key. Make sure that, you know, you're submitting your public key into the machine. So if you get a blank yellow box, I'm not sure, the Docker container might have been broken, or yeah, there's some Docker issues. So just be a little patient, refresh your page maybe. Yeah, register right now. This will be your platform for the midterm. Yeah. Okay, so I guess I can like screen share. Cool. Okay, you guys can see that. Yep. Okay. So, you know, here we are on the CTF website itself. You know, this is your entire midterm platform, you have, you know, your terminal, your grades, this is broken, not fixed up, not set up yet. We'll have, you know, all of our users. Or this is what I was talking about earlier. Depending on how fast you solve, you can like see like what the top 10 is or how many people, you know, finish a challenge first, you can see your entire classroom's worth of hackers and their progress. And also we have our challenges tab here. Okay, so what you do, you know, just click on a challenge, hit run challenge and it should spawn in the blue box for you. Yeah, perfect. Okay, so either SSH in or just use the terminal tab.
So once you do, you know, have that blue box, you can head over to the terminal and boom, voila, you have an entire Docker like box just ready for you. Yeah, and you know, just throughout the challenge, we see like, you know, and we have the list, practice CTF hello flag. And, yeah, so this is the way to access it via terminal, I'll go over how to do it via SSH. Okay, cool. Okay. So you guys can see this, right. Yeah, okay, so in terminal, you know, run ssh-keygen, get a keygen set up. And if you want to like specify a location, just know that like whatever file you create here will be in like the current directory that you're in. But for the purpose and intents of this presentation, I'll just put it in id_rsa. I'm not going to have a password, it's cool. Okay, I have an identification saved in id_rsa, and I also have my public key. We want the public key here. This is the most important thing for this. So, you know, you can either like, you know, go to your file manager and open it up yourself, or you know just cat whatever content is in there, copy paste it. And then go to your settings, your SSH key, and then paste it in here. And then once you see the success, your public key has been updated, you know that it's good to go. So, I'm going to once again run the challenge, just for demo purposes. You can connect with SSH ctf.ctf.csc365.io. So heading back on to our terminal. Oh, just SSH in. Authenticity of the host can't be established. Are you sure you want to continue connecting? Yes. And adding that to the list. And voila, now you have access to the challenge. Yeah, so if you keep, if you're still getting the yellow box error, just refresh and be a little patient with the site, because we're getting like bombarded with everyone else like registering and running all at once. When is this due?
You can like, hopefully register by like tomorrow or before, like get familiar with the site before tomorrow, it'll be like advantageous for you to understand like how your midterm works. You have unlimited attempts. You will not be docked for the number of times you try to submit. Also, yes, the practice is optional. Also, do note that, you know, since this is like the site. When you hit run, you get a unique Docker container that spawns for just you. So each person here will have different flags for each challenge. This is very important because if you cheat, we will know that you're cheating. If you submit a flag that was meant for someone else, like, we'll like the site will keep logs and Adam and Tiffany will know and it's not going to be a good time for you. So please just don't cheat. Don't copy flags because it won't work. We will not lose point. You won't lose points for failed solves. I probably should have mentioned this in the slides. Okay, so when I did the ssh-keygen, I copied the public key. Yeah, take the public key and then, you know, copy it to a clipboard and then paste it into the site itself. What do we do? What do we do here? Okay. Invalid format. Maybe try regenerating your SSH key with ssh-keygen. It should just be like starting with SSH and then whatever encryption thing you did was your thing and it was like your user and host. We make the key independent of the site, yes, I think. So, like, is this a one-time upload for the key or if there's something wrong with that key, we can upload another key? Yeah, you can upload another key, I guess. If you're going from another machine or another terminal, you can do another keygen and then upload it into the site. Okay, thank you. Okay, let me just look at the challenges, see how many solves there are on 36, 118. Let's see, it's 11:30. I'm not sure when this class ends. I'll forgive it. Okay, perfect. I guess I can start demoing the challenges if everyone has at least attempted them.
Yeah, I was going to say at least just demo hello flag so they know what they're doing. Yeah, okay. So hopefully everybody has their account set up ready, you know, remember hacker handle. If you want to be anonymous, be anonymous, if you want to be showing your name, show your name, and ASU email for now. And so yeah. So, port 22. Check out what Matt said. Permission denied. Okay. Okay, so I guess we'll start demoing the challenge itself. Okay, so what I'm going to do, I'm just going to run the challenge. Oh, yellow box. What do you know. See if the target thing or work. I'm pretty sure, you know, the whole site's being overloaded because everyone else is like doing the challenge at once. If you guys are doing it with PuTTY, you know, try doing like the web terminal for now. If you want to know more, there should be like a how-to. Yeah, how to SSH keygen via PuTTY. And, you know, just follow the instructions for this site. I'm on like a Linux machine. So I apologize for not being able to be guys. Yeah, you can also use WSL. If you have a yellow box, just try to refresh the page or something and pray for the best honestly, or just be patient. So yeah, once the challenge is run, you know, I'll go into the web terminal. And then you can see that there's a binary or there's a thing that just stands out called practice CTF underscore hello flag. So if we, you know, check out what the file is itself, it's an ELF. It's dynamically linked and it's based on Linux x86-64. And it's for GNU/Linux 3.2.0. Cool. So let's just, you know, execute the binary and see what this does. Hi there, in this challenge we'll give you the flag directly. The flag is in the path such flag I seen right here, and we will just read it to you. Here's your flag phone college and the flag format or just unique flag. Yeah, I'm pretty sure I can copy paste on the Firefox with my keyboard because Yeah, so I'm just going to do the boomer way, copy paste it.
And then, you know, go into your challenges, copy the flag. You know, the flag itself, submit and it should tell you correct. If it's incorrect, it'll say incorrect. So like it virtually submit that it just say incorrect. Yeah, you won't be docked any points but it will show you like the number of times that you've attempted this. So if you have a fail, it'll show that but it won't affect your grade. This will not affect your grade. Just completing the solve will be enough. What did you cat, the key? Okay, okay. So I, you know, I got the key from the directory that it told me it was in. If you're in another environment, just Google how to do it. Yeah, I just, not yet, not the public key, the public. Yeah, I just cat the public key and copy-pasted it. You can also, you know, view in Vim or nano or whatever you want. You don't need a key. You can do it all in the browser, which is the cool part. But if you want to like, you know, do it from SSH, you can. Yes, good point. Make sure you're also authenticating the key. When you do, you know, make sure that you, you know, authenticate with your private key that's saved here. So once I'm going to pause here real quick. Perfect. Okay. Yeah, so um, whoops. So from earlier with the ssh-keygen, I probably shouldn't have cleared the terminal. So, um, you know, you can SSH in the city of the CC 365. And then authenticate with a private key with -i and then the directory that you store the private key in. So earlier we saw that, you know, your key's stored here and then your public key. So I'm just going to paste my, my, my private key, here is where it's stored. And then I can just SSH in. I'm going to give it a little bit and voila, it should just give it to you. And here I can also do practice CTF and get the flag this way. So once you upload it as a key, you can start doing the challenges. You know, yeah, click on a challenge tab, you know, click on a challenge itself and then run it.
Just now I'll go over create file, I'll wait for this to run. Oh, perfect. Cool. So head on over to my terminal. It's going to spawn me a new Docker. So you see here we have like a flag directory, and we also have a binary, practice CTF create file. So let's execute practice CTF create file. It says here this challenge will check if you create a file with correct content. You need to create a file at temp and this random string. You need to create the string of this without quote. Now, we got the check to create file and do the check for us and it tells us that, you know, we can't open the file because, well, it doesn't exist. So if we cd into temp, we have read-write permissions for this. So here we can, you know, create a file, you can just have everyone like you can touch the file and then like, you know, type something in, or you can just Vim and do it. So we're going to touch and we're going to create a GOS. You're going to either cd into it or you can just do it outside. You know, just there's multiple ways to just do it, whatever's like more comfortable for you. And then I'm going to echo the string here. Take the string. Can copy paste, copy and then paste it in, copy paste. There we go. And then I'm going to send the input into jysyhm, what the file is. And then if we, you know, want to see what's inside, you know, and then you can see that it contains this string this time. So, you know, go back to your root directory, go back to root and then execute the binary. And this time it gives us the flag here. You know, yeah, just copy paste that. Going to create file, paste it and submit and there we go. Obviously there's multiple ways to do it. Like you can just touch temp. Yeah, I don't know what the thing is called again. Yeah, you can do like touch temp jyshm. And then input like the string in there so you can like just wait. I mean, you know, I can use Vim. You can like literally do whatever you want. Just something like get the string in there.
Yeah, so we have Vim here. And then we can just paste the string and then save it. And then practice it again, etc. Yeah, it's pretty neat. Do we need to press the play button each time or once we solve a level as the system automatically puts it next level. It won't, you're going to have to do it each time, at least for the challenge that you want to work on. So, yeah, it won't like automatically move you up. You just have to like do it yourself because it's spawning like a Docker container for it. Yeah, we're near like the end of class time. Sorry, I like went on for so long, but hopefully this guy, this should give you like a good insight as to what the CTF is like, and what to kind of expect for the format at least. Do all the challenges open tomorrow? Sorry, do all the challenges open tomorrow? Yes, it should be sometime tomorrow. So, yeah, that's it. Do we have to submit once we're done with all the challenges, once we finish with the autograder? You can submit as you go. You know, just take the thing and then like paste it into the challenge itself. Okay, if I were to like, okay. You know, if I were to like cd and I'm back in like my home directory. I'm back twice and then I'm back into root. Yeah, cd back into root. Cool, okay. So yeah, I guess this kind of concludes the CTF intro. I'll entertain a few more questions before I stop the session. Thank you for coming out to today's session. Hopefully, you know, this was entertaining or somewhat helpful to you guys. Me and Lonnie put a lot of work into the slides. And so it's like a short notice. So hopefully you guys will have learned something useful from this. The slides will be posted and the recording will also be posted when it's available. So, yeah. Yeah, if you're a user and you're interested in this, I'm going to give you a link to that.
Yeah, if you're using web browser, you don't have to paste the key. So yeah, thank you guys for coming out and hopefully this helped.