The Most Dangerous Wargame
Just about everyone reading this has probably heard of the game ‘capture the flag’ before. Most people have participated in this traditional run-and-tag field game. It is simple and timeless, and just about all of the rules you need to know are explained in its name. Given its simplicity and ubiquity, the game of capture the flag is easy to adapt for different situations, and has taken on many different forms over the years. Of particular interest is the game’s interpretation by the network security community.
In network security, games of capture the flag are used as a form of recreation, training, and sometimes even recruitment. Games of capture the flag played in the security community, as you might expect, play a bit differently than their namesake would suggest. They also come in a few different varieties.
The less common variant of network security capture the flag also happens to be the more recognizable. This variant is referred to as ‘attack and defense’. An ‘attack and defense’ game pits two teams of players against each other on identical, pre-constructed computer networks, each with a string of characters referred to as the ‘flag’ hidden somewhere within one of the machines. The goal is to hack into the other team’s network and acquire the ‘flag’, while at the same time securing your own team’s network from invasion.
‘Jeopardy’ style variants are far more common, and can support thousands of teams of players simultaneously. In a ‘jeopardy’ style game, contest organizers design elaborate challenges that can only be solved by utilizing skills that are important for network security professionals to possess. These challenges are organized by category and difficulty, with more difficult challenges offering more points, much like a Jeopardy board. An unlimited number of teams can compete online to score the most points and secure their victory. Competitions like these are designed with different skill levels in mind, which makes them accessible to beginning players with little experience. A simple challenge would look like this:
After reading about string encoding methods and searching around for ways to decode such strings, you might try running that string through a base-64 decoder, which would reveal the flag.
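The decoding step described above, as an added example that is not part of the original post: a hand-written base-64 decoder run on a constructed challenge string, showing that the encoding only regroups bits and involves no key. The challenge string and the `flag{...}` format are assumptions made for illustration.

```python
import re
import string

# Standard base-64 alphabet (RFC 4648): each character stands for 6 bits.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
FLAG_RE = re.compile(r"flag\{[^}]+\}")  # assumed flag format, not from the post

def b64_decode(text: str) -> bytes:
    """Decode base-64 by hand: 4 characters (4 x 6 bits) become 3 bytes."""
    text = "".join(text.split())            # ignore whitespace and line breaks
    if len(text) % 4:
        raise ValueError("length must be a multiple of 4")
    body = text.rstrip("=")
    if len(text) - len(body) > 2:
        raise ValueError("too much padding")
    out = bytearray()
    bits = nbits = 0
    for ch in body:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a base-64 character: {ch!r}")
        bits = (bits << 6) | idx            # append 6 more bits
        nbits += 6
        if nbits >= 8:                      # a full byte is available
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1        # keep only the leftover bits
    return bytes(out)

def find_flag(challenge: str):
    """Return the flag hidden in a base-64 string, or None if there is none."""
    try:
        decoded = b64_decode(challenge).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    match = FLAG_RE.search(decoded)
    return match.group(0) if match else None

# Constructed challenge string for this example.
CHALLENGE = "ZmxhZ3tiYXNlNjRfaXNfbm90X2VuY3J5cHRpb259"

if __name__ == "__main__":
    print(find_flag(CHALLENGE))
```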
More complicated challenges might see you recovering secret messages encoded in images, SQL injecting web applications, writing a buffer overflow for an executable file, or any combination of various skills and techniques. If any of those sound foreign to you, another unspoken tradition of capture the flag competitions is for competitors to post detailed explanations online about how they solved challenges after the competition is complete. This way, less experienced competitors can learn, and advanced competitors can use such published material to attract potential employers.
In the end, the philosophy of these competitions is this: be a hacker. To think like a hacker is a positive and desirable trait. A ‘hacker’ mindset is a mindset of creative problem solving; an important skill not just in network security, but in almost any profession.