Wednesday, June 28, 2023

picoCTF 2023 General Skills series: "Chrono" Walk-Through

 What's up everyone, I wanted to start a new series for the picoCTF 2023 General Skills challenges. I'm going to try to make a walk-through for every challenge as I'm working through them so you can follow along. This first one we'll be going through today is the "chrono" challenge. 

Right off the bat, if you have a pretty good knowledge of Linux you might know where the challenge is going based off of the name alone. If you are newer to Linux you might not, and that's okay. Let's go ahead and jump into this challenge. 

 


 

Okay so after opening the challenge it's prompting us to start a new instance so let's go ahead and click that and it should start a new instance for us to use. 

 


 

After starting a new instance we're going to have to use ssh to connect to the server so go ahead and get into the web shell and we'll be entering this command: 

$ ssh picoplayer@saturn.picoctf.net -p (port number)

Now that we are connected to the server we can go ahead and actually start the challenge. So we're seeing this prompt saying "How to automate tasks to run at intervals on linux servers?". Lucky for us they give us no hints for this one. There's really nothing else here that gives us any information as to where to even start with this challenge, so what we're going to do is use a hacker's best friend: Google. 

I'm just going to simply google the prompt it gives us and see what we can find. So I googled "How to automate tasks to run at intervals on linux servers?" and I found this link:  https://www.freecodecamp.org/news/cron-jobs-in-linux/

Go ahead and read through the link if you'd like but there's a couple things that stood out to me. 


 
Alright so here we can see 'cron' is used to schedule a job on linux and 'cron' reads the 'crontab' for running scripts. Let's read further...

 


So after reading further we see cron jobs need to be added in the /etc directory. Well, if you've been studying Linux fundamentals you might know this, but if not let's learn real quick what is usually stored in the /etc folder using Google. So I'm going to google "what is stored in /etc in linux?" and see what we can find.

 I stumbled across this website: https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s07.html



Okay, so based off of that we may want to go ahead and explore /etc to find our flag. So I'm going to play around in the terminal a little bit and see what I can find in that directory, as should you. 




So here you can see I've used cd to change directory over to /etc, and looking around here we see stuff related to cron. So I'm just gonna ls some stuff to list what's in the folders and see if I can't maybe cat out some stuff. While looking at this I wanted to note we can see a crontab just like we saw in the article earlier, so maybe that might be promising. 



Okay so after playing around with some different commands I decided to go ahead and just cat out the contents of crontab and looks like we found our flag! 
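The same look around /etc can be scripted. The following is an added example, not part of the challenge or the original post: it goes a step further than the walk-through by also checking /etc/cron.d and the periodic directories, and it marks any crontab line that is neither a comment, a variable, nor a schedule. The function names and the sample tree are made up for illustration.

```shell
# Added example: audit the system cron locations under a root directory
# (/etc/crontab, /etc/cron.d/, /etc/cron.{hourly,daily,weekly,monthly}/).

# Classify one line of a system crontab (the kind that has a user field):
# SKIP = blank/comment, ENV = NAME=value, JOB = schedule + user + command,
# ODD = anything else. Month/day names are not parsed and land in ODD.
classify_cron_line() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { print "SKIP"; exit }
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { print "ENV"; exit }
        $1 ~ /^@(reboot|yearly|annually|monthly|weekly|daily|midnight|hourly)$/ {
            print (NF >= 3 ? "JOB" : "ODD"); exit }
        { ok = (NF >= 7)
          for (i = 1; i <= 5 && ok; i++) if ($i !~ "^[0-9*/,-]+$") ok = 0
          print (ok ? "JOB" : "ODD"); exit }'
}

# Print "KIND<TAB>file<TAB>line" for each active line, then the periodic scripts.
audit_cron() {
    ac_root="${1:-/}"; ac_root="${ac_root%/}"
    for ac_f in "$ac_root/etc/crontab" "$ac_root"/etc/cron.d/*; do
        [ -f "$ac_f" ] || continue
        while IFS= read -r ac_line || [ -n "$ac_line" ]; do
            ac_kind=$(classify_cron_line "$ac_line")
            [ "$ac_kind" = SKIP ] ||
                printf '%s\t%s\t%s\n' "$ac_kind" "${ac_f#"$ac_root"}" "$ac_line"
        done < "$ac_f"
    done
    for ac_p in hourly daily weekly monthly; do
        for ac_f in "$ac_root/etc/cron.$ac_p"/*; do
            if [ -f "$ac_f" ]; then printf 'SCRIPT\t%s\t\n' "${ac_f#"$ac_root"}"; fi
        done
    done
}

# Constructed sample tree (not from a real host) so the example runs offline.
make_sample_root() {
    ms_root=$(mktemp -d) || return 1
    mkdir -p "$ms_root/etc/cron.d" "$ms_root/etc/cron.daily"
    printf '%s\n' '# system crontab' 'SHELL=/bin/sh' '' \
        '17 * * * * root run-parts /etc/cron.hourly' \
        'leftover note, not a schedule' > "$ms_root/etc/crontab"
    printf '%s\n' '@reboot root /usr/local/bin/sample-task' > "$ms_root/etc/cron.d/sample"
    printf '#!/bin/sh\n' > "$ms_root/etc/cron.daily/sample-rotate"
    printf '%s\n' "$ms_root"
}

sample_root=$(make_sample_root) && audit_cron "$sample_root"
```

Run `audit_cron /` on a real machine to list what the system cron locations would actually execute; per-user crontabs live elsewhere and are not covered.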

So after going through this CTF it may seem like that one was pretty easy, all we really had to do was cd over to a directory and then cat out the contents of a file, but there are two big takeaways for me from this challenge.

1. Using google can be our best tool in some challenges. There's going to be a lot of times that you're looking at your screen having no idea what's going on and that's for whatever level you're at, so get used to using google as a tool.

2. We learned a little bit about what 'cron' does and how it works as well as a little bit about the /etc directory and what we can find there, so a lot of these beginner challenges are all about researching things we may not know about. Keep in mind some of these general skills are geared towards middle school and high school students, however it can be for any beginners also.

We started this challenge off with no hints and by utilizing the resources we had we were able to find this flag with some simple commands, and that's what it's all about! We were able to learn about linux systems and that ultimately was the goal with this challenge.

Go ahead and cat it out yourself if you haven't already and find your flag! And that's going to wrap it up for this CTF walk-through. Stay tuned for more in the 2023 general skills series soon.




Tuesday, June 27, 2023

"HOW CYBERSECURITY REALLY WORKS" by Sam Grubb Review

 



Today I just wanted to give an in-depth review of the book "How Cybersecurity Really Works: A Hands-On Guide for Total Beginners" by Sam Grubb published by No Starch Press. Who is this book for? What can I learn from this book? Should I read this book? These are all questions we'll be looking at in this review so let's get right into it. 

Who is this book for? Well, it is pretty much right there in the title: "total beginners". Flash back to earlier this year: I decided it was time to go back to college and I wanted to pursue a worthwhile career and landed on cybersecurity. Now prior to this I had no knowledge of what cybersecurity actually was beyond the idea that it was a field for hackers and dealt with computers... So I picked this book up because of the title mainly. It seemed really geared towards someone like myself who wants to start exploring the world of cybersecurity but didn't know where to start. Now after reading this book I will say that it gave me the very basic foundational knowledge of how cybersecurity works and gave me a good stepping stone to begin actually learning the fundamentals. 

Some examples of things the book will go over are the difference between white hats vs black hats, how the internet works, methodology, very basic networking, different types of attacks, malware, password security, cloud attacks, and encryption. The thing the book does is give a very surface level introduction to these examples and gives you the basics of what you need to know before jumping right into the world of cybersecurity. 

The book did have some different exercises where you can use things you've learned in a practical setting, however I personally did not see much benefit to many of the exercises. There are some fun ones though, like using Shodan and encrypting/hashing files, but for the most part I found most of the exercises to be things I already knew how to do even though I was not coming from a strong technology background. 

Most of the information I learned in the book is all out there online for you to learn. You could easily learn the scope of this book on YouTube or other free training sources online, which begs the question: should you actually buy this book? After having bought and read this book I would say I was satisfied with what I was able to accomplish using the book and I believe it did give me a good foundation to start learning the fundamentals. What this book is not is a course to teach you how to become a cybersecurity professional. It is not going to explain to you how to go about getting certs or what you need to study to begin becoming proficient in the field. However, if you were like me at the beginning of my journey and never heard the term "white hat" or "black hat" or didn't know the very basics of how computers worked and how that relates to security then this book will be helpful for you. If you're like me and you like to have something tangible to actually learn something or you're just a regular person who has an interest in the basics of security then there's something you can get from this book. If you're someone who has been studying cybersecurity for a while or have already been through some online courses, started practicing on CTF/hacking challenges online, or feel like you already have the basics of this field then I would not recommend wasting your time on this book. 

In summary if you somehow have landed on this blog and have no idea what cybersecurity is or haven't started learning the fundamentals of the field yet then there is something for you in this book. If you've already started then don't waste your time. I believe the book was well put together and I thoroughly enjoyed reading it. I learned a lot and was able to use those things I learned and go even farther thanks to this book. 



Monday, June 26, 2023

picoCTF Obedient Cat Walk-through

 Hello Everyone!

Today I'm gonna give a quick walk-through of the Obedient Cat challenge offered by picoCTF.  This will most likely be the first challenge you'll be presented with after signing up for picoCTF and it is very beginner friendly and a fun little way to start getting your feet wet with the world of capture the flag! So without further ado let's jump right into it...

So to start off when you create an account on picoCTF you can go to the practice section of the website and you should see a bunch of challenges like below. 

 

 

 
 
 If you are doing CTF challenges for the first time you can set the Category Filters to General Skills and this will be a good starting point. One of the first challenges you'll see will be Obedient Cat. 

Now on the picoCTF challenges you have two options: you can either deploy the webshell provided and use that as your terminal interface or you can go ahead and use your machine's actual terminal. For this challenge it's really up to you, but for the purposes of this demonstration I'll be walking you through using the terminal on your actual machine. 

 

Okay, let's go ahead and select the Obedient Cat challenge and see what we're dealing with. 

 


So here we can see we have the prompt "This file has a flag in plain sight (aka "in-the-clear")" with a link to download the flag. We also have three hints on the right. Let's go ahead and take a look at the hints before we download the flag.  

 

For this first hint, it is pretty self-explanatory. Just keep in mind if they are giving any hints about entering a command in our Terminal, the command will start after the '$' symbol, so everything after the dollar sign will be what you type into your Terminal.
 

For this second hint, this is going to be applicable if you deployed the webshell to use as your terminal interface. If you did deploy the webshell, you won't need to download the file they provided for this challenge you can simply enter the command 'wget' followed by the link provided. Simply put, 'wget' (web get) is a command you can use to retrieve files from webpages to your local machine or in this case the webshell you deployed. If you are going to be using the webshell for every challenge then 'wget' is going to be your best friend. If you are using the terminal on your Linux system like me you can go ahead and disregard this hint but it can be useful for future challenges if you choose to use the webshell in the future.

Finally, for the last hint it gives us '$ man cat'. If you'll remember from the first hint anything after '$' is going to be a command we can use in our terminal so let's go ahead and input this into our terminal and see what we get..




Looks like we get the manual page for the 'cat' command. If you haven't already guessed it...we are going to be exploring the 'cat' command with this challenge. Usually in Linux, 'man' is going to be referring to 'manual' and with the 'man cat' command we are basically asking to be shown the manual for 'cat'. Go ahead and read up on it in the man page but to put it simply 'cat' stands for 'concatenate' and is a command mainly used to output the contents of a file however there are other things you can do with the command such as creating and appending files however I will let you read up on the other uses of 'cat' on your own time. For this CTF we will be using the functionality to output the contents of a file using 'cat'. 

Now that we have looked through all the hints and read through the manual page for the 'cat' command let's go ahead and download the file. After downloading the file you could technically just open the file to find the flag...but what's the fun in that. Rather, let's go ahead and use our terminal to finally use the 'cat' command we've read so much about. 
 
Once you open your terminal let's go ahead and find out where the flag was downloaded to by using the 'ls' command. This command will list the files located in a directory. I'm going to guess mine was saved to (you guessed it) the Downloads directory so I'll go ahead and 'ls' that directory. 

After listing the files located in my Downloads directory we can see the file 'flag' is located here. Next let's go ahead and 'cd' over to the Downloads directory. The 'cd' command will allow us to 'change directory' so we are in the Downloads directory. Also in Linux it is important to remember that everything is case sensitive. Meaning if you input the command 'cd downloads' you will most likely get an error because it won't be able to locate a directory named 'downloads', so make sure you are inputting 'cd Downloads'.

  

Above you can see where I used the 'cd' command to get into the Downloads directory, then I used the 'ls' command to show the files within this directory. From here we can see the flag file that we downloaded earlier. We are one command away from securing the flag.. Let's go ahead and 'cat' this file.



We did it! You can see the output of the 'cat' command was the flag: 

picoCTF{s4n1ty_v3r1f13d_28e8376d}

It's worth noting that in picoCTF, all the flags that we find will almost always be in the same format: picoCTF{insert flag here}. So keep that in mind as you are progressing through these CTF challenges. 

And that pretty much wraps up our first walk-through on picoCTF! Hopefully you learned a little bit about how CTF works and some basic Linux commands as well. As you progress through these challenges they will become increasingly difficult, so hacking one of these challenges will not always be as easy as inputting a simple command into our terminal; however, it will be a great way to practice the things you learn in a practical setting. 

Thank you for reading along and keep an eye out for more walk-throughs here in the near future!

As always,

Happy Hacking!




print ("Hello world!")

Hello world!


Thank you for checking out my cyber security blog. A little background about myself I am currently working full time and after a long break I am going back to college in the fall to pursue cyber security.

 

This summer I have been focused on learning the fundamentals and preparing myself as much as I can to hit the floor running once the semester starts in August. Some goals I've been focused on this summer have included: learning the basics of Linux, learning Python, and learning the fundamentals of ethical hacking. 

 

Some resources that have really helped me learn the world of computer science and cyber security after having no background in those fields whatsoever have been Try Hack Me, picoCTF, and some books from No Starch Press. 

 

I'll leave some detailed reviews of the No Starch Press books I've read this summer as well as some walkthroughs of challenges and rooms I've completed on THM and picoCTF soon as well. 

 

If you have read this far thank you for checking out the blog and feel free to leave a comment if you are new to cyber security like me and happy hacking!