Bloodsport: Using Games and CTFs to Improve your Industry Skills

https://www.macintoshandmaud.com/yhswepisodes/2018/7/24/bloodsport

Participating in virtual and IRL challenges is a tremendous way to improve your Security and OSINT skills. I have gathered a few games that I find useful and I hope that my list will inspire you similarly. This is by no means an exhaustive list and I implore you to search on Google or locally for conferences to find even more.

CTFs/Hacking Games

Capture the Flag events are generally hosted virtually or at conferences and can come in several different formats (Red Team/Blue Team, Red Team) and cater to all skill levels. Working as an individual or with a team, players attempt to solve a timed series of challenges to earn a “flag” that is then translated to points. In the end, the points are totaled and a winner is announced based on the highest score. There are a wide variety of skills used when participating in CTFs such as critical thinking/problem solving, programming, OSINT, exploitation, reverse engineering, and cryptography to name a few.

I would like to stress to all people new to the field who may feel intimidated by CTFs — all skill levels can and should participate! If a newbie signs up for a CTF with zero experience and a will to learn, they will 100% come out the other side with new skills. Here are a few curated suggestions to get you started in the world of CTF:

Trace Labs CTF
The Trace Labs CTFs are a fantastic place for a new player to start because they rely almost entirely on a player’s ability to perform online searches and no prior skills are necessary! Using open-source intelligence, players attempt to find information on real missing people to help find them and bring them home.

www.intelligence101.com/tracelabs/

National Cyber League
NCL is a CTF specifically for High School and College students and the challenges are based on CompTIA Sec+ and EC-Council's CEH certificates. This CTF runs in both spring and fall seasons and the challenges are made up of Open Source Intelligence, Scanning, Enumeration and Exploitation, Password Cracking, Traffic Analysis, Log Analysis, Wireless Security, Cryptography, and Web Application Security. As a bonus, at the end of this CTF you get a certificate which you can then use as a talking point along with your resume when applying for jobs.

Score Card from Spring 2019 PSU World Campus Tech Club NCL Team Game

HacktheBox
HacktheBox is less CTF and more PenTesting Lab with CTF type challenges that allow you to collaborate and exchange ideas with other members. Sign-up is free but players will need to hack the page to get the signup code. This site is excellent for entry-level PenTesters to learn basic to advanced skills.

http://alickgardiner.com/hackthebox1/

HackThisSite
HackThisSite is a hacker war game site that offers the player several challenges that, when unlocked, lead to another page/challenge on the site. HTS offers a free and legal way to practice hacking skills while also engaging with the community to learn or work through challenges. I really enjoy this site for quick, fun challenges when I am looking to mix things up a bit from a standard CTF.

Nullbytes

Root.me
This site offers 300+ different challenges and realistic learning environments to train on. The final objective for players of Root.me is to compromise <root> the host. Root.me also provides a learning path for beginners to help them work through the site in a way that builds on skills learned in the previous challenge.

@rootme_org

CTF365 (Offensive)
CTF365 is a security training platform focusing on security, system administrators, and web developers. These challenges are more offensive (blue team) in nature and it simulates what would happen in the real world when servers and networks are under attack.

@CTF365

GEOINT Quizzes

If you are a lover of OSINT like myself, I highly suggest checking out free Geospatial-Intelligence (GEOINT) quizzes available online. Not only are these quizzes a great learning tool but they are incredibly fun and challenging!

QuizTime on Twitter
The daily QuizTime is posted in the form of a photo, sound, video, etc. and challenges players to figure out and verify where or what it is. As with Trace Labs, no special skills are required, just the ability to search online, curiosity, and willingness to follow a lead down a rabbit hole.

@Fiete_stegers on QuizTime

GeoGuessr
In this game, the player gets dropped in a random location on Google Maps and has to click through street view to try to figure out where they are. No advanced skills required here! Just click around until you see a clue and then search for an answer. The points per location depend on how close your guess is.

GeoGuessr Screenshot

Bug Bounties

I don’t consider Bug Bounties to be a game per se but I felt it necessary to mention their existence so that people new to the field could research further. Bug bounties are (sometimes large) monetary rewards for finding vulnerabilities in important internet software.

https://www.hackerone.com/product/bounty

HackerOne
HackerOne is a very popular bug bounty platform and they offer several things that would be of interest to someone new to the field. Hacker101 is a collection of videos and resources designed to train beginner to intermediate hacking skills. Hacker101 also provides a Capture the Flag to help players learn in a realistic environment.

https://www.hackerone.com/internet-bug-bounty

Final Thoughts

Using a game as a learning tool is a fun way to enhance industry skills without it feeling so much like work. Tip: When playing any of the above games, if you run into something that you don’t understand or can’t get past, use that as a study tool and motivation for further research.

Be sure to search for events local to you, such as BSides, that often host CTFs for a very low entry fee! Not all CTFs are expensive and the community will welcome you with open arms. Just start by starting: there is no special amount of skills needed to play any of these games and there is no better time than now to start building up the skills that will translate to real-world success.

slashfilm.com