CTF platforms are not exactly wonderlands

I’ve been testing various platforms for CTFs. Here are some advices to stay safe.

Many users are already hackers…

It’s something I rarely see in blog posts about CTFs, but I would not trust hacking platforms 100%.

Don’t get me wrong. I’m certainly not accusing any platform of doing weird things, but these tools are not only meant for aspiring hackers. While some of them are great for complete beginners (you can start with 0 knowledge), skilled and experienced hackers use them to compete, among other things.

Why am I telling you that?

Depending on your configuration, you might put yourself at risk. For example, if you use your laptop with virtual machines and you enable bidirectional synchronizations, there could be some risks. It’s even more dangerous if you connect from work office.

Please do not install Kali Linux and hacking boxes without permission and an appropriate environment (e.g., segmentation, sandboxing).

In addition, it’s not uncommon to open communication channels with boxes to enable reverse shells, download hacking kits, or exfiltrate information. Some players might not realize that basic commands such as netcat or telnet may be easy to use, but they don’t encrypt anything.

In fact, most platforms for beginners will let you do almost whatever you want, including the most sloppy attacks. The goal is to practice, fail sometimes and understand why, then try again ^^.

5 optional actions in CTFs that would be required in real conditions

  • there’s no need to cover your tracks
  • you don’t have to use proxy chains or mask your real IP
  • you don’t have to evade detection tools that can spot anomalous activity
  • obfuscation is rarely required, you can attack directly like there’s no scanner
  • you’re not anonymous, the platform can track your progression and even display your activity publicly

Getting started safely

I think it’s important not to go blindly, especially when you’re a beginner. Not all platforms have the same standards regarding users’ privacy and safety.

Again, I won’t blame anyone here. It’s amazing to get such knowledge, most of the time, for free. However, it’s also easy to execute scripts you don’t fully understand or your may leave dangerous ports open on your machine (like port 80) just to get a flag and some random score, which does not necessarily reflect your real level and is more an indicator of your progression.

I would recommend the following:

  • at least mask your real IP
  • don’t disable anti-malware software just because it conflicts with your local setup
  • don’t sacrifice safety over convenience and gaming
  • don’t open your machine more than strictly necessary (watch your ports)

Wrap up

Despite these drawbacks, hacking platforms are still amazing places to learn your craft. People give their time to build gamified experiences to ease the pain and accelerate the learning curve.

However, be cautious and stay safe. It’s part of the learning path, to me.

See Also