How the Best Security Hackers Learn Their Craft
Intro: The Game-Changing Path to Becoming an Expert Security Hacker
How do the best security hackers learn their craft? I have been thinking about this for a long time. By hackers, I don't mean people who break into other people's websites, commit access fraud, or steal.
By hacker, I mean people who can exploit security vulnerabilities in systems, such as hacking into networks or devices to uncover weaknesses and then help secure them through disclosure.
Generally, when we buy an iPhone or an Android phone we are locked into its app ecosystem. Hackers can break free of these ecosystems: they can make the phone do something it was never supposed to do.
If you look closely at high-performance hackers, you find there is a system behind how they got there, and it is one you can follow too. There is also a way to build high-performance teams and grow computer security hacking talent.
Here are two hackers who are a real inspiration.
Famous Security Hackers Who Became Experts at a Young Age
George Hotz
George Hotz is the current President of comma.ai. He is known for developing iOS jailbreaks and for reverse engineering the PlayStation 3. He successfully managed to remove the lock that gave AT&T sole rights to the very first Apple iPhone. This was the first iPhone jailbreak.
This hack (although it is reported it took 4 people 500 hours to develop) enabled any SIM card on any carrier across the world to use and enjoy Apple's iPhone. He has also found many zero-days in software from Adobe, Firefox, and others.
A zero-day vulnerability is an undiscovered flaw in an application or operating system. It becomes a gap in security for which there is no defense or patch because the software developer doesn't know it exists. When software vendors and cybersecurity researchers discover a zero-day vulnerability, they act quickly to design and implement a security patch.
Richard Zhu
Pwn2Own is a worldwide hacking contest. The rules are that you are given a laptop running a fully up-to-date operating system with no known vulnerabilities. Your goal is to break into this laptop by finding new zero-days. Then you need to demonstrate how you can maintain persistence.
Richard Zhu is one of the youngest Pwn2Own winners. He teamed up with Amat Cama to find exploits in many systems, and they were crowned Master of Pwn for 2019. Their research earned them $375,000 over the contest.
When a zero-day is found, it is passed on to the vendor, who patches the product and makes it safe.
What we are all curious to know is how these people get to that level.
How Expert Hackers Use Games To Master Skills
One of the many ways to learn these skills is through hacking contests where teams of hackers battle each other. These are games built by hackers for hackers.
DEF CON is one such event, where hackers like George and Richard compete to break into each other's systems while defending their own.
Gamified Security Challenges or CTFs
These hacking competitions are called CTFs (Capture the Flags). These challenges gamify learning about computer security and add a lot of fun.
Each participant is given a challenge, and their goal is to solve it. Solving it yields a flag, a text token that proves they found the solution. You can use external tools and Google for help; there are no other major restrictions, except that you are not allowed to hack the CTF infrastructure itself.
There are many types of CTF challenges. The most basic ones are the Jeopardy-style CTFs.
Jeopardy-Style CTFs: Learning the Essential
It starts with a set of categories that cover basic hacking skills: cryptography, forensics, exploitation, and reverse engineering. As the game progresses you are presented with more and more difficult challenges.
You are given a problem that is a little bit out of your reach. Then you research, Google, try things by trial and error, and work your way to the flag.
After that, you are presented with a slightly harder challenge, and as you go up the challenges become incrementally more difficult. This is how the Jeopardy style works.
This is similar to how a mathematics course works, for example: you are introduced to more and more complex topics and learn them one by one.
Many CTFs run annually. Some of them are:
- NahamCon CTF: https://nahamcon.com/
- DEF CON: https://www.defcon.org/
- Google CTF: https://capturetheflag.withgoogle.com/
Some of the best CTF platforms for practicing your skills are:
Here are some ideas for setting up your own CTFs.
Designing CTFs: How to Grow Hacking Talent Around You
There are three principles to follow if you want to grow good hacking talent within your organization.
1. Applied Deliberate Practice
We need to give students ample time to practice and get to know the basics. In CTFs, we give the student challenge after challenge. This builds familiarity and insight, and they develop a feel for computer security.
2. Autodidactic Learning
We need to set up the challenge so that we allow the students to research themselves and solve it. They should be in the mindset that they don't know everything, but they can figure it out.
3. Creative Problem Solving
Hacking is about thinking outside the box and doing things that no one has done before. In CTFs, students are presented with problems that require innovative solutions. There is often more than one way to solve a problem.
Let's look at some examples of what these CTF challenges look like, what to expect, and how to approach them.
Getting the Taste of CTF: Creative Problem Solving
Let's try out a basic binary exploitation CTF challenge.
A buffer overflow happens when more data is written to a buffer, such as a string or an array, than it can hold, causing the excess data to overwrite adjacent memory. These are common in C, where many standard library functions do not check buffer bounds. Let's try a binary exploitation problem from the PicoCTF platform to get started.
Let's see what the challenge is up to:
Let's see what happens when we connect with netcat:
It gives us a demo program for buying stocks. Let's look at the source code provided for the challenge, vuln.c. In the main function we find calls to two functions, buy_stonks() and view_portfolio():
```c
/* Excerpt from the challenge's vuln.c. The Portfolio type and the
   initialize_portfolio(), free_portfolio(), buy_stonks() and
   view_portfolio() helpers are defined elsewhere in that file. */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main(int argc, char *argv[])
{
    setbuf(stdout, NULL);       /* unbuffered stdout so prompts appear immediately */
    srand(time(NULL));          /* seeds the random share picker */
    Portfolio *p = initialize_portfolio();
    if (!p) {
        printf("Memory failure\n");
        exit(1);
    }
    int resp = 0;
    printf("Welcome back to the trading app!\n\n");
    printf("What would you like to do?\n");
    printf("1) Buy some stonks!\n");
    printf("2) View my portfolio\n");
    scanf("%d", &resp);         /* menu choice */
    if (resp == 1) {
        buy_stonks(p);          /* reads the flag, then echoes our token */
    } else if (resp == 2) {
        view_portfolio(p);
    }
    free_portfolio(p);
    printf("Goodbye!\n");
    exit(0);
}
```
If we enter 1, the program calls buy_stonks(); if we enter 2, it calls view_portfolio().
Let's dig deeper into these functions, especially buy_stonks():
```c
int buy_stonks(Portfolio *p) {
    if (!p) {
        return 1;
    }
    char api_buf[FLAG_BUFFER];      /* stack buffer that will hold the flag */
    FILE *f = fopen("api","r");
    if (!f) {
        printf("Flag file not found. Contact an admin.\n");
        exit(1);
    }
    fgets(api_buf, FLAG_BUFFER, f); /* flag read from the "api" file onto the stack */
```
Here we see that the flag is read every time buy_stonks() runs and stored in api_buf, a buffer on the stack.
```c
    int money = p->money;
    int shares = 0;
    Stonk *temp = NULL;
    printf("Using patented AI algorithms to buy stonks\n");
    while (money > 0) {
        shares = (rand() % money) + 1;  /* random number of shares to buy */
        temp = pick_symbol_with_AI(shares);
        temp->next = p->head;           /* push the new holding onto the list */
        p->head = temp;
        money -= shares;
    }
    printf("Stonks chosen\n");
```
Then we have some code that generates random share purchases.
```c
    char *user_buf = malloc(300 + 1);
    printf("What is your API token?\n");
    scanf("%300s", user_buf);       /* bounded read, so no overflow of user_buf */
    printf("Buying stonks with token:\n");
    printf(user_buf);               /* user input used directly as the format string */
    view_portfolio(p);
    return 0;
}
```
Finally, the function prompts us for an API token and uses printf to echo back the token we entered.
We need to find a weak spot in this program that will give us the flag, so we need to find a vulnerable function. The one we want is printf(user_buf).
Because user_buf is passed as the format string itself, rather than as an argument to a fixed format such as "%s", this printf() call has a format string vulnerability. We can inject format specifiers that read values from memory. Giving it many %x specifiers will print values from the stack (you can also give %p a try).
Several built-in C functions are vulnerable to buffer overflow attacks, such as gets() and strcpy().
Let's convert the hex back to a string using CyberChef:
We find that the flag's characters come out in reverse order within each 4-byte word, because the stack holds little-endian words. CyberChef's swap-endianness operation reorders the bytes to fix that.
That's the flag for the problem. We first found that buy_stonks() had a stack-based format string vulnerability in its printf() call. We supplied lots of %x specifiers to walk up the stack, which returned its contents as hexadecimal values.
On converting the hexadecimal to a string we found the flag token with its bytes rearranged. After swapping the byte order we got the actual flag. Along the way, we learned about format string vulnerabilities and how to find and exploit them.
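The two lessons of this walkthrough, as an added example that is not part of the challenge's vuln.c: echo_token() is the hardened form of the echo (the token becomes an argument to a fixed "%s" format, so % sequences print literally), and the two helpers show why a %x leak of a string comes out byte-reversed and how the swap-endianness step undoes it. It assumes a little-endian host such as x86; the sample flag prefix is constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hardened replacement for the challenge's printf(user_buf): the token is
   an argument to a fixed format, so any '%' in it is printed literally.
   Output goes to 'out' so the caller (or a test) can inspect it. */
int echo_token(const char *user_buf, char *out, size_t out_len)
{
    return snprintf(out, out_len, "Buying stonks with token:\n%s\n", user_buf);
}

/* What %x leaks: pack a string into 4-byte words exactly as they sit on
   the stack and print each word in hex. On a little-endian host "pico"
   becomes "6f636970", the reversed order seen in the walkthrough. */
size_t leak_as_hex_words(const char *s, char *hex, size_t hex_len)
{
    size_t n = strlen(s), pos = 0;
    for (size_t i = 0; i < n && pos + 9 <= hex_len; i += 4) {
        uint32_t w = 0;                           /* unused bytes stay zero */
        memcpy(&w, s + i, (n - i < 4) ? n - i : 4);
        pos += (size_t)snprintf(hex + pos, hex_len - pos, "%08x", w);
    }
    return pos;
}

/* Undo the leak (the "swap endianness" step): parse each 8-digit hex word
   and emit its bytes lowest first, skipping zero padding. A trailing
   partial word is ignored, as it would be in a real leak. */
size_t hex_words_to_string(const char *hex, char *out, size_t out_len)
{
    size_t pos = 0, hlen = strlen(hex);
    for (size_t i = 0; i + 8 <= hlen; i += 8) {
        unsigned int w;
        if (sscanf(hex + i, "%8x", &w) != 1) break;
        for (int b = 0; b < 4 && pos + 1 < out_len; b++) {
            unsigned char c = (unsigned char)(w >> (8 * b)); /* lowest byte = first char */
            if (c != 0) out[pos++] = (char)c;
        }
    }
    out[pos] = '\0';
    return pos;
}

int main(void)
{
    char hex[64], text[32], echo[64];
    leak_as_hex_words("picoCTF{", hex, sizeof hex);  /* constructed sample prefix */
    hex_words_to_string(hex, text, sizeof text);
    echo_token("%x%x%x", echo, sizeof echo);
    printf("%s -> %s\n%s", hex, text, echo);
    return 0;
}
```

In the real leak the flag words sit among many unrelated stack words; the decoder handles any run of hex words, so the flag appears in the decoded text wherever it lies.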
Hack or Get Hacked: Attack-Defense Style CTFs
Everyone starts with basic awareness. If you want to raise awareness, Jeopardy-style CTFs are the best to use: we ask people to solve small, self-contained problems.
That gives them room to learn the fundamentals. When you reach the top level, you move beyond the Jeopardy style to attack-defense style CTFs.
Here you work in teams. The goal is to exploit all the other teams on the network while defending yourself at the same time. You need a good strategy to find the weakest links and exploit them.
The task is to find the vulnerabilities, protect your own services, attack the services of the other teams, and steal their secret information (flags).
If you are just starting out, you should not go for attack-defense, because it leaves very little room to grow and learn. It is more competitive than the Jeopardy style.
Here is an attack-defense CTF you can try: https://tryhackme.com/games/koth
Conclusion: How To Find Upcoming CTFs
You can find CTFs on CTFtime, the official website for global CTFs: https://ctftime.org/
You can also find and form teams with fellow hackers by joining the Discord channels of the CTFs. Hope to see you around. Thanks for reading.